Author Topic: WLAN Not being isolated  (Read 5617 times)

Offline JBDive

  • Jr. Member
  • **
  • Posts: 12
WLAN Not being isolated
« on: April 24, 2008, 05:36:59 pm »
Firmware: DD-WRT v24 RC-6 (01/02/08) std
WRT54GL

Appears WLAN is not being isolated. Although WLAN users get the Worldspot redirect and prompt and must connect before they can do anything, and WLAN users are on 192.168.182.x, they are able to see and access the LAN on 192.168.0.x.

Services/Hotspot: Chillispot-enabled, Separate Wifi from the LAN Bridge-enabled

I see something in the instructions about "On the DHCP interface, select WLAN" however I do not see that TAB anywhere in this firmware. Again Chillispot/Worldspot appear to work great, WLAN isolation does not.


Offline WorldSpot

  • Administrator
  • Hero Member
  • *****
  • Posts: 1849
Re: WLAN Not being isolated
« Reply #1 on: April 24, 2008, 05:38:33 pm »
You need to add iptable rules.
CoovaAP does this by default.

You may also try these instructions:
http://worldspot.net/forum/index.php/topic,1106.0.html

Feedback welcome.
« Last Edit: April 24, 2008, 05:41:39 pm by WorldSpot »

Offline JBDive

  • Jr. Member
  • **
  • Posts: 12
Re: WLAN Not being isolated
« Reply #2 on: April 28, 2008, 04:25:22 pm »
That makes sense; however, it does not appear to work, or I did it wrong.

I inserted the following under <Administration>, <Commands>:

#!/bin/sh

# allow hotspot clients (tun0) to reach the router and the WAN (vlan1 or ppp0)
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i tun0 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j logdrop

# secure access to local addresses other than chillispot
iptables -A FORWARD -i tun0 -j DROP
iptables -t nat -I PREROUTING -i tun0 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 192.168.0.0/16 -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 169.254.0.0/16 -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 172.16.0.0/12 -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 10.0.0.0/8 -j DROP
# inserted last, so evaluated first: keep the chillispot gateway itself reachable
iptables -t nat -I PREROUTING -i tun0 -d 192.168.182.1/32 -j ACCEPT

##bandwidth limitation for all hotspot users.
##uncomment below to activate

#DEV="tun0"
#DOWNLINK="1024"
#UPLINK="256"
#
#tc qdisc del dev $DEV root
#tc qdisc del dev $DEV ingress
#
## limit download
#tc qdisc add dev $DEV root handle 1: htb
#tc class add dev $DEV parent 1: classid 1:1 htb rate  ${DOWNLINK}kbit burst 6k
#tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.182.1/24 flowid 1:1
#
## limit upload
#tc qdisc add dev $DEV ingress handle ffff:
#tc filter add dev $DEV parent ffff: protocol ip u32 match ip src 0.0.0.0/0 police rate ${UPLINK}kbit burst 10k drop flowid :1


I then hit <Save Startup>, confirmed the command was listed, and rebooted the router. Using my notebook I logged into the wifi side (192.168.182.x) and unplugged my wired side. Connected, got my prompt for Worldspot, <Connected>, and browsed the Internet. Opened a command window, then pinged 192.168.0.254, the router's wired side, and got a reply. Picked a known machine on the wired side and pinged it, and also got a reply.


Offline JBDive

  • Jr. Member
  • **
  • Posts: 12
Re: WLAN Not being isolated
« Reply #3 on: April 28, 2008, 07:57:14 pm »
OK, I gave up on DD-WRT and dropped in CoovaAP; however, it has some major issues with features I want, from what I can tell. It did seem to isolate the wireless correctly, although at least once I was able to connect to the LAN side: when I was making changes to the Router/AP settings over wireless, it appeared to place me on the LAN network and left me there.

Anyway what I am not finding in the CoovaAP firmware:

1. How to set the date/time.
2. Using OpenDNS doesn't seem to work, wireless clients are forwarded the ISP's DNS servers. In fact it appears to ignore the DNS servers I inserted outright.
3. Firewall rules are not near restrictive enough. I want to restrict an incoming connection by port and source IP, and can't seem to do that.

Offline WorldSpot

  • Administrator
  • Hero Member
  • *****
  • Posts: 1849
Re: WLAN Not being isolated
« Reply #4 on: April 29, 2008, 11:40:03 am »
Quote
I then hit <Save Startup>, confirmed the command was listed, and rebooted the router. Using my notebook I logged into the wifi side (192.168.182.x) and unplugged my wired side. Connected, got my prompt for Worldspot, <Connected>, and browsed the Internet. Opened a command window, then pinged 192.168.0.254, the router's wired side, and got a reply. Picked a known machine on the wired side and pinged it, and also got a reply.
Are you sure you enabled the "separate wifi from lan" option?

Quote
1. How to set the date/time.
On the upper right, near the time, you can click on 'set'.
Quote
2. Using OpenDNS doesn't seem to work, wireless clients are forwarded the ISP's DNS servers. In fact it appears to ignore the DNS servers I inserted outright.
There should be no reason not to use your ISP's DNS. This is why Coova doesn't need to know about the DNS.
Quote
3. Firewall rules are not near restrictive enough. I want to restrict an incoming connection by port and source IP, and can't seem to do that.
Have you checked the Network/Firewall page?
There should be what you need there.

Offline cybertechs

  • Jr. Member
  • **
  • Posts: 1
Re: WLAN Not being isolated
« Reply #5 on: July 10, 2008, 12:22:05 pm »
In order to isolate the WLAN from the LAN you need to do the following in DDWRT:

iptables -I FORWARD 1 -s 192.168.182.0/24 -d 192.168.x.0/24 -j REJECT
iptables -I INPUT 1 -s 192.168.182.0/24 -d 192.168.x.0/24 -j REJECT

Replace "x" with the number of your subnet.

SAVE FIREWALL, not Save Startup.

Hope this helps.

I had the same issue and resolved it with that command.
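Why the appended DROP in Reply #2 (`-A FORWARD`) can leave the LAN reachable while the `-I FORWARD 1` REJECT in Reply #5 blocks it comes down to first-match rule ordering. The following is an added Python model of that ordering, not code from the thread, DD-WRT or CoovaAP; `STOCK` is a constructed stand-in for whatever permissive rule the firmware already holds in FORWARD (the real default chain is not shown here), and the interfaces and subnets are the thread's own.

```python
# Added example, not DD-WRT code: a first-match model of an iptables FORWARD chain. Only
# -A/-I CHAIN [pos], -s, -d, -i, -o and -j are interpreted ("-m state" is skipped).
import ipaddress

def parse_rule(line):
    toks = line.replace(";", "").split()
    r = {"insert_at": None, "src": None, "dst": None, "in": None, "out": None, "target": None}
    i = 1  # skip the leading "iptables"
    while i < len(toks):
        t, a = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t == "-I":  # -I CHAIN [N] inserts before rule N; without N, at the head
            has_pos = i + 2 < len(toks) and toks[i + 2].isdigit()
            r["insert_at"] = int(toks[i + 2]) if has_pos else 1
            i += 1 if has_pos else 0
        elif t == "-s": r["src"] = ipaddress.ip_network(a, strict=False)
        elif t == "-d": r["dst"] = ipaddress.ip_network(a, strict=False)
        elif t == "-i": r["in"] = a
        elif t == "-o": r["out"] = a
        elif t == "-j": r["target"] = a
        i += 2  # every option seen here (-A, -m and --state included) takes one argument
    return r

def build_chain(commands):
    """Apply commands in order: -A appends, -I N inserts at 1-based position N."""
    chain = []
    for cmd in commands:
        r = parse_rule(cmd)
        if r["insert_at"] is None:
            chain.append(r)
        else:
            chain.insert(r["insert_at"] - 1, r)
    return chain

def verdict(chain, src, dst, in_if, out_if, policy="ACCEPT"):
    """The first rule whose set fields all match decides; otherwise the chain policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if ((r["src"] is None or src_ip in r["src"]) and (r["dst"] is None or dst_ip in r["dst"])
                and r["in"] in (None, in_if) and r["out"] in (None, out_if)):
            return r["target"]
    return policy
# Constructed stand-in for a permissive rule already in FORWARD when the user's
# commands run; the firmware's real default chain is not shown in the thread.
STOCK = ["iptables -A FORWARD -i tun0 -o br0 -j ACCEPT"]
APPENDED = STOCK + ["iptables -I FORWARD -i tun0 -o vlan1 -m state --state NEW -j ACCEPT",
                    "iptables -A FORWARD -i tun0 -j DROP;"]  # Reply #2: the DROP lands last
INSERTED_FIRST = STOCK + ["iptables -I FORWARD 1 -s 192.168.182.0/24 -d 192.168.0.0/24 -j REJECT"]

def wlan_verdict(commands, dst, out_if):  # hotspot client 192.168.182.10 on tun0 sending to dst
    return verdict(build_chain(commands), "192.168.182.10", dst, "tun0", out_if)
```

Under the `STOCK` assumption, `wlan_verdict(APPENDED, "192.168.0.254", "br0")` is `ACCEPT` (the ping in Reply #2 succeeds) while `wlan_verdict(INSERTED_FIRST, "192.168.0.254", "br0")` is `REJECT`, and Internet-bound traffic via vlan1 is still accepted.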

Offline JBDive

  • Jr. Member
  • **
  • Posts: 12
Re: WLAN Not being isolated
« Reply #6 on: July 31, 2008, 06:39:54 am »

Quote
2. Using OpenDNS doesn't seem to work, wireless clients are forwarded the ISP's DNS servers. In fact it appears to ignore the DNS servers I inserted outright.
There should be no reason not to use your ISP's DNS. This is why Coova doesn't need to know about the DNS.

I know it's been a while since I visited this thread, but I really need to get OpenDNS to work. Why on earth anyone would want to open a HotSpot and allow unrestricted DNS is beyond me. I want OpenDNS so I can limit the porn and so forth, plus monitor the AP use. I have posted over at Coova as well on this. In basic testing I don't think even the LAN side uses the DNS settings you insert, but the wireless side certainly doesn't. It passes out the AP as the primary and the ISP's DNS as secondary. Since OpenDNS is not blocking on the wireless side, it appears the hotspot's IP, which is given as the primary, is not looking at the settings for DNS, as a DNS query should hit the AP; the AP is set to OpenDNS, so unless OpenDNS is too slow, the secondary of the ISP's DNS shouldn't even come into play.

As it's been some months since I messed with this, is there a better option than Coova now for the total novice to set up that doesn't require working with iptables and such? Sorry, I like a GUI on some things.

Offline WorldSpot

  • Administrator
  • Hero Member
  • *****
  • Posts: 1849
Re: WLAN Not being isolated
« Reply #7 on: July 31, 2008, 08:24:17 am »
In Coova, have you tried to add the OpenDNS servers in network/lan/dns servers?
I don't know the exact effect of this.
You may also ask on the OpenWrt forum, because all this part of the firmware is from the OpenWrt WhiteRussian firmware.

Offline jamie398

  • Jr. Member
  • **
  • Posts: 4
Re: WLAN Not being isolated
« Reply #8 on: January 21, 2010, 09:34:06 pm »
Just to clear something up, as I spent ages scratching my head: DD-WRT V23 has the WLAN option in Chillispot, V24 does not; that's why you didn't see the option. How are you getting on with CoovaAP? I didn't find it as easy as DD-WRT, so I flashed back (which was a mission in itself) and installed v23, which seems to work fine, and most of the guides are written around this version. I also had problems with WDS in V24.