Author Topic: FAQ (5 of 5): Wireless Guest Network on Buffalo DD-WRT  (Read 9805 times)

brian_nathaniel

  • Big Bull
  • *****
  • Posts: 921
FAQ (5 of 5): Wireless Guest Network on Buffalo DD-WRT
« on: May 25, 2012, 12:38:34 pm »

This is a pretty simple setup to allow your guests to have access to your network on a different subnet and not be able to access other users on the network and the devices on your LAN.

Here are the steps:

  1. Add a virtual interface in the wireless section. This will be labeled as ath0.1.
  2. Check the advanced box, enable AP isolation, set Network Configuration to "unbridged", and set up your IP address scheme and subnet mask.
  3. Then apply the settings.

 

Next we are going to add a DHCP server to this virtual interface.

  1. Go to Setup then Networking
  2. Here we are going to go down to DHCPD and we are going to add another DHCP server.
  3. When we add it we are going to assign it to the virtual interface we created. The default identifier for this virtual interface is ath0.1
  4. When that is selected we are going to press apply

Now you should have a virtual interface with a separate DHCP server on another subnet. Now we are going to add code to the commands so that the wireless guests will have no access to the devices on the LAN.

 

  1. Go to Administration and then commands
  2. In this window here we are going to add the following code

     iptables -I FORWARD -i ath0.1 -o br0 -j logdrop
     iptables -I FORWARD -i br0 -o ath0.1 -j logdrop

  3. Then once that is added we are going to press save firewall.

That is it. Now you should have a separate SSID with its own subnet and DHCP server that cannot connect to other wireless guests nor the devices on the LAN.


corrinewinslow

  • Calf
  • *
  • Posts: 2
Re: FAQ (5 of 5): Wireless Guest Network on Buffalo DD-WRT
« Reply #1 on: July 07, 2012, 01:50:43 pm »

The post should include an additional iptables command to enable internet access for the guest network, a common use of guest networks.


e.g.

# Enable NAT for traffic routing out eth1 (WAN port) for guest network (ath0.1)
iptables -t nat -I POSTROUTING -s `nvram get ath0.1_ipaddr`/`nvram get ath0.1_netmask` -o eth1 -j SNAT --to `nvram get wan_ipaddr`


Should also refer to a DD-WRT wiki entry that lists advanced iptables settings (at the bottom of the post).

 DD-WRT wiki - Multiple WLANs

 

BTW, your instructions are more recent, simple and direct. I do not understand why the DD-WRT wiki suggested creating a bridge for a single interface/VAP/ath0.1. Seems unnecessarily complicated even though it may be elegant.

 

Corrine
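
An added example, not part of any post in this thread: a shell audit that reads rules in iptables-save format and checks the two things the posts above set up, the FORWARD drops between ath0.1 and br0 in both directions and source NAT for the guest subnet out eth1. The function names, the 192.168.10.0/24 guest subnet and the sample rules are assumptions constructed for the example.

```shell
# Interface names are the ones in the posts; GUEST_NET is a constructed value.
GUEST_IF=${GUEST_IF:-ath0.1}; LAN_IF=${LAN_IF:-br0}; WAN_IF=${WAN_IF:-eth1}
GUEST_NET=${GUEST_NET:-192.168.10.0/24}

# first_target RULES TABLE CHAIN KEY1 VAL1 KEY2 VAL2: print the -j target of the first
# rule whose selectors cover VAL1/VAL2 (absent = any). Rules with neither or "!" are skipped.
first_target() {
  printf '%s\n' "$1" | awk -v tb="*$2" -v ch="$3" -v k1="$4" -v v1="$5" -v k2="$6" -v v2="$7" '
    /^\*/ { cur = $1; next }
    cur == tb && $1 == "-A" && $2 == ch {
      a = ""; b = ""; t = ""; neg = 0
      for (n = 3; n < NF; n++) {
        if ($n == "!") neg = 1
        if ($n == k1) a = $(n + 1)
        if ($n == k2) b = $(n + 1)
        if ($n == "-j") t = $(n + 1)
      }
      if (neg || (a == "" && b == "")) next
      if ((a == "" || a == v1) && (b == "" || b == v2)) { print t; exit }
    }'
}

# Print one finding per line; the return status is the number of failed checks.
audit_guest() {
  rules=$1; fails=0
  for pair in "$GUEST_IF $LAN_IF" "$LAN_IF $GUEST_IF"; do
    set -- $pair
    t=$(first_target "$rules" filter FORWARD -i "$1" -o "$2")
    case "$t" in
      DROP|REJECT|logdrop) echo "OK   $1 -> $2 blocked by $t" ;;
      *) echo "FAIL $1 -> $2 first match: ${t:-none}"; fails=$((fails + 1)) ;;
    esac
  done
  t=$(first_target "$rules" nat POSTROUTING -s "$GUEST_NET" -o "$WAN_IF")
  case "$t" in
    SNAT|MASQUERADE) echo "OK   $GUEST_NET NATed out $WAN_IF by $t" ;;
    *) echo "FAIL no NAT for $GUEST_NET out $WAN_IF"; fails=$((fails + 1)) ;;
  esac
  return "$fails"
}

# Constructed sample, trimmed iptables-save format, not captured from a real router.
SAMPLE='*nat
-A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 203.0.113.5
*filter
-A FORWARD -i ath0.1 -o br0 -j logdrop
-A FORWARD -i br0 -o ath0.1 -j logdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
audit_guest "$SAMPLE"
```

Set GUEST_NET to the guest subnet exactly as the saved rules print it. A drop rule that sits below an ACCEPT for the same interface is reported as FAIL, which is the case the `-I` (insert at the top of the chain) in the posted commands avoids.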


buddee

  • Big Bull
  • *****
  • Posts: 548
Re: FAQ (5 of 5): Wireless Guest Network on Buffalo DD-WRT
« Reply #2 on: July 07, 2012, 03:23:37 pm »

It's done that way in the dd-wrt wiki because this guide is so simple that it lacks basic functionality aspects; the fact that you even had to include a reference link to the dd-wrt wiki shows that. And the fact that you had to post code for the 'enable NAT on WAN for guest network' shows even more how incomplete this guide here is... The dd-wrt wiki may be 'elegant' as you put it, but it will also give your guest network FULL functionality - whereas this guide won't give you the full functionality of a guest network.


Baji

  • Calf
  • *
  • Posts: 1
Re: FAQ (5 of 5): Wireless Guest Network on Buffalo DD-WRT
« Reply #3 on: December 30, 2012, 06:29:06 pm »

The original poster's instructions DO NOT WORK!

A number of intermediate steps are missing from these instructions. Setting up an "unbridged" virtual interface creates a WLAN that cannot be assigned to a bridge. The firewall rules specified also require some examination.

Unfortunately, the original author's signature line, "I no longer work for Buffalo and am not associated with the company in any way", may be dissuading readers from challenging this post because of his implied expertise.

I am no expert on wifi or iptables, but I posted steps for setting up a guest wireless network on my blog. Copy paste link from here => http://ohiobaji.blogspot.com/2012/12/share-your-i-net-safely.html

PS: buddee, thank you for pointing out the issues on this and other wifi forums.