# OpenWrt Wiki

### Site Tools

doc:recipes:guest-wlan-webinterface

# Differences

This shows you the differences between two versions of the page.

 doc:recipes:guest-wlan-webinterface [2013/01/09 12:10]del doc:recipes:guest-wlan-webinterface [2017/05/30 15:03] (current)tmomas ↷ Links adapted because of a move operation Both sides previous revision Previous revision 2017/05/30 15:03 tmomas ↷ Links adapted because of a move operation2013/10/11 12:25 sourcejedi Insert missing word "avoid" :)2013/09/25 07:53 zerofx … even more line breaks …2013/09/25 07:38 zerofx basically inserted a single line break before and a double on after each screenhot, to make the page more readable on wider screens2013/03/10 19:23 del 2013/03/10 19:22 del 2013/03/10 19:21 del 2013/03/10 13:29 del 2013/03/10 13:25 del Setup firewall rules for guests2013/03/10 12:48 del 2013/03/10 12:44 del Avoid IP address conflicts2013/03/10 12:38 del Change Input rule to isolate guest2013/01/19 20:41 del 2013/01/09 12:10 del 2013/01/02 15:50 del 2013/01/02 15:47 del 2013/01/02 15:46 del created Next revision Previous revision 2017/05/30 15:03 tmomas ↷ Links adapted because of a move operation2013/10/11 12:25 sourcejedi Insert missing word "avoid" :)2013/09/25 07:53 zerofx … even more line breaks …2013/09/25 07:38 zerofx basically inserted a single line break before and a double on after each screenhot, to make the page more readable on wider screens2013/03/10 19:23 del 2013/03/10 19:22 del 2013/03/10 19:21 del 2013/03/10 13:29 del 2013/03/10 13:25 del Setup firewall rules for guests2013/03/10 12:48 del 2013/03/10 12:44 del Avoid IP address conflicts2013/03/10 12:38 del Change Input rule to isolate guest2013/01/19 20:41 del 2013/01/09 12:10 del 2013/01/02 15:50 del 2013/01/02 15:47 del 2013/01/02 15:46 del created Line 1: Line 1: + ====== Configure a guest WLAN using the Luci web-interface ====== + Guest WLAN provides internet access to your network members. It also provides firewall security rules to isolate your guest network from the rest. This recipe is based on the more comprehensive [[doc:​recipes:​guest-wlan|Guest WLAN page]], providing a more user-friendly approach through the Luci web-interface. + Note that all MAC addresses have been erased from the screenshots. + + ===== Create and configure a new wireless controller ===== + After logging into the web-interface,​ manoeuvre to the **Wifi** page under **Network**. Click **Add** over the wireless controller (e.g., the 2.4 GHz radio) you want to have your guest network on. A new interface will be added as shown here: + \\ \\ {{:​doc:​recipes:​createwireless.png|}}\\ \\ \\ + As you can see, our new wireless controller is created, and we named it guest. Next up is configuring it. Choose the **Edit** option for the controller. You will need to create a new network, as you can see we named our new network guest here: + \\ \\ {{:​doc:​recipes:​editwirelessforguest.png|}}\\ \\ + Also, make sure to set up wireless security if you want to protect the connection.\\ ​ + + ===== Configure the new interface ===== + Now if you manoeuvre to the Interfaces page under Network, and you should see your new interface, looking similar to this: + \\ \\ {{:​doc:​recipes:​guestinterfacecreated.png|}}\\ \\ \\ + You will need to configure you interface before it is useful. Choose **Edit**, pick the protocol **Static address**, and fill out your chosen IPv4 address. We chose 192.168.3.1 here, but you may have different preferences. However, avoid using 192.168.1.1 or 10.0.0.1 as they may already be in use and prevent your guests from acquiring IP-addresses. Remember to set the netmask. You will also need to enable DHCP, we chose to go with the default options here except for the Leasetime wich is only one hour, suitable for environments where a large number of guests connect and leave through a day. + \\ \\ {{:​media:​doc:​recipes:​editinterfaceforguest.png|Set IP address and netmask for the guests and enable DHCP}}\\ \\ \\ + Notice that you have a **Firewall Settings** tab to the far right of the  **General Setup** tab. Make sure you visit this tab, and create a new zone for your guest, like we have done here: + \\ \\ {{:​doc:​recipes:​createfirewallzoneforguest.png|}}\\ \\ + + ===== Configure the firewall ===== + Now you are just about done. That last thing we need to do, is to open up for traffic between you guest network and WAN in the firewall. Go to the **Firewall** page under **Network**,​ choose **Edit** for your guest zone. Set **Input** to **REJECT** and tick wan under **Allow forward to destination zones**. Correctly configured it should look like this: + \\ \\ {{media:​doc:​recipes:​guest-wlan-firewall-setup.png|Check that your Guest interface has access to WAN and that Input is set to REJECT}}\\ \\ + Remember to click **Save & Apply**. The last thing we need to do is to give our guests access to the Internet.\\ ​ + + Right now neither DNS nor DHCP traffic will be accepted. We need to create two rules, which we can do from the **Traffic rules** tab under the **Firewall** tab. Both rules can be put in under **Open ports on router:**. We name the first one **Guest DNS** here (you can name it what you want), setting both TCP and UDP traffic and port 53: + \\ \\ {{:​media:​doc:​recipes:​guest-wlan-dns-setup.png|Enter new rule to allow DNS traffic from guests}}\\ \\ \\ + We need to configure the rule, so choose to edit it. Set **Source zone** to **guest**, and set **Destination zone** to **Device (input)** like shown here: + \\ \\ {{:​media:​doc:​recipes:​guest-wlan-dns-config.png|Set Source zone to Guest and Destination zone to Device}}\\ \\ \\ + Similarly, create a new rule to allow DHCP for guests. We name this rule Guest DHCP, choose UDP as protocol, and set 67-68 for ports. Again edit the rule, setting **Source zone** to **guest**, and set **Destination zone** to **Device (input)**. When you are done it should look like this:\\ \\ {{:​media:​doc:​recipes:​guest-wlan-firewall-config.png|Cross check that your two rules have the same set-up}}