Separate LAN and WLAN (light)

From DD-WRT Wiki

Revision as of 21:23, 7 March 2018 by Jeremywh7 (Talk | contribs)

This is intended to be a 'light' version of Separate_LAN_and_WLAN. You should refer back to Separate_LAN_and_WLAN when you need more basic information.

Device used

This is a rough draft of a page that details how I separated the WiFi from the LAN on Build 27506 (2015-09-07), DD-WRT v3.0-r27506 std (07/09/15), on a Buffalo WHR-HP-G300N.

(It's an Atheros device; some menus may vary slightly from Broadcom hardware.)
Firewall Script

Lastly, enter this in the Commands section and click Save Firewall:

#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Allow br0 (LAN) access to br1 (WLAN)
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
#Block access from br1 (WIRELESS) to br0 (LAN)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
#NAT to make Internet work
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
#Deny access to local router services from Guest (240.x br1) network
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
#iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
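The script above relies on `iptables -I` prepending each rule, so the br1-to-br0 DROP listed later in the script must end up ahead of the broad br1 ACCEPT in the resulting FORWARD chain. The following check, an added example and not part of the wiki page, reads an `iptables -S FORWARD` dump and reports whether that ordering actually holds; the two chain dumps in it are constructed samples, not captured from a router.

```shell
#!/bin/sh
# Added check, not part of the DD-WRT wiki page: given the output of
# `iptables -S FORWARD`, report whether the rule dropping NEW guest (br1)
# -> LAN (br0) traffic is evaluated before the rule that accepts any NEW
# traffic entering from br1. The wiki script uses `iptables -I`, which
# prepends, so the DROP listed later in the script lands earlier in the
# chain; appending with -A instead would silently undo the isolation.
#
# Reads rules on stdin; prints exactly one verdict word:
#   isolated            DROP precedes the broad br1 ACCEPT (or no such ACCEPT)
#   accept-before-drop  guests can still reach the LAN
#   no-drop-rule        the br1 -> br0 DROP rule is missing entirely
check_guest_isolation() {
    awk '
        # first rule that drops traffic from br1 into br0
        /-i br1 -o br0/ && /-j DROP/ && !drop { drop = NR }
        # first rule that accepts traffic arriving on br1 regardless of exit
        /-i br1 / && !/-o br0/ && /-j ACCEPT/ && !accept { accept = NR }
        END {
            if (!drop)                   { print "no-drop-rule";       exit }
            if (accept && accept < drop) { print "accept-before-drop"; exit }
            print "isolated"
        }'
}

# Constructed sample: the FORWARD chain as `iptables -S FORWARD` shows it
# after the wiki script above ran (each -I pushed the next rule to the top).
GOOD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP
-A FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br1 -m state --state NEW -j ACCEPT'

# Constructed sample: the same rules entered with -A (appended) instead of
# -I, so the broad br1 ACCEPT is matched before the DROP ever applies.
BAD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP'

# Convenience wrapper so a chain dump held in a variable can be checked.
verdict_for() { printf '%s\n' "$1" | check_guest_isolation; }

# On the router itself: iptables -S FORWARD | check_guest_isolation
```

Run it on the router after saving the firewall script; any verdict other than `isolated` means wireless clients can still open new connections into the LAN.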

References & Credits