Prevent clients of a wireless access point from accessing the main network












I have a network and a WAP connected to that main network. The WAP is a Buffalo WZR-HP-AG300H running DD-WRT, serving DHCP on a different subnet than the main. What I would like to have is a setup in which clients of the WAP cannot access the main network, while still allowing traffic to and from the internet (via the main network). Is this possible?



Here is a diagram of the current network structure:

            Internet
               |
             Modem
               |
             Switch
            /      \
         AP1       AP2 (forwards to a new subnet)


If you can't tell from the diagram, AP 1 just acts as a WiFi forwarding device, but AP 2 acts as the base of a new network. What I'm trying to do is block the nets from communication, but still allow for an internet connection.



Also, for iptables commands, the two subnets are 192.168.0.0/24 and 192.168.11.0/24.
NOTE: I don't own the network. I'm just making a private network, so that if something within gets hacked, it can't reach main, and so everything outside of the subnet is safe.
NOTE 2: I have a Netgear ProSafe Plus connected to the WAN port so I can control traffic outside of the router, to solve that problem.










Tags: networking, wireless-networking, router, dd-wrt, subnet






asked Jan 27 at 22:32 by Menotdan
edited Jan 29 at 13:05 by Menotdan

  • You can do this in dd-wrt, but you will have to use the CLI to make an access control list with IPtables. You will need to provide more information about your network and subnets for anyone to give you a reasonable answer.
    – Tim_Stewart, Jan 28 at 1:16

  • @Tim_Stewart I've gone and added a diagram and some more info.
    – Menotdan, Jan 28 at 12:24

  • Which of these devices are acting as NAT gateways? It sounds like your "modem" is really a NAT gateway router with integrated modem functionality, and it sounds like AP2 is also a NAT gateway, correct?
    – Spiff, Jan 29 at 0:02

  • @Spiff I'm not sure. I'm not the owner, my dad is. I just have the Buffalo and have it set up as the base of a new subnet, where then, I can forward my web server and whatnot to the internet, and if it gets hacked, it can't reach my dad's network. Although I know the AP2 hands out DHCP (because I configured it), so it may have Network Address Translation on.
    – Menotdan, Jan 29 at 0:21

  • The WZR-HP-AG300H is a router with a wireless AP. But if that is all that you have control of, then no, it is not possible. You cannot control the flow of data beyond the WAN port. If you had access to the switch you could set up a VLAN and that would separate AP1 traffic from AP2 traffic. Somewhere beyond the switch there must be another device that also performs routing and if you had access to that, you could separate the traffic. But if all you can do is control AP2 then there is nothing you can do to control the flow of data once it leaves that device.
    – Larryc, Jan 29 at 8:05














1 Answer






I have solved the issue with the following firewall:

    # logdrop and logaccept are DD-WRT's built-in logging chains.
    # -I inserts at the top of FORWARD, so the second command ends up above the
    # first: forwarded traffic to the main router 192.168.0.1 is accepted before
    # the rule that drops everything else destined for 192.168.0.0/24.
    iptables -I FORWARD -d 192.168.0.0/24 -j logdrop
    iptables -I FORWARD -d 192.168.0.1 -j logaccept

I can access the router, but I can't access any other computers in the network. I'm also going to disable ping requests to the router so it's harder to tell that the network is there.






answered Jan 29 at 18:07 by Menotdan
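To see why the order of the answer's two `-I` commands matters, here is an added simulator (my own example, not code from the post or from DD-WRT) that replays iptables commands against an in-memory FORWARD chain and reports which rule a destination hits. The hosts 192.168.0.50 and 203.0.113.10 are constructed test addresses, and only the `-I`/`-A`, `-d` and `-j` options the answer uses are modelled.

```python
import ipaddress
import shlex

# Constructed input: the two commands from the answer, in the order they were run.
ANSWER_RULES = [
    "iptables -I FORWARD -d 192.168.0.0/24 -j logdrop",
    "iptables -I FORWARD -d 192.168.0.1 -j logaccept",
]

# Constructed test destinations (hypothetical hosts, not from the post):
# the main router, another host on the main LAN, and an internet address.
GATEWAY, LAN_HOST, INTERNET_HOST = "192.168.0.1", "192.168.0.50", "203.0.113.10"


def build_chain(commands):
    """Replay iptables commands against an in-memory FORWARD chain.

    Only what the answer uses is modelled: -I (insert at rule 1) or -A
    (append), a -d destination match and a -j target.
    """
    chain = []
    for cmd in commands:
        argv = shlex.split(cmd)
        if argv[:1] != ["iptables"] or len(argv) < 7 or argv[2] != "FORWARD":
            raise ValueError(f"unsupported command: {cmd}")
        mode = argv[1]
        opts = dict(zip(argv[3::2], argv[4::2]))
        rule = {"dst": ipaddress.ip_network(opts["-d"]), "target": opts["-j"]}
        if mode == "-I":
            chain.insert(0, rule)  # -I with no position puts the rule first
        elif mode == "-A":
            chain.append(rule)
        else:
            raise ValueError(f"unsupported mode {mode!r} in: {cmd}")
    return chain


def forward_verdict(chain, dst_ip):
    """Target of the first matching rule, or None when the packet falls
    through to the rest of DD-WRT's FORWARD chain (normal internet NAT).

    The answer matches on destination only; that is enough here because
    everything the WAP forwards comes from its own 192.168.11.0/24 clients.
    """
    addr = ipaddress.ip_address(dst_ip)
    for rule in chain:
        if addr in rule["dst"]:
            return rule["target"]
    return None


def isolation_report(commands):
    """Verdict for each constructed destination under the given rule set."""
    chain = build_chain(commands)
    hosts = (GATEWAY, LAN_HOST, INTERNET_HOST)
    return {ip: forward_verdict(chain, ip) for ip in hosts}


if __name__ == "__main__":
    print("as posted (-I):", isolation_report(ANSWER_RULES))
    # Same two rules with -A: the /24 drop is now evaluated first, so the
    # main router's own address (the answer's "I can access the router")
    # is dropped as well; internet destinations are unaffected either way.
    appended = [c.replace("-I FORWARD", "-A FORWARD") for c in ANSWER_RULES]
    print("same rules with -A:", isolation_report(appended))
```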
