I had the exact same situation as you, except for the gateway (Cisco RV042G). However, my solution probably won't work on the E4200 due to missing features. If it is possible by other methods, then it is beyond my knowledge. I'm adding the answer for others who may be looking for a solution like this.
Let's assume that 10.0.0.0/24 is your main network with the gateway address 10.0.0.1 and 10.0.1.0/24 is the guest network. Steps for reproducing my solution:
- Create a different subnet for the guests on the gateway. The gateway must support this feature as it creates multiple NAT tables for routing the Internet traffic to the appropriate subnet.
- Add a firewall rule for blocking all traffic from 10.0.1.0/24 to 10.0.0.0/24 on the gateway.
- Use an OpenWrt build with kernel 2.6+. brcm-2.4 builds won't work due to lack of ebtables support. I used a 12.06 build with a config based on the default brcm47xx config. With the default image opkg fails to work (I didn't try 10.03). I do recommend Debian 7 i386 for the buildroot, as amd64 wasted enough hours of my life with various random compile errors. You may be able to use the ImageBuilder, I think, but I didn't try it. For ebtables you need the following packages: ebtables, ebtables-utils, kmod-ebtables-ipv4. The kernel module isn't automatically added as a dependency, so be careful.
- Put the ebtables rules below in /etc/firewall.user to block the DHCP broadcasts from the gateway, if the gateway doesn't support multiple DHCP pools. The RV042G doesn't. I found them on the OpenWrt forums and adapted them for 12.06, which uses eth0.0 as the interface name for the lan VLAN.
ebtables -F
ebtables -A INPUT --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A INPUT --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
- Optional: Configure the lan interface for the secondary subnet. You need to change the address if both the gateway and the OpenWrt AP use the defaults (192.168.1.1).
config interface lan
	option type bridge
	option ifname "eth0.0"
	option proto static
	option ipaddr 10.0.1.2
	option netmask 255.255.255.0
	option gateway 10.0.1.1
	option dns "8.8.8.8 8.8.4.4"
- Tell the DHCP server which gateway to broadcast as it would normally use the ipaddr from the lan interface config:
config dhcp lan
	option interface lan
	option start 100
	option limit 100
	option leasetime 1h
	list 'dhcp_option' '3,10.0.1.1'
- Configure the wireless as a regular access point. Optional: encryption (recommended), client isolation (also recommended).
I found only one issue with this setup: a guest can still enter your main network if the subnet for that network is "guessed" and the network configuration is done manually for the wireless interface. Given that the guests still see the ARP broadcasts from the main network, it isn't that difficult for people who understand the previous statement. I think it can be fixed with some firewall rules on the OpenWrt AP, but I have to research that part.
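The firewall rules the last paragraph leaves open, as an added example that is not part of the original answer: a layer-2 anti-spoofing chain on the OpenWrt AP so a guest that hand-configures a 10.0.0.x address is dropped before it reaches the wired segment, and main-subnet ARP broadcasts are hidden from the wireless side. It assumes the wireless interface is called wlan0 and sits in the same br-lan bridge as eth0.0, and that the ebt_ip/ebt_arp matches from kmod-ebtables-ipv4 are available; the subnet values are the constructed ones from the answer above.

```shell
#!/bin/sh
# Added example, not the original answer's code. Assumes wlan0 (an assumption)
# and eth0.0 are bridged in br-lan, and that ebt_ip/ebt_arp are loaded.
# Set EBT=echo to dry-run and just see the rules that would be applied.
EBT="${EBT:-ebtables}"

# Usage: guest_isolation_rules <wifi-if> <guest-subnet> <main-subnet>
guest_isolation_rules() {
    wifi="$1"; guest="$2"; main="$3"

    # Own chain, so these rules coexist with the DHCP rules above, which
    # only match frames arriving on eth0.0.
    "$EBT" -L GUEST >/dev/null 2>&1 || "$EBT" -N GUEST
    "$EBT" -F GUEST
    "$EBT" -D FORWARD -i "$wifi" -j GUEST >/dev/null 2>&1
    "$EBT" -A FORWARD -i "$wifi" -j GUEST

    # Anti-spoofing: a guest using any source outside its own subnet is
    # dropped at the AP, so the gateway's 10.0.1.0/24 -> 10.0.0.0/24 rule
    # cannot be sidestepped with a hand-picked 10.0.0.x address. DHCP
    # discovers (source 0.0.0.0) are dropped here too and thus stay off the
    # wire; the AP's own dnsmasq still receives them via the INPUT chain.
    "$EBT" -A GUEST -p IPv4 --ip-source ! "$guest" -j DROP
    # Belt and braces: nothing from guests towards the main subnet at all.
    "$EBT" -A GUEST -p IPv4 --ip-destination "$main" -j DROP
    # ARP: guests may neither resolve main-subnet hosts nor claim their IPs.
    "$EBT" -A GUEST -p ARP --arp-ip-dst "$main" -j DROP
    "$EBT" -A GUEST -p ARP --arp-ip-src ! "$guest" -j DROP
    # Only IPv4 and ARP leave the guest side; other ethertypes (e.g. IPv6
    # link-local) are dropped.
    "$EBT" -A GUEST -p IPv4 -j RETURN
    "$EBT" -A GUEST -p ARP -j RETURN
    "$EBT" -A GUEST -j DROP

    # Hide main-subnet ARP broadcasts from guests (the "guessing" hint).
    # Assumes the gateway ARPs for guest hosts with its 10.0.1.1 address.
    "$EBT" -D FORWARD -o "$wifi" -p ARP --arp-ip-src "$main" -j DROP >/dev/null 2>&1
    "$EBT" -A FORWARD -o "$wifi" -p ARP --arp-ip-src "$main" -j DROP
}

# When run as a script, e.g. from /etc/firewall.user after the DHCP rules:
#   sh guest-isolation.sh wlan0 10.0.1.0/24 10.0.0.0/24
if [ $# -eq 3 ]; then
    guest_isolation_rules "$@"
fi
```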
It seems that you are doing all configuration on the command line.
I have tried OpenWRT before and installed the web GUI to help; you may refer to LuCI Essentials for setting up the web user interface (LuCI). Configuring your router through a web browser, such as turning on SSH and setting some other options, will be easier through the web UI.
Edit 1.
So you have 3 questions; I separate them and try to pinpoint the solution one by one for easy understanding.
One thing I have to declare is that my router was converted from OpenWRT to DD-WRT and then to Tomato, so I used a VM (virtual machine) for the screen captures and for writing the solutions. Please forgive 1 or 2 slight differences. I think it is the same in most cases, since I used a VM to try OpenWRT before I flashed it to my router.
Preparations (in case you haven't done so): LuCI will be accessed later, once your router is configured to be reachable from machines on the local area network. Extracted from LuCI Essentials.
Install LuCI with the following commands:
opkg update
opkg install luci # without https OR
opkg install luci-ssl # with https support
/etc/init.d/uhttpd start # Start the web server (uHTTPd) manually
/etc/init.d/uhttpd enable # if you wish to start automatically on reboot
1. My external address (lan/eth0) provided by the ISP modem (so I can't simply block port 68 on this interface)
I suppose you mean to get the external address, right?
Actually, when you set up the router to get DHCP from your ISP (modem), your external address will appear in LuCI later.
This setting should do the work:
vim /etc/config/network # edit the network settings, then save
# add the following lines to the config
config 'interface' 'wan' # configure the interface wan
	option 'proto' 'dhcp' # use protocol DHCP
	option 'ifname' 'eth1' # physical interface to assign; this should be the network port connected to your ISP modem (may be eth1, eth0 or whatever in your case)
>>>command
ifup wan # bring the WAN interface up
Up to this point, when you open a browser on your client computer, such as Windows 7, and type in 192.168.100.1 (in your case), you should see the OpenWRT interface in the browser. The password is empty by default.
2. DHCP provided by this router to my internal devices, with resolving of device names (DNS)
When you can connect to your router through the client computer's browser, you can go to Network -> Hostnames to manually assign hostnames to specific devices if those devices do not have a hostname or do not resolve automatically. (In my case, the default had no problem.)
3. Properly configure my interfaces so I can allow ssh only on internal (wan/radio0) interface
according to the Secure Access document in OpenWRT:
"by letting the SSH server dropbear and the web-server uhttpd not listen on the external/WAN port"
Here is how to do it:
vim /etc/config/dropbear # edit the dropbear settings, then save
# add the following line to your dropbear config
	option Interface 'lan' # only listen on lan
>>>command
/etc/init.d/dropbear restart # or reboot if it doesn't work
I think this should illustrate the solution to your questions.
Edit 2.
Since this is an old post, I just added the reference link for future readers.
Best Answer
You need to request an IPv6 prefix from your upstream provider for the machines on the LAN side of your router to use; this is called DHCPv6 prefix delegation.
Of course, this will work if and only if the upstream provider actually provides routed prefixes. In a campus dorm, this may or may not be the case. Contact your university's IT services and ask about this if you don't get a routed prefix after doing this.