DD-WRT Setting Up Guest Network

For this you need to have a default route set up for the .8 network, which means you need something to handle routing between the two networks.

However, if you are only interested in keeping traffic from the connections off of ath0.1 from getting to anything but the outside (your border router and beyond), you could set that up without having a second network. What you would need to do is set up iptables rules that block traffic from ath0.1 to the network range, and a reverse rule as well, that blocks traffic from the network range. You would also need a rule pair that allows traffic to and from the gateway router.

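Something like:

# Allow traffic to and from the gateway router (192.168.1.254)
iptables -A INPUT -i ath0.1 -d 192.168.1.254 -j ACCEPT
iptables -A OUTPUT -o ath0.1 -s 192.168.1.254 -j ACCEPT

# Drop everything else between ath0.1 and the 192.168.1.0/24 range
iptables -A OUTPUT -o ath0.1 -s 192.168.1.0/24 -j DROP
iptables -A INPUT -i ath0.1 -d 192.168.1.0/24 -j DROP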

These rules should allow you to have everything on 192.168.1.0/24 without allowing traffic to get to the main net, except to the router (named 1.254 here). They may need some minor tweaking as well.

rybl
Author by

rybl

Updated on September 18, 2022

Comments

  • rybl
    rybl over 1 year

    I have a router on which I installed DD-WRT firmware. I am trying to set up a virtual interface to use as a guest network. The guest network should be on the 192.168.8.0/24 subnet while our LAN is on the 192.168.1.0/24 subnet. The guest network should have full internet access, but no access to our LAN. I think I have everything set up correctly as far as creating the virtual interface and assigning it to a bridge (br1). I am able to connect to the guest network and the client gets an IP on the correct subnet. I am not able to access anything outside the 192.168.8.0/24 subnet however. I'm guessing I need to set up some iptables rules, but I'm pretty shaky with them. Here is what I currently have under firewall:

    iptables -I INPUT -i br1 -m state --state NEW -j logaccept
    iptables -I FORWARD -i br1 -o $wanif -m state --state NEW -j ACCEPT
    

    Edit, more info:

    I set up a wireless virtual interface (ath0.1) to be my guest network. Under Setup>Networking I then created a bridge called br1 with the IP 192.168.8.1 and assigned ath0.1 to it. I added a DHCP server to the bridge. Then under Services>Services I added the following to Additional DNSMasq Options:

    interface=br1
    dhcp-range=br1,192.168.8.100,192.168.8.200,255.255.255.0,1440m
    

    Finally, I added the iptables rules above to the firewall under Administration>Commands.

    • Jimsmithkka
      Jimsmithkka over 12 years
      What is the full IP schema, meaning where/what are the gateway addresses? Also, as a side note, you could just drop packets from .8 going to .1 via iptables.
    • rybl
      rybl over 12 years
      The gateway for our LAN is 192.168.1.1; the router is acting as the gateway for the guest network, 192.168.8.1. Dropping IPs to the .1 network would be great, but I still can't access outside addresses on the .8 network.
    • surfasb
      surfasb over 12 years
      Should post under the DD-WRT forums. Make sure to specify your router model and what version of DD-WRT (minimal, standard, VOIP, etc).
    • derchris
      derchris over 12 years
      I'm missing a major piece of information here. How/where is the separate network created? Are you VLANing some of the router's switch ports?
    • rybl
      rybl over 12 years
      @derchris The router is plugged into our main .1 network. I want the virtual adapter on the .8 network to bridge to this connection for outside IP addresses, but block any attempt to connect to the .1 network. I'm not sure if that answered your question or not.
    • derchris
      derchris over 12 years
      @rybl, I understand what you are trying to achieve. But it is not clear to me how you connect to each of the networks. The router has 4 ethernet ports, which can be VLAN'ed. Is that what you are doing? Anyway, I think this explains what you are looking for: dd-wrt.com/wiki/index.php/…
  • Jimsmithkka
    Jimsmithkka over 12 years
    Let me know if my syntax is correct or not; I don't have iptables memorized.
  • rybl
    rybl over 12 years
    Thanks for the answer. I will give it a try first thing Monday morning and get back to you.
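
As an added example (not part of the original thread and not DD-WRT's own code), this script prints one possible rule set for the guest setup in the question: br1 and both subnets come from the question, while the upstream interface name `vlan2` is a constructed placeholder. It assumes the upstream gateway has no route back to 192.168.8.0/24, which is why it adds a MASQUERADE rule.

```shell
#!/bin/sh
# Added example, not from the thread. br1 and both subnets come from the
# question; the upstream interface name (vlan2) is a constructed placeholder.

# Shape check only: catches typos such as 192.168.1.0.24 before they reach
# iptables. It does not range-check each octet.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the guest-isolation rules for: guest_if guest_net lan_net upstream_if.
# Every rule uses -I (insert at the top), so within one chain the rule
# printed LAST is evaluated FIRST.
guest_rules() {
    gif=$1 gnet=$2 lan=$3 up=$4
    for net in "$gnet" "$lan"; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    done
    # FORWARD sees packets routed through the box. The DROP is inserted
    # after the ACCEPT so it sits above it and LAN destinations lose.
    echo "iptables -I FORWARD -i $gif -o $up -m state --state NEW -j ACCEPT"
    echo "iptables -I FORWARD -i $gif -d $lan -m state --state NEW -j DROP"
    # INPUT sees packets addressed to the router itself. Guests keep DHCP
    # and DNS; every other new connection to the router is dropped.
    echo "iptables -I INPUT -i $gif -m state --state NEW -j DROP"
    echo "iptables -I INPUT -i $gif -p udp --dport 67 -j ACCEPT"
    echo "iptables -I INPUT -i $gif -p udp --dport 53 -j ACCEPT"
    echo "iptables -I INPUT -i $gif -p tcp --dport 53 -j ACCEPT"
    # Assumption: the upstream gateway has no route to the guest subnet,
    # so guest traffic leaves with the router's upstream address.
    echo "iptables -t nat -I POSTROUTING -s $gnet -o $up -j MASQUERADE"
}

# Dry run with the values from the question; nothing is applied here.
guest_rules br1 192.168.8.0/24 192.168.1.0/24 vlan2
```

Review the printed rules before applying them, for example by piping the output to `sh` on the router or pasting it under Administration>Commands.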