Guest wifi setup on extenders

Hi,

I have the following setup at home:

Main router: Raspberry Pi 4B, 192.168.10.1, wifi is disabled.
2nd router: RT-AC68U running Merlin firmware, 192.168.10.2, connected to the main router by cable.
3rd router: 192.168.10.3 running OpenWrt firmware, connected to the 2nd router by cable.
4th router (Netgear wifi extender): 192.168.10.4 running official firmware, connected to the 2nd router by cable.

The 2nd to 4th routers have wifi enabled for wireless devices; they act as wired and wireless APs. All devices connected to them are in the same subnet.

Now I want to enable guest wifi on the 2nd and 4th routers. There is an option to add guest wifi on the Merlin firmware and the Netgear firmware; see the snapshot of the setup on each router:

I am able to connect to MYHOME_G and access the internet without problem. However, I am also able to access the LAN although "Allow access to my local network" is not checked.

How can the main router know the devices are on MYHOME-G so I can limit LAN access for them on the main router? Thanks

Probably won't work the way you want unless you install OpenWrt or a firmware that gives you direct control over the VLANs and SSIDs. The guest networks on those devices do not give you the ability to associate them with a VLAN of your choosing... instead, each creates its own (isolated) subnet internally and connects it to an SSID for guests.

If you enable the guest wifi via the firmware on those devices, they will not be related to the guest network you've set up via your main router and your other OpenWrt device. Instead, you'll basically have 3 independent guest networks (which will not be a good experience for guests).

It appears that you can install OpenWrt on the RT-AC68U and this would make it pretty straightforward on that device.

The Netgear device may not be so simple... what is the model?


Hi psherman:

It is a Netgear EAX20, which is not supported by OpenWrt/DD-WRT, so I could not configure VLANs.
If my thought is not feasible, I have a 2nd thought:

  1. Gather the MAC addresses of all my devices and give them no limit.
  2. Any unknown MAC addresses will be assumed to be guest devices and restricted from LAN access.

Do you think the 2nd thought is applicable?

This seems like a lot of work, and may not function the way you expect.

What is your ultimate goal here?

My goal is simple. All my own devices get LAN and WAN access; all visitors' devices will be on the guest wifi and have internet access but no LAN access.

I only need to enable guest wifi on the 2nd/4th routers because they are enough to cover the area for guests.

By far, the easiest option here is to set up 2 independent networks on your main router (lan and guest) and then set up a guest wifi and a normal wifi using VLANs on the APs. It seems to me that this should be simple to do with the first 3 devices (provided that you install OpenWrt on the AC68U).

You can then either

  • use the Netgear device for just one of the networks (likely your main lan)
    or
  • replace the Netgear device with something that can either run OpenWrt or gives you specific control over the VLANs and SSIDs.

Hmm, the Netgear is my only Wifi 6 device, so I need it for both networks. Also the OpenWrt wiki says wifi does not work on the RT-AC68U. That means I need to replace two of them for the VLAN approach. I already have a list of the known MAC addresses (about 40 devices); I am thinking of trying the 2nd thought first before spending money (budget is tight).

If you run one network (just a regular lan), you will not be able to isolate devices with a MAC-address-based system. You might be able to restrict the internet access, but that is very different from isolating the guests so that they cannot reach your trusted lan devices.

OK. Will a captive portal work? Guests log in using a guest account/password and I can implement control on LAN access?

Not if they are on the same network... they need to be on independent networks if you want to isolate the guests from the trusted lan.

I mean if they sign in with the guest account, I could DHCP a different subnet, e.g. 10.0.0.x, so they cannot access 192.168.10.x. You are saying it is not feasible as well?

Nope, that is not possible. Unless, of course, you use enterprise methods (802.1X and WPA2-Enterprise). I would highly doubt that your Asus and Netgear devices support this. But even if they do, it is seriously overkill.

Thank you for all the answers. I am looking at the possibility of creating VLANs in the Merlin firmware.

If it supports VLANs (I don't know if it does or not), you need to set it up such that it can link a VLAN with an SSID, but that's all it should do. It should not perform any routing or DHCP... just what is known as a dumb AP (bridge).

Also keep in mind that VLANs only work over wired ethernet, not wireless backhauls (well, there are possibilities, like GRE tunnels, but it's getting complex there).


I managed to create VLAN 10 on the RT-AC68U and linked it to the guest AP wl0.1. Do you have simple steps to configure VLAN 10 on OpenWrt?

It has a wired connection.

Let's see your current configuration.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
root@pi4:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'erspan0'
        option ipv6 '0'
root@pi4:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option enable_tftp '1'
	option tftp_root '/opt/pxe'
	option dhcp_boot 'pxelinux.0'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option start '33'
	option limit '57'
	option leasetime '1h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
root@pi4:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

I'm making a simple entry for eth0.10 (VLAN 10) with an IP address of 192.168.100.1 for your guest network (as an example). In your network config file, it would look like this:

config interface 'guest'
        option device 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

Then, in your DHCP file, you'll have something like this:

config dhcp 'guest'
	option interface 'guest'
	option dhcpv4 'server'
	option start '50'
	option limit '150'
	option leasetime '1h'

And finally, in your firewall file:

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
        option src 'guest'
        option dest_port '53 67-68'
        option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'
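As an added example (not code from the thread), here is a small Python check a defender can run over /etc/config/firewall to confirm that a guest zone like the one suggested above is actually isolated from 'lan': it parses the UCI text format shown in this thread and flags anything that would let guest clients reach the trusted LAN or the router itself. The embedded firewall snippet is constructed to mirror the suggested guest zone; the function and variable names are my own.

```python
import re  # the sample below is constructed to mirror the guest zone suggested in the thread
SAMPLE_FIREWALL = """
config defaults
    option forward 'REJECT'
config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option forward 'REJECT'
config rule
    option src 'guest'
    option dest_port '53 67-68'
    option target 'ACCEPT'
config forwarding
    option src 'guest'
    option dest 'wan'
"""
def parse_uci(text):
    """Parse UCI text into [(section_type, options)]; 'list' keys collect into lists."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections
def guest_isolation_issues(text, guest="guest", trusted="lan"):
    """Return findings that would let guest clients reach the trusted zone or the router."""
    secs, issues = parse_uci(text), []
    zones = {o.get("name"): o for t, o in secs if t == "zone"}
    if guest not in zones:
        return [f"zone '{guest}' not defined"]
    if zones[guest].get("input", "ACCEPT") != "REJECT":
        issues.append(f"zone '{guest}' input is not REJECT: guests reach router services")
    for t, o in secs:  # a global ACCEPT forward, a forwarding or an ACCEPT rule into 'lan' all break isolation
        if t == "defaults" and o.get("forward", "REJECT") == "ACCEPT":
            issues.append("defaults forward is ACCEPT")
        if t == "forwarding" and o.get("src") == guest and o.get("dest") == trusted:
            issues.append(f"forwarding {guest} -> {trusted} present")
        if t == "rule" and o.get("src") == guest and o.get("dest") == trusted and o.get("target") == "ACCEPT":
            issues.append(f"rule accepts {guest} -> {trusted}")
    return issues
```

Run it as `guest_isolation_issues(open("/etc/config/firewall").read())` on the router; an empty list means no forwarding path from guest to lan is configured.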