Setting up guest WLAN on a dumb AP

@WRTuser - nice writeup.

One potential suggestion to consider with respect to the firewall. Consider dropping all connections from the guest network to the dumb-ap device (that is now also routing the guest network) and then selectively allowing services of interest (usually DHCP and DNS). This way, the guest network can not access the router at all, except as explicitly permitted by the firewall rules.

To do this, the default action on the guest zone would be reject for input, and two traffic rules would be enabled for DHCP (tcp+udp 67-68) and DNS (tcp 53).

Also - in your writeup, the guest zone addition to the firewall was neglected -- might be useful to show that, too.

Thanks for this writeup!!

You do have rights to upload pictures.

https://openwrt.org/meta/adding_images_to_openwrt_wiki#troubleshooting

When the media manager opens,
your very first action should be to change to the media namespace, and possibly further down until you have reached the namespace to which you want to upload the picture.

Thanks for the heads up, I have added the guest zone to the firewall on the wiki.

I have been playing around with your suggestion to Reject input and only allow DNS and DHCP, haven't gotten this to work yet.

When I reject input on the guest zone and enable the traffic rule for DHCP, I can ping devices on the 192.168.1.xxx subnet and ssh to them.
Also, I can log into my gateway at 192.168.1.254.

config rule
        option dest_port '67-68'
        option src 'guest'
        option name 'Guest DHCP'
        option target 'ACCEPT'
        option proto 'udp'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'Guest DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'

I suppose I still have to add rules to block guest -> lan

config rule
        option name 'Disable Guest LAN Access'
        option dest 'lan'
        option target 'DROP'
        option proto 'all'
        option src 'guest'
        option dest_ip '192.168.1.0/24'

With the above added, everything works as before (and I suppose even better as all other ports are blocked).
So only these 3 rules are needed ;).

@WRTuser - Sorry if I caused any confusion about the rulesets. Yes, you still need the drop Guest > LAN access rule, as you have found and described. My intent was to prevent the guest network from accessing your secondary router itself (i.e. the dumb AP that is creating the guest network) on all ports except for those explicitly allowed.

That said, the three rules (plus the input reject for the guest network) are what I was aiming for, and in my experience do indeed work as intended (and hopefully are compliant with best practices -- I'm sure there are other people far more knowledgeable about firewall/security considerations who might be able to chime in if I have this wrong).

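To make the recipe from the posts above checkable, here is an added example (not code from the thread, the wiki page, or OpenWrt itself): a small Python audit that parses an /etc/config/firewall fragment and reports whether the guest zone rejects input, whether only DHCP and DNS are accepted towards the AP, and whether the guest -> LAN drop rule is present. The parser covers only the UCI subset used by firewall configs, the sample configs are constructed for the example, and all function names are the example's own.

```python
"""Audit an OpenWrt firewall fragment for the guest-zone recipe discussed above:
REJECT input on the guest zone, ACCEPT only DHCP/DNS towards the AP itself,
and a DROP rule for guest -> LAN traffic. Added example, not OpenWrt code."""
import shlex


def parse_uci(text):
    """Parse 'config <type> [name]' sections with their option/list lines."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # strips quotes and '#' comments
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword == "config":
            sections.append({"type": args[0], "name": args[1] if len(args) > 1 else None,
                             "options": {}, "lists": {}})
        elif keyword == "option" and sections:
            sections[-1]["options"][args[0]] = args[1] if len(args) > 1 else ""
        elif keyword == "list" and sections:
            sections[-1]["lists"].setdefault(args[0], []).append(args[1] if len(args) > 1 else "")
    return sections


def _protos(rule):
    # OpenWrt's firewall treats a missing 'proto' option as 'tcp udp'
    return set(rule.get("proto", "tcp udp").split())


def audit_guest_zone(config_text, zone="guest", lan="lan"):
    """Return a list of findings; an empty list means the three-rule recipe is complete."""
    sections = parse_uci(config_text)
    findings = []

    zones = [s["options"] for s in sections
             if s["type"] == "zone" and s["options"].get("name") == zone]
    if not zones:
        return [f"no zone named {zone!r}"]
    zone_input = zones[0].get("input", "ACCEPT").upper()
    if zone_input not in ("REJECT", "DROP"):
        findings.append(f"zone {zone}: input policy is {zone_input}, expected REJECT")

    rules = [s["options"] for s in sections
             if s["type"] == "rule" and s["options"].get("src") == zone]
    # A rule with 'src' but no 'dest' matches traffic addressed to the AP itself (input chain).
    input_accepts = [r for r in rules if r.get("target", "").upper() == "ACCEPT" and "dest" not in r]

    def accepts(port, proto):
        return any(r.get("dest_port") == port and proto in _protos(r) for r in input_accepts)

    if not accepts("67-68", "udp"):
        findings.append("no ACCEPT rule for DHCP (udp 67-68) from the guest zone")
    if not (accepts("53", "udp") and accepts("53", "tcp")):
        findings.append("no ACCEPT rule for DNS (tcp+udp 53) from the guest zone")
    for r in input_accepts:
        if r.get("dest_port") not in ("67-68", "53"):
            findings.append(f"rule {r.get('name')!r} opens extra port {r.get('dest_port', 'any')!r} "
                            "on the AP to guests")

    # A rule with both 'src' and 'dest' matches forwarded traffic (guest -> lan).
    if not any(r.get("dest") == lan and r.get("target", "").upper() in ("DROP", "REJECT")
               for r in rules):
        findings.append(f"no rule dropping {zone} -> {lan} traffic; guests can reach LAN hosts")
    return findings


# Constructed sample: zone with input REJECT and the two ACCEPT rules, but no LAN drop rule.
GUEST_WITHOUT_LAN_BLOCK = """
config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option dest_port '67-68'
        option src 'guest'
        option name 'Guest DHCP'
        option target 'ACCEPT'
        option proto 'udp'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'Guest DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'
"""

# Same sample plus the drop rule, i.e. the complete three-rule recipe from the thread.
GUEST_WITH_LAN_BLOCK = GUEST_WITHOUT_LAN_BLOCK + """
config rule
        option name 'Disable Guest LAN Access'
        option dest 'lan'
        option target 'DROP'
        option proto 'all'
        option src 'guest'
        option dest_ip '192.168.1.0/24'
"""
```

Running `audit_guest_zone(GUEST_WITHOUT_LAN_BLOCK)` reproduces the situation described above (input rejected, DHCP/DNS accepted, yet LAN hosts still reachable because nothing blocks the forwarded guest -> lan traffic), while `audit_guest_zone(GUEST_WITH_LAN_BLOCK)` returns no findings. Feeding it a copy of the live /etc/config/firewall is a quick way to confirm the AP's own policy after editing the wiki steps.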

Thanks, I have updated the wiki to reflect the changes :slight_smile:
As far as I can tell, this is much better than what I initially had with the firewall.


Can you please cut off the unnecessary whitespace in pic5.jpg?
Whitespace is not that informative :wink: and just wastes screenspace.

Thanks!

P.S.: And next time please name the uploaded pictures in a useful way. (Don't worry, I will do that later for the pictures uploaded by you today.)

Hey @tmomas, I've updated picture 5.
I was hoping I could edit the names after uploading (can't see that option).
Thanks in advance for renaming them :slight_smile:


Can you post your entire firewall setup for us following along?

edit: do you know if any additional setup is required if DNS over TLS was setup for your LAN?

FYI - I have renamed the pictures and also moved the page to https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap ('-' is not a word separator in the wiki, therefore replaced with '_')

Hey @glik22,

the entire firewall setup is at step 4a & 4b at
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

Everything else I haven't touched and is as it is out of the box.
For a visual representation you can check out step 3 at the webinterface config.

Also, I haven't set up DNS over TLS (or HTTPS), but from quickly scrolling the web I think
that if you set your DNS server to 1.1.1.1 (i.e. Cloudflare) they take care of it.

Don't know much about setting up a self-hosted DNS resolver, you could try setting up a Pi-Hole
as your DNS server which comes with many benefits.
https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/

Less to do with OpenWrt than with Pi-hole.

p.s.
thanks @tmomas
