Guest WLAN basic

Introduction

  • Guest WLAN provides an open wireless network which is independent from your main WLAN.
  • Guest clients are provided with internet connectivity and restricted LAN connectivity.
  • See Guest WLAN extras for additional tuning, and Guest WLAN with LuCI to configure guest WLAN using the web interface.
  • Some hardware or drivers might not support multi-SSID, e.g. Broadcom requires the proprietary driver.
  • Multi-SSID decreases your data bandwidth, so update the firmware or try other devices if you experience an unstable network.

Goals

  • Create an open wireless network independent from the main WLAN.
  • Provide internet connectivity to guest clients and restrict LAN connectivity.

Instructions

1. Network

Set up a guest network interface.

# Configure network
uci -q delete network.guest
uci set network.guest="interface"
uci set network.guest.proto="static"
uci set network.guest.ipaddr="192.168.3.1"
uci set network.guest.netmask="255.255.255.0"
uci commit network
/etc/init.d/network restart

2. Wireless

Set up a wireless interface bound to the guest network interface.

# Configure wireless
WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"
uci -q delete wireless.guest
uci set wireless.guest="wifi-iface"
uci set wireless.guest.device="${WIFI_DEV}"
uci set wireless.guest.mode="ap"
uci set wireless.guest.network="guest"
uci set wireless.guest.ssid="guest"
uci set wireless.guest.encryption="none"
uci commit wireless
wifi reload

3. DHCP

Configure a DHCP pool for the guest network.

# Configure DHCP
uci -q delete dhcp.guest
uci set dhcp.guest="dhcp"
uci set dhcp.guest.interface="guest"
uci set dhcp.guest.start="100"
uci set dhcp.guest.limit="150"
uci set dhcp.guest.leasetime="1h"
uci commit dhcp
/etc/init.d/dnsmasq restart

4. Firewall

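Configure the firewall for the guest network. Allow forwarding of traffic from the guest network to WAN. Allow DHCP requests and DNS queries. The zone's default input and forward policies are REJECT, so everything else from guests to the router or to other zones is refused.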

# Configure firewall
uci -q delete firewall.guest
uci set firewall.guest="zone"
uci set firewall.guest.name="guest"
uci set firewall.guest.network="guest"
uci set firewall.guest.input="REJECT"
uci set firewall.guest.output="ACCEPT"
uci set firewall.guest.forward="REJECT"
uci -q delete firewall.guest_wan
uci set firewall.guest_wan="forwarding"
uci set firewall.guest_wan.src="guest"
uci set firewall.guest_wan.dest="wan"
uci -q delete firewall.guest_dns
uci set firewall.guest_dns="rule"
uci set firewall.guest_dns.name="Allow-DNS-Guest"
uci set firewall.guest_dns.src="guest"
uci set firewall.guest_dns.dest_port="53"
uci set firewall.guest_dns.proto="tcpudp"
uci set firewall.guest_dns.target="ACCEPT"
uci -q delete firewall.guest_dhcp
uci set firewall.guest_dhcp="rule"
uci set firewall.guest_dhcp.name="Allow-DHCP-Guest"
uci set firewall.guest_dhcp.src="guest"
uci set firewall.guest_dhcp.dest_port="67"
uci set firewall.guest_dhcp.family="ipv4"
uci set firewall.guest_dhcp.proto="udp"
uci set firewall.guest_dhcp.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Testing

Connect to the guest WLAN. Check your internet connectivity.

Use ping, ping6 or nmap to verify your firewall configuration.
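
A complementary static check, as an added example that is not part of the original wiki page: the function below reads `uci show firewall` output and confirms the guest zone matches step 4 (input and forward rejected, forwarding only to wan, only ports 53 and 67 open on the router). The function and sample names are hypothetical, and the sample data is constructed.

```shell
# Audit `uci show firewall` text on stdin for the guest zone ($1, default
# "guest"). Prints FAIL lines and returns non-zero unless the zone is isolated.
audit_guest_fw() {
    awk -v zone="${1:-guest}" '
    function bad(msg) { print "FAIL: " msg; fail = 1 }
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/\047/, "", val)              # strip the quotes uci prints
        n = split(key, k, ".")
        if (n == 2) { type[k[2]] = val; order[++cnt] = k[2] }
        else if (n == 3) opt[k[2], k[3]] = val
    }
    END {
        for (i = 1; i <= cnt; i++) {
            s = order[i]
            if (type[s] == "zone" && opt[s, "name"] == zone) {
                found = 1
                if (opt[s, "input"] !~ /^(REJECT|DROP)$/) bad("zone input=" opt[s, "input"])
                if (opt[s, "forward"] !~ /^(REJECT|DROP)$/) bad("zone forward=" opt[s, "forward"])
            }
            # Guests may only be forwarded to wan.
            if (type[s] == "forwarding" && opt[s, "src"] == zone && opt[s, "dest"] != "wan")
                bad("forwarding " zone " -> " opt[s, "dest"])
            # A rule without dest opens a port on the router: DNS and DHCP only.
            if (type[s] == "rule" && opt[s, "src"] == zone && opt[s, "dest"] == "" &&
                opt[s, "target"] == "ACCEPT" && opt[s, "dest_port"] !~ /^(53|67)$/)
                bad("router port open to guests: " opt[s, "dest_port"])
        }
        if (!found) bad("no zone named " zone)
        exit fail + 0
    }'
}

# Constructed sample: part of the page's step 4 as `uci show firewall` prints it.
sample_page() {
    printf '%s\n' "firewall.guest=zone" "firewall.guest.name='guest'" \
        "firewall.guest.input='REJECT'" "firewall.guest.forward='REJECT'" \
        "firewall.guest_wan=forwarding" "firewall.guest_wan.src='guest'" \
        "firewall.guest_wan.dest='wan'" "firewall.guest_dns=rule" \
        "firewall.guest_dns.src='guest'" "firewall.guest_dns.dest_port='53'" \
        "firewall.guest_dns.target='ACCEPT'"
}
# Constructed misconfiguration: an extra forwarding that lets guests reach lan.
sample_leaky() {
    sample_page
    printf '%s\n' "firewall.leak=forwarding" "firewall.leak.src='guest'" \
        "firewall.leak.dest='lan'"
}
```

On the router, run it as `uci show firewall | audit_guest_fw`.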

Troubleshooting

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/network restart; /etc/init.d/dnsmasq restart; /etc/init.d/firewall restart
 
# Log and status
logread; netstat -l -n -p | grep -e dnsmasq
 
# Runtime configuration
pgrep -f -a dnsmasq
ip address show; ip route show table all type unicast
ip rule show; ip -6 rule show; iptables-save; ip6tables-save
 
# Persistent configuration
uci show network; uci show wireless; uci show dhcp; uci show firewall
docs/guide-user/network/wifi/guestwifi/guest-wlan.txt · Last modified: 2020/09/21 14:39 by vgaetera