This shows you the differences between two versions of the page.
howto:use_cases:wireless:guest_ap [2016/02/15 09:23] admin [GUI] |
howto:use_cases:wireless:guest_ap [2018/05/24 09:05] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Guest AP ====== | ||
- | |||
- | A 'wireless guest ap' basically is just an VAP (__V__irtual __A__ccess-__P__oint) running on the same physically wireless interface as the normal access-point. | ||
- | However the VAP can have its own SSID with its own encryption settings which differs form the main wlan. | ||
- | |||
- | Running the guest instance as a virtual interface, makes it possible to separate it completeley from the private part of the network. | ||
- | |||
- | ===== Overview ===== | ||
- | |||
- | ==== Level of difficulty === | ||
- | |||
- | Medium | ||
- | |||
- | ==== Use-case === | ||
- | |||
- | It is quiet nice to let friends and other visitors use your wireless network to give them access to the internet. But offering the private wireless password, even to close friends, isn't a preferrable option. | ||
- | |||
- | These instructions shows how to setup an independent guest-network with the following properties: | ||
- | |||
- | ^ wireless guest access ^^ | ||
- | |SSID: | guest-wlan | | ||
- | |Passphrase: | guest-access | | ||
- | |Encryption: | WPA2-PSK (AES) | | ||
- | |Network: | 192.168.101.1 | | ||
- | |DHCP: | yes | | ||
- | |DHCP range: | 62 - 100 | | ||
- | |Internet: | yes | | ||
- | |||
- | ==== Related topics ==== | ||
- | |||
- | Aarticles: | ||
- | * [[documentation:configuration:uci|UCI]] \\ | ||
- | * [[howto:general:dhcp:multiple_dhcp|Multiple DHCP-Server instances]] \\ | ||
- | * [[howto:general:virtual_ap|Multiple virtual ap's]] \\ | ||
- | |||
- | Config-files: | ||
- | * [[documentation:configuration:config_files:config_network|/etc/config/network]] \\ | ||
- | * [[documentation:configuration:config_files:config_wireless|/etc/config/wireless]] \\ | ||
- | * [[documentation:configuration:config_files:config_dhcp|/etc/config/dhcp]] \\ | ||
- | * [[documentation:configuration:config_files:config_firewall|/etc/config/firewall]] \\ | ||
- | |||
- | ===== Instructions ===== | ||
- | |||
- | ==== GUI ==== | ||
- | |||
- | In this section we will configure step-by-step the guest access point. | ||
- | |||
- | |||
- | ==== UCI Config System ==== | ||
- | |||
- | * **Define new Network** | ||
- | <code> | ||
- | uci delete network.guest | ||
- | uci set network.guest=interface | ||
- | uci set network.guest.proto=static | ||
- | uci set network.guest.ipaddr=192.168.101.1 | ||
- | uci set network.guest.netmask=255.255.255.0 | ||
- | </code> | ||
- | |||
- | * **Define virtual wireless interface** | ||
- | __Note:__ the device 'wl0' must be replaced by the device listed in your 'wifi-device' section! | ||
- | |||
- | <code> | ||
- | uci delete wireless.guest | ||
- | uci set wireless.guest=wifi-iface | ||
- | uci set wireless.guest.device=wl0 | ||
- | uci set wireless.guest.mode=ap | ||
- | uci set wireless.guest.network=guest | ||
- | uci set wireless.guest.ssid=guest-wlan | ||
- | uci set wireless.guest.encryption=mixed-psk | ||
- | uci set wireless.guest.key=guest-access | ||
- | </code> | ||
- | |||
- | * **Add DHCP server for guest network** | ||
- | <code> | ||
- | uci delete dhcp.guest | ||
- | uci set dhcp.guest=dhcp | ||
- | uci set dhcp.guest.interface=guest | ||
- | uci set dhcp.guest.start=62 | ||
- | uci set dhcp.guest.limit=38 | ||
- | uci set dhcp.guest.leasetime=1h | ||
- | </code> | ||
- | |||
- | * **Setup firewall for guest-network** | ||
- | <code> | ||
- | uci delete firewall.guest_zone | ||
- | uci set firewall.guest_zone=zone | ||
- | uci set firewall.guest_zone.name=guest | ||
- | uci set firewall.guest_zone.network=guest | ||
- | uci set firewall.guest_zone.input=REJECT | ||
- | uci set firewall.guest_zone.forward=REJECT | ||
- | uci set firewall.guest_zone.output=ACCEPT | ||
- | |||
- | uci delete firewall.guest_forwarding | ||
- | uci set firewall.guest_forwarding=forwarding | ||
- | uci set firewall.guest_forwarding.src=guest | ||
- | uci set firewall.guest_forwarding.dest=wan | ||
- | |||
- | uci delete firewall.guest_rule_dns | ||
- | uci set firewall.guest_rule_dns=rule | ||
- | uci set firewall.guest_rule_dns.name='Allow DNS Queries' | ||
- | uci set firewall.guest_rule_dns.src=guest | ||
- | uci set firewall.guest_rule_dns.dest_port=53 | ||
- | uci set firewall.guest_rule_dns.proto=udp | ||
- | uci set firewall.guest_rule_dns.target=ACCEPT | ||
- | </code> | ||
- | |||
- | * **Store changes** | ||
- | <code> | ||
- | uci commit | ||
- | </code> | ||
- | |||
- | * **Apply changes** | ||
- | <code> | ||
- | /etc/init.d/network restart | ||
- | </code> | ||
- | |||
- | ==== UCI config files (native) ==== | ||
- | |||
- | * **Define new Network** | ||
- | [[documentation:configuration:config_files:config_network|/etc/config/network]] | ||
- | <code> | ||
- | config interface 'guest' | ||
- | option proto 'static' | ||
- | option ipaddr '192.168.101.1' | ||
- | option netmask '255.255.255.0' | ||
- | </code> | ||
- | |||
- | * **Define virtual wireless interface** | ||
- | [[documentation:configuration:config_files:config_wireless|/etc/config/wireless]] | ||
- | <code> | ||
- | config wifi-iface | ||
- | option device 'wl0' | ||
- | option mode 'ap' | ||
- | option network 'guest' | ||
- | option ssid 'guest-wlan' | ||
- | option encryption 'mixed-psk' | ||
- | option key 'guest-access' | ||
- | </code> | ||
- | Note: key must contain at least 8 characters | ||
- | Note: the device 'wl0' must be replaced by the device listed in your 'wifi-device' section! | ||
- | |||
- | * **Add DHCP server for guest network** | ||
- | [[documentation:configuration:config_files:config_dhcp|/etc/config/dhcp]] | ||
- | <code> | ||
- | config dhcp 'guest' | ||
- | option interface 'guest' | ||
- | option start '62' | ||
- | option limit '38' | ||
- | option leasetime '1h' | ||
- | </code> | ||
- | |||
- | * **Setup firewall for guest-network** | ||
- | [[documentation:configuration:config_files:config_firewall|/etc/config/firewall]] | ||
- | |||
- | New zone for 'guest': | ||
- | <code> | ||
- | config zone | ||
- | option name 'guest' | ||
- | list network 'guest' | ||
- | option input 'REJECT' | ||
- | option forward 'REJECT' | ||
- | option output 'ACCEPT' | ||
- | </code> | ||
- | |||
- | Allow internet access: | ||
- | <code> | ||
- | config forwarding | ||
- | option src ‘guest’ | ||
- | option dest 'wan' | ||
- | </code> | ||
- | |||
- | Allow DNS queries: | ||
- | <code> | ||
- | config rule | ||
- | option name 'Allow-DNS' | ||
- | option src 'guest' | ||
- | option dest_port '53' | ||
- | option proto 'tcpudp' | ||
- | option target 'ACCEPT' | ||
- | </code> | ||
- | |||
- | * **Apply changes** | ||
- | <code> | ||
- | /etc/init.d/network restart | ||
- | </code> | ||
- | |||
- | ===== Troubleshooting ===== | ||
- | |||
- | Not available, yet | ||
- | |||
- | |||
- | |||
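Review bot: the 2018/05/24 side of this revision is empty, so the whole guest AP walkthrough (network, wireless, DHCP and firewall steps) is removed with nothing left in its place; leave a redirect or a pointer to the successor page, or restore the text. If the content is being moved rather than dropped, correct it on the way, since the removed lines disagree with each other: the properties table promises "WPA2-PSK (AES)" while both config variants set encryption to mixed-psk; the uci DNS rule uses proto=udp while the native file uses 'tcpudp'; the guest zone sets input to REJECT and only port 53 is opened, so no rule admits DHCP requests (UDP 67) to the router even though a DHCP pool is defined for the guest interface; the uci variant restarts only the network service after changing firewall settings; and the forwarding block's src line wraps guest in typographic quotes instead of plain single quotes, which will not survive a copy and paste into /etc/config/firewall.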