Restricting internet on one radio and not the other

Good Evening,

I'm trying to setup a media server (movies) for about 30 devices. Originally I was going to just do an FTP server on a new Linksys EA6350 but I've gone ahead, loaded OpenWRT, and begun learning it.

Of the two radios, I'd like the 2.4Ghz radio to not have internet access (all users) but it should have access to the external HDD plugged into the USB 3.0 port on the router.

I'd like the 5Ghz radio to have internet access and, ideally, access to the HDD on the USB port if possible, but the internet access is a must.

Essentially, the idea is that anyone that is given the password to the 2.4GHz radio is going to get access to the movies but won't be able to use the internet and kill the already very limited bandwidth. Only those that have been given the SSID and password to the hidden 5GHz radio get internet.

Can this be done? The devices on the 2.4Ghz band are constantly changing, so restricting access by MAC address would not be ideal.

Create a bridge for your “restricted” SSID (only, no other interfaces). Assign it an IP on its own subnet and set it up for DHCP. Put it on its own firewall zone. Set the rules as you desire on that zone.

Probably no forwarding allowed. You probably want to block all input except for DHCP, DNS, and whatever you use for file sharing as well.

1 Like

Ok. So in interfaces- I have a DHCP client protocol in place on an interface called "movieserver" (just for ease of knowing why it's there...for the naming), firewall has a new zone called "movieserver" with input rejected, output accepted, forward rejected. Wireless for 2.4ghz is
not saving "network" has movieserver. Always goes back to unspecified.

What are the different modes in the wireless here? I haven't seen some in a router before (like adhoc- I always remember that for just computers or other devices).

Sorry I'm very new to openwrt

Since it's going to provide connectivity to other devices, it needs a fixed address in a subnet of your choice (that is different than the other attached subnets) and it needs to serve DHCP (and likely DNS and NTP).

If you're providing an AP, that is likely the mode shown in the GUI.

https://openwrt.org/docs/guide-quick-start/start

So how would I go about setting up the separate subnet and IP and such? I don’t seem to see any of those options in LUCI?

Also- I’ve seen a lot of negative things recently about openwrt and ftp servers. Any input?

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

FTP, along with telnet, rcp, rlogin, and a lot of the early and mid-era Internet protocols (remember gopher?) were obsolete around 20 years ago. They have been replaced by more secure, robust protocols like SSH, SCP, rsync, HTTP-S and the like.

It isn't that there are "negative things" with OpenWrt and FTP -- FTP is a problem no matter where used. There are vanishingly few reasons to run an FTP server these days, even fewer for a home user.

1 Like

Now THAT made a heck of a lot more sense. Ok. Thank you very very much. So I guess if I followed all of those directions but changed the WAN connection piece, guests would only have network access, not internet access, agreed?

1 Like

So for ease of use by average users, would you run a store-bought Linksys software or openwrt? I’m still leaning store-bought because I now how to setup the internet the way I want.

Thanks.

I’d never run Linksys firmware due to security flaws, “phone home” problems, and inability to configure (and probably a few more).

(I also don’t believe that security devices like routers should be running non-essential services, like file sharing.)

1 Like

Well being that I have limited internet connectivity, some pretty hefty commercial firewalls upstream of the Linksys, and filtered streams above that from the ISP directly, I’m not too worried about the security front. This point of this- I have an “open” port in an otherwise closed network that I’m using for the router. This is going to 1. Allow a cellphone to get internet service where it otherwise wouldn’t. And 2. The primary purpose is to allow up to 25 users to access the external HDD plugged into the router for offline content (movies). Recommendations on setup? I would have stayed with the Linksys software off the bat if I could have easily regulated the users to not have internet (and only give it to the one cellphone).

Someone provided information on setup. Do you need more details?

Totally confused now. You don't usually have to open a port to make a cellphone work. Nor does an open port relate to your second point.

  • Step 1 - follow Post No. 2 above to create the Interface/DHCP
  • Step 2 - create an SSID for WiFi (optional)
  • Step 3 - place interface in a new firewall zone that does not permit forwarding to WAN
  • Step 4 - install and configure a file sharing server

Simple.

You could also edit LAN so that it doesn't forward to WAN - and only allow the IP of the cellphone - although, you may have to configure a static address in the cellphone's network/WiFi settings.

EDIT: Duplicate of - Using OpenWrt, SSH, and network config

Ok BIG NEWS!

Thanks to you all, I have two networks running thus far. Of the two, I blocked internet on the 2.4Ghz by rejecting input, output, and forwarding. Now I have Samba downloaded, the Luci app for Samba running, and I am going to start playing with that!

Ok-

Now I’m stuck again- I can’t seem to mount the NTFS drive. I’ve been trying- manually through CLI, and I can’t download most of the Usb drivers either- most kick a 255 error or similar. Drive has more than 2tb if movies.

Oh- and when I do get code that seems like it might poke through- I get a permission denied

If your initial problem (Restricting internet on one radio and not the other) is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

1 Like