Guest Wi-Fi extras

Introduction

  • This how-to describes the most common guest Wi-Fi tuning scenarios adapted for OpenWrt.
  • Follow Guest Wi-Fi basics for setting up guest Wi-Fi.

Extras

Dual-band

To offer the guest network on both bands, add a second guest SSID on the other radio. Change the interface ID if required.

# Configure wireless
WIFI_DEV="$(uci get wireless.@wifi-iface[1].device)"
uci -q delete wireless.guest2
uci set wireless.guest2="wifi-iface"
uci set wireless.guest2.device="${WIFI_DEV}"
uci set wireless.guest2.mode="ap"
uci set wireless.guest2.network="guest"
uci set wireless.guest2.ssid="guest2"
uci set wireless.guest2.encryption="none"
uci commit wireless
wifi reload

The following settings should be applied separately for each SSID/band.

Providing encryption

Secure your guest network.

# Configure wireless
WIFI_PSK="GUEST_WIFI_PASSWORD"
uci set wireless.guest.encryption="psk2"
uci set wireless.guest.key="${WIFI_PSK}"
uci commit wireless
wifi reload

Isolating clients

Isolate guest clients from each other. Some hardware or drivers might not support this option.

# Configure wireless
uci set wireless.guest.isolate="1"
uci commit wireless
wifi reload
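Because encryption and isolation are set per SSID, a second guest SSID such as guest2 from the dual-band step stays open and unisolated until the same options are applied to it. The following check is an added example, not part of the original how-to: the `audit_guest_wifi` and `sample_config` helpers are hypothetical, and the sample is constructed text in `uci show wireless` format.

```shell
#!/bin/sh
# Added example. On the router: uci show wireless | audit_guest_wifi guest
audit_guest_wifi() {  # hypothetical helper; reads `uci show wireless` on stdin
    awk -v net="${1:-guest}" -v q="'" '
    {
        eq = index($0, "="); if (!eq) next
        n = split(substr($0, 1, eq - 1), k, ".")
        if (k[1] != "wireless") next
        val = substr($0, eq + 1); sub("^" q, "", val); sub(q "$", "", val)
        if (n == 2) { if (val == "wifi-iface") ifaces[++cnt] = k[2] }
        else opt[k[2], k[3]] = val
    }
    END {
        for (i = 1; i <= cnt; i++) {
            s = ifaces[i]; id = s " (ssid " opt[s, "ssid"] ")"
            # Skip interfaces that are not attached to the audited network
            if (!index(" " opt[s, "network"] " ", " " net " ")) continue
            enc = opt[s, "encryption"]; key = opt[s, "key"]
            if (enc == "" || enc == "none") {
                print id ": open network, no encryption"; bad++
            } else if (enc ~ /^psk/ && key == "GUEST_WIFI_PASSWORD") {
                print id ": placeholder key not replaced"; bad++
            } else if (enc ~ /^psk/ && length(key) < 8) {
                print id ": key shorter than 8 characters"; bad++
            }
            if (opt[s, "isolate"] != "1") { print id ": client isolation off"; bad++ }
        }
        exit (bad > 0)   # status 1 when any finding was printed
    }'
}

sample_config() {  # constructed sample in `uci show wireless` format
    cat <<'EOF'
wireless.default_radio0=wifi-iface
wireless.default_radio0.network='lan'
wireless.guest=wifi-iface
wireless.guest.network='guest'
wireless.guest.ssid='guest'
wireless.guest.encryption='psk2'
wireless.guest.key='constructed-guest-key'
wireless.guest.isolate='1'
wireless.guest2=wifi-iface
wireless.guest2.network='guest'
wireless.guest2.ssid='guest2'
wireless.guest2.encryption='none'
EOF
}

sample_config | audit_guest_wifi guest || echo "guest SSIDs need attention"
```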

ICMP / ICMPv6

Allow incoming ICMP and ICMPv6 traffic. Change the rule IDs if required.

# Configure firewall
uci rename firewall.@rule[1]="icmp"
uci rename firewall.@rule[5]="icmp6"
uci set firewall.icmp.src="*"
uci set firewall.icmp6.src="*"
uci commit firewall
/etc/init.d/firewall restart

IPv6

Enable IPv6 on the guest network. Allow ICMPv6, assign an IPv6 prefix, configure a DHCPv6 pool, allow DHCPv6 requests.

# Configure network
uci set network.guest.ip6assign="60"
uci commit network
/etc/init.d/network restart
 
# Configure DHCP
uci set dhcp.guest.dhcpv6="server"
uci set dhcp.guest.ra="server"
uci commit dhcp
/etc/init.d/odhcpd restart
 
# Configure firewall
uci -q delete firewall.guest_dhcp6
uci set firewall.guest_dhcp6="rule"
uci set firewall.guest_dhcp6.name="dhcp6"
uci set firewall.guest_dhcp6.src="guest"
uci set firewall.guest_dhcp6.dest_port="547"
uci set firewall.guest_dhcp6.family="ipv6"
uci set firewall.guest_dhcp6.proto="udp"
uci set firewall.guest_dhcp6.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Restricting internet access

Allow guest clients to only browse websites.

# Configure firewall
uci -q delete firewall.guest_wan
uci -q delete firewall.guest_fwd
uci set firewall.guest_fwd="rule"
uci set firewall.guest_fwd.name="Allow-HTTP/HTTPS-Guest-Forward"
uci set firewall.guest_fwd.src="guest"
uci set firewall.guest_fwd.dest="wan"
uci add_list firewall.guest_fwd.dest_port="80"
uci add_list firewall.guest_fwd.dest_port="443"
uci set firewall.guest_fwd.proto="tcp"
uci set firewall.guest_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Restricting upstream access / Wireless AP

Allow guest clients to access the internet but restrict upstream access.

# Fetch upstream subnet and zone
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_subnet NET_SUB "${NET_IF}"
FW_WAN="$(fw3 -q network "${NET_IF}")"
 
# Configure firewall
uci -q delete firewall.guest_wan
uci -q delete firewall.guest_fwd
uci set firewall.guest_fwd="rule"
uci set firewall.guest_fwd.name="Allow-Guest-Forward"
uci set firewall.guest_fwd.src="guest"
uci set firewall.guest_fwd.dest="${FW_WAN}"
uci set firewall.guest_fwd.dest_ip="!${NET_SUB%.*}.0/${NET_SUB#*/}"
uci set firewall.guest_fwd.proto="all"
uci set firewall.guest_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Enable masquerading for the LAN zone when using a wireless AP.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci set firewall.lan.masq="1"
uci commit firewall
/etc/init.d/firewall restart

Resolving race conditions

Resolve the race condition with the netifd service.

# Configure DHCP
uci set dhcp.guest.force="1"
uci commit dhcp
/etc/init.d/dnsmasq restart

Limiting bandwidth

Limit the guest client bandwidth with qos-scripts or sqm-scripts.

Multiple network devices

For a network setup that involves two or more network devices (e.g. a router, one or more switches, one or more access points) you need to provide a separate VLAN. On every router, switch or AP, add an interface of type bridge, which puts the wired and wireless guest interfaces in one network.

HotSpot / Captive portal

If you want to set up a simple hotspot for your guest network, take a look at Nodogsplash or WiFiDog.

For a captive portal to a commercial ChilliSpot compatible Hotspot service provider, look at CoovaChilli.

docs/guide-user/network/wifi/guestwifi/extras.txt · Last modified: 2020/10/23 10:42 by vgaetera