We have a LAN in our office which is wired only, and contains very sensitive information (healthcare data).
We would like to provide free WiFi to our guests, and do not wish to get a whole separate internet connection for it. I have tried to set up a Gargoyle router (WRT54G-TM) to provide restricted access (mainly restricting each user's quota) to the internet. It is configured like this:
WAN Port IP: 192.168.0.4 (Static)
LAN IP: 192.168.1.1
DHCP Server
When WiFi clients connect, they are assigned a 192.168.1.* address, and can access the internet just fine.
However, they are also able to access machines in the 192.168.0.* subnet. This is obviously not OK. Is there a way to prevent communication between the two subnets? I.e., can Gargoyle be configured to allow WiFi clients to access the internet, but no other machines on the network connected to its WAN port?
I'm thinking that my network topology may not be ideal.
Security restrictions
Re: Security restrictions
By changing your network topology we can quickly arrive at a solution that works well.
The topology I recommend is as follows:
ISP -> Gargoyle Router (192.168.1.1) -> Office Router (192.168.0.1)
The gargoyle router WAN port is connected to your modem and the office router (192.168.0.1) is connected to one of the hardwired LAN ports of your Gargoyle router.
Configure the WAN port of the office router with static IP address 192.168.1.2
Configure the QoS on Gargoyle with a default low priority class and then a high priority class for the office router. Add a rule to direct all traffic from the 192.168.1.2 address to the high priority class.
Configure the Wifi on the Gargoyle router as you like.
Enjoy.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM
- DoesItMatter
- Moderator
- Posts: 1373
- Joined: Thu May 21, 2009 3:56 pm
Re: Security restrictions
Couldn't you just do the Wireless Client Isolation = Enabled?
Wouldn't that allow clients to connect wireless, but not be able
to access any other devices on the network?


2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400
Re: Security restrictions
I expect the isolation pick to prevent wireless clients from accessing each other. It may also prevent wireless clients from accessing other drops on the same network (never tested this myself).
However, in this case the user is asking to isolate clients on a subnet from clients on the WAN side of the router. I do not think this can be done with Gargoyle, but maybe someone has a better imagination than I.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM
- DoesItMatter
- Moderator
- Posts: 1373
- Joined: Thu May 21, 2009 3:56 pm
Re: Security restrictions
https://forum.openwrt.org/viewtopic.php?id=15051
There are some hints on how to do it.
You'll have to do some manual iptables rules.
I would recommend changing the DHCP subnet for the wireless range
so that the firewall rules are easier to understand.
Put it as something completely different, like 10.1.1.xxx,
for your DHCP range for the wireless.
Then you could use the rules below:
iptables -A forwarding_rule -s 10.1.0.0/16 -d 192.168.0.0/16 -j DROP
iptables -A input_rule -s 10.1.0.0/16 -j DROP
If you want to keep the subnets you have, you may have to just use
some rules like this:
iptables -A forwarding_rule -s 192.168.1.0/24 -d 192.168.0.0/24 -j DROP
iptables -A input_rule -s 192.168.1.0/24 -j DROP
I think that would work as well.


2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400
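To check what such rules actually let guest clients through, here is an added example (not from the thread, and not Gargoyle's own code) that models first-match evaluation of the forwarding_rule and input_rule chains. It assumes the 10.1.1.x guest range the post suggests and a Gargoyle LAN address of 10.1.1.1, and it adds ACCEPT rules for DNS and DHCP ahead of the blanket input drop, since a bare "-s guest -j DROP" in input_rule would also block the guests' name resolution and lease renewals.

```python
# Added example (not from the thread): first-match simulation of the iptables
# chains the post describes, to check what guest clients can and cannot reach.
import ipaddress

GUEST_NET = ipaddress.ip_network("10.1.1.0/24")      # guest WiFi range, as the post recommends
OFFICE_NET = ipaddress.ip_network("192.168.0.0/24")  # wired office LAN from the question
ROUTER_IP = "10.1.1.1"                                # assumed Gargoyle LAN address on the guest net

class Rule:
    """One iptables rule; None in a field means 'match anything'."""
    def __init__(self, src, dst, proto, dport, target):
        self.src, self.dst, self.proto, self.dport, self.target = src, dst, proto, dport, target

    def matches(self, src, dst, proto, dport):
        return ((self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))

def evaluate(chain, src, dst, proto="tcp", dport=80):
    """First matching rule wins; 'RETURN' means the packet falls through to Gargoyle's own rules."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in chain:
        if rule.matches(src, dst, proto, dport):
            return rule.target
    return "RETURN"

# forwarding_rule: guests may not reach the office subnet; everything else falls through.
FORWARDING_RULE = [Rule(GUEST_NET, OFFICE_NET, None, None, "DROP")]

# input_rule: traffic addressed to the router itself. DNS and DHCP are accepted *before*
# the blanket drop (assumed additions), otherwise guests lose resolution and lease renewals.
INPUT_RULE = [
    Rule(GUEST_NET, None, "udp", 53, "ACCEPT"),   # DNS
    Rule(GUEST_NET, None, "tcp", 53, "ACCEPT"),
    Rule(GUEST_NET, None, "udp", 67, "ACCEPT"),   # DHCP renewals (unicast to the server)
    Rule(GUEST_NET, None, None, None, "DROP"),    # everything else to the router
]

def guest_outcomes(input_chain=INPUT_RULE):
    """Verdicts for a constructed guest client 10.1.1.20 and sample destinations."""
    guest = "10.1.1.20"
    return {
        "guest_to_office": evaluate(FORWARDING_RULE, guest, "192.168.0.10"),
        "guest_to_internet": evaluate(FORWARDING_RULE, guest, "198.51.100.7"),
        "guest_dns_to_router": evaluate(input_chain, guest, ROUTER_IP, "udp", 53),
        "guest_admin_to_router": evaluate(input_chain, guest, ROUTER_IP, "tcp", 80),
    }
```

Passing `list(reversed(INPUT_RULE))` to `guest_outcomes` shows the ordering caveat: with the DROP first, the guests' DNS queries to the router are dropped too.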