Setup:
3 Linksys MX4300 setup with mesh with 802.11s (Main 192.168.1.1, Node1 192.168.1.2, Node2 192.168.1.3) (Normal br0 network works fine)
Firmware: DD-WRT v3.0-r61648 std (06/05/25)
wlan0.1 is the 2.4Ghz guest network and wlan1.1 is the 5Ghz guest network both I tried to put under br1.
I tried with and without an assortment of firewall rules based on different forum posts but without any luck. Things such as:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Screenshots are from Node2 settings. Let me know if a different screenshot would be helpful.
Joined: 04 Aug 2018 Posts: 1566 Location: Appalachian mountains, USA
Posted: Mon Jun 09, 2025 23:42 Post subject:
Your IP addresses are messed up. When you say 192.168.X.Y/24, the /24 is saying that Y is effectively a wild card. (Each of the four numbers in the IP address is 8 bits in binary. The /24 is saying the first 24 bits of the IP are fixed.) The subnet you are specifying has X fixed but Y assignable to be anything. [Added edit: Subnet IP ranges specified for bridges (including br0 router specs on the Basic Settings page) and unbridged wifi networks need to be nonoverlapping! An IP address should never fall into more than one such range simultaneously.] So you never want to use the same value X for two different subnets, for example for a bridge like br1 and for an unbridged wifi interface.
If you want a wifi to be bridged to br1, define it with default bridging (which will be to br0) and then use an assignment to bridge on the Networking page to assign it to br1. Once you do Save and Apply at the bottom, plan on many seconds before the new configuration appears in the current bridging table.
I didn't do a thorough look at your config, but that caught my eye quickly.
Somewhere I wrote my own version of doing a guest network, which I like a bit better than the classic guide for beginners you site. (But then I would, right?) I'll find it and post the link shortly. _________________ On 61465: 3x Dynalink DL-WRX36, Linksys MX4200v2, 2x MR7350. WPA2personal/WPA3 w/ AES, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), Two SmartDNS/DoT providers and one DNSCrypt provider via VPNs. DNSmasq manages that plus ad blocking and local DNS.
Last edited by SurprisedItWorks on Tue Jun 10, 2025 0:01; edited 1 time in total
It's old, very old (so old that wlan0.1 was still called ath0.1), but maybe it will shed the right spark of light on something. _________________ On 61465: 3x Dynalink DL-WRX36, Linksys MX4200v2, 2x MR7350. WPA2personal/WPA3 w/ AES, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), Two SmartDNS/DoT providers and one DNSCrypt provider via VPNs. DNSmasq manages that plus ad blocking and local DNS.
Joined: 15 Aug 2016 Posts: 290 Location: Melbourne, Australia
Posted: Tue Jun 10, 2025 3:42 Post subject:
Another fine points needs to be added to the discussion above.
An interface, whether LAN port or wifi AP, once placed on a bridge, will have its existing IP address SUBSUMED by the bridge's network.
In other words, the interface will have a new IP address within the bridge's network. (Relevant details on DD-WRT's GUI may still appear on screen, the previous network address no longer applies to the interface.
Good luck. _________________ Life is a journey; travel alone makes it less enjoyable and lonely.
___________________________________________________
2x Netgear R9000 & 2x XR700 Features:
- Gateway
- Overclocked -2000MHz
- SmartDNS, DDNS
- Both 5GHz & 2.4GHz using DDWRT (not Vanilla component)
- Private Home network on default br0 bridge together with vlan1 + wlan0 & 1
- Isolated port-based VLANS, placed on bridges + vAPs (wlan0.1 & 1.1) for guests & IoT devs)
- WireGuard Server for secure on-the-road access & remote control of devices @home
- OpenVPN Client for incognito & o/seas based programs
- 10G SFP+ connected to RB5009 (via optical fiber)
- QoS - HFSC/FQ_CODEL deployed on ISP's 500/50mbps connection
Joined: 16 Nov 2015 Posts: 7041 Location: UK, London, just across the river..
Posted: Tue Jun 10, 2025 8:29 Post subject:
i didn't read all the thread, but have you tried to turn off NSS-ECM, as well the NSS subsystem...? _________________ Atheros
TP-Link WR1043NDv2 -DD-WRT 62606 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 -DD-WRT 62890 GTW/SmDNS/DoT,AD-Blk,Forced DNS,AP&Net Isolation,x2VLAN,Vanilla
Netgear R7800 --DD-WRT 62606 Gateway/DNSCryptv2,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla,VPN cli
Netgear R9000 --DD-WRT 62606 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Dynalink DL-WRX36-DDWRT 62606
Broadcom
Netgear R7000 --DD-WRT 63020 GTW/DNScrypt-proxy2/AD-Block,IPset Firewall,Forced DNS,x4VLAN,VPN cli
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Thank you for all the suggestions so far. It takes me a while to try things.
- For IP addresses, all of br0 is 192.168.1.x and all of br1 is 192.168.2.x. Still looking at that.
- I tried turning off NSS-ECM and NSS subsystem, but my main router went unresponsive and didn't provide ips. I'll have to try that again and see if I clicked something wrong.
- I changed wlan0.x and wlan1.x to default
Troubleshooting, I noticed that the guest network works if the device connects directly to the main router. The problem is when a device tries to connect to the guest network through one of the other 2 nodes that are meshed to that main router when it says no internet available. I'll keep trying some things.
