Re: Guest ssid
Posted: Sun Jan 06, 2013 4:05 am
by tals
Gargoyle is supported by a few very dedicated individuals that drive the program forward with no financial gain. If you hop into the documentation link you will see a document on info for developers if you want to see how you can assist if you have the skills.
Adding new features is down to the team and their own time though they obviously want to add features that they believe improve the product and are wanted by the community. So adding your support in here they will have noted.
Hopefully that clarifies it.

Re: Guest ssid
Posted: Wed Jan 09, 2013 8:44 pm
by euklid81
Hi,
I have used the commands given to successfully create 2 SSIDs with different passwords. Everything is working well, except that now I cannot view any bandwidth usage statistics by host name or IP like I was able to do before. Anyone know what I can do?

Re: Guest ssid
Posted: Thu Jan 10, 2013 5:33 am
by Slacker
euklid81 wrote:
Hi,
I have used the commands given to successfully create 2 SSIDs with different passwords. Everything is working well, except that now I cannot view any bandwidth usage statistics by host name or IP like I was able to do before. Anyone know what I can do?
That's peculiar, because I'd been using this guest SSID trick for a few releases now (I'm currently on 1.5.9) and b/w monitoring has never had problems.
If you're on 1.5.9 and use IE, try Firefox. I use IE and noticed that b/w monitoring + pop-up boxes do not work in IE with Enhanced Protected Mode enabled, which is how I use it. I keep FF handy for my prick-ass banking site and now Gargoyle.

Re: Guest ssid
Posted: Sun May 12, 2013 2:12 pm
by drawz
Would love to see this added in the GUI.
Multi-SSID is becoming an extremely important feature advertised by manufacturers and actually desired by consumers. The lack of this feature (in the GUI) will stop a lot of people from trying Gargoyle.

Re: Guest ssid
Posted: Thu May 23, 2013 11:28 pm
by pbix
People using this technique to establish a Guest SSID will find things go smoother with v1.5.10. I made some modifications there to prevent problems with the bandwidth monitor screens and the status screen when you do this.
Not exactly a complete solution but a more elegant kludge until we have formal support for this in the GUI.

Re: Guest ssid
Posted: Sat Jun 01, 2013 6:14 am
by kurjak
I can't manage to make it work.
ifconfig:
Code:
br-lan    Link encap:Ethernet HWaddr A0:F3:C1:D4:07:CA
          inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:9714 errors:0 dropped:313 overruns:0 frame:0
          TX packets:12144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1201929 (1.1 MiB) TX bytes:6075827 (5.7 MiB)

eth0      Link encap:Ethernet HWaddr A0:F3:C1:D4:07:CA
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:56998 errors:0 dropped:31 overruns:60987 frame:0
          TX packets:21792 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16452563 (15.6 MiB) TX bytes:7333814 (6.9 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet HWaddr A0:F3:C1:D4:07:CA
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:9478 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12051 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1169092 (1.1 MiB) TX bytes:6026699 (5.7 MiB)

eth0.2    Link encap:Ethernet HWaddr A0:F3:C1:D4:07:CA
          inet addr:192.168.1.55 Bcast:192.168.1.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:47390 errors:0 dropped:2311 overruns:0 frame:0
          TX packets:9740 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14236381 (13.5 MiB) TX bytes:1218908 (1.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:352 errors:0 dropped:0 overruns:0 frame:0
          TX packets:352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26338 (25.7 KiB) TX bytes:26338 (25.7 KiB)

wlan0     Link encap:Ethernet HWaddr A0:F3:C1:D4:07:CA
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:169 errors:0 dropped:0 overruns:0 frame:0
          TX packets:959 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:27017 (26.3 KiB) TX bytes:179856 (175.6 KiB)

wlan0-1   Link encap:Ethernet HWaddr A2:F3:C1:D4:07:CB
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:870 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:13084 (12.7 KiB) TX bytes:141370 (138.0 KiB)

ebtables --list
Code:
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wlan0-1 -o eth0 -j DROP
-i wlan0-1 -o wlan0 -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
I tried ebtables with br-lan, lan and eth0, with no success.

Re: Guest ssid
Posted: Sat Sep 21, 2013 7:42 am
by yeti_z
Hi,
Since I did not have a chance to do it before, first of all I'd like to thank pbix and other contributors as well as all OpenWrt developers for the work everyone is doing. I love Gargoyle and it makes me happy to see it continuously develop.
Regarding the guest SSID, I've tested the code from one of pbix's first posts in this thread and I can report that:
1. New wifi network with separate SSID and password successfully showed up. Now I have two networks, which makes it easier to share the password with guests and change it without a need to update the password for all my devices.
2. Two devices connected to the same guest network couldn't see each other's open ports.
3. A device connected to the guest network was unfortunately able to see open ports on a device connected to either LAN (with cable) or to the main wifi network.
Even though for now I am happy with what I have, I'd love to see guest network feature in GUI and with the complete isolation.
If I could perhaps help by sharing my config, here it goes.
My config:
version: 1.5.10.11 (r37768), by obsy
Model: NETGEAR WNDR3700
OpenVPN enabled.
Code:
root@Dolphin:~# ifconfig
br-lan    Link encap:Ethernet HWaddr C2:3F:0E:7D:1F:85
          inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:53972 errors:0 dropped:1983 overruns:0 frame:0
          TX packets:66058 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14467615 (13.7 MiB) TX bytes:63714215 (60.7 MiB)

eth0      Link encap:Ethernet HWaddr C2:3F:0E:7D:1F:85
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:22545 errors:0 dropped:34 overruns:22 frame:0
          TX packets:22990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4816057 (4.5 MiB) TX bytes:10880310 (10.3 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet HWaddr C2:3F:0E:7D:1F:85
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:22094 errors:0 dropped:2 overruns:0 frame:0
          TX packets:22943 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4380152 (4.1 MiB) TX bytes:10782842 (10.2 MiB)

eth1      Link encap:Ethernet HWaddr C0:3F:0E:7D:1F:86
          inet addr:192.168.178.10 Bcast:192.168.178.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:62549 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62453815 (59.5 MiB) TX bytes:13661915 (13.0 MiB)
          Interrupt:5

imq0      Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP MTU:1500 Metric:1
          RX packets:59435 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59435 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:11000
          RX bytes:60118638 (57.3 MiB) TX bytes:60118638 (57.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:196 errors:0 dropped:0 overruns:0 frame:0
          TX packets:196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:18873 (18.4 KiB) TX bytes:18873 (18.4 KiB)

tun0      Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4276 (4.1 KiB) TX bytes:4417 (4.3 KiB)

wlan0     Link encap:Ethernet HWaddr C0:3F:0E:7D:1F:85
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5640 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:1290519 (1.2 MiB)

wlan0-1   Link encap:Ethernet HWaddr C2:3F:0E:7D:1F:85
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:29833 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49547 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10284956 (9.8 MiB) TX bytes:54026023 (51.5 MiB)

wlan1     Link encap:Ethernet HWaddr C0:3F:0E:7D:1F:87
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:4662 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11158 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1186178 (1.1 MiB) TX bytes:3936637 (3.7 MiB)

root@Dolphin:~# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.hwmode=11ng
wireless.radio0.macaddr=c0:3f:0e*******
wireless.radio0.htmode=HT20
wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio0.noscan=1
wireless.radio1=wifi-device
wireless.radio1.type=mac80211
wireless.radio1.hwmode=11na
wireless.radio1.macaddr=c0:3f:0e:*******
wireless.radio1.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio1.noscan=1
wireless.radio1.htmode=HT40+
wireless.radio1.channel=52
wireless.ap_g=wifi-iface
wireless.ap_g.device=radio0
wireless.ap_g.mode=ap
wireless.ap_g.network=lan
wireless.ap_g.ssid=Dolphin24
wireless.ap_g.encryption=psk2
wireless.ap_g.key=********
wireless.ap_a=wifi-iface
wireless.ap_a.device=radio1
wireless.ap_a.mode=ap
wireless.ap_a.network=lan
wireless.ap_a.ssid=Dolphin50
wireless.ap_a.encryption=psk2
wireless.ap_a.key=***********
wireless.ap_g2=wifi-iface
wireless.ap_g2.device=radio0
wireless.ap_g2.mode=ap
wireless.ap_g2.network=lan
wireless.ap_g2.isolate=1
wireless.ap_g2.ssid=Dolphin24-guest
wireless.ap_g2.key=**********
wireless.ap_g2.encryption=psk2

Re: Guest ssid
Posted: Sat Oct 19, 2013 1:12 am
by shayanjameel08
I recommended and found it to work well. But that was on my Buffalo router.

Re: Guest ssid
Posted: Sun Oct 20, 2013 7:21 pm
by pbix
Folks having trouble with isolation should pay attention to the devices used in the ebtables commands. The ones given were from my own testing on the router I had at the time (not even sure what it was). Your devices may be different if it's not working for you.
Use ifconfig before making any changes to determine what devices are your main LAN wired ethernet and Wifi devices. On my router these were eth0 and wlan0 respectively. Since I do not have all the routers in the world I cannot tell you for sure what yours are.
Next make the suggested UCI changes and do another "ifconfig" to find out what the new Wifi device will be. On my router this was wlan0-1.
Modify the ebtables command parameters appropriately. I will tell you that "br-lan" is never the correct answer for any of these. Also if the device has an IP address it's not the one either. If you get it working with another router then post your results to help others.
If anyone can post a bulletproof way to figure out what these are it would help out.

Re: Guest ssid
Posted: Tue Oct 22, 2013 5:31 pm
by yeti_z
Hi,
PBIX, your explanation was very handy to me. Thanks.
I managed to configure isolation of guest network on my router: WNDR3700 (v1) from: 2.4GHz WLAN, 5GHz WLAN and LAN by using these ebtables entries:
Code:
#Add the below lines to isolate the guest wifi from your LAN.
ebtables -I FORWARD -i wlan0-1 -o wlan0 -j DROP
ebtables -I FORWARD -i wlan0-1 -o wlan1 -j DROP
ebtables -I FORWARD -i wlan0-1 -o eth0.1 -j DROP
Like in previous posts, it needs to be configured in this file:
Code:
/usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh
There are however two things I noticed which could be worth mentioning:
1. Every time the firewall is restarted, this file:
Code:
/usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh
is executed again and then the above 3 rules are added to ebtables again while the old ones are still there. It means that ebtables keeps on growing with duplicated entries.
It's not that bad, the solution still works and 'resets' back to 3 rules after a router restarts. It's just not too clean.
2. If you have OpenVPN configured, then the clients in the isolated network can still see other clients connected through VPN.
I tried using firewall to configure additional zone for isolated wlan and denying access to vpn zone, but I had no luck with that approach. Maybe someone else has a better idea how to do it?
I tried to use this code to block forwarding from guest wlan to VPN (but this approach did not work):
Code:
config zone
    option name 'wlan_guest_zone'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option device 'wlan0-1'

config rule
    option name 'Deny-Wlan-VPN-Input'
    option src 'wlan_guest_zone'
    option dst 'vpn'
    option target 'DROP'
Source:
http://wiki.openwrt.org/doc/uci/firewall
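
Added example (not written by any poster in this thread and not Gargoyle code), covering two points raised above: pbix's request for a reliable way to identify the interfaces, and yeti_z's observation that the rules pile up on every firewall restart. It reads the bridge's ports from sysfs instead of guessing from ifconfig, and inserts each DROP rule only if it is not already listed. Assumptions: the guest and LAN interfaces all sit on one bridge (br-lan here), and ebtables -L FORWARD prints rules in the form shown in kurjak's listing.

```shell
#!/bin/sh
# Added example, not Gargoyle code. SYSFS is overridable only so the logic
# can be exercised off-router; on a router the default is used.
SYSFS="${SYSFS:-/sys/class/net}"

# Print every port attached to bridge $1 except the guest interface $2.
bridge_ports() {
    for p in "$SYSFS/$1/brif"/*; do
        [ -e "$p" ] || continue          # bridge missing or has no ports
        name="${p##*/}"
        [ "$name" = "$2" ] || echo "$name"
    done
}

# Print "present" if FORWARD already lists the DROP rule guest $1 -> port $2.
# Assumes the listing format shown earlier in the thread; trailing blanks
# are stripped before the exact-line comparison.
rule_state() {
    if ebtables -L FORWARD | sed 's/[[:space:]]*$//' |
        grep -qxF -e "-i $1 -o $2 -j DROP"; then
        echo present
    else
        echo absent
    fi
}

# Insert one DROP rule per LAN-side port, skipping rules already in place,
# and print how many rules were added on this run.
isolate_guest() {
    bridge="$1"; guest="$2"; added=0
    for port in $(bridge_ports "$bridge" "$guest"); do
        if [ "$(rule_state "$guest" "$port")" = absent ]; then
            ebtables -I FORWARD -i "$guest" -o "$port" -j DROP
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Usage on the router (names from yeti_z's post): isolate_guest br-lan wlan0-1
```

This only covers bridged traffic; the routed OpenVPN case from point 2 is not addressed by it.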