Thread: DD-WRT - restricting access between main/guest networks
Jul 1st, 2012 11:34 AM
#1
DD-WRT - restricting access between main/guest networks
Hey guys. I need some clarification from the following guide under the "Restricting Access" section:
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
I am just playing around with DD-WRT router to set up a guest network that is separate from the main network. I just entered the following commands from the full list below:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
I don't understand why I need the other commands. For example: "Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)". What the heck does this mean? Could you guys please provide more details as to what each command does (as in, elaborate on the "#" descriptions)? I'm having trouble understanding the purpose of each command based on the brief descriptions. My network knowledge is not really the best. Thanks.
#Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
#Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Restrict br1 from accessing br0 (do not use on WAP's)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
#Restrict br0 from accessing br1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
#Restrict br1 from accessing the WAN port (no internet access!)
iptables -I FORWARD -i br1 -o `get_wanface` -j DROP
#Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
#Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
Jul 2nd, 2012 01:53 AM
#2
I think the guest network can't connect to other devices on the private network but it works vice-versa.
I'm probably wrong.
Jul 2nd, 2012 02:37 AM
#3
These commands set up the routing rules, i.e. whenever a packet comes, the router has to decide what to do with it, e.g. ACCEPT or DROP (-j parameter). In order to decide, it can use all kinds of information, i.e. the source/destination interfaces (-i, -o parameters), ports (--dport parameter), protocol (-p parameter).
For example, if you want to eliminate any communication between br0 and br1, you use:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
If you want to stop br1 from accessing the internet (WAN interface), you use the following. Note: `get_wanface` simply gets substituted with the actual WAN interface.
#Restrict br1 from accessing the WAN port (no internet access!)
iptables -I FORWARD -i br1 -o `get_wanface` -j DROP
Here `nvram get wan_ipaddr`/`nvram get wan_netmask` becomes the external IP with the subnet. I assume that here the subnet filtering would be useful if WAN is another private network (not directly internet) and you want to protect it from the guests.
#Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
I don't have much experience either, so I might be wrong here. For more information read the man page http://linux.die.net/man/8/iptables
Last edited by xalex0; Jul 2nd, 2012 at 02:40 AM.
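One way to see what these rules actually decide, as an added example that is not part of the thread or the DD-WRT wiki: a small Python model of first-match evaluation in the FORWARD chain, using the same -i/-o/-d/--state/-j fields as the posts. Interface name eth0 and the 203.0.113.0/24 WAN subnet are constructed placeholders; the model also shows that `iptables -I` prepends, so the order the commands are typed in decides which rule wins.

```python
# Added example (not from the thread or the DD-WRT wiki): a small model of how
# the FORWARD chain evaluates the guest-isolation rules.  Rule fields mirror the
# flags used in the posts (-i, -o, -d, --state, -j).  Addresses/WAN name are constructed.
import ipaddress

WAN_IF = "eth0"                                      # stands in for `get_wanface`
WAN_NET = ipaddress.ip_network("203.0.113.0/24")     # wan_ipaddr/wan_netmask (constructed)

def rule(in_if=None, out_if=None, dst=None, state=None, target="DROP"):
    return {"i": in_if, "o": out_if, "d": dst, "state": state, "j": target}

def build_chain(commands):
    """`iptables -I CHAIN` inserts at position 1, so the last command run is checked first."""
    chain = []
    for r in commands:
        chain.insert(0, r)
    return chain

def matches(r, pkt):
    return ((r["i"] is None or r["i"] == pkt["in"])
            and (r["o"] is None or r["o"] == pkt["out"])
            and (r["d"] is None or ipaddress.ip_address(pkt["dst"]) in r["d"])
            and (r["state"] is None or r["state"] == pkt["state"]))

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in chain:
        if matches(r, pkt):
            return r["j"]
    return policy

def pkt(in_if, out_if, dst, state="NEW"):
    return {"in": in_if, "out": out_if, "dst": dst, "state": state}

# Rules entered in the order the wiki lists them: allow br1 everywhere, then
# isolate br1 and br0 from each other, then keep br1 off the WAN subnet.
GUEST_CHAIN = build_chain([
    rule(in_if="br1", state="NEW", target="ACCEPT"),
    rule(in_if="br1", out_if="br0", state="NEW"),
    rule(in_if="br0", out_if="br1", state="NEW"),
    rule(in_if="br1", dst=WAN_NET, state="NEW"),
])

# Same rules typed in the opposite order: the ACCEPT ends up on top and the
# DROP rule below it is never reached.
WRONG_ORDER_CHAIN = build_chain([
    rule(in_if="br1", out_if="br0", state="NEW"),
    rule(in_if="br1", state="NEW", target="ACCEPT"),
])
```

Replies to connections already allowed (state ESTABLISHED) match none of the `--state NEW` rules and fall through to the chain policy, which is why guests keep working internet access while new connections into br0 are dropped.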
Jul 2nd, 2012 05:08 PM
#4
Wow, smart guys with the iptables. I'm surprised.
Now, how do I set dd-wrt (on a wrt54gl) up so that if I use a certain virtual access point, it VLAN-tags all the packets with a VLAN ID of, say, 9 and dumps 'em onto my network?
Jul 2nd, 2012 10:25 PM
#5
Originally Posted by Mark77: Now, how do I set dd-wrt (on a wrt54gl) up so that if I use a certain virtual access point, it VLAN-tags all the packets with a VLAN ID of, say, 9 and dumps 'em onto my network?
Create an interface for the VLAN with the required tag and then set iptables to forward only packets between the VAP and VLAN interfaces?
Last edited by xalex0; Jul 2nd, 2012 at 10:28 PM.