doc:recipes:guest-wlan (revision 2015/05/12 22:22, current; compared against revision 2012/11/07 05:07)
====== Configure a guest WLAN ======

<WRAP center round important 70%>
People looking for a way to configure a guest WLAN through the web interface should read [[doc:recipes:guest-wlan-webinterface|the LuCI guest WLAN recipe]].</WRAP>

A guest WLAN gives guests internet access, while firewall rules isolate the guest network from the rest of your network. This recipe contains information provided by our forum members and one blogger, as listed below:
  * [[http://jwalanta.blogspot.com/2012/03/multiple-ssid-on-openwrt-with-bandwidth.html|Limiting bandwidth of the guest connection]]

===== Manual configuration =====

The changes below assume an OpenWrt default configuration; the relevant files are:
  * [[doc:uci:firewall|/etc/config/firewall]]
  * [[doc:uci:wshaper|/etc/config/wshaper]]

:!: A guest WLAN (or plain guest network) [[doc:recipes:guest-wlan#multiple_network_devices|across multiple network devices]] requires a separate VLAN.
  
==== Step 1: Define a new network ====

Edit [[doc:uci:network|/etc/config/network]] and define a new ''[[doc:uci:network#interfaces|interface]]'' section. Pick a subnet that does not overlap with your LAN (192.168.1.0/24 by default); the examples below use 10.0.0.0/24:
<code>
config 'interface' 'guest'
        option 'proto' 'static'
        option 'ipaddr' '10.0.0.1'
        option 'netmask' '255.255.255.0'
</code>
==== Step 2: Copy the existing wireless network ====

In [[doc:uci:wireless|/etc/config/wireless]], define a new wifi-iface section by copying the existing one and changing its network option to point to the newly created interface section.

<code>
config 'wifi-iface'
        option 'device'     '???'
        option 'mode'       'ap'
        option 'network'    'guest'
        option 'ssid'       'guest'
        option 'encryption' 'none'
</code>
For //''option 'device' '???' ''// put the device listed in your 'wifi-device' section. For example, if your 'wifi-device' section says //''config 'wifi-device' '**wifi0**' ''// then the wifi-iface section should contain //''option 'device' '**wifi0**' ''//. ''encryption'' ''none'' creates an open SSID; if guests should need a passphrase, use ''option 'encryption' 'psk2' '' together with ''option 'key' '<passphrase>' ''.

| {{:meta:icons:tango:48px-emblem-important.svg.png?nolink}} | Some hardware or drivers might not support multiple SSIDs. This is the case for e.g. the FOSS b43 driver for Broadcom hardware. If you want multiple SSIDs with Broadcom you'll need to use the [[doc/hardware/soc/soc.broadcom.bcm47xx#broadcom-wl|proprietary wl driver]]. |
  
==== Step 3: Define a new DHCP pool ====

In order to support DHCP on the 'guest' wireless network, a new ''[[doc:uci:dhcp#dhcp.pools|dhcp]]'' pool must be defined in ''/etc/config/dhcp'' (with the subnet from step 1 the pool below hands out 10.0.0.50 to 10.0.0.249):

    [..]
    config 'dhcp' 'guest'
      option 'interface' 'guest'
      option 'start' '50'
      option 'limit' '200'
      option 'leasetime' '1h'
    [..]
  
==== Step 4a: Adjust firewall settings ====

Edit ''/etc/config/firewall'' and add a new zone section covering the 'guest' interface; allow internet, DNS and DHCP to guests:

    [..]
    config 'zone'
      option 'name' 'guest'
      option 'network' 'guest'
      option 'input' 'REJECT'
      option 'forward' 'REJECT'
      option 'output' 'ACCEPT'
     
    # Allow Guest -> Internet
    config 'forwarding'
      option 'src' 'guest'
      option 'dest' 'wan'
      
    # Allow DNS Guest -> Router
    # Client DNS queries originate from dynamic ports (>1023), so only the destination port is matched
    config 'rule'
      option 'name' 'Allow DNS Queries'
      option 'src' 'guest'
      option 'dest_port' '53'
      option 'proto' 'tcpudp'
      option 'target' 'ACCEPT'
     
    # Allow DHCP Guest -> Router
    # DHCP communication uses UDP ports 67-68
    config 'rule'
      option 'name' 'Allow DHCP request'
      option 'src' 'guest'
      option 'src_port' '67-68'
      option 'dest_port' '67-68'
      option 'proto' 'udp'
      option 'target' 'ACCEPT'
    [..]

With ''input'' and ''forward'' both set to ''REJECT'', guests can reach neither the router's other services (SSH, LuCI) nor the LAN zone: only the DNS and DHCP rules above and the forwarding to ''wan'' are permitted. Rules without a ''dest'' option apply to traffic addressed to the router itself.
  
==== Step 4b: Different modifications to firewall settings ====

I created this small set of firewall rules to completely isolate guests on the guest SSID. I had some devices that only worked with WEP or no authentication at all. WEP doesn't like to run on .11n devices in HT mode, so the only option was a wide-open SSID. I also didn't want my neighbors to quickly steal my internet... This firewall config will only allow specific, known source MACs to connect to the internet, with zero access to the rest of the network.

Edit ''/etc/config/firewall'' and add a new zone section covering the 'guest' interface; allow SSH, DNS and DHCP to guests, allow only specific source MAC addresses out to the WAN, drop broadcast traffic and deny the rest:

    [..]
     
    # Guest zone (add option 'log' '1' here if rejected packets should be logged)
    config 'zone'
      option 'name' 'guest'
      option 'network' 'guest'
      option 'input' 'REJECT'
      option 'forward' 'REJECT'
      option 'output' 'ACCEPT'
     
    # Quick rule to allow SSH in (this exposes the router's SSH port to every guest)
    config 'rule'
      option 'name' 'Allow SSH in'
      option 'src' 'guest'
      option 'dest_port' '22'
      option 'proto' 'tcp'
      option 'target' 'ACCEPT'
     
    # Allow DNS Guest -> Router
    config 'rule'
      option 'name' 'Allow DNS Queries'
      option 'src' 'guest'
      option 'dest_port' '53'
      option 'proto' 'tcpudp'
      option 'target' 'ACCEPT'
     
    # Allow DHCP Guest -> Router
    config 'rule'
      option 'name' 'Allow DHCP request'
      option 'src' 'guest'
      option 'src_port' '67-68'
      option 'dest_port' '67-68'
      option 'proto' 'udp'
      option 'target' 'ACCEPT'
     
    # Allow only specific source MAC addresses out to the WAN
    config 'rule'
      option 'name' 'Allow my Nintendo DS'
      option 'src' 'guest'
      option 'dest' 'wan'
      option 'proto' 'all'
      option 'src_mac' '00:ab:00:32:00:00'
      option 'target' 'ACCEPT'
     
    # Drop broadcast traffic, it just fills the logs :)
    # dest_ip is the broadcast address of the guest subnet (10.0.0.255 for the subnet from step 1)
    config 'rule'
      option 'name' 'Drop guest broadcast'
      option 'src' 'guest'
      option 'dest_ip' '172.16.62.255'
      option 'target' 'DROP'
     
    # Another explicit deny at the end.
    config 'rule'
      option 'name' 'Deny guest -> WAN'
      option 'src' 'guest'
      option 'dest' 'wan'
      option 'proto' 'all'
      option 'target' 'REJECT'
     
    [..]

:!: A source-MAC allow list on an open SSID only stops casual freeloading: the frames are unencrypted, so anyone in range can read an allowed MAC address off the air and configure their own adapter to use it. Treat it as a convenience filter, not as authentication.
  
==== Step 4c: Block everything but HTTP and HTTPS ====

In this configuration I share my guest SSID but only allow HTTP and HTTPS connections, and isolate the GUEST network from the LAN network.

Edit ''/etc/config/firewall'', remove any existing //'guest'// configuration and add a new zone section covering the 'guest' interface; allow DNS and DHCP to guests, and HTTP and HTTPS to the outside world, then block the rest.

    [..]
    config zone
      option name 'guest'
      option network 'guest'
      option forward 'REJECT'
      option output 'ACCEPT'
      option input 'REJECT'
     
    config forwarding
      option src 'guest'
      option dest 'wan'
     
    config rule
      option src 'guest'
      option src_port '67-68'
      option dest_port '67-68'
      option proto 'udp'
      option target 'ACCEPT'
      option name 'Allow DHCP request'
     
    config rule
      option src 'guest'
      option dest_port '53'
      option proto 'tcpudp'
      option target 'ACCEPT'
      option name 'Allow DNS Queries'
     
    config rule
      option src 'guest'
      option dest 'lan'
      option name 'Deny Guest -> LAN'
      option proto 'all'
      option target 'DROP'
     
    config rule
      option target 'ACCEPT'
      option src 'guest'
      option dest 'wan'
      option name 'Allow Guest -> WAN http'
      option proto 'tcp'
      option dest_port '80'
     
    config rule
      option target 'ACCEPT'
      option src 'guest'
      option dest 'wan'
      option name 'Allow Guest -> WAN https'
      option proto 'tcp'
      option dest_port '443'
     
    config rule
      option src 'guest'
      option dest 'wan'
      option name 'Deny Guest -> WAN'
      option proto 'all'
      option target 'DROP'
     
    [..]

The firewall evaluates ''rule'' sections before ''forwarding'' sections, so the trailing "Deny Guest -> WAN" rule decides for everything other than TCP 80 and 443; the ''forwarding'' section is effectively unused and could be omitted. Unlike step 4b, this ruleset does not open SSH on the router to guests.
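The three rule sets above differ in what a guest can reach, and it is easy to misread which line decides. The following is an added example, not OpenWrt's code nor this page's: a small Python model of how fw3 walks a zone's chains (user ''rule'' sections first, then ''forwarding'' sections, then the zone policy), applied to the flows a guest-network audit should check. It models only the matchers these recipes use (dest zone, proto, dest_port, src_mac); ''src_port'' and ''dest_ip'' are ignored, and the client MAC addresses are constructed.

```python
"""Model of how fw3, the OpenWrt firewall, decides traffic coming from the
'guest' zone. Added example, not OpenWrt code. Only the ordering that matters
here is modelled: 'config rule' sections first, then 'config forwarding'
sections, then the zone's input/forward policy. Matchers modelled: dest zone,
proto, dest_port (UCI syntax '53' or '67-68') and src_mac; src_port and
dest_ip are ignored. Client MAC addresses are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    dest: Optional[str] = None      # None: traffic to the router itself (input chain)
    proto: str = "tcpudp"
    dest_port: Optional[str] = None
    src_mac: Optional[str] = None
    target: str = "ACCEPT"


@dataclass
class GuestZone:
    input: str                      # zone 'input' policy
    forward: str                    # zone 'forward' policy
    forwardings: tuple              # dest zones of 'config forwarding' sections with src=guest
    rules: tuple                    # 'config rule' sections with src=guest, in file order


@dataclass
class Flow:
    dest: Optional[str]             # None: the router itself, otherwise 'lan' or 'wan'
    proto: str
    dest_port: int
    src_mac: str = "de:ad:be:ef:00:01"   # constructed: an ordinary guest client


def port_in_spec(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(r: Rule, f: Flow) -> bool:
    return (r.dest == f.dest
            and r.proto in ("all", "tcpudp", f.proto)
            and (r.dest_port is None or port_in_spec(r.dest_port, f.dest_port))
            and (r.src_mac is None or r.src_mac.lower() == f.src_mac.lower()))


def verdict(zone: GuestZone, f: Flow) -> str:
    """ACCEPT, REJECT or DROP for one packet, in fw3's evaluation order."""
    for r in zone.rules:                    # user rules come first in the zone chain
        if rule_matches(r, f):
            return r.target
    if f.dest is None:                      # input chain: fall through to the input policy
        return zone.input
    if f.dest in zone.forwardings:          # forward chain: forwarding sections...
        return "ACCEPT"
    return zone.forward                     # ...then the forward policy


DS_MAC = "00:ab:00:32:00:00"                # the src_mac from the step 4b rule

# Step 4a: DNS and DHCP to the router, everything to wan, nothing else.
STEP_4A = GuestZone("REJECT", "REJECT", ("wan",), (
    Rule("Allow DNS Queries", dest_port="53"),
    Rule("Allow DHCP request", proto="udp", dest_port="67-68"),
))
# Step 4b: SSH on the router opened to guests, wan only for one MAC, explicit deny last.
STEP_4B = GuestZone("REJECT", "REJECT", (), (
    Rule("Allow SSH in", proto="tcp", dest_port="22"),
    Rule("Allow DNS Queries", dest_port="53"),
    Rule("Allow DHCP request", proto="udp", dest_port="67-68"),
    Rule("Allow my Nintendo DS", dest="wan", proto="all", src_mac=DS_MAC),
    Rule("Deny guest -> WAN", dest="wan", proto="all", target="REJECT"),
))
# Step 4c: only TCP 80/443 to wan; the trailing DROP is reached before the forwarding section.
STEP_4C = GuestZone("REJECT", "REJECT", ("wan",), (
    Rule("Allow DHCP request", proto="udp", dest_port="67-68"),
    Rule("Allow DNS Queries", dest_port="53"),
    Rule("Deny Guest -> LAN", dest="lan", proto="all", target="DROP"),
    Rule("Allow Guest -> WAN http", dest="wan", proto="tcp", dest_port="80"),
    Rule("Allow Guest -> WAN https", dest="wan", proto="tcp", dest_port="443"),
    Rule("Deny Guest -> WAN", dest="wan", proto="all", target="DROP"),
))


def isolation_report(zone: GuestZone) -> dict:
    """Verdicts for the flows a guest-network audit should always check."""
    probes = {
        "router dns": Flow(None, "udp", 53),
        "router ssh": Flow(None, "tcp", 22),
        "router luci": Flow(None, "tcp", 80),
        "lan smb": Flow("lan", "tcp", 445),
        "wan https": Flow("wan", "tcp", 443),
        "wan ssh": Flow("wan", "tcp", 22),
        "wan ssh, spoofed DS MAC": Flow("wan", "tcp", 22, src_mac=DS_MAC),
    }
    return {name: verdict(zone, f) for name, f in probes.items()}


if __name__ == "__main__":
    for label, zone in (("4a", STEP_4A), ("4b", STEP_4B), ("4c", STEP_4C)):
        print(label, isolation_report(zone))
```

Two results are worth noticing: step 4b accepts SSH to the router from every guest, and a client that copies the Nintendo DS MAC is indistinguishable from the real one, which is the weakness of MAC-based allow lists on an open SSID. Step 4c drops the spoofed flow as well, because it filters on ports rather than on who is sending.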
==== Step 5: Limit bandwidth of the connection ====

<WRAP center round info 72%>
Wondershaper (wshaper) is not recommended. Better use ''qos-scripts'' or ''sqm-scripts'' (see the [[http://www.bufferbloat.net/projects/cerowrt/wiki/Wondershaper_Must_Die|Bufferbloat project]]).
</WRAP>

This is completely optional, but advised. Install the wshaper package:
''opkg install wshaper''

Edit ''/etc/config/wshaper'':

    config wshaper 'settings'
      option network 'guest'
      option downlink '64'
      option uplink '512'

<WRAP center round tip 85%>
''Downlink'' and ''uplink'' are maximum rates in ''kbit''. In practice the speed will be slightly lower, as wshaper also prioritizes traffic so that the network stays responsive even when e.g. someone downloads a huge file (there are wshaper options that control this). Because wshaper is attached to the guest interface, ''downlink'' limits what arrives on that interface from the guests (their upload) and ''uplink'' limits what is sent out to them (their download).
</WRAP>
==== Multiple network devices ====
  
-Another explicit deny at the end. +The basics are already covered by points 1 to 5 above. For a network setup that involves two or more network devices (e.g. a router, one or more switches, one or more access points) you need to provide a separate [[doc/​uci/​network/​switch#vlanswitch_config|VLAN]]. It is recommended to configure your VLANs through the web UI, since this offers an easier overview, but if you know what you are doing, ​the configuration files themselves are easy to edit as well.
-config '​rule'​ +
-        option '​src'​ '​guest'​ +
-        option '​dest'​ '​wan'​ +
-        option '​proto'​ '​all'​ +
-        option '​target'​ '​REJECT'​+
  
-[..]%%''​ |+**Some basics about VLANs:**
  
-==== Step 5: Limit bandwidth of the connection ==== +  * Most devices only use one VLAN by default (VLAN ID 1). The instructions that follow assume this is the case. Double check before proceeding. 
-This is completely optionalInstall package wshaper+  * VLAN IDs match the virtual interfaces listed by ifconfig, i.e. a VLAN with ID 3 will show as ethX.3 (where X is your real interface, e.g. eth0). 
-''​opkg install wshaper''​+  * VLAN IDs should be identical across all network devices. 
 +  * A port can have three statesOff (not part of a specific VLAN), Untagged (when part of a VLAN), Tagged (when part of two or more VLANs). 
 +  * If a port is part of multiple VLANs, it needs to be set to Tagged in every single VLAN it is part of. 
 +  * Every VLAN should also include the CPU (tagged by default).
  
-Edit ''/​etc/​config/​wshaper'':​+Furthermore,​ for a guest WLAN, only the port(s) connecting a network device to another one should be part of the VLAN. In practice, this means that in a router - access point setup, on each device only the port connecting to the other network device goes into the VLAN.
  
-''​config '​wshaper'​ '​settings'​ +<WRAP center round important 80%> 
-        **option '​network'​ '...'​** +Make sure you have identified the ports correctly. The VLAN definitions use **internal port numbers**. Quite a few devices (e.gthe [[toh:​netgear:​wndr3700|Netgear WNDR3700 v1]]) number their internal ports differently from the numbers on the enclosure! Tagged ports are clearly visible as such in the UI, in the configuration file they're marked by a **t** behind the port number. 
-        ​option '​downlink'​ '​512'​ +</​WRAP>​
-        option '​uplink'​ '​128'​ +
-''​+
  
-For ''​option network '...' ''​ run ''​iwconfig'' ​and find out the interface that is running ​the guest WLAN.+<WRAP center round important 80%> 
 +Creating a new VLAN with port X already part of another VLAN means port X should be set to tagged **in all the existing VLAN(s) it is part ofFailure to do so may render your switch inoperable.** We cannot stress this enough! Only certain switches support ports being untagged in one and tagged in another VLAN at the same time. 
 +</​WRAP>​
  
===New VLAN===
Edit [[doc:uci:network|/etc/config/network]] and define a new VLAN with ID 2 (change it if ID 2 is already taken). Make sure to use the right device name; check your existing VLAN stanza. Do this on every router, switch or AP.

    config switch_vlan
      option device     'switch0'
      option vlan       '2'
      option ports      '3t 5t'
      
Here, internal ports 3 and 5 are part of the VLAN with ID 2, port 5 being the CPU. Both ports are tagged (indicated by the trailing **t**). Make sure port 3 (if you keep it in VLAN 1 as well) is tagged there as well. This is how it looks in LuCI:

{{:media:vlan_example_wndr3700.png?800|}}

:!: **Note how port 3 is now tagged in VLAN 1 as well.** As explained above, you cannot have port X untagged in one VLAN and tagged in another. A port needs to have the same status across all the VLANs it is part of.
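Because a wrong tagging state can lock you out of the switch, it pays to check the ''switch_vlan'' stanzas before committing them. The following is an added example, not OpenWrt's code nor this page's: a Python lint that parses the ''config switch_vlan'' sections of ''/etc/config/network'' and reports a port that is untagged in one VLAN while being a member of another, as well as a VLAN that is missing the CPU port. The sample configuration is constructed to match the WNDR3700 layout above, with the CPU on internal port 5 (the ''cpu_port'' parameter is an assumption you must set for your device).

```python
"""Lint the 'config switch_vlan' sections of /etc/config/network for the two
mistakes this section warns about: a port that is untagged in one VLAN while
it is also a member of another, and a VLAN that does not include the CPU
port. Added example, not OpenWrt code. The sample configuration below is
constructed to match the WNDR3700 layout above (CPU on internal port 5)."""


def parse_switch_vlans(text: str) -> dict:
    """Return {vlan_id: {port_number: tagged}} from 'config switch_vlan' sections."""
    sections, cur = [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":                          # start of any UCI section
            cur = {} if tok[1].strip("'\"") == "switch_vlan" else None
            if cur is not None:
                sections.append(cur)
        elif tok[0] == "option" and cur is not None:    # option inside a switch_vlan section
            cur[tok[1].strip("'\"")] = " ".join(tok[2:]).strip("'\"")
    vlans = {}
    for s in sections:
        # '3t' is port 3 tagged, '3' is port 3 untagged
        vlans[int(s["vlan"])] = {int(p.rstrip("t")): p.endswith("t") for p in s["ports"].split()}
    return vlans


def lint_vlans(vlans: dict, cpu_port: int) -> list:
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    for vid, ports in sorted(vlans.items()):
        if cpu_port not in ports:
            problems.append(f"VLAN {vid}: CPU port {cpu_port} is missing")
    membership = {}                                     # port -> set of VLAN ids it belongs to
    for vid, ports in vlans.items():
        for p in ports:
            membership.setdefault(p, set()).add(vid)
    for p, vids in sorted(membership.items()):
        if len(vids) < 2:
            continue                                    # a port in a single VLAN may stay untagged
        for vid in sorted(vids):
            if not vlans[vid][p]:
                others = ", ".join(str(v) for v in sorted(vids - {vid}))
                problems.append(f"port {p}: untagged in VLAN {vid} but also in VLAN(s) {others}")
    return problems


def check_network_config(text: str, cpu_port: int = 5) -> list:
    """Parse and lint in one go; cpu_port is device specific (5 on the WNDR3700 v1)."""
    return lint_vlans(parse_switch_vlans(text), cpu_port)


# Constructed sample: VLAN 1 as shipped (port 3 untagged) plus the new guest VLAN 2 from above.
BROKEN = """
config switch_vlan
        option device  'switch0'
        option vlan    '1'
        option ports   '0 1 2 3 5t'

config switch_vlan
        option device  'switch0'
        option vlan    '2'
        option ports   '3t 5t'
"""
# The same layout after port 3 has been set to tagged in VLAN 1 as well.
FIXED = BROKEN.replace("'0 1 2 3 5t'", "'0 1 2 3t 5t'")

if __name__ == "__main__":
    print(check_network_config(BROKEN))   # ['port 3: untagged in VLAN 1 but also in VLAN(s) 2']
    print(check_network_config(FIXED))    # []
```

Run it against a copy of the file before ''uci commit'' (or before saving in LuCI) on every device that carries the guest VLAN; an empty result for each device is what you want to see.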
 + 
===New interface===
Add the guest interface to your router just like in [[doc:recipes:guest-wlan#step_1define_a_new_network|step 1]]. The important difference is that, unlike in a single router setup, **we bind the interface to a physical device**: the VLAN interface ''eth0.2''.

    config interface     'guest'
      option ifname      'eth0.2'
      option proto       'static'
      option ipaddr      '10.0.0.1'
      option netmask     '255.255.255.0'

On each //access point// we replicate the same stanza, but with two substantial differences:

  * We add an interface type, namely //bridge// (this puts the VLAN interface ''eth0.2'' and the guest WLAN on the AP in one network);
  * We set a different static IP (typically incremented by one).

Your config on your access point should look like this:

    config interface     'guest'
      option ifname      'eth0.2'
      option type        'bridge'
      option proto       'static'
      option ipaddr      '10.0.0.2'
      option netmask     '255.255.255.0'
      
===Guest WLAN===
Like in [[http://wiki.openwrt.org/doc/recipes/guest-wlan#step_2copy_the_existing_wireless_network|step 2]], replicate the wireless interface config in [[http://wiki.openwrt.org/doc/uci/wireless|/etc/config/wireless]] on each access point. Disable the wireless on all other network devices.

===DHCP, firewall and bandwidth settings===
The modifications above are the only points where a multi-device setup differs from a single-device setup. The DHCP server only runs on the main router, so you do not need to edit any related settings on any switches or access points; do make sure though that the static IPs do not conflict with the DHCP range you set. As for the firewall, you should replicate all stanzas provided above on every network device that runs a firewall.

To cap the bandwidth, you can use tc or wshaper, the latter being more user-friendly. Wshaper also has a LuCI front-end. Keep in mind that wshaper treats upload speed as download and the other way around.
===== Configuration by shell script =====

Here is a script that makes the minimal changes required to set up a guest Wi-Fi network on OpenWrt.

<code bash>
#!/bin/sh

# This is supposed to be run on openwrt

# Written by Stanislav German-Evtushenko, 2014
# Based on http://wiki.openwrt.org/doc/recipes/guest-wlan

# Configure guest network (uci -q: stay quiet if the section does not exist yet)
uci -q delete network.guest
uci set network.guest=interface
uci set network.guest.proto=static
uci set network.guest.ipaddr=192.168.101.21
uci set network.guest.netmask=255.255.255.0

# Configure guest Wi-Fi (open SSID; set encryption=psk2 and key=... for a protected one)
uci -q delete wireless.guest
uci set wireless.guest=wifi-iface
uci set wireless.guest.device=radio0
uci set wireless.guest.mode=ap
uci set wireless.guest.network=guest
uci set wireless.guest.ssid=openwireless.org
uci set wireless.guest.encryption=none

# Configure DHCP for guest network
uci -q delete dhcp.guest
uci set dhcp.guest=dhcp
uci set dhcp.guest.interface=guest
uci set dhcp.guest.start=50
uci set dhcp.guest.limit=200
uci set dhcp.guest.leasetime=1h

# Configure firewall for guest network
## Configure guest zone
uci -q delete firewall.guest_zone
uci set firewall.guest_zone=zone
uci set firewall.guest_zone.name=guest
uci set firewall.guest_zone.network=guest
uci set firewall.guest_zone.input=REJECT
uci set firewall.guest_zone.forward=REJECT
uci set firewall.guest_zone.output=ACCEPT
## Allow Guest -> Internet
uci -q delete firewall.guest_forwarding
uci set firewall.guest_forwarding=forwarding
uci set firewall.guest_forwarding.src=guest
uci set firewall.guest_forwarding.dest=wan
## Allow DNS Guest -> Router
uci -q delete firewall.guest_rule_dns
uci set firewall.guest_rule_dns=rule
uci set firewall.guest_rule_dns.name='Allow DNS Queries'
uci set firewall.guest_rule_dns.src=guest
uci set firewall.guest_rule_dns.dest_port=53
uci set firewall.guest_rule_dns.proto=tcpudp   # tcpudp rather than udp: large answers fall back to TCP
uci set firewall.guest_rule_dns.target=ACCEPT
## Allow DHCP Guest -> Router
uci -q delete firewall.guest_rule_dhcp
uci set firewall.guest_rule_dhcp=rule
uci set firewall.guest_rule_dhcp.name='Allow DHCP request'
uci set firewall.guest_rule_dhcp.src=guest
uci set firewall.guest_rule_dhcp.src_port=68
uci set firewall.guest_rule_dhcp.dest_port=67
uci set firewall.guest_rule_dhcp.proto=udp
uci set firewall.guest_rule_dhcp.target=ACCEPT

uci commit

# Configure wshaper (optional)
opkg update
opkg install wshaper
uci set wshaper.settings=wshaper
uci set wshaper.settings.network=guest
uci set wshaper.settings.downlink=500
uci set wshaper.settings.uplink=2000
## Work around for https://github.com/openwrt/packages/issues/565 (wshaper: settings are not applied on boot)
cat > /etc/hotplug.d/iface/10-wshaper <<'EOF'
#!/bin/sh

[ "$ACTION" = ifup ] && /etc/init.d/wshaper enabled && /etc/init.d/wshaper start || exit 0
EOF

uci commit
</code>
  
===== Apply changes =====

  - Enable the new wireless network<code>/etc/init.d/network restart</code>
  - Restart the firewall<code>/etc/init.d/firewall restart</code>
  - Restart the DHCP service <code>/etc/init.d/dnsmasq restart</code>
  - Start traffic shaping <code>/etc/init.d/wshaper start</code>
  - Make traffic shaping permanent <code>/etc/init.d/wshaper enable</code>

Then verify from a client on the guest SSID that it receives a lease from the guest pool, can resolve names and reach the internet, and cannot reach LAN hosts or the router's SSH and LuCI ports (with the rule sets from step 4a or 4c these connections are refused).

===== HotSpot (Captive Portal) =====

If you want to set up a simple hotspot for your guest WLAN, take a look at [[http://wiki.openwrt.org/doc/howto/wireless.hotspot.nodogsplash|Nodogsplash]] or [[http://wiki.openwrt.org/doc/howto/wireless.hotspot.wifidog|WiFiDog]].
  
===== Troubleshooting =====

        list 'interface' 'guest'
    [..]
 +
doc/recipes/guest-wlan.1352261257.txt.bz2 · Last modified: 2012/11/07 05:07 by uvray313