Guest ssid

Suggest improvements and new features for Gargoyle.


pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Guest ssid

Post by pbix »

I did some more testing based on the above feedback from users and found that my original statement

Code:

ebtables -I FORWARD -i wlan0-1 -o br-lan -j DROP

was not working. I also found that the line recommended by Slacker provided Wifi isolation and the below line provided LAN isolation.

Code:

ebtables -I FORWARD -i wlan0-1 -o eth0 -j DROP

So the correct result is to use both lines.

Code:

ebtables -I FORWARD -i wlan0-1 -o eth0 -j DROP
ebtables -I FORWARD -i wlan0-1 -o wlan0 -j DROP

I edited my original post to reflect this for folks who do not read this far down into this thread.

These lines work on my AR71 router. You should test yourself that you cannot ping either your LAN or other Wifi clients on your private LAN from your guest Wifi.

As noted in a previous post, a couple of screens in the GUI will be confused by this setup, but most will work fine. All functions configured through the GUI before these changes will continue to work fine, including the QoS and Quota.

If you have any problems with the above please post the results of the following commands on this thread and a description of what problem you are having.

Code:

ebtables --list
ifconfig

Thanks for the input from users on this and sorry for the original confusion.

Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

spudstrawb
Posts: 21
Joined: Thu Oct 18, 2012 2:42 am

Re: Guest ssid

Post by spudstrawb »

I am a new Gargoyle user and have followed this thread to successfully establish a guest ssid. It saves a lot of trouble when the children's friends are around. I would like to throttle this ssid though so that the friends don't take all the bandwidth. Does anyone know how to achieve this?

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Guest ssid

Post by pbix »

QoS works for the guest SSID just like it does for your private one.

Make rules for all the devices on your private SSID and let all others fall through to your default class. Then set your default class as you like.

SergeS
Posts: 58
Joined: Tue Aug 07, 2012 9:09 pm

Re: Guest ssid

Post by SergeS »

pbix wrote:
For the time being many people can achieve this using the following steps.

From the command line of your router
...skip...
After saving your modified file reboot your router and enjoy.

Sorry but this will not work with the b43 Wifi driver which most if not all Broadcom based routers are using. DD-WRT is still using the old proprietary driver so that is why they can do it on your old WRT54G. Just another reason to ditch your 54G IMHO.

Adventurous people are encouraged to try the above. Based on the experience reported it may find its way in the GUI at some point.

I will be watching.

I am going to try. How can I revert everything back if I have a problem?

Update: I've tried, my guest network appears on the wifi devices, but isolation is not working, I can access all of my internal network from the guest SSID, which makes this useless :-(. I have already returned everything back using the command "firstboot", and loaded the saved config after that; is this the correct way? I am an absolute newbie in Linux and routers, so can anybody advise me what I am doing wrong :-)?

My router is Netgear WNDR3700v2, Gargoyle 1.5.8, I have performed actions exactly as pbix recommended to do in this thread, post #4 at Sun Jun 17, 2012 2:08 pm (9 lines to execute from command-line interface, add two lines in initialize_firewall() function and restart router).

ifconfig output is here: http://sergeskor.dyndns.org/Files/ifconfig.txt (I have just hidden some sensitive info like my IP and MACs).

p.s. [Dream mode ON] It would be so nice if Guest SSID will be implemented in Garg UI :-)))

cosmo1t
Posts: 3
Joined: Sat Sep 10, 2011 1:22 pm

Re: Guest ssid

Post by cosmo1t »

I just went through the same steps, and w/ a wndr3700 w/ both radios enabled, I could still ping/see the non-guest network.

adding:

ebtables -I FORWARD -i wlan0-1 -o wlan1 -j DROP
ebtables -I FORWARD -i wlan0-1 -o eth0.1 -j DROP

seems to have solved the problem so far
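
The rules posted in this thread differ per router because the `-o` side has to name each port that is actually bridged into br-lan (eth0 on one device, eth0.1 and wlan1 on another). As an added example that is not part of any post in this thread, the sketch below derives one DROP rule per bridge port and checks an `ebtables --list` dump for ports left uncovered; the function names and sample data are constructed for illustration, and `wlan0-1` and `br-lan` are assumed from the thread.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed here.
GUEST_IF="${GUEST_IF:-wlan0-1}"   # guest interface name used in the thread
BRIDGE="${BRIDGE:-br-lan}"        # LAN bridge name used in the thread

# Member ports of a Linux bridge, read from sysfs (empty if no such bridge).
bridge_ports() {
    ls "/sys/class/net/$1/brif" 2>/dev/null || true
}

# Print one DROP rule per bridge port other than the guest interface.
# $1 = guest interface, $2 = whitespace-separated bridge ports
gen_isolation_rules() {
    for port in $2; do
        [ "$port" = "$1" ] && continue
        echo "ebtables -I FORWARD -i $1 -o $port -j DROP"
    done
}

# Print ports that have no guest-to-port DROP rule in an `ebtables --list` dump.
# $1 = guest interface, $2 = bridge ports, $3 = text of `ebtables --list`
missing_rules() {
    for port in $2; do
        [ "$port" = "$1" ] && continue
        echo "$3" | grep -qF -e "-i $1 -o $port -j DROP" || echo "$port"
    done
}

# Constructed sample: the port names reported for the dual-radio wndr3700,
# checked against a rule set that only holds the eth0/wlan0 pair.
SAMPLE_PORTS="eth0.1 wlan0 wlan0-1 wlan1"
SAMPLE_LIST='Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wlan0-1 -o wlan0 -j DROP
-i wlan0-1 -o eth0 -j DROP'

echo "Rules needed for the sample port list:"
gen_isolation_rules "$GUEST_IF" "$SAMPLE_PORTS"
echo "Ports the sample rule set leaves reachable from the guest SSID:"
missing_rules "$GUEST_IF" "$SAMPLE_PORTS" "$SAMPLE_LIST"

# On a router, feed in the live state instead:
#   gen_isolation_rules "$GUEST_IF" "$(bridge_ports "$BRIDGE")"
#   missing_rules "$GUEST_IF" "$(bridge_ports "$BRIDGE")" "$(ebtables --list)"
```

Re-running the `missing_rules` check after a reboot or a wireless restart shows whether the rules are still loaded and still match the current port names.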

davidstoll
Posts: 2
Joined: Fri Nov 30, 2012 10:59 pm

Re: Guest ssid

Post by davidstoll »

Hey guys, I heard about this on Tekzilla and I'm also tired of the complication of dd-wrt, so I'm excited to try this out. This is one of the features I am currently using with dd-wrt, so I have a couple of questions...

1) Is there a command to make the new SSID hidden?

2) Can you use:
uci set wireless.ap_g2.encryption=wep
?

Thanks so much for any help you can give me!

pbix wrote:
For the time being many people can achieve this using the following steps.

From the command line of your router

Code:

uci set wireless.ap_g2=wifi-iface
uci set wireless.ap_g2.device=radio0
uci set wireless.ap_g2.mode=ap
uci set wireless.ap_g2.network=lan
uci set wireless.ap_g2.ssid='<Your Desired SSID>'
uci set wireless.ap_g2.isolate=1
uci set wireless.ap_g2.encryption=psk2   # or 'none'
uci set wireless.ap_g2.key='<password if any>'
uci commit

In the file /usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh locate the initialize_firewall() routine and add one line.

Code:

initialize_firewall()
{
        iptables -I zone_lan_forward -i br-lan -o br-lan -j ACCEPT
        insert_remote_accept_rules
        insert_dmz_rule
        create_l7marker_chain
        block_static_ip_mismatches
        force_router_dns
        add_adsl_modem_routes

        # Add the below lines to isolate the guest wifi from your LAN.
        ebtables -I FORWARD -i wlan0-1 -o wlan0 -j DROP
        ebtables -I FORWARD -i wlan0-1 -o eth0 -j DROP
}

After saving your modified file reboot your router and enjoy.

Sorry but this will not work with the b43 Wifi driver which most if not all Broadcom based routers are using. DD-WRT is still using the old proprietary driver so that is why they can do it on your old WRT54G. Just another reason to ditch your 54G IMHO.

Adventurous people are encouraged to try the above. Based on the experience reported it may find its way in the GUI at some point.

I will be watching.

SergeS
Posts: 58
Joined: Tue Aug 07, 2012 9:09 pm

Re: Guest ssid

Post by SergeS »

cosmo1t wrote:
I just went through the same steps, and w/ a wndr3700 w/ both radios enabled, I could still ping/see the non-guest network.

adding:

ebtables -I FORWARD -i wlan0-1 -o wlan1 -j DROP
ebtables -I FORWARD -i wlan0-1 -o eth0.1 -j DROP

seems to have solved the problem so far

Thank you so much, it seems to be working on my wndr3700v2. Do you see guests in "Connected Hosts"?

tals
Posts: 247
Joined: Fri Dec 09, 2011 7:27 am

Re: Guest ssid

Post by tals »

As the original op I still think this would add nicely to the Gargoyle feature list if this was implemented properly into the GUI. Great work pbix, as usual, with your assistance.

Netgear wndr3700 v2 Gargoyle 1.8.0
TP-Link Archer C7 v2 1.10.X (Built 20180122-0707)

SergeS
Posts: 58
Joined: Tue Aug 07, 2012 9:09 pm

Re: Guest ssid

Post by SergeS »

SergeS wrote:
cosmo1t wrote:
I just went through the same steps, and w/ a wndr3700 w/ both radios enabled, I could still ping/see the non-guest network.

adding:

ebtables -I FORWARD -i wlan0-1 -o wlan1 -j DROP
ebtables -I FORWARD -i wlan0-1 -o eth0.1 -j DROP

seems to have solved the problem so far

Thank you so much, it seems to be working on my wndr3700v2. Do you see guests in "Connected Hosts"?

Oops! Just checked again - there is no isolation! But it was there before 100%. Now each f... guest can fully see my internal network :shock:
Remove all that stuff. Guys, please, make guest SSID.

beaker1024
Posts: 1
Joined: Sat Jan 05, 2013 8:56 pm

Re: Guest ssid

Post by beaker1024 »

Add my vote to wanting an isolated Guest Wifi SSID within the GUI, etc... I actually joined the forum just to post for this.

Do the Gargoyle code writers have:
1) a mechanism to have people submit (and/or) vote up new features?
2) a list of features already taken up to be worked on?

Any information would be greatly appreciated. Thanks!
