Contents
1 Introduction
2 Preparation
3 Configuration
3.1 Step 1: Remove the Wireless Interface from the LAN bridge
3.2 Step 2: Add DHCP for the unbridged WLAN interface
3.3 Step 3: Controlling Access
4 References
Introduction
This guide explains how to separate the wireless interface from the "LAN&WLAN" bridge so that they are on different subnets. You are then able to control communication between the interfaces using iptables commands. If your router is configured as a Wireless Access Point (WAN is disabled) then you must be sure to set the gateway and local DNS as recommended in the WAP guide. This also applies to WDS client nodes (but not the main WDS node) which are bridged to another router that does routing for them. Keep your eye out for the places this guide gives alternative instructions for WAP's.
Note: If you're separating virtual interfaces then use the instructions from the Multiple WLAN Guide.
Preparation
Go to the Administration -> Commands page, insert the command below, and press the Run Commands button to find out the actual name of your wl0 interface. If you have a wl1 interface that you want to unbridge then change the command accordingly.
nvram get wl0_ifname
Before beginning, read Bug 1853 (http://svn.dd-wrt.com/ticket/1853) about a minor bug with bridge creation and a haphazard fix to the bug that was introduced in changeset 16181. This guide will NOT be changed to reflect the bridge creation changes until recommended builds are affected by the change.
Configuration
Step 1: Remove the Wireless Interface from the LAN bridge
1. Navigate to the Setup -> Networking page.
2. Press the Add button in the Create Bridge section.
3. Type "br1" into the blank input box that is on the left side of all the options that just appeared.
4. Press the Apply Settings button at the bottom of the page and new input boxes will appear.
5. Set an IP Address that is in an unused subnet, e.g. 192.168.2.1
6. Set the Subnet Mask to 255.255.255.0
7. Press the Apply Settings button again so that the IP address will be assigned to the br1 interface before you continue.

1. Press the Add button in the Assign to Bridge section.
2. Select br1 in the left drop down menu that appeared and in the middle menu select the name of your wireless interface that you discovered during the preparation.
3. Press the Apply Settings button and the wireless interface will now be moved from br0 to br1.
Note: The picture below displays a virtual wireless interface being assigned to br1 instead of the physical interface. Be sure to assign your physical interface as instructed already.
Step 2: Add DHCP for the unbridged WLAN interface
If DHCP is disabled on your main LAN in Basic Setup, then the Multiple DHCP method above will not work. Instead you will need to use Additional DNSMasq Options. Go to the Services tab and find the DNSMasq section. Make sure that DNSMasq is Enabled. Adjust the following options to fit your environment (omit the comment lines starting with '#') and add them to the Additional DNSMasq Options text area.
# Enables DHCP on br1
interface=br1
# Set the default gateway for br1 clients
dhcp-option=br1,3,192.168.2.1
# Set the DHCP range and default lease time of 24 hours for br1 clients
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
If you would like to use different DNS servers for the VAP then you can use this DNSMasq option regardless of which DHCP configuration method you used.
dhcp-option=br1,6,[DNS IP 1],[DNS IP 2]
You should now be able to connect to the unbridged wireless interface and receive a DHCP lease with an IP address that is in the 192.168.2.0/24 subnet. Make sure that you can connect to it, receive a DHCP lease, and connect to the router's 192.168.2.1 address before you do anything further. If your WAN port is active (ie. you're not making a WAP) then you should also be able to browse the internet. If you are making a WAP then you must either use the iptables commands for WAP's in the next section, or create routes throughout your network.
Step 3: Controlling Access
Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Restrict br1 from accessing the WAN port (no internet access!)
iptables -I FORWARD -i br1 -o `get_wanface` -j DROP
Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAPs)
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
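A check for the rule order that the Step 3 commands produce, as an added example that is not part of the original guide: every command uses `-I`, so each rule lands at the top of its chain, and a br1 DROP rule only wins if it was entered after the broad br1 ACCEPT. The function names, the `iptables -S`-style listing format and the 192.168.1.0/24 LAN subnet are assumptions, and both sample listings are constructed.

```shell
#!/bin/sh
# Added example: verify FORWARD rule order for the unbridged br1 interface.
# Input format is an assumption: one rule per line, as in `iptables -S FORWARD`.

# Prints "ok", "accept-first" or "missing-drop" for the LAN subnet given as $1.
check_br1_isolation() {
    awk -v lan="$1" '
        $1 != "-A" || $2 != "FORWARD" { next }
        {
            n++; inif = ""; dst = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") inif = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (inif != "br1") next
            # First DROP that covers br1 -> LAN subnet
            if (target == "DROP" && dst == lan && !drop) drop = n
            # First br1 ACCEPT with no destination restriction
            if (target == "ACCEPT" && dst == "" && !accept) accept = n
        }
        END {
            if (!drop) print "missing-drop"
            else if (accept && accept < drop) print "accept-first"
            else print "ok"
        }'
}

# Constructed listing: ACCEPT entered first, DROP second (order used in the guide).
sample_good() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
EOF
}

# Constructed listing: same rules entered in the opposite order.
sample_bad() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP
EOF
}

sample_good | check_br1_isolation 192.168.1.0/24   # ok
sample_bad  | check_br1_isolation 192.168.1.0/24   # accept-first
```
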
References
V24: WLAN separate from LAN, with independent DHCP - A similar guide
WLAN separate from LAN, with independent dhcp, etc - Command line method (old)
Multiple WLANs - For unbridging virtual wireless interfaces

Retrieved from "http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN"
This page was last modified 16:50, 18 August 2012.