Assign wired MAC to Guest WiFi

Hello

Let me start with the fact that I know this isn't a great idea and that there is a not insignificant security risk to it. Think, however, of the person owning the computer using the MAC address as a "mother in law" type person - you somehow trust her but you really don't want her easily accessing your private network.

The situation: Very basic OpenWrt setup for a wired and wireless private network (10.0.0.x) plus a guest network (10.20.0.x) as per Guest Wi-Fi. There is an unmanaged switch connected to the OpenWrt router to which most of the devices in the private network are connected. Everything is working fine.

The challenge: A room with very limited wifi reception but a wired connection to the above-mentioned switch (which is not, because I know this comment will come, the prison cell or dungeon I put my mother in law in). I know the MAC of the laptop. Is there an easy way to configure a static lease for said MAC address and then route it through the guest wifi?

Is this possible? Yes.
Is it practical? No.

To do what you're asking, you can use 802.1x authentication, but this is quite complicated to set up and majorly overkill.

https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x

Instead, I would suggest that the easiest way to approach the goal would be to replace the switch with a managed switch (although I recommend against the very entry level models, as long as they are managed, you can do this; alternatively, an all-in-one wifi router running OpenWrt can usually be set up as a managed switch). This way you can send VLANs through it and configure the port that leads to your MIL's room to be a member of the guest network.

Too bad. I was actually hoping to "just" statically assign an IP address from guest network to this MAC and then find a way to route this address to the guest network.
Anyway, thanks for looking into this!

So is the OpenWRT device in proximity to your un-managed switch? If so does it have more than one LAN port? If so, why not just move the cable from your "mother-in-law" room directly to a LAN port on the router - then VLAN that port / isolate it?

Yes, this is my fallback solution but will mean I need to run yet another cable from the basement, which is where the switch and all the other stuff is, to my living room, which is where the router is.

Ok, so I went ahead and bought a new switch, CBS250-16P-2G to be exact, to replace the existing dumb switch. I configured two of the LAN ports to tag them for VLAN 20.
All the descriptions I found for guest-wifi and VLAN assume that the tagging is happening on OpenWRT, not on a separate switch. I tried adding the VLAN 20 to my br-guest device but this somehow didn't work. Any chance you can point me towards something that helps me resolve this?
I'm using OpenWrt 23.05.2 r23630-842932a63d btw.

Let's take a look at your main router's configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys EA6350v3",
        "board_name": "linksys,ea6350v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd25:14cb:e40d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '60:38:e0:83:2f:0b'

config device
        option name 'lan2'
        option macaddr '60:38:e0:83:2f:0b'

config device
        option name 'lan3'
        option macaddr '60:38:e0:83:2f:0b'

config device
        option name 'lan4'
        option macaddr '60:38:e0:83:2f:0b'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '60:38:e0:83:2f:0a'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        list ipaddr '10.20.0.1/24'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Private'
        option encryption 'psk-mixed'
        option key 'PWD'
        option network 'lan'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Private_5GHz'
        option encryption 'psk-mixed'
        option key 'PWD'
        option network 'lan'

config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'Guest'
        option encryption 'psk-mixed'
        option key 'PWD'

config wifi-iface 'guest2'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option ssid 'Guest_5GHz'
        option encryption 'psk-mixed'
        option key 'PWD'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '10.0.0.2'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,10.0.0.2'
        list dns 'fd3c:2167:1690::2'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
...
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'pi-hole-DNS'
        option src '*'
        option dest 'wan'
        option target 'ACCEPT'
        option dest_port '53'
        list src_ip '10.0.0.2'
        list src_ip '2601:40a:8300:9a0::2'

config rule
        option name 'pi-hole-DNSOverTLS'
        list src_ip '10.0.0.2'
        list src_ip '2601:40a:8300:9a0::2'
        option dest 'wan'
        option dest_port '853'
        option target 'ACCEPT'
        option src '*'

config rule
        option name 'Intercept-DNS'
        option src '*'
        option dest 'wan'
        option dest_port '53'
        option target 'REJECT'

config rule
        option name 'Intercept-DNSOverTLS'
        option src '*'
        option dest 'wan'
        option dest_port '853'
        option target 'REJECT'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-WireGuard'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'udp'
        option dest_port '51820'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

Ok... so we need to make bridge VLANs to set up the guest network on ethernet. What port (on the router) is used to connect to the switch? And can we use one of the other ports on the router as a test port for the guest network (if so, which one)?

Thanks for the quick reply. The new switch is connected to LAN4, LAN2 is free to be used for testing.

Everything happens in the network config file:

add bridge VLANs:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:u*'
        list ports 'lan4:t'

Delete the guest bridge:

Edit the lan to use br-lan.1 and the guest to use br-lan.20:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

...
config interface 'guest'
        option proto 'static'
        option device 'br-lan.20'
        list ipaddr '10.20.0.1/24'

Restart your router. Plug a device into port lan2 and you should get an address in the guest network. When plugged into port 1 or 3, you should get a normal lan address.

Then, on your switch, you need to configure vlan 20 to be tagged on the trunk (the port that uplinks to the router), and it should be untagged + PVID on the port that connects to your MIL's room.
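The bridge-vlan edit above is easy to get subtly wrong (a port left with a PVID in two VLANs, or an interface bound to a br-lan.N for which no bridge-vlan N exists), and such a mistake can lock you out after the reboot. The following script is an added example, not code from the thread or from OpenWrt: it parses UCI syntax and checks the bridge-vlan wiring before you restart. The embedded sample is a constructed copy of the layout proposed above.

```python
import re
from collections import defaultdict

# Constructed sample in UCI syntax: the thread's bridge-vlan layout after the edit.
SAMPLE = "\n".join([
    "config device", "option name 'br-lan'", "list ports 'lan1'", "list ports 'lan2'",
    "list ports 'lan3'", "list ports 'lan4'",
    "config bridge-vlan", "option device 'br-lan'", "option vlan '1'",
    "list ports 'lan1:u*'", "list ports 'lan3:u*'", "list ports 'lan4:u*'",
    "config bridge-vlan", "option device 'br-lan'", "option vlan '20'",
    "list ports 'lan2:u*'", "list ports 'lan4:t'",
    "config interface 'lan'", "option device 'br-lan.1'",
    "config interface 'guest'", "option device 'br-lan.20'",
])
UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value | [values]})]."""
    sections = []
    for m in filter(None, map(UCI_LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def check_bridge_vlans(text):
    """Return problems: a port not in its bridge, a port with a PVID (u*) in two
    VLANs, or an interface on br-X.N where bridge-vlan N does not exist on br-X."""
    secs = parse_uci(text)
    bridge_ports = {s["name"]: s["ports"] for t, s in secs if t == "device" and "ports" in s}
    vlans = {(s["device"], s["vlan"]) for t, s in secs if t == "bridge-vlan"}
    pvids, problems = defaultdict(list), []
    for t, s in secs:
        if t == "bridge-vlan":
            for port, _, flags in (p.partition(":") for p in s.get("ports", [])):
                if port not in bridge_ports.get(s["device"], []):
                    problems.append(f"{port}: in vlan {s['vlan']} but not a port of {s['device']}")
                if "*" in flags:
                    pvids[port].append(s["vlan"])
        elif t == "interface" and re.fullmatch(r"br-\w+\.\d+", s.get("device", "")):
            br, vid = s["device"].rsplit(".", 1)
            if (br, vid) not in vlans:
                problems.append(f"{s['device']}: no bridge-vlan {vid} on {br}")
    problems += [f"{p}: PVID in more than one vlan {v}" for p, v in pvids.items() if len(v) > 1]
    return problems
```

On the router itself you would feed it the real file, e.g. `check_bridge_vlans(open("/etc/config/network").read())`, and only reboot when the list comes back empty.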

Thanks for this. I'm trying to understand what you're doing, this is all fairly new to me.

  • You're bridging port lan1, lan3, and lan4 into vlan1
  • You're bridging lan2 (untagged) and lan4 (tagged) to vlan20

Result: Everything that goes through lan1 and lan3 will see vlan1 added to it. Everything that goes through port 2 will see vlan20 added to it. Everything that goes through port 4 will either see vlan1 added to it or checked and routed for vlan20.

Summary:

  • I get a guest IP on Port 2 and internet is working ✓
  • My guest wifi is still working. I, however, don't understand how this is possible without the bridge (?)
  • Access from guest wifi to private network is blocked ✓
  • A PC connected to any of the non-VLAN ports on the second switch still works ✓
  • A PC connected through the switch, which I believe is configured as described above for vlan 20, does not yet work. I need to toy with the router a bit before I can say more.

There is a bridge... just a different form. It is the bridge-vlan, which is mapped against a bridge device. When you use a bridge-vlan (i.e. br-lan.20) as the device for a network, you are indeed connecting the network to a bridge, so wifi will still work.

If you implemented what I suggested (and it sounds like you did), the problem is almost certainly on your switch, not the router. Verify the VLAN configuration of your switch to ensure that VLAN 20 is configured appropriately on both the uplink and downlink ports.

I believe I mostly got it (still need to read about a few things). Thank you very much for your help.
One last question if I may: Wouldn't it have been enough to configure the Ethernet connection on the PC to vlan20 - I see there is an option in the windows driver - to achieve the same result but with the dumb switch?

You still need a managed switch and the VLANs set up on the router. Simply setting up the PC on VLAN 20 (in the Windows environment) would not provide the security you desire as the main trusted lan would still be physically present at the physical network interface (and likely still active as a logical network interface in Windows).

In case someone finds this topic later. This is how I configured the Cisco router for vlan20. All ports to which "guest" PCs are connected are in vlan20 untagged.

The uplink port connected to the OpenWRT router is configured to Trunk and has vlan20 tagged. Note: I already added another vlan 10 for my IoT devices.
