Guest WLAN provides internet access to your network members. It also provides firewall security rules to isolate your guest network from the rest. This recipe contains information provided by our forums members and one blogger as showed below:
The changes below assume an OpenWrt default configuration, the relevant files are:
/etc/config/network and define a new
The new network interface will have to be configured as a bridge if your wireless network has multiple radios and access points, and you wish to connect more than one to the guest network.
In /etc/config/wireless, define a new, second wifi-iface section by copying the existing one and change its network option to point to the newly created interface section.
option 'device' '???' you should put the device listed in your 'wifi-device' section. For example, if your 'wifi-device' says
config 'wifi-device' 'wifi0' then the wifi-iface section should be
option 'device' 'wifi0'
Note: Your hardware may not be capable of this. For example, open source b43 driver for Broadcom hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to build the images yourself. — sup 2012/05/12 20:22. Worked with AR71xx + AR9280, Barrier Breaker r41336 (Kernel 3.10.36)
Note: Open Wireless Movement Wireless networks labeled with the SSID "openwireless.org" are shared resources volunteered by a neighbor who is a member of the Open Wireless Movement. This person has generously offered you a portion of their bandwidth. Please be considerate when you use it.
In order to support DHCP on 'guest' wireless, a new
dhcp pool must be defined in
/etc/config/firewall and add new zone section covering the 'guest' interface, allow internet, DNS and DHCP to guests:
— sartan 2011/03/17 05:45
I created this small set of firewall rules to completely isolate guests on the guest SSID. I had some devices that only worked with WEP or no authentication at all. WEP doesn't like to run on .11n devices in HT mode, so the only option was a wide-open SSID. I also didn't want my neighbors to quickly steal my internet… This firewall config will only allow specific, known source MACs to connect to the internet, with zero access to the rest of the network.
/etc/config/firewall and add new zone section covering the 'guest' interface, allow SSH, DNS and DHCP to guests, allow only specific source MAC addresses out to the WAN, drop broadcast traffic and deny the rest of orders:
In this configuration I shared my guest SSID, but only provide http and https connections, and isolate GUEST network from LAN network.
/etc/config/firewall, remove any 'guest' configurations and add new zone section covering the 'guest' interface, allow SSH, DNS and DHCP to guests, and http and https to the outside world, then block the rest.
— senomoto 2014/06/26 22:01
This is completely optional, but advised. Install package wshaper:
opkg install wshaper
config wshaper 'settings'
option network 'guest'
option downlink '64'
option uplink '512'
uplink options are maximal limits, but in practice the speed will be slightly lower as wshaper also tries to prioritize traffic (so that the network stays responsive even when someone downloads a huge file - there are also wshaper options that can control this). The units are kbits.
Also note: The
uplink limits are reversed from what one might expect, as the data is flowing in the opposite direction from wshaper's usual (wan) interface.
- Here is an example of a shell script with minimal settings required to setup guest wifi. You need to reboot router when script finishes.
#!/bin/sh # This is supposed to be run on openwrt # Written by Stanislav German-Evtushenko, 2014 # Based on http://wiki.openwrt.org/doc/uci/firewall # Configure guest network uci delete network.guest uci set network.guest=interface uci set network.guest.proto=static uci set network.guest.ipaddr=192.168.101.21 uci set network.guest.netmask=255.255.255.0 # Configure guest Wi-Fi uci delete wireless.guest uci set wireless.guest=wifi-iface uci set wireless.guest.device=radio0 uci set wireless.guest.mode=ap uci set wireless.guest.network=guest uci set wireless.guest.ssid=openwireless.org uci set wireless.guest.encryption=none # Configure DHCP for guest network uci delete dhcp.guest uci set dhcp.guest=dhcp uci set dhcp.guest.interface=guest uci set dhcp.guest.start=50 uci set dhcp.guest.limit=200 uci set dhcp.guest.leasetime=1h # Configure firewall for guest network ## Configure guest zone uci delete firewall.guest_zone uci set firewall.guest_zone=zone uci set firewall.guest_zone.name=guest uci set firewall.guest_zone.network=guest uci set firewall.guest_zone.input=REJECT uci set firewall.guest_zone.forward=REJECT uci set firewall.guest_zone.output=ACCEPT ## Allow Guest -> Internet uci delete firewall.guest_forwarding uci set firewall.guest_forwarding=forwarding uci set firewall.guest_forwarding.src=guest uci set firewall.guest_forwarding.dest=wan ## Allow DNS Guest -> Router uci delete firewall.guest_rule_dns uci set firewall.guest_rule_dns=rule uci set firewall.guest_rule_dns.name='Allow DNS Queries' uci set firewall.guest_rule_dns.src=guest uci set firewall.guest_rule_dns.dest_port=53 uci set firewall.guest_rule_dns.proto=udp uci set firewall.guest_rule_dns.target=ACCEPT ## Allow DHCP Guest -> Router uci delete firewall.guest_rule_dhcp uci set firewall.guest_rule_dhcp=rule uci set firewall.guest_rule_dhcp.name='Allow DHCP request' uci set firewall.guest_rule_dhcp.src=guest uci set firewall.guest_rule_dhcp.src_port=68 uci set firewall.guest_rule_dhcp.dest_port=67 uci set firewall.guest_rule_dhcp.proto=udp uci set firewall.guest_rule_dhcp.target=ACCEPT uci commit
- OPTIONAL: The following script installs and configures traffic shaper.
#!/bin/sh opkg install wshaper uci delete wshaper.settings uci set wshaper.settings=wshaper uci set wshaper.settings.network=guest uci set wshaper.settings.uplink=2000 uci set wshaper.settings.downlink=500 /etc/init.d/wshaper enable /etc/init.d/wshaper start
- Enable the new wireless network
- Restart the firewall
- Restart the DHCP service
- Start traffic shaping
- Make traffic shaping permanent
If you don't get an IP from DHCP check if you listen to the interface.
doc/recipes/guest-wlan.txt · Last modified: 2014/11/26 01:20 by giner