Why Can Guest Network Still Access My Private Network?

kingandpoppy

Hi, I followed the Wiki page to set up a Guest network and it seems to be a pretty straightforward setup: all I needed to do was to create a virtual interface (wl0.1) and then add a DHCP for wl0.1.

This setup is supposed to isolate my private network from the Guest network, but for some reason the connection on the Guest network can still access all my resources on the private network side. What have I done wrong?

My private network is in 192.168.1.* range and Guest is in 10.0.0.*

https://www.myopenrouter.com/sites/default/files/u83959/virtual2.jpg

Thanks,

Brand

Smitty16367
Hi,

There is something missing to set up a safe guest network. There are many different tutorials around and many of them do not work properly. Maybe they were made with older dd-wrt versions with older Linux kernels. Are you German? I am, and one of the best tutorials I found is Simon Pedrett's Sicheres Gästenetzwerk mit DD-WRT. You may google it. The setting to keep guests away from your home LAN is made in the firewall settings. The firewall settings in the tutorial worked perfectly as they are on my T-Link router with dd-wrt v2.6, but not so on my Nighthawk with dd-wrt v3.0. Here are my settings:

#-------------------------------------------------------------------------------------------------------------------
# Make private wlan completely secure and give internet access.
# br0 = private LAN bridge, br1 = guest bridge (the guest interface wl0.1 has to sit in br1, not in br0).
# Note: -I inserts each rule at the TOP of the chain, so rules added later are evaluated first;
#       that is why the DROP rules below end up above the ACCEPT rule.
#-------------------------------------------------------------------------------------------------------------------
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
# ------------------------------------------------------------------------------------------------------------------
# Block Torrent and P2P Networks for guests
# (192.168.5.0/24 is the guest subnet on this router; replace it with your own guest range)
#-------------------------------------------------------------------------------------------------------------------
iptables -I FORWARD -p tcp -s 192.168.5.0/24 -m connlimit --connlimit-above 50 -j DROP
# "! -p tcp" is the current negation syntax; the old "-p ! tcp" form is deprecated and rejected by newer iptables
iptables -I FORWARD ! -p tcp -s 192.168.5.0/24 -m connlimit --connlimit-above 25 -j DROP
#-------------------------------------------------------------------------------------------------------------------
# Harden security of WLAN. Keep guests from accessing router.
# Only the management ports are rejected; DHCP and DNS from br1 to the router still work.
#-------------------------------------------------------------------------------------------------------------------
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
#-------------------------------------------------------------------------------------------------------------------

hope this helps.

Smitty
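The rules above only isolate the guest bridge because `-I` puts each new rule at the top of the FORWARD chain, so the `br1 -> br0 DROP` is evaluated before the broad `br1 ACCEPT`. The following added example (not code from this thread or from dd-wrt) is a small first-match simulator that models just the options the posted rules use (`-i`, `-o`, `--state`) and compares the verdicts you get when the same three rules are loaded with `-I` versus `-A`. Interface names br0/br1 follow the post; `vlan2` as the WAN interface is an assumption.

```python
"""Toy first-match simulator for an iptables FORWARD chain (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# br0 = private LAN bridge, br1 = guest bridge (as in the post).
# "vlan2" as the WAN interface is an assumption for this example.
LAN, GUEST, WAN = "br0", "br1", "vlan2"


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT or DROP
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o
    state: Optional[str] = None   # -m state --state

    def matches(self, pkt: Dict[str, str]) -> bool:
        return all((
            self.in_if is None or pkt["in"] == self.in_if,
            self.out_if is None or pkt["out"] == self.out_if,
            self.state is None or pkt["state"] == self.state,
        ))


class Chain:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy  # what happens when nothing matches

    def insert(self, rule: Rule) -> None:  # iptables -I: new rule becomes the first one
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:  # iptables -A: new rule becomes the last one
        self.rules.append(rule)

    def verdict(self, pkt: Dict[str, str]) -> str:  # first matching rule wins
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# The three FORWARD rules from the post, in the order they appear in the script.
POSTED_RULES = [
    Rule("ACCEPT", in_if=GUEST, state="NEW"),            # guests may open connections ...
    Rule("DROP", in_if=GUEST, out_if=LAN, state="NEW"),  # ... but not into the private LAN
    Rule("DROP", in_if=LAN, out_if=GUEST, state="NEW"),  # and the LAN may not open into guest
]


def build(mode: str) -> Chain:
    """Load the posted rules with either '-I' (insert) or '-A' (append)."""
    chain = Chain()
    for rule in POSTED_RULES:
        (chain.insert if mode == "-I" else chain.append)(rule)
    return chain


def new_flow(src_if: str, dst_if: str) -> Dict[str, str]:
    """A constructed packet that opens a new connection from src_if to dst_if."""
    return {"in": src_if, "out": dst_if, "state": "NEW"}


def verdicts(mode: str) -> Dict[str, str]:
    """Verdicts for the three flows a guest-network setup cares about."""
    chain = build(mode)
    return {
        "guest->lan": chain.verdict(new_flow(GUEST, LAN)),
        "guest->wan": chain.verdict(new_flow(GUEST, WAN)),
        "lan->guest": chain.verdict(new_flow(LAN, GUEST)),
    }


if __name__ == "__main__":
    for mode in ("-I", "-A"):
        print(mode, verdicts(mode))
```

With `-I` the guest-to-LAN flow is dropped while guest-to-WAN is still accepted; with `-A` the broad ACCEPT sits first and the guest-to-LAN DROP is never reached, which is exactly the "guest can still see my LAN" symptom. On a real router, `iptables -S FORWARD` shows the chain in evaluation order so you can confirm the DROP precedes the ACCEPT.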


kingandpoppy
Thanks Smitty16367 :D