doc:recipes:guest-wlan

doc:recipes:guest-wlan [2014/02/26 20:15]
valentt missing interface
doc:recipes:guest-wlan [2014/12/12 13:41] (current)
giner add "Configuration by shell script"
Line 9: Line 9:
   * [[http://​jwalanta.blogspot.com/​2012/​03/​multiple-ssid-on-openwrt-with-bandwidth.html|Limiting bandwidth of the guest connection]]   * [[http://​jwalanta.blogspot.com/​2012/​03/​multiple-ssid-on-openwrt-with-bandwidth.html|Limiting bandwidth of the guest connection]]
  
-===== Configuration =====+===== Configuration ​manually ​=====
  
 The changes below assume an OpenWrt default configuration,​ the relevant files are: The changes below assume an OpenWrt default configuration,​ the relevant files are:
Line 24: Line 24:
 | ''​%%[..] | ''​%%[..]
 config '​interface'​ '​guest'​ config '​interface'​ '​guest'​
-#       ​option '​type'​ '​bridge'​ 
-        option '​iface'​ '​wlan0'​ 
         option '​proto'​ '​static'​         option '​proto'​ '​static'​
         option '​ipaddr'​ '​10.0.0.1'​         option '​ipaddr'​ '​10.0.0.1'​
Line 40: Line 38:
 | ''​[..] | ''​[..]
 config '​wifi-iface'​ config '​wifi-iface'​
-        **option '​device'​ '...'**+        **option '​device'​ '???'**
         option '​mode'​ '​ap'​         option '​mode'​ '​ap'​
-        option '​network'​ '**guest**+        option '​network'​ '​guest'​ 
-        option '​ssid'​ 'guest'+        option '​ssid'​ '**openwireless.org**'
         option '​encryption'​ '​none'​         option '​encryption'​ '​none'​
 [..]''​ | [..]''​ |
-For ''​option '​device'​ '...' ''​ you should put the device listed in your '​wifi-device'​ section. For example, if your '​wifi-device'​ says ''​config '​wifi-device'​ '​wifi0'​ ''​ then the wifi-iface section should ​say ''​option '​device'​ '​wifi0'​ ''​+For //''​option '​device'​ '???' ''​// you should put the device listed in your '​wifi-device'​ section. For example, if your '​wifi-device'​ says //''​config '​wifi-device'​ '**wifi0**' ''​// then the wifi-iface section should ​be //''​option '​device'​ '**wifi0**' ''​//
  
-**Note:** Your hardware may not be capable of this. For example, open source b43 driver for Broadcome ​hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to [[doc:​howto:​obtain.firmware.generate|build]] the images yourself. ​ --- //sup 2012/05/12 20:22//+**Note:** Your hardware may not be capable of this. For example, open source b43 driver for Broadcom ​hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to [[doc:​howto:​obtain.firmware.generate|build]] the images yourself. ​ --- //sup 2012/05/12 20:22//. Worked with AR71xx + AR9280, Barrier Breaker r41336 (Kernel 3.10.36) 
 + 
 +**Note:** [[http://​openwireless.org|Open Wireless Movement]] //Wireless networks labeled with the SSID "​openwireless.org"​ are shared resources volunteered by a neighbor who is a member of the Open Wireless Movement. This person has generously offered you a portion of their bandwidth. Please be considerate when you use it.//
  
 ==== Step 3: Define a new DHCP pool ==== ==== Step 3: Define a new DHCP pool ====
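Review bot: The wifi-iface keeps `option 'encryption' 'none'` while the new text advertises the SSID to strangers, and nothing visible isolates guest clients from one another: on an open network every client can capture the others' frames and reach them directly at layer 2, without ever traversing the router firewall that the later steps configure. Consider adding `option 'isolate' '1'` to this wifi-iface so the AP drops client-to-client traffic (support depends on the driver; the section is elided at the `[..]`, so confirm the option is not already present). The openwireless.org note should also state that guests presumably share the router's public address once NATed to WAN, so abuse from the guest SSID is attributable to the operator, which is why the firewall and rate-limit steps below are not optional.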
Line 57: Line 57:
 config '​dhcp'​ '​guest'​ config '​dhcp'​ '​guest'​
         option '​interface'​ '​guest'​         option '​interface'​ '​guest'​
-        option '​start'​ '150+        option '​start'​ '50
-        option '​limit'​ '100'+        option '​limit'​ '200'
         option '​leasetime'​ '​1h'​         option '​leasetime'​ '​1h'​
 [..]%%''​ | [..]%%''​ |
Line 69: Line 69:
 config '​zone'​ config '​zone'​
         option '​name'​ '​guest'​         option '​name'​ '​guest'​
 +        option '​network'​ '​guest'​
         option '​input'​ '​REJECT'​         option '​input'​ '​REJECT'​
         option '​forward'​ '​REJECT'​         option '​forward'​ '​REJECT'​
Line 81: Line 82:
 # Client DNS queries ordinate from dynamic UDP ports (>​1023) ​ # Client DNS queries ordinate from dynamic UDP ports (>​1023) ​
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DNS Queries'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_port'​ '​53'​         option '​dest_port'​ '​53'​
Line 89: Line 91:
 # DHCP communication uses UDP ports 67-68 # DHCP communication uses UDP ports 67-68
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DHCP request'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​src_port'​ '​67-68'​         option '​src_port'​ '​67-68'​
Line 108: Line 111:
 config '​zone'​ config '​zone'​
         option '​name'​ '​guest'​         option '​name'​ '​guest'​
 +        option '​network'​ '​guest'​
         option '​input'​ '​REJECT'​         option '​input'​ '​REJECT'​
         option '​forward'​ '​REJECT'​         option '​forward'​ '​REJECT'​
Line 114: Line 118:
 # Quick rule to allow SSH in # Quick rule to allow SSH in
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow SSH in'
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_port'​ '​22'​         option '​dest_port'​ '​22'​
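Review bot: The rule named `Allow SSH in` opens the router's management port (`dest_port` 22) to the guest zone, so anyone who joins the open guest SSID can reach dropbear on the router; for a guest network that is the opposite of least privilege. Unless administering the router from the guest network is a deliberate requirement, drop this rule entirely (the zone's `input REJECT` already blocks it) or at least pin it with `option 'src_ip'` to a known management host. The rule's `target` line lies outside the hunk, so confirm it is in fact ACCEPT before relying on this reading.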
Line 121: Line 126:
 # Allow DNS Guest -> Router # Allow DNS Guest -> Router
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DNS Queries'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_port'​ '​53'​         option '​dest_port'​ '​53'​
Line 128: Line 134:
 # Allow DHCP Guest -> Router # Allow DHCP Guest -> Router
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DHCP request'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​src_port'​ '​67-68'​         option '​src_port'​ '​67-68'​
Line 136: Line 143:
 # Allow only specific source MAC addresses out to the WAN # Allow only specific source MAC addresses out to the WAN
 config '​rule'​ config '​rule'​
-        option '_name' '​Nintendo DS'+        option 'name' 'Allow my Nintendo DS'
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest'​ '​wan'​         option '​dest'​ '​wan'​
Line 145: Line 152:
 # Drop broadcast traffic, it just fills the logs :) # Drop broadcast traffic, it just fills the logs :)
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Drop guest broadcast'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_ip'​ '​172.16.62.255'​         option '​dest_ip'​ '​172.16.62.255'​
Line 151: Line 159:
 # Another explicit deny at the end. # Another explicit deny at the end.
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Deny guest -> WAN'
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest'​ '​wan'​         option '​dest'​ '​wan'​
Line 157: Line 166:
  
 [..]%%''​ | [..]%%''​ |
 +
 +==== Step 4c: Block everything, but http and https ====
 +
 +In this configuration I shared my guest SSID, but only provide http and https connections,​ and isolate GUEST network from LAN network.
 +
 +Edit ''/​etc/​config/​firewall'',​ remove any //'​guest'//​ configurations and add new zone section covering the '​guest'​ interface, allow SSH, DNS and DHCP to guests, and http and https to the outside world, then block the rest.
 +
 +| ''​%%[..]
 +config zone                                     
 +        option name '​guest' ​                
 +        option network '​guest' ​             ​
 +        option forward '​REJECT' ​            
 +        option output '​ACCEPT' ​             ​
 +        option input '​REJECT'​
 +         
 +config forwarding ​                              
 +        option src '​guest' ​                 ​
 +        option dest '​wan'​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option src_port '​67-68' ​                
 +        option dest_port '​67-68' ​               ​
 +        option proto '​udp' ​                     ​
 +        option target '​ACCEPT' ​                 ​
 +        option name 'Allow DHCP request' ​       ​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option dest_port '​53' ​                  
 +        option proto '​tcpudp' ​                  
 +        option target '​ACCEPT' ​                 ​
 +        option name 'Allow DNS Queries' ​        
 +
 +config rule                                     
 +        option src '​guest' ​                             ​
 +        option target '​DROP' ​                   ​
 +        option name 'Deny Access to router' ​   ​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option dest '​lan' ​                      
 +        option name 'Deny Guest -> LAN' ​       ​
 +        option proto '​all' ​                     ​
 +        option target '​DROP' ​                   ​
 +
 +config rule                                     
 +        option target '​ACCEPT' ​                 ​
 +        option src '​guest' ​                     ​
 +        option dest '​wan' ​                      
 +        option name 'Allow Guest -> WAN http' ​     ​
 +        option proto '​tcp' ​                     ​
 +        option dest_port '​80' ​                  
 +
 +config rule                                 
 +        option target '​ACCEPT' ​             ​
 +        option src '​guest' ​                 ​
 +        option dest '​wan' ​                     ​
 +        option name 'Allow Guest -> WAN https'  ​
 +        option proto '​tcp' ​                 ​
 +        option dest_port '​443'​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option dest '​wan' ​                      
 +        option name 'Deny Guest -> WAN' ​
 +        option proto '​all' ​                 ​
 +        option target '​DROP'​
 +
 +[..]%%''​ |
 +
 + --- //senomoto 2014/06/26 22:01//
  
 ==== Step 5: Limit bandwidth of the connection ==== ==== Step 5: Limit bandwidth of the connection ====
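Review bot: The Step 4c text says it allows "SSH, DNS and DHCP to guests", but the configuration contains no SSH rule — the `Deny Access to router` DROP catches port 22 along with everything else — and that is the safer behaviour, so the prose should read `allow DNS and DHCP to guests` rather than an SSH rule being added. Since fw3 processes `config rule` entries ahead of zone forwardings (verify on your release), the `config forwarding` from guest to wan is never reached once the trailing `Deny Guest -> WAN` DROP is in place; keeping either the forwarding or the DROP, not both, avoids two places that must agree. Limiting guests to TCP 80/443 is a port filter, not a content control — anything can be tunnelled over 443 — and the DNS rule lets guests reach port 53 on any router address, LAN side included, which is fine with dnsmasq but worth stating. The `Deny Guest -> LAN` DROP duplicates the zone's `forward REJECT`, which is harmless as defence in depth.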
Line 173: Line 254:
  
 **Also note:** The ''​downlink''​ and ''​uplink''​ limits are //​reversed//​ from what one might expect, as the data is flowing in the opposite direction from wshaper'​s usual (wan) interface. **Also note:** The ''​downlink''​ and ''​uplink''​ limits are //​reversed//​ from what one might expect, as the data is flowing in the opposite direction from wshaper'​s usual (wan) interface.
 +
 +===== Configuration by shell script =====
 +
 +Here is the script that makes minimal changes required to setup guest wifi network on openwrt.
 +
 +<code bash>
 +#!/bin/sh
 +
 +# This is supposed to be run on openwrt
 +
 +# Written by Stanislav German-Evtushenko,​ 2014
 +# Based on http://​wiki.openwrt.org/​doc/​recipes/​guest-wlan
 +
 +# Configure guest network
 +uci delete network.guest
 +uci set network.guest=interface
 +uci set network.guest.proto=static
 +uci set network.guest.ipaddr=192.168.101.21
 +uci set network.guest.netmask=255.255.255.0
 +
 +# Configure guest Wi-Fi
 +uci delete wireless.guest
 +uci set wireless.guest=wifi-iface
 +uci set wireless.guest.device=radio0
 +uci set wireless.guest.mode=ap
 +uci set wireless.guest.network=guest
 +uci set wireless.guest.ssid=openwireless.org
 +uci set wireless.guest.encryption=none
 +
 +# Configure DHCP for guest network
 +uci delete dhcp.guest
 +uci set dhcp.guest=dhcp
 +uci set dhcp.guest.interface=guest
 +uci set dhcp.guest.start=50
 +uci set dhcp.guest.limit=200
 +uci set dhcp.guest.leasetime=1h
 +
 +# Configure firewall for guest network
 +## Configure guest zone
 +uci delete firewall.guest_zone
 +uci set firewall.guest_zone=zone
 +uci set firewall.guest_zone.name=guest
 +uci set firewall.guest_zone.network=guest
 +uci set firewall.guest_zone.input=REJECT
 +uci set firewall.guest_zone.forward=REJECT
 +uci set firewall.guest_zone.output=ACCEPT
 +## Allow Guest -> Internet
 +uci delete firewall.guest_forwarding
 +uci set firewall.guest_forwarding=forwarding
 +uci set firewall.guest_forwarding.src=guest
 +uci set firewall.guest_forwarding.dest=wan
 +## Allow DNS Guest -> Router
 +uci delete firewall.guest_rule_dns
 +uci set firewall.guest_rule_dns=rule
 +uci set firewall.guest_rule_dns.name='​Allow DNS Queries'​
 +uci set firewall.guest_rule_dns.src=guest
 +uci set firewall.guest_rule_dns.dest_port=53
 +uci set firewall.guest_rule_dns.proto=udp
 +uci set firewall.guest_rule_dns.target=ACCEPT
 +## Allow DHCP Guest -> Router
 +uci delete firewall.guest_rule_dhcp
 +uci set firewall.guest_rule_dhcp=rule
 +uci set firewall.guest_rule_dhcp.name='​Allow DHCP request'​
 +uci set firewall.guest_rule_dhcp.src=guest
 +uci set firewall.guest_rule_dhcp.src_port=68
 +uci set firewall.guest_rule_dhcp.dest_port=67
 +uci set firewall.guest_rule_dhcp.proto=udp
 +uci set firewall.guest_rule_dhcp.target=ACCEPT
 +
 +uci commit
 +
 +# Configure wshaper (optional)
 +opkg update
 +opkg install wshaper
 +uci set wshaper.settings=wshaper
 +uci set wshaper.settings.network=guest
 +uci set wshaper.settings.downlink=500
 +uci set wshaper.settings.uplink=2000
 +## Work around for https://​github.com/​openwrt/​packages/​issues/​565 (wshaper: settings are not applied on boot)
 +echo -e '#​!/​bin/​sh\n\n[ "​$ACTION"​ = ifup ] && /​etc/​init.d/​wshaper enabled && /​etc/​init.d/​wshaper start || exit 0' > /​etc/​hotplug.d/​iface/​10-wshaper
 +
 +uci commit
 +</​code>​
  
 ===== Apply changes ===== ===== Apply changes =====
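Review bot: The script's DNS rule sets `proto=udp` only, whereas the manual recipe above uses `tcpudp`; guests whose resolvers retry over TCP after a truncated answer (DNSSEC, large responses) will fail intermittently, so change it to `uci set firewall.guest_rule_dns.proto=tcpudp`. The script also configures `encryption=none` with no AP isolation; adding `uci set wireless.guest.isolate=1` after the encryption line keeps guest clients from reaching each other at layer 2 where the driver supports it. There is no error handling: without `set -e` a failed `opkg install wshaper` leaves the later `uci set wshaper.*` lines either erroring or writing settings for a package that is not installed, and the hotplug script written via `echo -e` restarts wshaper on every interface ifup, not only the guest one. The first `uci commit` runs before those optional steps, so the network, wireless, DHCP and firewall changes do land regardless.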
Line 196: Line 360:
         list '​interface'​ '​guest'​         list '​interface'​ '​guest'​
 [..]''​ | [..]''​ |
 +