Mar 29, 2013

Separate WLAN in DD-WRT

If you have a DD-WRT device, you can configure the WLAN to be completely separate from the LAN while still giving it an internet connection. That means the WLAN subnet won't be able to reach any device in the LAN subnet, but it will still be able to pass through the router/modem to get internet access.

The basic configuration consists of the following:
  1. Create a new bridge with a new subnet address that will contain the WLAN interface.
  2. Add DHCP service to the new subnet if needed.
  3. Configure the firewall settings to set up the WLAN isolation.
The first two are self-explanatory, but for the third one you have to insert the following in the firewall rules, save them and apply them:

# Source-NAT WLAN traffic leaving through the WAN interface
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# Allow new connections coming from the WLAN bridge to be forwarded...
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
# Clamp the TCP MSS to the path MTU (needed on PPPoE and similar links)
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# ...but drop new connections from the WLAN bridge to the LAN subnet. Because
# -I inserts at the top of the chain, this rule ends up above the ACCEPT rule.
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# Source-NAT traffic forwarded out of the LAN bridge (br0) to the router's LAN address
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# Let WLAN clients reach the router's DHCP (udp/67) and DNS (udp+tcp/53) services
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# Download limit: shape traffic leaving the router towards the WLAN bridge (br1)
TCA="tc class add dev br1"
TFA="tc filter add dev br1"
TQA="tc qdisc add dev br1"
SFQ="sfq perturb 10"
tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 1024kbit
$TQA parent 1:1 handle 10: $SFQ
$TFA parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:1
# Mark packets destined for the WLAN subnet so the fw filter above puts them in class 1:1
iptables -t mangle -A POSTROUTING -d 192.168.3.0/24 -j MARK --set-mark 10

# Upload limit: incoming traffic cannot be shaped on its ingress interface, so it
# is redirected through the IMQ pseudo-device imq0 and shaped there
TCAU="tc class add dev imq0"
TFAU="tc filter add dev imq0"
TQAU="tc qdisc add dev imq0"
insmod imq
insmod ipt_IMQ
ip link set imq0 up
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit
$TQAU parent 1:1 handle 10: $SFQ
$TFAU parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:1
# Mark packets coming from the WLAN subnet...
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -j MARK --set-mark 10
# ...and send them through imq0. This rule is missing from the original listing;
# without the redirect nothing reaches the imq0 qdisc and the upload limit has no effect
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -j IMQ --todev 0

With the above rules we're doing the following:
  • Allowing the WLAN subnet to access the internet.
  • Dropping new connections from the WLAN subnet to the LAN subnet (the isolation itself).
  • Allowing the WLAN subnet to reach the router's DNS and DHCP services.
  • Limiting WLAN bandwidth to 1024kbit/512kbit download/upload speed.
Take note that in the example above, the bridge with the WLAN interface is named br1 and the bridge with the rest of the interfaces is br0; the WLAN subnet is 192.168.3.0/24.
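The isolation above only holds if the DROP rule sits above the ACCEPT rule in the FORWARD chain, which the listing guarantees by using `-I`. The following check, added here and not part of the original post, reads the output of `iptables -S FORWARD` and confirms that order; the two listings inside it are constructed samples for an assumed LAN of 192.168.1.0/24, and on a real router you would pipe the live chain in instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the WLAN->LAN DROP
# rule precedes the WLAN ACCEPT rule in the FORWARD chain. The page's rules use
# `iptables -I`, so the DROP (inserted later) ends up above the ACCEPT; the same
# rules added with -A silently break the isolation, which this check catches.

# check_isolation_order WLAN_BRIDGE LAN_CIDR < output-of-`iptables -S FORWARD`
# Returns 0 when "-i WLAN -d LAN ... -j DROP" precedes "-i WLAN ... --state NEW -j ACCEPT",
# 1 when the DROP is missing or placed after the ACCEPT.
check_isolation_order() {
  wlan="$1"; lan="$2"
  rules=$(cat)
  # Line numbers of the two rules; grep -F treats the CIDR literally
  drop=$(printf '%s\n' "$rules" | grep -nF -- "-i $wlan " | grep -F -- "-d $lan" \
         | grep -F -- "-j DROP" | cut -d: -f1 | head -n 1)
  accept=$(printf '%s\n' "$rules" | grep -nF -- "-i $wlan " \
           | grep -F -- "--state NEW -j ACCEPT" | cut -d: -f1 | head -n 1)
  [ -z "$drop" ] && { echo "missing WLAN->LAN DROP rule"; return 1; }
  [ -z "$accept" ] && { echo "missing WLAN ACCEPT rule"; return 1; }
  if [ "$drop" -lt "$accept" ]; then
    echo "ok: DROP at line $drop precedes ACCEPT at line $accept"
    return 0
  fi
  echo "misordered: ACCEPT at line $accept precedes DROP at line $drop"
  return 1
}

# Constructed sample: chain state after running the page's rules with -I
# (assumed LAN 192.168.1.0/24, WLAN bridge br1)
sample_correct() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
EOF
}

# Constructed sample: the same rules added with -A, so the ACCEPT is hit first
sample_appended() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP
EOF
}
```

On the router itself, run `iptables -S FORWARD | check_isolation_order br1 $(nvram get lan_ipaddr)/24` (adjusting the prefix length to your LAN netmask) after the firewall script has been applied.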