User Tools

Site Tools

This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at <<<<<<<<<<


This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
doc:recipes:guest-wlan-webinterface [2013/03/10 13:25]
del Setup firewall rules for guests
doc:recipes:guest-wlan-webinterface [2017/05/30 15:03] (current)
tmomas ↷ Links adapted because of a move operation
Line 1: Line 1:
 +====== Configure a guest WLAN using the Luci web-interface ======
 +Guest WLAN provides internet access to your network members. It also provides firewall security rules to isolate your guest network from the rest. This recipe is based on the more comprehensive [[doc:​recipes:​guest-wlan|Guest WLAN page]], providing a more user-friendly approach through the Luci web-interface.
 +Note that all MAC addresses have been erased from the screenshots.
 +===== Create and configure a new wireless controller =====
 +After logging into the web-interface,​ manoeuvre to the **Wifi** page under **Network**. Click **Add** over the wireless controller (e.g., the 2.4 GHz radio) you want to have your guest network on. A new interface will be added as shown here:
 +\\ \\ {{:​doc:​recipes:​createwireless.png|}}\\ \\ \\ 
 +As you can see, our new wireless controller is created, and we named it guest. Next up is configuring it. Choose the **Edit** option for the controller. You will need to create a new network, as you can see we named our new network guest here:
 +\\ \\ {{:​doc:​recipes:​editwirelessforguest.png|}}\\ \\ 
 +Also, make sure to set up wireless security if you want to protect the connection.\\ ​
 +===== Configure the new interface =====
 +Now if you manoeuvre to the Interfaces page under Network, and you should see your new interface, looking similar to this:
 +\\ \\ {{:​doc:​recipes:​guestinterfacecreated.png|}}\\ \\ \\ 
 +You will need to configure you interface before it is useful. Choose **Edit**, pick the protocol **Static address**, and fill out your chosen IPv4 address. We chose here, but you may have different preferences. However, avoid using or as they may already be in use and prevent your guests from acquiring IP-addresses. Remember to set the netmask. You will also need to enable DHCP, we chose to go with the default options here except for the Leasetime wich is only one hour, suitable for environments where a large number of guests connect and leave through a day.
 +\\ \\ {{:​media:​doc:​recipes:​editinterfaceforguest.png|Set IP address and netmask for the guests and enable DHCP}}\\ \\ \\ 
 +Notice that you have a **Firewall Settings** tab to the far right of the  **General Setup** tab. Make sure you visit this tab, and create a new zone for your guest, like we have done here:
 +\\ \\ {{:​doc:​recipes:​createfirewallzoneforguest.png|}}\\ \\ 
 +===== Configure the firewall =====
 +Now you are just about done. That last thing we need to do, is to open up for traffic between you guest network and WAN in the firewall. Go to the **Firewall** page under **Network**,​ choose **Edit** for your guest zone. Set **Input** to **REJECT** and tick wan under **Allow forward to destination zones**. Correctly configured it should look like this:
 +\\ \\ {{media:​doc:​recipes:​guest-wlan-firewall-setup.png|Check that your Guest interface has access to WAN and that Input is set to REJECT}}\\ \\ 
 +Remember to click **Save & Apply**. The last thing we need to do is to give our guests access to the Internet.\\ ​
 +Right now neither DNS nor DHCP traffic will be accepted. We need to create two rules, which we can do from the **Traffic rules** tab under the **Firewall** tab. Both rules can be put in under **Open ports on router:**. We name the first one **Guest DNS** here (you can name it what you want), setting both TCP and UDP traffic and port 53:
 +\\ \\ {{:​media:​doc:​recipes:​guest-wlan-dns-setup.png|Enter new rule to allow DNS traffic from guests}}\\ \\ \\ 
 +We need to configure the rule, so choose to edit it. Set **Source zone** to **guest**, and set **Destination zone** to **Device (input)** like shown here:
 +\\ \\ {{:​media:​doc:​recipes:​guest-wlan-dns-config.png|Set Source zone to Guest and Destination zone to Device}}\\ \\ \\ 
 +Similarly, create a new rule to allow DHCP for guests. We name this rule Guest DHCP, choose UDP as protocol, and set 67-68 for ports. Again edit the rule, setting **Source zone** to **guest**, and set **Destination zone** to **Device (input)**. When you are done it should look like this:\\ \\ {{:​media:​doc:​recipes:​guest-wlan-firewall-config.png|Cross check that your two rules have the same set-up}}