Differences


doc:recipes:guest-wlan [2012/11/07 05:07]
uvray313 grammar
doc:recipes:guest-wlan [2014/07/31 12:08] (current)
kronick network and ssid names swapped
Line 24: Line 24:
| ''%%[..] | ''%%[..]
config 'interface' 'guest' config 'interface' 'guest'
-#      option 'type' 'bridge' 
        option 'proto' 'static'         option 'proto' 'static'
        option 'ipaddr' '10.0.0.1'         option 'ipaddr' '10.0.0.1'
Line 39: Line 38:
| ''[..] | ''[..]
config 'wifi-iface' config 'wifi-iface'
-        **option 'device' '...'**+        **option 'device' '???'**
        option 'mode' 'ap'         option 'mode' 'ap'
-        option 'network' '**guest**+        option 'network' 'guest' 
-        option 'ssid' 'guest'+        option 'ssid' '**openwireless.org**'
        option 'encryption' 'none'         option 'encryption' 'none'
[..]'' | [..]'' |
-For ''option 'device' '...' '' you should put the device listed in your 'wifi-device' section. For example, if your 'wifi-device' says ''config 'wifi-device' 'wifi0' '' then the wifi-iface section should say ''option 'device' 'wifi0' ''+For //''option 'device' '???' ''// you should put the device listed in your 'wifi-device' section. For example, if your 'wifi-device' says //''config 'wifi-device' '**wifi0**' ''// then the wifi-iface section should be //''option 'device' '**wifi0**' ''//
-**Note:** Your hardware may not be capable of this. For example, open source b43 driver for Broadcome hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to [[doc:howto:obtain.firmware.generate|build]] the images yourself.  --- //sup 2012/05/12 20:22//+**Note:** Your hardware may not be capable of this. For example, open source b43 driver for Broadcom hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to [[doc:howto:obtain.firmware.generate|build]] the images yourself.  --- //sup 2012/05/12 20:22//. Worked with AR71xx + AR9280, Barrier Breaker r41336 (Kernel 3.10.36) 
 + 
 +**Note:** [[http://openwireless.org|Open Wireless Movement]] //Wireless networks labeled with the SSID "openwireless.org" are shared resources volunteered by a neighbor who is a member of the Open Wireless Movement. This person has generously offered you a portion of their bandwidth. Please be considerate when you use it.//
==== Step 3: Define a new DHCP pool ==== ==== Step 3: Define a new DHCP pool ====
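Review bot: the text "Worked with AR71xx + AR9280, Barrier Breaker r41336 (Kernel 3.10.36)" is appended after the existing signature "--- //sup 2012/05/12 20:22//" and so reads as part of sup's note; put it on its own line with its own signature so the attribution stays honest. The SSID change to 'openwireless.org' together with the unchanged "option 'encryption' 'none'" makes this an intentionally open network, so the added Open Wireless note should say plainly that guest isolation rests entirely on the firewall zone and rules in the later steps, not on anything in this wifi-iface section. The '???' placeholder for "option 'device'" is fine since the explanation right below it was updated to match.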
Line 56: Line 57:
config 'dhcp' 'guest' config 'dhcp' 'guest'
        option 'interface' 'guest'         option 'interface' 'guest'
-        option 'start' '150+        option 'start' '50
-        option 'limit' '100'+        option 'limit' '200'
        option 'leasetime' '1h'         option 'leasetime' '1h'
[..]%%'' | [..]%%'' |
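Review bot: "option 'start' '50'" with "option 'limit' '200'" hands out 10.0.0.50 through 10.0.0.249 on the guest interface whose address is "option 'ipaddr' '10.0.0.1'" in the Step 1 hunk; that still ends at .249 like the old 150/100 values, but it doubles the lease count without a stated reason, and it only works if the guest interface's netmask (outside this hunk) is a /24. A short note on why the larger pool is wanted, or a reminder to size it to the configured subnet, would help readers who use a different address range.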
Line 68: Line 69:
config 'zone' config 'zone'
        option 'name' 'guest'         option 'name' 'guest'
 +        option 'network' 'guest'
        option 'input' 'REJECT'         option 'input' 'REJECT'
        option 'forward' 'REJECT'         option 'forward' 'REJECT'
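Review bot: adding "option 'network' 'guest'" to the zone makes the interface binding explicit, which is the right call: without it readers have to rely on the zone name happening to match the network name, and a later rename of either silently leaves the 'input' and 'forward' REJECT policies unattached to the guest clients they are meant to contain. The same explicit binding is worth keeping in the second zone section further down the page, which this revision also does.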
Line 80: Line 82:
# Client DNS queries ordinate from dynamic UDP ports (>1023) # Client DNS queries ordinate from dynamic UDP ports (>1023)
config 'rule' config 'rule'
 +        option 'name' 'Allow DNS Queries'
        option 'src' 'guest'         option 'src' 'guest'
        option 'dest_port' '53'         option 'dest_port' '53'
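Review bot: the comment "# Client DNS queries ordinate from dynamic UDP ports (>1023)" has a typo ("ordinate" should be "originate") that could have been fixed while this rule was being touched. The added "option 'name' 'Allow DNS Queries'" is good; named rules are much easier to match against what the firewall actually loaded when debugging. Note the rule has no 'dest', so it only permits queries to the router itself, which is the right scope for an isolated guest zone.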
Line 88: Line 91:
# DHCP communication uses UDP ports 67-68 # DHCP communication uses UDP ports 67-68
config 'rule' config 'rule'
 +        option 'name' 'Allow DHCP request'
        option 'src' 'guest'         option 'src' 'guest'
        option 'src_port' '67-68'         option 'src_port' '67-68'
Line 107: Line 111:
config 'zone' config 'zone'
        option 'name' 'guest'         option 'name' 'guest'
 +        option 'network' 'guest'
        option 'input' 'REJECT'         option 'input' 'REJECT'
        option 'forward' 'REJECT'         option 'forward' 'REJECT'
Line 113: Line 118:
# Quick rule to allow SSH in # Quick rule to allow SSH in
config 'rule' config 'rule'
 +        option 'name' 'Allow SSH in'
        option 'src' 'guest'         option 'src' 'guest'
        option 'dest_port' '22'         option 'dest_port' '22'
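Review bot: "option 'name' 'Allow SSH in'" labels the rule but leaves its real problem untouched: with "option 'src' 'guest'" and "option 'dest_port' '22'", every client on the open guest SSID can reach the router's SSH service. If the rule exists only for the owner's convenience it should be removed from the guest recipe, or at least narrowed to a specific source (a 'src_ip' or 'src_mac' match) so the management port is not exposed to anonymous guests; the comment "# Quick rule to allow SSH in" already hints that it was never meant to be permanent.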
Line 120: Line 126:
# Allow DNS Guest -> Router # Allow DNS Guest -> Router
config 'rule' config 'rule'
 +        option 'name' 'Allow DNS Queries'
        option 'src' 'guest'         option 'src' 'guest'
        option 'dest_port' '53'         option 'dest_port' '53'
Line 127: Line 134:
# Allow DHCP Guest -> Router # Allow DHCP Guest -> Router
config 'rule' config 'rule'
 +        option 'name' 'Allow DHCP request'
        option 'src' 'guest'         option 'src' 'guest'
        option 'src_port' '67-68'         option 'src_port' '67-68'
Line 135: Line 143:
# Allow only specific source MAC addresses out to the WAN # Allow only specific source MAC addresses out to the WAN
config 'rule' config 'rule'
-        option '_name' 'Nintendo DS'+        option 'name' 'Allow my Nintendo DS'
        option 'src' 'guest'         option 'src' 'guest'
        option 'dest' 'wan'         option 'dest' 'wan'
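Review bot: replacing "option '_name'" with "option 'name'" is the correct fix, since '_name' is not an option the firewall itself reads and the rule therefore showed up unnamed in the loaded rule set. While here, the comment "# Allow only specific source MAC addresses out to the WAN" deserves a caveat: a source MAC is chosen by the client and trivially changed, so this allow rule is a convenience filter rather than an access control, and the explicit "Deny guest -> WAN" rule later in the file remains the actual boundary.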
Line 144: Line 152:
# Drop broadcast traffic, it just fills the logs :) # Drop broadcast traffic, it just fills the logs :)
config 'rule' config 'rule'
 +        option 'name' 'Drop guest broadcast'
        option 'src' 'guest'         option 'src' 'guest'
        option 'dest_ip' '172.16.62.255'         option 'dest_ip' '172.16.62.255'
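Review bot: "option 'dest_ip' '172.16.62.255'" does not match the guest interface address "option 'ipaddr' '10.0.0.1'" shown in the Step 1 hunk, so a reader who follows the recipe literally gets a rule that matches nothing and broadcast traffic keeps filling the logs the comment complains about. Either use the broadcast address of the guest subnet the recipe actually configures (10.0.0.255 for a /24) or state in the comment that this address must be adapted to the reader's guest subnet.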
Line 150: Line 159:
# Another explicit deny at the end. # Another explicit deny at the end.
config 'rule' config 'rule'
 +        option 'name' 'Deny guest -> WAN'
        option 'src' 'guest'         option 'src' 'guest'
        option 'dest' 'wan'         option 'dest' 'wan'
Line 156: Line 166:
[..]%%'' | [..]%%'' |
 +
 +==== Step 4c: Block everything, but http and https ====
 +
 +In this configuration I shared my guest SSID, but only provide http and https connections, and isolate GUEST network from LAN network.
 +
 +Edit ''/etc/config/firewall'', remove any //'guest'// configurations and add new zone section covering the 'guest' interface, allow SSH, DNS and DHCP to guests, and http and https to the outside world, then block the rest.
 +
 +| ''%%[..]
 +config zone                                   
 +        option name 'guest'               
 +        option network 'guest'             
 +        option forward 'REJECT'           
 +        option output 'ACCEPT'             
 +        option input 'REJECT'
 +       
 +config forwarding                             
 +        option src 'guest'                 
 +        option dest 'wan'
 +
 +config rule                                   
 +        option src 'guest'                     
 +        option src_port '67-68'               
 +        option dest_port '67-68'               
 +        option proto 'udp'                     
 +        option target 'ACCEPT'                 
 +        option name 'Allow DHCP request'       
 +
 +config rule                                   
 +        option src 'guest'                     
 +        option dest_port '53'                 
 +        option proto 'tcpudp'                 
 +        option target 'ACCEPT'                 
 +        option name 'Allow DNS Queries'       
 +
 +config rule                                   
 +        option src 'guest'                             
 +        option target 'DROP'                   
 +        option name 'Deny Access to router'   
 +
 +config rule                                   
 +        option src 'guest'                     
 +        option dest 'lan'                     
 +        option name 'Deny Guest -> LAN'       
 +        option proto 'all'                     
 +        option target 'DROP'                   
 +
 +config rule                                   
 +        option target 'ACCEPT'                 
 +        option src 'guest'                     
 +        option dest 'wan'                     
 +        option name 'Allow Guest -> WAN http'     
 +        option proto 'tcp'                     
 +        option dest_port '80'                 
 +
 +config rule                               
 +        option target 'ACCEPT'             
 +        option src 'guest'                 
 +        option dest 'wan'                     
 +        option name 'Allow Guest -> WAN https' 
 +        option proto 'tcp'                 
 +        option dest_port '443'
 +
 +config rule                                   
 +        option src 'guest'                     
 +        option dest 'wan'                     
 +        option name 'Deny Guest -> WAN'
 +        option proto 'all'                 
 +        option target 'DROP'
 +
 +[..]%%'' |
 +
 + --- //senomoto 2014/06/26 22:01//
==== Step 5: Limit bandwidth of the connection ==== ==== Step 5: Limit bandwidth of the connection ====
-This is completely optional. Install package wshaper:+This is completely optional, but advised. Install package wshaper:
''opkg install wshaper'' ''opkg install wshaper''
Edit ''/etc/config/wshaper'': Edit ''/etc/config/wshaper'':
-''config 'wshaper' 'settings' +''config wshaper 'settings' 
-       **option 'network' '...'** + option network 'guest
-       option 'downlink' '512+ option downlink '64
-       option 'uplink' '128'+ option uplink '512'
'' ''
-For ''option network '...' '' run ''iwconfig'' and find out the interface that is running the guest WLAN.+**Note:** ''downlink'' and ''uplink'' options are maximal limits, but in practice the speed will be slightly lower as wshaper also tries to prioritize traffic (so that the network stays responsive even when someone downloads a huge file - there are also wshaper options that can control this). The units are kbits.
-**Note:** ''downlink'' and ''uplink'' options are maximal limits, but in practice the speed will be lower as wshaper also tries to prioritize traffic (so that the network stays responsive evene when someone downloads a huge file). The units are kbits.+**Also note:** The ''downlink'' and ''uplink'' limits are //reversed// from what one might expect, as the data is flowing in the opposite direction from wshaper's usual (wan) interface.
===== Apply changes ===== ===== Apply changes =====
-  - Enable the new wireless network<code>wifi</code>+  - Enable the new wireless network<code>/etc/init.d/network restart</code>
  - Restart the firewall<code>/etc/init.d/firewall restart</code>   - Restart the firewall<code>/etc/init.d/firewall restart</code>
  - Restart the DHCP service <code>/etc/init.d/dnsmasq restart</code>   - Restart the DHCP service <code>/etc/init.d/dnsmasq restart</code>
  - Start traffic shaping <code>/etc/init.d/wshaper start</code>   - Start traffic shaping <code>/etc/init.d/wshaper start</code>
  - Make traffic shaping permanent <code>/etc/init.d/wshaper enable</code>   - Make traffic shaping permanent <code>/etc/init.d/wshaper enable</code>
 +
 +===== HotSpot (Captive Portal)=====
 +
 +If you want to setup a simple Hotspot for your guest WLAN, take a look at [[http://wiki.openwrt.org/doc/howto/wireless.hotspot.nodogsplash|Nodogsplash]] or [[http://wiki.openwrt.org/doc/howto/wireless.hotspot.wifidog|WiFiDog]].
===== Troubleshooting ===== ===== Troubleshooting =====
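Review bot: in the new Step 4c firewall, the "config forwarding" block with "option src 'guest'" and "option dest 'wan'" accepts all guest-to-WAN traffic at the zone level, which contradicts the stated goal of http and https only; the two ACCEPT rules for "option dest_port '80'" and "option dest_port '443'" already permit exactly what is wanted, so the forwarding section should be dropped and the trailing "Deny Guest -> WAN" DROP rule kept as the catch-all, then the loaded rule set checked rather than the order assumed. The prose above it says the section allows SSH to guests, but no port 22 rule exists and "Deny Access to router" drops everything the DHCP and DNS accepts did not match, so the text should be corrected to match the config. In Step 5, the new lines "option network 'guest" and "option downlink '64" are missing their closing quotes, and the note that wshaper's 'downlink' and 'uplink' are reversed on this interface belongs next to the values it explains. In Apply changes, "/etc/init.d/network restart" in place of "wifi" does bring up the new interface, but it restarts every network interface, not only the guest one, which is worth saying.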


doc/recipes/guest-wlan.1352261257.txt.bz2 · Last modified: 2012/11/07 05:07 by uvray313