Gargoyle Forum

A forum to discuss the Gargoyle web interface for Openwrt
https://www.gargoyle-router.com/phpbb/

Security restrictions

https://www.gargoyle-router.com/phpbb/viewtopic.php?t=1761

Page 1 of 1

Security restrictions

Posted: Thu Sep 15, 2011 5:52 am
by mrnaz
We have a LAN in our office which is wired only, and containes very sensitive information (healthcare data).

We would like to privide free WiFi to our guests, and do not wish to get a whole separate internet connection for it. I have tried to set up a Gargoyle router (WRT54G-TM) to provide restricted access (mainly restricting each user's quota) to the internet. It is configuted like this:

WAN Port IP: 192.168.0.4 (Static)
LAN IP: 192.168.1.1
DHCP Server

When WiFi clients connect, they are assigned a 192.168.1.* address, and can access the internet just fine.

However, they are also able to access machines in the 192.168.0.* subnet. This is obviously not OK. Is there a way to prevent communication between the two subnets? I.e., can Gargoyle be configured to allow WiFi clients to access the internet, but no other machines on the network connected to its WAN port?

I'm thinking that my network topology may not be ideal.

Re: Security restrictions

Posted: Fri Sep 16, 2011 8:47 pm
by pbix
By changing your network topology we can quickly arrive at a solution that works well.

The topology I recommend as follows:

ISP -> Gargoyle Router (192.168.1.1) -> Office Router (192.168.0.1)

The gargoyle router WAN port is connected to your modem and the office router (192.168.0.1) is connected to one of the hardwired LAN ports of your Gargoyle router.

Configure the WAN port of the office router with static IP address 192.168.1.2

Configure the Qos on Gargoyle with default low priorty class and then a high priority class for the office router. Add a rule to direct all traffic from the 192.168.1.2 address to the high priority class.

Configure the Wifi on the Gargoyle router as you like.

Enjoy.

Re: Security restrictions

Posted: Fri Sep 16, 2011 11:31 pm
by DoesItMatter
Couldn't you just do the Wireless Client Isolation = Enabled?

Wouldn't that allow clients to connect wireless, but not be able
to access any other devices on the network?

Re: Security restrictions

Posted: Sat Sep 17, 2011 1:23 am
by pbix
I expect the isolation pick to prevent wireless clients from accessing each other. It may also prevent wireless clients from accessing other drops on the same network (never tested this myself).

However, in this case the user is asking to isolate clients on a subnet from clients on WAN side of the router. I do not think this can be done with Gargoyle but maybe someone has a better imagination that I.

Re: Security restrictions

Posted: Sat Sep 17, 2011 10:33 pm
by DoesItMatter
https://forum.openwrt.org/viewtopic.php?id=15051

There are some hints on how to do it.

You'll have to do some manual iptables rules.

I would recommend changing the DHCP subnet for the wireless range
so that the firewall rules are easier to understand.

Put it something completely different like: 10.1.1.xxx

For your DHCP range for the wireless.

Then you could use the rules below:

Code: Select all

iptables -A forwarding_rule -s 10.1.0.0/16 -d 192.168.0.0/16 -j DROP
iptables -A input_rule -s 10.1.0.0/16 -j DROP
If you want to keep the subnets you have, you may have to just use
some rules like this:

iptables -A forwarding_rule -s 192.168.1.0/24 -d 192.168.0.0/24 -j DROP
iptables -A input_rule -s 192.168.1.0/24 -j DROP

I think that would work as well.
All times are UTC-04:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited