Guest network support for Gargoyle 1.6.2


pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Guest network support for Gargoyle 1.6.2

Post by pbix »

It would be the first inclination by any designer to create a separate subnet for the guest users. This allows the ultimate flexibility and security options for segmenting traffic.

The reason this has not been done in the past is that it would be very disruptive to the design of Gargoyle. The single subnet that Gargoyle is managing finds its way into every feature and webpage of the design. Adding a new subnet would create an incredible amount of design rework and add double the amount of configuration options in many cases. Router configuration is already complicated enough for the average home user. Reworking an otherwise stable design is no fun. It would be years before all the bugs were killed.

The approach I suggested in AA based Gargoyle relied on ebtables to provide some isolation of the Guest network while still allowing, within a single network subnet, all the other features of Gargoyle to work. The ebtables approach does have the drawback that "Guests" still have access to router resources like any mounted USB drive. It is also not possible to classify guest traffic differently from other LAN traffic in quota rules and QoS.

Since I first proposed this approach many people have tried it out and commented on it. Now Dr. Crash has proposed a UI integrated into Gargoyle for it. However I have been thinking that for BB a new approach should be introduced that addresses the known shortcomings and that Dr. Crash should work on it instead.

In the new approach traffic is segmented using CIDR notation within the 255 addresses that Gargoyle manages. As part of the configuration the user selects the maximum number of guest connections he wants to support. The only choices are 5, 13, 29, 61 and 125. Then using CIDR we can segment the addresses as follows:

Guests   Normal IPs     Guest IPs   Suffix
5        0-247          248-255     /29
13       0-239          240-255     /28
29       0-223          224-255     /27
61       0-191          192-255     /26
125      0-127          128-255     /25

In this approach all the features of Gargoyle like Quota, QoS, Tables, Charts and Graphs and endless other features will continue to function just as they do now.

Isolation of the LANs would be accomplished by a few iptable rules and the Guest LAN could be isolated from the router resources. Things like QoS already support CIDR notation so it would be easy to identify and treat Guest traffic differently than normal traffic.

Anyone wishing to try this new approach which would work in AA or BB would do the following:

to /etc/config/wireless add a new access point
config wifi-iface
option device 'radio0'
option mode 'ap'
option encryption 'psk2'
option key 'password' (or none)
option ssid 'Guest'
option network 'Guest'

to /etc/config/network add a corresponding entry depending on the max guests allowed (option 5 shown here)
config interface 'Guest'
option _orig_ifname 'wlan0-1'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.1.249'
option netmask '255.255.255.248'

adjust /etc/config/dhcp to match the IP address ranges of each AP. This again depends on the number of allowed guests.
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option start '2'
option limit '245'

config dhcp 'guest'
option leasetime '12h'
option interface 'Guest'
option limit '5'
option start '250'

Well that is enough text for any one post. If someone would like to give it a go I would be interested.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM
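As an added check (not Gargoyle code, and not from the post above), the following script derives pbix's segmentation table from the prefix length and verifies that the DHCP pools built on it stay inside their block and clear of the router, network and broadcast addresses. It assumes the managed /24 is 192.168.1.0/24 and reads `option start` as a host number within that /24, the way the post uses it.

```python
import ipaddress

# Constructed example: the /24 that Gargoyle manages, as in pbix's post.
LAN = ipaddress.ip_network("192.168.1.0/24")


def guest_plan(prefix):
    """Carve the highest /prefix block out of LAN for guests (pbix's table)."""
    if not 25 <= prefix <= 29:
        raise ValueError("the post offers /25 .. /29 only (125 .. 5 guests)")
    guest = list(LAN.subnets(new_prefix=prefix))[-1]
    first = int(guest.network_address) - int(LAN.network_address)
    return {
        "suffix": f"/{prefix}",
        "normal_ips": (0, first - 1),
        "guest_ips": (first, 255),
        # network, broadcast and the router's own address are not for guests
        "max_guests": guest.num_addresses - 3,
        "router_ip": str(guest.network_address + 1),
        "guest_block": str(guest),
    }


def pool(start, limit):
    """DHCP pool as absolute addresses; 'start' is the host number within LAN."""
    base = int(LAN.network_address)
    return [ipaddress.ip_address(base + start + i) for i in range(limit)]


def dhcp_pool_ok(block, router_ip, start, limit):
    """Pool must lie inside `block` and avoid its network, broadcast and router."""
    net = ipaddress.ip_network(block)
    reserved = {net.network_address, net.broadcast_address,
                ipaddress.ip_address(router_ip)}
    return all(a in net and a not in reserved for a in pool(start, limit))


def lan_pool_clear_of_guests(start, limit, prefix):
    """The normal-LAN pool must not reach into the guest block."""
    guest = ipaddress.ip_network(guest_plan(prefix)["guest_block"])
    return not any(a in guest for a in pool(start, limit))


if __name__ == "__main__":
    for p in (29, 28, 27, 26, 25):
        print(guest_plan(p))
    # the "option 5" configuration from the post: router .249, pool .250-.254
    print(dhcp_pool_ok("192.168.1.248/29", "192.168.1.249", 250, 5))
    print(lan_pool_clear_of_guests(2, 245, 29))
```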

Dr. Crash
Posts: 17
Joined: Fri Dec 14, 2012 6:04 pm

Re: Guest network support for Gargoyle 1.6.2

Post by Dr. Crash »

What you are describing is subnetting too.

I don't see the "single subnet that Gargoyle is managing" on every page. I see data with addresses in that subnet, of course... but managing it directly, no. It's on the LAN setup page, and on the DHCP page. That's it.

The burden that a guest network introduces in terms of double configuration will be whatever Eric wants. Do people want to see separate graphs for LAN and Guests? Separate QoS classes? Separate X and Y? Me, I would probably start with a convenience "Guests" QoS class and then let people use all the tools they already have based on IPs (and ranges, if those were added).

If Guests are served by a separate DHCP server (as you do, and as I suggested) then you can, knowing that range, both manage them effectively and also have a convenience "Guests" class in the UI whenever needed.

So really, I think what you are doing with segmentation is subnetting. The question I had at some point was based off someone saying "but Gargoyle can only deal with a single network." Since, say, 192.168.1.1 and 192.168.2.1 are part of the same 192.168.0.0/16 "network" (actually set of networks) and I see that your examples use two different names in "option interface 'name'" then I am not sure I understand whether the limitation is in the network stack, or a perceived one in the UI. But I haven't spent much time in OpenWrt and Gargoyle obviously. Can you explain what the true limitation, if any, is? I would have expected QoS just against the WAN pipe (in terms of measuring and metering) with all clients on the other side of it being able to be counted against it.

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: Guest network support for Gargoyle 1.6.2

Post by pbix »

I don't want to get into the meaning of terms like subnetting or segmenting.

To the one question you had in your post the real limitation in Gargoyle is the time that competent developers want to commit to improving the function of the interface. And that is a very limited quantity indeed.

Having done some such work myself I just caution you that most of the screens are difficult to properly modify. Saying Eric can do it, while true, is not a good answer. Of course users want all functions, all flexibility and everyone has their special circumstance that they want covered. But then again most users want to invest nothing in the project as well. My philosophy is to focus on simplicity and the home user. This is my understanding of the reason Gargoyle exists.

Regarding QoS the issue is not the classes but how one can write rules to cause traffic to flow into classes. If you use my approach this can be done without modification to any QoS pages or scripts. Also all charts and graphs will work without modification. Other approaches can work but will be more work and pain.

I encourage you to modify your plugin to implement my approach. If you do I think you will be happy you did.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

harsini
Posts: 84
Joined: Mon Jul 22, 2013 9:59 am
Location: Iran

Re: Guest network support for Gargoyle 1.6.2

Post by harsini »

As Mr Pbix asked me to share my experience in using a different IP range for the Guest Network than for the main wireless network, I continue this old thread.
I followed Mr Pbix's instructions to somehow differentiate between guest network clients and main wireless network ones. I split the IP range into two ranges: 192.168.3.128/25 for guests and 192.168.3.0/25 for the main wireless network.
I changed four configuration files: wireless, network, dhcp and firewall.
The main changes in these files can be seen below:
/etc/config/wireless:

config wifi-iface 'ap_gn_g'
        option device 'radio0'
        option mode 'ap'
        option network 'Guest'
        option disassoc_low_ack '0'
        option is_guest_network '1'
        option macaddr 'ca:a9:47:ce:f1:fa'
        option ssid 'Guest'
        option isolate '1'
        option encryption 'psk2'
        option key '12345678'
/etc/config/network:

config interface 'Guest'
        option _orig_ifname 'wlan0-1'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.3.129'
        option netmask '255.255.255.128'
config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.128'
        option ip6assign '60'
        option dns '192.168.3.1'
        option ipaddr '192.168.3.1'
/etc/config/dhcp:

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option start '2'
        option limit '125'

config dhcp 'guest'
        option leasetime '12h'
        option interface 'Guest'
        option limit '100'
        option start '130'

/etc/config/firewall:

config zone
        option name 'guest'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'ACCEPT'
        option network 'Guest'
config forwarding
        option dest 'wan'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'GusetDns'
        option src 'guest'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '67-68'
        option name 'GuestDHCP'
        option src 'guest'
Finally, reboot the router.
Further firewall configuration can be seen here:
http://wiki.openwrt.org/doc/recipes/guest-wlan

A problem could occur when using this method to limit guest clients' quota; the solution is here:
http://www.gargoyle-router.com/phpbb/vi ... f=5&t=7469
