OpenWrt guest Wi-Fi setup

Guest Wi-Fi using CLI

This page provides a script that creates an additional, separated guest network and a new guest firewall zone on your OpenWrt device. That is, it creates a guest WLAN that only has Internet access and cannot reach your existing LAN.

Step by step

Take your time to read this whole page before starting any configuration, and get at least a rough idea of what the code below is configuring.

Create the guest WLAN as an additional configuration on either your 2.4 or 5 GHz radio, which typically matches @wifi-iface[0] or @wifi-iface[1]. The new guest network will share the channel/frequency with your probably already existing WLANs.

Copy the whole following code block as is into an SSH command prompt of your OpenWrt device and press enter. Alternatively, create and run it as a shell script on your OpenWrt device.

# Configuration parameters
NET_ID="guest"
WIFI_DEV="$(uci -q get wireless.@wifi-iface[0].device)"

# Fetch upstream zone (fw3 is the firewall3 helper; on firewall4/nftables builds
# that ship without the fw3 binary, set FW_WAN to your upstream zone name by hand)
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
FW_WAN="$(fw3 -q network "${NET_IF}")"

# Set up guest WLAN: bridge device, static interface, wifi-iface, DHCP pool,
# firewall zone, forwarding to the upstream zone, and DNS/DHCP input rules
uci -q batch <<-EOF
delete network.${NET_ID}_dev
set network.${NET_ID}_dev=device
set network.${NET_ID}_dev.type=bridge
set network.${NET_ID}_dev.name=br-${NET_ID}
delete network.${NET_ID}
set network.${NET_ID}=interface
set network.${NET_ID}.proto=static
set network.${NET_ID}.device=br-${NET_ID}
set network.${NET_ID}.ipaddr=192.168.3.1
set network.${NET_ID}.netmask=255.255.255.0
commit network
delete wireless.${NET_ID}
set wireless.${NET_ID}=wifi-iface
set wireless.${NET_ID}.device=${WIFI_DEV}
set wireless.${NET_ID}.mode=ap
set wireless.${NET_ID}.network=${NET_ID}
set wireless.${NET_ID}.ssid=${NET_ID}
set wireless.${NET_ID}.encryption=none
commit wireless
delete dhcp.${NET_ID}
set dhcp.${NET_ID}=dhcp
set dhcp.${NET_ID}.interface=${NET_ID}
set dhcp.${NET_ID}.start=100
set dhcp.${NET_ID}.limit=150
set dhcp.${NET_ID}.leasetime=1h
set dhcp.${NET_ID}.netmask=255.255.255.0
commit dhcp
delete firewall.${NET_ID}
set firewall.${NET_ID}=zone
set firewall.${NET_ID}.name=${NET_ID}
set firewall.${NET_ID}.network=${NET_ID}
set firewall.${NET_ID}.input=REJECT
set firewall.${NET_ID}.output=ACCEPT
set firewall.${NET_ID}.forward=REJECT
delete firewall.${NET_ID}_${FW_WAN}
set firewall.${NET_ID}_${FW_WAN}=forwarding
set firewall.${NET_ID}_${FW_WAN}.src=${NET_ID}
set firewall.${NET_ID}_${FW_WAN}.dest=${FW_WAN}
delete firewall.${NET_ID}_dns
set firewall.${NET_ID}_dns=rule
set firewall.${NET_ID}_dns.name=Allow-DNS-${NET_ID}
set firewall.${NET_ID}_dns.src=${NET_ID}
set firewall.${NET_ID}_dns.dest_port=53
add_list firewall.${NET_ID}_dns.proto=tcp
add_list firewall.${NET_ID}_dns.proto=udp
set firewall.${NET_ID}_dns.target=ACCEPT
delete firewall.${NET_ID}_dhcp
set firewall.${NET_ID}_dhcp=rule
set firewall.${NET_ID}_dhcp.name=Allow-DHCP-${NET_ID}
set firewall.${NET_ID}_dhcp.src=${NET_ID}
set firewall.${NET_ID}_dhcp.dest_port=67
set firewall.${NET_ID}_dhcp.proto=udp
set firewall.${NET_ID}_dhcp.family=ipv4
set firewall.${NET_ID}_dhcp.target=ACCEPT
commit firewall
EOF
/etc/init.d/network reload
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart

Explanation of this config code

All the changes will be visible in the web interface afterwards.

A DHCP configuration is created for the "guest" network (assuming that 192.168.3.1/24 does not conflict with anything else on your home network).

Customization

There are endless personal customization options.

Be aware that there are no special Internet firewall restrictions active for your guests in this default config. If you want to restrict your weird guests to the HTTP(S) protocol, block UDP, or apply whatever fancy restriction, you have to add additional customized firewall rules yourself.

You may also have to find individual rules/network setups for your personal situation, e.g. if your guests would like access to your printer or need to stream stuff from their smartphones to your Smart TV. Unfortunately there is no single one-size-fits-all solution for that.


You could go even further and split off a LAN jack using a custom VLAN configuration and link that split-off LAN jack to the guest network as well, if your guests prefer a wired connection.

Manual rollback

If you ever want to get rid of the customization created by this script, simply open your OpenWrt web interface.

On demand usage

You may not have guests hanging out in your house all week long. You do not have to delete the whole config when your guests leave: you can just enter the OpenWrt web interface and enable or disable the guest WLAN at will.


Except where otherwise noted, content on this wiki is licensed under the following license:
CC Attribution-Share Alike 4.0 International


Guest Wi-Fi using LuCI

Guest Wi-Fi provides Internet access to your guests, with firewall rules that isolate the guest network from the rest of your network. This recipe is based on the more comprehensive Guest Wi-Fi basics, providing a more user-friendly approach through the LuCI web interface.

Note that all MAC addresses have been redacted from the screenshots.

Create and configure a new wireless controller

After logging into the web-interface, manoeuvre to the Wireless page under Network. Click Add over the wireless controller (e.g., the 2.4 GHz radio) you want to have your guest network on. A new interface will be added as shown here:

As you can see, our new wireless controller is created, and we named it guest. Next up is configuring it. Choose the Edit option for the controller. You will need to create a new network; as you can see, we named our new network guest here:

Also, be sure to set up wireless security if you want to protect the connection.

Configure the new interface

Now, if you manoeuvre to the Interfaces page under Network, you should see your new interface, looking similar to this:

You will need to configure your interface before it is useful. Choose Edit, pick the protocol Static address, and fill out your chosen IPv4 address. We chose 192.168.3.1 here, but you may have different preferences. However, avoid using 192.168.1.1 or 10.0.0.1, as they may already be in use and prevent your guests from acquiring IP addresses. Remember to set the netmask. If you are using a newer version of the web interface, the netmask must be entered together with the IPv4 address, for example 192.168.3.1/24. You will also need to enable DHCP; we chose to go with the default options here except for the Leasetime, which is only one hour, suitable for environments where a large number of guests connect and leave throughout the day.


Set IP address and netmask for the guests and enable DHCP

Notice that you have a Firewall Settings tab to the far right of the General Setup tab. Make sure you visit this tab, and create a new zone for your guest, like we have done here:

Configure the firewall

Now you are just about done. The last thing we need to do is to allow traffic between your guest network and WAN in the firewall. Go to the Firewall page under Network and choose Edit for your guest zone. Set Input to REJECT and tick wan under Allow forward to destination zones. Correctly configured, it should look like this:

Check that your Guest interface has access to WAN and that Input is set to REJECT

Remember to click Save & Apply. The last thing we need to do is to give our guests access to the Internet.

Right now neither DNS nor DHCP traffic will be accepted. We need to create two rules, which we can do from the Traffic rules tab under the Firewall tab. Both rules can be entered under Open ports on router. We name the first one Guest DNS here (you can name it what you want), selecting both TCP and UDP and port 53:

Enter new rule to allow DNS traffic from guests

We need to configure the rule, so choose to edit it. Set Source zone to guest, and set Destination zone to Device (input) like shown here:

Set Source zone to Guest and Destination zone to Device

Similarly, create a new rule to allow DHCP for guests. We name this rule Guest DHCP, choose UDP as protocol, and set 67 as the port. Again edit the rule, setting Source zone to guest and Destination zone to Device (input). When you are done it should look like this:

Cross check that your two rules have the same set-up

If you had firewall rules to implement Parental Control, you might have to review them now. If the Reject rules were defined with LAN as Source Zone, they will not apply to the Guest network.

Troubleshooting

If you are able to connect to the guest wireless network and also get an IP address from the DHCP server but cannot access the Internet, make sure the guest interface has a netmask configured. If you forget to set it, the default /32 netmask will not work.




Guest Wi-Fi basics

Set up a wireless interface bound to the guest network interface.

# Configure wireless: a wifi-iface on the first radio, attached to the guest network
WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"
uci -q delete wireless.guest
uci set wireless.guest="wifi-iface"
uci set wireless.guest.device="${WIFI_DEV}"
uci set wireless.guest.mode="ap"
uci set wireless.guest.network="guest"
uci set wireless.guest.ssid="guest"
uci set wireless.guest.encryption="none"
uci commit wireless
wifi reload

Secure the guest network and isolate its clients if necessary.

3. DHCP

Configure a DHCP pool for the guest network.

# Configure DHCP: make dnsmasq listen on br-guest and hand out 192.168.3.100-249
uci -q delete dhcp.guest
uci del_list dhcp.@dnsmasq[0].interface=br-guest
uci add_list dhcp.@dnsmasq[0].interface=br-guest
uci set dhcp.guest="dhcp"
uci set dhcp.guest.interface="guest"
uci set dhcp.guest.start="100"
uci set dhcp.guest.limit="150"
uci set dhcp.guest.leasetime="1h"
uci set dhcp.guest.netmask="255.255.255.0"
uci commit dhcp
/etc/init.d/dnsmasq restart

4. Firewall

Configure the firewall for the guest network: allow traffic to be forwarded from the guest network to WAN, and allow DHCP requests and DNS queries to the router.

# Configure firewall: guest zone rejects input and forwarding by default
uci -q delete firewall.guest
uci set firewall.guest="zone"
uci set firewall.guest.name="guest"
uci set firewall.guest.network="guest"
uci set firewall.guest.input="REJECT"
uci set firewall.guest.output="ACCEPT"
uci set firewall.guest.forward="REJECT"
# forwarding from guest to wan only
uci -q delete firewall.guest_wan
uci set firewall.guest_wan="forwarding"
uci set firewall.guest_wan.src="guest"
uci set firewall.guest_wan.dest="wan"
# DNS queries to the router
uci -q delete firewall.guest_dns
uci set firewall.guest_dns="rule"
uci set firewall.guest_dns.name="Allow-DNS-Guest"
uci set firewall.guest_dns.src="guest"
uci set firewall.guest_dns.dest_port="53"
uci set firewall.guest_dns.proto="tcp udp"
uci set firewall.guest_dns.target="ACCEPT"
# DHCP requests to the router
uci -q delete firewall.guest_dhcp
uci set firewall.guest_dhcp="rule"
uci set firewall.guest_dhcp.name="Allow-DHCP-Guest"
uci set firewall.guest_dhcp.src="guest"
uci set firewall.guest_dhcp.dest_port="67"
uci set firewall.guest_dhcp.proto="udp"
uci set firewall.guest_dhcp.family="ipv4"
uci set firewall.guest_dhcp.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
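As an added example (not the OpenWrt wiki's own code), the following POSIX sh audit checks a saved dump of uci show firewall; uci show wireless for the isolation properties that this firewall step and the "Guest Wi-Fi using CLI" script set up: zone policy REJECT, guest forwarding only to the upstream zone, only DNS and DHCP accepted on the router, and a secured, client-isolated SSID. It assumes the upstream zone is named wan and that the zone, network and wifi-iface share one id; the sample dumps are constructed.

```shell
# Added example, not the OpenWrt wiki's code: audit a guest zone for the isolation
# properties the pages above configure. Input is the text of
#   uci show firewall; uci show wireless
# POSIX sh (OpenWrt ash) with sed only; exit status 0 means every check passed.
val() {  # val <dump> <key>: value of key=... with uci show's quoting stripped
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | sed "s/' '/ /g; s/^'//; s/'\$//" | head -n 1
}
audit_guest() {  # audit_guest <zone/network/wifi-iface id> <dump text>
    net="$1"; dump="$2"; fail=0
    # 1. Zone policy: no router access and no forwarding unless explicitly allowed.
    [ "$(val "$dump" "firewall.$net.input")" = REJECT ] || { echo "FAIL: $net input != REJECT"; fail=1; }
    [ "$(val "$dump" "firewall.$net.forward")" = REJECT ] || { echo "FAIL: $net forward != REJECT"; fail=1; }
    # 2. Walk every forwarding and rule whose src is the guest zone.
    for sec in $(printf '%s\n' "$dump" | sed -n "s/^firewall\.\([^.]*\)\.src='\{0,1\}$net'\{0,1\}\$/\1/p"); do
        case "$(val "$dump" "firewall.$sec")" in
        forwarding)  # guests may be forwarded to wan (assumed upstream zone name) only
            dest=$(val "$dump" "firewall.$sec.dest")
            [ "$dest" = wan ] || { echo "FAIL: forwarding $sec lets $net reach $dest"; fail=1; } ;;
        rule)  # input rules (no dest) may only open DNS (53) and DHCP (67)
            [ -z "$(val "$dump" "firewall.$sec.dest")" ] || continue
            port=$(val "$dump" "firewall.$sec.dest_port")
            case "$port" in 53|67) ;; *) echo "FAIL: rule $sec opens port '$port' on the router"; fail=1 ;; esac ;;
        esac
    done
    # 3. Wireless: the CLI script leaves the SSID open; client isolation is also worth checking.
    enc=$(val "$dump" "wireless.$net.encryption")
    [ -n "$enc" ] && [ "$enc" != none ] || { echo "WARN: SSID $net is open (encryption=${enc:-unset})"; fail=1; }
    [ "$(val "$dump" "wireless.$net.isolate")" = 1 ] || { echo "WARN: $net lacks isolate=1, guests can reach each other"; fail=1; }
    return $fail
}
sample_cli_dump() {  # constructed dump: the state the CLI script on this page leaves behind
    cat <<'EOF'
firewall.guest=zone
firewall.guest.input='REJECT'
firewall.guest.forward='REJECT'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_dns=rule
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
wireless.guest=wifi-iface
wireless.guest.encryption='none'
EOF
}
sample_hardened_dump() {  # same config after WPA3-SAE and client isolation are set
    sample_cli_dump | sed "s/encryption='none'/encryption='sae'/"; echo "wireless.guest.isolate='1'"
}
```

On the router itself, run audit_guest guest "$(uci show firewall; uci show wireless)" and read the FAIL/WARN lines.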

Testing

Connect to the guest network. Check your internet connectivity.

Use ping, ping6 or nmap to verify your firewall configuration.

Troubleshooting

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/network restart
/etc/init.d/dnsmasq restart; /etc/init.d/firewall restart

# Log and status
logread; netstat -l -n -p | grep -e dnsmasq

# Runtime configuration
pgrep -f -a dnsmasq
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

# Persistent configuration
uci show network; uci show wireless; uci show dhcp; uci show firewall

