
Guest Wireless Connected, No Internet

Discussion in 'Tomato Firmware' started by Saber98, Mar 22, 2018.

  1. Saber98

    Saber98 Network Newbie Member

    I have an ASUS RT-AC66u and I am using Tomato by Shibby 140 AIO 64K

    I've used a different 3rd-party firmware previously and have set up a guest network with no problem. However, I encountered a bug with its WPA2 implementation: if you have a Wi-Fi printer, it will drop and be inaccessible until you reboot either the router or the printer, and remain for only a couple of hours. Flashed Tomato by Shibby and the printer works fine and is stable; awesome build.

    Primary network 10.0.0.0/24
    Guest network 192.168.0.1/24

    WAN is disabled and bridged to LAN.

    Use user-entered gateway if WAN is disabled is selected

    I have the IPTables, but this site won't let me post them and keeps giving me a warning that a "sneaky URL has been detected in the content". I can PM them to someone, or if someone can show me how I can post them here I will.

    No luck, no matter what I do I can't get the guest WiFi to get internet access.
     
    Last edited: Mar 22, 2018
  2. eibgrad

    eibgrad Network Guru Member

    You also have to NAT the guest network over the private network for internet access to work.

    Code:
    iptables -t nat -I POSTROUTING -s 192.168.0.1/24 -j SNAT --to $(nvram get lan_ipaddr)
     
  3. Saber98

    Saber98 Network Newbie Member

    Sent you a PM of my IPTables, since this site keeps saying there is a sneaky URL in the content for my IPTables... :rolleyes:
     
  4. eibgrad

    eibgrad Network Guru Member

    Just replied to that conversation.
     
  5. Saber98

    Saber98 Network Newbie Member

    We can keep the convo here. I tried pinging the Google DNS servers as suggested.

    ping 8.8.8.8

    Pinging 8.8.8.8 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    No luck.
     
  6. eibgrad

    eibgrad Network Guru Member

    The following is wrong:

    Code:
    dhcp-option=tag:br1,3,10.0.0.254
    The gateway needs to be on the same network as the guest.

    Code:
    dhcp-option=tag:br1,3,192.168.0.1
     
  7. Saber98

    Saber98 Network Newbie Member

    How do I fix that? I know in dd-wrt I could set the dhcp-option but not sure how to do that with Tomato.
     
  8. eibgrad

    eibgrad Network Guru Member

    IIRC, tomato adds the correct default gateway automatically. But that's for a WAN enabled config. A WAP config might be different (I just don't remember). Or perhaps you didn't disable the WAN and it's picking up the default gateway from there. Regardless, you should be able to add that directive in the Custom Config field under Advanced->DHCP/DNS.
     
  9. Saber98

    Saber98 Network Newbie Member

    It looks like you can modify it under the LAN. I set the Default Gateway as 192.168.0.1 as well as DNS. I confirmed that WAN is disabled.

    This is what it looks like now:

    pid-file=/var/run/dnsmasq.pid
    resolv-file=/etc/resolv.dnsmasq
    addn-hosts=/etc/dnsmasq/hosts
    dhcp-hostsfile=/etc/dnsmasq/dhcp
    expand-hosts
    min-port=4096
    stop-dns-rebind
    rebind-localhost-ok
    interface=br0
    interface=br1
    dhcp-range=tag:br1,192.168.0.2,192.168.0.254,255.255.255.0,120m
    dhcp-option=tag:br1,3,192.168.0.1
    dhcp-lease-max=255
    dhcp-authoritative


    Still fails for ping or browsing.
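An added check, not code posted by anyone in this thread, for the gateway mistake eibgrad calls out in post 6: a small POSIX sh script that parses the dnsmasq config Tomato writes to /tmp/etc/dnsmasq.conf and confirms that the option-3 gateway for a bridge tag lies inside that bridge's dhcp-range subnet. The two configs embedded in it are constructed from the values in posts 6 and 9; on the router, feed it the real file instead.

```sh
#!/bin/sh
# Added example for this thread (not code posted in it): verify that the gateway
# dnsmasq hands to guest (br1) clients via DHCP option 3 is inside the subnet of
# the br1 dhcp-range. Post 6's config had option 3 = 10.0.0.254 for a
# 192.168.0.0/24 guest range, so clients received a gateway they could not ARP.
# The two config snippets below are constructed from the thread's values.
# On the router run it against the real file with:
#   check_guest_gateway "$(cat /tmp/etc/dnsmasq.conf)" br1

# ip_to_int DOTTED_QUAD -> the address as one integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP_A IP_B NETMASK -> success if both addresses share the network
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# check_guest_gateway CONFIG_TEXT TAG -> 0 if option 3 for TAG is inside the
# TAG dhcp-range's subnet, 1 if it is not, 2 if either directive is missing
check_guest_gateway() {
    cfg=$1; tag=$2
    range=$(printf '%s\n' "$cfg" | sed -n "s/^dhcp-range=tag:$tag,//p")
    gw=$(printf '%s\n' "$cfg" | sed -n "s/^dhcp-option=tag:$tag,3,//p")
    if [ -z "$range" ] || [ -z "$gw" ]; then
        echo "$tag: missing dhcp-range or dhcp-option 3"
        return 2
    fi
    # dhcp-range=tag:br1,START,END,NETMASK,LEASE -> we need fields 1 and 3
    old_ifs=$IFS; IFS=,
    set -- $range
    IFS=$old_ifs
    start=$1; mask=$3
    if same_subnet "$gw" "$start" "$mask"; then
        echo "$tag: OK, gateway $gw is inside $start/$mask"
        return 0
    fi
    echo "$tag: BAD, gateway $gw is not inside $start/$mask (clients cannot reach it)"
    return 1
}

# Constructed configs: the broken one from post 6 and the corrected one from post 9.
BAD_CFG='interface=br0
interface=br1
dhcp-range=tag:br1,192.168.0.2,192.168.0.254,255.255.255.0,120m
dhcp-option=tag:br1,3,10.0.0.254'

GOOD_CFG='interface=br0
interface=br1
dhcp-range=tag:br1,192.168.0.2,192.168.0.254,255.255.255.0,120m
dhcp-option=tag:br1,3,192.168.0.1'

for c in "$BAD_CFG" "$GOOD_CFG"; do
    check_guest_gateway "$c" br1 || echo "  -> set dhcp-option=tag:br1,3,<an address inside the br1 subnet>"
done
```

The same test applies to DHCP option 6 (DNS) if the guest is meant to use the WAP's own dnsmasq: a DNS address outside the guest subnet is only reachable once routing and NAT over br0 work, which is exactly what was still broken at this point in the thread.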
     
  10. eibgrad

    eibgrad Network Guru Member

    Get rid of all the firewall rules *except* the NAT rule. Let's not add restrictions until it works.
     
  11. eibgrad

    eibgrad Network Guru Member

    Also, check that the client's IP config is correctly configured. Perhaps you didn't renew the client's lease after that change, so it has the same bad gateway!
     
  12. Saber98

    Saber98 Network Newbie Member

    This is the only rule I have now:

    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

    Rebooted router, no go.
     
  13. eibgrad

    eibgrad Network Guru Member

    Did you verify the client has the 192.168.0.1 gateway?
     
  14. Saber98

    Saber98 Network Newbie Member

    Confirmed:

    Wireless LAN adapter Wi-Fi:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 11b/g/n Wireless LAN Mini-PCI Express Adapter II
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.0.196(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Wednesday, March 21, 2018 10:56:40 PM
    Lease Expires . . . . . . . . . . : Thursday, March 22, 2018 12:56:40 AM
    Default Gateway . . . . . . . . . : 192.168.0.1
    DHCP Server . . . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 192.168.0.1
     
  15. eibgrad

    eibgrad Network Guru Member

    Can the client ping the primary router's IP?
     
  16. Saber98

    Saber98 Network Newbie Member

    Yep

    ping 192.168.0.1

    Pinging 192.168.0.1 with 32 bytes of data:
    Reply from 192.168.0.1: bytes=32 time=32ms TTL=64
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=64
    Reply from 192.168.0.1: bytes=32 time=2ms TTL=64
    Reply from 192.168.0.1: bytes=32 time=2ms TTL=64

    Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 32ms, Average = 9ms
     
  17. eibgrad

    eibgrad Network Guru Member

    Well that means the routing works. Can't understand why it can't ping a public IP.

    No, I mean the primary router's IP!
     
  18. Saber98

    Saber98 Network Newbie Member

    Yeah, you're telling me. I've set up a number of these like this (DD-WRT); this is the first time I've ever had an issue with the guest network not working. I have a Linksys I'm using to segment my network a couple of different ways, mostly to keep the Internet of crap devices from talking to each other; they have a direct path out to the internet but are not allowed on the primary network.
     
  19. eibgrad

    eibgrad Network Guru Member

    I just realized you misunderstood me. I wanted you to ping the primary router's LAN ip, NOT the WAP's LAN ip. I want to see if it will route from br1 to br0.
     
  20. Sean B.

    Sean B. LI Guru Member

    Maybe I missed it, but I didn't catch the topology here. Are you using a primary router which has an internet connection on its WAN side and a private network on the LAN side, and then a secondary router used for a guest network?
     
  21. Saber98

    Saber98 Network Newbie Member

    Yeah doesn't route to the primary LAN (br0).

    ping 10.0.0.253

    Pinging 10.0.0.253 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.0.0.253:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
     
  22. eibgrad

    eibgrad Network Guru Member

    As I understand it, the second router is a WAP, so its LAN side is bridged to the primary router, and he has a guest VAP being NAT'd over the private network.
     
  23. Saber98

    Saber98 Network Newbie Member

    I'm using the Wireless Access point as just a WAP, it's doing no routing. I have a PFSense firewall that I am using as my WAN device.

    network path inbound:

    PFSense Firewall----> Unmanaged Gigabit Switch---> WAP

    WAP has the primary access point with my LAN IP 10.0.0.0/24 which is DHCP'd from the PFSense firewall.
    WAP also has a guest network with a different IP (192.168.0.1/24)

    It's a setup I'm familiar with as I've set it up before with dd-wrt.
     
  24. eibgrad

    eibgrad Network Guru Member

    Ok, now add the following firewall rules to the WAP and try again.

    Code:
    iptables -I FORWARD -i br1 -o br0 -j ACCEPT
    iptables -I FORWARD -i br0 -o br1 -j ACCEPT
     
  25. Sean B.

    Sean B. LI Guru Member

    So:

    Router: LAN = 10.0.0.0/24

    WAP: LAN = 192.168.0.0/24

    Connection = Router LAN port <-> WAP LAN port

    ?
     
  26. eibgrad

    eibgrad Network Guru Member

    Well actually you are routing; the guest network over the private network (if I understand the config correctly).
     
  27. Sean B.

    Sean B. LI Guru Member

    If so, did you put the LAN port used for connection to the WAP into its own VLAN, IP'd to the same subnet? As that would be required. Saves some iptables magic.
     
  28. Saber98

    Saber98 Network Newbie Member

    Okay, now we're getting somewhere.

    ping yahoo
    Ping request could not find host yahoo. Please check the name and try again.

    ping 10.0.0.253

    Pinging 10.0.0.253 with 32 bytes of data:
    Reply from 10.0.0.253: bytes=32 time=1ms TTL=63
    Reply from 10.0.0.253: bytes=32 time=5ms TTL=63
    Reply from 10.0.0.253: bytes=32 time=1ms TTL=63
    Reply from 10.0.0.253: bytes=32 time=1ms TTL=63

    Ping statistics for 10.0.0.253:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 2ms

    Still fails for outbound DNS lookups, but I am able to ping the Primary LAN IP of the WAP.
     
  29. Saber98

    Saber98 Network Newbie Member

    That's correct, I meant from the Primary LAN IP, it's doing no routing, but yes from Guest to Primary it would have to route. :)
     
  30. eibgrad

    eibgrad Network Guru Member

    Add the following to DNSMasq:

    Code:
    dhcp-option=tag:br1,6,8.8.8.8,8.8.4.4
     
  31. Saber98

    Saber98 Network Newbie Member

    Yes, LAN IP is statically assigned outside of DHCP scope of PFSense firewall.

    VLAN config:

    VLAN  VID  Port 1  Port 2  Port 3  Port 4  WAN Port  Tagged  Default  Bridge
    1     1    Yes     Yes     Yes     Yes     -         -       *        LAN (br0)
    2     2    -       -       -       -       Yes       -       -        WAN
    3     3    -       -       -       -       -         -       -        LAN1 (br1)
     
  32. Sean B.

    Sean B. LI Guru Member

    Must have been a long day, because I still can't seem to follow on what exactly the network layout is here. But this is what I'd assume would be used:

    Router =
    • br0 - private
      • IP = 10.0.0.253
      • LAN Ports = 1 2 3
      • VLAN1
    • br1 - guest
      • IP = 192.168.0.1
      • LAN Ports = 4
      • VLAN3
    WAP =
    • br0 - unused
    • br1 - guest
      • IP = 192.168.0.2
      • LAN Ports = 1 2 3 4
      • WAN = disabled
      • Default gateway ( available when WAN is set to disabled ) = 192.168.0.1
      • VLAN3
    Connection = Router LAN port 4 <-> WAP LAN port 4
     
  33. Saber98

    Saber98 Network Newbie Member

    No luck

    Wireless LAN adapter Wi-Fi:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 11b/g/n Wireless LAN Mini-PCI Express Adapter II
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.0.196(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Wednesday, March 21, 2018 11:26:56 PM
    Lease Expires . . . . . . . . . . : Thursday, March 22, 2018 1:26:57 AM
    Default Gateway . . . . . . . . . : 192.168.0.1
    DHCP Server . . . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 8.8.8.8
    8.8.4.4
    NetBIOS over Tcpip. . . . . . . . : Enabled

    ping yahoo
    Ping request could not find host yahoo Please check the name and try again.
     
  34. eibgrad

    eibgrad Network Guru Member

    One of the problems here is that the OP originally couldn't post links. So he started a private conversation w/ me in which he dumped his config. So that's not in this thread.

    As I understand it, it's *much* simpler. He just has a primary router to which he's added a WAP w/ LAN connection (br0) and added a WAP for guests assigned to a bridge (br1). That's all it is. But he's misconfigured the dhcp-options for gateway and DNS.

    "yahoo" is not a domain name! Try yahoo.com
     
  35. Saber98

    Saber98 Network Newbie Member

    WAN is bridged to LAN after I disabled the WAN.
     
  36. Saber98

    Saber98 Network Newbie Member

    Yeah I know. :) but I can't put "yahoo domain" or I get flagged for trying to sneak in a URL.

    And yes, you are correct, it is that simple.
     
  37. eibgrad

    eibgrad Network Guru Member

    You can't resolve any domain names, but the client can ping those same DNS servers by IP ( 8.8.8.8 and 8.8.4.4 )??
     
  38. Saber98

    Saber98 Network Newbie Member

    Nope, i can't ping 8.8.8.8

    >ping 8.8.8.8

    Pinging 8.8.8.8 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    But I can ping my firewall from the guest network:

    >ping 10.0.0.254

    Pinging 10.0.0.254 with 32 bytes of data:
    Reply from 10.0.0.254: bytes=32 time=2ms TTL=63
    Reply from 10.0.0.254: bytes=32 time=2ms TTL=63
    Reply from 10.0.0.254: bytes=32 time=2ms TTL=63
    Reply from 10.0.0.254: bytes=32 time=1ms TTL=63

    Ping statistics for 10.0.0.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms
     
  39. eibgrad

    eibgrad Network Guru Member

    Do you have the gateway configured on LAN side (br0) of the WAP? It should be the LAN ip of the primary router.
     
  40. Sean B.

    Sean B. LI Guru Member

    I believe this is the problem. I think he's looking at the default gateway option for the interface, under the impression it's for the LAN clients. Setting it to this IP would still allow LAN connectivity, but nothing would get outside of the LAN segment.
     
  41. Saber98

    Saber98 Network Newbie Member

    I do, I have the gateway pointing to my firewall.
     
  42. Sean B.

    Sean B. LI Guru Member

    Note my above post. You need to change that to the IP address of the uplink. I'm not sure if that's the router or firewall box. But whichever it is, needs to be there.. not the br0 IP of the WAP.
     
  43. Saber98

    Saber98 Network Newbie Member

    I've set it to both my Firewall, as well as the guest IP (192.168.0.1) Now that I have the default gateway set as my firewall I am no longer able to ping it.
     
  44. Sean B.

    Sean B. LI Guru Member

    What is the WAP physically connected to? The router or the firewall?
     
  45. Saber98

    Saber98 Network Newbie Member

    The WAP is physically connected to an un-managed switch, which connects to a firewall / router.
     
  46. Saber98

    Saber98 Network Newbie Member

    Yeah, I set the gateway to the IP of the Firewall.
     
  47. Sean B.

    Sean B. LI Guru Member

    And the connection from that switch to the router/firewall is, lets say, port 4. So we have:

    switch <-> port 4 router/firewall

    What is the IP of the bridge you have port 4 assigned to on the router/firewall?
     
  48. eibgrad

    eibgrad Network Guru Member

    If you telnet/ssh into the WAP, can you ping the internet by domain name (e.g., google.com) or IP ( 8.8.8.8 ) from there?
     
  49. Sean B.

    Sean B. LI Guru Member

    I have a feeling the IP of that bridge is going to be 10.0.0.253. Which will not work. The gateway for a network must be inside the same subnet as that network. The network 192.168.0.0/24 cannot have a 10.0.0.0/24 gateway.
     
  50. Saber98

    Saber98 Network Newbie Member

    Router/Firewall IP 10.0.0.254

    WAP LAN IP 10.0.0.250
     
  51. Sean B.

    Sean B. LI Guru Member

    ??? . What happened to 192.168.0.1?

     
  52. Sean B.

    Sean B. LI Guru Member

    With the WAN disabled, the WAP will not function to cross over these networks. You would need to enable VLAN tagging on the link port of the WAP and router/firewall.. and configure a bridge on the router/firewall matching the subnet of the guest network.
     
  53. Saber98

    Saber98 Network Newbie Member

    Br0 - VLAN1 - 10.0.0.250 - Private Wireless network

    Br1 - VLAN3 - 192.168.0.1 - Guest Wireless network.
     
  54. Sean B.

    Sean B. LI Guru Member

    Yes. And the WAP will not NAT a network on its LAN. You have disabled and are not using the WAN, the CPU is not used, only the switch. This will not work.

    The router/firewall has to do the NAT'ing. And to get both networks to the router/firewall you have to use VLAN tagging, which pipes 2 separate vlans/subnets over one port link between the 2. Then each has a bridge configured for its subnet on the router.
     
  55. Saber98

    Saber98 Network Newbie Member

    I thought it might have something to do with the WAN being disabled. I've used the same configuration with DD-WRT, (WAN disabled bridged to LAN), but this must be a limitation with Tomato.
     
  56. Sean B.

    Sean B. LI Guru Member

    Not trying to argue, but you must be mistaken. A switch cannot perform the functions of a router. When you disable the WAN of any soho router, you have turned it into a switch. The 4 LAN ports are literally a 4 port switch inside. A managed switch, but a switch none the less. The routing is done by an internal port connecting to the CPU, of which is connected to the WAN.
     
  57. Saber98

    Saber98 Network Newbie Member

    DD-WRT is buggy, so it could have been a bug in all honesty of how it works. lol

    I have the exact same setup with a Linksys E3000 running DD-WRT, I have 2 segmented LANS running on it for some Internet of Crap devices.
     
  58. Sean B.

    Sean B. LI Guru Member

    Do both the WAP and the router/firewall support VLAN tagging? If so, this can be configured to work.
     
  59. Saber98

    Saber98 Network Newbie Member

    PFSense supports VLAN tagging. I'm looking through Tomato to see how I can add the TAG.
     
  60. Saber98

    Saber98 Network Newbie Member

    Okay, I see it. I've configured VLAN Tagging once before and pretty much had to scrap it, because I'm pretty sure I configured it incorrectly.
     
  61. Sean B.

    Sean B. LI Guru Member

    If port 4 is connecting the WAP to the switch, you would add port 4 to both br0 and br1 and check the box for tagged on port 4 in each one as well.
     
  62. Saber98

    Saber98 Network Newbie Member

    Okay. That makes sense, and set up the tags on the firewall for which VLAN the tags are for.
     
  63. Sean B.

    Sean B. LI Guru Member

    You would then need a matching bridge interface for both networks on the router/firewall.. IE:

    WAP:
    • br0 - private
      • IP = 10.0.0.253
      • Ports = 2 3 4+tagged
      • VLAN1
    • br1 - guest
      • IP = 192.168.0.2
      • Ports = 1 4+tagged
      • VLAN3
    Router/firewall:
    • br0 - private
      • IP = 10.0.0.254
      • Ports = 2 3 4+tagged
      • VLAN1
    • br1 - guest
      • IP = 192.168.0.1
      • Ports = 1 4+tagged
      • VLAN3
    Connection = Router/firewall port 4 <-> WAP port 4
     
  64. Sean B.

    Sean B. LI Guru Member

    You can then set the default gateway on the WAP to either 10.0.0.254 or 192.168.0.1.
     
  65. Sean B.

    Sean B. LI Guru Member

    And, in case you are unaware, with this configuration the router/firewall is in control of DHCP on the WAP's LAN. So DHCP needs to be disabled on both WAP interfaces. Unless for some reason the router/firewall is not configured as a DHCP server.
     
  66. Saber98

    Saber98 Network Newbie Member

    It is the DHCP. I'm reading up on how to enable VLANs over a single port as the firewall only has 2 NICs. 1 interface for the WAN, 1 interface for the LAN.

    Also will have to make sure the switch will be able to forward 802.1Q tagged frames.
     
  67. eibgrad

    eibgrad Network Guru Member

    Ok, now we're running off the rails here.

    Let's review the situation. The OP has a primary router (10.0.0.254). He's added a WAP (10.0.0.250, br0). He's added a guest network (192.168.0.1, br1) to that WAP. And he wants to access the internet from the guest network.

    All he needs to do is route from the guest network (br1) over the primary network (br0) of the WAP to reach the primary router and eventually the internet.

    That's how I understand it. Now maybe I missed something, but if I'm right here, this shouldn't be all that complicated. This is done all the time, both w/ tomato and dd-wrt.

    It is perfectly valid to NAT the guest network (br1) over the private network (br0) on the WAP! We do that so that the WAP masks the source IP of the client on the guest network (br1) w/ its LAN ip on the primary network (br0). That's why, once we added the NAT rule, the guest client was able to ping the primary router! The problem is, that same guest can't ping a public IP! It makes it to the primary router and no further.

    This type of config is done all the time, both w/ tomato and dd-wrt. Whether the WAN is or isn't enabled is irrelevant to NAT'ing. You can route and NAT between all network interfaces at any time as long as routing and the firewall are enabled. In this case, it makes sense to disable the WAN since it's not being used as a WAN. Just reassign it to the LAN. But regardless, again, this issue of the WAN has no bearing on the ability to either route or NAT any network interfaces.

    Something else is amiss here. And at this point, I recommend setting the WAP back to factory defaults and NOT creating a guest network initially. Just configure it as a simple WAP (disable the WAN, assign its port to the LAN, configure the IP, gateway, DNS, etc.) and then confirm via telnet/ssh you can ping both a domain name and explicit IP (e.g., 8.8.8.8 ) from the WAP. Get that working flawlessly, then we'll visit the issue of the guest network.
     
  68. Sean B.

    Sean B. LI Guru Member

    You cannot have LAN ports in 2 VLANS/subnets at the same time. The WAP cannot NAT between 2 LAN ports on separate VLANS. It would have to go out to the CPU and route, which is disabled via WAN.
     
  69. Sean B.

    Sean B. LI Guru Member

    Or perhaps I'm thinking of Router/Gateway mode instead of WAN.
     
  70. Saber98

    Saber98 Network Newbie Member


    Have done that a couple of times before I even created the thread. This little project has been going on for about a month now. The ONLY time I had this working was when I had the WAN enabled and it got a DHCP address from my Firewall. But obviously I don't want to double NAT so I disabled the WAN and I'm here scratching my head trying to figure out why it won't nat.


    I've flashed this router, at least 10 different times to bring it completely back to factory default.

    I'm calling it a night; it's way past time for me to get to bed. I really do appreciate the assistance and plan on checking this thread tomorrow when I get into work and will keep working at it.

    I'll reset the WAP from work and continue working with it during any down time and will report back.
     
  71. Saber98

    Saber98 Network Newbie Member

    The WAP is in Gateway mode if that helps.
     
  72. Sean B.

    Sean B. LI Guru Member

    No, I'm thinking right. You can't NAT from LAN to LAN, because there's no separation for the outgoing interface. When you SNAT/DNAT to an IP other than the interface IP that will work. But you cannot NAT to another subnet with a LAN port, because the IP of the bridge interface is the same on both sides.
     
  73. Sean B.

    Sean B. LI Guru Member

    AH HA! Turn that back to Router!@Q#@Q#@Q@
     
  74. Saber98

    Saber98 Network Newbie Member

    In router mode, still no dice.... Can't ping 8.8.8.8 or my firewall 10.0.0.254
     
  75. Sean B.

    Sean B. LI Guru Member

    What are your iptables rules?

    iptables -t filter --list-rules
    iptables -t nat --list-rules

    also:

    ifconfig br0
    ifconfig br1
     
  76. Saber98

    Saber98 Network Newbie Member

    This is what I have for my firewall:

    iptables -I FORWARD -i br1 -o br0 -j ACCEPT
    iptables -I FORWARD -i br0 -o br1 -j ACCEPT
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

    br0 Link encap:Ethernet HWaddr 30:85:A9:E7:7E:C8
    inet addr:10.0.0.250 Bcast:10.0.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1915 errors:0 dropped:0 overruns:0 frame:0
    TX packets:525 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:395134 (385.8 KiB) TX bytes:423713 (413.7 KiB)

    br1 Link encap:Ethernet HWaddr 30:85:A9:E7:7E:C8
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:91 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:12104 (11.8 KiB) TX bytes:789 (789.0 B)
     
  77. eibgrad

    eibgrad Network Guru Member

    I literally don't know what you're talking about. I do this ALL THE TIME! Neither routing nor NAT'ing are dependent on the WAN or CPU (whatever that means). The WAN is just another network interface. Yes, we usually NAT over the WAN. But you can route and NAT between *any* and *all* network interfaces at any time! WAN enabled, disabled, whatever, it doesn't matter because it's not relevant. Just as long as routing and the firewall are enabled.

    Case in point:

    https://www.dd-wrt.com/wiki/index.php/Guest_Network

    This is for dd-wrt, but it applies to tomato as well. Notice at the bottom of the page it explains what you have to do when the router is configured as a WAP (no WAN). Notice it (implicitly) NAT's the guest network over the private network.

    Code:
    iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
    That's what the OP is trying to do. It works to the extent he can ping the primary router's IP (if he removes the NAT rule, even that won't work), but he can't get any further. No internet access. Again, we've already proven you can route and NAT. The problem is internet access.
     
  78. Sean B.

    Sean B. LI Guru Member

    Tell me this then. How was NAT responsible for the connection, when OP had it in gateway mode the whole time? Gateway mode disables NAT. And if you don't know what I'm talking about by CPU I suggest you google how a router works, routing is done in the CPU, switching is done on the LAN switch.
     
  79. eibgrad

    eibgrad Network Guru Member

    Router mode disables NAT. That's why Gateway mode is the default.
     
  80. Sean B.

    Sean B. LI Guru Member

    Backwards. I knew it's been a long day. Anyways, you won't pull this off with NAT either way. Best of luck
     
  81. Saber98

    Saber98 Network Newbie Member

    I'm also using a Linksys with DD-WRT with WAN disabled bridged to LAN. I set it up 2+ years ago and it's been working without a hitch ever since.

    Here is the DD-WRT build info:

    Router Model
    Linksys E3000
    Firmware Version
    DD-WRT v3.0-r29316 mega (03/22/16)
    Kernel Version
    Linux 3.10.101 #11987 Tue Mar 22 10:56:41 CET 2016 mips

    This configuration is similar I believe to a Layer 3 switch.

    I'd post the IPTables, but it keeps nagging me about trying to insert a URL...
     
  82. eibgrad

    eibgrad Network Guru Member

    Does it have a guest network (br1)? Are you NAT'ing that guest network over the LAN (br0) of the WAP?

    I say again, this is a perfectly valid config. I run this same config on dd-wrt and tomato all the time. And dd-wrt even has wikis showing you how to do it this way!

    Something else is amiss. This is why I wanted you to start over, only so we had a known good state before the guest network is added. You need to confirm *before* adding the guest network that once you telnet/ssh into the WAP, you can do everything the guest network is expected to do; ping a public domain name, ping an explicit IP, etc. If that doesn't work perfectly, then adding a guest network will not work either, and only add to the confusion.
     
  83. eibgrad

    eibgrad Network Guru Member

    As a sanity check, I configured a spare tomato router last night. It's an old ASUS WL-520GU. Given the limited flash (4MB), I had to install an older version of Shibby Tomato (v124). Here are the changes I made.

    Basic->Network ...

    1. Disabled the WAN and assigned its port to the LAN.

    2. Disabled DHCP on the primary network (br0) and changed the LAN ip to 192.168.61.199 (my primary network is 192.168.61.0/24, w/ the router @ 192.168.61.1).

    3. Added the primary router's LAN ip as the default gateway (192.168.61.1) and DNS (192.168.61.1).

    4. Added a new network (br1), assigned it 192.168.99.1 / 255.255.255.0, no STP, DHCP enabled, w/ a DHCP range of 192.168.99.100 thru 192.168.99.149.

    5. Saved the changes.

    Advanced->Virtual Wireless ...

    1. Added wl0.1 as a VAP, named it Tomato24-Guest (wl0 is named Tomato24), and assigned it to the br1 bridge created above.

    2. Saved the changes.

    Administration->Scripts->Firewall ...

    1. Added the following two firewall rules.

    Code:
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    2. Saved the changes.

    Rebooted. It works.

    Yes, that's all it took. Very simple. Didn't even have to make any changes to DNSMasq. In fact, here's what the GUI generated without any effort on my part.

    Code:
    root@unknown:/tmp/home/root# cat /tmp/etc/dnsmasq.conf
    pid-file=/var/run/dnsmasq.pid
    resolv-file=/etc/resolv.dnsmasq
    addn-hosts=/etc/dnsmasq/hosts
    dhcp-hostsfile=/etc/dnsmasq/dhcp
    expand-hosts
    min-port=4096
    stop-dns-rebind
    rebind-localhost-ok
    interface=br0
    interface=br1
    dhcp-range=tag:br1,192.168.99.100,192.168.99.149,255.255.255.0,1440m
    dhcp-option=tag:br1,3,192.168.99.1
    dhcp-lease-max=255
    dhcp-authoritative
    And I used an Apple iPod Touch 5th Gen as a client connected to Tomato24-Guest, and got the following config from DHCP.

    Code:
    IP Address: 192.168.99.105
    Subnet Mask: 255.255.255.0
    Router: 192.168.99.1
    DNS: 192.168.99.1
    As I said, it's no problem routing and NATing the guest network over the private network on a WAP w/ the WAN disabled. I've done this for YEARS w/ both dd-wrt and tomato.

    When things go wrong, what usually happens is that people *over* configure the router. And it doesn't help to make your initial firewall rules overly restrictive either. Only add the absolute minimum to get it working, *then* worry about making it more restrictive (e.g., denying access by guests to resources on the primary network).

    It's getting late, but if you want me to upload images, fine, I'll do it later when I have the chance.
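The firewall script from post 83, as an added example rather than the poster's own script, written as a generator so the rule order can be checked offline. It adds the guest-to-LAN isolation rule from the dd-wrt wiki snippet eibgrad quoted in post 77; br0/br1 and the 10.0.0.250/24 LAN address are the thread's values, while the assumption that Tomato's FORWARD chain already accepts RELATED,ESTABLISHED traffic is the example's, not the thread's.

```sh
#!/bin/sh
# Added example for this thread, not a script posted in it: emit the
# Administration->Scripts->Firewall rules for a WAP whose guest bridge (br1) is
# NAT'd over its LAN bridge (br0), as in eibgrad's post 83, plus the
# guest-to-private-LAN isolation rule from the dd-wrt wiki snippet in post 77.
# Interface names br0/br1 and the sample addresses are taken from the thread;
# on the router itself the LAN address and mask come from nvram (apply_guest_fw).
# Assumed (example's assumption): the FORWARD chain already accepts
# RELATED,ESTABLISHED traffic, so only NEW connections need rules here.

# guest_fw_rules LAN_IP LAN_NETMASK [LAN_IF] [GUEST_IF]
# Prints one iptables command per line. Every rule uses -I (insert at the top),
# so the LAST command printed is evaluated FIRST: the REJECT toward the private
# subnet is printed after the blanket ACCEPT so that it is matched before it.
# Printing them in the other order would silently disable the isolation.
guest_fw_rules() {
    lan_ip=$1; lan_mask=$2; lan_if=${3:-br0}; guest_if=${4:-br1}
    cat <<EOF
iptables -t nat -I POSTROUTING -o $lan_if -j SNAT --to $lan_ip
iptables -I FORWARD -i $guest_if -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $guest_if -d $lan_ip/$lan_mask -m state --state NEW -j REJECT
EOF
}

# forward_chain_order ARGS... -> the FORWARD targets in the order the kernel
# will evaluate them once the rules above are applied (reverse of insertion).
forward_chain_order() {
    guest_fw_rules "$@" | grep '^iptables -I FORWARD' | sed -n '1!G;h;$p' \
        | sed 's/.* -j //' | tr '\n' ' ' | sed 's/ $//'
}

# On the Tomato box itself (nvram and iptables present), apply the rules with
# the LAN address and mask the GUI configured.
apply_guest_fw() {
    guest_fw_rules "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)" | sh -e
}

# Dry run with the thread's addresses: WAP LAN 10.0.0.250/24, guest on br1.
guest_fw_rules 10.0.0.250 255.255.255.0
echo "# FORWARD chain evaluation order: $(forward_chain_order 10.0.0.250 255.255.255.0)"
```

Paste the three printed lines into Administration->Scripts->Firewall, or call apply_guest_fw from a telnet/ssh session on the WAP. The REJECT rule also stops guests reaching the primary router's LAN address (10.0.0.254 in the thread), which is the isolation the OP wanted for his Internet-of-crap devices; per post 10, leave it out while troubleshooting and add it only once internet access from the guest network works.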
     
  84. Sean B.

    Sean B. LI Guru Member

    I'm starting to think you have some sort of obsession with NAT, as it seems to be your answer to most any networking issue. Why would you not trunk these VLANs when both the WAP and router are capable of doing so? The main router ( already the DHCP server for the private network ) would handle DHCP for both networks, all firewall/QoS/DNS rules and settings etc would be managed from one GUI on one device ( main router ) for both networks, all clients on both networks would show up on the main router's device list ( it won't see any on the guest side with your double-NAT ), no future port forward or other services issues ( again, you're double-NATting him on purpose for some reason ) etc etc. Even if I'm tired enough to be way off about NATing port to port on the same switch, the question still remains: why not get the network to function correctly rather than pull some band-aid packet mangling?
     
    Last edited: Mar 22, 2018
  85. eibgrad

    eibgrad Network Guru Member

    Sean B., it's clear you and I see these forums differently. You treat these forums as if they are a good venue for providing perfect solutions. I don't. I see it as one of the worst ways to practice networking. If we were all in the same physical room, w/ a whiteboard, had hours to spend tinkering w/ the actual equipment, verifying things step by step, w/ debugging tools, etc., I'd be all ears. But that's not the reality of the situation. More times than not, we're dealing w/ very limited information, much of which is incorrectly described, using the wrong terminology, and wholly dependent on the OP for that information. It's amazing we solve as many problems as we do given the circumstances. For these reasons, I look for the simplest to implement, easiest to understand, and most likely to succeed solutions that get the job done.

    I never claimed it was the only solution, or the perfect solution. Why complicate things unnecessarily? Esp. in a forum like this, where we rarely have the big picture, and where you're often dealing w/ individuals who have minimal networking knowledge. It's not as if I'm offering some crazy solution. It's common enough that the dd-wrt wikis explain how to do it this way.

    FWIW, you can avoid the use of NAT and expose the guest network to the primary router, provided the primary router is capable of static routes. But that's often problematic. Some routers w/ OEM firmware don't support static routes, or they do but the ISP prevents access by locking down the router. So NAT'ing just ends up being the easiest and most likely to succeed solution because it confines the entire config to the WAP (no outside dependencies).

    I have a question for you. Why do you repeatedly insist that what I offer as a solution is not just less than ideal, but that it won't work? That I have it wrong? Suggest (if not outright state) that I don't know what I'm talking about? It's one thing to claim there's a better way, or offer a solution that avoids this or that limitation. It's quite another to claim it won't work. You did this w/ NAT loopback (insisting SNAT wasn't necessary), FTP (insisting my script wouldn't work), and now this (insisting you can't route/NAT between network interfaces w/ the WAN disabled). How many times do you have to be proven wrong before you'll recognize that I do know what I'm talking about?

    I repeatedly summarized the configuration as I understood it, and which the OP repeatedly confirmed. The OP made no indication that the solution I was offering would not meet his requirements. In fact, he seemed to indicate that he had this same configuration working w/ dd-wrt. So I wasn't about to start looking for a "perfect" solution, esp. if the limitations as you've stated them were not part of his stated requirements.

    Fact is, 99% of ppl are going to be satisfied w/ the solution I offered. If later the OP decides it comes up short for the reasons you've stated, fine. Tell him what the limitations are and offer an alternative. If you had done that, you and I wouldn't have anything to quibble about. But don't tell him what I'm offering as a solution won't work! That's over the top. And only leads to confusion for the OP.
     
    koitsu likes this.
  86. eibgrad

    eibgrad Network Guru Member

    FWIW, I took screenshots of the relevant pages and client IP config and uploaded them to Box.com. I also included a dump of iptables showing the FORWARD and NAT rules being repeatedly hit w/ packets.

    https://app.box.com/s/6if4u2ncl0ugpdnlex0p98bjcdcsrmej

    Hopefully this will make things even clearer.

    Again, realize this needs more firewall rules to deny access by guests to resources on the private network. And rules limiting guest access to the WAP (DNS and DHCP minimally). I didn't include any restrictions for clarity's sake. I was only trying to show what was minimally necessary to get it working.

    If it helps, I do have an AP-based guest firewall script posted on PasteBin.

    https://pastebin.com/NxU0Q9iu

    Perhaps a bit too elaborate, but still seems popular among tomato users if the hit count is any indication. You can always use the bits and pieces you find relevant to your situation.
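The rules that post says are still missing (guests may use DHCP and DNS on the WAP and nothing else on it, guests are kept off the private subnet, guest traffic is SNATed behind the WAP's LAN address as in the earlier iptables rule) collected into one firewall script. This is an added example, not eibgrad's Pastebin script; it assumes br0 = private LAN 10.0.0.0/24 and br1 = guest LAN 192.168.99.0/24 served by dnsmasq on 192.168.99.1 (the dnsmasq fragment above), and the chain names guest_in / guest_fwd and the placeholder address 10.0.0.2 used off-router are its own.

```shell
#!/bin/sh
# Guest-network isolation for a Tomato WAP with WAN disabled (WAN port bridged to LAN).
# Added example, not the thread's own Pastebin script. Assumed layout:
#   br0 = private LAN 10.0.0.0/24 (the WAP's own address comes from nvram lan_ipaddr)
#   br1 = guest LAN 192.168.99.0/24, dnsmasq on 192.168.99.1 serving DHCP and DNS
# Meant for Administration > Scripts > Firewall, which Tomato runs after it rebuilds
# its own rules. Set DRYRUN=1 to print the iptables commands instead of applying them.

GUEST_IF=br1
GUEST_NET=192.168.99.0/24
LAN_IF=br0
LAN_NET=10.0.0.0/24

# WAP's private-LAN address: from nvram on the router, constructed placeholder elsewhere.
wap_ip() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get lan_ipaddr
    else
        echo 10.0.0.2
    fi
}

# Run one iptables command, or echo it when DRYRUN is set.
ipt() {
    if [ -n "$DRYRUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

guest_rules() {
    WAP_IP=$(wap_ip)

    # Guest -> WAP itself: replies, DHCP and DNS only (no GUI, SSH or telnet from guests).
    ipt -N guest_in 2>/dev/null
    ipt -F guest_in
    ipt -A guest_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A guest_in -p udp --dport 67 -j ACCEPT
    ipt -A guest_in -p udp --dport 53 -j ACCEPT
    ipt -A guest_in -p tcp --dport 53 -j ACCEPT
    ipt -A guest_in -j DROP
    ipt -I INPUT -i "$GUEST_IF" -j guest_in

    # Guest -> forwarded: never onto a private host, otherwise out through br0.
    # The DROP must precede the ACCEPT; internet traffic has public destinations
    # so it falls through to the ACCEPT.
    ipt -N guest_fwd 2>/dev/null
    ipt -F guest_fwd
    ipt -A guest_fwd -d "$LAN_NET" -j DROP
    ipt -A guest_fwd -o "$LAN_IF" -j ACCEPT
    ipt -A guest_fwd -j DROP
    ipt -I FORWARD -i "$GUEST_IF" -j guest_fwd
    # Replies to guest connections must be allowed back onto br1.
    ipt -I FORWARD -o "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the guest subnet behind the WAP's own LAN address (the SNAT rule from earlier).
    ipt -t nat -I POSTROUTING -s "$GUEST_NET" -o "$LAN_IF" -j SNAT --to-source "$WAP_IP"
}

# Act only when asked, so the file can be sourced or inspected without side effects.
case "$1" in
    apply) guest_rules ;;
    dry)   DRYRUN=1; guest_rules ;;
esac
```

Run it with the argument `dry` first and read the printed rules before pasting it into the Firewall script box with `apply`. Because guests resolve against dnsmasq on the WAP, the `-d 10.0.0.0/24 -j DROP` rule does not cut off DNS; if you instead hand guests a resolver on the private subnet (say the primary router), add an ACCEPT for that one address and port ahead of the DROP.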
     
  87. Saber98

    Saber98 Network Newbie Member

    Yep, as I'm using the WAN port as an extension of the LAN.

    Agreed, I've used this config several times with DD-WRT without an issue, and for years.

    Yep, I factory defaulted, primary network up and running, no issue.
     
  88. Saber98

    Saber98 Network Newbie Member

    No luck getting this to work. I think it's a bug within this build. I've tried factory default, reflashing, clearing NVRAM, nothing. I've ONLY ever gotten this to work when WAN is enabled and is taking a DHCP address from my firewall.

    As soon as I disable the WAN port, bridge it to the LAN and reboot, I'm no longer able to NAT traffic from the guest network to the private network. I can repeat this every single time.

    Here are the steps:
    Create the Guest Bridge, VLAN, Guest wireless, reboot etc. This is with the WAN port enabled for DHCP. Disable WAN, assign it to the LAN, reboot, and the WAP guest network is no longer able to NAT.

    I'll have to figure out a different way to get my guest wireless set up. Possibly look into getting a managed switch and setting up VLAN tagging.

    Yes Sean, this configuration does work on DD-WRT, on this ASUS RT-AC66u, as well as a Linksys E3000. I've had this same configuration on other Linux builds work without issue for years. It's only this version of Tomato that I have tried, where this does not work.

    Anyone have an older version of the Tomato build where this does work for an ASUS RT-AC66u? If so what build and I'll give it a try.

    Thanks for all the help, I do appreciate it. Hopefully one day I can repay the favor.
     
    Last edited: Mar 23, 2018
  89. eibgrad

    eibgrad Network Guru Member

    If NAT is somehow an issue, but it can still route, as I said previously, you could use a static route instead. IOW, add a static route to the primary router that points to the LAN ip (on the private network) of the WAP as the gateway to the guest network. The only point of using NAT was to avoid having to do this.

    Only other possible issue is that sometimes the primary router will only NAT its own local IP network over the WAN (e.g., dd-wrt). Hopefully that's not the case. But if it is, and you have low-level access to the primary router, you could add the necessary NAT rule.
     
  90. Sean B.

    Sean B. LI Guru Member

    Huh... who woulda thought :confused:
     
  91. Saber98

    Saber98 Network Newbie Member

    Considering I've been running this type of config on a different 3rd party, and had the same config working on this router with said other 3rd party, it doesn't make any sense.

    Yes you've explained it, but it goes without saying that it's worked this way with other implementations. Not just DD-WRT, but also Gargoyle on the Linksys E3000.

    I've purchased a managed switch and will set up a router-on-a-stick scenario so I can control multiple VLANs through a central location, which should make management easier.
     
  92. i1135t

    i1135t Network Guru Member

    Instead of disabling the WAN after creating the Guest network, have you tried disabling the WAN port (bridging to LAN) before creating the Guest interface br1 - then Guest wifi? Could be a bug in tomato where doing this in reverse order is creating the problem that you're running into.

    FYI, yes you can limit access to the private LAN from the Guest network through iptables. DNS lookups not so much since both networks pull from the same source, however I don't know how pfsense DNS works so not sure..
     
  93. Saber98

    Saber98 Network Newbie Member

    Yes, have done that. Guest WiFi won't work at all if I disable the WAN first before creating the guest interface.

    I've purchased a managed switch and have tagging working on that. Working on getting tagging to work in Tomato, that's also proving to be a challenge.
     
    Last edited: Mar 24, 2018
  94. Saber98

    Saber98 Network Newbie Member

    VLAN tagging is also broken in the Tomato By Shibby build for the RT-AC66u. No matter what I did, it would not trunk the untagged VLAN or the tagged VLAN. It would either do one or the other, but not both networks.

    I ended up just reverting back to DD-WRT to setup the Guest Network.

    Thanks for all of the assistance everyone, I do appreciate it.
     
  95. Sean B.

    Sean B. LI Guru Member

    Just a quick note, and surprised I didn't remember this earlier. I would bet a paycheck that one or both of your routers has the port order inverted in the GUI. Meaning Port 1 in the GUI corresponds to Port 4 on the router etc. In these cases, VLAN tagging will fail as you're actually enabling it on the wrong physical port. If you get bored and have nothing better to do, it would be interesting to see if that is the case.
     
    Last edited: Mar 26, 2018
  96. Saber98

    Saber98 Network Newbie Member

    Nope, that wasn't it. I played around with it yesterday and got it to work. Even though I had port 4 set to be tagged in the GUI, it showed as untagged in the CLI. Neither port 1 nor port 4 showed as tagged in the CLI. I've seen others report similar behavior, which is how I came across the commands below.

    So I ran the following robocfg commands:

    Code:
    robocfg VLAN 1 ports "0u 2u 3u 4u 8t"
    robocfg VLAN 100 ports "0t 1t 8t"
    (ports are inverted for the AC66u: 1 = 4 etc.)

    After that it trunked the traffic as expected. I have it running that command as a startup script on the WAP and I've rebooted it several times as a test and can confirm that it's working now.

    What a pain in the ass though. :)
     
  97. Sean B.

    Sean B. LI Guru Member

    Must be a Shibby build or router model specific issue, never run into that on Toastman. Glad it's working for ya, and without using any network bandaids as well. :)
     
  98. Saber98

    Saber98 Network Newbie Member

    Yeah I'm glad it's working too. I tried to find a toastman installation for the RT-AC66u to try that, but couldn't find any information on which ones worked with my model of router and didn't want to risk bricking it. So I went back to Tomato by Shibby with a determination to get it to work. lol
     
    Sean B. likes this.
  99. tvlz

    tvlz LI Guru Member

    That was fixed after Shibby compiled v140. You can get an updated Vlan file so that the GUI port # matches the case port # here
    http://www.linksysinfo.org/index.php?threads/can-vlan-gui-port-order-be-corrected.70160/#post-247634

    Can you do a "robocfg show"? I want to see how the ports are displayed with your robocfg commands, then remove your startup script, reboot and retry your setup with a test Advanced Vlan file (from the testing dir, use the link above), hopefully it will allow both tagged and untagged on the default port.
     
    Last edited: Apr 8, 2018
    Sean B. likes this.
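To answer the "robocfg show" request without eyeballing the table, here is a small check that parses robocfg show output and confirms a port is an untagged member of the native VLAN and a tagged member of the guest VLAN, which is what Saber98's two robocfg commands set up for switch port 0. It is added for this thread and is not part of Tomato or robocfg; the sample output is constructed to follow the usual robocfg show layout (the VLAN lines mirror those two commands, the port lines are made up), and on the router you would pass "$(robocfg show)" instead.

```shell
#!/bin/sh
# Trunk-membership check for "robocfg show" output. Added example, not from the thread
# or from robocfg itself. A trunk port must be untagged in the native VLAN and tagged
# in the guest VLAN; being tagged in only one of them is the one-or-the-other symptom
# described above.

# Constructed sample in the usual robocfg show layout; real output differs in link
# state and MACs. Port 0 is the trunk (untagged in 1, tagged in 100), port 8 is the CPU.
SAMPLE_SHOW='Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:01
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:02
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:04
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:08
VLANs: BCM53125 enabled mac_check mac_hash
   1: vlan1: 0 2 3 4 8t
 100: vlan100: 0t 1t 8t'

# port_mode SHOW_OUTPUT VLAN_ID PORT -> prints tagged | untagged | absent
# Only the lines after the "VLANs:" header are parsed; "Nt" means tagged.
port_mode() {
    printf '%s\n' "$1" | awk -v id="$2" -v port="$3" '
        BEGIN { key = id ":" }
        /^VLANs:/ { invlan = 1; next }
        invlan && $1 == key {
            for (i = 3; i <= NF; i++) {
                num = $i; sub(/[^0-9].*$/, "", num)   # strip any t or * suffix
                if (num == port) {
                    mode = ($i ~ /t/) ? "tagged" : "untagged"
                    print mode; found = 1; exit
                }
            }
        }
        END { if (!found) print "absent" }'
}

# verify_trunk SHOW_OUTPUT PORT NATIVE_VLAN GUEST_VLAN -> 0 if PORT is a proper trunk
verify_trunk() {
    native=$(port_mode "$1" "$3" "$2")
    guest=$(port_mode "$1" "$4" "$2")
    if [ "$native" = untagged ] && [ "$guest" = tagged ]; then
        echo "port $2: untagged in vlan $3, tagged in vlan $4 (trunk OK)"
        return 0
    fi
    echo "port $2: vlan $3 $native, vlan $4 $guest (NOT a trunk)" >&2
    return 1
}

# On the router:  verify_trunk "$(robocfg show)" 0 1 100
# Off the router, "demo" runs the check against the constructed sample.
if [ "$1" = demo ]; then
    verify_trunk "$SAMPLE_SHOW" 0 1 100
fi
```

Run it after the startup script has applied the robocfg commands; a port that the GUI claimed was tagged but that shows up as absent or untagged in VLAN 100 is the GUI/physical port mismatch Sean B. described.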
