If you connect a CPE, things are slightly different in so far that LAN devices are still reachable by clients in the GUEST network (b/c of the default route in the CPE), but not the other way around, since there is no subnet route pointing to the CPE as the gateway in charge. on a WiFi router such as the Linksys WRT or TP-Link WR/WDR. However, this applies only to setups where both wireless radios are tied to networks on the same router, e.g. Therefore, clients in the LAN are exposed to the GUEST network and vice versa.
SInce the kernel has routes for each subnet and needs IP forwarding turned on to be able to reach the WAN, every packet from the GUEST network finds its way to the WAN, but also to the LAN if no firewall rules prevent this. So, if you have a private network (LAN) and a guest network (GUEST) sharing an Internet connection (WAN), routing and forwarding comes into play.
It's just a restriction in respect to packet forwarding of the WiFi chip itself. That's the reason why one should use WPA2 encryption in addition to AP isolation if the latter is applicable. So in monitor mode one can still spy on wireless frames being exchanged between any client and the AP, regardless of AP isolation. Radio waves can't be "isolated", they are receivable by every receiver. Note that any client still can receive all wireless frames if he uses monitor mode on his WiFi adapter. It prevents wireless clients from connecting to each other, although they are in the same subnet. While we're still at it and looking for a moment back to the KISS principle as I outlined in page 1 of the current thread, could someone explain to me why following a much simpler approach would potentially "expose the personal network to the guest network when using the same router" (which btw is how things are done most of the time in that all are conected to a same modem/router) given that the CPE supports AP isolation for the Guest WiFi network SSID?ĪP isolation is done in the WiFi chip. Setup is pretty straight-forward, but DD-WRT uses another terminology (which seems much more complicated if you ask me). These ports in networkĮth0.3 are the ones I connect the guest CPE to. In this case the GUEST VLAN is only accessible on ports 1 and 2, not by WiFi. If you don't use the WiFi of your main router, you don't need a bridge. Members: eth0.3, wlan0-1, wlan1-1 (wlanN-1 is the convention of OpenWRT for an additional wireless interface) Members: eth0.1, wlan0, wlan1 (wlan0 is 2.4 GHz, wlan 1 is 5 GHz, SSID is "private") Port: 5 (internal port 5 is external port labeled "Internet")īridges (bridge for guest LAN only needed for port and WiFi interface, see note below) : Ports: 3, 4 (port 0 is the internal CPU port with my WDR4300 under OpenWRT) (Sorry for formatting, no tables possible here): for the following setup (ignore the part re trunking): I can show you my setup for a guest network, maybe you can transfer the principle to DD-WRT. VLAN3) are irrelevant, but NVRAM assignments could matter unless they obey the standard LINUX conventions. Usually, under Linux the interface name defines the VLAN ID. I must be missing something in turning on the vlan3 to port 3.ĭid you ask in the DD-WRT forum already? They seem to have strange conventions.
So, I plugged the cpe210 into each of the 4 ports and tested it and they all indicated 192.168.0.x as the ip address. So, I tried other ports on the router, knowing that sometimes port 3 in telenet can be port 4 or port 2 or port x. However, when I connect the router to the modem and then the cpe210 to port 3 of the router, it's showing ip192.168.0.xx as the address. I've connected the router to the computer (without internet) and ran arp -a to see if the ip address is showing up. I've set up vlan3 to go to port 3 of the router. Have done as suggested and when I telenet the router, everything looks as it should. Still working at getting the wrtac1200 working.
If DD-WRT differs in this respect from OpenWRT, just find the place where you would assign In network settings the network then is assigned an interface such asĪth1.1. GLAN or whatever you named it), this will create the link betweenĪth1.1 and the WiFi interface (SSID). In wireless setting you should be able to assign the SSID with a network (
0 kommentar(er)
