Separate LAN and WLAN (light)

From DD-WRT Wiki



Introduction

This is a 'light' version of Separate_LAN_and_WLAN, so if more detail is needed, refer there.

Device used

Buffalo WHR-HP-G300N (Atheros device: some menus may vary on Broadcom), build 27506 (07/09/15) std

Screenshots

[Five screenshots of the web GUI steps: SeparateWIFIfromLANv2_01.png, SeparateWIFIfromLANv2_02.png, SeparateWIFIfromLANv2_03.png, SeparateWIFIfromLANv2_04.png, SeparateWIFIfromLANv2_05.png; images not reproduced here]

Firewall Script

Finally, copy and paste this into the Administration -> Commands section, then click Save Firewall:

#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Allow br0 (LAN) access to br1 (WLAN)
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
#Block access from br1 (WIRELESS) to br0 (LAN)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
#NAT to make Internet work
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
#Deny access to local router services from Guest (240.x br1) network
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
#iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
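An added check that is not part of the wiki page: every rule above is inserted with `-I`, so the rule added last is evaluated first, and the isolation only holds because the br1->br0 DROP lands above the generic br1 ACCEPT. The POSIX sh function below reads `iptables -S FORWARD` output and confirms that ordering; the two rule listings it is fed are constructed samples (the first is what the script produces, the second is what you get if the same lines are typed with `-A`).

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki. Reads `iptables -S FORWARD` on
# stdin and returns 0 only when the br1->br0 DROP rule is evaluated before
# any "-i br1 ... -j ACCEPT" rule; otherwise guest clients can reach the LAN.
check_guest_isolation() {
    drop_pos=""
    accept_pos=""
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            "-A FORWARD -i br1 -o br0 "*"-j DROP")
                [ -n "$drop_pos" ] || drop_pos=$n ;;
            "-A FORWARD -i br1 "*"-j ACCEPT")
                [ -n "$accept_pos" ] || accept_pos=$n ;;
        esac
    done
    if [ -z "$drop_pos" ]; then
        echo "FAIL: no br1->br0 DROP rule in FORWARD"
        return 1
    fi
    if [ -n "$accept_pos" ] && [ "$accept_pos" -lt "$drop_pos" ]; then
        echo "FAIL: br1 ACCEPT (rule $accept_pos) is evaluated before DROP (rule $drop_pos)"
        return 1
    fi
    echo "OK: br1->br0 DROP is rule $drop_pos, ahead of any br1 ACCEPT"
    return 0
}

# Constructed listing: the chain after the -I script ran (reverse insertion order).
GOOD_RULES='-P FORWARD ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP
-A FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br1 -m state --state NEW -j ACCEPT'

# Constructed listing: same rules typed with -A, which leaves ACCEPT above DROP.
BAD_RULES='-P FORWARD ACCEPT
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP'

printf '%s\n' "$GOOD_RULES" | check_guest_isolation
```

On the router itself, run `iptables -S FORWARD | sh -c '. ./check.sh; check_guest_isolation'` (or paste the function into a Telnet/SSH session) after the firewall script has been saved and applied.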

References & Credits