networking - no internet access on guest SSID on netgear WNR2000 router

07
2014-07
  • b10hazard

    I have a WNR2000v2 Netgear router that I want to put on our company's network. My boss wanted me to set up two SSIDs, one is for guests and the other is for employees. He wanted the guest wireless account configured for internet access ONLY, which means that any guests connected to this SSID should not be able to see any company computers.

    I've never configured a router this way so I did some research and found out that since my company's network already has a DHCP server and a gateway that I have to disable DHCP on the router and plug the ethernet cable connected to my gateway into one of the LAN ports, NOT the WAN port. I did this and entered the IP addresses of my company's gateway, DHCP servers, and DNS servers. Then I set up the two SSIDs and I restarted the router. First, I connected to the Non-Guest SSID, it connected without a problem and gave my computer a company IP address (10...132, not a 192.168.1.** address) and I had internet access. I took this as a good sign because it tells me that my company's DHCP server is assigning the IP address, not the router. Then I tried connecting to the Guest SSID. I was able to connect to the SSID and it gave me a company IP address, but I was not able to get internet access.

    Since I've never set up a guest wifi SSID like this before I'm not sure where to go from here. Is what I'm trying to do possible with this router? I would like to set it up so that computers connected to the guest SSID can access the internet. Any help would be much appreciated. Thanks.

  • Answers
  • Will.Beninger

    Alright your problem can be broken down into two main things here.

    1. You need clients to have company access on a secure SSID
    2. You need guests to only have internet access on an open SSID

    Now, for the first problem, you need to set up the router so that all DHCP requests are forwarded to your DHCP server. These clients need to behave as if they were plugged into the network. Your DHCP server must be involved because they are usually interfaced with AD & DNS. It sounds like you've already managed to do this. This should be placed on your company VLAN so the traffic is treated as such.

    For your second problem, these clients should behave as if they originated in a DMZ (De-Militarized Zone). They should have no company access, and should only be able to access the internet exterior to your network. Typical implementations would have you create a separate VLAN for these clients so their DHCP requests are responded to ONLY by a DHCP server that handles this type of thing. If you already have a DMZ DHCP server then set it up to listen to that VLAN (if you have a webserver it can sometimes be serviced by this). If you have only one DHCP server that handles both, you need to make sure it can differentiate and assign addresses to that VLAN and that all traffic is routed/switched through this DMZ with no access to the company VLAN.

    I know this may look complicated, but these are the necessary steps to have the traffic entirely differentiated from each other.

  • Scott Chamberlain

    I just ran into this exact same issue with the same router.

    What causes this to happen is even though you have guest isolation it still uses the internal network's DHCP server to assign IPs.

    So far, so good.

    The problem is the DNS server your internal DHCP server is assigning to new clients is likely some computer in your internal LAN and not a computer beyond the gateway. You likely have a DNS server running on the network; that DNS server will then forward the request on to your ISP's DNS server if the request is not for an internal name for your LAN.

    And that is where the problem lies!

    Due to the guest isolation your wireless guests are attempting to talk to your DNS server on your LAN to resolve addresses when browsing the internet, however you told the router not to allow any wireless guests to talk to any IP on the internal LAN!


    I have no idea how to fix it, but if I come up with something I will come back and update this post.
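
The failure mode described in the answers above, as an added example that is not part of any post: a Python check that audits the DHCP lease a guest-SSID client received and flags the resolvers that guest isolation will block. The addresses, the `audit_guest_lease` name and the isolation model (guests may reach no internal address except those listed as exempt) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data, not taken from the thread.
CORP_NET = "172.16.5.0/24"
# Lease a guest gets when the company DHCP server answers (the situation in the question).
LEASE_FROM_CORP_DHCP = {"ip": "172.16.5.87", "gateway": "172.16.5.1",
                        "dns": ["172.16.5.10", "172.16.5.11"]}
# Lease from a dedicated guest scope with an external resolver (documentation address).
LEASE_FROM_GUEST_SCOPE = {"ip": "192.168.50.23", "gateway": "192.168.50.1",
                          "dns": ["192.0.2.53"]}


def audit_guest_lease(lease, corp_net, isolation_exempt=()):
    """Return a list of findings for a lease handed to a guest-SSID client.

    lease            -- dict with 'ip', 'gateway' and 'dns' (list of strings)
    corp_net         -- internal LAN in CIDR notation
    isolation_exempt -- internal addresses guests may still reach
                        (assumption: usually only the default gateway)
    """
    net = ipaddress.ip_network(corp_net)
    exempt = {ipaddress.ip_address(a) for a in isolation_exempt}
    findings = []

    # A guest addressed from the internal range is separated from company
    # hosts only by the access point's isolation setting, not by routing.
    if ipaddress.ip_address(lease["ip"]) in net:
        findings.append("guest-in-corp-subnet")

    # Resolvers inside the internal LAN are unreachable once isolation is on,
    # so name lookups fail even though the path to the internet is open.
    blocked = [d for d in lease["dns"]
               if ipaddress.ip_address(d) in net
               and ipaddress.ip_address(d) not in exempt]
    if blocked:
        findings.append("dns-blocked-by-isolation:" + ",".join(blocked))
        if len(blocked) == len(lease["dns"]):
            findings.append("no-reachable-resolver")

    gw = ipaddress.ip_address(lease["gateway"])
    if gw in net and gw not in exempt:
        findings.append("gateway-blocked-by-isolation")
    return findings


if __name__ == "__main__":
    print(audit_guest_lease(LEASE_FROM_CORP_DHCP, CORP_NET, ["172.16.5.1"]))
    print(audit_guest_lease(LEASE_FROM_GUEST_SCOPE, CORP_NET))
```

An empty result for the guest-scope lease corresponds to the separate-VLAN design in the first answer: guests are addressed outside the company range and resolve names without touching an internal host.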


  • Related Question

    networking - Wireless router suddenly has no internet connection
  • Daniel Gratz

    Have a Buffalo wireless router running DD-WRT. It was working fine but suddenly today I can't get any internet through it. There is no internet connection if I connect via wireless or even the LAN port. This is what I see if I try to go to any website:

    This webpage is not available
    The server at www.baidu.com can't be found, because the DNS lookup failed. DNS is the network service that translates a website's name to its Internet address. This error is most often caused by having no connection to the Internet or a misconfigured network. It can also be caused by an unresponsive DNS server or a firewall preventing Google Chrome from accessing the network.
    Here are some suggestions:
    Reload this webpage later. […]

    I've reset the modem, I've tried two different laptops and both have same problem in that they can't connect through the router. Any ideas?

    P.S: the wireless adapter in each laptop is set to automatic DNS.

    EDIT:

    I have Internet if I connect directly to the FTTH modem. Also, another wireless router I have works.


  • Related Answers
  • MaQleod

    First step in EVERY connection outage should be to bypass your router and connect your computer directly to your ISP device. Can you ping your DNS server? If the answer is no, try 74.125.226.240. If that still doesn't work, call your ISP. If it does work, then ping google.com, does it work now? If no, change your DNS servers and retest. If yes, your internet connection is fine and it is something with your router (since you have already ruled out a single computer).

    Plug your router back in and log into it. Do you get an IP? Is your DNS set correctly? Try the above tests again from the router interface. Check your DHCP configuration. What do your computers get when they type ipconfig or ifconfig? Does that match what your router is set to hand out? Have you tried swapping cables between the router and the modem?

    tcpdump can also be a friend here, especially if you can run it on the router's WAN (not sure if ddwrt is capable of this or not). It would be helpful to see what the router is actually sending out. It could also help to see what is being sent between the router and a computer.

    Basically, you need to work on narrowing down the problem to a specific point on your network or you can do all the resetting and reconfiguring you want and it is just stabs in the dark.