The reason this has not been done in the past is that it would be very disruptive to the design of Gargoyle. The single subnet that Gargoyle is managing finds its way into every feature and webpage of the design. Adding a new subnet would create an incredible amount of design rework and, in many cases, double the number of configuration options. Router configuration is already complicated enough for the average home user. Reworking an otherwise stable design is no fun. It would be years before all the bugs were killed.
The approach I suggested in AA based Gargoyle relied on ebtables to provide some isolation of the Guest network while still allowing a single network subnet and all the other features of Gargoyle to work. The ebtables approach does have the drawback that "Guests" still have access to router resources like any mounted USB drive. It is also not possible to classify guest traffic differently from other LAN traffic in quota rules and QoS.
Since I first proposed this approach many people have tried it out and commented on it. Now Dr. Crash has proposed a UI integrated into Gargoyle for it. However, I have been thinking that for BB a new approach should be introduced that addresses the known shortcomings, and that Dr. Crash should work on it instead.
In the new approach traffic is segmented using CIDR notation within the 255 addresses that Gargoyle manages. As part of the configuration the user selects the maximum number of guest connections he wants to support. The only choices are 5, 13, 29, 61 and 125. Then using CIDR we can segment the addresses as follows:
Guests   Normal IPs   Guest IPs   Suffix
   5       0-247       248-255     /29
  13       0-239       240-255     /28
  29       0-223       224-255     /27
  61       0-191       192-255     /26
 125       0-127       128-255     /25
Isolation of the LANs would be accomplished by a few iptables rules, and the Guest LAN could be isolated from the router resources. Things like QoS already support CIDR notation, so it would be easy to identify and treat Guest traffic differently from normal traffic.
Anyone wishing to try this new approach, which would work in AA or BB, would do the following:

To /etc/config/wireless, add a new access point:
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	# or set encryption 'none' and omit the key for an open guest network
	option encryption 'psk2'
	option key 'password'
	option ssid 'Guest'
	option network 'Guest'
To /etc/config/network, add a corresponding entry depending on the max guests allowed (option 5 shown here):
config interface 'Guest'
	option _orig_ifname 'wlan0-1'
	option _orig_bridge 'false'
	option proto 'static'
	# router address inside the 192.168.1.248/29 guest block
	option ipaddr '192.168.1.249'
	option netmask '255.255.255.248'
Adjust /etc/config/dhcp to match the IP address ranges of each AP. This again depends on the number of allowed guests:
config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	# normal clients get .2 to .246, below the guest block
	option start '2'
	option limit '245'

config dhcp 'guest'
	option leasetime '12h'
	option interface 'Guest'
	# guests get .250 to .254
	option limit '5'
	option start '250'
Well that is enough text for any one post. If someone would like to give it a go I would be interested.
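As an added example that is not part of the original post and is not Gargoyle's own code, the following shell script turns the guest-count table above into the matching settings for all five choices rather than just the /29 case shown in the configuration. It assumes, as the post does, that the LAN is 192.168.1.0/24 with the router at .1, and additionally that the guest AP comes up as wlan0-1 (both can be overridden through LAN_BASE and GUEST_IF). The iptables rules it prints are this example's own suggestion for the isolation the post only mentions in passing; the post does not specify them.

```shell
#!/bin/sh
# Added example, not code from the original post or from Gargoyle.
# Derives the guest block for a chosen guest count, prints the UCI
# commands for /etc/config/{wireless,network,dhcp}, and prints a set of
# iptables isolation rules of this example's own choosing.
# Assumptions: LAN is 192.168.1.0/24 with the router at .1 (as in the
# post) and the guest AP's interface is wlan0-1 (override via environment).

LAN_BASE="${LAN_BASE:-192.168.1}"
GUEST_IF="${GUEST_IF:-wlan0-1}"

# CIDR prefix length for a supported guest count; anything else is rejected.
guest_prefix() {
    case "$1" in
        5)   echo 29 ;;
        13)  echo 28 ;;
        29)  echo 27 ;;
        61)  echo 26 ;;
        125) echo 25 ;;
        *)   echo "unsupported guest count: $1 (use 5, 13, 29, 61 or 125)" >&2
             return 1 ;;
    esac
}

# Last octet of the guest network address: 256 minus the block size
# (248 for /29, 240 for /28, ... 128 for /25).
guest_first() {
    p=$(guest_prefix "$1") || return 1
    echo $(( 256 - (1 << (32 - p)) ))
}

# Dotted netmask of the guest block; its last octet is the same number.
guest_netmask() {
    first=$(guest_first "$1") || return 1
    echo "255.255.255.$first"
}

# DHCP pool size for the normal LAN: .2 up to two addresses below the
# guest block, leaving .1 for the router (245 for the post's /29 case).
lan_limit() {
    first=$(guest_first "$1") || return 1
    echo $(( first - 3 ))
}

# UCI commands reproducing the post's three config entries for a given
# guest count. Review the output, then pipe it into sh and run `uci commit`.
uci_commands() {
    first=$(guest_first "$1") || return 1
    cat <<EOF
uci set wireless.guest=wifi-iface
uci set wireless.guest.device='radio0'
uci set wireless.guest.mode='ap'
uci set wireless.guest.encryption='psk2'
uci set wireless.guest.key='password'
uci set wireless.guest.ssid='Guest'
uci set wireless.guest.network='Guest'
uci set network.Guest=interface
uci set network.Guest.proto='static'
uci set network.Guest.ipaddr='$LAN_BASE.$((first + 1))'
uci set network.Guest.netmask='$(guest_netmask "$1")'
uci set dhcp.lan.start='2'
uci set dhcp.lan.limit='$(lan_limit "$1")'
uci set dhcp.guest=dhcp
uci set dhcp.guest.interface='Guest'
uci set dhcp.guest.leasetime='12h'
uci set dhcp.guest.start='$((first + 2))'
uci set dhcp.guest.limit='$1'
EOF
}

# Isolation rules (this example's own; the post only says "a few iptables
# rules"). Guests may reach the router for DHCP and DNS only, and nothing
# is forwarded between the guest block and the rest of the /24. The DROP
# is inserted first and the ACCEPTs are inserted above it, so the chain
# ends up reading: ACCEPT udp/67, ACCEPT udp/53, ACCEPT tcp/53, DROP.
isolation_rules() {
    first=$(guest_first "$1") || return 1
    net="$LAN_BASE.$first/$(guest_prefix "$1")"
    cat <<EOF
iptables -I INPUT -i $GUEST_IF -j DROP
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I FORWARD -s $net -d $LAN_BASE.0/24 -j DROP
iptables -I FORWARD -s $LAN_BASE.0/24 -d $net -j DROP
EOF
}

# Usage: sh guestnet.sh 5   (prints the UCI commands, then the rules)
if [ "$#" -gt 0 ]; then
    uci_commands "$1" && isolation_rules "$1"
fi
```

The INPUT rules match on the interface rather than the guest subnet because a DHCP DISCOVER arrives with source 0.0.0.0 and would never match a `-s 192.168.1.248/29` rule. The FORWARD rules deliberately use the whole /24 as the other side, so guest-to-guest traffic that does get routed is dropped along with guest-to-LAN traffic.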