

doc:recipes:guest-wlan

doc:recipes:guest-wlan [2014/02/26 20:15]
valentt missing interface
doc:recipes:guest-wlan [2014/07/31 12:08] (current)
kronick network and ssid names swapped
Line 24: Line 24:
 | ''​%%[..] | ''​%%[..]
 config '​interface'​ '​guest'​ config '​interface'​ '​guest'​
-#       ​option '​type'​ '​bridge'​ 
-        option '​iface'​ '​wlan0'​ 
         option '​proto'​ '​static'​         option '​proto'​ '​static'​
         option '​ipaddr'​ '​10.0.0.1'​         option '​ipaddr'​ '​10.0.0.1'​
Line 40: Line 38:
 | ''​[..] | ''​[..]
 config '​wifi-iface'​ config '​wifi-iface'​
-        **option '​device'​ '...'**+        **option '​device'​ '???'**
         option '​mode'​ '​ap'​         option '​mode'​ '​ap'​
-        option '​network'​ '**guest**+        option '​network'​ '​guest'​ 
-        option '​ssid'​ 'guest'+        option '​ssid'​ '**openwireless.org**'
         option '​encryption'​ '​none'​         option '​encryption'​ '​none'​
 [..]''​ | [..]''​ |
-For ''​option '​device'​ '...' ''​ you should put the device listed in your '​wifi-device'​ section. For example, if your '​wifi-device'​ says ''​config '​wifi-device'​ '​wifi0'​ ''​ then the wifi-iface section should ​say ''​option '​device'​ '​wifi0'​ ''​+For //''​option '​device'​ '???' ''​// you should put the device listed in your '​wifi-device'​ section. For example, if your '​wifi-device'​ says //''​config '​wifi-device'​ '**wifi0**' ''​// then the wifi-iface section should ​be //''​option '​device'​ '**wifi0**' ''​//
  
-**Note:** Your hardware may not be capable of this. For example, open source b43 driver for Broadcome ​hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to [[doc:​howto:​obtain.firmware.generate|build]] the images yourself. ​ --- //sup 2012/05/12 20:22//+**Note:** Your hardware may not be capable of this. For example, open source b43 driver for Broadcom ​hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to [[doc:​howto:​obtain.firmware.generate|build]] the images yourself. ​ --- //sup 2012/05/12 20:22//. Worked with AR71xx + AR9280, Barrier Breaker r41336 (Kernel 3.10.36) 
 + 
 +**Note:** [[http://​openwireless.org|Open Wireless Movement]] //Wireless networks labeled with the SSID "​openwireless.org"​ are shared resources volunteered by a neighbor who is a member of the Open Wireless Movement. This person has generously offered you a portion of their bandwidth. Please be considerate when you use it.//
  
 ==== Step 3: Define a new DHCP pool ==== ==== Step 3: Define a new DHCP pool ====
Line 57: Line 57:
 config '​dhcp'​ '​guest'​ config '​dhcp'​ '​guest'​
         option '​interface'​ '​guest'​         option '​interface'​ '​guest'​
-        option '​start'​ '150+        option '​start'​ '50
-        option '​limit'​ '100'+        option '​limit'​ '200'
         option '​leasetime'​ '​1h'​         option '​leasetime'​ '​1h'​
 [..]%%''​ | [..]%%''​ |
Line 69: Line 69:
 config '​zone'​ config '​zone'​
         option '​name'​ '​guest'​         option '​name'​ '​guest'​
 +        option '​network'​ '​guest'​
         option '​input'​ '​REJECT'​         option '​input'​ '​REJECT'​
         option '​forward'​ '​REJECT'​         option '​forward'​ '​REJECT'​
Line 81: Line 82:
 # Client DNS queries ordinate from dynamic UDP ports (>​1023) ​ # Client DNS queries ordinate from dynamic UDP ports (>​1023) ​
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DNS Queries'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_port'​ '​53'​         option '​dest_port'​ '​53'​
Line 89: Line 91:
 # DHCP communication uses UDP ports 67-68 # DHCP communication uses UDP ports 67-68
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DHCP request'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​src_port'​ '​67-68'​         option '​src_port'​ '​67-68'​
Line 108: Line 111:
 config '​zone'​ config '​zone'​
         option '​name'​ '​guest'​         option '​name'​ '​guest'​
 +        option '​network'​ '​guest'​
         option '​input'​ '​REJECT'​         option '​input'​ '​REJECT'​
         option '​forward'​ '​REJECT'​         option '​forward'​ '​REJECT'​
Line 114: Line 118:
 # Quick rule to allow SSH in # Quick rule to allow SSH in
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow SSH in'
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_port'​ '​22'​         option '​dest_port'​ '​22'​
Line 121: Line 126:
 # Allow DNS Guest -> Router # Allow DNS Guest -> Router
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DNS Queries'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_port'​ '​53'​         option '​dest_port'​ '​53'​
Line 128: Line 134:
 # Allow DHCP Guest -> Router # Allow DHCP Guest -> Router
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Allow DHCP request'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​src_port'​ '​67-68'​         option '​src_port'​ '​67-68'​
Line 136: Line 143:
 # Allow only specific source MAC addresses out to the WAN # Allow only specific source MAC addresses out to the WAN
 config '​rule'​ config '​rule'​
-        option '_name' '​Nintendo DS'+        option 'name' 'Allow my Nintendo DS'
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest'​ '​wan'​         option '​dest'​ '​wan'​
Line 145: Line 152:
 # Drop broadcast traffic, it just fills the logs :) # Drop broadcast traffic, it just fills the logs :)
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Drop guest broadcast'​
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest_ip'​ '​172.16.62.255'​         option '​dest_ip'​ '​172.16.62.255'​
Line 151: Line 159:
 # Another explicit deny at the end. # Another explicit deny at the end.
 config '​rule'​ config '​rule'​
 +        option '​name'​ 'Deny guest -> WAN'
         option '​src'​ '​guest'​         option '​src'​ '​guest'​
         option '​dest'​ '​wan'​         option '​dest'​ '​wan'​
Line 157: Line 166:
  
 [..]%%''​ | [..]%%''​ |
 +
 +==== Step 4c: Block everything, but http and https ====
 +
 +In this configuration I shared my guest SSID, but only provide http and https connections,​ and isolate GUEST network from LAN network.
 +
 +Edit ''/​etc/​config/​firewall'',​ remove any //'​guest'//​ configurations and add new zone section covering the '​guest'​ interface, allow SSH, DNS and DHCP to guests, and http and https to the outside world, then block the rest.
 +
 +| ''​%%[..]
 +config zone                                     
 +        option name '​guest' ​                
 +        option network '​guest' ​             ​
 +        option forward '​REJECT' ​            
 +        option output '​ACCEPT' ​             ​
 +        option input '​REJECT'​
 +         
 +config forwarding ​                              
 +        option src '​guest' ​                 ​
 +        option dest '​wan'​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option src_port '​67-68' ​                
 +        option dest_port '​67-68' ​               ​
 +        option proto '​udp' ​                     ​
 +        option target '​ACCEPT' ​                 ​
 +        option name 'Allow DHCP request' ​       ​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option dest_port '​53' ​                  
 +        option proto '​tcpudp' ​                  
 +        option target '​ACCEPT' ​                 ​
 +        option name 'Allow DNS Queries' ​        
 +
 +config rule                                     
 +        option src '​guest' ​                             ​
 +        option target '​DROP' ​                   ​
 +        option name 'Deny Access to router' ​   ​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option dest '​lan' ​                      
 +        option name 'Deny Guest -> LAN' ​       ​
 +        option proto '​all' ​                     ​
 +        option target '​DROP' ​                   ​
 +
 +config rule                                     
 +        option target '​ACCEPT' ​                 ​
 +        option src '​guest' ​                     ​
 +        option dest '​wan' ​                      
 +        option name 'Allow Guest -> WAN http' ​     ​
 +        option proto '​tcp' ​                     ​
 +        option dest_port '​80' ​                  
 +
 +config rule                                 
 +        option target '​ACCEPT' ​             ​
 +        option src '​guest' ​                 ​
 +        option dest '​wan' ​                     ​
 +        option name 'Allow Guest -> WAN https'  ​
 +        option proto '​tcp' ​                 ​
 +        option dest_port '​443'​
 +
 +config rule                                     
 +        option src '​guest' ​                     ​
 +        option dest '​wan' ​                      
 +        option name 'Deny Guest -> WAN' ​
 +        option proto '​all' ​                 ​
 +        option target '​DROP'​
 +
 +[..]%%''​ |
 +
 + --- //senomoto 2014/06/26 22:01//
  
 ==== Step 5: Limit bandwidth of the connection ==== ==== Step 5: Limit bandwidth of the connection ====
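Review bot: The Step 4c introduction (the "Edit /etc/config/firewall" sentence) says the new zone will "allow SSH, DNS and DHCP to guests", but the configuration that follows contains no rule for port 22, and the "Deny Access to router" rule drops every other guest-to-router packet, so SSH from the guest network is in fact blocked. Since keeping management access closed to guests is the safer default, the prose should be brought in line with the config rather than adding a rule: `Edit ''/etc/config/firewall'', remove any //'guest'// configurations and add new zone section covering the 'guest' interface, allow DNS and DHCP to guests, and http and https to the outside world, then block the rest.` The same block depends on rule order — the final "Deny Guest -> WAN" DROP must stay after the two ACCEPT rules for ports 80 and 443, since rules appear to be applied in the order they are listed — so a short comment above it such as `# keep this rule last: it catches everything not accepted above` would protect future edits. Separately, the wifi-iface section in the Step 2 hunk still has no `option 'isolate' '1'`, so guest clients can reach one another on the wireless segment even though the firewall isolates them from the LAN; that limitation is worth a sentence in the Step 2 notes.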