Need dd-wrt configuration to isolate wireless router from local LAN...

Alex Hewitt hewitt_tech at comcast.net
Mon Dec 22 17:41:25 EST 2008


Drew Van Zandt wrote:
> Method (1): Put the wireless router outside the wired router.
> Method (2): Add something like:
> iptables -I INPUT -d 192.168.1.0/255.255.255.0 -j DROP
> and (to allow the wired router as a destination):
> iptables -I INPUT -d 192.168.1.1 -j ACCEPT
>
> You might need to do that second method to the nat table instead of 
> the default table, that's all from memory so the syntax is probably 
> not quite right.
>
> --DTVZ
>
> On Thu, Dec 11, 2008 at 3:53 PM, Alex Hewitt <hewitt_tech at comcast.net> wrote:
>
>     This might not have an easy answer but I want to setup a wireless
>     router
>     inside an existing LAN. I want to be able to let users connect to the
>     wireless router but not be able to access systems on the LAN that the
>     wireless  router will be installed on. So the scenario is:
>
>                          Internet Connection
>                                      .
>                                      .
>                          Existing router (192.168.1.1)
>                                      .
>                                      .
>                           Wireless router (192.168.2.1 or any private network)
>
>     A user connecting to the wireless router would get an address such as
>     192.168.2.100 and they could ping or otherwise see machines on the
>     192.168.1.* network. I've got dd-wrt v2.4 micro edition running on a
>     WRT54G V5 wireless router. The main router is a LinkSys RV042 model. Is
>     there a simple way to stop users connected on the wireless router from
>     accessing systems on the main LAN? One way to achieve this would be to
>     add a switch between the ISP's equipment and the RV042 but I'd like to
>     make sure that any wireless connections couldn't chew up too much
>     bandwidth.
>
>     -Alex
>
>     _______________________________________________
>     gnhlug-discuss mailing list
>     gnhlug-discuss at mail.gnhlug.org
>     http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
>
Just a followup. I used the second method. Drew's suggested iptables 
commands were correct except for the table that needed to be updated 
which turned out to be the "FORWARD" table in OpenWRT. Also making the 
iptables rules persist requires modifying a file "/etc/firewall.user". 
Initially I misunderstood how this was to be done because the 
documentation suggested that merely executing firewall.user would make 
the iptables rules persist across reboots and power cycling. In fact you 
need to add your new rules to the firewall.user script which gets run 
every time the router is rebooted.

-Alex
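The configuration Alex ended up with, written out as an added example (not code from the thread or from dd-wrt/OpenWrt): a candidate /etc/firewall.user that puts the gateway ACCEPT and the subnet DROP in the FORWARD chain, plus a small dry-run helper that walks the rule order without touching the kernel. The chain name, the /24 masks and the root-and-iptables guard are my assumptions; the addresses are the ones in the thread.

```shell
#!/bin/sh
# Candidate /etc/firewall.user for the wireless router (assumed dd-wrt/OpenWrt layout).
# Addresses follow the thread: wired LAN 192.168.1.0/24 behind the RV042 at 192.168.1.1,
# wireless clients on 192.168.2.0/24 behind this router. Chain name is our own choice.
WIRED_LAN="192.168.1.0/24"
WIRED_GW="192.168.1.1"
WIFI_LAN="192.168.2.0/24"
CHAIN="wifi_isolate"

# The rules, one iptables argument list per line. They go in FORWARD (the chain
# Alex found was needed), not INPUT: INPUT only sees traffic addressed to the
# router itself, FORWARD sees wireless-to-wired traffic passing through it.
# Order matters: the gateway ACCEPT must come before the subnet-wide DROP.
wifi_isolation_rules() {
    printf '%s\n' \
        "-A $CHAIN -s $WIFI_LAN -d $WIRED_GW -j ACCEPT" \
        "-A $CHAIN -s $WIFI_LAN -d $WIRED_LAN -j DROP" \
        "-I FORWARD 1 -j $CHAIN"
}

# First-match walk of those rules for a wireless client sending to $1, so the
# ordering can be checked without touching the kernel (prefix match on the /24).
policy_for_dst() {
    case "$1" in
        "$WIRED_GW")                echo ACCEPT ;;
        "${WIRED_LAN%.0/24}".*)     echo DROP ;;
        *)                          echo ACCEPT ;;
    esac
}

# Create (or flush) our chain, drop any stale hook, then load the rules.
# Using a private chain keeps the script idempotent when firewall.user reruns at boot.
apply_rules() {
    ipt="${1:-iptables}"
    "$ipt" -N "$CHAIN" 2>/dev/null || "$ipt" -F "$CHAIN"
    "$ipt" -D FORWARD -j "$CHAIN" 2>/dev/null || true
    wifi_isolation_rules | while read -r args; do
        # shellcheck disable=SC2086  # splitting $args into words is intended
        "$ipt" $args
    done
}

# Only touch the live firewall when we are root and iptables exists; otherwise
# (e.g. reviewing the script on a workstation) just show what would be loaded.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    apply_rules iptables || printf 'firewall.user: could not load rules\n' >&2
else
    wifi_isolation_rules
fi
```

Bandwidth limiting, the other half of Alex's question, is a separate matter (traffic shaping) and is not covered by these rules.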
