
Guest WiFi: secured and separated from LAN

ciechom

New Around Here
Hi
I've tried to find something but no success so far, so please help.

I want to configure secure guest wifi with separate LAN IP segment which will not have any access to my LAN/main WiFi network.

My config:
LAN/WiFi 1 SSID: MyWiFi -> IP subnet: 172.16.1.0/24
WiFi 2 SSID: GuestWiFi -> IP subnet: 192.168.0.1/24

Rules:
LAN/WiFi 1 -> full access to Internet, no limits

WiFi 2 -> no access to LAN/WiFi1, no access to router's web config + routers ssh etc., limited ports, limited bandwidth (if possible)


Please instruct me how to do this ....
I've tried to figure it out by myself based on this:

http://forums.smallnetbuilder.com/showthread.php?t=22659&page=1

https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN

but no success :(

Router: ASUS RT-AC68U
Firmware: Merlin 378.50
 
Do you absolutely need separate IP ranges?

Just set up Guest networks with no intranet access.

The limited bandwidth is possible too, I think. Someone else will have to help with that though.
 
I came from DDWRT and just want to have exactly the same config as I had with DDWRT :)

Separate IP range for guests gives me more flexibility in filtering, applying security rules, bandwidth limitation, etc. With this scenario I do not have to learn all MAC addresses or something that will identify and differentiate my users from guest users. I'm able to apply rules to entire subnets without thinking who is who :).

So yes ... I'm looking for a solution in which guest wifi will be not only separated from LAN/internal wifi but will be in a separate IP range with separate rules applied.
 
If DDWRT is what you want, and you actually had it, why did you drop it?


With a Guest network enabled, you can do a lot of what you want. Don't need the separate IP to do it with.
 
On DDWRT I had problems with 5GHz wifi ... unpredictable connection drops etc.; additionally it was almost impossible to make IEEE 802.3ad dyn. link aggregation work properly, with Merlin a few clicks and it works :) ... last but not least I wanted to try something new :) with HW acceleration etc.

back to topic.
I'm just wondering why a separate IP range may be a problem? When I tried to use parts from this topic https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN, I was able to have a separate IP range for guest wifi but was not able to pass it through the firewall ... no internet access, some problem with iptables rules etc.
Probably I do not fully understand how routing and iptables rules are implemented in Merlin FW, so that is why I decided to ask on this forum.

I know that many of my needs I can probably meet based on the guest wifi interface name (wl0.1 - wl1.3) but I still will not be able to identify who is who (guest or user) without clear IP range separation. It would work for me if I could have at least a separate DHCP range for guest wifi. Let's say 172.16.1.100-150 for my users and 172.16.1.160-200 for guests. Both can be in the same network segment, i.e. /24 for simplicity. This would be enough for most of my ideas if a completely separate IP subnet is not possible :)
 
Ty for the info.

Fyi; 92 users on WiFi will be a problem with almost any router or AP you can buy today. I'm assuming that your IP ranges will be fully used.

Hope someone jumps in here with the info you need. :)
 
I do not have so many users :)
Normally it is between 10 and 30 users but it changes very often, so I can't learn who is who :(

Hopefully someone had the same problem and idea as I have now.
Theoretically my case is not so complicated :) but it is beyond me
 
If the Guest users are only given the Guest password, then you'll know that the Guest network is setup as you want it to be.

If the regular users use the guest password and their actions are limited to Guest restrictions; their problem. :)


Sorry, but I guess it is beyond me too.
 
I have entries in /jffs/configs/dnsmasq.conf.add:

# 2.4GHz Guest #3 via VPN uses DHCP pool 10.88.243.2 - 10.88.243.20
interface=wl0.3
dhcp-range=wl0.3,10.88.243.2,10.88.243.20,255.255.255.0,21600s
dhcp-option=wl0.3,3,10.88.243.1

# 5Ghz Guest #3 via VPN uses DHCP pool 10.88.53.2 - 10.88.53.20
interface=wl1.3
dhcp-range=wl1.3,10.88.53.2,10.88.53.20,255.255.255.0,21600s
dhcp-option=wl1.3,3,10.88.53.1


So I personally chose to use the third octet to 'identify' which Guest SSID (and interface) the client is using....

e.g. by band and Guest index:

2.4 GHz: Guest 1, 2 or 3
5 GHz: Guest 1, 2 or 3.

Now I currently only use this for selective routing, so clients can connect via a VPN or not.

There is then scope to add iptables/ebtables rules to ensure that they can never get to the WiFi/LAN subnet, and indeed I can restrict which traffic is allowed via that Guest SSID interface.

e.g.

Code:
    # Guest wireless assignment
    logger -s -t "($(basename $0))" $$ "     CMD: ifconfig $GUEST_IF $GUEST_IF_IP netmask 255.255.255.0"
    ifconfig $GUEST_IF $GUEST_IF_IP netmask 255.255.255.0
    # Guest wireless bridge: DROP in the broute table makes the guest interface's
    # IPv4/ARP frames get routed instead of bridged into br0
    logger -s -t "($(basename $0))" $$ "     CMD: ebtables -t broute -I BROUTING -p ipv4 -i $GUEST_IF -j DROP"
    ebtables -t broute -I BROUTING -p ipv4 -i $GUEST_IF -j DROP
    logger -s -t "($(basename $0))" $$ "     CMD: ebtables -t broute -I BROUTING -p arp -i $GUEST_IF -j DROP"
    ebtables -t broute -I BROUTING -p arp -i $GUEST_IF -j DROP

    # Guest wireless firewall. VPN kill switch is built in.
    # Ensure isolation from LAN.
    iptables -I FORWARD -i $GUEST_IF -d $LANIP/24 -j DROP
    iptables -I INPUT -i $GUEST_IF -d $LANIP/24 -j DROP      # Prevent access to Router

    # Selectively allow certain ports (DNS, DHCP). Each -I goes to the top of the
    # chain, so later lines end up above earlier ones.
    iptables -I INPUT -i $GUEST_IF -j DROP
    logger -s -t "($(basename $0))" $$ "     CMD: iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT"
    iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
    logger -s -t "($(basename $0))" $$ "     CMD: iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT"
    iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
    logger -s -t "($(basename $0))" $$ "     CMD: iptables -I INPUT -i $GUEST_IF -p udp --dport 67:68 -j ACCEPT"
    iptables -I INPUT -i $GUEST_IF -p udp --dport 67:68 -j ACCEPT
    # NB: inserted last, this rule sits above the DROP rules and therefore accepts
    # every new connection from the guest interface to the router
    logger -s -t "($(basename $0))" $$ "     CMD: iptables -I INPUT -i $GUEST_IF -m state --state NEW -j ACCEPT"
    iptables -I INPUT -i $GUEST_IF -m state --state NEW -j ACCEPT
    logger -s -t "($(basename $0))" $$ "     CMD: iptables -I FORWARD -i $GUEST_IF -o $TUN_IF -j ACCEPT"
    iptables -I FORWARD -i $GUEST_IF -o $TUN_IF -j ACCEPT
    logger -s -t "($(basename $0))" $$ "     CMD: iptables -t nat -I POSTROUTING -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -j MASQUERADE"
    iptables -t nat -I POSTROUTING -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -j MASQUERADE

    # Optional: Block all ports on VPN except: dns(53),http(80),https(443)
    #iptables -I FORWARD -i $GUEST_IF -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -p tcp -m multiport ! --port 53,80,443 -j DROP
    #iptables -I FORWARD -i $GUEST_IF -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -p udp -m multiport ! --port 53,443 -j DROP

Furthermore, manual QOS should be possible, but then stuff like this

# Limit download speed
#tc qdisc add dev $GUEST_IF root handle 1: htb default 10
#tc class add dev $GUEST_IF parent 1: classid 1:1 htb rate 100mbit ceil 100mbit
#tc class add dev $GUEST_IF parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit
#tc filter add dev $GUEST_IF protocol ip parent 1:0 prio 1 u32 match ip dst 0.0.0.0 flowid 1:10

gets a little over my head!

Regards,
 
Thx Martineau :)

More or less I've tried the same but with setting eth0 (wan IF) as $TUN_IF, just to give people access to internet instead of VPN tunnel and it was not working. But maybe I did something wrong, some small mistake in scripts or something.
If this config works in your env. I will try it again ... today by night :)
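An added example of the WAN-instead-of-VPN variant the poster describes; it is not code from the thread or from Martineau's script. The interface name, subnets and WAN interface (wl0.1, 192.168.0.0/24, 172.16.1.0/24, eth0) are assumed values taken from the first post, and it assumes the guest interface has already been addressed and brouted out of br0 as in the snippet above, and that the firmware's own FORWARD chain accepts established return traffic. Rules are appended to dedicated chains so the evaluation order is exactly the order written and re-running does not duplicate anything.

```shell
#!/bin/sh
# Added example, not the thread's script: guest SSID with its own subnet that
# reaches the Internet through the WAN interface instead of a VPN tunnel.
# Assumed values (hypothetical, matching the first post's layout):
GUEST_IF="${GUEST_IF:-wl0.1}"            # guest SSID interface
GUEST_NET="${GUEST_NET:-192.168.0.0/24}" # guest subnet (dnsmasq pool lives here)
LAN_NET="${LAN_NET:-172.16.1.0/24}"      # main LAN/WiFi subnet to keep guests out of
WAN_IF="${WAN_IF:-eth0}"                 # WAN interface
IPT="${IPT:-iptables}"                   # set IPT=echo to preview without applying

guest_rules() {
    # Dedicated chains, flushed first, so re-running never duplicates rules and
    # the order below is exactly the order evaluated (no -I surprises).
    for chain in GUEST_IN GUEST_FWD; do
        $IPT -N "$chain" 2>/dev/null
        $IPT -F "$chain"
    done
    # Traffic to the router itself: DHCP and DNS only. Everything else (web UI,
    # SSH, etc.) coming from the guest SSID is dropped.
    $IPT -A GUEST_IN -p udp --dport 67:68 -j ACCEPT
    $IPT -A GUEST_IN -p udp --dport 53 -j ACCEPT
    $IPT -A GUEST_IN -p tcp --dport 53 -j ACCEPT
    $IPT -A GUEST_IN -j DROP
    # Forwarded traffic: never into the LAN subnet, only out via the WAN.
    $IPT -A GUEST_FWD -d "$LAN_NET" -j DROP
    $IPT -A GUEST_FWD -o "$WAN_IF" -j ACCEPT
    $IPT -A GUEST_FWD -j DROP
    # Hook the chains at the top of INPUT/FORWARD for the guest interface only;
    # delete a previous hook first so there is always exactly one.
    $IPT -D INPUT -i "$GUEST_IF" -j GUEST_IN 2>/dev/null
    $IPT -I INPUT -i "$GUEST_IF" -j GUEST_IN
    $IPT -D FORWARD -i "$GUEST_IF" -j GUEST_FWD 2>/dev/null
    $IPT -I FORWARD -i "$GUEST_IF" -j GUEST_FWD
    # NAT the guest subnet behind the WAN address; harmless if the firmware
    # already masquerades everything leaving the WAN.
    $IPT -t nat -D POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null
    $IPT -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    apply)   guest_rules ;;
    preview) IPT=echo guest_rules ;;
esac
```

Run it as `sh guest-fw.sh preview` to see the rule list, and `sh guest-fw.sh apply` (for instance from firewall-start) to install it.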
 