#StackBounty: #networking #router #dd-wrt Block all WAN access on Wi-Fi interface using DD-WRT

I have a DD-WRT router with two Wi-Fi interfaces (ath0, ath1). I want everything that’s on ath0 to not have any kind of WAN access. Only LAN (to and from the device).

How would I do this in the easiest and most robust manner?

Before, I tried this using ath1 as well by adding a virtual AP, a new bridge for the AP and some advanced routing and firewall settings. This was overly complicated though, and I figured it should be a lot easier to just use my (unused anyway) ath0 (5GHz) interface for this purpose.

I am using OpenVPN as a client, which makes things a bit more complicated. When using the iptables firewall with the old approach I would always have to manually reset the firewall settings, because due to the VPN a file in /etc/ overwrites my rules (-I at the top), allowing everything WAN access as long as it’s over the VPN. Because of SquashFS I couldn’t find a way to prevent that, and always having to manually overwrite it after saving settings/rebooting the router isn’t so nice. Also I’m not sure if it won’t overwrite it again later.

I don’t want ath0 to have VPN access either. I can’t use iptables with a source IP because it should be for all clients on that SSID/interface and as soon as they connect, so I won’t really know an IP in advance.

I’ve tried looking this up but I couldn’t find anything that’d work for my case except for the overly advanced virtual AP/bridge solution.
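As an added example (not part of the original question, and not DD-WRT's own scripting), here is one way to do the isolation per interface rather than per client IP, which is what the question asks for. It assumes the usual DD-WRT layout where the radio `ath0` is a port of the LAN bridge `br0`, that the kernel passes bridged traffic through iptables (bridge netfilter) so the `physdev` match can see which bridge port a packet came in on, and that the script is saved as the DD-WRT firewall script (Administration > Commands) so it is re-applied whenever the firewall is restarted. `ISOLATE_ath0` is a chain name chosen here; any name works.

```shell
#!/bin/sh
# Added example: keep clients of one bridged Wi-Fi interface LAN-only on a
# DD-WRT router, using the iptables physdev match in the mangle table.
#
# Assumptions (adjust to your build):
#   WLAN=ath0  - bridge port whose clients must not reach WAN or VPN
#   LAN=br0    - LAN bridge that ath0 is a member of
#   bridge netfilter is enabled, so --physdev-in matches bridge ports.
#
# Why the mangle table: mangle FORWARD is traversed before filter FORWARD,
# so rules that the OpenVPN client script inserts at the top of filter
# FORWARD cannot override this DROP. "! -o br0" drops everything that is
# routed out of the LAN bridge (WAN interface, tun/tap of the VPN, anything
# else) while bridged LAN-to-LAN traffic (-o br0) and traffic to the router
# itself (INPUT chain: DHCP, DNS, web UI) are unaffected.

WLAN="${WLAN:-ath0}"
LAN="${LAN:-br0}"
IPT="${IPT:-iptables}"

# Emit the rule set, one command per line. Kept separate from execution so
# the rules can be reviewed (or checked by a test) without root or iptables.
# Re-running is safe: the chain is flushed and the jump re-inserted at the
# top, so a firewall restart never stacks duplicate rules.
isolation_rules() {
    w="$1"; l="$2"; chain="ISOLATE_$w"
    cat <<EOF
$IPT -t mangle -N $chain 2>/dev/null || true
$IPT -t mangle -F $chain
$IPT -t mangle -D FORWARD -j $chain 2>/dev/null || true
$IPT -t mangle -I FORWARD 1 -j $chain
$IPT -t mangle -A $chain -m physdev --physdev-in $w ! -o $l -j DROP
EOF
}

# Execute the generated rules on the router.
apply_isolation() {
    isolation_rules "$WLAN" "$LAN" | sh
}

# Show the chain with packet counters; a DROP counter that stays at zero
# while an ath0 client tries to reach the Internet means physdev is not
# matching (bridge netfilter off) and another approach is needed.
verify_isolation() {
    $IPT -t mangle -L "ISOLATE_$WLAN" -v -n
}

# On the router (root, iptables present) apply the rules; elsewhere just
# print what would be applied so the script can be inspected safely.
if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    apply_isolation
else
    echo "# not root or no iptables here; rules that would be applied:" >&2
    isolation_rules "$WLAN" "$LAN"
fi
```

After saving this as the firewall script, reconnect the VPN or reboot and run `iptables -t mangle -L ISOLATE_ath0 -v -n`: the DROP rule's counters should climb when an ath0 client tries to reach the Internet, and LAN hosts should remain reachable. If the counters stay at zero, bridge netfilter is off on that build and the physdev match never sees the bridge port; in that case the rule has to move to ebtables or to the separate-bridge setup the question describes. The mangle-table placement only protects against rules inserted into the filter table; a script that flushes the mangle table would still need the firewall script to be re-run, which DD-WRT does on every firewall restart.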

