Networking – OpenWrt: how to give wlan clients @ 10.x Internet access via gateway @ 192.168.1.254

Tags: iptables, openwrt, routing, wireless-networking

I want to isolate guests connecting to my Wi-Fi to the 10.0.0.x subnet, while giving them Internet access. The OpenWrt router is at 192.168.1.48 (its "wifi" interface has 10.0.0.1) and my gateway is at 192.168.1.254. How would I go about setting up OpenWrt so that guests reach the Internet through my gateway but remain confined to the 10.x subnet?

I've read the guest-wlan recipe on the OpenWrt wiki, but I can't figure out how to do what I want. So far I've managed to set up a DHCP server for guests that hands out 10.x addresses.

I've also noticed that I can resolve hostnames from a laptop in the 10.x network. From the dnsmasq logs I can see it knows there's a nameserver at 192.168.1.254 (I assume because it looked in /etc/resolv.conf). But how and why are those packets crossing the firewall?

I'm running Backfire 10.03.1 on a WRT54GL. The gateway is a Linksys E4200. This is my OpenWrt configuration at the moment:

/etc/config/dhcp

# Global dnsmasq settings (DNS forwarder + DHCP server running on the router).
config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'filterwin2k' '0'
        option 'localise_queries' '1'
        # DNS rebind protection: upstream answers pointing at private
        # addresses are refused.  Defensive default, keep it.
        option 'rebind_protection' '1'
        option 'rebind_localhost' '1'
        option 'local' '/lan/'
        option 'domain' 'lan'
        option 'expandhosts' '1'
        option 'nonegcache' '0'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        # Upstream resolvers are taken from this file.  With the lan interface
        # configured for dns 192.168.1.254, this is presumably where dnsmasq
        # learns the gateway's nameserver address (see the question text).
        option 'resolvfile' '/tmp/resolv.conf.auto'

# No DHCP service on the wired lan (presumably the gateway at 192.168.1.254
# hands out addresses on that segment).
config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'ignore' '1'

# No DHCP service on wan either.
config 'dhcp' 'wan'
        option 'interface' 'wan'
        option 'ignore' '1'

# Guest pool on the 'wifi' interface (10.0.0.1/24): up to 150 leases starting
# at host offset 100, 12h lease time.  No dhcp_option overrides are set, so
# guests presumably receive 10.0.0.1 as both router and DNS server -- confirm
# by inspecting a lease on a guest client.
config 'dhcp'
        option 'start' '100'
        option 'leasetime' '12h'
        option 'limit' '150'
        option 'interface' 'wifi'

/etc/config/network

# Loopback.
config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

# Wired lan on VLAN eth0.0.  The router's default route and its own DNS
# both point at the upstream gateway 192.168.1.254 on this segment.
config 'interface' 'lan'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'ipaddr' '192.168.1.48'
        option 'gateway' '192.168.1.254'
        option 'dns' '192.168.1.254'

# wan VLAN eth0.1 as a DHCP client.  Nothing in this question relies on it;
# Internet access is expected to go via the lan gateway above.
config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'dhcp'

# Guest network.  No ifname here: the access point is attached to this
# interface by 'option network wifi' in /etc/config/wireless.  It is a routed
# (not bridged) interface, so guest traffic bound for the Internet has to be
# forwarded out via 'lan' and the router's default route.
# NOTE(review): /etc/config/firewall defines only 'lan' and 'wan' zones, so
# this interface is covered by the 'defaults' policies alone.
config 'interface' 'wifi'
        option 'proto' 'static'
        option 'ipaddr' '10.0.0.1'
        option 'netmask' '255.255.255.0'

/etc/config/wireless

# Broadcom radio on channel 11.
config 'wifi-device' 'wl0'
        option 'type' 'broadcom'
        option 'channel' '11'

# Guest access point.  'encryption none' makes this an open network: anyone
# in range can associate and obtain a 10.0.0.x lease.  'network wifi'
# attaches the AP to the routed 'wifi' interface (10.0.0.1) rather than
# bridging it into 'lan'.
# NOTE(review): nothing here keeps guest clients from talking to each other;
# if the broadcom driver honours it, 'option isolate 1' provides that.
config 'wifi-iface'
        option 'device' 'wl0'
        option 'mode' 'ap'
        option 'ssid' 'OpenWrt'
        option 'encryption' 'none'
        option 'network' 'wifi'

/etc/config/firewall (haven't changed it from defaults)

# Global policies.  These apply to traffic on interfaces that belong to no
# zone -- which, in this config, includes the guest 'wifi' interface (only
# 'lan' and 'wan' zones are defined below).  Read that way: guests can reach
# services on the router itself (input ACCEPT: dnsmasq DNS/DHCP and anything
# else listening), while anything they try to forward hits forward REJECT.
# That is consistent with the behaviour described in the question: names
# resolve because dnsmasq answers from 10.0.0.1 and then queries
# 192.168.1.254 as router-originated traffic (output ACCEPT), not as
# forwarded guest traffic.
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

# lan zone: the router accepts connections from the wired segment.
config zone
        option name             lan
        option network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

# wan zone: inbound closed except for the explicit rules that follow;
# masquerade and MSS clamping for traffic leaving via wan.
config zone
        option name             wan
        option network          'wan'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

# Only lan -> wan forwarding is permitted.
# NOTE(review): there is no zone or forwarding entry for the 'wifi' network,
# so "confined to 10.x but Internet via the lan gateway" cannot be expressed
# yet.  The usual shape is a dedicated zone for 'wifi' with input/forward
# REJECT, explicit accept rules for DHCP and DNS to the router, a forwarding
# towards the gateway's zone, and a reject rule for the lan hosts.
config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# (DHCP client replies for the wan interface, whose zone input is REJECT.)
# All rules in this file are 'src wan'; none of them touches the guest
# 'wifi' interface.
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# (restricted to link-local source and destination, server -> client ports)
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fe80::/10
        option src_port         547
        option dest_ip          fe80::/10
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# (rate-limited to 1000/sec)
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# ('dest *' = any zone; same rate limit as above)
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# include a file with users custom iptables rules
# (this is the hook the accepted answer uses for its ebtables commands)
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp


### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

I realize this is more of a general networking question than an OpenWrt question, but I thought I should mention OpenWrt. I have a vague idea that making this work involves some iptables black magic, but I can't figure out the correct incantations, so I wanted to ask for help.

Thanks in advance!

Best Answer

I had exactly the same situation as you, except for the gateway (Cisco RV042G). However, my solution probably won't work on the E4200 because it lacks the needed features. Whether it is possible by other methods is beyond my knowledge. I'm adding the answer for others who may be looking for a solution like this.

Let's assume that 10.0.0.0/24 is your main network with the gateway address 10.0.0.1 and 10.0.1.0/24 is the guest network. Steps for reproducing my solution:

  • Create a different subnet for the guests on the gateway. The gateway must support this feature as it creates multiple NAT tables for routing the Internet traffic to the appropriate subnet.
  • Add a firewall rule for blocking all traffic from 10.0.1.0/24 to 10.0.0.0/24 on the gateway.
  • Use an OpenWrt build with kernel 2.6+; brcm-2.4 builds won't work because they lack ebtables support. I used a 12.06 build with a config based on the default brcm47xx config. With the default image opkg failed to work for me; I didn't try 10.03. I recommend Debian 7 i386 for the buildroot, as amd64 wasted enough hours of my life with various random compile errors. You may be able to use the ImageBuilder, but I didn't try it. For ebtables you need the following packages: ebtables, ebtables-utils, kmod-ebtables-ipv4. The kernel module isn't automatically added as a dependency, so be careful.
  • Add the ebtables rules below to /etc/firewall.user to block the DHCP broadcasts from the gateway, if the gateway doesn't support multiple DHCP pools (the RV042G doesn't). I found them on the OpenWrt forums and adapted them for 12.06, which uses eth0.0 as the interface name for the lan VLAN.

# Flush the ebtables filter table.  NOTE(review): this discards every existing
# rule in that table, not just the four added below, each time firewall.user runs.
ebtables -F

# Frames arriving from the wired VLAN (eth0.0) that carry IPv4/UDP with a DHCP
# port (67-68) as source or destination are dropped before they reach the AP
# itself (INPUT) ...
ebtables -A INPUT --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

ebtables -A INPUT --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

# ... and before they are bridged on to the wireless side (FORWARD), so the
# gateway's DHCP offers never reach guest clients.  As written only frames
# *entering* on eth0.0 are matched: a guest's own DHCP request still goes out
# towards the wired segment, but the reply coming back is dropped here.
ebtables -A FORWARD --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

ebtables -A FORWARD --in-interface eth0.0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

  • Optional: Configure the lan interface for the secondary subnet. You need to change the address if both the gateway and the OpenWrt AP use the default (192.168.1.1).

# lan as a bridge: the wired VLAN and (presumably, once the AP's wifi-iface is
# attached to 'lan') the wireless clients share one layer-2 segment.
# Security note: this is why the caveat at the end of the answer applies --
# separating the guest subnet at the IP level does not stop a station that
# manually configures an address in the main subnet, because ARP and other
# broadcasts still cross the bridge.
config interface lan

option type bridge

option ifname "eth0.0"

option proto static

# The AP's own address in the guest subnet; the gateway's guest-side address
# is 10.0.1.1.
option ipaddr 10.0.1.2

option netmask 255.255.255.0

option gateway 10.0.1.1

# Public resolvers for the AP itself (not what guests are told to use).
option dns "8.8.8.8 8.8.4.4"

  • Tell the DHCP server which gateway to advertise, since it would otherwise use the ipaddr from the lan interface config:

# DHCP pool for guests on the (now 10.0.1.x) lan bridge: 100 leases starting
# at host offset 100, 1h lease time.
config dhcp lan

option interface lan

option start 100

option limit 100

option leasetime 1h

# DHCP option 3 (router): advertise the gateway's guest-subnet address
# instead of the AP's own 10.0.1.2.
list 'dhcp_option' '3,10.0.1.1'

  • Configure the wireless as a regular access point. Optional: encryption (recommended) and client isolation (also recommended).

I found only one issue with this setup: a guest can still reach your main network by guessing that network's subnet and manually configuring an address from it on the wireless interface. Since guests still see the ARP broadcasts from the main network, guessing it is not hard for anyone who understands the previous sentence. I think this can be fixed with some firewall rules on the OpenWrt AP, but I still have to research that part.
