Separate LAN and WLAN

From DD-WRT Wiki

Revision as of 23:08, 18 February 2006 by Joshua7878 (Talk | contribs)

Info below taken from this thread. Note that a major rewrite of this tutorial was posted to the thread Nov. 21st, 2005 and this page has not yet been updated. As soon as I get some feedback that the new version is working for others I'll update this page. - 4Access

Improvements that are not yet included on this page:
1. DHCP issue resolved
2. WPA/WPA2 didn't work with the steps I posted originally - Works with the updated instructions.
3. Firewall rules tightened up a bit. (The router is arguably "more secure" from the Wireless clients than with my last set of instructions)

Add some intro..

1. Remove Wireless interface (eth1) from the LAN bridge (br0):

a) Go to the 'Setup -> VLANs' page.
b) At the bottom of the page change the "Wireless" option from "LAN" to "None".

(The above setting doesn't take effect until the next reboot, which is good because it kills the WLAN. We'll fix that in the next step.)

2. Configure the wireless interface:

a) Go to the 'Administration -> Diagnostics' page and click the 'Run' button.
b) Paste the following command into the text box:

wlconf eth1 up;ifconfig eth1 netmask

c) Click the 'Save Startup' button instead of the 'Cmd' button (Don't close this window yet!)

3. Configure the necessary iptables rules:

a) Paste the following into the same text box used above but this time press the 'Save Firewall' button:

iptables -D INPUT -j DROP
iptables -A INPUT -i eth1 -m state --state NEW -j logaccept
iptables -A INPUT -j DROP
iptables -D FORWARD -j DROP
iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -I PREROUTING -i eth1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j DROP

The above iptables rules are overly complex for a couple of reasons:

1. I wanted to keep the organization of the rules as close to the DD-WRT default configuration as possible. This required deleting a few of the default rules, adding ours, then recreating the default rules to keep things in the proper order.

2. I wanted them to work even if you change the wireless subnet (indicated in green above) or if the LAN ports' subnet is something other than 192.168.1.X - basically the rules should work with nearly all configurations unless you've been doing some other advanced stuff with iptables.
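Because the whole scheme depends on the eth1 rules landing before each chain's catch-all DROP (and on the nat PREROUTING rule being present), here is an added audit script, not from this wiki page or from DD-WRT itself, that checks those conditions in `iptables -S` style output. It assumes eth1 is the wireless interface and that INPUT and FORWARD end in a plain `-j DROP` as in the rules above; the sample output embedded in it is constructed, not captured from a router.

```shell
#!/bin/sh
# Added audit helper (not part of the tutorial). Verifies the rule order the
# tutorial relies on, reading 'iptables -S' style text. Assumes the wireless
# interface is eth1 and that each chain ends in a bare "-j DROP".

# check_chain_order CHAIN PATTERN OUTPUT
# 0 when a rule matching PATTERN appears in CHAIN before the chain's final
# "-j DROP"; a rule appended after that DROP is never reached.
check_chain_order() {
    printf '%s\n' "$3" | awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain {
            n++
            if (!acc && $0 ~ pat) acc = n
            if (!drop && $0 ~ /^-A [^ ]+ -j DROP$/) drop = n
        }
        END { exit ((acc && drop && acc < drop) ? 0 : 1) }'
}

# check_lan_block NAT_OUTPUT
# 0 when PREROUTING drops eth1 traffic addressed to some subnet (the
# tutorial reads the LAN subnet from nvram, so any -d value is accepted).
check_lan_block() {
    printf '%s\n' "$1" | grep -- '^-A PREROUTING ' | grep -- '-i eth1 ' |
        grep -- '-d [0-9./]* ' | grep -q -- '-j DROP$'
}

# audit FILTER_OUTPUT NAT_OUTPUT: all three conditions must hold.
audit() {
    check_chain_order INPUT   '-i eth1 .* -j logaccept' "$1" &&
    check_chain_order FORWARD '-i eth1 .* -j ACCEPT'    "$1" &&
    check_lan_block "$2"
}

# Constructed sample of 'iptables -S' / 'iptables -t nat -S' after the
# tutorial's rules have been applied in the intended order.
FILTER_OK='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j logaccept
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP'
NAT_OK='-A PREROUTING -d 192.168.1.0/24 -i eth1 -j DROP'
# Same rules appended without first deleting the default DROP: dead rules.
FILTER_BAD='-A INPUT -j DROP
-A INPUT -i eth1 -m state --state NEW -j logaccept
-A FORWARD -j DROP
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT'

# On the router: audit "$(iptables -S)" "$(iptables -t nat -S)" && echo ok
```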

Another thing to note is that, thanks to the changes BrainSlayer made in recent builds of v23, port forwarding to the WLAN should work without requiring any manual modifications to the iptables rules! (Although I haven't tested this and quite honestly I'm not sure why you'd want to forward ports to the WLAN in a configuration like this...) Port forwarding to the WLAN will NOT work with v22 without manually creating the necessary iptables rules.

Now on to the DHCP issue. With the steps laid out above, you will have to configure your wireless clients with static IP addresses. One way to get DHCP working on the wireless subnet is to DISABLE "DNS Masq" on the 'Administration -> Management' page and then issue the following command, which will enable DHCP on the wireless interface and lease addresses from to

dnsmasq -z eth1 -F, -l /tmp/dnsmasq.wifi.leases

If you want DHCP to start automatically for the wireless subnet every time the router reboots, repeat step two above but use the following command instead:

wlconf eth1 up;ifconfig eth1 netmask;dnsmasq -z eth1 -F, -l /tmp/dnsmasq.wifi.leases

The problem with this is that you can't use the DNSMasq option for DHCP on your LAN ports... see below:

Note that you CAN still have DHCP enabled for the LAN ports, you just can't use DNSMasq as the DHCP server.