# Guest Wi-Fi extras

This article relies on the following:

- Accessing web interface / command-line interface
- Managing configs / packages / services / logs

## Introduction

This how-to describes the most common guest Wi-Fi tuning scenarios adapted for OpenWrt. Follow Guest Wi-Fi basics for setting up guest Wi-Fi first; the sections below extend that configuration.

## Extras

### Dual-band

If you want to use both bands, add a second guest SSID on the other radio. Change the interface ID (`@wifi-iface[1]`) if the second radio is referenced by a different index on your device.

```sh
# Configure wireless: second guest SSID on the second radio, attached to the same "guest" network
WIFI_DEV="$(uci get wireless.@wifi-iface[1].device)"
uci -q delete wireless.guest2
uci set wireless.guest2="wifi-iface"
uci set wireless.guest2.device="${WIFI_DEV}"
uci set wireless.guest2.mode="ap"
uci set wireless.guest2.network="guest"
uci set wireless.guest2.ssid="guest2"
uci set wireless.guest2.encryption="none"
uci commit wireless
wifi reload
```

The following settings should be applied separately for each SSID/band.

### Providing encryption

Secure your guest network with WPA2-PSK.

```sh
# Configure wireless: WPA2 pre-shared key for the guest SSID
WIFI_PSK="GUEST_WIFI_PASSWORD"
uci set wireless.guest.encryption="psk2"
uci set wireless.guest.key="${WIFI_PSK}"
uci commit wireless
wifi reload
```

### Isolating clients

Isolate guest clients from each other. Some hardware or drivers might not support this option.

```sh
# Configure wireless: block direct traffic between clients of the guest SSID
uci set wireless.guest.isolate="1"
uci commit wireless
wifi reload
```

### ICMP / ICMPv6

Allow incoming ICMP and ICMPv6 traffic. Change the rule IDs if necessary. The goal is to alter the default OpenWrt firewall rules that allow specific ICMP and ICMPv6 types from the WAN zone so that they accept the same types from all source zones (`src="*"`), the guest zone included. The rules are originally called "Allow-Ping" and "Allow-ICMPv6-Input".
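The rename commands in this section address the two default rules by position (`@rule[1]` and `@rule[5]`), and those positions vary between releases and after local edits. The helper below is an added example, not part of the wiki page: it resolves the indices from `uci show firewall` output by rule name and prints the commands with the resolved positions, failing instead of renaming the wrong rule when a name is missing. The dump it parses is a constructed excerpt; on a router, pass the real output of `uci show firewall`.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): resolve firewall rule indices by
# name instead of hard-coding @rule[1] / @rule[5], whose positions differ
# between releases and after local edits.

# Constructed excerpt in the format printed by `uci show firewall`.
# On a router, use the live output instead:  DUMP="$(uci show firewall)"
SAMPLE_DUMP=$(cat <<'EOF'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
EOF
)

# find_rule_index DUMP NAME
# Prints the index N of the first `firewall.@rule[N].name='NAME'` line;
# prints nothing and returns 1 when no rule carries that name.
find_rule_index() {
  idx=$(printf '%s\n' "$1" | awk -F"'" -v want="$2" '
    /^firewall\.@rule\[[0-9]+\]\.name=/ && $2 == want {
      sub(/^firewall\.@rule\[/, ""); sub(/\].*/, ""); print; exit
    }')
  [ -n "$idx" ] && printf '%s\n' "$idx"
}

# emit_icmp_commands DUMP
# Prints the uci commands from this section with the resolved indices, or
# fails (status 1) if either default rule is missing from the dump.
emit_icmp_commands() {
  v4=$(find_rule_index "$1" "Allow-Ping") || return 1
  v6=$(find_rule_index "$1" "Allow-ICMPv6-Input") || return 1
  printf 'uci rename firewall.@rule[%s]="icmp"\n' "$v4"
  printf 'uci rename firewall.@rule[%s]="icmp6"\n' "$v6"
  printf 'uci set firewall.icmp.src="*"\n'
  printf 'uci set firewall.icmp6.src="*"\n'
  printf 'uci commit firewall\n/etc/init.d/firewall restart\n'
}

# Review the output, then run it on the router once it looks right.
emit_icmp_commands "$SAMPLE_DUMP"
```

Run it against a saved `uci show firewall` dump to get the rename commands for your own rule positions; if either name is absent (for example because the default rules were already renamed), it prints nothing and exits non-zero rather than producing commands that would rename an unrelated rule.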
```sh
# Configure firewall: accept the default ICMP/ICMPv6 types from every zone, not only WAN
uci rename firewall.@rule[1]="icmp"
uci rename firewall.@rule[5]="icmp6"
uci set firewall.icmp.src="*"
uci set firewall.icmp6.src="*"
uci commit firewall
/etc/init.d/firewall restart
```

### IPv6

Enable IPv6 on the guest network: allow ICMPv6 (previous section), assign an IPv6 prefix, configure a DHCPv6 pool, and allow DHCPv6 requests from the guest zone.

```sh
# Configure network: delegate a /60 from the upstream prefix to the guest interface
uci set network.guest.ip6assign="60"
uci commit network
/etc/init.d/network restart

# Configure DHCP: serve DHCPv6 and router advertisements on the guest interface
uci set dhcp.guest.dhcpv6="server"
uci set dhcp.guest.ra="server"
uci commit dhcp
/etc/init.d/odhcpd restart

# Configure firewall: let guest clients reach the router's DHCPv6 server (UDP/547)
uci -q delete firewall.guest_dhcp6
uci set firewall.guest_dhcp6="rule"
uci set firewall.guest_dhcp6.name="Allow-DHCPv6-Guest"
uci set firewall.guest_dhcp6.src="guest"
uci set firewall.guest_dhcp6.dest_port="547"
uci set firewall.guest_dhcp6.proto="udp"
uci set firewall.guest_dhcp6.family="ipv6"
uci set firewall.guest_dhcp6.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
```

### IPv6-only guest network

While your primary LAN may have legacy devices that only support IPv4, most modern phones, tablets, and laptops fully support IPv6, so you may be able to run an IPv6-only guest network simply by not allocating an IPv4 address to the network and not providing any DHCPv4 addresses. To let IPv6 guests reach legacy IPv4-only websites you need to set up DNS64 + NAT64:

- Set the advertised DNS servers for your guest network to Google DNS64, or to your own DNS64 service.
- Configure NAT64 on your OpenWrt router to provide network translation (similar to how you would otherwise provide NAT44 from a private IPv4 range).

### Restricting internet access

Allow guest clients to only browse websites.
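Both restriction variants, the port whitelist of `Allow-HTTP/HTTPS-Guest-Forward` in this section and the negated `dest_ip="!SUBNET"` of `Allow-Guest-Forward` in the next, are single ACCEPT rules in the guest-to-WAN forward chain; whatever they do not match falls through to the zone's forward policy (assumed REJECT, as configured in Guest Wi-Fi basics). The script below is an added example, not code from the wiki: it reproduces the two matches in plain shell so you can check which destinations a setting admits before applying it. Note that `network_get_subnet` returns the interface address with its prefix length (for example `192.168.1.2/24`) rather than the network address, so the matcher masks both sides, as the firewall does. The addresses and the upstream subnet are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): evaluate, in plain shell, which
# guest-to-WAN forwards the two restriction rules on this page admit.
# Assumption: the guest zone's forward policy is REJECT (as in Guest Wi-Fi
# basics), so anything a rule does not ACCEPT is rejected.

# ip2int DOTTED_QUAD -> 32-bit integer
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> status 0 when IP lies inside CIDR.
# Both sides are masked, so a host address with prefix length such as
# 192.168.1.2/24 (what network_get_subnet returns) works like 192.168.1.0/24.
in_subnet() {
  case $2 in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2; bits=32 ;;          # bare address: treat as a /32
  esac
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# web_only_verdict PROTO DPORT
# Rule "Allow-HTTP/HTTPS-Guest-Forward": proto tcp, dest_port 80 or 443.
web_only_verdict() {
  if [ "$1" = tcp ] && { [ "$2" = 80 ] || [ "$2" = 443 ]; }; then
    echo ACCEPT
  else
    echo REJECT     # zone default; this also blocks DNS to outside resolvers
  fi
}

# upstream_verdict DEST_IP UPSTREAM_SUBNET
# Rule "Allow-Guest-Forward": proto all, dest_ip="!UPSTREAM_SUBNET".
upstream_verdict() {
  if in_subnet "$1" "$2"; then echo REJECT; else echo ACCEPT; fi
}

# Constructed sample values; on a router NET_SUB comes from network_get_subnet.
UPSTREAM="192.168.1.2/24"
printf 'Allow-Guest-Forward with dest_ip="!%s":\n' "$UPSTREAM"
for dst in 93.184.216.34 192.168.1.1 192.168.1.254 192.168.2.10; do
  printf '  %-16s %s\n' "$dst" "$(upstream_verdict "$dst" "$UPSTREAM")"
done
printf 'Allow-HTTP/HTTPS-Guest-Forward:\n'
for flow in tcp:80 tcp:443 tcp:22 udp:53; do
  printf '  %-16s %s\n' "$flow" "$(web_only_verdict "${flow%:*}" "${flow#*:}")"
done
```

The web-only variant rejects forwarded UDP/53, so guest clients must use the router's own resolver (reached through an input rule, not a forward), while the upstream-restriction variant rejects every host in the upstream subnet, including the upstream router itself, and accepts everything else.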
```sh
# Configure firewall: replace the unrestricted guest->wan forwarding with a rule
# that accepts only TCP 80/443 from the guest zone
uci -q delete firewall.guest_wan
uci -q delete firewall.guest_fwd
uci set firewall.guest_fwd="rule"
uci set firewall.guest_fwd.name="Allow-HTTP/HTTPS-Guest-Forward"
uci set firewall.guest_fwd.src="guest"
uci set firewall.guest_fwd.dest="wan"
uci add_list firewall.guest_fwd.dest_port="80"
uci add_list firewall.guest_fwd.dest_port="443"
uci set firewall.guest_fwd.proto="tcp"
uci set firewall.guest_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
```

### Restricting upstream access / Wireless AP

Allow guest clients to access the internet but restrict access to the upstream network (the subnet the router's WAN interface sits in).

```sh
# Fetch upstream subnet and zone
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_subnet NET_SUB "${NET_IF}"
# Zone that contains the upstream interface, resolved with fw3
FW_WAN="$(fw3 -q network "${NET_IF}")"

# Configure firewall: forward from guest to the upstream zone for any destination
# except the upstream subnet itself
uci -q delete firewall.guest_wan
uci -q delete firewall.guest_fwd
uci set firewall.guest_fwd="rule"
uci set firewall.guest_fwd.name="Allow-Guest-Forward"
uci set firewall.guest_fwd.src="guest"
uci set firewall.guest_fwd.dest="${FW_WAN}"
uci set firewall.guest_fwd.dest_ip="!${NET_SUB}"
uci set firewall.guest_fwd.proto="all"
uci set firewall.guest_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
```

Enable masquerading for the LAN zone when using a wireless AP, so guest traffic leaving through the AP's LAN uplink carries the AP's address. This block reuses `NET_SUB` from the previous one.

```sh
# Configure firewall: masquerade guest sources only; traffic already sourced
# from the upstream subnet passes unchanged
uci rename firewall.@zone[0]="lan"
uci set firewall.lan.masq="1"
uci set firewall.lan.masq_src="!${NET_SUB}"
uci commit firewall
/etc/init.d/firewall restart
```

### Resolving race conditions

Resolve the race condition with the netifd service by forcing dnsmasq to serve DHCP on the guest interface (`force` makes dnsmasq serve the interface even if another DHCP server is detected on it).

```sh
# Configure DHCP
uci set dhcp.guest.force="1"
uci commit dhcp
/etc/init.d/dnsmasq restart
```

### Limiting bandwidth

Limit the bandwidth of the guest network; the values are in kb/s (kilobits per second).
```sh
# Install qos-scripts and rate-limit the guest interface (upload/download in kb/s)
opkg update
opkg install qos-scripts
uci -q delete qos.guest
uci set qos.guest="interface"
uci set qos.guest.enabled="1"
uci set qos.guest.upload="5000"
uci set qos.guest.download="80000"
uci commit qos
/etc/init.d/qos restart
```

### Multiple network devices

For a network setup that involves two or more network devices (e.g. a router, one or more switches, one or more access points) you need to provide a separate VLAN for the guest network. On every router, switch or AP, add an interface of type bridge that puts the wired (VLAN) and wireless guest interfaces into one network.

### HotSpot / Captive portal

If you want to set up a simple hotspot for your guest network, take a look at Nodogsplash or WiFiDog. For a captive portal to a commercial ChilliSpot-compatible hotspot service provider, look at CoovaChilli.

## Automated

Automated guest network setup. This fetches code blocks 0 to 3 of the Guest Wi-Fi basics page into `guest-wlan.sh`; review the generated file before running it.

```sh
URL="https://openwrt.org/_export/code/docs/guide-user/network/wifi/guestwifi/guest-wlan"
cat << EOF > guest-wlan.sh
$(wget -U "" -O - "${URL}?codeblock=0")
$(wget -U "" -O - "${URL}?codeblock=1")
$(wget -U "" -O - "${URL}?codeblock=2")
$(wget -U "" -O - "${URL}?codeblock=3")
EOF
sh guest-wlan.sh
```

Last modified: 2023/09/20 15:43 by vgaetera