bengalih
Senior Member
In another post a user attempting to assist me in troubleshooting what I believe to be an unrelated problem made comments about my guest WiFi setup not being proper and that changes were introduced in the 386 FW that totally change how things are configured.
Now my current configuration was, I believe done pre 386 (I believe in 2019 or prior, maybe on 384?). However I rebuilt my router a year or so ago from scratch and manually recreated my configurations including my Guest Wifi setup.
I would like to explain what my goals were and how I configured it so I can get some better insight as to why my configuration might not be "proper" and some explanation as to how to convert it to a more "proper" configuration and what things, if any, I need to watch out for that might work differently. IOW, critique my configuration and tell me why I shouldn't be doing this (and just as important, how/why can/should I change it).
My needs are quite simple. I have 3 guest WiFi. One each of a 2.5 and a 5 that is used for visitors. The third is a 2.4 for IOT devices with a hidden SSID.
There are a few things tweaked on the IOT network, but the basic idea of all 3 was to allow internet access but not access to my internal LAN.
The way I currently have it configured I believe clients on all 3 networks can access each other (including the IOT), and while that might not be ideal, I haven't really cared about that and if I chose to I believe I can update my rules to fix that easily enough.
My LAN network and router IP is 10.10.10.1/24.
Device is RT-AC68U.
These were my steps to configure the Guest WiFi networks.
1) Via the GUI > Guest Network. I simply clicked on "enable" for the first two 2.4 networks and the first 5 network and configured the options in the GUI. The "Access Intranet" option is disabled for all of them.
2) Found the interface names with ifconfig and then bound an IP to each interface:
Code:
ifconfig wl0.1 172.20.20.1 netmask 255.255.255.0
ifconfig wl1.1 172.20.30.1 netmask 255.255.255.0
ifconfig wl0.2 10.10.20.1 netmask 255.255.255.0
As a point of info here: I do/did not have my Asus do any DHCP for my LAN. DHCP was/is disabled in the GUI and all my main LAN/Wifi clients (10.10.10.0/24) get their DHCP info from a Windows DHCP server on the internal network. As I did not want the external clients accessing anything internal, I defined dhcp-ranges for each Guest WiFi in my dnsmasq. For example, my 5 GHz network is defined as:
Code:
interface=wl1.1
dhcp-range=wl1.1,172.20.30.150,172.20.30.199,255.255.255.0,86400s
dhcp-option=wl1.1,3,172.20.30.1
dhcp-option=wl1.1,6,1.1.1.1,1.0.0.1
My last issue was to enable the proper routing on these wl interfaces. At the time the method I found to use had me utilize ebtables by creating the following:
Code:
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i wl1.1 -j DROP
My understanding is that the "DROP" on these kicks these packets from being bridged and up to the routing table.
However at this point the clients are still unable to actually get to the Asus interface to get an IP from the dnsmasq server.
To fix this I added:
Code:
/usr/sbin/iptables -I INPUT -i wl1.1 -j ACCEPT
That allowed access into the server itself, but the packets were not routed to the Internet. So I then add:
Code:
/usr/sbin/iptables -I FORWARD -i wl1.1 -j ACCEPT
Finally, to protect these clients from accessing my Asus local interface or getting into the local network I also add:
Code:
/usr/sbin/iptables -I FORWARD -i wl1.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i wl1.1 -d 10.10.10.1/24 -j DROP
So my complete set of entries for each wl interface looks like:
Code:
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i wl1.1 -j DROP
/usr/sbin/iptables -I FORWARD -i wl1.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl1.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i wl1.1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i wl1.1 -d 10.10.10.1/24 -j DROP
Everything works as I intend and doesn't appear to have any negative consequences to anything else I've configured on the network.
So. Is there anything inherently wrong with how I have it configured? I suppose there might be other configurations that work, and maybe some that are preferred for a more complex implementation.
Can/should I change this to some newer "386 fw compatible way"? What would I benefit? What might I lose or have issues with compared to the current way I do things?
Thanks.
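The full per-interface rule set from the post, as an added example that is not the poster's script or part of the Asuswrt firmware: one function applies the ebtables/iptables rules for each of the three guest interfaces, a dry-run mode prints the commands for review, and a check confirms that the LAN DROP rules are inserted after the blanket ACCEPTs (so they end up above them in the live chain). It assumes the interface names, addresses and tool paths from the post and a POSIX shell such as the router's busybox sh.

```shell
#!/bin/sh
# Added example (not from the original post or the firmware): the poster's
# guest-isolation rules applied per interface, with a dry-run preview and an
# ordering check.  Assumptions: interface names, addresses and tool paths are
# those given in the post; DRYRUN=1 prints commands instead of executing them.
EBT=/usr/sbin/ebtables
IPT=/usr/sbin/iptables
LAN_NET=10.10.10.0/24     # iptables normalises the post's 10.10.10.1/24 to this
GUEST_IFACES="wl0.1 wl1.1 wl0.2"

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# guest_isolate <iface>: rules for one guest wl interface.  iptables -I prepends,
# so the blanket ACCEPT is issued first and the narrower LAN DROP afterwards,
# which leaves the DROP above the ACCEPT in the resulting chain.
guest_isolate() {
    for proto in arp ipv4 ipv6; do   # stop bridging; hand frames to routing
        run "$EBT" -t broute -I BROUTING -p "$proto" -i "$1" -j DROP
    done
    run "$IPT" -I FORWARD -i "$1" -j ACCEPT
    run "$IPT" -I FORWARD -i "$1" -d "$LAN_NET" -j DROP
    run "$IPT" -I INPUT -i "$1" -j ACCEPT
    run "$IPT" -I INPUT -i "$1" -d "$LAN_NET" -j DROP
}

# check_order <iface>: succeed only if, in both INPUT and FORWARD, the LAN DROP
# is issued after the ACCEPT (so it will sit above the ACCEPT once inserted).
check_order() {
    out=$( DRYRUN=1; guest_isolate "$1" )
    for chain in INPUT FORWARD; do
        acc=$(printf '%s\n' "$out" | grep -n -e "-I $chain -i $1 -j ACCEPT" | cut -d: -f1)
        drp=$(printf '%s\n' "$out" | grep -n -e "-I $chain -i $1 -d $LAN_NET -j DROP" | cut -d: -f1)
        [ -n "$acc" ] && [ -n "$drp" ] && [ "$drp" -gt "$acc" ] || return 1
    done
}

# main: verify the ordering for every guest interface, then apply (or preview).
main() {
    for iface in $GUEST_IFACES; do
        check_order "$iface" || { echo "bad rule order for $iface" >&2; return 1; }
        guest_isolate "$iface"
    done
}

# Usage: sh guest-isolate.sh preview   (print the commands)
#        sh guest-isolate.sh apply     (run them on the router)
case "${1:-}" in
    preview) DRYRUN=1; main ;;
    apply) main ;;
esac
```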