Configure a guest WLAN
Configuration
The changes below assume an OpenWrt default configuration; the relevant files are:
- /etc/config/network
- /etc/config/wireless
- /etc/config/dhcp
- /etc/config/firewall
- /etc/config/wshaper
Step 1: Define a new network
Edit /etc/config/network and define a new interface section:
[..]
config 'interface' 'guest'
    # option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'
[..]
The new network interface has to be configured as a bridge (uncomment the option 'type' 'bridge' line) if your router has more than one radio or access point and you want to attach more than one of them to the guest network.
Step 2: Copy the existing wireless network
In /etc/config/wireless, define a new, second wifi-iface section by copying the existing one and changing its network option to point to the newly created interface section. The example below leaves the guest SSID open with encryption 'none'; the firewall zone defined in Step 4 is what keeps such clients away from the rest of the network.
[..]
config 'wifi-iface'
    option 'device' '…'
    option 'mode' 'ap'
    option 'network' 'guest'
    option 'ssid' 'guest'
    option 'encryption' 'none'
[..]
For option 'device' '…' put the device name listed in your 'wifi-device' section. For example, if your 'wifi-device' section reads config 'wifi-device' 'wifi0', then the wifi-iface section should say option 'device' 'wifi0'.
Note: Your hardware may not be capable of this. For example, the open source b43 driver for Broadcom hardware cannot have multiple SSIDs. You need to use the proprietary wl driver by Broadcom (with 2.6 kernel) - currently, you need to build the images yourself. — sup 2012/05/12 20:22
Step 3: Define a new DHCP pool
In order to support DHCP on the 'guest' wireless network, a new dhcp pool must be defined in /etc/config/dhcp:
[..]
config 'dhcp' 'guest'
    option 'interface' 'guest'
    option 'start' '150'
    option 'limit' '100'
    option 'leasetime' '1h'
[..]
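The pool that dnsmasq hands out follows from the Step 1 and Step 3 values: in /etc/config/dhcp, start is an offset from the interface's network address and limit is the number of addresses in the pool, so 10.0.0.1/24 with start 150 and limit 100 serves 10.0.0.150 through 10.0.0.249. The POSIX sh check below is an added example, not part of the wiki page; it computes the first and last pool address for any address, netmask, start and limit (so it goes beyond the /24 case above) and fails when the pool would run past the last usable host or include the router's own address. The sample values at the bottom are the ones from the snippets above.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki: compute the pool that dnsmasq will
# serve from the Step 1 / Step 3 values and reject a pool that does not fit.

# ip2int / int2ip: dotted quad <-> 32-bit integer, pure POSIX sh arithmetic.
ip2int() {
	_ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
	echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}
int2ip() {
	echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# dhcp_pool_range IPADDR NETMASK START LIMIT
# Prints "FIRST LAST". In OpenWrt's dhcp config START is an offset from the
# network address and LIMIT the number of addresses, so 10.0.0.1/24 with
# start 150 and limit 100 yields "10.0.0.150 10.0.0.249". Returns 1 when the
# pool would run past the last usable host or include the router's address.
dhcp_pool_range() {
	ip=$(ip2int "$1"); mask=$(ip2int "$2")
	net=$(( ip & mask ))                       # network address, e.g. 10.0.0.0
	bcast=$(( net + (4294967295 - mask) ))     # broadcast address, e.g. 10.0.0.255
	first=$(( net + $3 ))
	last=$(( first + $4 - 1 ))
	printf '%s %s\n' "$(int2ip "$first")" "$(int2ip "$last")"
	[ "$first" -gt "$net" ] && [ "$last" -lt "$bcast" ] &&
		{ [ "$ip" -lt "$first" ] || [ "$ip" -gt "$last" ]; }
}

# The values from the Step 1 and Step 3 snippets.
if range=$(dhcp_pool_range 10.0.0.1 255.255.255.0 150 100); then
	echo "guest pool: $range"
else
	echo "guest pool does not fit the subnet: $range"
fi
```

Run it on the router or any machine with a POSIX shell; a limit that pushes the pool past .254 (for example start 200 with limit 100) makes the function return 1, which is the case to catch before clients start getting no lease at all.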
Step 4a: Adjust firewall settings
Edit /etc/config/firewall and add a new zone section covering the 'guest' interface; allow guests to reach the internet, and to reach the router only for DNS and DHCP:
[..]
config 'zone'
    option 'name' 'guest'
    option 'input' 'REJECT'
    option 'forward' 'REJECT'
    option 'output' 'ACCEPT'

# Allow Guest -> Internet
config 'forwarding'
    option 'src' 'guest'
    option 'dest' 'wan'

# Allow DNS Guest -> Router
# Client DNS queries originate from dynamic UDP ports (>1023)
config 'rule'
    option 'src' 'guest'
    option 'dest_port' '53'
    option 'proto' 'tcpudp'
    option 'target' 'ACCEPT'

# Allow DHCP Guest -> Router
# DHCP communication uses UDP ports 67-68
config 'rule'
    option 'src' 'guest'
    option 'src_port' '67-68'
    option 'dest_port' '67-68'
    option 'proto' 'udp'
    option 'target' 'ACCEPT'
[..]
— sartan 2011/03/17 05:45
Step 4b: Different modifications to firewall settings
I created this small set of firewall rules to completely isolate guests on the guest SSID. I had some devices that only worked with WEP or no authentication at all. WEP doesn't like to run on .11n devices in HT mode, so the only option was a wide-open SSID. I also didn't want my neighbors to quickly steal my internet… This firewall config will only allow specific, known source MACs to connect to the internet, with zero access to the rest of the network.
Edit /etc/config/firewall and add a new zone section covering the 'guest' interface, allow SSH, DNS and DHCP to guests, allow only specific source MAC addresses out to the WAN, drop broadcast traffic and deny the rest:
[..]
# Enable logging
config 'zone'
    option 'name' 'guest'
    option 'input' 'REJECT'
    option 'forward' 'REJECT'
    option 'output' 'ACCEPT'

# Quick rule to allow SSH in
config 'rule'
    option 'src' 'guest'
    option 'dest_port' '22'
    option 'proto' 'tcp'
    option 'target' 'ACCEPT'

# Allow DNS Guest -> Router
config 'rule'
    option 'src' 'guest'
    option 'dest_port' '53'
    option 'proto' 'tcpudp'
    option 'target' 'ACCEPT'

# Allow DHCP Guest -> Router
config 'rule'
    option 'src' 'guest'
    option 'src_port' '67-68'
    option 'dest_port' '67-68'
    option 'proto' 'udp'
    option 'target' 'ACCEPT'

# Allow only specific source MAC addresses out to the WAN
config 'rule'
    option '_name' 'Nintendo DS'
    option 'src' 'guest'
    option 'dest' 'wan'
    option 'proto' 'all'
    option 'src_mac' '00:ab:00:32:00:00'
    option 'target' 'ACCEPT'

# Drop broadcast traffic, it just fills the logs :)
config 'rule'
    option 'src' 'guest'
    option 'dest_ip' '172.16.62.255'
    option 'target' 'DROP'

# Another explicit deny at the end.
config 'rule'
    option 'src' 'guest'
    option 'dest' 'wan'
    option 'proto' 'all'
    option 'target' 'REJECT'
[..]
Step 5: Limit bandwidth of the connection
This step is optional. Install the wshaper package:
opkg install wshaper
Edit /etc/config/wshaper:
config 'wshaper' 'settings'
    option 'network' '…'
    option 'downlink' '512'
    option 'uplink' '128'
For option 'network' '…', run iwconfig and find out which interface is running the guest WLAN.
Note: the downlink and uplink options are upper limits; in practice the speed will be lower, because wshaper also prioritizes traffic so that the network stays responsive even when someone downloads a huge file. The units are kbit/s.
Apply changes
- Enable the new wireless network: wifi
- Restart the firewall: /etc/init.d/firewall restart
- Restart the DHCP service: /etc/init.d/dnsmasq restart
- Start traffic shaping: /etc/init.d/wshaper start
- Make traffic shaping permanent: /etc/init.d/wshaper enable
Troubleshooting
If guest clients don't get an IP address from DHCP, check that dnsmasq listens on the guest interface: when the dnsmasq section in /etc/config/dhcp restricts listening with list 'interface' entries, the guest interface must be listed too.
[..]
config 'dnsmasq'
    [..]
    list 'interface' 'lan'
    list 'interface' 'guest'
[..]
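Two checks on the files edited in Step 4a and in this troubleshooting section, added here as an example (this is not code from the wiki or from OpenWrt). audit_guest_firewall flattens a UCI firewall file and reports a guest zone whose input or forward policy is not REJECT/DROP, any forwarding from guest to a zone other than wan, and any ACCEPT rule without a dest (such rules match traffic to the router itself) that opens a router port other than DNS (53) and DHCP (67-68). dnsmasq_serves_guest reports a dnsmasq section whose list 'interface' entries leave guest out, which is exactly the situation this section describes. The configs at the bottom are constructed samples modelled on the Step 4a snippet; the first one is clean, the second adds a forwarding into lan and an SSH rule like the one in Step 4b, so that both findings are shown. A management port opened to guests is reported on purpose, so that it stays a deliberate choice rather than an oversight.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki: audit the 'guest' zone in an
# /etc/config/firewall-style file and check that dnsmasq will hand out leases
# on the guest interface. Configs below are constructed samples.

# uci_flatten: read UCI syntax on stdin, print one "TYPE.N.KEY=VALUE" line per
# option or list entry, where N is the position of the section in the file.
uci_flatten() {
	awk -v q="'" '
	{ gsub(q, ""); sub(/[ \t]*#.*/, "") }                    # drop quotes and comments
	$1 == "config" { n++; type = $2; next }
	($1 == "option" || $1 == "list") && n {
		key = $2
		sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]*/, "")   # $0 becomes the bare value
		print type "." n "." key "=" $0
	}'
}

# audit_guest_firewall: read /etc/config/firewall on stdin; print one FINDING
# line per weakness and return 1 if any was found.
audit_guest_firewall() {
	uci_flatten | awk '
	function finding(msg) { print "FINDING: " msg; found = 1 }
	{
		eq = index($0, "="); split(substr($0, 1, eq - 1), k, ".")
		n = k[2] + 0; t[n] = k[1]; v[n, k[3]] = substr($0, eq + 1)
		if (n > max) max = n
	}
	END {
		for (i = 1; i <= max; i++) {
			if (t[i] == "zone" && v[i, "name"] == "guest") {
				zone = i
				if (v[i, "input"] != "REJECT" && v[i, "input"] != "DROP")
					finding("guest zone input policy is " (v[i, "input"] == "" ? "unset" : v[i, "input"]) ", router services are open to every guest")
				if (v[i, "forward"] != "REJECT" && v[i, "forward"] != "DROP")
					finding("guest zone forward policy is " (v[i, "forward"] == "" ? "unset" : v[i, "forward"]))
			}
			if (t[i] == "forwarding" && v[i, "src"] == "guest" && v[i, "dest"] != "wan")
				finding("forwarding guest -> " v[i, "dest"] " gives guests a path into an internal zone")
			# a rule without dest matches traffic to the router itself (input chain)
			if (t[i] == "rule" && v[i, "src"] == "guest" && v[i, "dest"] == "" && v[i, "target"] == "ACCEPT") {
				p = v[i, "dest_port"]
				if (p != "53" && p != "67-68")
					finding("guests may reach router port " (p == "" ? "any" : p) ", only DNS (53) and DHCP (67-68) are expected")
			}
		}
		if (!zone) finding("no zone named guest")
		exit found
	}'
}

# dnsmasq_serves_guest: read /etc/config/dhcp on stdin. dnsmasq listens on every
# interface unless the dnsmasq section carries list interface entries, in which
# case guest must be one of them. Returns 0 when guest will be served.
dnsmasq_serves_guest() {
	uci_flatten | awk '
	/^dnsmasq\.[0-9]+\.interface=/ { restricted = 1; if ($0 ~ /=guest$/) listed = 1 }
	END { exit (restricted && !listed) ? 1 : 0 }'
}

# Constructed sample: the Step 4a zone, forwarding and rules.
FIREWALL_GOOD="config 'zone'
	option 'name' 'guest'
	option 'input' 'REJECT'
	option 'forward' 'REJECT'
	option 'output' 'ACCEPT'
# Allow Guest -> Internet
config 'forwarding'
	option 'src' 'guest'
	option 'dest' 'wan'
config 'rule'
	option 'src' 'guest'
	option 'dest_port' '53'
	option 'proto' 'tcpudp'
	option 'target' 'ACCEPT'
config 'rule'
	option 'src' 'guest'
	option 'src_port' '67-68'
	option 'dest_port' '67-68'
	option 'proto' 'udp'
	option 'target' 'ACCEPT'"

# Constructed sample with two things to report: guest forwarded into lan,
# and a router port other than DNS/DHCP opened to guests.
FIREWALL_BAD="$FIREWALL_GOOD
config 'forwarding'
	option 'src' 'guest'
	option 'dest' 'lan'
config 'rule'
	option 'src' 'guest'
	option 'dest_port' '22'
	option 'proto' 'tcp'
	option 'target' 'ACCEPT'"

# Constructed dnsmasq sections: one listening on lan only, one on lan and guest.
DHCP_LAN_ONLY="config 'dnsmasq'
	option 'domainneeded' '1'
	list 'interface' 'lan'"
DHCP_BOTH="$DHCP_LAN_ONLY
	list 'interface' 'guest'"

if printf '%s\n' "$FIREWALL_BAD" | audit_guest_firewall; then
	echo "firewall: guest zone looks isolated"
fi
if printf '%s\n' "$DHCP_LAN_ONLY" | dnsmasq_serves_guest; then
	echo "dnsmasq: guest interface is served"
else
	echo "dnsmasq: add \"list 'interface' 'guest'\" to the dnsmasq section"
fi
```

On a router, feed the live files instead of the samples: audit_guest_firewall < /etc/config/firewall and dnsmasq_serves_guest < /etc/config/dhcp; a non-zero exit status from either is the cue to go back to Step 4 or to this section.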