DD-WRT's Repeater Bridge Mode and additional virtual interfaces with own DHCP range


I'm using a WRT160NL as Repeater Bridge. It extends my wireless signal and all clients are on the same subnet getting DHCP leases from the primary router which also connects to the internet.

[Image: reference image from DD-WRT wiki]

Physical interface ath0 at secondary site is connected to the main wifi, virtual interface ath0.1 has the same SSID and serves clients which works fine.

Problem:

I'd also like to have a guest wifi on its own subnet. A separated net which uses the primary router as a gateway. So I added another virtual interface ath0.2. There is also a guide which I followed here: Multiple WLANS.

Because DD-WRT is in "Client Bridge" mode you cannot configure a DHCP server for a virtual interface. So I'm using the "Command Method" as described in the link. If I connect to ath0.2 it seems to work, client gets an IP from the new IP range. Unfortunately the clients can't reach the internet. Seems like the Gateway IP from ath0.2 is not routed/bridged correctly. IP range differs from the main net. I created a new bridge br1 and added it to the guest net. I also tried different gateways as DHCP option (address from main router, dd-wrt's address, address of virtual interface itself) to no avail.

Is it even possible to have DD-WRT act as a DHCP server on a virtual interface when it is in Repeater Bridge mode simultaneously? Thanks for thoughts on this!

EDIT:

Address ranges:

primary router 192.168.178.1/24

secondary 192.168.178.2/24

For ath0.2 I configured 192.168.179.2/24

Clients get the right addresses and gateway as configured with dnsmasq.

EDIT 2: Added the following iptables rules:

# Allow br1 access to br0, the WAN, and any other subnets 
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled) 
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# Allow br1 to access DHCP & DNS on the router 
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

Then I tested connectivity with 192.168.179.2 and 192.168.178.2 as gateway. Still no internet access.

Routing table:

Destination LAN NET   Subnet Mask     Gateway   Flags   Metric   Interface
169.254.0.0           255.255.0.0     *         U       0        LAN & WLAN
192.168.178.0         255.255.255.0   *         U       0        LAN & WLAN
192.168.179.0         255.255.255.0   *         U       0        br1

Well, 192.168.179.2 is not even pingable when connected to the net at ath0.2.

duenni

Posted 2015-09-09T19:12:28.520

Reputation: 2 109

What IP ranges do you use and what is a typical ipconfig output (if Windows clients) for a client computer; and does it match what you'd expect - i.e. is a "guest" client receiving your primary router as a gateway? Do clients get the right DNS addresses (also in ipconfig but more detail from ipconfig /all)? – Kinnectus – 2015-09-10T06:00:19.497

Added address ranges. I can add the output of ifconfig (no windows ;-)) later today but I'm sure that address leases contain the expected addresses. – duenni – 2015-09-10T06:19:43.857

Having a quick read of the DNSMasq link you posted you may need to delve into the iptables configuration of your secondary router as it mentions about things like the different bridges being given access to other bridges and NAT etc... It's under the "restricting access" section of the page. Although it says "restricting access" I think it has options that may fix your problem.... be careful with some of the iptables rules, though, as they can lead to blocking things you might not want to block :) – Kinnectus – 2015-09-10T06:36:15.570

Yep, I would do that after everything is working to restrict access from one subnet to another. With no iptables rules at all everything should work out of the box. And it does work but not if I add another bridge with its own subnet and DHCP... – duenni – 2015-09-10T06:40:43.833

What I was saying is that some of the "Restrict Access" options may FIX your problem... – Kinnectus – 2015-09-10T06:59:58.420

Edited my question.. – duenni – 2015-09-10T17:36:33.427

No answers
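
The FORWARD rules in the question are all added with `-I`, which inserts at the head of the chain, so the command that runs last is evaluated first. The following added example (not part of the original post) replays such commands and reports what a new connection from br1 may reach; the isolation rule, the two destination addresses and the DROP chain policy are assumptions constructed for the illustration.

```python
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def build_forward_chain(script):
    """Replay iptables -I/-A commands for the filter FORWARD chain, in evaluation order."""
    chain = []
    for line in script.strip().splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] != ["iptables"] or "-t" in tok:
            continue  # comments, blanks, and other tables such as nat
        op = next((t for t in tok if t in ("-I", "-A")), None)
        if op is None or tok[tok.index(op) + 1] != "FORWARD":
            continue
        rule = {"raw": line.strip()}
        for flag, key in (("-i", "in"), ("-d", "dst"), ("-j", "target")):
            if flag in tok:
                rule[key] = tok[tok.index(flag) + 1]
        if op == "-I":
            chain.insert(0, rule)  # -I without a rule number inserts at the head
        else:
            chain.append(rule)
    return chain

def verdict(chain, in_if, dst, policy="DROP"):
    """First-match verdict for a NEW connection arriving on in_if for dst.
    Only -i and -d matches are modelled; the chain policy is an assumption."""
    dst = ipaddress.ip_address(dst)
    for rule in chain:
        if rule.get("target") not in TERMINAL:
            continue  # TCPMSS alters the packet, traversal continues
        if rule.get("in", in_if) != in_if:
            continue
        if dst not in ipaddress.ip_network(rule.get("dst", "0.0.0.0/0")):
            continue
        return rule["target"]
    return policy

# The two FORWARD rules from the question.
POSTED = """
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
"""
# Constructed isolation rule (not from the page): block guest -> main LAN.
ISOLATE = "iptables -I FORWARD -i br1 -d 192.168.178.0/24 -m state --state NEW -j DROP\n"

LAN_HOST, INTERNET = "192.168.178.10", "203.0.113.5"  # constructed destinations
for name, script in (("posted", POSTED), ("isolate last", POSTED + ISOLATE),
                     ("isolate first", ISOLATE + POSTED)):
    chain = build_forward_chain(script)
    print(name, verdict(chain, "br1", LAN_HOST), verdict(chain, "br1", INTERNET))
```

With the posted rules alone a guest on br1 can open connections to hosts in 192.168.178.0/24; a DROP rule only takes effect if its `-I` command runs after the ACCEPT one.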