OpenWrt Forum Archive

Topic: Block LAN access for Wireless Users

The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,
I have built a small Hotspot environment with CoovaAP on a WRT54GL.
Now I've got a problem with my wireless clients. They shouldn't be allowed to access my LAN clients.
I think I can do this with iptables rules, but I don't know how.
Here's a picture of my setup:

WWW--------Router (192.168.1.1)------------WRT-WAN (192.168.1.198)---------WRT LAN (192.168.100.1)----------WRT WLAN (10.1.0.1)
                            |
                            |
                   LAN (192.168.1.x)

So every wireless user who logs on to the Hotspot gets an IP like 10.1.0.x, and after registering on the Hotspot the user
gets full access to my network.
But the wireless users shouldn't be allowed to have access to the LAN clients in 192.168.1.x, though they need to have access to the router 192.168.1.1;
otherwise they won't have internet access.

Now the question is how to set up iptables so that the WLAN clients only have access to 192.168.1.1.
Another possibility is to allow only traffic on port 80.

Maybe anybody has some advice for me?

Thanks
draught

I could be wrong here as I'm a bit new to the whole thing myself, but what you probably need to do is create another VLAN on your router (vlan2) which the wireless clients will all run off. Then create an iptables rule to allow access from vlan2 to the WAN interface on your router for internet access.

I could be wrong, but your LAN clients and the WLAN clients should then be isolated from each other.

Hope this helps.

(Last edited by defrag1984 on 26 Mar 2008, 21:59)

iptables -a OUTPUT -s 10.1.0.0/24 -d 192.168.100.0/24 -j DROP


That's how you do it from a manual standpoint. I run my own scripts, though, so I'm not sure how to work it into the default script. Basically, just deny output from the WLAN source to the LAN destination.

personally, I broke the bridge br0 and treat the wifi (eth2) and lan (vlan0) separately.  Both can get to the internet.  I exposed my VPN server on the wifi, so wifi clients can VPN into the LAN if needed.

I agree with ziggurat29; I was going to suggest "put the wifi on a separate subnet".

ziggurat29, that looks like exactly what I'm trying to do. I think my rules are whack though. I get packet loss when I'm on the wifi. Could you post the relevant bits of /etc/firewall.user and /etc/config/network?

I would like you to clarify some things. Is your drawing specifying 2 physical devices (a router and a WRT router)? If so, are both running OpenWRT?

If both are running OpenWRT, one thing that could be done is to create a virtual LAN (a VLAN) on both, so that you can wrap your packets coming from the wireless interface in that VLAN packet and send it to the router, where it's going to be routed to the internet in a way that they can't have access to your LAN (192.168.1.x).

(Again assuming 2 separate devices) without that, your packets go through the NAT process and you won't be able to differentiate packets, because they will all look the same to the router.


Or you could do something like madrebel says, except his iptables rule is wrong. You'd have to do something like this:

iptables -A forwarding_rule -s 10.1.0.0/16 -d 192.168.0.0/16 -j DROP
iptables -A input_rule -s 10.1.0.0/16 -j DROP

The previous rules must be added in the '/etc/firewall.user' file on the WRT router.

Note: All the added rules have to be placed after the iptables flush lines (Ex: iptables -t nat -F prerouting_rule) or they will be deleted by the flush lines.

Again, a lot of this is based on a few assumptions. So, please, clarify what you want to do.

(Last edited by dominiquefortin on 6 Jul 2008, 19:03)
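As an added example (not posted by anyone in this thread), here is a /etc/firewall.user-style fragment that combines dominiquefortin's forwarding_rule/input_rule approach with what the original post actually asked for: wireless clients may reach the upstream router 192.168.1.1 but nothing else on the two wired networks, and only the services a hotspot client still needs from the WRT itself stay reachable. The subnets come from the diagram in the first post; the set of allowed WRT services (DHCP, DNS, HTTP) is an assumption, so add whatever port CoovaAP's portal listens on if it differs. The script prints the commands by default (IPT=echo) so the rule order can be checked before anything is loaded; APPLY=1 runs them with iptables.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (labelled): WLAN clients are 10.1.0.0/24,
# the WRT's own LAN is 192.168.100.0/24, the upstream LAN is 192.168.1.0/24 and the upstream
# router is 192.168.1.1 (all taken from the first post's diagram). forwarding_rule and
# input_rule are the user chains dominiquefortin's post names for /etc/firewall.user.

IPT="${IPT:-iptables}"
WLAN_NET="10.1.0.0/24"
WRT_LAN_NET="192.168.100.0/24"
UPSTREAM_LAN_NET="192.168.1.0/24"
UPSTREAM_ROUTER="192.168.1.1"

wlan_isolation_rules() {
    # Forwarded traffic: let hotspot clients reach the upstream router, which the original
    # post explicitly wants, and nothing else on either wired subnet. Two explicit /24 DROPs
    # are used instead of one 192.168.0.0/16 so the ACCEPT above is not swallowed.
    "$IPT" -A forwarding_rule -s "$WLAN_NET" -d "$UPSTREAM_ROUTER" -j ACCEPT
    "$IPT" -A forwarding_rule -s "$WLAN_NET" -d "$UPSTREAM_LAN_NET" -j DROP
    "$IPT" -A forwarding_rule -s "$WLAN_NET" -d "$WRT_LAN_NET" -j DROP

    # Traffic addressed to the WRT itself: a blanket DROP on input_rule would also cut off
    # DHCP renewals, DNS and the hotspot's own web portal, so those are accepted first
    # (assumed service list; adjust to what CoovaAP really listens on).
    "$IPT" -A input_rule -s "$WLAN_NET" -p udp --dport 67 -j ACCEPT
    "$IPT" -A input_rule -s "$WLAN_NET" -p udp --dport 53 -j ACCEPT
    "$IPT" -A input_rule -s "$WLAN_NET" -p tcp --dport 80 -j ACCEPT
    "$IPT" -A input_rule -s "$WLAN_NET" -j DROP
}

# Dry run by default: just print the commands so their order can be reviewed.
# APPLY=1 sh wlan_isolation.sh (as root on the WRT) loads them for real.
[ "${APPLY:-0}" = 1 ] || IPT=echo
wlan_isolation_rules
```

When pasting the generated lines into /etc/firewall.user, keep them after the flush lines dominiquefortin mentions, and keep the ACCEPT for 192.168.1.1 above the DROP for 192.168.1.0/24: iptables evaluates a chain top to bottom and the first match wins, so a broader DROP placed first would block the router as well.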

The discussion might have continued from here.