Guest switch port, using LAN not WAN in dumb AP mode

Hi

I have a non openWRT router on my network, and I want to setup my Linksys WRT1200AC as a dumbAP with a single switch port on the guest lan.

I'm using one of the LAN switch ports as the uplink to my main router instead of the WAN port, which makes things a little more complex (the AP sits inside the home LAN rather than in front of it).

I found this helped:
https://blog.doenselmann.com/gaeste-wlan-auf-openwrt-access-point/

My home network is on 172.25.25.0/24 and the guest network is on 192.168.3.0/24.

At the minute the switch ports are on my home LAN, as is one Wi-Fi network; the guest Wi-Fi is segregated. I use a single iptables rule to keep the guests away from my home network:

# Drops forwarded IPv4 traffic from the guest wireless interface (wlan1-1,
# presumably the guest SSID - wireless config not shown) towards the home
# subnet. It only covers the FORWARD chain, so the AP's own services stay
# reachable from guests, and it is IPv4-only. Typed by hand it does not survive
# a firewall reload or reboot unless placed in /etc/firewall.user.
iptables -I FORWARD -i wlan1-1 -d 172.25.25.0/24 -j DROP

What I now want to do is move one of the switch ports into the same (or another) guest network: internet access only, no access to the home LAN.

Below are my configs:

cat dhcp
# /etc/config/dhcp of the access point. The upstream (non-OpenWrt) router
# presumably serves DHCP for the home LAN, so the AP only hands out leases on
# the guest network.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # rebind_protection: refuse upstream answers that point at private
        # addresses (DNS rebinding defence); rebind_localhost keeps 127.0.0.0/8
        # answers allowed.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        # localservice: only answer DNS queries arriving from directly
        # attached subnets, so the AP is not an open resolver.
        option localservice '1'

# No DHCP from the AP on the home LAN (the upstream router does that).
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

# 'wan' is disabled in the network config; nothing to serve here.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool: 192.168.3.100 - 192.168.3.249 (start 100, limit 150), 12h leases.
# If the guest firewall zone's input is later set to REJECT, an explicit
# accept rule for udp/67 is required for this pool to keep working.
config dhcp 'Guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'Guest'
cat firewall

# /etc/config/firewall of an access point that sits inside the home LAN
# (zone 'lan', 172.25.25.0/24) and also hosts a guest network (zone 'guest',
# network 'Guest', 192.168.3.0/24). The 'wan' zone has no network attached
# (see 'option network " "' below), so the default src 'wan' rules that follow
# are inert in this role; they only matter if a network is ever put back into
# that zone.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest -> home LAN block. With both src and dest set this is a FORWARD rule,
# and dest_ip is an IPv4 prefix so it matches IPv4 only. It does not stop
# guests reaching the AP itself: the 'guest' zone below has input 'ACCEPT', so
# whatever the AP listens on (at 192.168.3.1 or 172.25.25.252) is reachable
# from the guest side. If IPv6 is ever enabled on 'lan' (ip6assign is set in
# the network config), an equivalent family 'ipv6' rule is needed.
config rule
        option src 'guest'
        option name 'Disable Guest LAN Access'
        option target 'DROP'
        option dest 'lan'
        option dest_ip '172.25.25.0/24'

# No dest, so this is an INPUT rule: lets guest clients query dnsmasq on the
# AP. It only becomes necessary once the guest zone's input is changed to
# REJECT; DHCP (udp, dest_port 67) then needs a matching accept rule as well,
# otherwise guests get no lease.
config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Guest DNS'
        option src 'guest'

# Global defaults; each zone below overrides input/output/forward for itself.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Home LAN zone. The AP is managed from here; the upstream gateway
# (172.25.25.254) is reached through this zone, so this is where NAT for
# guest traffic belongs (masq '1' plus masq_src restricted to 192.168.3.0/24).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# Empty zone: the WAN port (eth1.2) is not used in dumb-AP mode. input and
# forward 'ACCEPT' would be far too open if a network is attached here later.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network ' '

# The conventional place for raw iptables rules that should survive a
# firewall reload; rules typed at the shell are not persisted.
config include
        option path '/etc/firewall.user'

# Guest zone. masq '1' here NATs traffic *leaving* through the guest
# interface, which is the wrong direction for guest-to-internet (see the reply
# further down: NAT goes on 'lan'). input 'ACCEPT' exposes the AP's own
# services to guests; REJECT with explicit accept rules for DNS and DHCP is
# the usual choice for an untrusted segment.
config zone
        option output 'ACCEPT'
        option name 'guest'
        option forward 'ACCEPT'
        option network 'Guest'
        option input 'ACCEPT'
        option masq '1'

# Static SNAT of guest -> lan traffic to the AP's LAN address. Redundant once
# the 'lan' zone masquerades with masq_src; the thread later drops it.
config redirect
        option target 'SNAT'
        option src 'guest'
        option dest 'lan'
        option proto 'all'
        option name 'Allow Guest Internet'
        option src_dip '172.25.25.252'

# Allows guest -> lan forwarding, which is the only route to the internet for
# guests. fw3 applies 'config rule' entries ahead of zone forwardings, so the
# DROP rule above still removes 172.25.25.0/24; everything else from guests
# is forwarded into 'lan' and routed on by the upstream gateway.
config forwarding
        option dest 'lan'
        option src 'guest'
cat network

# /etc/config/network of the access point.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd63:bcdd:a012::/48'

# Home LAN: bridge over the VLAN-1 switch ports, static address in the home
# subnet, default route and DNS via the upstream router (.254). ip6assign
# hands 'lan' a prefix from the ULA above; there is no upstream delegation
# while 'wan' is disabled.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '172.25.25.252'
        option gateway '172.25.25.254'
        option dns '172.25.25.254'

# WAN port is not used (auto '0'); the uplink is one of the LAN ports.
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'static'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 -> eth0.1: the four LAN ports (0-3) tagged to CPU port 5.
# Switch port numbers do not necessarily match the labels on the case.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

# VLAN 2 -> eth1.2: the WAN port (4) tagged to CPU port 6; unused here.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

# Guest network. No ifname, so presumably only the guest wifi-iface attaches
# to it (wireless config not shown). The AP is 192.168.3.1 for guests.
config interface 'Guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

Thanks for any help!

It would be better to use policy routing so that all packets from the guest subnet are sent straight to the ISP router, with a blackhole route for the LAN subnet in the guest routing table, rather than relying on a firewall rule. But if you are happy with the firewall rule then it's fine.
The masquerade option in the guest zone is wrong: guest traffic leaves towards the internet through the lan zone, so `option masq '1'` belongs on the lan zone, together with `option masq_src '192.168.3.0/24'` so that only the guest subnet is NATed and home-LAN traffic through the AP is left untouched. This way you don't need the SNAT redirect for the guest.
Regarding adding a LAN port to the guest:
Change this:

# Current: all four LAN ports (0-3) on VLAN 1, i.e. the home LAN.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

Into this:

# Home LAN keeps ports 1-3; port 0 is taken out of VLAN 1.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 5t'

# Port 0 alone in VLAN 3, tagged to CPU port 5 -> appears as eth0.3.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0 5t'

# 'Guest' becomes a bridge over eth0.3 so the wired guest port and the guest
# Wi-Fi share one L2 segment and one firewall zone. Note that traffic between
# a wired guest client and a guest Wi-Fi client is then switched inside the
# bridge and never passes the firewall; wireless 'isolate' only separates
# Wi-Fi clients from each other, not from the wired guest port.
config interface 'Guest'
        option type 'bridge'
        option ifname 'eth0.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

Thank you so much for the fast reply.

I moved the masquerade to the lan zone and dropped the SNAT redirect, and it's working perfectly. The port on switch port 0 now gets an address from the guest range and the other ports get the home range.

Out of interest before I go sticking in drop rules what approach would you take for keeping the guest networks separated?

Your setup is a bit out of the ordinary. Usually a guest VLAN is trunked (tagged) upstream to the main router, where traffic control is easier and the AP does not need to route or NAT at all. In your case it is more complicated, since you are terminating both LAN and guest on a device that itself sits inside the LAN. So if you are happy with the firewall rule that you have, you can keep it that way; otherwise we can investigate if something is not working for you.

Adding the following works:

# Same block as before but on the guest bridge, so it now covers both the
# guest Wi-Fi and the wired guest port. Still FORWARD-only and IPv4-only; put
# it in /etc/firewall.user (included from the firewall config) or it is lost on
# the next firewall reload.
iptables -I FORWARD -i br-Guest -d 172.25.25.0/24 -j DROP

That's nice, but you can express this in the OpenWrt firewall config instead, so it is applied on every reload. In fact the firewall you posted already contains exactly this as the 'Disable Guest LAN Access' rule; the raw iptables line should only be needed if that rule is not being applied. Check with `iptables -L FORWARD -v -n` for a DROP matching 172.25.25.0/24 from br-Guest before keeping both.

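# Persistent equivalent of the iptables line above. The zone is named 'guest'
# (lower case) in the posted firewall config - 'Guest' is the *network* name -
# and fw3 zone references are case-sensitive, so a rule with src 'Guest'
# refers to a non-existent zone and is skipped with a warning. A name is added
# so the rule is identifiable in LuCI and in iptables comments.
config rule
    option  name        'Guest-Block-LAN'
    option  target      'DROP'
    option  src         'guest'
    option  dest        'lan'
    option  dest_ip     '172.25.25.0/24'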

Also change `input` in the guest firewall zone to REJECT (or DROP) so guests cannot reach the AP's own services (LuCI, SSH, anything else it listens on). Once you do that, keep the 'Guest DNS' accept rule you already have and add a matching one for DHCP (`proto 'udp'`, `dest_port '67'`, `src 'guest'`, `target 'ACCEPT'`), otherwise guest clients will not get a lease. Setting the zone's `forward` to REJECT only affects traffic between interfaces inside the guest zone; the guest-to-lan path is governed by the `config forwarding` entry plus the DROP rule, so that combination stays as it is.