Separate LAN and WLAN (light)

From DD-WRT Wiki

Revision as of 23:01, 16 February 2016 (edit)
S2s2 (Talk | contribs)
Revision as of 21:23, 7 March 2018 (edit) (undo)
Jeremywh7 (Talk | contribs)
m (Separate LAN and WLANv2 moved to Separate LAN and WLAN (light): v2 insinuates that it replaces "Separate LAN and WLAN")
This is intended to be a 'light' version of Separate_LAN_and_WLAN. You should refer back to Separate_LAN_and_WLAN when you need more basic information.

Device used

This is a rough draft of a page that details how I separated the Wi-Fi from the LAN on Build 27506 2015-09-07 DD-WRT v3.0-r27506 (07/09/15) std on a Buffalo WHR-HP-G300N.

(It's an Atheros device. Some menus may vary slightly from Broadcom hardware.)

Firewall Script

Lastly, paste this into Administration > Commands and click Save Firewall so it is applied on every boot:

 # Allow new connections from the guest bridge (br1) out to anywhere.
 # Every rule below is added with -I (insert at the top of the chain), so the
 # last line of this script is evaluated first; the br1 -> br0 DROP further
 # down therefore sits above this blanket ACCEPT and overrides it for the LAN.
 iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
 # Clamp TCP MSS to the path MTU so PPPoE/tunnel uplinks do not black-hole large packets
 iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 # Allow br0 (LAN) to open connections to br1 (WLAN)
 iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
 # Block new connections from br1 (wireless) to br0 (LAN). Only NEW is matched,
 # so reply traffic for LAN-initiated flows is unaffected by this rule.
 iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
 # SNAT traffic leaving via br0 to the router's LAN address (needed for Internet access to work)
 iptables -t nat -I POSTROUTING -o br0 -j SNAT --to-source $(nvram get lan_ipaddr)
 # Enable NAT on the WAN port to correct a bug in builds over 17000
 iptables -t nat -I POSTROUTING -o $(get_wanface) -j SNAT --to-source $(nvram get wan_ipaddr)
 # Deny access to the router's own management services from the guest (240.x, br1) network.
 # Numeric ports are used so the rules do not depend on /etc/services being present.
 iptables -I INPUT -i br1 -p tcp --dport 23 -j REJECT --reject-with tcp-reset   # telnet
 iptables -I INPUT -i br1 -p tcp --dport 22 -j REJECT --reject-with tcp-reset   # ssh
 # Optional: uncomment to also block the web GUI. While this stays commented out,
 # the HTTP interface on port 80 remains reachable from guest clients on br1.
 #iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT --reject-with tcp-reset   # http
 iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT --reject-with tcp-reset  # https
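
The whole security property of the script above rests on rule order: because every rule is added with -I (insert at top), the last line issued becomes the first rule checked, which is what puts the br1 -> br0 DROP above the blanket br1 ACCEPT. The following POSIX shell script is an added example, not from the DD-WRT wiki or its authors; it emulates that prepend behaviour offline (no iptables, no root) and reports which of the script's rules a new connection between two interfaces would hit, plus which router ports the INPUT rules reject from br1. The WAN interface name eth0 is an assumption standing in for whatever get_wanface returns on your device.

```shell
#!/bin/sh
# Added example (not from the DD-WRT wiki): emulate the order in which the
# firewall script's FORWARD and INPUT rules are evaluated, without iptables or
# root. "iptables -I" prepends, so the LAST rule inserted is checked FIRST.
# The WAN interface name "eth0" is an assumption standing in for get_wanface.

FORWARD=""
# Mimic: iptables -I FORWARD -i $1 -o $2 -m state --state NEW -j $3
# ('*' means "any interface", i.e. the -i/-o option was omitted)
ipt_I() {
    FORWARD="$1,$2,$3;$FORWARD"
}

# The same four FORWARD rules, in the same order the firewall script issues them.
ipt_I br1 '*' ACCEPT   # allow guest bridge out to anywhere (NEW)
ipt_I '*' '*' TCPMSS   # MSS clamp, non-terminating
ipt_I br0 br1 ACCEPT   # LAN may open connections to the guest WLAN
ipt_I br1 br0 DROP     # guest WLAN may NOT open connections to the LAN

# forward_verdict <in_if> <out_if>: print the first terminating target a NEW
# connection between the two interfaces would hit, or POLICY if none of the
# script's rules match and the packet falls through to DD-WRT's own rules.
forward_verdict() {
    _in=$1; _out=$2; _rest=$FORWARD
    while [ -n "$_rest" ]; do
        _rule=${_rest%%;*}; _rest=${_rest#*;}
        _ri=${_rule%%,*}; _tmp=${_rule#*,}; _ro=${_tmp%%,*}; _rt=${_tmp#*,}
        [ "$_ri" = '*' ] || [ "$_ri" = "$_in" ]  || continue
        [ "$_ro" = '*' ] || [ "$_ro" = "$_out" ] || continue
        # TCPMSS rewrites the SYN but does not end chain evaluation
        if [ "$_rt" = TCPMSS ]; then continue; fi
        echo "$_rt"; return 0
    done
    echo POLICY
}

# Router ports the script REJECTs from br1. Port 80 is intentionally absent,
# matching the commented-out www line in the firewall script.
GUEST_REJECTED_PORTS="23 22 443"

# input_verdict <in_if> <tcp_port>: REJECT if the script's INPUT rules stop the
# packet, CONTINUE if it reaches DD-WRT's remaining INPUT rules.
input_verdict() {
    [ "$1" = br1 ] || { echo CONTINUE; return 0; }
    for _p in $GUEST_REJECTED_PORTS; do
        if [ "$_p" = "$2" ]; then echo REJECT; return 0; fi
    done
    echo CONTINUE
}

# Demo matrix (eth0 stands in for the WAN interface returned by get_wanface)
for pair in "br1 br0" "br0 br1" "br1 eth0" "br0 eth0"; do
    set -- $pair
    printf 'FORWARD %-4s -> %-4s : %s\n' "$1" "$2" "$(forward_verdict "$1" "$2")"
done
for port in 22 80 443; do
    printf 'INPUT   br1 tcp/%-3s    : %s\n' "$port" "$(input_verdict br1 "$port")"
done
```

Run it with sh and compare against the script: guest to LAN is DROP, LAN to guest is ACCEPT, guest to WAN is ACCEPT, and br1 clients are still able to reach tcp/80 on the router. If you swap the order of the two br1 lines in the emulation (issue the DROP before the blanket ACCEPT), the br1 -> br0 verdict flips to ACCEPT, which is exactly the mistake the -I ordering in the original script guards against.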

References & Credits