Guest Wi-Fi extras

• This how-to describes the most common guest Wi-Fi tuning scenarios adapted for OpenWrt.
• Follow Guest Wi-Fi basics for setting up guest Wi-Fi.

If you want to utilize dual-band. Change the interface ID if necessary.

# Configure wireless
WIFI_DEV="$(uci get wireless.@wifi-iface[1].device)"
uci -q delete wireless.guest2
uci set wireless.guest2="wifi-iface"
uci set wireless.guest2.device="${WIFI_DEV}"
uci set wireless.guest2.mode="ap"
uci set wireless.guest2.network="guest"
uci set wireless.guest2.ssid="guest2"
uci set wireless.guest2.encryption="none"
uci commit wireless
wifi reload

The following settings should be applied separately for each SSID/band.

Secure your guest network.

# Configure wireless
WIFI_PSK="GUEST_WIFI_PASSWORD"
uci set wireless.guest.encryption="psk2"
uci set wireless.guest.key="${WIFI_PSK}"
uci commit wireless
wifi reload

Isolate guest clients from each other. Some hardware or drivers might not support this option.

# Configure wireless
uci set wireless.guest.isolate="1"
uci commit wireless
wifi reload

Allow incoming ICMP and ICMPv6 traffic. Change the rule IDs if necessary. The goal here is to alter the default OpenWRT firewall rules allowing specific ICMP and ICMPv6 types from WAN to instead allow from all source zones. The rules are originally called “Allow-Ping” and “Allow-ICMPv6-Input”.

# Configure firewall
uci rename firewall.@rule[1]="icmp"
uci rename firewall.@rule[5]="icmp6"
uci set firewall.icmp.src="*"
uci set firewall.icmp6.src="*"
uci commit firewall
/etc/init.d/firewall restart

Enable IPv6 on the guest network. Allow ICMPv6, assign an IPv6 prefix, configure a DHCPv6 pool, allow DHCPv6 requests.

# Configure network
uci set network.guest.ip6assign="60"
uci commit network
/etc/init.d/network restart
 
# Configure DHCP
uci set dhcp.guest.dhcpv6="server"
uci set dhcp.guest.ra="server"
uci commit dhcp
/etc/init.d/odhcpd restart
 
# Configure firewall
uci -q delete firewall.guest_dhcp6
uci set firewall.guest_dhcp6="rule"
uci set firewall.guest_dhcp6.name="Allow-DHCPv6-Guest"
uci set firewall.guest_dhcp6.src="guest"
uci set firewall.guest_dhcp6.dest_port="547"
uci set firewall.guest_dhcp6.proto="udp"
uci set firewall.guest_dhcp6.family="ipv6"
uci set firewall.guest_dhcp6.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

While your primary LAN may have legacy devices that only support IPv4, most modern phones, tablets, and laptops fully support IPv6 and so you may be able to run an IPv6 only guest network, by simply not allocating an IPv4 address to the network or providing and DHCPv4 addresses.

To enable IPv6 guests to access legacy IPv4 only websites you need to set up DNS64 + NAT64.

• Set the advertised DNS servers for your guest network to Google DNS64, or your own DNS64 service
• Configure NAT64 on your OpenWrt router to provide network translation (similar how you would otherwise be providing NAT44 from a private IPv4 range).

Allow guest clients to only browse websites.

# Configure firewall
uci -q delete firewall.guest_wan
uci -q delete firewall.guest_fwd
uci set firewall.guest_fwd="rule"
uci set firewall.guest_fwd.name="Allow-HTTP/HTTPS-Guest-Forward"
uci set firewall.guest_fwd.src="guest"
uci set firewall.guest_fwd.dest="wan"
uci add_list firewall.guest_fwd.dest_port="80"
uci add_list firewall.guest_fwd.dest_port="443"
uci set firewall.guest_fwd.proto="tcp"
uci set firewall.guest_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Allow guest clients to access the internet but restrict upstream access.

# Fetch upstream subnet and zone
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_subnet NET_SUB "${NET_IF}"
FW_WAN="$(fw3 -q network "${NET_IF}")"
 
# Configure firewall
uci -q delete firewall.guest_wan
uci -q delete firewall.guest_fwd
uci set firewall.guest_fwd="rule"
uci set firewall.guest_fwd.name="Allow-Guest-Forward"
uci set firewall.guest_fwd.src="guest"
uci set firewall.guest_fwd.dest="${FW_WAN}"
uci set firewall.guest_fwd.dest_ip="!${NET_SUB}"
uci set firewall.guest_fwd.proto="all"
uci set firewall.guest_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Enable masquerading for the LAN zone when using a wireless AP.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci set firewall.lan.masq="1"
uci set firewall.lan.masq_src="!${NET_SUB}"
uci commit firewall
/etc/init.d/firewall restart

Resolve the race condition with netifd service.

# Configure DHCP
uci set dhcp.guest.force="1"
uci commit dhcp
/etc/init.d/dnsmasq restart

Limit the bandwidth of the guest network using kb/s.

opkg update
opkg install qos-scripts
uci -q delete qos.guest
uci set qos.guest="interface"
uci set qos.guest.enabled="1"
uci set qos.guest.upload="5000"
uci set qos.guest.download="80000"
uci commit qos
/etc/init.d/qos restart

For a network setup that involves two or more network devices (e.g. a router, one or more switches, one or more access points) you need to provide a separate VLAN. On every router, switch or AP we add an interface type bridge which will put the wired and wireless guest interfaces in one network.

If you want to setup a simple Hotspot for your guest network, take a look at Nodogsplash or WiFiDog.

For a captive portal to a commercial ChilliSpot compatible Hotspot service provider, look at CoovaChilli.

Automated guest network setup.

URL="https://openwrt.org/_export/code/docs/guide-user/network/wifi/guestwifi/guest-wlan"
cat << EOF > guest-wlan.sh
$(wget -U "" -O - "${URL}?codeblock=0")
$(wget -U "" -O - "${URL}?codeblock=1")
$(wget -U "" -O - "${URL}?codeblock=2")
$(wget -U "" -O - "${URL}?codeblock=3")
EOF
sh guest-wlan.sh