{"id":1909,"date":"2021-10-20T20:47:08","date_gmt":"2021-10-21T00:47:08","guid":{"rendered":"https:\/\/lowtek.ca\/roo\/?p=1909"},"modified":"2021-10-22T09:44:51","modified_gmt":"2021-10-22T13:44:51","slug":"openwrt-guest-network-and-beyond","status":"publish","type":"post","link":"https:\/\/lowtek.ca\/roo\/2021\/openwrt-guest-network-and-beyond\/","title":{"rendered":"OpenWRT Guest Network (and beyond)"},"content":{"rendered":"<p>As my kids get to the age where both they and their friends have devices, this means granting access to our internet to a growing circle of people. OpenWRT has the ability to support guest networks and I&#8217;ve been meaning to set this up for some time.<\/p>\n<p>Beyond simply having a guest network, I also want to set up an IoT network where I can isolate some of the network-enabled things but not give them wide access to the rest of my internal infrastructure.<\/p>\n<p>Let&#8217;s start with a simple guest network setup. This is well <a href=\"https:\/\/openwrt.org\/docs\/guide-user\/network\/wifi\/guestwifi\/guest-wlan\">documented<\/a> on the OpenWRT site. I&#8217;ll be using the CLI instructions to make these changes. 
FWIW this is based on the 21.02.0 version of OpenWRT.<\/p>\n<p>The first part of this will be pretty much copy and paste from the OpenWRT instructions:<\/p>\n<pre class=\"lang:default decode:true \"># Configure network\r\nuci -q delete network.guest_dev\r\nuci set network.guest_dev=\"device\"\r\nuci set network.guest_dev.type=\"bridge\"\r\nuci set network.guest_dev.name=\"br-guest\"\r\nuci -q delete network.guest\r\nuci set network.guest=\"interface\"\r\nuci set network.guest.proto=\"static\"\r\nuci set network.guest.device=\"br-guest\"\r\nuci set network.guest.ipaddr=\"192.168.3.1\"\r\nuci set network.guest.netmask=\"255.255.255.0\"\r\nuci commit network\r\n\/etc\/init.d\/network restart<\/pre>\n<p>I of course modified the <code>ipaddr<\/code> for my setup, but pretty much used the commands as is.<\/p>\n<p>On the Web UI (LuCI) you should now see under Network-&gt;Interfaces a new Guest network. All of the changes landed in the \/etc\/config\/network file.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1910\" src=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interfaces.png\" alt=\"\" width=\"1917\" height=\"250\" srcset=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interfaces.png 1917w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interfaces-500x65.png 500w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interfaces-1024x134.png 1024w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interfaces-768x100.png 768w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interfaces-1536x200.png 1536w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interfaces-1200x156.png 1200w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/p>\n<p>Now we set up a wireless network configuration on the first radio:<\/p>\n<pre class=\"lang:default decode:true \"># 
Configure wireless\r\nWIFI_DEV=\"$(uci get wireless.@wifi-iface[0].device)\"\r\nuci -q delete wireless.guest\r\nuci set wireless.guest=\"wifi-iface\"\r\nuci set wireless.guest.device=\"${WIFI_DEV}\"\r\nuci set wireless.guest.mode=\"ap\"\r\nuci set wireless.guest.network=\"guest\"\r\nuci set wireless.guest.ssid=\"mynetwork-guest\"\r\nuci set wireless.guest.encryption=\"psk2\"\r\nuci set wireless.guest.key=\"Friend Secret\"\r\nuci set wireless.guest.isolate=\"1\"\r\nuci commit wireless\r\nwifi reload<\/pre>\n<p>Again, I&#8217;ve pretty much followed the directions but have customized the SSID and not shared the password. I&#8217;ve rolled in the <a href=\"https:\/\/openwrt.org\/docs\/guide-user\/network\/wifi\/guestwifi\/extras#providing_encryption\">extras<\/a> to isolate guest users and use encryption.<\/p>\n<p>The LuCI web UI now looks a little more concerning (Network-&gt;Wireless)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1913\" src=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless-1.png\" alt=\"\" width=\"1913\" height=\"656\" srcset=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless-1.png 1913w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless-1-500x171.png 500w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless-1-1024x351.png 1024w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless-1-768x263.png 768w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless-1-1536x527.png 1536w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless-1-1200x412.png 1200w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/p>\n<p>But.. 
the previous Network-&gt;Interfaces now seems to have come to life.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1912\" src=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interface2.png\" alt=\"\" width=\"1940\" height=\"338\" srcset=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interface2.png 1940w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interface2-500x87.png 500w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interface2-1024x178.png 1024w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interface2-768x134.png 768w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interface2-1536x268.png 1536w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-interface2-1200x209.png 1200w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/p>\n<p>Still the expected changes are reflected in \/etc\/config\/wireless.<\/p>\n<p>It took a bit of head-scratching, but I figured out what was wrong. I had not specified a wireless.guest.key that met the minimum length (8 to 63 characters) &#8211; this apparently caused everything to go sideways. 
Once I fixed this my new wireless interface came to life.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1915\" src=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless2.png\" alt=\"\" width=\"1918\" height=\"656\" srcset=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless2.png 1918w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless2-500x171.png 500w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless2-1024x350.png 1024w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless2-768x263.png 768w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless2-1536x525.png 1536w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/network-wireless2-1200x410.png 1200w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/p>\n<p>Let&#8217;s continue on with the DHCP configuration<\/p>\n<pre class=\"lang:default decode:true \"># Configure DHCP\r\nuci -q delete dhcp.guest\r\nuci set dhcp.guest=\"dhcp\"\r\nuci set dhcp.guest.interface=\"guest\"\r\nuci set dhcp.guest.start=\"100\"\r\nuci set dhcp.guest.limit=\"150\"\r\nuci set dhcp.guest.leasetime=\"1h\"\r\nuci commit dhcp\r\n\/etc\/init.d\/dnsmasq restart<\/pre>\n<p>And the Firewall<\/p>\n<pre class=\"lang:default decode:true \"># Configure firewall\r\nuci -q delete firewall.guest\r\nuci set firewall.guest=\"zone\"\r\nuci set firewall.guest.name=\"guest\"\r\nuci set firewall.guest.network=\"guest\"\r\nuci set firewall.guest.input=\"REJECT\"\r\nuci set firewall.guest.output=\"ACCEPT\"\r\nuci set firewall.guest.forward=\"REJECT\"\r\nuci -q delete firewall.guest_wan\r\nuci set firewall.guest_wan=\"forwarding\"\r\nuci set firewall.guest_wan.src=\"guest\"\r\nuci set firewall.guest_wan.dest=\"wan\"\r\nuci -q delete firewall.guest_dns\r\nuci set firewall.guest_dns=\"rule\"\r\nuci set 
firewall.guest_dns.name=\"Allow-DNS-Guest\"\r\nuci set firewall.guest_dns.src=\"guest\"\r\nuci set firewall.guest_dns.dest_port=\"53\"\r\nuci set firewall.guest_dns.proto=\"tcp udp\"\r\nuci set firewall.guest_dns.target=\"ACCEPT\"\r\nuci -q delete firewall.guest_dhcp\r\nuci set firewall.guest_dhcp=\"rule\"\r\nuci set firewall.guest_dhcp.name=\"Allow-DHCP-Guest\"\r\nuci set firewall.guest_dhcp.src=\"guest\"\r\nuci set firewall.guest_dhcp.dest_port=\"67\"\r\nuci set firewall.guest_dhcp.proto=\"udp\"\r\nuci set firewall.guest_dhcp.family=\"ipv4\"\r\nuci set firewall.guest_dhcp.target=\"ACCEPT\"\r\nuci commit firewall\r\n\/etc\/init.d\/firewall restart<\/pre>\n<p>Now not only should you be able to see the new WiFi SSID available to connect to, but when you connect you will be isolated from all other devices on the network and only able to see the internet. A network scan will turn up the existence of the router, but attempts to connect to the web UI fail &#8211; that&#8217;s pretty cool isolation.<\/p>\n<p>Devices connected to the guest network still show up in the OpenWRT status page. They are assigned a DHCP address from the network.guest.ipaddr subnet, which is distinct from my normal network.<\/p>\n<p>Apparently I do give up a little performance having two (or more) networks hung off of the same radio, but the utility of having a restrictive guest network is pretty cool.<\/p>\n<p>The Archer C7 has two radios, and we&#8217;ve not configured the guest network on the second radio. 
Let&#8217;s do that now.<\/p>\n<pre class=\"lang:default decode:true \"># RE-Configure wireless\r\nuci -q delete wireless.guest\r\n# Create a guest0 for radio0\r\nWIFI_DEV=\"$(uci get wireless.@wifi-iface[0].device)\"\r\nuci -q delete wireless.guest0\r\nuci set wireless.guest0=\"wifi-iface\"\r\nuci set wireless.guest0.device=\"${WIFI_DEV}\"\r\nuci set wireless.guest0.mode=\"ap\"\r\nuci set wireless.guest0.network=\"guest\"\r\nuci set wireless.guest0.ssid=\"mynetwork-guest\"\r\nuci set wireless.guest0.encryption=\"psk2\"\r\nuci set wireless.guest0.key=\"Friend Secret\"\r\nuci set wireless.guest0.isolate=\"1\"\r\n# And a second one for radio1\r\nWIFI_DEV=\"$(uci get wireless.@wifi-iface[1].device)\"\r\nuci -q delete wireless.guest1\r\nuci set wireless.guest1=\"wifi-iface\"\r\nuci set wireless.guest1.device=\"${WIFI_DEV}\"\r\nuci set wireless.guest1.mode=\"ap\"\r\nuci set wireless.guest1.network=\"guest\"\r\nuci set wireless.guest1.ssid=\"mynetwork-guest\"\r\nuci set wireless.guest1.encryption=\"psk2\"\r\nuci set wireless.guest1.key=\"Friend Secret\"\r\nuci set wireless.guest1.isolate=\"1\"\r\nuci commit wireless\r\nwifi reload<\/pre>\n<p>Cool &#8211; now I have a guest network that is on both radio bands. You&#8217;ll note that I run both access points with the same SSID; this mostly just works and devices figure it out. I even run my dumb AP with the same SSID. This is one approach that works and lets people move around the house with seamless connections.<\/p>\n<p>I do know that some people try to force a device to a particular radio type, and will run their legacy network on a different SSID. This is of course also valid; it really depends what you&#8217;re looking to achieve. I&#8217;m taking the simple-to-configure-devices approach, and giving the devices the responsibility to work out which radio band and which access point to connect to.<\/p>\n<p>Now let&#8217;s create a second &#8216;guest&#8217;-like network for IoT devices. 
This time I&#8217;ll just combine all of the steps together<\/p>\n<pre class=\"lang:default decode:true \"># Configure network\r\nuci -q delete network.iot_dev\r\nuci set network.iot_dev=\"device\"\r\nuci set network.iot_dev.type=\"bridge\"\r\nuci set network.iot_dev.name=\"br-iot\"\r\nuci -q delete network.iot\r\nuci set network.iot=\"interface\"\r\nuci set network.iot.proto=\"static\"\r\nuci set network.iot.device=\"br-iot\"\r\nuci set network.iot.ipaddr=\"192.168.4.1\"\r\nuci set network.iot.netmask=\"255.255.255.0\"\r\nuci commit network\r\n\/etc\/init.d\/network restart\r\n\r\n# Configure wireless - but only radio1 because that\u2019s the old 2.4 and most IoT things live there\r\nuci -q delete wireless.iot\r\nuci set wireless.iot=\"wifi-iface\"\r\nuci set wireless.iot.device=\"radio1\"\r\nuci set wireless.iot.mode=\"ap\"\r\nuci set wireless.iot.network=\"iot\"\r\nuci set wireless.iot.ssid=\"mynetwork-iot\"\r\nuci set wireless.iot.encryption=\"psk2\"\r\nuci set wireless.iot.key=\"IoT Secret Key\"\r\nuci set wireless.iot.isolate=\"1\"\r\nuci commit wireless\r\nwifi reload\r\n\r\n# Configure DHCP\r\nuci -q delete dhcp.iot\r\nuci set dhcp.iot=\"dhcp\"\r\nuci set dhcp.iot.interface=\"iot\"\r\nuci set dhcp.iot.start=\"100\"\r\nuci set dhcp.iot.limit=\"150\"\r\nuci set dhcp.iot.leasetime=\"24h\"\r\nuci commit dhcp\r\n\/etc\/init.d\/dnsmasq restart\r\n\r\n# Configure firewall\r\nuci -q delete firewall.iot\r\nuci set firewall.iot=\"zone\"\r\nuci set firewall.iot.name=\"iot\"\r\nuci set firewall.iot.network=\"iot\"\r\nuci set firewall.iot.input=\"REJECT\"\r\nuci set firewall.iot.output=\"ACCEPT\"\r\nuci set firewall.iot.forward=\"REJECT\"\r\nuci -q delete firewall.iot_wan\r\nuci set firewall.iot_wan=\"forwarding\"\r\nuci set firewall.iot_wan.src=\"iot\"\r\nuci set firewall.iot_wan.dest=\"wan\"\r\nuci -q delete firewall.iot_dns\r\nuci set firewall.iot_dns=\"rule\"\r\nuci set firewall.iot_dns.name=\"Allow-DNS-IoT\"\r\nuci set firewall.iot_dns.src=\"iot\"\r\nuci set 
firewall.iot_dns.dest_port=\"53\"\r\nuci set firewall.iot_dns.proto=\"tcp udp\"\r\nuci set firewall.iot_dns.target=\"ACCEPT\"\r\nuci -q delete firewall.iot_dhcp\r\nuci set firewall.iot_dhcp=\"rule\"\r\nuci set firewall.iot_dhcp.name=\"Allow-DHCP-IoT\"\r\nuci set firewall.iot_dhcp.src=\"iot\"\r\nuci set firewall.iot_dhcp.dest_port=\"67\"\r\nuci set firewall.iot_dhcp.proto=\"udp\"\r\nuci set firewall.iot_dhcp.family=\"ipv4\"\r\nuci set firewall.iot_dhcp.target=\"ACCEPT\"\r\nuci commit firewall\r\n\/etc\/init.d\/firewall restart<\/pre>\n<p>Nice &#8211; now I have a third subnet which will hand out DHCP addresses valid for 24hrs. The devices are all isolated from each other.<\/p>\n<p>For devices on the IoT network, while I don&#8217;t want the device to be able to see anything other than the internet, for my own monitoring and use I&#8217;d like to be able to see the devices on the IoT network from my normal lan network. This turns out to be very easy.<\/p>\n<pre class=\"lang:default decode:true \"># Allow the lan to see iot, but not the other way around\r\nuci -q delete firewall.lan_iot\r\nuci set firewall.lan_iot=\"forwarding\"\r\nuci set firewall.lan_iot.src=\"lan\"\r\nuci set firewall.lan_iot.dest=\"iot\"\r\nuci commit firewall\r\n\/etc\/init.d\/firewall restart<\/pre>\n<p>Connecting to the IoT network and doing a scan shows me that I can only see myself and the router (because the device has to send traffic somewhere). Again, with the isolation I can&#8217;t connect to the web interface of the router. However, with this new &#8220;zone-&gt;forwarding&#8221; I can see devices on the IoT network from my lan network. 
Super cool, and actually very easy.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1920\" src=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/lan-iot-zone.png\" alt=\"\" width=\"1200\" height=\"168\" srcset=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/lan-iot-zone.png 1200w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/lan-iot-zone-500x70.png 500w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/lan-iot-zone-1024x143.png 1024w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/10\/lan-iot-zone-768x108.png 768w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/p>\n<p>There&#8217;s plenty more tweaking we can do here, but to avoid going too far down the rabbit hole we&#8217;ll stop here.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As my kids get to the age where both they and their friends have devices, this means granting access to our internet to a growing circle of people. OpenWRT has the ability to support guest networks and I&#8217;ve been meaning to set this up for some time. 
Beyond simply having a guest network, I also &hellip; <a href=\"https:\/\/lowtek.ca\/roo\/2021\/openwrt-guest-network-and-beyond\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;OpenWRT Guest Network (and beyond)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,12,21],"tags":[],"class_list":["post-1909","post","type-post","status-publish","format-standard","hentry","category-computing","category-how-to","category-network"],"_links":{"self":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/comments?post=1909"}],"version-history":[{"count":9,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1909\/revisions"}],"predecessor-version":[{"id":1924,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1909\/revisions\/1924"}],"wp:attachment":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/media?parent=1909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/categories?post=1909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/tags?post=1909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}