doc:recipes:guest-wlan

doc:recipes:guest-wlan [2014/07/31 12:08]
kronick network and ssid names swapped
doc:recipes:guest-wlan [2015/07/24 02:54] (current)
googol-1 [Step 2: Copy the existing wireless network] added option 'isolate' 1
Line 1: Line 1:
 ====== Configure a guest WLAN ====== ====== Configure a guest WLAN ======
 +
 +<WRAP center round important 70%>
 +People looking for a way to configure a guest WLAN through the web interface should read [[doc:​recipes:​guest-wlan-webinterface|the LuCI guest WLAN recipe]].</​WRAP>​
  
 Guest WLAN provides internet access to your network members. It also provides firewall security rules to isolate your guest network from the rest. This recipe contains information provided by our forums members and one blogger as showed below: Guest WLAN provides internet access to your network members. It also provides firewall security rules to isolate your guest network from the rest. This recipe contains information provided by our forums members and one blogger as showed below:
Line 9: Line 12:
   * [[http://​jwalanta.blogspot.com/​2012/​03/​multiple-ssid-on-openwrt-with-bandwidth.html|Limiting bandwidth of the guest connection]]   * [[http://​jwalanta.blogspot.com/​2012/​03/​multiple-ssid-on-openwrt-with-bandwidth.html|Limiting bandwidth of the guest connection]]
  
-===== Configuration ​=====+===== Manual configuration ​=====
  
 The changes below assume an OpenWrt default configuration,​ the relevant files are: The changes below assume an OpenWrt default configuration,​ the relevant files are:
Line 18: Line 21:
   * [[doc:​uci:​firewall|/​etc/​config/​firewall]]   * [[doc:​uci:​firewall|/​etc/​config/​firewall]]
   * [[doc:​uci:​wshaper|/​etc/​config/​wshaper]]   * [[doc:​uci:​wshaper|/​etc/​config/​wshaper]]
 +
 +:!: A guest WLAN (or plain guest network) [[doc:​recipes:​guest-wlan#​multiple_network_devices|across multiple network devices]] requires a separate VLAN.
  
 ==== Step 1: Define a new network ==== ==== Step 1: Define a new network ====
  
-Edit ''​/​etc/​config/​network'' ​and define a new ''​[[doc:​uci:​network#​interfaces|interface]]''​ section: +Edit [[doc:​uci:​network|/​etc/​config/​network]] and define a new ''​[[doc:​uci:​network#​interfaces|interface]]''​ section: 
-| ''​%%[..]+<​code>​
 config '​interface'​ '​guest'​ config '​interface'​ '​guest'​
         option '​proto'​ '​static'​         option '​proto'​ '​static'​
         option '​ipaddr'​ '​10.0.0.1'​         option '​ipaddr'​ '​10.0.0.1'​
         option '​netmask'​ '​255.255.255.0'​         option '​netmask'​ '​255.255.255.0'​
-[..]%%''​ | +</​code>​
- +
-The new network interface will have to be configured as a bridge if your wireless network has +
-multiple radios and access points, and you wish to connect more than one to the guest network. +
 ==== Step 2: Copy the existing wireless network ==== ==== Step 2: Copy the existing wireless network ====
  
-In /​etc/​config/​wireless,​ define a new, second ​wifi-iface section by copying the existing one and change ​its network option to point to the newly created interface section.+In [[doc:​uci:​wireless|/​etc/​config/​wireless]], define a new wifi-iface section by copying the existing one and changing ​its network option to point to the newly created interface section.
  
-| ''​[..]+<​code>​
 config '​wifi-iface'​ config '​wifi-iface'​
-        ​**option '​device'​ '???'​** +        option '​device' ​    ​'???'​ 
-        option '​mode'​ '​ap'​ +        option '​mode' ​      ​'​ap'​ 
-        option '​network'​ '​guest'​ +        option '​network' ​   '​guest'​ 
-        option '​ssid'​ '**openwireless.org**'+        option '​ssid' ​      ​'guest'
         option '​encryption'​ '​none'​         option '​encryption'​ '​none'​
-[..]''​ |+</​code>​
 For //''​option '​device'​ '???'​ ''//​ you should put the device listed in your '​wifi-device'​ section. For example, if your '​wifi-device'​ says //''​config '​wifi-device'​ '​**wifi0**'​ ''//​ then the wifi-iface section should be //''​option '​device'​ '​**wifi0**'​ ''//​ For //''​option '​device'​ '???'​ ''//​ you should put the device listed in your '​wifi-device'​ section. For example, if your '​wifi-device'​ says //''​config '​wifi-device'​ '​**wifi0**'​ ''//​ then the wifi-iface section should be //''​option '​device'​ '​**wifi0**'​ ''//​
  
-**Note:** Your hardware ​may not be capable of thisFor example, open source ​b43 driver for Broadcom hardware ​cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, ​you need to [[doc:​howto:​obtain.firmware.generate|build]] the images yourself --- //sup 2012/05/12 20:22//. Worked with AR71xx + AR9280, Barrier Breaker r41336 (Kernel 3.10.36)+| {{:meta:​icons:​tango:​48px-emblem-important.svg.png?​nolink}} | Some hardware ​or drivers might not support multiple SSIDsThis is the case for e.g. the FOSS b43 driver for Broadcom hardware. If you want multiple SSIDs with Broadcom ​you'​ll ​need to use the [[doc/​hardware/​soc/​soc.broadcom.bcm47xx#​broadcom-wl|proprietary wl driver]]. |
  
-**Note:** [[http://​openwireless.org|Open Wireless Movement]] //Wireless networks labeled with the SSID "​openwireless.org"​ are shared resources volunteered by a neighbor who is a member ​of the Open Wireless MovementThis person has generously offered you a portion of their bandwidth. Please be considerate when you use it.//+To prevent connections between clients of the guest network, add the following line at the end of the configuration block 
 +<​code>​ 
 +        option '​isolate'​ 1 
 +</​code>​ 
 +Some hardware or drivers might not support this option.
  
 ==== Step 3: Define a new DHCP pool ==== ==== Step 3: Define a new DHCP pool ====
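Review bot: the new `option 'isolate' 1` paragraph stops client-to-client traffic on the AP, but the wifi-iface example right above it still carries `option 'encryption' 'none'`, so guest frames remain readable over the air; a sentence saying that isolation complements rather than replaces encryption (a WPA2 passphrase on the guest SSID is the usual pairing) would keep readers from treating `isolate` as the whole story. The quoting is also inconsistent: every other value in the block is single-quoted (`'guest'`, `'none'`) while isolate's is a bare `1`; both parse, but `option 'isolate' '1'` matches the surrounding style. Finally, the deleted sentence about configuring the interface as a bridge for multi-radio setups is replaced only by the `:!:` VLAN pointer; since the bridge case is handled in the "Multiple network devices" section, the pointer should say that is where the bridge configuration now lives.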
Line 54: Line 59:
 In order to support DHCP on '​guest'​ wireless, a new ''​[[doc:​uci:​dhcp#​dhcp.pools|dhcp]]''​ pool must be defined in ''/​etc/​config/​dhcp'':​ In order to support DHCP on '​guest'​ wireless, a new ''​[[doc:​uci:​dhcp#​dhcp.pools|dhcp]]''​ pool must be defined in ''/​etc/​config/​dhcp'':​
  
-| ''​%%[..] +    ​[..] 
-config '​dhcp'​ '​guest'​ +    config '​dhcp'​ '​guest'​ 
-        option '​interface'​ '​guest'​ +      option '​interface'​ '​guest'​ 
-        option '​start'​ '​50'​ +      option '​start'​ '​50'​ 
-        option '​limit'​ '​200'​ +      option '​limit'​ '​200'​ 
-        option '​leasetime'​ '​1h'​ +      option '​leasetime'​ '​1h'​ 
-[..]%%''​ |+    [..]
  
 ==== Step 4a: Adjust firewall settings ==== ==== Step 4a: Adjust firewall settings ====
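Review bot: Step 3 is left as an indented listing while Steps 1 and 2 in the same revision moved to `<code>` fences; switch this block to `<code>` as well so the manual section reads consistently. The values themselves check out: `start '50'` with `limit '200'` on the 10.0.0.1/24 interface from Step 1 gives leases 10.0.0.50 through 10.0.0.249, which stays inside the /24.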
Line 66: Line 71:
 Edit ''/​etc/​config/​firewall''​ and add new zone section covering the '​guest'​ interface, allow internet, DNS and DHCP to guests: Edit ''/​etc/​config/​firewall''​ and add new zone section covering the '​guest'​ interface, allow internet, DNS and DHCP to guests:
  
-| ''​%%[..] +    ​[..] 
-config '​zone'​ +    config '​zone'​ 
-        option '​name'​ '​guest'​ +      option '​name'​ '​guest'​ 
-        option '​network'​ '​guest'​ +      option '​network'​ '​guest'​ 
-        option '​input'​ '​REJECT'​ +      option '​input'​ '​REJECT'​ 
-        option '​forward'​ '​REJECT'​ +      option '​forward'​ '​REJECT'​ 
-        option '​output'​ '​ACCEPT'​+      option '​output'​ '​ACCEPT'​ 
 +     
 +    # Allow Guest -> Internet 
 +    config '​forwarding'​ 
 +      option '​src'​ '​guest'​ 
 +      option '​dest'​ '​wan'​ 
 +      
 +    # Allow DNS Guest -> Router 
 +    # Client DNS queries ordinate from dynamic UDP ports (>1023)  
 +    config '​rule'​ 
 +      option '​name'​ 'Allow DNS Queries'​ 
 +      option '​src'​ '​guest'​ 
 +      option '​dest_port'​ '​53'​ 
 +      option '​proto'​ '​tcpudp'​ 
 +      option '​target'​ '​ACCEPT'​ 
 +     
 +    # Allow DHCP Guest -> Router 
 +    # DHCP communication uses UDP ports 67-68 
 +    config '​rule'​ 
 +      option '​name'​ 'Allow DHCP request'​ 
 +      option '​src'​ '​guest'​ 
 +      option '​src_port'​ '​67-68'​ 
 +      option '​dest_port'​ '​67-68'​ 
 +      option '​proto'​ '​udp'​ 
 +      option '​target'​ '​ACCEPT'​ 
 +    [..]
  
-# Allow Guest -> Internet +==== Step 4b: Different modifications to firewall settings ====
-config '​forwarding'​ +
-        option '​src'​ '​guest'​ +
-        option '​dest'​ '​wan'​+
  
-# Allow DNS Guest -> Router +I created this small set of firewall rules to completely isolate guests on the guest SSID. I had some devices that only worked with WEP or no authentication at all.  WEP doesn't like to run on .11n devices in HT mode, so the only option ​was a wide-open SSID. I also didn't want my neighbors to quickly steal my internet... This firewall config will only allow specific, known source MACs to connect to the internet, with zero access to the rest of the network.
-# Client DNS queries ordinate from dynamic UDP ports (>1023)  +
-config '​rule'​ +
-        option '​name'​ 'Allow DNS Queries'​ +
-        option '​src'​ 'guest' +
-        ​option 'dest_port'​ '​53'​ +
-        option '​proto'​ '​tcpudp'​ +
-        option '​target'​ '​ACCEPT'​+
  
-# Allow DHCP Guest -> Router +Edit ''​/​etc/​config/​firewall'' ​and add new zone section covering the '​guest' ​interface, allow SSH, DNS and DHCP to guests, allow only specific source MAC addresses out to the WAN, drop broadcast traffic and deny the rest of orders:
-# DHCP communication uses UDP ports 67-68 +
-config ​'rule' +
-        option ​'name' 'Allow DHCP request'​ +
-        option 'src' '​guest'​ +
-        option '​src_port'​ '​67-68'​ +
-        option '​dest_port'​ '​67-68'​ +
-        option '​proto'​ '​udp'​ +
-        option '​target'​ '​ACCEPT'​ +
-[..]%%''​ |+
  
- --- //sartan 2011/03/17 05:45//+    [..] 
 +     
 +    # Enable logging 
 +    config '​zone'​ 
 +      option '​name'​ '​guest'​ 
 +      option '​network'​ '​guest'​ 
 +      option '​input'​ '​REJECT'​ 
 +      option '​forward'​ '​REJECT'​ 
 +      option '​output'​ '​ACCEPT'​ 
 +     
 +    # Quick rule to allow SSH in 
 +    config '​rule'​ 
 +      option '​name'​ 'Allow SSH in' 
 +      option '​src'​ '​guest'​ 
 +      option '​dest_port'​ '​22'​ 
 +      option '​proto'​ '​tcp'​ 
 +      option '​target'​ '​ACCEPT'​ 
 +     
 +    # Allow DNS Guest -> Router 
 +    config '​rule'​ 
 +      option '​name'​ 'Allow DNS Queries'​ 
 +      option '​src'​ '​guest'​ 
 +      option '​dest_port'​ '​53'​ 
 +      option '​proto'​ '​tcpudp'​ 
 +      option '​target'​ '​ACCEPT'​ 
 +     
 +    # Allow DHCP Guest -> Router 
 +    config '​rule'​ 
 +      option '​name'​ 'Allow DHCP request'​ 
 +      option '​src'​ '​guest'​ 
 +      option '​src_port'​ '67-68' 
 +      option '​dest_port'​ '​67-68'​ 
 +      option '​proto'​ '​udp'​ 
 +      option '​target'​ '​ACCEPT'​ 
 +     
 +    # Allow only specific source MAC addresses out to the WAN 
 +    config '​rule'​ 
 +      option '​name'​ 'Allow my Nintendo DS' 
 +      option '​src'​ '​guest'​ 
 +      option '​dest'​ '​wan'​ 
 +      option '​proto'​ '​all'​ 
 +      option '​src_mac'​ '00:ab:​00:​32:​00:​00'​ 
 +      option '​target'​ '​ACCEPT'​ 
 +     
 +    # Drop broadcast traffic, it just fills the logs :) 
 +    config '​rule'​ 
 +      option '​name'​ 'Drop guest broadcast'​ 
 +      option '​src'​ '​guest'​ 
 +      option '​dest_ip'​ '​172.16.62.255'​ 
 +      option '​target'​ '​DROP'​ 
 +     
 +    # Another explicit deny at the end. 
 +    config '​rule'​ 
 +      option '​name'​ 'Deny guest -> WAN' 
 +      option '​src'​ '​guest'​ 
 +      option '​dest'​ '​wan'​ 
 +      option '​proto'​ '​all'​ 
 +      option '​target'​ '​REJECT'​ 
 +     
 +    [..]
  
-==== Step 4bDifferent modifications to firewall settings ​====+==== Step 4cBlock everything, but http and https ====
  
-created this small set of firewall rules to completely isolate guests on the guest SSID. I had some devices that only worked with WEP or no authentication at all.  WEP doesn'​t like to run on .11n devices in HT modeso the only option was a wide-open SSID. I also didn't want my neighbors to quickly steal my internet... This firewall config will only allow specificknown source MACs to connect to the internet, with zero access to the rest of the network.+In this configuration ​shared my guest SSID, but only provide http and https connectionsand isolate GUEST network from LAN network.
  
-Edit ''/​etc/​config/​firewall''​ and add new zone section covering the '​guest'​ interface, allow SSH, DNS and DHCP to guests, ​allow only specific source MAC addresses out to the WANdrop broadcast traffic and deny the rest of orders: +Edit ''/​etc/​config/​firewall''​, remove any //'​guest'//​ configurations ​and add new zone section covering the '​guest'​ interface, allow SSH, DNS and DHCP to guests, ​and http and https to the outside worldthen block the rest.
-| ''​%%[..]+
  
-# Enable logging +    [..] 
-config ​'zone'​ +    config zone                                      
-        option 'name' '​guest'​ +      option name 'guest' ​                 
-        option 'network' '​guest'​ +      option ​network ​'guest' ​              
-        option 'input' 'REJECT+      option forward '​REJECT' ​             
-        option 'forward' 'REJECT+      option output '​ACCEPT' ​              
-        option 'output' '​ACCEPT'​+      option input '​REJECT'​ 
 +          
 +    config forwarding ​                               
 +      option src '​guest' ​                  
 +      option ​dest 'wan' 
 +     
 +    config rule                                      
 +      option src '​guest' ​                      
 +      ​option src_port '​67-68' ​                 
 +      option dest_port '​67-68' ​                
 +      option proto '​udp' ​                      
 +      option target '​ACCEPT' ​                  
 +      option name 'Allow DHCP request' ​        
 +     
 +    config rule                                      
 +      ​option ​src 'guest' ​                      
 +      option dest_port ​'53' ​                   
 +      option proto '​tcpudp' ​                   
 +      option target '​ACCEPT' ​                  
 +      option name 'Allow DNS Queries' ​         
 +        ​ 
 +    config rule                                      
 +      ​option ​src 'guest' ​                      
 +      option dest 'lan' ​                      ​ 
 +      ​option name 'Deny Guest -> LAN' ​        
 +      ​option ​proto 'all' ​                      
 +      option target '​DROP' ​                    
 +     
 +    config rule                                      
 +      option target ​'​ACCEPT' ​                  
 +      option src '​guest' ​                      
 +      option dest '​wan' ​                       
 +      option name 'Allow Guest -> WAN http' ​      
 +      option proto '​tcp' ​                      
 +      option dest_port '​80' ​                   
 +     
 +    config rule                                  
 +      option target '​ACCEPT' ​              
 +      option src '​guest' ​                  
 +      option dest '​wan' ​                      
 +      option name 'Allow Guest -> WAN https' ​  
 +      option proto '​tcp' ​                  
 +      option dest_port '​443'​ 
 +     
 +    config rule                                      
 +      option src '​guest' ​                      
 +      option dest '​wan' ​                       
 +      option name 'Deny Guest -> WAN'  
 +      option proto '​all' ​                  
 +      option target '​DROP'​ 
 +     
 +    [..] 
 +==== Step 5: Limit bandwidth of the connection ====
  
-# Quick rule to allow SSH in +<WRAP center round info 72%> 
-config ​'rule' +Wondershaper (wshaper) is not recommended. Better use ''​qos-scripts'' ​or ''​sqm-scripts'' ​(see the [[http://​www.bufferbloat.net/​projects/​cerowrt/​wiki/​Wondershaper_Must_Die|Bufferbloat project]]). 
-        option ​'name' 'Allow SSH in' +</​WRAP>​
-        option ​'src' 'guest+
-        ​option '​dest_port'​ '​22'​ +
-        option '​proto'​ '​tcp'​ +
-        option '​target'​ '​ACCEPT'​+
  
-# Allow DNS Guest -> Router +This is completely optional, but advised. Install package wshaper: 
-config ​'rule'​ +''​opkg install wshaper''​
-        option '​name'​ 'Allow DNS Queries'​ +
-        option '​src'​ '​guest'​ +
-        option '​dest_port'​ '​53'​ +
-        option '​proto'​ '​tcpudp'​ +
-        option '​target' 'ACCEPT'+
  
-# Allow DHCP Guest -> Router +Edit ''​/​etc/​config/​wshaper''​:
-config ​'rule'​ +
-        option '​name'​ 'Allow DHCP request'​ +
-        option '​src'​ '​guest'​ +
-        option '​src_port'​ '​67-68'​ +
-        option '​dest_port'​ '​67-68'​ +
-        option '​proto'​ '​udp'​ +
-        option '​target' 'ACCEPT'+
  
-# Allow only specific source MAC addresses out to the WAN +    ​config ​wshaper ​'settings
-config 'rule+      option ​network ​'​guest'​ 
-        option ​'​name'​ 'Allow my Nintendo DS' +      option ​downlink ​'64
-        option '​src' ​'​guest'​ +      option ​uplink ​'512'
-        option 'dest' 'wan+
-        option 'proto' '​all'​ +
-        option '​src_mac'​ '​00:​ab:​00:​32:​00:​00'​ +
-        option '​target'​ '​ACCEPT'+
  
-# Drop broadcast traffic, it just fills the logs :) +<WRAP center round tip 85%> 
-config ​'rule' +''​Downlink'' ​and ''​uplink'' ​options are maximal limits, but in practice the speed will be slightly lower as wshaper also tries to prioritize traffic, so that the network stays responsive even when e.gsomeone downloads a huge file - there are also wshaper options that can control this)The units are in ''​kbit''​
-        option ​'name' 'Drop guest broadcast' +</​WRAP>​ 
-        option ​'src' ​'​guest'​ +==== Multiple network devices ====
-        option '​dest_ip'​ '172.16.62.255' +
-        option ​'target' 'DROP'+
  
-Another explicit deny at the end. +The basics are already covered by points 1 to 5 above. For a network setup that involves two or more network devices (e.g. a router, one or more switches, one or more access points) you need to provide a separate [[doc/​uci/​network/​switch#vlanswitch_config|VLAN]]. It is recommended to configure your VLANs through the web UI, since this offers an easier overview, but if you know what you are doing, ​the configuration files themselves are easy to edit as well.
-config '​rule'​ +
-        option '​name'​ 'Deny guest -> WAN' +
-        option '​src'​ '​guest'​ +
-        option '​dest'​ '​wan'​ +
-        option '​proto'​ '​all'​ +
-        option '​target'​ '​REJECT'​+
  
-[..]%%''​ |+**Some basics about VLANs:**
  
-==== Step 4cBlock everythingbut http and https ====+  * Most devices only use one VLAN by default (VLAN ID 1). The instructions that follow assume this is the case. Double check before proceeding. 
 +  * VLAN IDs match the virtual interfaces listed by ifconfig, i.e. a VLAN with ID 3 will show as ethX.3 (where X is your real interface, e.g. eth0). 
 +  * VLAN IDs should be identical across all network devices. 
 +  * A port can have three statesOff (not part of a specific VLAN), Untagged (when part of a VLAN), Tagged (when part of two or more VLANs). 
 +  * If a port is part of multiple VLANsit needs to be set to Tagged in every single VLAN it is part of. 
 +  * Every VLAN should also include the CPU (tagged by default).
  
-In this configuration I shared my guest SSIDbut only provide http and https connections,​ and isolate GUEST network ​from LAN network.+Furthermore,​ for a guest WLAN, only the port(s) connecting a network ​device to another one should be part of the VLAN. In practice, this means that in a router - access point setup, on each device only the port connecting to the other network ​device goes into the VLAN.
  
-Edit ''/​etc/​config/​firewall''​remove any //'​guest'//​ configurations and add new zone section covering ​the 'guest' interface, allow SSH, DNS and DHCP to guests, and http and https to the outside world, then block the rest.+<WRAP center round important 80%> 
 +Make sure you have identified the ports correctly. The VLAN definitions use **internal port numbers**. Quite a few devices (e.g. the [[toh:​netgear:​wndr3700|Netgear WNDR3700 v1]]) number their internal ports differently from the numbers on the enclosure! Tagged ports are clearly visible as such in the UIin the configuration file they're marked by a **t** behind ​the port number. 
 +</​WRAP>​
  
-| ''​%%[..+<WRAP center round important 80%
-config zone                                      +Creating a new VLAN with port X already part of another VLAN means port X should be set to tagged **in all the existing VLAN(s) it is part ofFailure to do so may render your switch inoperable.** We cannot stress this enough! Only certain switches support ports being untagged in one and tagged in another VLAN at the same time
-        option name '​guest' ​                 +</​WRAP>​
-        option network '​guest' ​              +
-        option forward '​REJECT' ​             +
-        option output '​ACCEPT' ​              +
-        option input '​REJECT'​ +
-          +
-config forwarding ​                               +
-        option src '​guest' ​                 ​ +
-        ​option dest '​wan'​+
  
-config ​rule                                      +===New VLAN=== 
-        option src '​guest' ​                      +Edit [[doc:​uci:​network|/​etc/​config/network]] and define a new VLAN with ID 2 (change if ID 2 is already taken). Make sure to use the right device name check your existing VLAN stanza. Do this on every router, switch or AP. 
-        option src_port '67-68' ​                 +
-        option dest_port '​67-68' ​                +
-        option proto '​udp' ​                      +
-        option target '​ACCEPT' ​                  +
-        option name 'Allow DHCP request' ​       ​+
  
-config ​rule                                      +    ​config ​switch_vlan 
-        option ​src 'guest' ​                      +      option ​device ​     ​'switch0
-        option ​dest_port '​53' ​                   +      option ​vlan        '​2
-        option proto 'tcpudp' ​                  ​ +      option ​ports       '3t 5t
-        option ​target ​'ACCEPT' ​                  +       
-        ​option name 'Allow DNS Queries' ​        +Here, internal ports 3 and 5 are part of the VLAN with ID 2, port 5 being the CPU. Both ports are tagged (indicated by the trailing **t**). Make sure port 3 (if you keep it in VLAN 1 as well) is tagged there as well. Below how it looks in LuCI:
  
-config rule                                      +{{:​media:​vlan_example_wndr3700.png?​800|}}
-        option src '​guest' ​                              +
-        option target '​DROP' ​                    +
-        option name 'Deny Access to router' ​   ​+
  
-config rule                                      +:!: **Note how port 3 is now tagged in VLAN 1 as well.** As explained above, you cannot have port X untagged in one VLAN and tagged in another. A port needs to have the same status across ​all the VLANs it is part of.
-        option src '​guest' ​                      +
-        option dest '​lan' ​                       +
-        option name 'Deny Guest -> LAN' ​        +
-        option proto 'all' ​                      +
-        option target '​DROP' ​                   ​+
  
-config rule                                      +===New interface=== 
-        ​option target '​ACCEPT' ​                  +Add the guest interface to your router just like in [[doc:​recipes:​guest-wlan#​step_1define_a_new_network|step 1]]. The important difference is that, unlike in a single router setup, **we define an interface**.
-        option src 'guest' ​                      +
-        option dest '​wan' ​                       +
-        option name 'Allow Guest -> WAN http' ​      +
-        option proto '​tcp' ​                      +
-        option dest_port '​80' ​                  +
  
-config ​rule                                  +    ​config ​interface ​    '​guest'​ 
-        option target '​ACCEPT' ​              +      option ​ifname ​     ​'eth0.2
-        option src '​guest' ​                  +      option ​proto       'static
-        option ​dest 'wan' ​                      +      option ​ipaddr ​     ​'10.0.0.1
-        option ​name 'Allow Guest -> WAN https' ​  +      option ​netmask ​    '255.255.255.0'
-        option ​proto 'tcp' ​                  +
-        option ​dest_port ​'443'+
  
-config rule                                      +On each //access point//, we replicate the same stanza, but with two substantial differences:​
-        option src '​guest' ​                      +
-        option dest '​wan' ​                       +
-        option name 'Deny Guest -> WAN'  +
-        option proto '​all' ​                  +
-        option target '​DROP'​+
  
-[..]%%''​ |+  * We add an interface type, namely //bridge// (this will put the LAN and WLAN interfaces on the AP in one network); 
 +  * We set a different static IP (typically incremented by one).
  
- --- //senomoto 2014/06/26 22:01//+Your config on your access point should look like this:
  
-==== Step 5: Limit bandwidth of the connection ==== +    config interface ​    '​guest'​ 
-This is completely optional, but advisedInstall package wshaper: +      option ifname ​     '​eth0.2'​ 
-''​opkg install wshaper''​+      option type        '​bridge'​ 
 +      option proto       '​static'​ 
 +      option ipaddr ​     '​10.0.0.2'​ 
 +      option netmask ​    '​255.255.255.0'​ 
 +       
 +===Guest WLAN=== 
 +Like in [[http://​wiki.openwrt.org/​doc/​recipes/​guest-wlan#​step_2copy_the_existing_wireless_network|step 2]], replicate the wireless interface config in [[http://​wiki.openwrt.org/​doc/​uci/​wireless|/​etc/​config/​wireless]] on each access point. Disable the wireless on all other network devices.
  
-Edit ''​/etc/config/wshaper''​:+===DHCP, firewall and bandwidth settings=== 
 +The modifications above are the only points where a multi-device setup differs from a single-device setup. The DHCP server only runs on the main router, so you do not need to edit any related settings on any switches or access points; do make sure though that the static IPs do not conflict with the DHCP range you set. As for the firewall, you should replicate all stanzas provided above on every network device, if they have a firewall running. 
 + 
 +To cap the bandwidth, you can use tc, or wshaper - the latter being more user-friendly. Wshaper also has a LuCI front-end. Keep in mind wshaper treats upload speed as download, and the other way around. 
 +===== Configuration by shell script ===== 
 + 
 +Here is the script that makes minimal changes required to setup guest wifi network on openwrt. 
 + 
 +<code bash> 
 +#!/bin/sh 
 + 
 +# This is supposed to be run on openwrt 
 + 
 +# Written by Stanislav German-Evtushenko,​ 2014 
 +# Based on http://​wiki.openwrt.org/​doc/​recipes/​guest-wlan 
 + 
 +# Configure guest network 
 +uci delete network.guest 
 +uci set network.guest=interface 
 +uci set network.guest.proto=static 
 +uci set network.guest.ipaddr=192.168.101.21 
 +uci set network.guest.netmask=255.255.255.0 
 + 
 +# Configure guest Wi-Fi 
 +uci delete wireless.guest 
 +uci set wireless.guest=wifi-iface 
 +uci set wireless.guest.device=radio0 
 +uci set wireless.guest.mode=ap 
 +uci set wireless.guest.network=guest 
 +uci set wireless.guest.ssid=openwireless.org 
 +uci set wireless.guest.encryption=none 
 + 
 +# Configure DHCP for guest network 
 +uci delete dhcp.guest 
 +uci set dhcp.guest=dhcp 
 +uci set dhcp.guest.interface=guest 
 +uci set dhcp.guest.start=50 
 +uci set dhcp.guest.limit=200 
 +uci set dhcp.guest.leasetime=1h 
 + 
 +# Configure firewall for guest network 
 +## Configure guest zone 
 +uci delete firewall.guest_zone 
 +uci set firewall.guest_zone=zone 
 +uci set firewall.guest_zone.name=guest 
 +uci set firewall.guest_zone.network=guest 
 +uci set firewall.guest_zone.input=REJECT 
 +uci set firewall.guest_zone.forward=REJECT 
 +uci set firewall.guest_zone.output=ACCEPT 
 +## Allow Guest -> Internet 
 +uci delete firewall.guest_forwarding 
 +uci set firewall.guest_forwarding=forwarding 
 +uci set firewall.guest_forwarding.src=guest 
 +uci set firewall.guest_forwarding.dest=wan 
 +## Allow DNS Guest -> Router 
 +uci delete firewall.guest_rule_dns 
 +uci set firewall.guest_rule_dns=rule 
 +uci set firewall.guest_rule_dns.name='Allow DNS Queries' 
 +uci set firewall.guest_rule_dns.src=guest 
 +uci set firewall.guest_rule_dns.dest_port=53 
 +uci set firewall.guest_rule_dns.proto=udp 
 +uci set firewall.guest_rule_dns.target=ACCEPT 
 +## Allow DHCP Guest -> Router 
 +uci delete firewall.guest_rule_dhcp 
 +uci set firewall.guest_rule_dhcp=rule 
 +uci set firewall.guest_rule_dhcp.name='​Allow DHCP request'​ 
 +uci set firewall.guest_rule_dhcp.src=guest 
 +uci set firewall.guest_rule_dhcp.src_port=68 
 +uci set firewall.guest_rule_dhcp.dest_port=67 
 +uci set firewall.guest_rule_dhcp.proto=udp 
 +uci set firewall.guest_rule_dhcp.target=ACCEPT
  
-''​config wshaper '​settings'​ +uci commit
- option network '​guest'​ +
- option downlink '​64'​ +
- option uplink '​512'​ +
-''​+
  
-**Note:** ''​downlink''​ and ''​uplink''​ options are maximal limits, but in practice the speed will be slightly lower as wshaper ​also tries to prioritize traffic ​(so that the network ​stays responsive even when someone downloads a huge file - there are also wshaper ​options that can control this)The units are kbits.+# Configure ​wshaper (optional) 
 +opkg update 
 +opkg install wshaper 
 +uci set wshaper.settings=wshaper 
 +uci set wshaper.settings.network=guest 
 +uci set wshaper.settings.downlink=500 
 +uci set wshaper.settings.uplink=2000 
 +## Work around for https://​github.com/​openwrt/​packages/​issues/​565 (wshaper: settings ​are not applied on boot) 
 +echo -e '#​!/​bin/​sh\n\n[ "​$ACTION"​ = ifup ] && /etc/init.d/wshaper enabled && /​etc/​init.d/​wshaper start || exit 0' > /​etc/​hotplug.d/​iface/​10-wshaper
  
-**Also note:** The ''​downlink''​ and ''​uplink''​ limits are //reversed// from what one might expect, as the data is flowing in the opposite direction from wshaper'​s usual (wan) interface.+uci commit 
 +</code>
  
 ===== Apply changes ===== ===== Apply changes =====
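Review bot: the shell script at the end of this hunk diverges from the manual steps in the same revision in ways that affect the guest isolation the page promises. It sets `firewall.guest_rule_dns.proto=udp` where Step 4a uses `'tcpudp'`, so DNS answers that fall back to TCP are rejected for guests; it never sets `wireless.guest.isolate`, which Step 2 now recommends; and it hard-codes `wireless.guest.device=radio0` and `wireless.guest.ssid=openwireless.org` while Step 2 tells the reader to look up the device name and now uses `'guest'` as the SSID. Suggest `uci set firewall.guest_rule_dns.proto=tcpudp`, `uci set wireless.guest.isolate=1`, and a comment that `radio0` must match the reader's `wifi-device` stanza. Two documentation mismatches survive the rewrite: the Step 4c intro says it allows SSH to guests, but the 4c block contains no port-22 rule (only the zone, the guest-to-wan forwarding, DHCP, DNS, the 80 and 443 accepts and the two DROP rules), so either the sentence or the block should change; and the `# Enable logging` comment at the top of the Step 4b zone describes nothing, since that zone sets no `log` option. Smaller points: the comment "Client DNS queries ordinate from dynamic UDP ports" should read "originate", and the warning that wshaper swaps uplink and downlink now sits under "Multiple network devices" rather than next to the Step 5 `downlink`/`uplink` values where the reader needs it.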
Line 277: Line 426:
         list '​interface'​ '​guest'​         list '​interface'​ '​guest'​
 [..]''​ | [..]''​ |
 +
doc/recipes/guest-wlan.1406801322.txt.bz2 · Last modified: 2014/07/31 12:08 by kronick