colorbars DD-WRT Novice Joined: 25 Sep 2019 Posts: 7
Posted: Sun Mar 12, 2023 5:11 Post subject: Guest WLAN that has access to only one thing
Firmware: DD-WRT v3.0-r51937 std (03/05/23) on Netgear R7800 running as a router.
What I'm trying to do is create a virtual WLAN that is identical to the regular WLAN (same DHCP server, same LAN IP space, etc) except that clients connected to the new virtual WLAN would only be allowed to connect to one specific port on one specific local IP address. I tried setting up a bridge as described in https://forum.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners and https://forum.dd-wrt.com/wiki/index.php/Guest_Network but it wouldn't even allow me to connect to the new network and that wasn't really what I was trying to do anyway.
So I went back to what I originally tried that doesn't work either. In the Administration/Commands page I added these to the Firewall as a test:
#Allow the specific IP I want to connect to
iptables -A INPUT -i wlan0.1 -d 192.168.0.2 -j ACCEPT
#Reject everything else
iptables -A INPUT -i wlan0.1 -d 0.0.0.0/0 -j REJECT
And it still allowed everything whether it was connecting to 192.168.0.2 or not. (There's also the issue that apparently the --dport xx parameter isn't supported, but one thing at a time.) Ideas/suggestions?
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3002 Location: Germany
Posted: Sun Mar 12, 2023 8:08 Post subject:
In short not possible, and in the linked articles there is nothing about same IP and same subnet and same dhcp as the main lan.
colorbars DD-WRT Novice Joined: 25 Sep 2019 Posts: 7
Posted: Sun Mar 12, 2023 20:23 Post subject:
ho1Aetoo wrote: In short not possible
Are you saying it isn't possible to filter the traffic from a particular interface in any way?
Quote: and in the linked articles there is nothing about same IP and same subnet and same dhcp as the main lan.
I didn't say there was but perhaps I wasn't being clear. I tried to set up a guest network as those articles intended for the use they were intended, hoping to modify it to suit my needs once I had it working. That didn't work so I moved on to a different way of doing what I wanted (the second part I posted) but that didn't work either.
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3002 Location: Germany
Posted: Sun Mar 12, 2023 20:28 Post subject:
Traffic in the same subnet is switched and not routed.
If you want full control over the VAP then the VAP must use a different subnet.
colorbars DD-WRT Novice Joined: 25 Sep 2019 Posts: 7
Posted: Mon Mar 13, 2023 7:00 Post subject:
I can live with using a different subnet. So how would you (or anyone else who'd like to chime in) suggest I do what I'm trying to do?
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Mon Mar 13, 2023 7:07 Post subject:
First start with setting up a Guest Virtual Access Point (VAP)
I attach my personal notes how I do it.
After you are done and have checked it is working, we can discuss the iptables rules.
For some examples see: https://wiki.dd-wrt.com/wiki/index.php/Iptables
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
colorbars DD-WRT Novice Joined: 25 Sep 2019 Posts: 7
Posted: Tue Mar 14, 2023 9:37 Post subject:
Guest VAP is working.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Tue Mar 14, 2023 9:46 Post subject:
Enable Net Isolation and the Guest WLAN can only have internet access but not local LAN access.
Check if that is the case.
If you want that your guest WLAN can connect to one IP address on your local LAN then use something like:
Code: iptables -I FORWARD -i wlan0.1 -d 192.168.0.2 -j ACCEPT
Test from the command line (telnet/PuTTY) and if it works add to Administration/Commands, Save Firewall.
colorbars DD-WRT Novice Joined: 25 Sep 2019 Posts: 7
Posted: Wed Mar 15, 2023 7:24 Post subject:
When the VAP is unbridged it won't connect to anything, either on the internet or on the LAN, either with or without
Code: iptables -I FORWARD -i wlan0.1 -d 192.168.0.2 -j ACCEPT
I tried leaving it in bridged mode and adding
Code: iptables -A FORWARD -i wlan0.1 -d 0.0.0.0/0 -j REJECT
but that didn't block anything on either the LAN or WAN.
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3002 Location: Germany
Posted: Wed Mar 15, 2023 8:21 Post subject:
Then you have not configured your VAP properly.
And I have no idea how to help you if 3 instructions are not enough.
colorbars DD-WRT Novice Joined: 25 Sep 2019 Posts: 7
Posted: Wed Mar 15, 2023 9:30 Post subject:
I got it. AP isolation had to be disabled. Then I put
Code: iptables -I FORWARD -i wlan0.1 -d 192.168.0.2 -j ACCEPT
iptables -I FORWARD -i wlan0.1 -o $(get_wanface) -j REJECT
into the firewall and now it will only access 192.168.0.2 and nothing else, which is what I was looking for, so thanks.
One last question. Am I correct that the iptables in DD-WRT doesn't support the --dport parameter or anything that would be an equivalent?
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3002 Location: Germany
Posted: Wed Mar 15, 2023 10:13 Post subject:
colorbars wrote: When the VAP is unbridged it won't connect to anything, either on the internet or on the LAN, either with or without
Code: iptables -I FORWARD -i wlan0.1 -d 192.168.0.2 -j ACCEPT
Sounds like a wrong configuration. I run VAPs myself on the main router as well as on a wireless AP, and unbridged VAPs work without problems and also have internet access.
Note I have 5x R7800.
See https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1263376#1263376
colorbars wrote: I tried leaving it in bridged mode and adding
Code: iptables -A FORWARD -i wlan0.1 -d 0.0.0.0/0 -j REJECT
but that didn't block anything on either the LAN or WAN.
Bridged VAPs also work without problems if you configure them correctly.
However, it would also make sense to filter bridged VAPs on the bridge.
colorbars wrote: I got it. AP isolation had to be disabled. Then I put
Code: iptables -I FORWARD -i wlan0.1 -d 192.168.0.2 -j ACCEPT
iptables -I FORWARD -i wlan0.1 -o $(get_wanface) -j REJECT
into the firewall and now it will only access 192.168.0.2 and nothing else, which is what I was looking for, so thanks.
I don't see what that has to do with AP isolation.
"AP isolation" isolates WLAN devices on the same interface, for example wlan0 <-> wlan0.
Also, I just tested it:
a "network isolated" client with "AP isolation" on wlan0.1 and an "AP isolated" client on wlan0.
The rule from egc works without problems...
colorbars wrote: One last question. Am I correct that the iptables in DD-WRT doesn't support the --dport parameter or anything that would be an equivalent?
--dport also works without problems...
colorbars DD-WRT Novice Joined: 25 Sep 2019 Posts: 7
Posted: Fri Mar 17, 2023 0:20 Post subject:
Let's just look at --dport for now.
The command
Code: iptables -I FORWARD -i wlan0.1 -d 192.168.0.2 -j ACCEPT
runs with no errors and does what it's supposed to.
The command
Code: iptables -I FORWARD -i wlan0.1 -d 192.168.0.2 --dport 80 -j ACCEPT
gives the error
Code: iptables v1.8.5 (legacy): unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
and the help file makes no mention of --dport at all. Maybe I'm missing something but that doesn't look like working to me.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3002 Location: Germany
Posted: Fri Mar 17, 2023 9:38 Post subject:
As a hint: the protocol option "-p" is missing.
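Putting the thread's two results together (the working ACCEPT/REJECT pair from the earlier post and the missing "-p tcp" that makes --dport valid), here is an added example that is not code from any poster or from the DD-WRT project. It assumes the hypothetical values from the thread (guest interface wlan0.1, host 192.168.0.2, TCP port 80) and goes one step further than the WAN-only REJECT used above: the catch-all REJECT on the guest interface blocks both LAN and WAN, so the policy does not depend on Net Isolation. It also includes a check that reads an `iptables -S FORWARD` listing and confirms the ACCEPT really sits above the REJECT, which is the thing to verify after a Save Firewall.

```sh
#!/bin/sh
# Added example (not from the thread). Guest VAP policy for DD-WRT: clients on
# the unbridged guest interface may reach one TCP port on one LAN host and
# nothing else. The values below are hypothetical placeholders.
GUEST_IF="${GUEST_IF:-wlan0.1}"       # guest VAP interface
TARGET_IP="${TARGET_IP:-192.168.0.2}" # the single LAN host guests may reach
TARGET_PORT="${TARGET_PORT:-80}"      # the single TCP port on that host

# Print the iptables commands. Both use -I, which puts each rule at position 1
# of FORWARD, so they are printed in reverse of their final order: the catch-all
# REJECT goes in first and the ACCEPT is then inserted above it. "--dport"
# belongs to the tcp match, so "-p tcp" must precede it or iptables reports
# 'unknown option "--dport"'.
guest_rules() {
    printf '%s\n' "iptables -I FORWARD -i $GUEST_IF -j REJECT"
    printf '%s\n' "iptables -I FORWARD -i $GUEST_IF -p tcp -d $TARGET_IP --dport $TARGET_PORT -j ACCEPT"
}

# Run the printed commands on the router (needs root and a real iptables).
apply_guest_rules() {
    guest_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

# 1-based line number of the first line of $1 that contains fixed string $2
# and fixed string $3 ($3 may be empty, which matches every line); 0 if none.
first_match() {
    n=$(printf '%s\n' "$1" | grep -n -F -- "$2" | grep -F -- "$3" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# Check an `iptables -S FORWARD` listing: the per-host ACCEPT must exist and
# appear before the guest catch-all REJECT. If the REJECT comes first it wins
# and the allowed service is unreachable (typical when -A is used instead of -I).
verify_order() {
    acc=$(first_match "$1" "-i $GUEST_IF -p tcp -m tcp --dport $TARGET_PORT -j ACCEPT" "-d $TARGET_IP/32")
    rej=$(first_match "$1" "-i $GUEST_IF -j REJECT" "")
    [ "$acc" -gt 0 ] && [ "$rej" -gt 0 ] && [ "$acc" -lt "$rej" ]
}

# Constructed sample listings (not captured from a router) in `iptables -S` form.
SAMPLE_GOOD='-P FORWARD ACCEPT
-A FORWARD -d 192.168.0.2/32 -i wlan0.1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i wlan0.1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o eth0 -j ACCEPT'
SAMPLE_BAD='-P FORWARD ACCEPT
-A FORWARD -i wlan0.1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.0.2/32 -i wlan0.1 -p tcp -m tcp --dport 80 -j ACCEPT'

if [ "${1:-}" = "apply" ]; then
    apply_guest_rules
elif [ "${1:-}" = "check" ]; then
    # On the router: sh guest_vap.sh check   (reads the live FORWARD chain)
    verify_order "$(iptables -S FORWARD)" && echo "rule order OK"
else
    guest_rules
fi
```

Run it without arguments to see the two commands it would issue, paste those into Administration/Commands as the firewall script, then run it with "check" over telnet or SSH to confirm the ordering. Return traffic from 192.168.0.2 to the guest leaves through wlan0.1 rather than entering through it, so the catch-all REJECT does not interfere with replies.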