Главная » Wi-Fi

Dd wrt guest wifi

На чтение 12 мин Просмотров 1 Опубликовано
Содержание
  1. Guest Network
  2. [edit] DNSMasq method
  3. [edit] 23020 and later
  4. [edit] Prior to 23020
  5. [edit] Notes
  6. [edit] No VAP at boot (Broadcom)
  7. [edit] Guest VAP Passwords
  8. [edit] Guest Access to a Network Device
  9. [edit] Multi-radio routers
  10. [edit] VAP with no WAN
  11. Guest Network
  12. [edit] DNSMasq method
  13. [edit] 23020 and later
  14. [edit] Prior to 23020
  15. [edit] Notes
  16. [edit] No VAP at boot (Broadcom)
  17. [edit] Guest VAP Passwords
  18. [edit] Guest Access to a Network Device
  19. [edit] Multi-radio routers
  20. [edit] VAP with no WAN

Guest Network

A Guest Network is a separate SSID (wireless network ID) using a virtual access point (VAP) that gives guest access to the WAN (internet) while blocking them from your LAN (local network), thereby protecting your security.

[edit] DNSMasq method

This uses DNSMasq instead of DHCPd. See VAP with no WAN for setups without a WAN (e.g. WAP), as iptables (Firewall) rules are required for internet access (Multiple DHCP Server is not available with the WAN disabled). In the DD-WRT GUI:

  • Wireless ->Basic Settings: Click Add Virtual AP under Virtual Interfaces and change the SSID if needed
    • Set Network Configuration to Unbridged
    • Enable the following options: AP Isolation, Net Isolation
    • Enable Forced DNS Redirection to prevent users from circumventing content filters (see Public DNS)
    • Set the Optional DNS Target (if needed), IP Address (e.g. 192.168.7.1), and Subnet Mask (255.255.255.0)
    • Example for Broadcom (5 GHz is wl1.1), Atheros is ath0.1 or ath1.1, but depends on the router:
    interface=wl0.1 dhcp-option=wl0.1,3,192.168.7.1 dhcp-range=wl0.1,192.168.7.100,192.168.7.200,255.255.255.0,12h

    [edit] 23020 and later

    Kong added easy Guest Network capability to DD-WRT starting with build 23020. See Guest WiFi + abuse control for beginners

    [edit] Prior to 23020

    1. Section Wireless ->Basic Settings tab
      • “Add” a “Virtual Interface”, give this guest network a separate SSID, and “Enable” “AP Isolation”.
      • Click Save, then Apply
    2. Wireless Security tab: also use a separate password, and WPA2 AES security
      • Click Save, then Apply
    3. Section Setup ->Networking tab
      • Under “Create Bridge” click “Add”, name it, then set a different subnet
      • Under “Assign to Bridge” click “Add», select the new bridge, then assign it to the new virtual interface
      • Click Save, then Apply
    4. Networking tab: under “Multiple DHCP Server” click “Add” and select the new bridge
      • Click Save, then Apply
    5. Section Administration ->Commands tab
    6. Firewall Rules to secure the private network and give the guest network internet access:
      • Copy/paste the below, then click Save Firewall
    iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr` iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

    More Firewall Rules to isolate guest and restrict services’ access:

    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

    Test the guest network, reboot if not working

    [edit] Notes

    The Multiple WLANs wiki is deprecated (use only for old builds) and mentioned just for reference.

    [edit] No VAP at boot (Broadcom)

    If the VAP does not work at boot (fixed for some unbridged VAPs since r40564:40566), there are workarounds:

    • Administration ->Commands and try one of these startup commands then Save Startup
    sleep #; stopservice nas;stopservice wlconf;startservice wlconf;startservice nas sleep #; stopservice cron; stopservice wlconf; wlconf eth1 up; wlconf eth2 up; startservice cron sleep #; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas

    where «#» is the sleep time from ~3-20 (sec): start with 10 seconds

    [edit] Guest VAP Passwords

    To prevent unauthorized network access, you must use a different wireless password from your normal Wireless Access Point. Though isolated from the LAN, a Guest Network should have a strong password .

    [edit] Guest Access to a Network Device

    To allow the guest network access to a printer, web server, or other network device, add this rule last:

    iptables -I FORWARD -i wl0.1 -o br0 -d -m state --state NEW -j ACCEPT

    [edit] Multi-radio routers

    To have guest VAP’s from multiple radios on the same subnet, create a bridge for them. Multiple interfaces would need their own entries for DNSMasq (and the firewall, if applicable), such as for both wl0.1 and wl1.1. ‘Net Isolation’ (Networking page under br1 section) will not isolate all interfaces from the primary network.

    • This may depend on the interfaces bridged via br1, so be sure to test
    • To be safe, add firewall rules to block br1 from the subnet and router, but ensure the guest has DHCP & DNS:
    iptables -I INPUT -i br1 -m state --state NEW -j REJECT iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
    • Copy/paste these lines to Administration->Commands, then click Save Firewall
    • To allow this br1 access to a printer, web server, or other network device, add this rule last:
    iptables -I FORWARD -i br1 -o br0 -d -m state --state NEW -j ACCEPT

    [edit] VAP with no WAN

    If the router is not used as a gateway (like an AP, thus WAN and DHCP are disabled, but the same subnet as the primary gateway router), firewall rules are needed for client access restrictions and internet access.

    • Examples: Access Point (AP), Repeater Bridge (RB), & Dual-band Client Bridge + AP: see here
    • To get internet access from the bridge:
    • Administration->Commands: copy/paste these lines then click Save Firewall (Maintain the rules order):
    iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
    • Note that the bridge and/or virtual interface may be different
    • Net Isolation does not work on a WAP so keep it disabled and add this to the firewall:
    iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
    • Also to isolate the WAP itself from the guest network: [Note: not all firmwares have the multiport directive]
    iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT

    For more details on this, see this post. For more on various firewall rules’ impacts, see this post.

    • Settings DNS Target does not work on a WAP if the primary router has Forced DNS Redirection enabled. A workaround is if the AP is running DNSCrypt, set it to use OpenDNS «Family Shield DNS»: also see Guest WiFi + abuse control for beginners.

    Источник

    Guest Network

    A Guest Network is a separate SSID (wireless network ID) using a virtual access point (VAP) that gives guest access to the WAN (internet) while blocking them from your LAN (local network), thereby protecting your security.

    [edit] DNSMasq method

    This uses DNSMasq instead of DHCPd. See VAP with no WAN for setups without a WAN (e.g. WAP), as iptables (Firewall) rules are required for internet access (Multiple DHCP Server is not available with the WAN disabled). In the DD-WRT GUI:

    • Wireless ->Basic Settings: Click Add Virtual AP under Virtual Interfaces and change the SSID if needed
      • Set Network Configuration to Unbridged
      • Enable the following options: AP Isolation, Net Isolation
      • Enable Forced DNS Redirection to prevent users from circumventing content filters (see Public DNS)
      • Set the Optional DNS Target (if needed), IP Address (e.g. 192.168.7.1), and Subnet Mask (255.255.255.0)
      • Example for Broadcom (5 GHz is wl1.1), Atheros is ath0.1 or ath1.1, but depends on the router:
      interface=wl0.1 dhcp-option=wl0.1,3,192.168.7.1 dhcp-range=wl0.1,192.168.7.100,192.168.7.200,255.255.255.0,12h

      [edit] 23020 and later

      Kong added easy Guest Network capability to DD-WRT starting with build 23020. See Guest WiFi + abuse control for beginners

      [edit] Prior to 23020

      1. Section Wireless ->Basic Settings tab
        • “Add” a “Virtual Interface”, give this guest network a separate SSID, and “Enable” “AP Isolation”.
        • Click Save, then Apply
      2. Wireless Security tab: also use a separate password, and WPA2 AES security
        • Click Save, then Apply
      3. Section Setup ->Networking tab
        • Under “Create Bridge” click “Add”, name it, then set a different subnet
        • Under “Assign to Bridge” click “Add», select the new bridge, then assign it to the new virtual interface
        • Click Save, then Apply
      4. Networking tab: under “Multiple DHCP Server” click “Add” and select the new bridge
        • Click Save, then Apply
      5. Section Administration ->Commands tab
      6. Firewall Rules to secure the private network and give the guest network internet access:
        • Copy/paste the below, then click Save Firewall
      iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr` iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

      More Firewall Rules to isolate guest and restrict services’ access:

      iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

      Test the guest network, reboot if not working

      [edit] Notes

      The Multiple WLANs wiki is deprecated (use only for old builds) and mentioned just for reference.

      [edit] No VAP at boot (Broadcom)

      If the VAP does not work at boot (fixed for some unbridged VAPs since r40564:40566), there are workarounds:

      • Administration ->Commands and try one of these startup commands then Save Startup
      sleep #; stopservice nas;stopservice wlconf;startservice wlconf;startservice nas sleep #; stopservice cron; stopservice wlconf; wlconf eth1 up; wlconf eth2 up; startservice cron sleep #; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas

      where «#» is the sleep time from ~3-20 (sec): start with 10 seconds

      [edit] Guest VAP Passwords

      To prevent unauthorized network access, you must use a different wireless password from your normal Wireless Access Point. Though isolated from the LAN, a Guest Network should have a strong password .

      [edit] Guest Access to a Network Device

      To allow the guest network access to a printer, web server, or other network device, add this rule last:

      iptables -I FORWARD -i wl0.1 -o br0 -d -m state --state NEW -j ACCEPT

      [edit] Multi-radio routers

      To have guest VAP’s from multiple radios on the same subnet, create a bridge for them. Multiple interfaces would need their own entries for DNSMasq (and the firewall, if applicable), such as for both wl0.1 and wl1.1. ‘Net Isolation’ (Networking page under br1 section) will not isolate all interfaces from the primary network.

      • This may depend on the interfaces bridged via br1, so be sure to test
      • To be safe, add firewall rules to block br1 from the subnet and router, but ensure the guest has DHCP & DNS:
      iptables -I INPUT -i br1 -m state --state NEW -j REJECT iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
      • Copy/paste these lines to Administration->Commands, then click Save Firewall
      • To allow this br1 access to a printer, web server, or other network device, add this rule last:
      iptables -I FORWARD -i br1 -o br0 -d -m state --state NEW -j ACCEPT

      [edit] VAP with no WAN

      If the router is not used as a gateway (like an AP, thus WAN and DHCP are disabled, but the same subnet as the primary gateway router), firewall rules are needed for client access restrictions and internet access.

      • Examples: Access Point (AP), Repeater Bridge (RB), & Dual-band Client Bridge + AP: see here
      • To get internet access from the bridge:
      • Administration->Commands: copy/paste these lines then click Save Firewall (Maintain the rules order):
      iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
      • Note that the bridge and/or virtual interface may be different
      • Net Isolation does not work on a WAP so keep it disabled and add this to the firewall:
      iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
      • Also to isolate the WAP itself from the guest network: [Note: not all firmwares have the multiport directive]
      iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT

      For more details on this, see this post. For more on various firewall rules’ impacts, see this post.

      • Settings DNS Target does not work on a WAP if the primary router has Forced DNS Redirection enabled. A workaround is if the AP is running DNSCrypt, set it to use OpenDNS «Family Shield DNS»: also see Guest WiFi + abuse control for beginners.

      Источник

      Читайте также:  Redmi note 5ghz wifi
Оцените статью
© 2023 Posetke
Adblock
detector