Configure Wired Guest Network

Hi everyone,

I am having trouble configuring my Wired Guest Network in such a way that Guests who connect to it should not be able to reach devices on my "private" Home/Local network. I am sharing a diagram of my setup:

Note: I understand that WNR3500L could also serve as a WIFI for Guests, but in my case WIFI guest users are further away from the WNR3500L so that is why I also have TL-WR740N to act as a WIFI AP.

On my WNR3500L I have installed: OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a

I have been reading about how to do this and it is in line with something like this:

  1. In the Network->Switch section, create a new VLAN (but I am not sure which ports to set to off and which to Tagged/Untagged, since by default there are already two existing VLANs which conflict with the new one I create; they can't both be Untagged, so I am not sure what to select):

https://imgur.com/a/H9ghrM3

  2. Then in Network->Interfaces create a new "guest interface" and select the VLAN for it. However, I don't see my newly created guest VLAN to choose for this new Interface:

https://imgur.com/a/DGxCPxR

And that is when I start choosing random stuff and expect it to work :cry:

Please advise.

Thanks!

Is the WR740N only used for the guest network, or will it also be a dumb AP for the trusted LAN?

Is there any reason you would ever want to broadcast the guest SSID on the WNR3500L?

The answers to these two questions will affect the recommended methods to achieve your goals... any answer is fine, but we just want to make sure we optimize the solution.

WR740N will only be used for the guest network.

WNR3500L will have no SSID, it will not be used for WIFI.

One additional point though: I will need to access administration page for both of these devices (WR740N and WNR3500L) from my "trusted LAN".

Thanks.

The easiest way to do this is as follows:

  • Reset the WR740N to defaults.
  • Ensure that the lan on the WR740N is not in the same subnet as your main trusted network. If your main trusted network is using 192.168.1.0/24 as its subnet, change the LAN address on the WR740N to something else -- for example, 192.168.5.1.
    https://openwrt.org/faq/change_lan_ip
  • In the firewall, set the wan zone's INPUT rule to ACCEPT (note: this is only safe to do when the wan interface is connected to a trusted network -- in this case it is okay -- it should never be set to accept if your router is facing the internet). This will allow access from your main network.
  • Add a firewall rule to REJECT all protocols with source zone lan to destination IP/network 192.168.1.0/24 (or whatever your upstream network's subnet is).
  • Enable wifi with your desired guest SSID and password.
  • You'll probably also want to prevent access from the guest network to the WR740N itself, so you'll change the lan zone input rule to REJECT and then add rules to allow DHCP and DNS. (important: don't do this until you know you can access the device reliably from the upstream network). See the firewall section of the guest wifi network (except you'll be operating on the WR740N's lan zone).
    https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface#configure_the_firewall

That's all you should need to do and you'll have a working guest network with isolation from your primary network.

Thanks, will try it!

Will this config make sure that devices connected to LAN ports of the WNR3500 (which is the only device with OpenWrt) will also be isolated from my trusted LAN network, and be treated as guests too?

WR740N has stock firmware, it is just a dumb AP.

That is my concern.

Thanks

oh... that changes things!

You'll need to do the work on the WNR3500L instead.
Totally different process.

Follow the guest wifi guide, skipping over the wifi creation, but starting at the "configure the new interface" section.

We'll connect that with an ethernet port after those things are done.

Hi,

I have completed the tutorial except for the WiFi part - as suggested.

Here are the screenshots of my current configuration: https://imgur.com/a/RdRovBq

What is now missing is to "associate" this "guest_interface" to physical LAN ports of the device. This is what I currently have by default: https://imgur.com/a/us6jV0a

Hi again,

Here is a bit more information:

My main ISP router is 192.168.100.1, it has LAN/WLAN with DHCP assigning IPs 192.168.100.* to "trusted" devices.

Now I want to add an OpenWrt router that will have a wired guest interface that I just want to provide with the Internet (I removed the Guest WIFI option just to make it simpler). I created the interface, associated 3 LAN ports to it, and set up DHCP to assign 192.168.77.*. And, indeed, the 77 network works, DHCP assigns IPs, but I can still access the 100.* network. These guests must not access my devices in 100.*; that is my only requirement for this setup.

By thinking about it, what I might need here is a firewall rule that will block traffic from my new guest_interface to my upper network except 192.168.100.1 because that's where the Internet comes from.

Any ideas on how to continue with this?

let's see the config as it is right now:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Assuming everything is properly configured up to this point (to be verified with the config files), the firewall rule is really simple:

Source zone guest, destination address/network 192.168.100.0/24, all protocols, reject.


Hello, here is the current config:

root@OpenWrt:~# ubus call system board

{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "Broadcom BCM4716",
        "model": "Netgear WNR3500L",
        "board_name": "0x04CF:3500",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "bcm47xx/mips74k",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2c:6c65:a831::/48'

config interface 'wan'
        option device 'eth0.1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.1'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 8t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 8t'

config interface 'guest_interface'
        option device 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.77.1'
        option netmask '255.255.255.0'
        option gateway '192.168.100.1'

config switch_vlan
        option device 'switch0'
        option ports '1 2 3 8t'
        option vlan '10'
        option description 'guest_vlan'

root@OpenWrt:~# cat /etc/config/wireless

>>> Please note that I will have radio disabled at all times. No radio required for this exercise...

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'bcm47xx_soc/bcma0:1'
        option channel '1'
        option band '2g'
        option htmode 'NOHT'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest_interface'
        option interface 'guest_interface'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '1h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest_zone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest_interface'

config forwarding
        option src 'guest_zone'
        option dest 'wan'

config rule
        option name 'Guest DNS'
        option src 'guest_zone'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest_zone'
        option dest_port '67 68'
        option target 'ACCEPT'

There is also one more rule which is currently disabled:

config rule
        option name 'block_guest'
        list proto 'all'
        option src 'guest_zone'
        list dest_ip '192.168.100.0/24'
        option target 'REJECT'
        option enabled '0'

Enabling or disabling this rule "block_guest" also blocks the Internet for guests, probably because the gateway is at 192.168.100.1?

Remove the gateway from the guest interface.

Change input to REJECT. This will prevent the guest network from being able to access the router itself.

This should work once enabled. Re-enable it, then restart your router. Test after the router is booted.

Also, is it your intention to have the guest dhcp server disabled?


I walked out of home and just edited the post to say that enabling that final firewall rule blocks the internet actually.

I enabled DHCP for guests too, thanks.

I will try your suggestions as soon as I get back.

That is because you had specified the gateway. Leave it blank and the rule won’t affect internet access.


Gateway removed from the guest_interface.

config interface 'guest_interface'
        option device 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.77.1'
        option netmask '255.255.255.0'

REJECT input: guests can't access router anymore - confirmed.

config zone
        option name 'guest_zone'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest_interface'
        option input 'REJECT'

Rule enabled, router restarted. Internet works, but also everything else in the 192.168.100.* is still accessible. :confused:

config rule
        option name 'block_guest'
        list dest_ip '192.168.100.0/24'
        option src 'guest_zone'
        list proto 'all'
        option target 'REJECT'

I am testing this with a wired connection to the router itself, switch port no.2 (this is for the Guest interface) - and I confirm that I do get 192.168.77.* address assigned - so I really am connected as the Guest. All other network interfaces on my PC are disabled (including WiFi), only this cable is plugged in directly into the router port 2.

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : lan
Link-local IPv6 Address . . . . . : fe80::fe9c:...
IPv4 Address. . . . . . . . . . . : 192.168.77.147
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.77.1

I really appreciate your support here :slight_smile:

Are there any other physical connections anywhere other than a lan > wan connection and then the computer to the guest router?

No, it is as you described.

My ISP's router is connected via cable to WAN port of OpenWRT router.

My laptop is connected via cable to OpenWrt router port no.2 (Guest interface).

Should I try different version of firmware?

A forwarding (or anti-forwarding) rule must specify both src and dest zones. If only src is specified, it's an input rule which is not what you want.

Also try option dest_ip instead of list dest_ip. I think there can only be one IP or subnet per rule.

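An added example, not from the thread, that checks a copied /etc/config/firewall for exactly the mistake described above (and covers the "source zone guest, destination 192.168.100.0/24, reject" rule suggested earlier): it parses the UCI text and reports, per rule, which chain the rule actually lands in, flagging the posted block_guest rule and passing a corrected copy. The `dest '*'` zone in the corrected copy is an assumption; any dest zone the guest traffic is forwarded to (such as wan) works the same way.

```python
"""Flag OpenWrt firewall rules that block a subnet by dest_ip but, lacking a
dest zone, land in INPUT (traffic to the router) instead of FORWARD."""
import re

# Constructed sample: the posted 'block_guest' rule and a corrected copy with a
# dest zone ('*' = any zone is an assumption here; 'wan' would also fit).
SAMPLE_FIREWALL = """
config rule
        option name 'block_guest'
        list proto 'all'
        option src 'guest_zone'
        list dest_ip '192.168.100.0/24'
        option target 'REJECT'

config rule
        option name 'block_guest_fixed'
        option src 'guest_zone'
        option dest '*'
        option proto 'all'
        option dest_ip '192.168.100.0/24'
        option target 'REJECT'
"""

def parse_uci(text):
    """Minimal UCI parser: returns [(section_type, {key: [values]}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"^(option|list)\s+(\S+)\s+'(.*)'$", line)
        if m and sections:  # both option and list collect into a value list
            sections[-1][1].setdefault(m.group(2), []).append(m.group(3))
    return sections

def rule_chain(opts):
    """src+dest -> forward; src only -> input (to the router); no src -> output."""
    if "src" in opts:
        return "forward" if "dest" in opts else "input"
    return "output"

def audit(text):
    """Chain per rule; 'misplaced' = dest_ip given but rule never reaches FORWARD."""
    report = {}
    for stype, opts in parse_uci(text):
        if stype != "rule":
            continue
        name = opts.get("name", ["unnamed"])[0]
        chain = rule_chain(opts)
        report[name] = {"chain": chain,
                        "misplaced": "dest_ip" in opts and chain != "forward"}
    return report
```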

Thanks to both of you!

I have finally managed to make it work. These are the final rules:

Now, on the guest interface, I have Internet connection but cannot access the 192.168.100.* anymore, except the ISP's router at 192.168.100.1


I don't know whose answer to mark as "Solution" since both contributed to the final solution.

Update: my rule "allow_guest_internet" is actually not required. I have just disabled it and it still works as expected. The reason is probably what @psherman suggested in this post. I thought I would need it to allow Internet, but it works even without it.
The final touch was to also select the destination zone as @mk24 suggested.

Update 2: as per forum rules: point 6 (multiple posts for solution) I am marking my post as a solution.