Guest ssid

Suggest improvements and new features for Gargoyle.


tals
Posts: 247
Joined: Fri Dec 09, 2011 7:27 am

Re: Guest ssid

Post by tals »

Gargoyle is supported by a few very dedicated individuals that drive the program forward with no financial gain. If you hop into the documentation link you will see a document on info for developers if you want to see how you can assist if you have the skills.

Adding new features is down to the team and their own time, though they obviously want to add features that they believe improve the product and are wanted by the community. So adding your support in here they will have noted.

Hopefully that clarifies it :)
Netgear wndr3700 v2 Gargoyle 1.8.0
TP-Link Archer C7 v2 1.10.X (Built 20180122-0707)

euklid81
Posts: 2
Joined: Wed Jan 09, 2013 8:43 pm

Re: Guest ssid

Post by euklid81 »

Hi,

I have used the commands given to successfully create 2 SSIDs with different passwords. Everything is working well, except that now I cannot view any bandwidth usage statistics by host name or IP like I was able to do before. Anyone know what I can do?

Slacker
Posts: 55
Joined: Mon Aug 20, 2012 2:00 pm

Re: Guest ssid

Post by Slacker »

euklid81 wrote: Hi,

I have used the commands given to successfully create 2 SSIDs with different passwords. Everything is working well, except that now I cannot view any bandwidth usage statistics by host name or IP like I was able to do before. Anyone know what I can do?

That's peculiar, because I'd been using this guest SSID trick for a few releases now (I'm currently on 1.5.9) and b/w monitoring has never had problems.

If you're on 1.5.9 and use IE, try Firefox. I use IE and noticed that b/w monitoring + pop-up boxes do not work in IE with Enhanced Protected Mode enabled, which is how I use it. I keep FF handy for my prick-ass banking site and now Gargoyle.

drawz
Posts: 33
Joined: Sun Feb 17, 2013 11:55 pm

Re: Guest ssid

Post by drawz »

Would love to see this added in the GUI.

Multi-SSID is becoming an extremely important feature advertised by manufacturers and actually desired by consumers. The lack of this feature (in the GUI) will stop a lot of people from trying Gargoyle.

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Guest ssid

Post by pbix »

People using this technique to establish a Guest SSID will find things go smoother with v1.5.10. I made some modification there to prevent problems with the bandwidth monitor screens and the status screen when you do this.

Not exactly a complete solution but a more elegant kludge until we have formal support for this in the GUI.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

kurjak
Posts: 20
Joined: Sat Jul 31, 2010 11:52 am

Re: Guest ssid

Post by kurjak »

I can't manage to make it work.
ifconfig:

Code: Select all

br-lan    Link encap:Ethernet  HWaddr A0:F3:C1:D4:07:CA
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9714 errors:0 dropped:313 overruns:0 frame:0
          TX packets:12144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1201929 (1.1 MiB)  TX bytes:6075827 (5.7 MiB)

eth0      Link encap:Ethernet  HWaddr A0:F3:C1:D4:07:CA
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:56998 errors:0 dropped:31 overruns:60987 frame:0
          TX packets:21792 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16452563 (15.6 MiB)  TX bytes:7333814 (6.9 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr A0:F3:C1:D4:07:CA
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9478 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12051 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1169092 (1.1 MiB)  TX bytes:6026699 (5.7 MiB)

eth0.2    Link encap:Ethernet  HWaddr A0:F3:C1:D4:07:CA
          inet addr:192.168.1.55  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47390 errors:0 dropped:2311 overruns:0 frame:0
          TX packets:9740 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14236381 (13.5 MiB)  TX bytes:1218908 (1.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:352 errors:0 dropped:0 overruns:0 frame:0
          TX packets:352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26338 (25.7 KiB)  TX bytes:26338 (25.7 KiB)

wlan0     Link encap:Ethernet  HWaddr A0:F3:C1:D4:07:CA
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:169 errors:0 dropped:0 overruns:0 frame:0
          TX packets:959 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:27017 (26.3 KiB)  TX bytes:179856 (175.6 KiB)

wlan0-1   Link encap:Ethernet  HWaddr A2:F3:C1:D4:07:CB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:870 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:13084 (12.7 KiB)  TX bytes:141370 (138.0 KiB)

ebtables --list

Code: Select all

Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wlan0-1 -o eth0 -j DROP
-i wlan0-1 -o wlan0 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

I tried ebtables with br-lan, lan and eth0, with no success.

yeti_z
Posts: 7
Joined: Fri Aug 17, 2012 10:31 am

Re: Guest ssid

Post by yeti_z »

Hi,

Since I did not have a chance to do it before, first of all I'd like to thank pbix and other contributors as well as all openwrt developers for the work everyone is doing. I love Gargoyle and it makes me happy to see it continuously develops.

Regarding the guest SSID, I've tested the code from one of pbix's first posts in this thread and I can report that:

1. New wifi network with separate SSID and password successfully showed up. Now I have two networks, which makes it easier to share the password with guests and change it without a need to update the password for all my devices.
2. Two devices connected to the same guest network couldn't see each other's open ports.
3. A device connected to the guest network was unfortunately able to see open ports on a device connected to either LAN (with cable) or to the main wifi network.

Even though for now I am happy with what I have, I'd love to see guest network feature in GUI and with the complete isolation.

If I could perhaps help by sharing my config, here it goes.

My config:
version: 1.5.10.11 (r37768), by obsy
Model: NETGEAR WNDR3700
OpenVPN enabled.

Code: Select all

root@Dolphin:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr C2:3F:0E:7D:1F:85
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:53972 errors:0 dropped:1983 overruns:0 frame:0
          TX packets:66058 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14467615 (13.7 MiB)  TX bytes:63714215 (60.7 MiB)

eth0      Link encap:Ethernet  HWaddr C2:3F:0E:7D:1F:85
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22545 errors:0 dropped:34 overruns:22 frame:0
          TX packets:22990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4816057 (4.5 MiB)  TX bytes:10880310 (10.3 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr C2:3F:0E:7D:1F:85
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22094 errors:0 dropped:2 overruns:0 frame:0
          TX packets:22943 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4380152 (4.1 MiB)  TX bytes:10782842 (10.2 MiB)

eth1      Link encap:Ethernet  HWaddr C0:3F:0E:7D:1F:86
          inet addr:192.168.178.10  Bcast:192.168.178.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:62549 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62453815 (59.5 MiB)  TX bytes:13661915 (13.0 MiB)
          Interrupt:5

imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:59435 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59435 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:11000
          RX bytes:60118638 (57.3 MiB)  TX bytes:60118638 (57.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:196 errors:0 dropped:0 overruns:0 frame:0
          TX packets:196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:18873 (18.4 KiB)  TX bytes:18873 (18.4 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4276 (4.1 KiB)  TX bytes:4417 (4.3 KiB)

wlan0     Link encap:Ethernet  HWaddr C0:3F:0E:7D:1F:85
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5640 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1290519 (1.2 MiB)

wlan0-1   Link encap:Ethernet  HWaddr C2:3F:0E:7D:1F:85
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29833 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49547 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10284956 (9.8 MiB)  TX bytes:54026023 (51.5 MiB)

wlan1     Link encap:Ethernet  HWaddr C0:3F:0E:7D:1F:87
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4662 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11158 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1186178 (1.1 MiB)  TX bytes:3936637 (3.7 MiB)

root@Dolphin:~# uci show wireless

wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.hwmode=11ng
wireless.radio0.macaddr=c0:3f:0e*******
wireless.radio0.htmode=HT20
wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio0.noscan=1
wireless.radio1=wifi-device
wireless.radio1.type=mac80211
wireless.radio1.hwmode=11na
wireless.radio1.macaddr=c0:3f:0e:*******
wireless.radio1.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio1.noscan=1
wireless.radio1.htmode=HT40+
wireless.radio1.channel=52
wireless.ap_g=wifi-iface
wireless.ap_g.device=radio0
wireless.ap_g.mode=ap
wireless.ap_g.network=lan
wireless.ap_g.ssid=Dolphin24
wireless.ap_g.encryption=psk2
wireless.ap_g.key=********
wireless.ap_a=wifi-iface
wireless.ap_a.device=radio1
wireless.ap_a.mode=ap
wireless.ap_a.network=lan
wireless.ap_a.ssid=Dolphin50
wireless.ap_a.encryption=psk2
wireless.ap_a.key=***********
wireless.ap_g2=wifi-iface
wireless.ap_g2.device=radio0
wireless.ap_g2.mode=ap
wireless.ap_g2.network=lan
wireless.ap_g2.isolate=1
wireless.ap_g2.ssid=Dolphin24-guest
wireless.ap_g2.key=**********
wireless.ap_g2.encryption=psk2

shayanjameel08
Posts: 10
Joined: Sat Oct 12, 2013 7:51 am

Re: Guest ssid

Post by shayanjameel08 »

I recommended and found it to work well. But that was on my Buffalo router.

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Guest ssid

Post by pbix »

Folks having trouble with isolation should pay attention to the devices used in the ebtables commands. The ones given were from my own testing on the router I had at the time (not even sure what it was). Your devices may be different if it's not working for you.

Use ifconfig before making any changes to determine what devices are your main LAN wired ethernet and Wifi devices. On my router these were eth0 and wlan0 respectively. Since I do not have all the routers in the world I cannot tell you for sure what yours are.

Next make the suggested UCI changes and do another "ifconfig" to find out what the new Wifi device will be. On my router this was wlan0-1.

Modify the ebtables command parameters appropriately. I will tell you that "br-lan" is never the correct answer for any of these. Also if the device has an IP address it's not the one either. If you get it working with another router then post your results to help others.

If anyone can post a bulletproof way to figure out what these are it would help out.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

yeti_z
Posts: 7
Joined: Fri Aug 17, 2012 10:31 am

Re: Guest ssid

Post by yeti_z »

Hi,

PBIX, your explanation was very handy to me. Thanks.

I managed to configure isolation of guest network on my router: WNDR3700 (v1) from: 2.4GHz WLAN, 5GHz WLAN and LAN by using these ebtables entries:

Code: Select all

        #Add the below lines to isolate the guest wifi from your LAN.
        ebtables -I FORWARD -i wlan0-1 -o wlan0 -j DROP
        ebtables -I FORWARD -i wlan0-1 -o wlan1 -j DROP
        ebtables -I FORWARD -i wlan0-1 -o eth0.1 -j DROP

Like in previous posts, it needs to be configured in this file:

Code: Select all

/usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh

There are, however, two things I noticed which could be worth mentioning:

1. Every time the firewall is restarted, this file:

Code: Select all

/usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh

is executed again, and the above 3 rules are added to ebtables again while the old ones are still there. It means that ebtables keeps on growing with duplicated entries.

It's not that bad, the solution still works and 'resets' back to 3 rules after a router restarts. It's just not too clean.

2. If you have openvpn configured, then the clients in isolated network can still see other clients connected through VPN.

I tried using firewall to configure additional zone for isolated wlan and denying access to vpn zone, but I had no luck with that approach. Maybe someone else has a better idea how to do it?

I tried to use this code to block forwarding from guest wlan to VPN (but this approach did not work):

Code: Select all

config zone
        option name 'wlan_guest_zone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option device 'wlan0-1'

config rule
        option name 'Deny-Wlan-VPN-Input'
        option src 'wlan_guest_zone'
        option dst 'vpn'
        option target 'DROP'

Code: Select all

/etc/config/firewall
Source:
http://wiki.openwrt.org/doc/uci/firewall
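
Added example, not part of any post above and not Gargoyle code: one way to answer pbix's request for a reliable way to find the devices, and to avoid the duplicate rules yeti_z describes after a firewall restart. It assumes the guest AP is bridged into br-lan (as with `network=lan` in the config above), reads the bridge's ports from the standard Linux sysfs directory `/sys/class/net/<bridge>/brif`, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example. Function names and the EBT override are hypothetical.

# Print the ports of bridge $1 except the guest port $2, one per line.
# $3 overrides the sysfs net directory (only needed for testing).
bridge_peers() {
    brif="${3:-/sys/class/net}/$1/brif"
    [ -d "$brif" ] || { echo "no such bridge: $1" >&2; return 1; }
    [ -e "$brif/$2" ] || { echo "$2 is not a port of $1" >&2; return 1; }
    for p in "$brif"/*; do
        [ "${p##*/}" = "$2" ] || echo "${p##*/}"
    done
}

# Print one ebtables rule spec per peer port of the guest interface.
guest_rules() {
    peers=$(bridge_peers "$@") || return 1
    for dev in $peers; do
        echo "FORWARD -i $2 -o $dev -j DROP"
    done
}

# Install the rules so that re-running leaves exactly one copy of each.
# EBT may name a replacement command; the default is the real ebtables.
apply_guest_isolation() {
    rules=$(guest_rules "$@") || return 1
    echo "$rules" | while read -r spec; do
        # -D removes one matching rule per call; repeat until none remain.
        while ${EBT:-ebtables} -D $spec 2>/dev/null; do :; done
        ${EBT:-ebtables} -I $spec
    done
}

# On the router: apply_guest_isolation br-lan wlan0-1
```

These rules only cover frames bridged between ports of br-lan; traffic routed to another interface such as tun0 does not pass through the ebtables FORWARD chain and needs an IP-level firewall rule.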
