Add Public Access Point (Separate from Private LAN)?

[ikecomp]

Hi All

Sorry if this is in the wrong section but I thought this was closely related to the article on adding an access point to an existing network. If this belongs elsewhere let me know.

So here's the skinny. I recently upgraded to the Asus RT-N56U from an older Linksys WRT54GL running DD-WRT (it served me well and is still kicking but it was time for the upgrade). At any rate, I have everything running buttery smooth with padavan's firmware on the Asus and the new speeds are nice. However, I want to take advantage of my old linksys to use it as a guest wireless access point.

This isn't hard to do as I've done this before with an old netgear router (configure ip address of old router out of dhcp range of new router, setup different/same ssid depending on needs, connect cable to lan port of old router so it can pull ip address from new router, etc) but my end game is slightly different.

I want the old linksys to be able to pull an internet connection from the Asus (via lan cable) however, I don't want wireless clients connected to the linksys to be able to see my private LAN hosted on the ASUS

I'm certain this is possible and I can do it if given some guidance but I'm not sure where to start. Is there some setting in the old ddwrt to bridge the wireless radio to a different ip address range for wireless clients but still have an internet connection?

Thanks for any help and let me know if I need to provide more information

 

[overdrive31]

Plug the cable coming from the ASUS into the WAN port of the WRT54GL, now be sure the LAN IP of the Linksys is not in the same subnet as the ASUS. If you went the wireless client bridge as WAN route using ddwrt, you would only have wired to share from it, without creating a wireless repeater in ddwrt which will reduce wireless bandwidth in half for clients connecting to it. Both solutions requires the LAN IP subnet of the Linksys to be different from the ASUS routers LAN IP subnet. For instance, if the ASUS is 192.168.1.1, you will want to set the Linksys up with a static WAN IP like 192.168.1.2 and for it's LAN IP to use something like 192.168.2.1

 

[ikecomp]

Plug the cable coming from the ASUS into the WAN port of the WRT54GL, now be sure the LAN IP of the Linksys is not in the same subnet as the ASUS. If you went the wireless client bridge as WAN route using ddwrt, you would only have wired to share from it, without creating a wireless repeater in ddwrt which will reduce wireless bandwidth in half for clients connecting to it. Both solutions requires the LAN IP subnet of the Linksys to be different from the ASUS routers LAN IP subnet. For instance, if the ASUS is 192.168.1.1, you will want to set the Linksys up with a static WAN IP like 192.168.1.2 and for it's LAN IP to use something like 192.168.2.1

Thanks for you response but I tried those and didn't much like those as viable options. Especially the repeater. However, I did find a way to accomplish this and it only cost me a good night's sleep

At any rate this is what I did:

1) Did 30-30-30 reset on my router to erase all previous settings.
2) Logged into the router connected via cable and updated the router IP to be 192.168.2.1 instead of the default 192.168.1.1 and left everything else on the basic settings as default.
3) After the router rebooted, I set up the wireless network (channel, SSID, encryption, etc) and applied the settings
4) Created a separate bridge named br1 for the Wireless connection (on my router the physical adapter is eth1 but may be different on yours. You will need to know this)
5) I gave this bridge (br1) an IP and subnet mask of 192.168.3.1/255.255.255.0
6) I also added a dhcp server for br1. You can find all the instructions for bridging the connection in the link below

http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN

7) Now for the most important part. I had to make sure that anyone connected to this wireless connection could see the internet but not see my main LAN so I had to update the firewall with these commands (also found in the guide above).

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

8) unplug the power from the router and then plug the network cable coming from your main router/switch into the WAN port of your secondary router (guest router).

9) Plug the power to the router back in and you should be able to join your new wireless network and have access to the internet but not any of the computers on your main lan. I verified this by trying to ping some of the static pc's on my home network and also tried connecting to some of their shares and none worked. Only the internet.

10)OPTIONAL BUT RECOMMENDED: If you plan to use this as a guest access router, you should set some quality of service for it so that guests can not hog all the bandwidth. I set uplink/downlink to be 1/3 the bandwidth of my main connection. I set this for 192.168.3.0/24 in the netmask section (this is the IP range for br1).

Next, I believe I will explore using this old router as multipupose. I plan to use it as an AP for older G devices in my home as well as creating a separate vlan for guest account access like what I did above. That way my new Asus can be used only for 2.4/5 ghz N devices and the linksys for G devices and guest access.

At any rate, hope this helps someone. In the meantime, I have much slumber to catch up on.

EDIT: Added some missing firewall commands