Isolated Guest Wifi with Multiple SSIDs

Hi, first post here, so apologies if I've popped this in the wrong place!

I need to set up a guest wifi connection for a cafe I am involved with, using my Linksys WRT1900AC(V2). I installed the LEDE firmware yesterday, which was remarkably easy, and then I followed the tutorial for OpenWRT for making a guest wlan with Luci (https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface).

The only modification I made to this was adding a second radio on the 5GHz spectrum, so it is transmitting two identical SSIDs on different frequencies. I also went in via SSH and set the isolate option for each wireless interface, which I thought would ensure that different devices cannot talk to each other.

The networks are working fine, providing IPs in the 192.168.3.* subnet, and providing internet to clients. I cannot access the router from the wireless network, only the wired LAN, which I thought proved that the isolation worked. However, if I run "nmap 192.168.3.0/24" from my laptop on the wireless network, I can see two other devices, an iPhone and a Galaxy Tab. There are more than 2 devices connected to the network though, which are not showing up in my nmap scan.

Does anybody have any idea why this might be happening? My only current thought is that the isolation might be working between devices on each frequency, but maybe the two frequencies aren't isolated from each other?

Thanks!!

Ant

if your networks are joined in a bridge, then yes, it will forward between the networks.
you may install package ebtables and add this in your /etc/firewall.user (firewall>custom rules)

ebtables -A FORWARD --logical-in br0 -j DROP
(replace br0 with your bridge device name)

In addition to the solid advice from @fuller, you can also define a guest WLAN for each SSID (just follow the same guide, but use a different network range), and have two isolated guest WLANs.

The "isolate clients" setting for wireless only impacts client-to-client packets and only on the wireless itself.

Since a router's job is to, well, route packets, it will "connect" two network segments unless you take steps to prevent it from doing so. Right now, from what I read, you've got one SSID, one subnet, and the router is doing just what is expected of it, making them all look like one.

What might better meet your expectations is

  • Two SSIDs; one for your use, one for guest (can be SSID-A and SSID-B on 2.4 and on 5 both, for most units)
  • Two, non-overlapping subnets, one for each SSID
  • A firewall that prevents FORWARD from SSID-A to SSID-B

Your choice on "client isolation" on your wireless.

(Note that with a typical setup it is not an ebtables rule as the packets are not being bridged between the two networks, but routed.)
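Putting the ebtables rule from @fuller's reply and the zone plan from this post together, here is an added example (not code from any poster) as a uci batch for the setup the original poster actually has: one guest interface bridging both radios with client isolation on each, a guest zone that forwards to wan only and rejects input except DHCP and DNS, and the ebtables rule for the bridge. Things the thread does not state and which this script assumes: radio0 is the 2.4 GHz radio and radio1 the 5 GHz radio, the SSID is "MyCafe" and open, and the WAN zone is called "wan"; 192.168.3.0/24 is the subnet from the first post. The ebtables rule does not break internet access because the bridge's FORWARD chain only sees frames being bridged between ports; frames for the router's own MAC, including the local copy of a DHCP broadcast and everything routed out to the internet, go through the INPUT path instead.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters. Assumptions
# that the thread does not state: radio0 is the 2.4 GHz radio and radio1 the
# 5 GHz radio, the guest SSID is "MyCafe" and is open, and the WAN zone is
# named "wan". 192.168.3.0/24 is the subnet the original poster uses.
# The gen_* functions only print text, so the batch can be reviewed before
# apply_guest_config feeds it to uci on the router.

GUEST_SSID="${GUEST_SSID:-MyCafe}"
GUEST_NET="${GUEST_NET:-192.168.3}"

# One wifi-iface per radio, both attached to the same "guest" network: one
# ESSID, one BSSID per radio. isolate=1 stops client-to-client traffic on that
# radio only.
guest_wifi_iface() {   # $1 = uci section name, $2 = radio
  cat <<EOF
set wireless.$1=wifi-iface
set wireless.$1.device='$2'
set wireless.$1.network='guest'
set wireless.$1.mode='ap'
set wireless.$1.ssid='$GUEST_SSID'
set wireless.$1.encryption='none'
set wireless.$1.isolate='1'
EOF
}

gen_guest_uci() {
  # One bridged interface (device br-guest) carrying both radios, with a DHCP
  # pool. Comments stay out of the heredocs because uci batch reads every line.
  cat <<EOF
set network.guest=interface
set network.guest.type='bridge'
set network.guest.proto='static'
set network.guest.ipaddr='$GUEST_NET.1'
set network.guest.netmask='255.255.255.0'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.guest.start='100'
set dhcp.guest.limit='150'
set dhcp.guest.leasetime='1h'
EOF
  guest_wifi_iface guest24 radio0
  guest_wifi_iface guest5 radio1
  # A "guest" zone that may forward to wan only. input=REJECT keeps guests away
  # from ssh and LuCI; the two rules re-open DHCP and DNS, which guests still
  # need from the router.
  cat <<EOF
set firewall.guest=zone
set firewall.guest.name='guest'
set firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_wan=forwarding
set firewall.guest_wan.src='guest'
set firewall.guest_wan.dest='wan'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='Allow-DHCP-guest'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67-68'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.name='Allow-DNS-guest'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
EOF
}

# A 2.4 GHz client talking to a 5 GHz client is a frame the bridge forwards
# between two of its ports; ebtables sees that in its FORWARD chain. Frames for
# the router itself (the local copy of a DHCP broadcast, DNS, everything routed
# to the internet) take the bridge INPUT path and are not touched. The rule
# goes in /etc/firewall.user so it is re-applied on every firewall restart.
guest_ebtables_rule() {
  echo "ebtables -A FORWARD --logical-in br-guest -j DROP"
}

# Run on the router after: opkg install ebtables
apply_guest_config() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the router" >&2; return 1; }
  gen_guest_uci | uci batch && uci commit
  grep -qF "$(guest_ebtables_rule)" /etc/firewall.user 2>/dev/null \
    || guest_ebtables_rule >> /etc/firewall.user
  /etc/init.d/network restart && /etc/init.d/firewall restart
}
```

To check it the way the original poster did: an nmap or arp-scan of 192.168.3.0/24 from a guest client should now list only the gateway, whichever radio the scanner and its neighbours are on, and `ebtables -L FORWARD --Lc` on the router shows the drop counter climbing while the scan runs. Note that a wired LAN port in the same bridge would be cut off by the same rule, which is one reason the guest interface is kept separate from br-lan.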

Thanks everyone for your swift replies!

> if your networks are joined in a bridge, then yes, it will forward between the networks. you may install package ebtables and add this in your /etc/firewall.user (firewall>custom rules)
>
> ebtables -A FORWARD --logical-in br0 -j DROP
> (replace br0 with your bridge device name)

Thanks - if they are bridged, it wasn't deliberate, but thanks for the solution.

> In addition to the solid advice from @fuller, you can also define a guest WLAN for each SSID (just follow the same guide, but use a different network range), and have two isolated guest WLANs.

Good idea, I hadn't thought of that!

> The "isolate clients" setting for wireless only impacts client-to-client packets and only on the wireless itself.
>
> Since a router's job is to, well, route packets, it will "connect" two network segments unless you take steps to prevent it from doing so. Right now, from what I read, you've got one SSID, one subnet, and the router is doing just what is expected of it, making them all look like one.
>
> What might better meet your expectations is
>
>   • Two SSIDs; one for your use, one for guest (can be SSID-A and SSID-B on 2.4 and on 5 both, for most units)
>   • Two, non-overlapping subnets, one for each SSID
>   • A firewall that prevents FORWARD from SSID-A to SSID-B
>
> Your choice on "client isolation" on your wireless.
>
> (Note that with a typical setup it is not an ebtables rule as the packets are not being bridged between the two networks, but routed.)

Sorry for my poor explanation, I currently have 2 SSIDs transmitting for guests (we have no need for a separate network, as it is just cafe guest traffic, there is no office or anything). I achieved this (I think) by setting up one interface and subnet, but with 2 wireless interfaces feeding into it, which has caused the problem.

I think I will have a go later and see if I can figure out what my bridge is called and try to get ebtables to block it, otherwise I'll just set up the second frequency as a different network.

I realise it might be worth a new post, but i have also been asked about the security of using a wifi card reader on the network. In my somewhat limited technical expertise, I can't see why having it on a (working...) isolated guest network wouldn't be secure enough, but does anybody have a different view?

Thanks so much!

Ant

For your own protection, any business or financial systems should be on a completely different network, unconnected in any way to your guest access, on different hardware, on a different SSID, and with the strongest security and encryption available to you.

You probably can't have two ISP "modems" without getting a second account, but every reasonable step should be taken to separate the two networks logically and physically.

I'm not sure what you're trying to achieve with two SSIDs then. If they are both "public" then what traffic are you trying to block, and why? Generally, on a wired network or on most wireless networks, all attached to the same subnet can "see" each other.

> For your own protection, any business or financial systems should be on a completely different network, unconnected in any way to your guest access, on different hardware, on a different SSID, and with the strongest security and encryption available to you.
>
> You probably can't have two ISP "modems" without getting a second account, but every reasonable step should be taken to separate the two networks logically and physically.

Thanks - I shall have to ponder further what the best way to achieve this is then.

> I'm not sure what you're trying to achieve with two SSIDs then. If they are both "public" then what traffic are you trying to block, and why? Generally, on a wired network or on most wireless networks, all attached to the same subnet can "see" each other.

Again, this is probably my poor explanation in the first post, but the second SSID is the same as the first, but on the 5GHz frequency. When I created it I had to make another SSID on the second radio, but I guess 2 radios might be a better explanation. The reason for blocking traffic was that I was under the impression that for a public guest wifi, that was a sensible precaution, but correct me if I'm wrong.

two distinct subnets are easier, but the bridged version avoids killing all tcp sessions in case the client roams/switches between networks

For the guest networks, in my opinion, no isolation between the two APs with the same SSID is needed. I, at least, don't expect client-to-client isolation. If you do want it, @fuller gives the path to achieve that. You'll likely need to install ebtables if you want to pursue that.

To get the terminology and scenario right it sounds like you have one ESSID (network name) being broadcast on two BSSIDs (radios/unique MAC addresses) and bridged together at the router, you want each client to be able to reach the internet but NOT other devices on the local network.

The right solution is the ebtables rule, or turn on iptables in the bridge and block packets with src and dst in the lan subnet. Using a user firewall rule.

As for the cardreader, Jeff gives the best solution, but a not too bad solution is to add another interface, and put a new SSID with wpa2-aes encryption using a separate key, and connect the cardreader to that. Make sure there is no forwarding between cardreader network and guest network... Or vice versa.

You might want to consider one of the inexpensive devices from


where it appears that a decent, new, OpenWRT-supported device can be had for under US$20. If all you're doing is supporting the card reader, you don't need a powerful device and most likely can get away with just 2.4 GHz wireless.

Isn't he going to have to put this device behind the existing router anyway? It seems that provides only marginal improvement over a separate, and separately encrypted SSID on the main router. Not zero, but not hugely better. And now you have to maintain two devices and two configs and two firewalls...

One thing I think is absolutely clear is do not put the cardreader on an SSID with a publicly known WPA key. It needs totally separate encryption.

At some point, without two internet connections, yes, they need to hit a common point. Having that common point not be a "public" router that potentially could be compromised by an unsavory guest or interloper, to me, seems worth US$20 and a few minutes of configuration.

Perhaps it's "as easy as" plugging both the guest OpenWRT device and the card-reader OpenWRT device into the "ISP" modem and letting it give each a "WAN" IP address.

Neither the guests nor the card reader should be concerned about "double NAT" as neither should be exposing services to the public Internet.

Yes, a credit-card reader should be reasonably secure on its own, but Home Depot made that mistaken assumption...

I agree that if you can plug 2 devices into the ISP router and each gets service... then the $20 private device to handle the point of sale equipment is a GREAT idea.

In whatever case, make sure the point of sale equipment uses WPA2 with AES and a well chosen password. I'd recommend something from the likes of:

https://www.random.org/passwords/?num=5&len=8&format=html&rnd=new

Document the network in a small binder, including the random password, and lock that in a storage cabinet or something for access by appropriate employees only.

EDIT: also, for the guest wireless, make sure the router doesn't accept INPUT from the guest interface, and set up a separate SSID for administration of the network, maybe something like "MyCafe" as your guest SSID, and "MyCafeAdmin" for accessing ssh and LUCI and adjusting settings.

I'm surprised to have so much help so quickly, thanks folks (and thanks for bearing with me and my incompetence - I'm learning though!).

> To get the terminology and scenario right it sounds like you have one ESSID (network name) being broadcast on two BSSIDs (radios/unique MAC addresses) and bridged together at the router, you want each client to be able to reach the internet but NOT other devices on the local network.

That is correct - I wasn't aware of the difference between BSSIDs and ESSIDs, another lesson learnt!

> The right solution is the ebtables rule, or turn on iptables in the bridge and block packets with src and dst in the lan subnet. Using a user firewall rule.

I haven't had a chance yet to try ebtables, but I don't really understand the rest of this... I was planning to get ebtables going today, but my 5GHz radio has stopped working entirely, and says it is "disabled or not associated", which is most unhelpful. I'll figure it out eventually, hopefully.

Regarding the cardreader stuff, as has been pointed out, the router in this case is behind a BT Smart Business Hub 6 (which was not smart enough for this, ironically...). I don't particularly want a third router running all the time, but even if I did connect another to the hub, surely I still somehow need to isolate it from the connection to the guest wifi, otherwise they will be able to connect through the LAN in the hub?

> As for the cardreader, Jeff gives the best solution, but a not too bad solution is to add another interface, and put a new SSID with wpa2-aes encryption using a separate key, and connect the cardreader to that. Make sure there is no forwarding between cardreader network and guest network... Or vice versa.

I think this would be my preferred setup, as then there is only one extra router, and I don't understand how I would be able to isolate the second from the first if I plugged them both into the BT modem/hub. I can create another ESSID (hope that's the right term) on the 2.4GHz radio and have it connected to its own interface and IP subnet, but I'm still unsure of how to set the firewall up to block traffic between subnets. I was expecting that with the traffic blocked, an nmap scan from one subnet wouldn't show any devices in the other - is that an incorrect assumption, and if so, how do I check properly that traffic is blocked?

Sorry for all these questions, I really appreciate your assistance - I may sound (and possibly be) rather incompetent, but this is just a bit beyond my range of technical expertise, and we all have to start somewhere...

Ant

ebtables works at layer 2 (the MAC/ethernet layer): it looks at what MAC is sending or receiving and then allows you to forward or deny, or even alter the MAC addresses before forwarding to a different part of the bridge.

If you have your two radios bridged together (which is the usual thing; by default the radios are all bridged into br-lan), then with client isolation each radio will not allow clients to talk to each other on the same radio, but if they aren't on the same radio, then they get sent to the bridge... and then the bridge forwards to the OTHER radio.

The ebtables rule essentially says that if the packet comes in through this bridge, don't allow it to be bridged (in which case I guess it will still be routed, and if it's destined to the internet, that's fine). I'm a little unclear on why the given rule works.

EDIT: specifically it seems like it'd drop all packets received by either radio, and then how would your packets get sent to the internet? I expected a brouter rule where "DROP" would mean "don't bridge, instead route", but I admit to not being an ebtables expert.

it turns out that bridges can also run iptables and do IP (layer 3) filtering as well. You need to enable it with a sysctl and then every packet that hits the bridge has its ip content examined by the firewall. I think this is less of a good solution for you.

If your topology is ISP -> BT BH6 ---> Owrt Router ---ESSID = mycafe ---> cafe customers

then you could add a second Owrt Router with its WAN port plugged into the BT BH6 and have a totally separate network for the cardreader. Packets coming in to the WAN port of the second router would be filtered by default...

On the other hand, if you just add another ESSID on the existing router and put it in its own Owrt "interface", then in the firewall settings you can make sure it allows forwarding to the internet but not to or from the guest network. If you dig around in LuCI you can see how to set up the firewall under Network > Firewall.

each interface typically has a zone assigned to it, and you can specify which zones are allowed to forward to/from which zones.

IPv4 NAT is "poor man's firewall" as it is typically configured to block incoming connections but accept outgoing connections (by "punching holes" in the firewall for the return packets). Your card reader would be able to "phone home", but the combination of the firewall and NAT on the two OpenWRT routers would keep the traffic "blocked" between the guest network and the card-reader network (as well as virtually all of it originating from the "outside", unless you specifically permitted it).

Just follow this tutorial

Thanks for all the assistance folks. I've managed to get the firewall set up (I think - still figuring out how to test it...), but arp-scan and nmap return no open hosts on any subnets when I scan, so I'm pretty sure it's doing what I intended.

So my setup is BT Smart Hub 6 ---> OpenWRT router ---> various subnets and wireless networks. The one remaining non-ideal security thing is that while none of the devices on my subnets can access each other, with isolated networks and firewalls, you can still access the management page for the BT Hub, because it is further up the line. Could anybody advise me on if it's possible to set up a rule to block this, and if so, how?

Thanks!

Ant

  1. create new firewall zone for the subnet of your bthub
  2. restrict access as desired
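As an added example (not a poster's code) that puts the two last answers in the thread into one uci batch: the "own interface, own SSID with WPA2-AES, no forwarding to or from guest" card-reader network from dlakelan's reply, and the rule answering the final question about the hub, which stops both the guest and the reader zone from reaching the hub's management subnet even though both may forward to wan. Assumptions the thread does not state: the reader SSID is "MyCafePOS" on radio0 (2.4 GHz) with subnet 192.168.4.0/24, the existing zones are named "guest" and "wan", and the BT hub's LAN is 192.168.1.0/24. The key is taken from POS_PSK or generated from the kernel RNG; it is printed once in the batch, so copy it into the binder before applying.

```shell
#!/bin/sh
# Added example for this thread, not a poster's code. Assumptions the thread does
# not state: the card-reader SSID is "MyCafePOS" on radio0 (2.4 GHz) with its own
# subnet 192.168.4.0/24, the existing zones are named "guest" and "wan", and the
# BT hub's LAN is 192.168.1.0/24. POS_PSK supplies the WPA2 key, otherwise one is
# generated. gen_pos_uci only prints; apply_pos_config feeds it to uci.

POS_SSID="${POS_SSID:-MyCafePOS}"
POS_NET="${POS_NET:-192.168.4}"
UPSTREAM_NET="${UPSTREAM_NET:-192.168.1.0/24}"

# 24 characters of [A-Za-z0-9] from the kernel RNG (about 143 bits): far beyond
# the 8-character suggestion above, yet still typable into a card reader once.
gen_psk() {
  tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
  echo
}

gen_pos_uci() {
  psk="${POS_PSK:-$(gen_psk)}"
  # Own interface, DHCP pool and WPA2-AES (psk2+ccmp) SSID: the reader never
  # shares a subnet, a bridge or a key with the guest network.
  cat <<EOF
set network.pos=interface
set network.pos.type='bridge'
set network.pos.proto='static'
set network.pos.ipaddr='$POS_NET.1'
set network.pos.netmask='255.255.255.0'
set dhcp.pos=dhcp
set dhcp.pos.interface='pos'
set dhcp.pos.start='10'
set dhcp.pos.limit='20'
set dhcp.pos.leasetime='12h'
set wireless.pos=wifi-iface
set wireless.pos.device='radio0'
set wireless.pos.network='pos'
set wireless.pos.mode='ap'
set wireless.pos.ssid='$POS_SSID'
set wireless.pos.encryption='psk2+ccmp'
set wireless.pos.key='$psk'
set wireless.pos.isolate='1'
EOF
  # Zone "pos": forward to wan only. No forwarding is declared between pos and
  # guest, so the zone default forward=REJECT already blocks both directions.
  # input=REJECT with DHCP/DNS re-opened, as for the guest zone.
  cat <<EOF
set firewall.pos=zone
set firewall.pos.name='pos'
set firewall.pos.network='pos'
set firewall.pos.input='REJECT'
set firewall.pos.output='ACCEPT'
set firewall.pos.forward='REJECT'
set firewall.pos_wan=forwarding
set firewall.pos_wan.src='pos'
set firewall.pos_wan.dest='wan'
set firewall.pos_dhcp_dns=rule
set firewall.pos_dhcp_dns.name='Allow-DHCP-DNS-pos'
set firewall.pos_dhcp_dns.src='pos'
set firewall.pos_dhcp_dns.proto='udp'
set firewall.pos_dhcp_dns.dest_port='53 67 68'
set firewall.pos_dhcp_dns.target='ACCEPT'
EOF
  # fw3 evaluates rules before zone forwardings, so both zones keep internet
  # access while neither can reach the hub's management subnet that sits
  # behind the wan port.
  for z in guest pos; do
    cat <<EOF
set firewall.${z}_no_upstream=rule
set firewall.${z}_no_upstream.name='Block-$z-to-upstream-hub'
set firewall.${z}_no_upstream.src='$z'
set firewall.${z}_no_upstream.dest='wan'
set firewall.${z}_no_upstream.dest_ip='$UPSTREAM_NET'
set firewall.${z}_no_upstream.target='REJECT'
EOF
  done
}

apply_pos_config() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the router" >&2; return 1; }
  gen_pos_uci | uci batch && uci commit
  /etc/init.d/network restart && /etc/init.d/firewall restart
}
```

The check that the hub is actually unreachable is the same one the original poster used for the subnets: from a guest client, a request to the hub's address (`curl -m 3 http://192.168.1.254/` if that is where the hub's page lives) must fail, while an external site still loads. REJECT rather than DROP is used so that a mis-typed rule shows up as an immediate error instead of a timeout while you are testing.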