Firewall to protect my Hotspot with DD-wrt Access point

tombee79 · January 8, 2013, 10:26am

HI

I have configure a hotspot on my 750G MT box. I have the following configuration
Port 1: Is my WAN connection to internet ( ISP )
Port 2 and 3 : Are used for my casual internet browsing network : 192.168.88.1/24
Port 4: Has network 192.168.77.1/24
Port 5: Has network 192.168.66.1/24 with 4 VLANS: Vlan4 with ID: 4, VLan3 with ID:3, and Vlan5 with ID:5.

The hotspot is configured on Vlan5. I used thin AP with DD-wrt ( asus ap ). I only use the radios from the access point nothing else. Everything is done on MT box. The MT box and the DD-wrt AP is connected with the Vlan5, which is bridged with Virtal access point SSID. OK?
You follow me?

Everything work great, no issues what so ever. My problem is that once the users sign in to the hotspot, they can PING, traceroute, do all crazy thing if they know how to hurt my inside network or desktop, i have server to etc. so how to disallow users to “run” thru my network subnets and, How to BLOCK THAT, so they can only go to internet and do whatever they want and they can not “touch” my internal network devices. including the dd-wrt router itself?

I had put some firewall to the dd-wrt router but they seem not doing anything i assume that the router is just bridged or something else.
Here is the firewall rules i put into the dd-wrt router.

\

pockets created from clients in the brige 4, br4, that are a in transit to other destinations,

iptables -I FORWARD -i br4 -p tcp -d 192.168.0.0/16 -mac ! --mac-source xx:xx:xx:xx:xx:xx -j logreject --reject-with tcp-reset
iptables -I FORWARD -i br4 -p tcp -d 10.0.0.0/8 -mac ! --mac-source xx:xx:xx:xx:xx:xx -j logreject --reject-with tcp-reset

iptables -I FORWARD -i br4 -p icmp -d 192.168.0.0/16 -mac ! --mac-source xx:xx:xx:xx:xx:xx -j logreject --reject-with tcp-reset
iptables -I FORWARD -i br4 -p icmp -d 10.0.0.0/8 -mac ! --mac-source xx:xx:xx:xx:xx:xx -j logreject --reject-with tcp-reset

\

pockets that are origineted from clients in the brige4 and directly pointed at the router itself.

iptables -I INPUT -i br4 -p tcp -d 192.168.0.0/16 -mac ! --mac-source xx:xx:xx:xx:xx:xx -j logreject --reject-with tcp-reset
iptables -I INPUT -i br4 -p tcp -d 10.0.0.0/8 -mac ! --mac-source xx:xx:xx:xx:xx:xx -j logreject --reject-with tcp-reset

iptables -I INPUT -i br4 -p icmp -d 192.168.0.0/16 -mac ! --mac-source xx:xx:xx:xx:xx:xx -j logreject --reject-with tcp-reset
iptables -I INPUT -i br4 -p icmp -d 10.0.0.0/8 -mac ! --mac-source xx:xx:xx:xx:xx:xx -j logreject --reject-with tcp-reset

xx:xx:xx:xx:xx:xx – is my laptop, I want to be able to access everything on my inside LAN with My laptop MAC : xx:xx:xx:xx:xx:xx address, if it is not my laptop block it.

Any ideal why this is not working?

thx