[SOLVED] Guest VAP doesn't assign ip address

DD-WRT Forum Index -> Atheros WiSOC based Hardware
jsilvag
DD-WRT Novice


Joined: 12 Oct 2023
Posts: 15

Posted: Thu Oct 12, 2023 20:52    Post subject: [SOLVED] Guest VAP doesn't assign ip address
Hi there,

I have been using DD-WRT for a while now without any issues at all; I have a few TP-Link ARCHER-C7 v5 with DD-WRT v3.0-r53562 working as APs with WAN disabled and DHCP Type set to "Forwarder". They aren't used as a gateway since I have another device as gateway.
I'm trying to set up a "Guest VAP" where users get an IP address from the same DHCP server as the "Wireless Interface wlan0 normal users" but at the same time don't have access to internal network resources, but I haven't been able to configure it.

I tried to create an "Unbridged Virtual Interface" as indicated here https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN without success, the users of the "Unbridged Virtual Interface" can't even get an IP address.

This is my current setup:

192.168.152.247 is my global gateway, 192.168.152.117 is my DHCP server and 192.168.152.1 is the TP-LINK.

Any help is appreciated.


Update: Thanks everyone for your time, I'll try to give more details of what I'm trying to achieve. Right now all my clients get their IP address from a Windows Server DHCP in the range 192.168.152.20-100 with 192.168.152.117 for DNS and 192.168.152.247 for gateway; so for example a PC would get the IP 192.168.152.40/24, with 192.168.152.117 for DNS and 192.168.152.247 as gateway.

This was enough until we reached a point where we need a "Guest WiFi" where users can get Internet but wouldn't be able to access local services, for example a local Exchange server (192.168.152.120).

Right now the TP-Link is configured as "DHCP Forward", so the only DHCP server in the network is the Windows Server. My main objective is to give "Guest WiFi" users Internet but no access to other local resources; it really doesn't matter if the "Guest WiFi" users are on the 192.168.152.0 network or on a new segment created inside the TP-Link.

I'm still trying to achieve it, thanks for reading.


Last edited by jsilvag on Fri Oct 13, 2023 17:23; edited 3 times in total
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1404

Posted: Thu Oct 12, 2023 22:49
I am confused at what you are doing... but will take a guess... first have you read:
https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

From what I understand, you want the guests isolated from others on the network; does that include the internet (i.e. WAN)?

One of the issues I see is that if you want the same dhcp network you would have to have it connected to the same network... What you probably would want to do is create the second network but run a secondary dhcp server for just that interface... the reason being then you can isolate that network perfectly fine and know who guests are based on ip address, then create the firewall rules for any specific exceptions.

If I am not understanding the problem, I apologize
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6847
Location: Romerike, Norway

Posted: Fri Oct 13, 2023 4:19
It will not hand out IP addresses when set to Forwarder.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

Posted: Fri Oct 13, 2023 6:30
You were posting in the wrong forum.

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

I will transfer this thread to the appropriate forum for you.

First, your setup as a Wireless Access Point (WAP, aka dumb access point, aka dumb switch) is wrong.

Second, a VAP on a WAP needs special attention.

See the attached document on how to properly set up a WAP, and especially take note of the paragraph "VAP on a WAP".

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
jsilvag
DD-WRT Novice


Joined: 12 Oct 2023
Posts: 15

Posted: Fri Oct 13, 2023 14:23
Wildlion wrote:
I am confused at what you are doing... but will take a guess... first have you read:
https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

From what I understand, you want the guests isolated from others on the network; does that include the internet (i.e. WAN)?

One of the issues I see is that if you want the same dhcp network you would have to have it connected to the same network... What you probably would want to do is create the second network but run a secondary dhcp server for just that interface... the reason being then you can isolate that network perfectly fine and know who guests are based on ip address, then create the firewall rules for any specific exceptions.

If I am not understanding the problem, I apologize

Thanks for your reply, I'm open to creating a secondary DHCP, but do you mean to create it inside the TP-LINK? I'm still trying to figure out how. I also updated the original post with more details.
jsilvag
DD-WRT Novice


Joined: 12 Oct 2023
Posts: 15

Posted: Fri Oct 13, 2023 14:24
egc wrote:
You were posting in the wrong forum.

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

I will transfer this thread to the appropriate forum for you.

First, your setup as a Wireless Access Point (WAP, aka dumb access point, aka dumb switch) is wrong.

Second, a VAP on a WAP needs special attention.

See the attached document on how to properly set up a WAP, and especially take note of the paragraph "VAP on a WAP".


Thanks for your response. Can you be a little bit more specific on what is wrong with my WAP? I updated the original post with more info.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

Posted: Fri Oct 13, 2023 14:29
I attached a document in my earlier post with the proper way to set up a WAP and set up a VAP on a WAP.

Have a look :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
jsilvag
DD-WRT Novice


Joined: 12 Oct 2023
Posts: 15

Posted: Fri Oct 13, 2023 14:38
egc wrote:
I attached a document in my earlier post with the proper way to set up a WAP and set up a VAP on a WAP.

Have a look :)


I will take a good look at it and write back, thanks!
jsilvag
DD-WRT Novice


Joined: 12 Oct 2023
Posts: 15

Posted: Tue Oct 17, 2023 13:49
egc wrote:
I attached a document in my earlier post with the proper way to set up a WAP and set up a VAP on a WAP.

Have a look :)


I have read the document completely a few times by now.

This is what I have tried right now (mostly pages 3, 4 and 9 of the PDF):

Setup/Basic Setup/Network Setup
WAN: Disabled
DHCP Server: Disable
Local IP Address in subnet of primary router but outside DHCP scope, unique ip address
Gateway and local DNS are pointing to primary router
Use dnsmasq for DNS: Enabled

Services/Services/Services Management
Enable dnsmasq: Enable

Setup/Advanced Routing/Advanced Routing
Operating Mode: Gateway

Security/Firewall/Security
SPI Firewall: Enable

Wireless/Basic Settings/Virtual Interfaces
Add Virtual AP
Network Configuration: Unbridged
IP Address: 192.168.2.1/24 (I'm not really sure about this one)

Setup/Networking/DHCPD
192.168.2.1/24 wlan0.1 On 100 20 1440

I believe that before isolating the VAP traffic I should first get DHCP working on the VAP (right?). I try to connect to the VAP but I can't get an IP address.

1. When I change the "Network Configuration" (Wireless/Basic Settings/Virtual Interfaces) to Unbridged what should I set as IP address?
2. Do I need to add rules to have DHCP working?
3. Can you help me identify the rules I should set in order to have Internet but no local access to resources?

Sorry but I can't figure it out by myself, so I'd appreciate any help. Thanks!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

Posted: Tue Oct 17, 2023 14:10
Ok, first about your network setup.

What is the IP address of the primary router?
Do you have a separate DNS server on your network?


The instructions about VAP on a WAP state:
Quote:
DHCP server Disabled (=off and NOT set as Forwarder!)


What exactly is not clear about that?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
jsilvag
DD-WRT Novice


Joined: 12 Oct 2023
Posts: 15

Posted: Tue Oct 17, 2023 16:28
egc wrote:
Ok, first about your network setup.

What is the IP address of the primary router?
Do you have a separate DNS server on your network?

The instructions about VAP on a WAP state:
Quote:
DHCP server Disabled (=off and NOT set as Forwarder!)


What exactly is not clear about that?


Ok,
Primary router IP address: 192.168.152.247
Yes, I do have a separate DNS server on my network: 192.168.152.117

Well, I don't know why the DHCP option wasn't saved, but after saving it and rebooting my WAP, clients can get an IP address from the specified range 192.168.2.1/24, sorry about that.

I added the following rule on Administration/Commands and "Save Firewall". After a reboot the VAP clients have Internet.
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


Now, I would like to block access to local resources for VAP clients. I tried with this command without success (VAP clients can open the OWA portal of the internal mail server, 192.168.152.22):
Code:
iptables -I FORWARD -i $wlan0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT


Thanks in advance!
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2849
Location: Germany

Posted: Tue Oct 17, 2023 16:34
It's all in the guide, on page 9...
_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)

Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.2 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

Posted: Tue Oct 17, 2023 16:34
Great, we are making progress :)

You were almost there; the correct rule should be:
Code:
iptables -I FORWARD -i wlan0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT


and not $wlan0.1: the $ denotes a variable in (b)ash.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
jsilvag
DD-WRT Novice


Joined: 12 Oct 2023
Posts: 15

Posted: Tue Oct 17, 2023 17:51
egc wrote:
Great, we are making progress :)

You were almost there; the correct rule should be:
Code:
iptables -I FORWARD -i wlan0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT


and not $wlan0.1: the $ denotes a variable in (b)ash.


Awesome!
VAP users can't get to local resources on the same LAN. I also added 192.168.153.0/24 (which is another LAN) and it works as expected:

Code:
iptables -I FORWARD -i wlan0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I FORWARD -i wlan0.1 -d 192.168.153.0/24 -m state --state NEW -j REJECT


Thanks a lot, it works as intended!

If it's not too much to ask, next I would like:
1. Block access to the VAP web interface for VAP users; which rule should I use?
2. Can you recommend me a QoS article? I want to lower the priority of the VAP users' traffic.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12781
Location: Netherlands

Posted: Wed Oct 18, 2023 9:59
To block access to the router itself you have to use the INPUT chain but of course you need to allow DNS and DHCP traffic so you need these five rules:

#For isolating the WAP itself from the VAP/bridge:
Code:
GUEST_IF=wlan0.1
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT


Just copy-paste and add to Administration > Commands, Save as firewall (if you already have rules then Edit and add the rules).

I cannot give you much advice about QoS, I do not need it; I have fast internet and fast routers and with the kids at university there is not much bandwidth needed :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
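Putting the thread's pieces together (the VAP-on-a-WAP steps listed earlier and egc's SNAT, FORWARD and INPUT rules) into one script for Administration > Commands, Save Firewall. This is an added example, not code from the DD-WRT project or the attached guide; the guest interface wlan0.1, bridge br0, nvram variables and the 192.168.153.0/24 subnet come from the thread, while the LAN_IP/LAN_MASK off-box fallbacks, the APPLY switch and the protected-subnet list as a parameter are this example's own assumptions.

```shell
#!/bin/sh
# Consolidated "Save Firewall" script for an unbridged guest VAP on a DD-WRT WAP.
# Added example assembled from the rules in this thread; not DD-WRT project code.
# Assumed: guest VAP is wlan0.1, the WAP's LAN side is br0; APPLY and the
# LAN_IP/LAN_MASK fallbacks exist only so the script can be read and dry-run off-box.

GUEST_IF="${GUEST_IF:-wlan0.1}"

# The WAP's LAN address and mask: from nvram on the router, otherwise a
# constructed fallback matching the thread's 192.168.152.0/24 LAN.
if command -v nvram >/dev/null 2>&1; then
    LAN_IP="$(nvram get lan_ipaddr)"; LAN_MASK="$(nvram get lan_netmask)"
else
    LAN_IP="${LAN_IP:-192.168.152.1}"; LAN_MASK="${LAN_MASK:-255.255.255.0}"
fi

# Print the ruleset. $1 is the guest interface; remaining args are subnets the
# guests must not reach. Every rule uses -I (insert at top), so a rule printed
# later sits higher in its chain: the DHCP/DNS ACCEPTs land above the INPUT REJECT.
guest_rules() {
    gif="$1"; shift
    # Guest traffic leaving via br0 is source-NATed to the WAP's own LAN address,
    # so the upstream gateway can route replies without knowing 192.168.2.0/24.
    echo "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $LAN_IP"
    # New connections from guests into any protected subnet are rejected;
    # reply traffic for connections the guests opened to the Internet is untouched.
    for net in "$@"; do
        echo "iptables -I FORWARD -i $gif -d $net -m state --state NEW -j REJECT"
    done
    # Isolate the WAP itself (web UI, SSH): reject new connections to the router,
    # then allow DHCP (udp/67) and DNS (udp+tcp/53), which dnsmasq serves to guests.
    echo "iptables -I INPUT -i $gif -m state --state NEW -j REJECT"
    echo "iptables -I INPUT -i $gif -p udp --dport 67 -j ACCEPT"
    echo "iptables -I INPUT -i $gif -p udp --dport 53 -j ACCEPT"
    echo "iptables -I INPUT -i $gif -p tcp --dport 53 -j ACCEPT"
}

# Apply only when explicitly asked (APPLY=1); otherwise just show the rules so
# they can be reviewed before being pasted into the Commands box.
if [ "${APPLY:-0}" = 1 ]; then
    guest_rules "$GUEST_IF" "$LAN_IP/$LAN_MASK" 192.168.153.0/24 | sh
else
    guest_rules "$GUEST_IF" "$LAN_IF" 2>/dev/null >/dev/null
    guest_rules "$GUEST_IF" "$LAN_IP/$LAN_MASK" 192.168.153.0/24
fi
```

After applying on the router, `iptables -S FORWARD | grep wlan0.1` should list the two REJECT rules at the top of the chain, and a guest client should still resolve names but get a connection refused when opening the WAP's web interface.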
Page 1 of 2. All times are GMT.