[Solved, see post 12] Isolated guest wifi on wireless ethernet bridge, how to?

Discussion in 'Tomato Firmware' started by 1weirdFish, Nov 5, 2018.

  1. 1weirdFish

    1weirdFish New Member Member

    Hello everyone, a long time reader, first time poster here. First of all, I would like to thank everyone for their involvement in this amazing community! Over the years, your questions and advice have helped me learn a great deal about wireless networking on the TomatoUSB family of routers.

    Now some background about my home wireless network and the goal I want to achieve:

    My wife and I both work at home a lot, so having a reliable wireless network is a must to me. In other words, I don't get to "play" a lot on our main wireless router (a Linksys EA6900 running AdvancedTomato v3.5-140-AIO-64K).

    To improve the wireless coverage in the kitchen area, I have a secondary wireless router (Asus RT-AC66U with the same AdvancedTomato v3.5-140-AIO-64K) running in wireless ethernet bridge mode. Its 5GHz radio connects to the main router, and its 2.4GHz radio is running 3 APs. The first one, "Work", is for our work laptops to connect to when we are near the kitchen; it uses the 2.4GHz wireless interface wl0. The second AP, "Play", on 2.4GHz is for my media player / Smart TV / Amazon Echo etc.; it is a virtual wireless interface (wl0.1 connected to VLAN3). The third AP, "Guest", is for when we have friends / kids over and they need access to the internet; it's also a virtual wireless interface (wl0.2 connected to VLAN4).

    My goal is to completely separate these 3 APs, so the devices connected to "Guest" or "Play" can only access the internet, nothing else. The devices connected to "Work" should have full access to my entire home network resources, as well as to the internet. Devices on "Work" don't really need to access the devices connected to the "Play" or "Guest" AP.

    My main router's configuration is almost like default, except I changed the IP address to 192.168.2.1, enabled DHCP, configured wireless security to WPA Personal + AES, etc.

    On the secondary router, this is what I have done so far:
    • Basic Settings -> Network -> WAN Settings, "Type" disabled, "Bridge WAN port to primary LAN(br0)" checked.
    • Basic Settings -> Network -> LAN,
      • br0 --- STP disabled, DHCP disabled, address: 192.168.2.2;
      • br1 --- STP disabled, DHCP enabled, address: 192.168.3.2, ip range 192.168.3.3 - 192.168.3.200;
      • br2 --- STP disabled, DHCP enabled, address: 192.168.4.2, ip range 192.168.4.4 - 192.168.4.200;
    • DNS & Gateway is set to 192.168.2.1;
    • 2.4GHz is in AP mode with WPA Personal +AES (this is the "Work" AP),
    • 5GHz is in wireless ethernet bridge mode connecting to the main router's 5GHz radio.
    • Advanced Settings -> virtual wireless,
      • wl0.1 in AP mode (this is "Play" AP), WPA/WPA2 Personal+AES, bridged to LAN1(br1)
      • wl0.2 in AP mode ("Guest" AP here), WPA2 Personal+AES, bridged to LAN2(br2),
    • Advanced Settings -> VLAN Settings,
      • VLAN1, VID 1, Port1, default, bridged to LAN(br0);
      • VLAN2, VID 2, WAN Port, bridged to WAN;
      • VLAN3, VID 3, Port2, Port 4, bridged to LAN1(br1);
      • VLAN4, VID 4, Port3, bridged to LAN2(br2).
    • Advanced Settings -> Wireless;
      • eth1 & eth2 are bridged to LAN(br0);
      • wl0.1 is bridged to LAN1(br1);
      • wl0.2 is bridged to LAN2(br2).


    That's all the customization I have done. Now if I connect to the primary router, everything works: I can see all of my home network, I can browse the Internet, and I can manage the secondary router via its GUI at 192.168.2.2.

    The problems are with the secondary router:
    1. Can't connect to the "Work", "Play" or "Guest" AP; security is ok but I can't get an IP address from the primary router's DHCP;
    2. If I connect to it using a fixed IP address, using secondary router (192.168.2.2) as gateway and primary router (192.168.2.1) as DNS, I can connect, and I can access my home network using IP addresses, but I can't go to Internet.
    Any thoughts? Thank you very much in advance. Sorry about the long post, this really drives me nuts.
     
    Last edited: Nov 12, 2018
  2. 1weirdFish

    1weirdFish New Member Member

     
    Last edited: Nov 12, 2018
  3. Sean B.

    Sean B. LI Guru Member

    You won't be able to accomplish your goal while using a wireless connection between the primary and secondary routers. This is because you can only enable VLAN trunking ( aka Tagging ) on the switch ports, it is not supported via the wireless interfaces. VLAN trunking/tagging is required in order to transport ( aka trunk ) multiple separate VLANs over a single link. You would have to run a cable connection between your primary and secondary routers, then you could trunk the VLANs so they exist at both ends. Whereas currently, with the wireless bridge connection, anything connected to the secondary router is forced to be part of the VLAN that the wireless interface is assigned to on the primary router ( when traffic is viewed from the primary router's perspective ).

    In other words, while VLAN1 VLAN3 and VLAN4 exist on the secondary router, once traffic crosses over to the primary router it all becomes VLANX .. where X is the VLAN of which the wireless interface is assigned on the primary router. You lose the ability to segregate traffic once it hits the primary router, and with that goes the ability to enforce differing policies on what the traffic can/cannot do.
     
    Last edited: Nov 6, 2018
  4. 1weirdFish

    1weirdFish New Member Member

    Thank you very much Sean, for taking the time to explain VLAN trunking / tagging! So if I understand you correctly, I could do this if I separate 2.4GHz and 5GHz into 2 VLANs on the main router, and isolate its 5GHz traffic for Internet access only, so that the clients of the "Guest" and "Play" APs on the secondary router are separated, is that right?

    Also, is VLAN trunking / tagging the only option here? I was guessing I could accomplish my goal using iptables /ebtables rules on secondary router only.
     
  5. Sean B.

    Sean B. LI Guru Member

    If, on the main router, you bridged only the 5ghz interface to VLAN3 for instance. Connected the secondary router to that 5ghz interface and leave the access rules default which is no cross-VLAN communications allowed, anyone connected to the secondary router would only be able to access the internet ( in relation to what's accessible on the primary router via secondary router ). As long as that fits your needs, and there's no clients that connect to the secondary router of which you want to have access to other LANs on the primary router, you're set.

    It's the only option if you wish to have multiple segregated networks flow between both routers while maintaining the same level of segregation and policy control over the traffic at both ends. Otherwise you can enforce VLAN/subnet specific control only on the side of which the traffic is originating. Once it crosses to the other router the traffic becomes one VLAN/subnet and any policy enforcement ( applied by that side of the connection ) affects all traffic without distinction as such.


    **NOTE** Keep in mind, the overall functionality of VLANs/subnets and associated routing policy created on the secondary router is not really defined. Wireless ethernet bridge mode is intended to function as the name implies, a bridge. By design, the primary router is meant to handle DHCP and IP subnetting to the clients connected on the secondary router. Essentially limiting the secondary router and its clients to only the one VLAN/subnet of which the wireless interface is associated to on the primary router. Attempting to add VLANs/subnets created and controlled by the secondary router may yield unexpected behavior once you start trying to control the routing of those VLANs/subnets ( such as iptables rules ). You may find the secondary router has limited, or even no authority over the traffic.
     
    Last edited: Nov 7, 2018
  6. 1weirdFish

    1weirdFish New Member Member

    That actually fits my needs, except I have to mangle with the main router. Based on the same theory, if I create a virtual wireless interface on 5GHz on the main router and assign it to a separate VLAN, and connect the secondary router to the newly created virtual wireless interface on 5GHz, I should be ok, am I right?

    Thanks again Sean for your knowledge and patience.
     
  7. Sean B.

    Sean B. LI Guru Member

    You'd have to try and see. The theory is correct on paper, but if I recall correctly there ends up being issues for VLAN'ing due to the fact virtual interfaces inherit the MAC address of the parent interface. I could be mistaken though, so worth a shot.
     
  8. 1weirdFish

    1weirdFish New Member Member

    Ok, I am going to try it out this weekend and report back.

    Meanwhile, I have been under pressure to make my current setup work, due to the fact that the SmartTV (which is wired to the secondary router, on VLAN3) stopped working. After some searching online, I added the following iptables rules in Scripts -> Firewall yesterday. The result is that devices connected to "Play" and "Guest" with manual (fixed) IP addresses now have access to the Internet, as well as to my primary router plus the whole network, which is the unfortunate part. Any advice on how to make it better?

    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.2.3-192.168.2.200 -j REJECT
    iptables -I FORWARD -i br2 -m iprange --dst-range 192.168.2.3-192.168.2.200 -j REJECT
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 192.168.2.2

    It's a temporary solution, and I haven't fully tested it, but just out of curiosity, is it enough to separate the traffic from those 3 APs on the secondary router?
     
    Last edited: Nov 12, 2018
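As a way to answer the question in the post above without touching a live router, here is an added example (not code from the thread or from Tomato) that models the FORWARD-chain rules as posted, using iptables first-match semantics and the fact that each `iptables -I` pushes the previously inserted rules down. It then evaluates a few constructed flows, and does the same for a tighter rule set that rejects every private destination except DNS to the primary router. The interface names and subnets follow the poster's layout; the chain policy (`POLICY`) and the omission of Tomato's own built-in rules are assumptions, and it does not address the caveat raised earlier that a router in wireless ethernet bridge mode may have little authority over bridged traffic.

```python
"""Simulate an iptables FORWARD chain and check which bridge-to-bridge flows it permits.
Added example, not code from the thread or Tomato. Interfaces/subnets follow the poster's
layout: br0 192.168.2.0/24 (LAN), br1 192.168.3.0/24 ("Play"), br2 192.168.4.0/24 ("Guest").
POLICY is an assumed default policy; Tomato's built-in rules are not modelled."""
import ipaddress

POLICY = "DROP"  # assumption: what the chain does when no rule matches


def rng(text):
    """'a-b' (iprange) or 'a/n' (CIDR) -> (low, high) as integers."""
    if "-" in text:
        lo, hi = text.split("-")
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(text, strict=False)
    return int(net[0]), int(net[-1])


def rule(in_if, target, dst=None, proto=None, dport=None, new=False):
    """One FORWARD rule: -i in_if [-d/--dst-range dst] [-p proto --dport dport] [--state NEW] -j target."""
    return {"in_if": in_if, "target": target, "dst": rng(dst) if dst else None,
            "proto": proto, "dport": dport, "new": new}


def matches(r, pkt):
    if r["in_if"] != pkt["in_if"]:
        return False
    if r["new"] and not pkt.get("new", True):
        return False
    if r["dst"] and not (r["dst"][0] <= int(ipaddress.ip_address(pkt["dst"])) <= r["dst"][1]):
        return False
    if r["proto"] and r["proto"] != pkt.get("proto"):
        return False
    if r["dport"] and r["dport"] != pkt.get("dport"):
        return False
    return True


def chain_from_inserts(rules_in_typed_order):
    """`iptables -I` inserts at position 1, so the rule typed last is evaluated first."""
    chain = []
    for r in rules_in_typed_order:
        chain.insert(0, r)
    return chain


def verdict(chain, pkt):
    """First matching rule decides, otherwise the chain policy applies."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return POLICY


# The four FORWARD rules from the post, in the order they were typed.
POSTED = chain_from_inserts([
    rule("br1", "ACCEPT", new=True),
    rule("br2", "ACCEPT", new=True),
    rule("br1", "REJECT", dst="192.168.2.3-192.168.2.200"),
    rule("br2", "REJECT", dst="192.168.2.3-192.168.2.200"),
])

# Tighter variant: allow DNS to the primary router (the poster's DNS server), reject every
# other private destination, and only then accept what is left, i.e. Internet-bound traffic.
HARDENED = chain_from_inserts(
    [rule("br1", "ACCEPT", new=True), rule("br2", "ACCEPT", new=True)]
    + [rule(b, "REJECT", dst=net) for b in ("br1", "br2")
       for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
    + [rule(b, "ACCEPT", dst="192.168.2.1/32", proto="udp", dport=53) for b in ("br1", "br2")]
)

# Constructed sample flows from a "Play" client.
SAMPLES = {
    "play->internet":   {"in_if": "br1", "dst": "8.8.8.8", "proto": "tcp", "dport": 443},
    "play->lan-host":   {"in_if": "br1", "dst": "192.168.2.50", "proto": "tcp", "dport": 445},
    "play->primary-ui": {"in_if": "br1", "dst": "192.168.2.1", "proto": "tcp", "dport": 80},
    "play->guest":      {"in_if": "br1", "dst": "192.168.4.10", "proto": "tcp", "dport": 22},
    "play->dns":        {"in_if": "br1", "dst": "192.168.2.1", "proto": "udp", "dport": 53},
}


def evaluate(chain):
    return {name: verdict(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, evaluate(chain))
```

Running it shows the two gaps in the posted rules: the REJECT range stops at 192.168.2.3-192.168.2.200, so the primary router itself (192.168.2.1) and the "Guest" subnet are still reachable from "Play" because the catch-all ACCEPT sits below the REJECTs. The hardened chain corresponds to rules of the form `iptables -I FORWARD -i br1 -d 192.168.0.0/16 -j REJECT` typed after the ACCEPTs, and `iptables -I FORWARD -i br1 -d 192.168.2.1 -p udp --dport 53 -j ACCEPT` typed last so it ends up on top.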
  9. Sean B.

    Sean B. LI Guru Member

    I'm having a hard time nailing down exactly what your network topology is and how you're trying to use it. But if what I'm currently putting together is correct, which is:

    • Primary router - Is gateway to internet / Has things,clients,devices etc connected to it that you do not want accessible from clients connected to the secondary router / 5ghz radio interface is connected to secondary router / VLAN,bridge,subnet etc configuration has not been stated that I'm aware of
    • Secondary router - Connected to primary router using Wireless Ethernet Bridge Mode over the 5ghz interface / Has multiple VLANs/subnets configured on it with multiple AP's on the 2.4ghz radio assigned to them / Clients connected to this router should be able to access the internet via the primary router, but not any clients,devices etc on the LAN of the primary router / Clients connected to an AP on the secondary router should not be able to access clients/devices etc that are connected to a different AP of the secondary router.
    Then what I would suggest is to switch the connection type between the primary and secondary routers to Wireless Client Mode rather than using Ethernet Bridge Mode. Then, on the primary router create a VLAN/bridge/subnet specifically used only for the secondary router's connection, for example let's use VLAN3, br1, 192.168.2.0/24 and bridge the 5ghz wireless interface to it. Use a different VLAN/bridge/subnet for all other clients/devices that will connect to the primary router.. such as VLAN1, br0, 192.168.1.0/24.

    On the secondary router. Change to Wireless Client mode and connect to the primary router. Create a VLAN/bridge/subnet for each different AP you're going to create. For clarity, we'll use a different IP scheme than the primary router, but know that in this type of connection they won't interact nor matter. i.e.:

    VLAN1, br0, 10.1.10.0/24 - Play AP

    VLAN3, br1, 10.1.11.0/24 - Guest AP


    And there you go. All clients on the secondary router should be able to access the internet, but nothing else on the primary router. All AP's on the secondary router should be isolated from each other as well. The only issue that comes with this type of network setup is with port forwarding, in that port forwards for any devices on the secondary router side need to be configured on both the primary router pointed at the IP address of the secondary router, and then also on the secondary router pointed at the IP address of the device.
     
  10. 1weirdFish

    1weirdFish New Member Member

    Excellent point. I am going to try it out this weekend. I think I am getting 100% of what I want to achieve if this solution works.

    Thanks again for your expertise and the time you spent to put together the reply.
     
  11. Sean B.

    Sean B. LI Guru Member

    You're welcome. Let me know how it works out.
     
  12. 1weirdFish

    1weirdFish New Member Member

    Have been playing with my set up for the past 4 hours (have to do it before others wake up, right?), and I am happy to report back my experience.

    I first went the route Sean suggested (separate vlan on primary router, and wireless client mode on secondary router), but I just couldn't connect the secondary to the primary no matter what. After some online searching, I found this
    http://www.linksysinfo.org/index.php?threads/wireless-client.73780/
    My secondary router is a MIPS (Asus RT-AC66U) router, while my primary is an ARM (Linksys EA6900) router. I tried many times: if I select Wireless Ethernet Bridge mode on the secondary router, with the 5G radio configuration, it connects to the primary router right away; if I select Wireless Client mode on the secondary, with the same radio parameters, it just won't connect, but sometimes both primary and secondary show the link is there in Status -> Device List.

    So I had to go with what I originally planned, create a separate vlan on primary router, add a virtual wireless on 5GHz and connect the secondary router to the virtual wireless using Wireless Ethernet Bridge mode.

    I initially experienced some issues, such as the wired / wireless clients of the secondary router not getting DHCP from the primary router, etc. After enabling "DHCP Routes" in Advanced Settings -> Route and enabling "Enable SYN Cookies" in Advanced Settings -> Firewall, which I read about in this article
    https://www.spideylab.com/tomato-router-wireless-repeater-ethernet-bridge-mode/
    everything started to work as expected. I will document step by step what I did in the next post, just for record-keeping for myself, and hopefully someone will find it useful someday.

    Finally, many thanks to Sean for his help during this experiment!
     
    Last edited: Nov 10, 2018
  13. 1weirdFish

    1weirdFish New Member Member

    Detailed instructions on connecting my secondary wireless router (Asus RT-AC66U: AdvancedTomato v3.5-140-AIO) to my primary wireless router (Linksys EA6900: AdvancedTomato v3.5-140-AIO) using Wireless Ethernet Bridge mode.

    Configure the primary router
    First of all, I assume your primary router has been properly set up already, i.e. you can connect to it wirelessly with a device and you can browse with it.
    1. With a browser, go to the primary router's management GUI, in my case it's 192.168.1.1.
    2. Under Basic Settings -> Network -> LAN, add a new bridge: br1, STP disabled, 192.168.2.1, DHCP range 192.168.2.4 - 192.168.2.200,
    3. Go to Advanced Settings -> Virtual Wireless, add a new Virtual Wireless Interface, make it AP with security WPA Personal, let's call it "Play", and assign it to the br1 created previously,
    4. Save the changes, and go back to Status -> Overview, make sure the newly created virtual wireless interface is there.
    Now let's configure the secondary router
    1. Let's assume I have just reset my secondary router to factory default, so it should also have a default IP of 192.168.1.1.
    2. Login to the secondary router, go to Advanced Settings -> Routing, make sure "Mode" is set to Gateway, and uncheck "RIPv1 & v2" for LAN, make sure "DHCP Routes" is checked,
    3. Under Basic Settings -> Network -> WAN Settings, change "Type" to disabled, and tick "Bridge WAN port to primary LAN(br0)",
    4. Under Basic Settings -> Network -> LAN, change br0 to "STP" disabled, IP Address: 192.168.2.2, "DHCP" disabled; Change default Gateway and DNS to 192.168.2.1,
    5. Under Basic Settings -> Network -> Wireless, configure 2.4GHz (eth1) as AP, set it up the way you prefer,
    6. For 5GHz (eth2), change "Wireless Mode" to Wireless Ethernet Bridge, "Wireless Network Mode" to Auto, Channel to Auto, and SSID to "Play" (or whatever you named on primary router in step 3).
    7. Save changes. At this point, the router will reboot. *** Note *** Since the secondary router now has "DHCP" disabled, if for some reason it fails to connect to the primary router and you need further troubleshooting, you will need to connect to it using a manual IP address. Here are the steps for that: (Change the computer's IP address to 192.168.2.3, with subnet 255.255.255.0, and connect the computer to the secondary router with an ethernet cable or wirelessly using the AP created in step 5 above. In a browser, open 192.168.2.2. After troubleshooting is done and the secondary connects to the primary router successfully, change the computer back to DHCP)
    8. Login to secondary router's management GUI at 192.168.2.2, verify all the changes are still there.
    9. Under Advanced Settings -> Firewall, make sure "Enable SYN cookies" is checked, and "NAT Loopback" is set to "Forwarded only", "NAT Target" to MASQUERADE,
    10. Under Advanced Settings -> DHCP/DNS, add check marks to "Use received DNS with user-entered DNS" and "Use user-entered Gateway if WAN is disabled".
    And you are done.

    Optional steps (I think?)
    • If you have "Wireless Filter" enabled on primary or secondary router, it's a good idea to disable it during the setup, and turn it back on afterwards.
    • In Step 3 under primary configuration, I left "Broadcast" of the new virtual wireless interface unchecked (hidden SSID), which doesn't seem to have any negative impact.
    • In primary router configuration, I did create a new VLAN under Advanced Settings -> VLAN: VLAN3, VID3, bridged to br1. I don't think it's necessary, correct me if I am wrong. (See Sean's comments below, I am not sure if that's correct, can someone confirm?)
    • If for some reason the secondary can't connect to the primary router, double check the settings of "Country / Region", "Transmit Power" under Advanced Settings -> Wireless; Then use "Wireless Survey" tool to see if you can see the primary router's 5Ghz virtual wireless AP there (if you need to do this, don't leave that SSID hidden)
    Thank you.
     
    Last edited: Nov 12, 2018
  14. Sean B.

    Sean B. LI Guru Member

    There are several aspects of your tutorial that need clarification:

    1. Why is a virtual interface being used for this AP? Do you have other 5ghz AP's that are used by clients on the primary router?

    2. In your prior posts, the AP's "Play" and "Guest" were located on the secondary router. Yet here you're creating an AP "Play" on the primary router to be used as the connection point for the secondary router. Is this an oversight or is there some reasoning behind this?

    DHCP being disabled on the secondary router is irrelevant to any aspect of connecting to it. As I stated in a previous post, when using "Wireless Ethernet Bridge Mode" you are extending the network on the primary router you connected it to, not creating a new one. You enabled DHCP on that network here:

    Therefore if you connect to the secondary router you will receive a DHCP lease in the 192.168.2.0/24 subnet from the primary router. Unless, something is not configured or functioning correctly.

    Accessing the secondary router's web interface shouldn't need anything special either, just that you're connected to the secondary router via AP or LAN, and not connected to the primary router. When connected to your "private" network on the primary router you will not be able to access the secondary router's web interface. This is because, by design ( see the last section of this post ), the networks are isolated from each other.

    If you did the same when you tried Wireless Client Mode, it may have caused the failure. Also the encryption selection can cause issues as well.

    If you did not create a VLAN/subnet/bridge that is used only for the secondary router's connection, then clients connected to the secondary router AP's would be able to see and access the other clients/devices connected to the primary router. Of which you stated you wanted the primary router isolated from the secondary router clients.
     
  15. 1weirdFish

    1weirdFish New Member Member

    Yes Sean. I am using the 5Ghz AP for my work. That's the whole purpose of this exercise.
    I am going to fix the opening post when I have time, I wanted to do a complete step-by-step tutorial, for myself and others who might find it helpful.
    I am only doing this during the setup; once you change the secondary router to wireless ethernet bridge mode, sometimes it won't connect to the primary router without further changes under the firewall and routing sections, that's why I said I need a computer and a fixed IP address.
     
  16. 1weirdFish

    1weirdFish New Member Member

    I did both, as I said, I tried many times, but I didn't try wireless client mode without encryption.
    I did create subnet, VLAN and a bridge. What I meant is I think subnet and bridge should be enough, i.e. VLAN can be skipped.
    Thanks Sean.
     
  17. Sean B.

    Sean B. LI Guru Member

    There is nothing about the use of a 5ghz AP on your primary router for your main/private LAN in your original or subsequent posts. Hence the question.

    That's all well and good. I'm not trying to pick on you, just that if a "tutorial" is not clear and correct it will simply create more threads on the issue due to users who followed it being confused or doing it wrong.

    If this step was done on the possibility of something not working, that would be worthy of mention rather than making it a standard step in the process. This is related to the DHCP routes option, which can be enabled prior to changing the connection to Ethernet Bridge mode, thereby preventing the need for a computer/static IP.

    I realize you created them all. I stated what would happen if you didn't. Subnet and bridge are not enough. If you notice under the Advanced->VLAN section, there is a column titled "default" of which only one VLAN is marked. If any incoming packets do not have a VLAN ID, the default VLAN is where the router will send them. And as the default VLAN on your primary router is likely the br0 interface, if you did not assign a VLAN ID to the br1 bridge you created for this connection it would cause it to fail.


    Glad you got it working. Take care.
     
    Last edited: Nov 12, 2018
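Two points made in this thread, that VLAN separation over a link needs 802.1Q tagging (post 3) and that untagged frames land in whichever VLAN is marked "default" (post 17), can be shown with a small frame parser. The following is an added example, not code from the thread or from Tomato: it parses the Ethernet header, pulls the 12-bit VID out of an 802.1Q tag when one is present, and assigns untagged frames to the port's default VLAN (PVID). The frames are constructed with placeholder MAC addresses, and the VLAN-to-bridge table (VLAN1 -> br0, VLAN3 -> br1) is an assumption modelled on the poster's primary-router layout. `strip_tag` stands in for what an untagged link does to a frame in transit, which is why the far end can only place it in its default VLAN.

```python
"""Parse 802.1Q tags and classify frames into VLANs the way a switch port ingress does.
Added example, not code from the thread or Tomato; frames and MAC addresses are constructed,
and VLAN_TO_BRIDGE is an assumed mapping based on the poster's primary-router layout."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DEFAULT_VLAN = 1                        # the VLAN marked "default" in Advanced -> VLAN
VLAN_TO_BRIDGE = {1: "br0", 3: "br1"}   # assumption: VLAN1 -> br0 (LAN), VLAN3 -> br1


def parse_frame(frame: bytes):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF                # low 12 bits of the TCI; PCP and DEI sit above them
        return dst, src, vid, inner_type, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def classify(frame: bytes, pvid: int = DEFAULT_VLAN) -> int:
    """VLAN the frame belongs to after ingress: the tag wins, otherwise the port's PVID."""
    _, _, vid, _, _ = parse_frame(frame)
    return vid if vid is not None else pvid


def bridge_for(frame: bytes, pvid: int = DEFAULT_VLAN) -> str:
    """Bridge the frame is handed to; a VID with no bridge configured goes nowhere."""
    return VLAN_TO_BRIDGE.get(classify(frame, pvid), "dropped (no bridge for this VID)")


def build_frame(vid=None, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed frame with placeholder MACs; a tag is inserted when vid is given."""
    dst = bytes.fromhex("ffffffffffff")   # broadcast destination
    src = bytes.fromhex("02000000aa01")   # locally administered placeholder source
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = (0 << 13) | (0 << 12) | (vid & 0x0FFF)   # PCP 0, DEI 0, VID
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def strip_tag(frame: bytes) -> bytes:
    """Forward the frame without its tag, as a non-trunk link does; the receiving end
    then has nothing but its PVID to go on."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return dst + src + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for label, frame in (("tagged VID 3", build_frame(3)),
                         ("untagged", build_frame()),
                         ("VID 3 after untagged hop", strip_tag(build_frame(3)))):
        print(f"{label:26} -> VLAN {classify(frame)} -> {bridge_for(frame)}")
```

The last case is the one Sean describes: a frame that left the secondary router on VLAN3 arrives at the primary router with no tag and is filed under the default VLAN there, so any policy that keyed on VLAN3 no longer applies. Conversely, a bridge with no VID assigned in the VLAN table (post 17) has no entry in `VLAN_TO_BRIDGE`, and frames meant for it are not delivered.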
  18. 1weirdFish

    1weirdFish New Member Member

    Thank you very much for your help.
     