I'm currently running Merlin's 374.42 firmware on my N66U (which has been very stable for me) and really wanted to set up a guest network for my son's friends to use while visiting, but block them from accessing my intranet or modem UI, and to force DNS filtering for all guests.
I am definitely a novice when it comes to using iptables, but looked at a lot of posts (including http://forums.smallnetbuilder.com/showpost.php?p=98722&postcount=14 which was a lot of help, thanks sinshiva!) and came up with a configuration that seems to work. I'm sharing it here in case others are trying to do the same thing, plus I'd like others who understand this a lot better to check if I missed something. I don't want to have inadvertently opened a security hole. Everything seems to work as expected though.
My setup is a U-verse NVG589 modem (local address of 192.168.1.254) in IP passthrough mode while the N66U uses 192.168.2.0/24. First I configured a persistent guest network on 2.4 GHz as wl0.1. In the web UI I allow intranet access since I block it by using iptables commands instead. To separate the guest network I created a new bridge br1 using 192.168.3.1 and moved wl0.1 to it. Using iptables I then set up routing to the WAN, block access to br1 as well as the modem's subnet, and allow DHCP/DNS so dnsmasq can work properly. At this point the guest network uses the same DNS as everyone else, then the last two lines of the firewall-start script set up the filtered DNS.
/jffs/scripts/firewall-start (Note the first lines were added just to help with debugging.)
Code:
#!/bin/sh
# Debugging: append everything this script does to a log in /tmp
exec 1>>/tmp/firewall-start.log 2>&1
date
set -x
# Current WAN (eth0) address, used by the SNAT rule below
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
# Move the guest SSID wl0.1 out of the LAN bridge br0 into its own bridge br1
brctl delif br0 wl0.1
brctl addbr br1
brctl addif br1 wl0.1
ifconfig br1 192.168.3.1 netmask 255.255.255.0 broadcast 255.255.255.0 2>/dev/null || ifconfig br1 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255
# NAT guest traffic that leaves through the WAN interface
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
# -I inserts at the TOP of the chain, so the two DROP rules added after this
# ACCEPT end up in front of it and are evaluated first
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
# Guests may not open connections to the main LAN (br0) ...
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
# ... or to the modem's subnet on the WAN side
iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j DROP
# The only router services guests may reach: DHCP and DNS from dnsmasq
iptables -I INPUT -i br1 -p udp --dport bootps --sport bootpc -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport domain -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport domain -j ACCEPT
#Force all guests to use filtered DNS (Norton Children)
iptables -t nat -I PREROUTING -i br1 -p tcp --dport domain -j DNAT --to 199.85.126.30
iptables -t nat -I PREROUTING -i br1 -p udp --dport domain -j DNAT --to 199.85.126.30
Then I configure dnsmasq to serve addresses to br1.
/jffs/configs/dnsmasq.conf.add
Code:
# Also listen on the guest bridge
interface=br1
# Guest DHCP pool 192.168.3.2-192.168.3.254 with one-day leases
dhcp-range=br1,192.168.3.2,192.168.3.254,255.255.255.0,86400s
# DHCP option 3: guests get br1's address as their default gateway
dhcp-option=br1,3,192.168.3.1
So, is there something about this configuration I should be concerned about?
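One thing worth checking in a script like this is rule order: `iptables -I` inserts at position 1, so the three FORWARD lines end up in the reverse of the order they are written, which is what puts the two DROPs ahead of the blanket ACCEPT. The following added example (not from the post, and not real iptables) models that chain with the interfaces and subnets from the script, replays the same three rules with both `-I` and `-A`, and classifies constructed guest packets; the "FALLTHROUGH" verdict stands in for whatever the firmware's own rules would do and is an assumption of the model.

```python
import ipaddress

MODEM_NET = ipaddress.ip_network("192.168.1.0/24")  # NVG589 side, from the post

# The three FORWARD lines of the firewall-start script, in script order.
SCRIPT_RULES = [
    {"in": "br1", "state": "NEW", "target": "ACCEPT"},
    {"in": "br1", "out": "br0", "state": "NEW", "target": "DROP"},
    {"in": "br1", "dst": MODEM_NET, "state": "NEW", "target": "DROP"},
]


def build_chain(rules, insert=True):
    """Model 'iptables -I' (insert at position 1) versus 'iptables -A' (append)."""
    chain = []
    for rule in rules:
        if insert:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    if "in" in rule and pkt["in"] != rule["in"]:
        return False
    if "out" in rule and pkt["out"] != rule["out"]:
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if "state" in rule and pkt["state"] != rule["state"]:
        return False
    return True


def verdict(chain, pkt):
    """First matching rule wins; unmatched packets fall through (assumed: firmware rules)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return "FALLTHROUGH"


# Constructed test packets: a guest on br1 opening new connections.
GUEST_TO_LAN = {"in": "br1", "out": "br0", "dst": "192.168.2.10", "state": "NEW"}
GUEST_TO_MODEM = {"in": "br1", "out": "eth0", "dst": "192.168.1.254", "state": "NEW"}
GUEST_TO_INTERNET = {"in": "br1", "out": "eth0", "dst": "203.0.113.5", "state": "NEW"}
PACKETS = (GUEST_TO_LAN, GUEST_TO_MODEM, GUEST_TO_INTERNET)

if __name__ == "__main__":
    for flag, insert in (("-I", True), ("-A", False)):
        print(flag, [verdict(build_chain(SCRIPT_RULES, insert), p) for p in PACKETS])
```

With `-I` the guest-to-LAN and guest-to-modem packets are dropped and only the Internet-bound one is accepted; had the same lines used `-A`, the ACCEPT would sit first and all three would be accepted.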