doc:recipes:guest-wlan

Differences

This shows you the differences between two versions of the page.

doc:recipes:guest-wlan [2012/11/07 05:07]
uvray313 grammar
doc:recipes:guest-wlan [2014/12/12 13:41] (current)
giner add "Configuration by shell script"
Line 9: Line 9:
   * [[http://​jwalanta.blogspot.com/​2012/​03/​multiple-ssid-on-openwrt-with-bandwidth.html|Limiting bandwidth of the guest connection]]   * [[http://​jwalanta.blogspot.com/​2012/​03/​multiple-ssid-on-openwrt-with-bandwidth.html|Limiting bandwidth of the guest connection]]
  
-===== Configuration =====+===== Configuration ​manually ​=====
  
 The changes below assume an OpenWrt default configuration,​ the relevant files are: The changes below assume an OpenWrt default configuration,​ the relevant files are:
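Review bot: the renamed heading ''===== Configuration manually =====''  reads awkwardly beside the ''===== Configuration by shell script ====='' heading added further down this page; ''===== Manual configuration ====='' would be the natural pair. Style only, the content under it is unchanged.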
Line 24: Line 24:
 | ''​%%[..] | ''​%%[..]
 config '​interface'​ '​guest'​ config '​interface'​ '​guest'​
-#       ​option '​type'​ '​bridge'​ 
         option '​proto'​ '​static'​         option '​proto'​ '​static'​
         option '​ipaddr'​ '​10.0.0.1'​         option '​ipaddr'​ '​10.0.0.1'​
Line 39: Line 38:
 | ''​[..] | ''​[..]
 config '​wifi-iface'​ config '​wifi-iface'​
-        **option '​device'​ '...'**+        **option '​device'​ '???'**
         option '​mode'​ '​ap'​         option '​mode'​ '​ap'​
-        option '​network'​ '**guest**+        option '​network'​ '​guest'​ 
-        option '​ssid'​ 'guest'+        option '​ssid'​ '**openwireless.org**'
         option '​encryption'​ '​none'​         option '​encryption'​ '​none'​
 [..]''​ | [..]''​ |
-For ''​option '​device'​ '...' ''​ you should put the device listed in your '​wifi-device'​ section. For example, if your '​wifi-device'​ says ''​config '​wifi-device'​ '​wifi0'​ ''​ then the wifi-iface section should ​say ''​option '​device'​ '​wifi0'​ ''​+For //''​option '​device'​ '???' ''​// you should put the device listed in your '​wifi-device'​ section. For example, if your '​wifi-device'​ says //''​config '​wifi-device'​ '**wifi0**' ''​// then the wifi-iface section should ​be //''​option '​device'​ '**wifi0**' ''​//
  
-**Note:** Your hardware may not be capable of this. For example, open source b43 driver for Broadcome ​hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to [[doc:​howto:​obtain.firmware.generate|build]] the images yourself. ​ --- //sup 2012/05/12 20:22//+**Note:** Your hardware may not be capable of this. For example, open source b43 driver for Broadcom ​hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to [[doc:​howto:​obtain.firmware.generate|build]] the images yourself. ​ --- //sup 2012/05/12 20:22//. Worked with AR71xx + AR9280, Barrier Breaker r41336 (Kernel 3.10.36) 
 + 
 +**Note:** [[http://​openwireless.org|Open Wireless Movement]] //Wireless networks labeled with the SSID "​openwireless.org"​ are shared resources volunteered by a neighbor who is a member of the Open Wireless Movement. This person has generously offered you a portion of their bandwidth. Please be considerate when you use it.//
  
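Review bot: the wifi-iface keeps ''option 'encryption' 'none' '' and now advertises the SSID as an openwireless.org hotspot, but nothing in this section isolates guests from one another; add ''option 'isolate' '1' '' to the wifi-iface so hostapd drops client-to-client traffic on the guest AP, otherwise any device in radio range can talk to every other guest at layer 2 regardless of the firewall rules in Step 4. The added Open Wireless Movement note describes a social promise; what actually confines guests to shared bandwidth and keeps them off the LAN is the zone and rule set in Step 4 plus the shaper in Step 5, so it is worth saying that the SSID name by itself grants and enforces nothing. ''option 'device' '???' '' is a fine placeholder, but the explanation below it still gives ''wifi0'' as the example while the script at the end of this page uses ''radio0'', which is the name mac80211 radios get on current builds; aligning the two avoids confusion.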
 ==== Step 3: Define a new DHCP pool ==== ==== Step 3: Define a new DHCP pool ====
Line 56: Line 57:
 config '​dhcp'​ '​guest'​ config '​dhcp'​ '​guest'​
         option '​interface'​ '​guest'​         option '​interface'​ '​guest'​
-        option '​start'​ '150+        option '​start'​ '50
-        option '​limit'​ '100'+        option '​limit'​ '200'
         option '​leasetime'​ '​1h'​         option '​leasetime'​ '​1h'​
 [..]%%''​ | [..]%%''​ |
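Review bot: with ''start'' 50 and ''limit'' 200 the pool hands out host addresses .50 through .249, which only fits if the guest interface is a /24; the netmask is not visible in this hunk, so check that the ''netmask'' in Step 1 is 255.255.255.0 (the script at the end of this page sets it) and that the router's own address (10.0.0.1 in Step 1) stays outside the pool. The one-hour ''leasetime'' is a sensible choice for a guest segment, since it lets stale clients age out quickly.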
Line 68: Line 69:
 config '​zone'​ config '​zone'​
         option '​name'​ '​guest'​         option '​name'​ '​guest'​
 +        option '​network'​ '​guest'​
         option '​input'​ '​REJECT'​         option '​input'​ '​REJECT'​
         option '​forward'​ '​REJECT'​         option '​forward'​ '​REJECT'​
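Review bot: adding ''option 'network' 'guest' '' to the zone is the right fix, since a zone without ''network'' only matches an interface through the fallback that uses the zone name as the interface name, which breaks silently if either is ever renamed. Note that with ''input'' and ''forward'' both REJECT this zone on its own yields a guest network on which clients get neither a DHCP lease nor DNS; the rules in the following hunks are what open those two services toward the router, so they are not optional.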
Line 80: Line 82:
 # Client DNS queries ordinate from dynamic UDP ports (>​1023) ​ # Client DNS queries ordinate from dynamic UDP ports (>​1023) ​
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DNS Queries'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_port'​ '​53'​         option '​dest_port'​ '​53'​
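Review bot: the comment above the rule should read "originate" rather than "ordinate". The hunk cuts off before the protocol line, so check that the rule sets ''option 'proto' 'tcpudp' '' as the Step 4c version of this rule does: a UDP-only rule drops the TCP retry that resolvers perform when an answer is truncated, which shows up for guests as intermittent lookup failures.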
Line 88: Line 91:
 # DHCP communication uses UDP ports 67-68 # DHCP communication uses UDP ports 67-68
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DHCP request'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​src_port'​ '​67-68'​         option '​src_port'​ '​67-68'​
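Review bot: ''src_port '67-68' '' is wider than the protocol needs. A DHCP client sends from UDP 68 to UDP 67 on the server, so the tighter pair used by the script later on this page (''src_port '68' '' with ''dest_port '67' '') is preferable; the 67-68 range additionally admits guest traffic sourced from port 67, which only a DHCP server would use.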
Line 107: Line 111:
 config '​zone'​ config '​zone'​
         option '​name'​ '​guest'​         option '​name'​ '​guest'​
 +        option '​network'​ '​guest'​
         option '​input'​ '​REJECT'​         option '​input'​ '​REJECT'​
         option '​forward'​ '​REJECT'​         option '​forward'​ '​REJECT'​
Line 113: Line 118:
 # Quick rule to allow SSH in # Quick rule to allow SSH in
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow SSH in'
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_port'​ '​22'​         option '​dest_port'​ '​22'​
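Review bot: this rule opens the router's SSH port to the guest zone, which on an open SSID means anyone in radio range can reach dropbear's login prompt. If it is needed during setup, remove it afterwards, or narrow it with ''option 'src_mac' '' or ''option 'src_ip' '' to the administrator's device; an alternative is to bind dropbear to the LAN only with ''option Interface 'lan' '' in ''/etc/config/dropbear''. The "Quick rule" comment should at least say that the rule is temporary.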
Line 120: Line 126:
 # Allow DNS Guest -> Router # Allow DNS Guest -> Router
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DNS Queries'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_port'​ '​53'​         option '​dest_port'​ '​53'​
Line 127: Line 134:
 # Allow DHCP Guest -> Router # Allow DHCP Guest -> Router
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DHCP request'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​src_port'​ '​67-68'​         option '​src_port'​ '​67-68'​
Line 135: Line 143:
 # Allow only specific source MAC addresses out to the WAN # Allow only specific source MAC addresses out to the WAN
 config '​rule'​ config '​rule'​
-        option '_name' '​Nintendo DS'+        option 'name' 'Allow my Nintendo DS'
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest'​ '​wan'​         option '​dest'​ '​wan'​
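Review bot: changing ''_name'' to ''name'' is the correct fix; ''_name'' was only a LuCI display label that the firewall did not interpret, so the rule was applied without a recognisable name in the generated ruleset. Separately, a source-MAC allow rule is a convenience filter, not an access control: on an open network the permitted MAC address is visible over the air to any observer and can be set on another device, so it should not be relied on to keep unknown guests off the WAN.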
Line 144: Line 152:
 # Drop broadcast traffic, it just fills the logs :) # Drop broadcast traffic, it just fills the logs :)
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Drop guest broadcast'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_ip'​ '​172.16.62.255'​         option '​dest_ip'​ '​172.16.62.255'​
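Review bot: ''dest_ip '172.16.62.255' '' does not belong to the guest subnet used elsewhere on this page (10.0.0.1 in Step 1, 192.168.101.21 in the script), so as written the rule never matches and the broadcasts it is meant to silence keep hitting the zone's REJECT and the log. Use the broadcast address of the guest network actually configured in Step 1 (10.0.0.255 for 10.0.0.1 with a 255.255.255.0 netmask).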
Line 150: Line 159:
 # Another explicit deny at the end. # Another explicit deny at the end.
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Deny guest -> WAN'
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest'​ '​wan'​         option '​dest'​ '​wan'​
Line 156: Line 166:
  
 [..]%%''​ | [..]%%''​ |
 +
 +==== Step 4c: Block everything, but http and https ====
 +
 +In this configuration I shared my guest SSID, but only provide http and https connections,​ and isolate GUEST network from LAN network.
 +
 +Edit ''/​etc/​config/​firewall'',​ remove any //'​guest'//​ configurations and add new zone section covering the '​guest'​ interface, allow SSH, DNS and DHCP to guests, and http and https to the outside world, then block the rest.
 +
 +| ''​%%[..]
 +config zone                                     
 +        option name '​guest' ​                
 +        option network '​guest' ​             ​
 +        option forward '​REJECT' ​            
 +        option output '​ACCEPT' ​             ​
 +        option input '​REJECT'​
 +         
 +config forwarding ​                              
 +        option src '​guest' ​                 ​
 +        option dest '​wan'​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option src_port '​67-68' ​                
 +        option dest_port '​67-68' ​               ​
 +        option proto '​udp' ​                     ​
 +        option target '​ACCEPT' ​                 ​
 +        option name 'Allow DHCP request' ​       ​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option dest_port '​53' ​                  
 +        option proto '​tcpudp' ​                  
 +        option target '​ACCEPT' ​                 ​
 +        option name 'Allow DNS Queries' ​        
 +
 +config rule                                     
 +        option src '​guest' ​                             ​
 +        option target '​DROP' ​                   ​
 +        option name 'Deny Access to router' ​   ​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option dest '​lan' ​                      
 +        option name 'Deny Guest -> LAN' ​       ​
 +        option proto '​all' ​                     ​
 +        option target '​DROP' ​                   ​
 +
 +config rule                                     
 +        option target '​ACCEPT' ​                 ​
 +        option src '​guest' ​                     ​
 +        option dest '​wan' ​                      
 +        option name 'Allow Guest -> WAN http' ​     ​
 +        option proto '​tcp' ​                     ​
 +        option dest_port '​80' ​                  
 +
 +config rule                                 
 +        option target '​ACCEPT' ​             ​
 +        option src '​guest' ​                 ​
 +        option dest '​wan' ​                     ​
 +        option name 'Allow Guest -> WAN https'  ​
 +        option proto '​tcp' ​                 ​
 +        option dest_port '​443'​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option dest '​wan' ​                      
 +        option name 'Deny Guest -> WAN' ​
 +        option proto '​all' ​                 ​
 +        option target '​DROP'​
 +
 +[..]%%''​ |
 +
 + --- //senomoto 2014/06/26 22:01//
  
 ==== Step 5: Limit bandwidth of the connection ==== ==== Step 5: Limit bandwidth of the connection ====
-This is completely optional. Install package wshaper:+This is completely optional, but advised. Install package wshaper:
 ''​opkg install wshaper''​ ''​opkg install wshaper''​
  
 Edit ''/​etc/​config/​wshaper'':​ Edit ''/​etc/​config/​wshaper'':​
  
-''​config ​'wshaper' ​'​settings'​ +''​config wshaper '​settings'​ 
-        **option ​'network'​ '...'** + option network 'guest
-        option ​'downlink' ​'512+ option downlink '64
-        option ​'uplink' ​'128'+ option uplink '512'
 ''​ ''​
  
-For ''​option network ​'...' '' ​run ''​iwconfig'' ​and find out the interface ​that is running ​the guest WLAN.+**Note:​** ​''​downlink'' and ''​uplink''​ options are maximal limits, but in practice the speed will be slightly lower as wshaper also tries to prioritize traffic (so that the network stays responsive even when someone downloads a huge file - there are also wshaper options that can control this)The units are kbits. 
 + 
 +**Also note:** The ''​downlink'' ​and ''​uplink'' limits are //​reversed//​ from what one might expect, as the data is flowing in the opposite direction from wshaper'​s usual (wan) interface
 + 
 +===== Configuration by shell script ===== 
 + 
 +Here is the script that makes minimal changes required to setup guest wifi network on openwrt. 
 + 
 +<code bash> 
 +#!/bin/sh 
 + 
 +# This is supposed to be run on openwrt 
 + 
 +# Written by Stanislav German-Evtushenko,​ 2014 
 +# Based on http://​wiki.openwrt.org/​doc/​recipes/​guest-wlan 
 + 
 +# Configure guest network 
 +uci delete network.guest 
 +uci set network.guest=interface 
 +uci set network.guest.proto=static 
 +uci set network.guest.ipaddr=192.168.101.21 
 +uci set network.guest.netmask=255.255.255.0 
 + 
 +# Configure guest Wi-Fi 
 +uci delete wireless.guest 
 +uci set wireless.guest=wifi-iface 
 +uci set wireless.guest.device=radio0 
 +uci set wireless.guest.mode=ap 
 +uci set wireless.guest.network=guest 
 +uci set wireless.guest.ssid=openwireless.org 
 +uci set wireless.guest.encryption=none 
 + 
 +# Configure DHCP for guest network 
 +uci delete dhcp.guest 
 +uci set dhcp.guest=dhcp 
 +uci set dhcp.guest.interface=guest 
 +uci set dhcp.guest.start=50 
 +uci set dhcp.guest.limit=200 
 +uci set dhcp.guest.leasetime=1h 
 + 
 +# Configure firewall for guest network 
 +## Configure guest zone 
 +uci delete firewall.guest_zone 
 +uci set firewall.guest_zone=zone 
 +uci set firewall.guest_zone.name=guest 
 +uci set firewall.guest_zone.network=guest 
 +uci set firewall.guest_zone.input=REJECT 
 +uci set firewall.guest_zone.forward=REJECT 
 +uci set firewall.guest_zone.output=ACCEPT 
 +## Allow Guest -> Internet 
 +uci delete firewall.guest_forwarding 
 +uci set firewall.guest_forwarding=forwarding 
 +uci set firewall.guest_forwarding.src=guest 
 +uci set firewall.guest_forwarding.dest=wan 
 +## Allow DNS Guest -> Router 
 +uci delete firewall.guest_rule_dns 
 +uci set firewall.guest_rule_dns=rule 
 +uci set firewall.guest_rule_dns.name='​Allow DNS Queries'​ 
 +uci set firewall.guest_rule_dns.src=guest 
 +uci set firewall.guest_rule_dns.dest_port=53 
 +uci set firewall.guest_rule_dns.proto=udp 
 +uci set firewall.guest_rule_dns.target=ACCEPT 
 +## Allow DHCP Guest -> Router 
 +uci delete firewall.guest_rule_dhcp 
 +uci set firewall.guest_rule_dhcp=rule 
 +uci set firewall.guest_rule_dhcp.name='​Allow DHCP request'​ 
 +uci set firewall.guest_rule_dhcp.src=guest 
 +uci set firewall.guest_rule_dhcp.src_port=68 
 +uci set firewall.guest_rule_dhcp.dest_port=67 
 +uci set firewall.guest_rule_dhcp.proto=udp 
 +uci set firewall.guest_rule_dhcp.target=ACCEPT 
 + 
 +uci commit 
 + 
 +# Configure wshaper (optional) 
 +opkg update 
 +opkg install wshaper 
 +uci set wshaper.settings=wshaper 
 +uci set wshaper.settings.network=guest 
 +uci set wshaper.settings.downlink=500 
 +uci set wshaper.settings.uplink=2000 
 +## Work around for https://​github.com/​openwrt/​packages/​issues/​565 (wshaper: settings are not applied on boot) 
 +echo -e '#​!/​bin/​sh\n\n[ "​$ACTION"​ = ifup ] && /​etc/​init.d/​wshaper enabled && /​etc/​init.d/​wshaper start || exit 0' > /​etc/​hotplug.d/​iface/​10-wshaper
  
-**Note:** ''​downlink''​ and ''​uplink''​ options are maximal limits, but in practice the speed will be lower as wshaper also tries to prioritize traffic (so that the network stays responsive evene when someone downloads a huge file). The units are kbits.+uci commit 
 +</​code>​
  
 ===== Apply changes ===== ===== Apply changes =====
  
-  - Enable the new wireless network<​code>​wifi</​code>​+  - Enable the new wireless network<​code>​/​etc/​init.d/​network restart</​code>​
   - Restart the firewall<​code>/​etc/​init.d/​firewall restart</​code>​   - Restart the firewall<​code>/​etc/​init.d/​firewall restart</​code>​
   - Restart the DHCP service <​code>/​etc/​init.d/​dnsmasq restart</​code>​   - Restart the DHCP service <​code>/​etc/​init.d/​dnsmasq restart</​code>​
   - Start traffic shaping <​code>/​etc/​init.d/​wshaper start</​code>​   - Start traffic shaping <​code>/​etc/​init.d/​wshaper start</​code>​
   - Make traffic shaping permanent <​code>/​etc/​init.d/​wshaper enable</​code>​   - Make traffic shaping permanent <​code>/​etc/​init.d/​wshaper enable</​code>​
 +
 +===== HotSpot (Captive Portal)=====
 +
 +If you want to setup a simple Hotspot for your guest WLAN, take a look at [[http://​wiki.openwrt.org/​doc/​howto/​wireless.hotspot.nodogsplash|Nodogsplash]] or [[http://​wiki.openwrt.org/​doc/​howto/​wireless.hotspot.wifidog|WiFiDog]].
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
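Review bot: in the shell script the DNS rule sets ''proto=udp'' only, whereas the manual sections use ''tcpudp''; make it ''uci set firewall.guest_rule_dns.proto=tcpudp'' so the TCP retry after a truncated UDP answer is not dropped. The hotplug workaround restarts wshaper on every interface's ifup, not just the guest one, because it checks only ''$ACTION''; add ''[ "$INTERFACE" = guest ]'' to the condition (netifd sets that variable for ''/etc/hotplug.d/iface'' scripts) so a WAN reconnect does not reset the shaper. Like the manual wifi-iface, the script creates an open AP without ''uci set wireless.guest.isolate=1'', so guests can still reach each other at layer 2 even though the zone rejects forwarding to the LAN. In Step 4c the "only http and https" policy works because fw3 evaluates ''rule'' sections in file order and ahead of the accept that the ''forwarding'' section generates, so the trailing ''Deny Guest -> WAN'' DROP must remain the last rule and the two ACCEPT rules must stay above it; it also means guests cannot use an outside resolver and must go through the router's dnsmasq, which is fine but worth stating next to the config. Finally, the ''uci delete'' calls print "Entry not found" on a fresh box and continue, so the script can be rerun safely, and nothing reaches the config files until the ''uci commit'' lines.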
Line 191: Line 360:
         list '​interface'​ '​guest'​         list '​interface'​ '​guest'​
 [..]''​ | [..]''​ |
 +
doc/recipes/guest-wlan.1352261257.txt.bz2 · Last modified: 2012/11/07 05:07 by uvray313