Guest wifi when using dd-wrt as gateway

hi, new here.
my configuration is as such:
i have dd-wrt router (sigh) as my gateway in 192.168.1.1
i have openwrt router as my main router (dhcp, dns, firewall, etc,etc) in 192.168.1.2.
dhcp gives clients addresses between 192.168.100-200 and gateway as 192.168.1.1 (ofc).
everything works fine.
i now want to add guest wifi on the openwrt router in subnet 192.168.2.x. i can't find a way to use dd-wrt as the gateway. no internet whatever i do (i've followed the guides in the wiki).
not sure if the issue is from openwrt side or dd-wrt.

Why do you need two routers anyway? Using one will massively simplify your network and ease troubleshooting.

The 1st one could be a BCM-based *DSL modem that OP can't get rid of?

i have a physical limitation which requires me to divide between gateway and router.
dd-wrt is configured only as gateway. same subnet, no dhcp and such. practically a modem.

In this setup the network is only routed once, by the ddwrt router. The OpenWrt router is a device on the LAN providing dhcp and dns services. But since traffic is not routed through it, it can't actually firewall.

So the whole design should be revisited, preferably with an eye to removing the ddwrt router entirely.

Without changing the way the network is now, you could still add a 192.168.2.0 guest network and route guest->lan inside the OpenWrt router. OpenWrt is already configured to route requests for the Internet to 192.168.1.1.

but then guest wlan will have access to home lan, no? this is undesirable.

That is handled with a firewall rule that blocks guests from reaching any 192.168.1 IP. (Even with this rule in place, it will still work to have 192.168.1.1 as the gateway, as the firewall considers the final destination of the packet).

so if i understand correctly - i need to add static route for 192.168.2.x to 192.168.1.1 + firewall rule to block all traffic from it to 192.168.1.x ?

Generally the locally routed guests are NATted into the LAN, so the upstream router (ddwrt) sees guest traffic as coming from 192.168.1.2 and does not require special routes. It is also possible to have symmetric routing by installing a static route in the main router 192.168.2.0/24 via 192.168.1.2. Then the main lan knows what to do with 192.168.2.X packets and NAT in the second router is not required.

The configuration for the basic NATd locally routed guest is the same as a regular guest network on a main router except that the firewall needs to allow guest->lan forwarding instead of guest->wan, and masquerading is turned on on the lan zone. Once that is working you can enhance it by removing NAT.
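As an added illustration of the NATted, locally routed guest setup described above (this is example configuration, not taken from the thread or the OpenWrt docs), here is the /etc/config/firewall side on the OpenWrt router. It assumes a network interface named `guest` already exists with 192.168.2.1/24 and that the `lan` interface is 192.168.1.2 with 192.168.1.1 as its gateway.

```uci
# /etc/config/firewall (example; assumes interfaces 'lan' and 'guest' exist)

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# NAT guest traffic to 192.168.1.2 so the dd-wrt gateway needs no route
	# back to 192.168.2.0/24. Drop this line (and add a static route
	# 192.168.2.0/24 via 192.168.1.2 on dd-wrt) for symmetric routing.
	option masq '1'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guests must be forwarded into the lan zone, not wan: lan is the way out.
config forwarding
	option src 'guest'
	option dest 'lan'

# Let guests reach the router itself only for DHCP and DNS.
config rule
	option name 'Allow-Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option family 'ipv4'
	option target 'ACCEPT'

# Block guest -> home LAN hosts. dest_ip is essential: a src/dest rule with
# no dest_ip rejects every forward into the lan zone, including packets bound
# for the Internet via 192.168.1.1. With dest_ip set, only packets whose final
# destination is a 192.168.1.x address are rejected; Internet traffic that
# merely uses 192.168.1.1 as its next hop still passes.
config rule
	option name 'block_Guest_from_Lan'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option target 'REJECT'
```

Rules are evaluated before the zone forwarding default, so the REJECT rule takes precedence over the guest->lan forwarding for LAN destinations only; apply with `/etc/init.d/firewall restart` and verify from a guest client that 192.168.1.2 is unreachable while external hosts are.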


To add what @mk24 already pointed out:

N.B. I administer a lot of DDWRT routers (Broadcom, e.g. NetGear R7000, Asus AC68 etc.) for friends, family and neighbours with hardware flow offloading and on Kernel 4.4 SLTS; they are still humming along.

i'll try and update. thanks!
i don't like dd-wrt because for some reason everything there feels "backwards". something just doesn't feel right.
i had experience in the past with pfsense and fortigate. openwrt feels and behaves like those much more than dd-wrt does.
it is rock solid in my home, though. on the other hand - so is openwrt. the only reason i'm using dd-wrt is broadcom hardware (lesson learned).


hi, thanks for the assist.
guest network is working BUT i have issue with firewall rules.
the moment i enable "block guest from lan" i lose internet connectivity.
i've tried to add another rule which allows network to gateway but it doesn't help (i've made sure to put it above the block rule).
not sure how to configure firewall rules to forward internet traffic via gateway while blocking all other traffic to lan (in the same subnet as the gateway).
any help would be appreciated. thanks!

The lan is your way out so you cannot block that.

It is in the manual, click here to see

scroll down: Traffic rules block_Guest_from_Lan

this is the exact section which says how to block it...
anyway - i think i found my mistake. right now everything is working like it should.
i'll make a few more tests to confirm. thanks!

