WiFi on separate subnet behind corporate firewall

Definite newbie with OpenWrt
Much longer-term user of pfSense

I had a spare EA6350 router, installed OpenWrt and got the initial setup done, including editing the rc.local file (btw WinSCP is very useful for newbies).

Here’s what I want to do:
I want to attach my corporate LAN to my router. The device will act as a wireless Internet source for personal devices. The reason for this is that the “guest Wi-Fi” for the corporate system is incredibly slow and equally unreliable.
I have no desire to actually access the corporate network from those personal devices. And equally as important, I do not want them to have access to my devices either.
Since there is only one LAN cable present in my office, my plan was to insert the corporate LAN network cable into the WAN port of my router. I’m hoping to be able to bridge from the WAN interface to LAN 1, which would be connected to my corporate desktop.
Then, hopefully allow wireless Internet to be broadcast on another subnet separate from the corporate LAN.

What has worked so far:
I am able to get wireless internet, but it seems that the IP addresses given to my phone or laptop are on the same subnet as the corporate LAN. This was done by using the native wireless interface that is connected to the LAN. I am still able to get corporate access via LAN1 and my corporate desktop.
I cloned the desktop MAC address for the WAN interface, in hopes of drawing less attention.

I tried to create a “Guest WiFi” using instructions here on OpenWrt, but when attempting to connect to the wireless interface the connection just spins and finally fails. I think DHCP is failing. If I manually set the IP and subnet on the mobile device to the guest Wi-Fi interface subnet, it will connect but has no internet access. I tried to create traffic rules and opened ports 53 for DNS and 68 for DHCP.

Are there any better instructions on how to accomplish this? I do not want to create a security risk for my corporate LAN and as I said, I don’t even want access to the corporate LAN. I just want to have reliable Internet while in my office.

Unless you own the company or are the head of IT, what you are proposing to do (connecting what amounts to a rogue access point to the corporate network) is a dismissal-level offense in most companies, if I understand your use-case correctly.

If I'm not mistaken, I'd strongly urge you to reconsider.

6 Likes

I was going to reply with exactly this sentiment... I know that in my company, this would mean immediate termination because it poses such a large security threat to the company. Especially given that you are doing this in a way that you hope will be "drawing less attention" -- it'll be really hard to argue that you didn't realize this was not acceptable.

So, I am also going to urge you not to do this unless you have the support of your corporate IT department for this (as well as their cooperation for the configuration of this device, and all of it in writing to CYA).

That said, warnings aside... I think you basically just want a standard routed configuration with a guest network. The tutorials are all available on the wiki. Do so at your own risk.

What I'd recommend instead is that you consider getting a router with a built-in cellular modem so that you can use your personal devices on a network that is presumably faster than your corp guest network, but without potentially facing termination.

2 Likes

Well, maybe just use a phone as a USB modem and plug it into the OpenWrt router.