[buellwinkle]

I want to isolate my wired lan from my wifi lan so I can setup a free hotspot without wifi users being able to access our local wired network. It's a Buffalo WHR-G300N and it has DD-WRT at v24-sp2 (10/10/09) std.

Yes, I did read - http://www.dd-wrt.com/wiki/index.php/V24:_WLAN_separate_from_LAN%2C_with_independent_DHCP

BUT, every guide I see tells me to go to Setup > VLANs, but the VLAN tab does not exist. It does exist on an old DD-WRT V24 RC7, but not on the router I want to do this on.

Anyone have step by step instructions on setting this up on my configuration? Or, what I have to do different using the instructions in the guide at the link above.

Bonus question. Once I get that working, I want a wifi user to go to a TOS page and click ACCEPT button. I heard nocatsplash does not work well or at all with this version. Any ideas?

[phuzi0n]

[aviator]

I also have a whr-hp-g300n and read the http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
and WAP article, but still unable to connect to internet via wifi. Wired works, DHCP dnsmasq works with wifi and I can manage ddwrt over wifi using the internal lan ip. I have tried multiple combos of iptables including:

iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

Any help would be appreciated.
thanks

[phuzi0n]

Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)

iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)

iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP


Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

[aviator]

I re-tried those 4, in order but still to no avail.
I did:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

with SPI on and not on.

I have defaulted the device 3 times and retried, the images look like a earlier release than Firmware: DD-WRT v24SP2-EU-US (08/19/10) std

[phuzi0n]

Telnet/SSH to the router and check the output of these commands.

iptables -t nat -I POSTROUTING
iptables -vnL FORWARD

[aviator]

result:

root@DD-WRT1:~# iptables -t nat -I POSTROUTING
root@DD-WRT1:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 62 packets, 10001 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- br1 * 0.0.0.0/0 10.10.148.0/ 23 state NEW
39 1872 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 ACCEPT 0 -- br1 * 0.0.0.0/0 0.0.0.0/0 state NEW

[phuzi0n]

[aviator]

root@DD-WRT1:~# iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1089 packets, 94194 bytes)
pkts bytes target prot opt in out source destination
902 83533 0 -- * * 0.0.0.0/0 0.0.0.0/0
root@DD-WRT1:~#

[phuzi0n]

That's an odd rule... I think that command completion isn't working on your build. Try this full version of the command for NAT.

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to-destination `nvram get lan_ipaddr`

If for some reason it doesn't work then check if the rule was added using the debug command from my last post.

[aviator]

the full version did not work either. I'm not sure what debug command you are referencing but I did this article: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=37215 and only received a timestamp and:
\

[phuzi0n]

[aviator]

It worked! I downloaded the lastest BrainSlayer firmware and used your last command and it worked the first time.

Thanks