[lordslash]

Hi people, I am trying to setup a guest wlan which has access only to web (basically I want to block torrent).

I have a modem with IP 192.168.0.1 and a D-Link 615 running DD-WRT with IP 192.168.0.2 and acting as DHCP server

I followed this guide to enable multiple wlan: http://shitepod.co.uk/blog/2013/09/07/dd-wrt-multiple-wlan-set-up-on-a-dlink-dir-615/ and I set up my Virtual Interface as Unbridged: my modem is 192.168.0.1, the D-Link with DD-WRT is 192.168.0.2, so I set the IP address of the new WiFi to 192.168.2.1 and subnet mask is always 255.255.255.0
In the Networking section I created a Bridge between br1 and br0, where br1 is 192.168.2.1 and I assigned br1 to the ra1 interface.
I finally enabled Multiple DHCP on br1.

When I try to connect to the Guest WiFi I cannot obtain a valid IP address from the DHCP server Sad
I tried to add the following rules to iptables as suggested but nothing changed:
iptables -I FORWARD -i br1 -m state –state NEW -j ACCEPT
iptables -I FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu

Then I tried with this other guide: http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs where the idea is to set up the virtual interface as bridged. The rest of the guide seems to be the same as the other one except from the fact that the interface assigned to br1 is wl0.1 which i don't have as option (I only have eth2, vlan1, vlan2, ra0, ra1).
Still, when I try to connect I get no valid IP address..
Do you have an idea of what I am doing wrong?

Thanks for your help!!

[lordslash]

ok, I managed to get it work by setting the virtual interface as bridged and without assigning any bridge table or multiple DHCP server. Problem is that I get IP 192.168.0.100 instead of 192.168.2.XXX as I expected. Anyway I will try now to disable torrent only on this guest network and I will come back with updates..

[lordslash]

uhmm i think that if I don't get an IP network in a different range I cannot block P2P connections.. i found on this guide
http://blog.danjoannis.com/?p=1362
that in order to limit the number of TCP and UDP connection from a client says to add this to iptables:

#Block torrent and p2p
iptables -I FORWARD -p tcp -s 192.168.10.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.10.0/24 -m connlimit --connlimit-above 25 -j DROP

[lordslash]

UP!

Still trying to manage to separate the two networks without success
I realized that the key thing that allows me to get or not get an IP address is how the bridge is assigned. In most of the guides I found around they say to assign the bridge br1 to wl0.1 but as I mentioned before, I don't have wl0.1 on my list of interfaces. Another guide says to assign it to ra1 but I don't understand what is ra1 (and when I select ra1 then DHCP doesn't work anymore on my guest wlan).

Can someone help me understand the difference between ra1 and wl0.1? Thanks a lot for your support!

[lordslash]

I feel like I'm making a monologue or talking to myself on a mirror, but sometimes this helps more then expected
I read on the dd-wrt Multiple WLANs wiki:

[Zaf0d]

[Specimen]

You set the interface to unbridged and then you want to bridge it?

I'll be honest with you, I started reading and gave up, because in order to help you whoever is going to dig into this has to read both those links, quite a lot of work.

It would be simpler to go just step by step and just state exactly what you have done. iptables is advanced routing and you can't even set up a guest WLAN yet, dont' get ahead of yourself.

Before entering into unbridged WLANs and iptables, you should first just try to setup a Guest WLAN and make sure that works.

[lordslash]

You're right! Configuring a bridge as "unbridged" makes no sense, but that's what was written in the guide related to the DLink 615 and multiple WLAN