Guest ssid
Posted: Wed May 09, 2012 12:28 am
by tals
This came up in the general discussion forum. Would it be possible to implement into Gargoyle the ability to have guest users on your network but without being part of your network, so they wouldn't be able to see your devices?
Mix kindly provided this link:
http://wiki.openwrt.org/doc/recipes/guest-wlan
which shows how it is done, but it would need the GUI side in Gargoyle.
Tals
Re: Guest ssid
Posted: Wed May 09, 2012 11:34 am
by mix
Guest SSID, or multiple SSIDs in general. Basically, something similar to the way dd-wrt does it would be great.
Re: Guest ssid
Posted: Mon Jun 04, 2012 10:20 am
by ylsf
Yeah, this would be a great feature to have.
Re: Guest ssid
Posted: Sun Jun 17, 2012 2:08 pm
by pbix
For the time being many people can achieve this using the following steps.
From the command line of your router
Code:
uci set wireless.ap_g2=wifi-iface
uci set wireless.ap_g2.device=radio0
uci set wireless.ap_g2.mode=ap
uci set wireless.ap_g2.network=lan
uci set wireless.ap_g2.ssid='<Your Desired SSID>'
uci set wireless.ap_g2.isolate=1
uci set wireless.ap_g2.encryption=psk2   # or 'none'
uci set wireless.ap_g2.key='<password if any>'
uci commit
In the file /usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh locate the initialize_firewall() routine and add one line.
Code:
initialize_firewall()
{
    iptables -I zone_lan_forward -i br-lan -o br-lan -j ACCEPT
    insert_remote_accept_rules
    insert_dmz_rule
    create_l7marker_chain
    block_static_ip_mismatches
    force_router_dns
    add_adsl_modem_routes
    #Add the below lines to isolate the guest wifi from your LAN.
    ebtables -I FORWARD -i wlan0-1 -o wlan0 -j DROP
    ebtables -I FORWARD -i wlan0-1 -o eth0 -j DROP
}
After saving your modified file reboot your router and enjoy.
Sorry but this will not work with the b43 Wifi driver which most if not all Broadcom based routers are using. DD-WRT is still using the old proprietary driver so that is why they can do it on your old WRT54G. Just another reason to ditch your 54G IMHO.
Adventurous people are encouraged to try the above. Based on the experience reported it may find its way in the GUI at some point.
I will be watching.
Re: Guest ssid
Posted: Thu Aug 09, 2012 11:53 am
by Kurze
I would love to see the ability to manage a guest network added to the Gargoyle GUI as well. I was feeling adventurous so I followed the steps provided by pbix above with my DIR-825 B1.
While it successfully created a guest wireless network, the ebtables line failed to achieve any isolation of the networks. From the guest network I still had full access to shared folders and printers on the primary network.
So I started over and followed the guide at http://wiki.openwrt.org/doc/recipes/guest-wlan and the networks seem to function as expected.
Because I wanted the guest network to be filtered by OpenDNS without affecting my primary network I added the following lines to /etc/firewall.user:
Code:
iptables -t nat -I zone_guest_prerouting -p tcp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I zone_guest_prerouting -p udp --dport 53 -j DNAT --to 208.67.222.222
The only major problem that I have found is that bandwidth usage and distribution data is not recorded for clients on the guest network (but the realtime graphs properly show activity). If anybody knows what I need to edit to enable this that would be greatly appreciated.
EDIT: I am no expert but I can generally follow a simple script. I found /etc/init.d/bwmon_gargoyle and made some changes that have successfully enabled bandwidth monitoring of the guest network. Basically I just found any lines that made reference to the lan interface, copied them, and changed "lan" to "guest". I have attached my modified file if anybody more knowledgeable would like to review it for errors or use it in their own setup.
Re: Guest ssid
Posted: Tue Aug 14, 2012 9:44 am
by pbix
I tested the ebtables line I recommended and found it to work well. But that was on my Buffalo router.
Perhaps your wlan driver interface is different than "wlan0-1". Please post the output of ifconfig from your router.
Anyway following my script would prevent you from having to do any other modifications to Gargoyle and everything will work.
Re: Guest ssid
Posted: Sat Aug 18, 2012 3:54 pm
by SergeS
mix wrote: Guest SSID, or multiple SSIDs in general. Basically, something similar to the way dd-wrt does it would be great.
Hello everybody.
Thanks, Eric, for such good work!
Is this feature planned to be included in Gargoyle? I think a lot of people dream about it.

Re: Guest ssid
Posted: Mon Aug 20, 2012 2:15 pm
by Slacker
Using the instructions by pbix, save for the last line being
uci commit
All green on my screen. 1.4.7 on a WR1043ND 1.7
I also added:
ebtables -I FORWARD -i wlan0-1 -o wlan0 -j DROP
to isolate the guest wifi from my devices. Tested via ping, but feel free to correct me if there's a better way.
Re: Guest ssid
Posted: Mon Aug 20, 2012 10:45 pm
by Kurze
Sorry for the delayed response pbix, I was at the beach!
Here is my output from ifconfig:
Code:
br-lan Link encap:Ethernet HWaddr 84:D8:C1:5D:23:30
inet addr:192.168.192.168 Bcast:192.168.192.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26575167 errors:0 dropped:0 overruns:0 frame:0
TX packets:49512532 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1436207960 (1.3 GiB) TX bytes:251204807 (239.5 MiB)
eth0 Link encap:Ethernet HWaddr 84:D8:C1:5D:23:30
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26587376 errors:0 dropped:0 overruns:125182 frame:0
TX packets:49521574 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1826224943 (1.7 GiB) TX bytes:251934447 (240.2 MiB)
Interrupt:4
eth1 Link encap:Ethernet HWaddr 84:D8:C1:5D:23:31
inet addr:137.41.188.235 Bcast:137.41.191.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:65511550 errors:0 dropped:0 overruns:0 frame:0
TX packets:29376220 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2798314355 (2.6 GiB) TX bytes:1955454394 (1.8 GiB)
Interrupt:5
imq0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP RUNNING NOARP MTU:1500 Metric:1
RX packets:54186727 errors:0 dropped:0 overruns:0 frame:0
TX packets:54142140 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:11000
RX bytes:1357154049 (1.2 GiB) TX bytes:1292894146 (1.2 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2237 errors:0 dropped:0 overruns:0 frame:0
TX packets:2237 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:163974 (160.1 KiB) TX bytes:163974 (160.1 KiB)
mon.wlan0 Link encap:UNSPEC HWaddr 84-D8-C1-5D-23-2E-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6154086 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:1621864581 (1.5 GiB) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 84:D8:C1:5D:23:2E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13341 errors:0 dropped:0 overruns:0 frame:0
TX packets:381089 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:1933326 (1.8 MiB) TX bytes:153128533 (146.0 MiB)
wlan0-1 Link encap:Ethernet HWaddr 86:D8:C1:5D:23:2F
inet addr:10.10.10.10 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3092441 errors:0 dropped:0 overruns:0 frame:0
TX packets:4955866 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:355638060 (339.1 MiB) TX bytes:2019833581 (1.8 GiB)
Perhaps changing br-lan to wlan0 in the ebtables line like Slacker did would have done the trick for me?
Unfortunately with work and classes both starting back up today I don't have the time to start over and test right now since it is working the way I have it. Also I think I prefer the way I did it anyhow, mostly just because by assigning a separate DHCP pool to the guest network it allows me to tell at a glance what SSID clients are connected to.
Anyhow, I really would love to see this functionality built into the UI. It may take a week or two to get settled back into classes, but I'll gladly try to find the time to test further if I can help.
Re: Guest ssid
Posted: Tue Aug 21, 2012 7:36 am
by Slacker
Kurze wrote: Sorry for the delayed response pbix, I was at the beach!
Perhaps changing br-lan to wlan0 in the ebtables line like Slacker did would have done the trick for me?
The
Code:
ebtables -I FORWARD -i wlan0-1 -o wlan0 -j DROP
was in addition to
Code:
ebtables -I FORWARD -i wlan0-1 -o br-lan -j DROP
I have no LAN-attached devices, but I presume the ebtables entry with br-lan worked to isolate them from the guest network, while the entry I added with wlan0 isolated the guest clients from my own wireless clients.
Enjoy the beach!
Note to anyone playing with this: It kinda confuses the GUI, so if you want to make changes to your SSID settings (encryption/etc), you need to edit /etc/config/wireless
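
Added example, not part of any post in this thread and not Gargoyle code: the posts above hard-code wlan0, eth0 and br-lan in the ebtables rules, so this sketch derives the rules from the bridge's real port list and refuses when the guest interface is not a bridge port. The function names `bridge_members` and `guest_isolation_rules` and the `SYSFS_NET` override are hypothetical; the interface names in the sample call are constructed from the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build the guest-isolation ebtables rules
# from the bridge's actual port list instead of hard-coding wlan0/eth0.

# Print the ports attached to a bridge, one per line, by reading sysfs.
# SYSFS_NET is a hypothetical override so the function can be tested off-router.
bridge_members() {
    brif_dir="${SYSFS_NET:-/sys/class/net}/$1/brif"
    if [ ! -d "$brif_dir" ]; then
        echo "$1 is not a bridge" >&2
        return 1
    fi
    ls "$brif_dir"
}

# Usage: guest_isolation_rules <guest-port> <bridge-port>...
# Prints one DROP rule from the guest port to every other bridge port.
guest_isolation_rules() {
    guest="$1"
    shift
    is_member=0
    for port in "$@"; do
        if [ "$port" = "$guest" ]; then is_member=1; fi
    done
    # ebtables FORWARD only sees frames bridged between ports of one bridge.
    # If the guest interface is not a port, the rules would load without error
    # and never match, so refuse.
    if [ "$is_member" -ne 1 ]; then
        echo "$guest is not a bridge port; FORWARD rules would never match" >&2
        return 1
    fi
    for port in "$@"; do
        if [ "$port" != "$guest" ]; then
            echo "ebtables -I FORWARD -i $guest -o $port -j DROP"
        fi
    done
}

# Constructed port list matching the interface names used in the thread.
guest_isolation_rules wlan0-1 eth0 wlan0 wlan0-1
# On a router: guest_isolation_rules wlan0-1 $(bridge_members br-lan)
```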