
I have a router on which I installed DD-WRT firmware. I am trying to set up a virtual interface to use as a guest network. The guest network should be on the 192.168.8.0/24 subnet while our LAN is on the 192.168.1.0/24 subnet. The guest network should have full internet access, but no access to our LAN. I think I have everything set up correctly as far as creating the virtual interface and assigning it to a bridge (br1). I am able to connect to the guest network and the client gets an IP on the correct subnet. I am not able to access anything outside the 192.168.8.0/24 subnet, however. I'm guessing I need to set up some iptables rules, but I'm pretty shaky with them. Here is what I currently have under firewall:

iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o $wanif -m state --state NEW -j ACCEPT

Edit, more info:

I set up a wireless virtual interface (ath0.1) to be my guest network. Under Setup>Networking I then created a bridge called br1 with the IP 192.168.8.1 and assigned ath0.1 to it. I added a DHCP server to the bridge. Then under Services>Services I added the following to Additional DNSMasq Options:

interface=br1
dhcp-range=br1,192.168.8.100,192.168.8.200,255.255.255.0,1440m

Finally, I added the iptables rules above to the firewall under Administration>Commands.


For this you need to have a default route set up for the .8 network, which means you need something to handle routing between the two networks.

However, if you are only interested in keeping traffic from the connections off of ath0.1 from getting to anything but the outside (your border router and beyond), you could set that up without having a second network. What you would need to do is set up iptables rules that block traffic from ath0.1 to the network range, and a reverse rule as well, that blocks traffic from the network range. You would also need a rule pair that allows traffic to and from the gateway router.

Something like:

# Traffic between the guest clients and other hosts passes through the
# FORWARD chain (INPUT/OUTPUT only see traffic to and from the router itself).
# -I prepends, so insert the DROP rules first and the gateway ACCEPT rules
# second; the ACCEPT rules then end up ahead of the DROP rules and win.
iptables -I FORWARD -i ath0.1 -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -o ath0.1 -s 192.168.1.0/24 -j DROP

iptables -I FORWARD -i ath0.1 -d 192.168.1.254 -j ACCEPT
iptables -I FORWARD -o ath0.1 -s 192.168.1.254 -j ACCEPT

These rules should allow you to have everything on 192.168.1.0/24 without allowing traffic to get to the main net, except to the router (named 1.254 here). They may need some minor tweaking as well.
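For the asker's routed layout (guests on br1 at 192.168.8.0/24, LAN at 192.168.1.0/24), here is a complete rule set as an added example; it is not from the question or the answer. It assumes the LAN bridge is br0 and that the WAN interface name comes from DD-WRT's `nvram get wan_iface` (or is passed as the first argument), and it also restricts what guests may send to the router itself (DHCP and DNS only) instead of accepting every new connection on br1.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumptions: LAN bridge is br0,
# WAN interface from "nvram get wan_iface" unless given as $1.
GUEST_IF=br1
GUEST_NET=192.168.8.0/24
LAN_IF=br0
LAN_NET=192.168.1.0/24

# Emit the iptables commands instead of running them, so the set can be
# reviewed first and then applied with: guest_fw_rules | sh
# Every rule uses -I, which prepends: rules are emitted lowest-priority
# first, so the rule emitted LAST is evaluated FIRST.
guest_fw_rules() {
    wanif=${1:-$(nvram get wan_iface)}
    cat <<EOF
# Catch-all: anything else leaving the guest network is dropped.
iptables -I FORWARD -i $GUEST_IF -j DROP
# Guests may reach the Internet, and replies may come back.
iptables -I FORWARD -i $GUEST_IF -o $wanif -j ACCEPT
iptables -I FORWARD -i $wanif -o $GUEST_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Guest to LAN is dropped, matched both by interface and by address.
iptables -I FORWARD -i $GUEST_IF -o $LAN_IF -j DROP
iptables -I FORWARD -i $GUEST_IF -d $LAN_NET -j DROP
# Traffic to the router itself: only DHCP and DNS (plus replies) from guests.
iptables -I INPUT -i $GUEST_IF -j DROP
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT guest traffic on the way out (harmless if DD-WRT already does this).
iptables -t nat -I POSTROUTING -s $GUEST_NET -o $wanif -j MASQUERADE
EOF
}
```

After applying, `iptables -L FORWARD -v -n` should list the guest-to-LAN DROP rules above the WAN ACCEPT rule, and the packet counters on the DROP rules will show whether guest clients are trying to reach the LAN.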