I have successfully set up a home network as follows:
OpenWrt router as the main router and DD-WRT router as an access point. Guest wifi is set up in DD-WRT and guests can't see main network devices nor each other.
But how can I add an exception for guest network devices to allow them to access the Raspberry Pi (192.168.1.195) in the main network?
```
              +-----------------------+
              | Openwrt (DHCP Server) |
              |      192.168.1.1      |
              +-----------------------+
                          |
                          |
                          |
+----------------------------------------------------+
| DD-WRT                                             |
| 192.168.1.2                                        |
|                                                    |
| WAN Disabled                                       |
| Gateway 192.168.1.1                                |
| Type DHCP Server                                   |
| DHCP Server Disabled                               |
|                                                    |
|                                                    |
| +-----------------+ +-----------------------------+|
| | AP wl0          | | Guest VLAN wl0.1            ||
| |                 | |                             ||
| |                 | | Unbridged                   ||
| |                 | | Net Isolation: Yes          ||
| |                 | | Forced DNS Redirection: Yes ||
| |                 | | Optional DNS Target 1.1.1.1 ||
| |                 | | IP Address 192.168.2.1/24   ||
| |                 | | AP Isolation: Yes           ||
| +-----------------+ +-----------------------------+|
+---------|--------------------------------|---------+
          |                                |
          |                                |
  +---------------+                 +-------------+
  | ClientA       |                 |ClientB      |
  | 192.168.1.195 | <-------------- |192.168.2.30 |
  +---------------+ How to access   +-------------+
                     A from 192.168.2.X?
```
To me it looks like the guest network is completely handled by DD-WRT, so this is a DD-WRT question, not an OpenWrt question. In OpenWrt, you would add a firewall rule to allow access.
Ok, looks like I have extra problems with DD-WRT managing the guest network, as I want to control firewall rules and routes on OpenWrt.
Any advice on a setup where the DD-WRT router is used only as a wifi access point (main + guest wifi) and all other network management (DHCP, zones, routes, firewall) is done on OpenWrt?
If the guest network is handled by DD-WRT, you cannot make other rules to affect the guest network on another device.
The best topology for this is to have your main router handle all the networks (lan + guest + others) and run all other devices as dumb APs (ideally fully VLAN aware and capable of running multiple SSIDs). This way your main router's firewall handles all of the rules.
When using a dumb access point, aka a Wireless Access Point, you need to Masquerade over the LAN interface.
For DD-WRT something like
```
iptables -t nat -I POSTROUTING -o br0 -j MASQUERADE
```
All but number 5. Masquerading is only necessary in a dumb AP with guest wifi configuration (example of how to do it with OpenWrt) -- in other words, the guest wifi is created and routed on the dumb AP. If the main router handles the guest network, you'll be simply using a multi-SSID dumb AP (with VLANs); no routing or firewall or anything else happens on the dumb AP.
Does this mean I should use another cable from a DD-WRT eth port (assigned to vlan3) to OpenWrt and continue the remaining setup there, or how else will the different VLANs reach OpenWrt?
I've done the DD-WRT part, except number 5.
Created br1 and assigned vlan3 and wl0.2 to it.
br1 ip address is set to 172.16.0.1/24. Main network managed by OpenWrt is 192.168.1.0/24
I am not getting ip address on connecting to wl0.2. br1 is just sitting there separate.
No, just one cable between the two routers. This will be a 'trunk' cable -- i.e. carrying multiple networks on the same cable using VLANs (802.1q tagged).
The wireless hardware should not be specified in the network config.
Let's see your config so far...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
OpenWrt is the main router. I want to manage everything with OpenWrt and leave DD-WRT only for wireless because my OpenWrt is located in a garage rack but DD-WRT in livingroom.
host_to_guest route is there because of my previous setup, where guest network was managed by DD-WRT.
I have not yet made any configurations on OpenWrt.
```
config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config rule
	option name 'Allow-guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-guest-DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'
```
This should get you a functional guest network on eth1 as a tagged network on VLAN2.
From there, you'll need to configure your DD-WRT device to set up a bridge with VLAN2 and a wifi SSID. In most cases, the AP should not have an address on this network.
I followed your instructions and it looks like I've got the guest network working. For the detailed configuration of DD-WRT I got help from their community - thanks egc.
I assume, I should make a configuration for tagged vlan1 also?
At the moment main SSID (wl0 on DD-WRT) has no DHCP nor access anywhere. And ping on 192.168.1.2 (DD-WRT router) from OpenWrt wired network fails.
Looks like vlan1 from DD-WRT is also working now on the OpenWrt main network.
I had to create eth2.1 device (eth2 connects to AP) and add that device to the br-lan.
I don't know if this is the right way to do it but everything appears to be working as expected.
```
config device
	option type '8021q'
	option ifname 'eth2'
	option vid '1'
	option name 'eth2.1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth2.1'
```
Thank you psherman, you're great! I got my problem solved and learned a lot.
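A small audit script for the two configs discussed in this thread, added here as an example and not code from the thread or from OpenWrt itself. It parses UCI text the way the snippets above are written and checks the properties the guest zone should keep once everything is managed on OpenWrt: input and forward policy REJECT, forwarding only to wan, router-side exceptions limited to DHCP and DNS, and any guest-to-lan exception pinned to a single host and port (the Raspberry Pi at 192.168.1.195 from the original question; port 22 is an assumption). On the network side it checks that the guest interface rides a tagged 8021q device that is not a port of br-lan. The firewall stanzas are the ones posted above; the exception rule, the `eth1.2` device and the `guest` interface stanzas are constructed for the example and not shown in the thread.

```python
"""Audit OpenWrt UCI firewall/network text for guest-network isolation.

Added example, not from the forum thread. The parser handles the UCI text
format (config/option/list lines); the audits return a list of findings,
so an empty list means the guest zone looks isolated as intended.
"""
import shlex

# Constructed sample: the thread's firewall stanzas plus an ASSUMED exception
# letting guest clients reach the Raspberry Pi on one port only.
FIREWALL_CONF = """
config zone
    option name 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'guest'

config rule
    option name 'Allow-guest-DHCP'
    option src 'guest'
    option proto 'udp'
    option dest_port '67-68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-guest-DNS'
    option src 'guest'
    option dest_port '53'
    option target 'ACCEPT'

config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option name 'Allow-guest-to-pi'   # assumed exception, not in the thread
    option src 'guest'
    option dest 'lan'
    option dest_ip '192.168.1.195'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
"""

# Constructed sample: the thread's eth2.1 / br-lan stanzas plus an ASSUMED
# tagged guest device (eth1.2, VLAN 2) and guest interface.
NETWORK_CONF = """
config device
    option type '8021q'
    option ifname 'eth2'
    option vid '1'
    option name 'eth2.1'

config device
    option name 'br-lan'
    option type 'bridge'
    option ipv6 '0'
    list ports 'eth1'
    list ports 'eth2'
    list ports 'eth2.1'

config device                      # assumed: guest VLAN tagged on eth1
    option type '8021q'
    option ifname 'eth1'
    option vid '2'
    option name 'eth1.2'

config interface 'guest'           # assumed
    option proto 'static'
    option device 'eth1.2'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
"""

# Services a guest client may talk to on the router itself: DHCP and DNS.
ROUTER_SERVICES = {("udp", "67-68"), ("tcpudp", "53")}


def parse_uci(text):
    """Return [(section_type, section_name_or_None, options)] for UCI text.
    'option' keys map to a string, 'list' keys to a list of strings."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # drops '# ...' comments
        if not words:
            continue
        kind, args = words[0], words[1:]
        if kind == "config":
            sections.append((args[0], args[1] if len(args) > 1 else None, {}))
        elif kind == "option" and sections:
            sections[-1][2][args[0]] = args[1]
        elif kind == "list" and sections:
            sections[-1][2].setdefault(args[0], []).append(args[1])
    return sections


def audit_guest_firewall(sections, guest="guest", trusted="lan"):
    """Findings about the guest zone's policies, forwardings and rules."""
    findings = []
    zones = {o.get("name"): o for t, _, o in sections if t == "zone"}
    zone = zones.get(guest)
    if zone is None:
        return [f"zone '{guest}' not defined"]
    for policy in ("input", "forward"):
        if zone.get(policy) not in ("REJECT", "DROP"):
            findings.append(f"zone '{guest}' {policy} is {zone.get(policy, 'unset')}, expected REJECT")
    for t, _, o in sections:
        if o.get("src") != guest:
            continue
        if t == "forwarding" and o.get("dest") != "wan":
            findings.append(f"forwarding {guest} -> {o.get('dest')} exposes a whole zone")
        if t == "rule" and o.get("target") == "ACCEPT":
            name = o.get("name", "<unnamed>")
            if "dest" not in o:  # traffic to the router itself (assumed proto default tcpudp)
                key = (o.get("proto", "tcpudp"), o.get("dest_port"))
                if key not in ROUTER_SERVICES:
                    findings.append(f"rule '{name}' accepts {key[0]}/{key[1] or 'any'} to the router")
            elif o["dest"] == trusted:
                if "dest_ip" not in o or "/" in o["dest_ip"]:
                    findings.append(f"rule '{name}' opens {trusted} without a single-host dest_ip")
                if "dest_port" not in o:
                    findings.append(f"rule '{name}' opens every port on {o.get('dest_ip', trusted)}")
    return findings


def audit_guest_network(sections, guest="guest", lan_bridge="br-lan"):
    """Check the guest interface uses a tagged VLAN device kept out of br-lan."""
    devices = {o.get("name"): o for t, _, o in sections if t == "device"}
    iface = next((o for t, n, o in sections if t == "interface" and n == guest), None)
    if iface is None:
        return [f"interface '{guest}' not defined"]
    findings = []
    dev = iface.get("device")
    if devices.get(dev, {}).get("type") != "8021q":
        findings.append(f"guest device {dev} is not a tagged (8021q) VLAN device")
    if dev in devices.get(lan_bridge, {}).get("ports", []):
        findings.append(f"guest device {dev} is bridged into {lan_bridge}")
    return findings


if __name__ == "__main__":
    for label, result in (("firewall", audit_guest_firewall(parse_uci(FIREWALL_CONF))),
                          ("network", audit_guest_network(parse_uci(NETWORK_CONF)))):
        print(label, "OK" if not result else result)
```

The checks deliberately key on explicit values: a rule with no `target` or a zone with no policy is reported rather than silently treated as safe, so the script is a sanity check on what you wrote, not a replacement for the firewall's own defaults.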
Client isolation is a wifi thing -- so you can enable it in the SSID settings. However, it only works within the same AP.
If you have multiple APs broadcasting the same SSID, the clients on any given AP will not be able to see each other, but the clients on one AP will be able to see the clients on the other AP and vice versa.