Private and Guest WLAN separation with VLANs in simple AP mode

Hi,

I have set up OpenWrt on a dumb AP (Asus RT-N56U) to separate the Private and Guest WLAN networks as follows:

All AP clients get their IP from DHCP servers running on the router (10.11.13.1/24 for VLAN1 Private and 10.11.17.0/24 for VLAN20 Guest).

All works fine in terms of connectivity. (On the router, I block any communication from the VLAN20 interface to the VLAN1 interface and allow only the WAN interface.)

My question is whether the setup on the OpenWrt AP is sufficiently secure to block Guest WLAN clients from any access to the AP and/or the Private LAN/WLAN.

# /etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd92:4c1d:de7f::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.11.13.10'
	option gateway '10.11.13.1'
	option dns '10.11.13.1 8.8.8.8'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '0a:60:6e:e9:3c:89'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '08:60:6e:e9:3c:88'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 8t'

config interface 'guest'
	option proto 'static'
	option ifname 'eth0.20'
	option type 'bridge'

config switch_vlan
	option device 'switch0'
	option ports '0t 8t'
	option vlan '20'

# /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'HT20'
	option legacy_rates '0'
	option txpower '18'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxxx'
	option disassoc_low_ack '0'
	option ssid 'Private'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'platform/10180000.wmac'
	option legacy_rates '1'
	option htmode 'HT40'
	option channel '60'
	option txpower '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option ssid 'BuggedRadioWorkaround'
	option mode 'monitor'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option disassoc_low_ack '0'
	option network 'guest'
	option encryption 'psk2+ccmp'
	option key 'xxxxxxxxxxxxxxxx'
	option ssid 'Guest'
	option isolate '1'

# /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'guest'
	option forward 'ACCEPT'
	option network ' '

config forwarding
	option dest 'wan'
	option src 'guest'
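To make the review of the three files above repeatable, here is an added example (my own code, not from the original post or the OpenWrt project) that parses plain UCI file syntax and reports the separation gaps this thread goes on to discuss: a firewall zone whose network list is blank, firewall defaults left at ACCEPT, a guest SSID without client isolation, and a guest bridge interface that still carries an IPv4 address or has IPv6 left enabled. The function names `parse_uci` and `audit` and the sample configs (shortened, constructed copies of the ones in the post) are mine; the script only reports and never changes anything.

```python
"""Audit the AP's UCI configs for the guest/private separation gaps in this thread.

Added example, not from the original post or the OpenWrt project. It parses
plain UCI file syntax (config / option / list lines), reports findings and
changes nothing. The three sample configs below are constructed, shortened
versions of the ones in the first post.
"""
import shlex

NETWORK_CFG = """
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '10.11.13.10'

config interface 'guest'
    option proto 'static'
    option ifname 'eth0.20'
    option type 'bridge'
"""

WIRELESS_CFG = """
config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'Private'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option network 'guest'
    option ssid 'Guest'
    option isolate '1'
"""

FIREWALL_CFG = """
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'guest'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network ' '
"""


def parse_uci(text):
    """Return sections as {'type', 'name', 'opts'}; 'list' keys collect into lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # keeps the single-quoted ' ' value as ' '
        if words[0] == "config":
            name = words[2] if len(words) > 2 else None
            sections.append({"type": words[1], "name": name, "opts": {}})
        elif words[0] in ("option", "list") and sections:
            key, value = words[1], words[2] if len(words) > 2 else ""
            if words[0] == "list":
                sections[-1]["opts"].setdefault(key, []).append(value)
            else:
                sections[-1]["opts"][key] = value
    return sections


def audit(network_cfg, wireless_cfg, firewall_cfg, guest_networks=("guest",)):
    """Return a list of finding strings about guest/private separation."""
    findings = []
    ifaces = {s["name"]: s["opts"] for s in parse_uci(network_cfg)
              if s["type"] == "interface" and s["name"]}
    for s in parse_uci(firewall_cfg):
        o = s["opts"]
        if s["type"] == "defaults":
            for policy in ("input", "forward"):  # a dumb AP needs neither open by default
                if o.get(policy, "REJECT").upper() == "ACCEPT":
                    findings.append(f"firewall defaults: {policy}=ACCEPT applies to interfaces in no zone")
        elif s["type"] == "zone":
            nets = o.get("network", "")
            nets = " ".join(nets) if isinstance(nets, list) else nets
            if not nets.strip():  # the "what does space mean?" case: the zone binds nothing
                findings.append(f"firewall zone '{o.get('name')}' has an empty network list")
    for s in parse_uci(wireless_cfg):
        o = s["opts"]
        if s["type"] != "wifi-iface" or o.get("mode") != "ap" or o.get("network") not in guest_networks:
            continue
        ssid, net = o.get("ssid", "?"), o["network"]
        if o.get("isolate") != "1":
            findings.append(f"guest SSID '{ssid}': no option isolate '1', clients can reach each other")
        iface = ifaces.get(net)
        if iface is None:
            findings.append(f"guest SSID '{ssid}': network '{net}' is not defined")
            continue
        if iface.get("ipaddr"):
            findings.append(f"network '{net}': AP has address {iface['ipaddr']} reachable by guest clients")
        if iface.get("ipv6") != "0":
            findings.append(f"network '{net}': option ipv6 '0' missing, bridge gets a link-local IPv6 address")
    return findings


if __name__ == "__main__":
    for finding in audit(NETWORK_CFG, WIRELESS_CFG, FIREWALL_CFG):
        print("FINDING:", finding)
```

Run against the sample it reports four findings: both ACCEPT defaults, the blank zone network list, and the missing `ipv6 '0'` on the guest interface; feeding it the real files (`/etc/config/network`, `wireless`, `firewall`) copied off the AP works the same way, and the `guest_networks` argument names which UCI networks count as guest.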

What does space mean?


@ulmwind: Thanks for the catch.

That's probably a left-over from when I still had the guest interface as a managed one (with an IP address assigned). I deleted that after reading the forum posts here and probably forgot about the earlier firewall setup. I'll delete it now.

The guest interface probably still has a link-local IPv6 address unless you have disabled IPv6. Set network.guest.ipv6 to 0. And maybe set the firewall defaults to input reject and forward reject. With IPv6 enabled and the firewall allowing input, it's probably possible to connect to the link-local address of the router.

uci set network.guest.ipv6=0 did remove the link-local IPv6 address from the br-guest bridge and the eth0.20 interface. However, wlan0-1 still keeps its link-local IPv6 address.

root@wifi:~# ip addr | grep -A3 br-guest
12: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP qlen 1000
    link/ether 08:60:6e:e9:3c:89 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a60:6eff:fee9:3c89/64 scope link 
       valid_lft forever preferred_lft forever
15: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 08:60:6e:e9:3c:89 brd ff:ff:ff:ff:ff:ff
16: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether 08:60:6e:e9:3c:89 brd ff:ff:ff:ff:ff:ff

I can see that wlan0-1 is automatically created for the wireless wifi-iface (with SSID Guest), and the option network 'guest' assigns it to the guest network (and bridge).

Is there a way to disable IPv6 also on wlan0-1 via /etc/config files?
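The `grep -A3 br-guest` above only found wlan0-1 because its header line happens to mention `master br-guest`; a check that walks bridge membership explicitly cannot miss a VAP. Here is an added example (my own code, not from the post) that parses the multi-line `ip addr` format shown above and lists, for a given bridge, the bridge itself and every member port that still holds an IPv4 or IPv6 address. The sample output `IP_ADDR_SAMPLE` is constructed from the post's output plus a made-up br-lan for contrast, and the helper names `parse_ip_addr` and `addressed_members` are mine.

```python
"""List bridge members that still carry addresses, from `ip addr` output.

Added example, not from the original post. It parses the multi-line format
(numbered interface header lines, then indented link/inet/inet6 lines) and
reports, per bridge, the bridge and each member that holds an address.
IP_ADDR_SAMPLE is constructed: the br-guest part mirrors the post, br-lan is made up.
"""
import re

IP_ADDR_SAMPLE = """\
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 0a:60:6e:e9:3c:89 brd ff:ff:ff:ff:ff:ff
    inet 10.11.13.10/24 brd 10.11.13.255 scope global br-lan
    inet6 fe80::860:6eff:fee9:3c89/64 scope link
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 08:60:6e:e9:3c:89 brd ff:ff:ff:ff:ff:ff
12: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP qlen 1000
    link/ether 08:60:6e:e9:3c:89 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a60:6eff:fee9:3c89/64 scope link
       valid_lft forever preferred_lft forever
15: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 08:60:6e:e9:3c:89 brd ff:ff:ff:ff:ff:ff
16: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether 08:60:6e:e9:3c:89 brd ff:ff:ff:ff:ff:ff
"""

# "16: eth0.20@eth0: <FLAGS> ..." -> name 'eth0.20', rest of the header line
HEADER = re.compile(r"^\d+: ([^:@\s]+)(?:@\S+)?: <[^>]*>(.*)$")
# "    inet6 fe80::.../64 scope link" -> family, address, scope (valid_lft lines do not match)
ADDR = re.compile(r"^\s+(inet6?) (\S+)(?: .*?scope (\S+))?")


def parse_ip_addr(text):
    """Return {ifname: {'master': bridge-or-None, 'addrs': [(family, addr, scope)]}}."""
    links, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            master = re.search(r"\bmaster (\S+)", m.group(2))
            links[current] = {"master": master.group(1) if master else None, "addrs": []}
            continue
        m = ADDR.match(line)
        if m and current:
            links[current]["addrs"].append((m.group(1), m.group(2), m.group(3) or ""))
    return links


def addressed_members(links, bridge):
    """Return [(ifname, family, addr)] for the bridge and its member ports that hold an address.

    An empty list means nothing on that bridge (wired port, VAP or the bridge
    itself) answers to an address, which is what a dumb AP's guest bridge should show."""
    members = [bridge] + [name for name, link in links.items() if link["master"] == bridge]
    return [(name, fam, addr) for name in members if name in links
            for fam, addr, _scope in links[name]["addrs"]]


if __name__ == "__main__":
    parsed = parse_ip_addr(IP_ADDR_SAMPLE)
    for bridge in ("br-lan", "br-guest"):
        print(bridge, addressed_members(parsed, bridge))
```

On the AP itself the same functions can be fed `ip addr` output (for example via `subprocess.run(["ip", "addr"], capture_output=True, text=True).stdout`); for the sample, br-guest yields only the wlan0-1 link-local entry the post describes, while br-lan yields its own global IPv4 and link-local IPv6 addresses.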

I recently ran into a similar situation on my OpenWrt system acting as an AP, and I'm not sure if it's a true security issue or just an annoyance.

  • bridge br-iot is configured with ipv6 disabled
  • Network IOT is configured as unmanaged
  • Wireless master network is attached to IOT network

In this configuration, I expected to have no IPv6 active on any parts of the IOT network or its bridged pieces. Yet, the wireless network has a link-local IPv6 address assigned. I can ping it while logged into the AP, but not from any other member of the IOT network. tcpdump shows that attempts to ping it are sending neighbor solicitation messages, but it's not responding. So, the link-local address really isn't useful to anybody else, and seemingly does not pose a security threat since nobody else can get network packets delivered to it.

So then, why is there a link-local IPv6 address assigned to the wifi interface, when its bridged network has IPv6 disabled?

root@linksysAP:~# uci show network.IOT
network.IOT=interface
network.IOT.device='br-iot'
network.IOT.proto='none'

root@linksysAP:~# uci show network.@device[5]
network.cfg110f15=device
network.cfg110f15.type='bridge'
network.cfg110f15.name='br-iot'
network.cfg110f15.ports='eth0.3'
network.cfg110f15.bridge_empty='1'
network.cfg110f15.macaddr='<redacted>'
network.cfg110f15.ipv6='0'

root@linksysAP:~# uci show wireless.wifinet5
wireless.wifinet5=wifi-iface
wireless.wifinet5.device='radio1'
wireless.wifinet5.mode='ap'
wireless.wifinet5.ssid='<REDACTED>'
wireless.wifinet5.encryption='psk2+ccmp'
wireless.wifinet5.key='<redacted>'
wireless.wifinet5.ieee80211r='1'
wireless.wifinet5.ft_over_ds='1'
wireless.wifinet5.ft_psk_generate_local='1'
wireless.wifinet5.wpa_disable_eapol_key_retries='1'
wireless.wifinet5.network='IOT'
wireless.wifinet5.reassociation_deadline='20000'

root@linksysAP:~# ifconfig wlan1-1
wlan1-1   Link encap:Ethernet  HWaddr <REDACTED>  
          inet6 addr: fe80::<redacted>/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:885 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:286274 (279.5 KiB)

root@linksysAP:~# iwinfo wlan1-1 info
wlan1-1   ESSID: "<REDACTED>"
          Access Point: <REDACTED>
          Mode: Master  Channel: 11 (2.462 GHz)
          Center Channel 1: 11 2: unknown
          Tx-Power: 30 dBm  Link Quality: unknown/70
          Signal: unknown  Noise: -99 dBm
          Bit Rate: unknown
          Encryption: WPA2 PSK (CCMP)
          Type: nl80211  HW Mode(s): 802.11bgn
          Hardware: 168C:003C 168C:4019 [Qualcomm Atheros IPQ4019]
          TX power offset: none
          Frequency offset: none
          Supports VAPs: yes  PHY name: phy1