Guest Network Setup

[jthg]

My goal was to create an open guest network that was at maximum 1% of my bandwidth when fully utilized. I tried following the instructions on this site and OpenWRT. I ended up trying to create a new guest SSID on it's own network with it's own DHCP network so that QoS was easier to configure by matching on IP address ranges. Now, it seems that my wired connections are using my guest IP ranges... and thus using my guest QoS. What am I doing wrong?

Here are my additions:

/etc/wireless.je

Code: Select all

config wifi-iface 'ap_g2'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'beer24-guest'
	option isolate '1'
	option encryption 'none'

/etc/config/network

Code: Select all

# guest network
config interface 'guest'
        option ifname 'eth0.1'
        option type 'bridge' 
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.0.0.0'
        option dns '8.8.8.8 8.8.4.4'

/etc/config/dhcp

Code: Select all

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

/etc/config/firewall

Code: Select all

config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config 'forwarding'       
        option 'src' 'guest'
        option 'dest' 'wan'

# Allow DNS Guest -> Router           
# Client DNS queries ordinate from dynamic UDP ports (>1023)
config 'rule'                                               
        option 'src' 'guest'                                
        option 'dest_port' '53'                             
        option 'proto' 'tcpudp'                             
        option 'target' 'ACCEPT'                            
                                                            
# Allow DHCP Guest -> Router                                
# DHCP communication uses UDP ports 67-68                   
        config 'rule'                                       
        option 'src' 'guest'                                
        option 'src_port' '67-68'                           
        option 'dest_port' '67-68'                          
        option 'proto' 'udp'                                
        option 'target' 'ACCEPT'                            
                                                            
# Another explicit deny at the end.                         
config 'rule'                                               
        option 'src' 'guest'                                
        option 'dest' 'lan'                                 
        option 'proto' 'all'                                
        option 'target' 'REJECT' 

And, finally in Gargoyle's QoS, I created a new Service Class called guest and then added rule to the top of the list that matched "Source: 10.0.0.0/8." for upload and "Destination: 10.0.0.0/8" for downloads.

Am I doing this right? Is there a better way? Why is my wired connections getting my 10.0.0 DHCP addresses?

[pbix]

QoS will not work if you create a separate LAN for your Guest SSID.

This is why you should follow the instructions on the Gargoyle forum that you referenced and not instructions from the OpenWRT site.

Also to do what you stated you wanted you will need to assign static IPs to all your devices and make classes and rules for them. Then use the default class to route all your Guests into.

[jthg]

First, pbix, thanks for the wonderful QoS article - that really helped me to understand how QoS is done in Gargoyle!

I think QoS is working for me - I am getting traffic in all of my classes.

If I reconfigured back to your previous post and assigned static ip addresses... I have a couple of questions:

• * If I had the DHCP < 127, and statically assigned > 128, I could match with the CIDR of 192.168.0.1/25, right?
  * What keeps a rogue client from statically assigning itself to one of these privileged IP addresses?

[pbix]

* If I had the DHCP < 127, and statically assigned > 128, I could match with the CIDR of 192.168.0.1/25, right?

Yes

* What keeps a rogue client from statically assigning itself to one of these privileged IP addresses?

There is no protection against this contemplated in the post I wrote. However, if you wanted to contribute you could experiment on your own. Read about ebtables and the ip-source match option. Looks like the command

Code: Select all

ebtables -i wlan0-1 -p IPv4 --ip-src ! 192.168.0.1/25 -j DROP

added after the other ebtable lines should cause ebtables to drop all traffic from IP addresses over 127 which come in on the guest interface. But I have not tested this so you will have to read and experiment on your own.
If you have success please post on that guest SSID thread so other can benefit.

[jthg]

A couple of items: Gargoyle refuses to persist configuration across reboots and I think it is working?

DDD
I am trying to do test out that configuration... I think it will work. However, whenever I make changes, they get reset on reboot. I don't think the changes are being saved out to the system. This happens for the uci commands and also on the QoS pages.

Code: Select all

-rw-r--r--    1 root     root          2924 Feb  2 16:04 qos_gargoyle

Obviously, the update timestamp should be today. When I log in and log out, it appears that the configuration sticks, but on reboot, it reverts.

So, I have updated the files manually.

DDD
I made the routing changes by running the command:

Code: Select all

ebtables -I FORWARD -i wlan0-1 -p IPv4 --ip-source ! 192.168.1.128/25 -j DROP
ebtables -I INPUT -i wlan0-1 -p IPv4 --ip-source ! 192.168.1.128/25 -j DROP

THIS seems to be working. I will test more in the future. A couple of questions. What is the difference between FORWARD and INPUT? It seems that FORWARD didn't do anything, but the INPUT command did. Does INPUT do the routing stuff to WAN and FORWARD allow for access to the router? If so, I reckon I don't need the forward command, right?

Thanks again for all of your help!

Some links that I found useful (for future readers):
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
http://www.subnet-calculator.com/cidr.php

[jthg]

OOPS! The above commands do NOT work.

Code: Select all

ebtables -I INPUT -i wlan0-1 -p IPv4 --ip-source ! 192.168.1.128/25 -j DROP

The line does what I want once clients are already connected, but it doesn't allow new clients to connect. I think I have to explicitly allow for the initial wireless handshake and DHCP flows. That will take some time... I will have to look into that.

And, then after that, I have to write some rules that only allows the clients to use the router for DNS and... any other protocols necessary?

[pbix]

Your use of INPUT chain is causing your problems with DHCP. How did you test that FORWARD is not working? Did you try and access the internet or just the router?

I believe DHCP discovery originates from IP address 0.0.0.0. So if you persist with using INPUT you will need to add a line like

Code: Select all

ebtables -I INPUT -i wlan0-1 -p IPv4 --ip-source 0.0.0.0 -j ACCEPT

in front of your DROP line. You should have no issues with other things like DNS. Are you?

The link you provided on ebtables was interesting. At the end it discusses using iptables and the "physdev" match module. That would be another way to go rather than using ebtables and might not interfere with DHCP. You should try both and compare.

Not sure why you are trying to modify qos_gargoyle. This is not the file recommended in the thread on Guest SSID.

[jthg]

I think I have it working now.

I edited /usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh :

Code: Select all

	# Isolate the guest wifi from your LAN.
	ebtables -I FORWARD -i wlan0-1 -o wlan0 -j DROP 
	ebtables -I FORWARD -i wlan0-1 -o eth0 -j DROP
	
	# Accept DNS and DHCP to Gargoyle on guest wifi; drop everything else
	ebtables -A INPUT -p IPv4 -i wlan0-1 --ip-proto tcp --ip-dport 53 -j ACCEPT
	ebtables -A INPUT -p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT 
	ebtables -A INPUT -p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67:68 -j ACCEPT 
	ebtables -A INPUT -p IPv4 -i wlan0-1 --ip-dst 192.168.1.1 -j DROP 

	# Require IPs > .128 for guest wifi for QoS purposes
	ebtables -A INPUT -p IPv4 -i wlan0-1 --ip-src ! 192.168.1.128/25 -j DROP

And, it seems to be working:
* guest are isolated from router and other networks
* guests are required to have > .128 IP addresses
* QoS is able to select guests very well.

A couple more questions:
- Do I need to explicitly deny all guest traffic to 192.*?
- Do I need to explicitly deny all LAN traffic TO the guest network?
- Are there other network services that I should open for Gargoyle for the guests?

I will be on holiday for the next week or so, do not expect a reply in that time frame.

Of course, after a bit more testing, I will add this comment to the other thread. Thanks for all of the help!

[jthg]

Your use of INPUT chain is causing your problems with DHCP. How did you test that FORWARD is not working? Did you try and access the internet or just the router?

It didn't appear that FORWARD had any effect. I think that router access and internet access (through NAT) is all through the INPUT chain.

I believe DHCP discovery originates from IP address 0.0.0.0. So if you persist with using INPUT you will need to add a line like

Code: Select all

ebtables -I INPUT -i wlan0-1 -p IPv4 --ip-source 0.0.0.0 -j ACCEPT

in front of your DROP line. You should have no issues with other things like DNS. Are you?

Hmm... that may work as well. I ended up just opening up UDP 67-68.

Not sure why you are trying to modify qos_gargoyle. This is not the file recommended in the thread on Guest SSID.

So... that is in reference to the issue with the Gargoyle web interface not saving my QoS modifications upon reboots. Also, when I ran the uci commands, /etc/config/wireless was not modified. Maybe Gargoyle is getting confused with the multiple wireless LANs?

[jthg]

I will be on holiday for the next week or so, do not expect a reply in that time frame.

Of course, after a bit more testing, I will add this comment to the other thread. Thanks for all of the help!

It seems to be working! I think I will continue to test before updating that other thread. To confirm my understanding of the network configuration...

A couple more questions:
- Do I need to explicitly deny all guest traffic to 192.*?
- Do I need to explicitly deny all LAN traffic TO the guest network?
- Are there other network services that I should open for Gargoyle for the guests?

Most importantly... does my setup look correct?

Thanks!