Hi All,
I have an NVR with a LAN interface, and 2 IP cameras which use WiFi. I don't want them to access my private network, so I used to create a VLAN with guest WiFi and a single LAN port under OpenWrt routers.
Sadly the old router was dead so I bought an R7000 and flashed it with Merlin.
Can someone teach me how to do so? I tried it for a long time but no luck.. maybe I am too new to networking.
Objective:
Port 1 and wl0.1 under VLAN 10
This VLAN 10 has its own DHCP server, gateway 192.168.10.1
VLAN10's members can see each other but cannot access VLAN1 (my home LAN)
I tried the below, can someone help to modify it..
Do the below at startup
Code:
WAN0_IFNAME=`nvram get wan0_ifname`
# Add vlan 10 to WAN0
vconfig add $WAN0_IFNAME 10
# Assign port 1,8 to vlan10, with port 8 tagged
robocfg vlan 1 ports "2 3 4 8t"
robocfg vlan 10 ports "1 8t"
ifconfig vlan10 up
# Remove guest wlan from br0 and assign it to br1, assign gateway IP
brctl delif br0 wl0.1
brctl addbr br1
brctl addif br1 vlan10 wl0.1
ifconfig br1 192.168.10.1 netmask 255.255.255.0 broadcast 192.168.10.255
# Drop any new connections from guest wifi to the router
iptables -I INPUT -i br1 -m state --state NEW -j DROP
# Allow guest wifi to access DHCP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
# Allow guest wifi to access DNS
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
# Set appropriate firewall rules for new br1
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
nvram set lan_ifname="br0"
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan1_ifname="br1"
nvram set lan_ifnames="wl0.1"
killall eapd
eapd
And use
/jffs/scripts/dnsmasq.postconf to do the DHCP part..
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
logger "dnsmasq-dhcp: Configure br1 to have special DHCP"
#iptables -D INPUT -i br1 -j ACCEPT
#iptables -I INPUT -i br1 -j ACCEPT
ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP
ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP
pc_append "
log-dhcp
interface=br1
dhcp-range=br1,192.168.10.150,192.168.10.240,255.255.255.0,86400s
dhcp-option=br1,3,192.168.10.1
dhcp-option=br1,6,8.8.8.8,8.8.4.4
" /tmp/etc/dnsmasq.conf
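Added example, not part of the original post: a small shell model of how the three `iptables -I FORWARD` lines in the startup script end up ordered, and which rule a new connection hits first. It calls no real iptables; the `in:out:verdict` rule format, the helper names and the `wan` interface label are constructed for illustration, and only NEW-state matching is modeled.

```shell
#!/bin/sh
# Constructed model of the FORWARD chain; no real iptables is called.
# A rule is "in:out:verdict" and matches NEW packets only; "any" is a wildcard.
FORWARD=""

ipt_insert() { FORWARD="$1${FORWARD:+ $FORWARD}"; }   # iptables -I: goes to position 1
ipt_append() { FORWARD="${FORWARD:+$FORWARD }$1"; }   # iptables -A: goes to the end

# Load the post's three FORWARD rules, in script order, with the given add function.
load_rules() {
    FORWARD=""
    "$1" "br1:any:ACCEPT"
    "$1" "br1:br0:DROP"
    "$1" "br0:br1:DROP"
}

# Print the verdict of the first rule matching a NEW packet, else the policy.
forward_verdict() {
    in_if=$1; out_if=$2; policy=${3:-DROP}
    for rule in $FORWARD; do
        r_in=${rule%%:*}; rest=${rule#*:}
        r_out=${rest%%:*}; r_verdict=${rest#*:}
        [ "$r_in" = "any" ] || [ "$r_in" = "$in_if" ] || continue
        [ "$r_out" = "any" ] || [ "$r_out" = "$out_if" ] || continue
        echo "$r_verdict"
        return 0
    done
    echo "$policy"
}

load_rules ipt_insert
echo "effective order with -I: $FORWARD"
echo "br1 -> br0: $(forward_verdict br1 br0)"
echo "br0 -> br1: $(forward_verdict br0 br1)"
echo "br1 -> wan: $(forward_verdict br1 wan)"
load_rules ipt_append
echo "br1 -> br0 if the same lines used -A: $(forward_verdict br1 br0)"
```

Because `-I` puts each rule at the top, the two inter-bridge DROP rules end up above the broad br1 ACCEPT; the same three lines written with `-A` would let the ACCEPT match first and br1 would reach br0.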