
This is an old revision of the document!



====== Guest AP ======

A 'wireless guest AP' is basically just a VAP (__V__irtual __A__ccess-__P__oint) running on the same physical wireless interface as the normal access point. However, the VAP can have its own SSID with its own encryption settings, which differ from those of the main WLAN. Running the guest instance as a virtual interface makes it possible to separate it completely from the private part of the network.

===== Overview =====

==== Level of difficulty ====

Medium

==== Use-case ====

It is quite nice to let friends and other visitors use your wireless network to give them access to the internet. But handing out the private wireless password, even to close friends, isn't a preferable option. These instructions show how to set up an independent guest network with the following properties:

^ wireless guest access ^^
|SSID:        | guest-wlan     |
|Passphrase:  | guest-access   |
|Encryption:  | WPA2-PSK (AES) |
|Network:     | 192.168.101.1  |
|DHCP:        | yes            |
|DHCP range:  | 62 - 100       |
|Internet:    | yes            |

==== Related topics ====

Articles:
  * [[documentation:configuration:uci|UCI]] \\
  * [[howto:general:dhcp:multiple_dhcp|Multiple DHCP-Server instances]] \\
  * [[howto:general:virtual_ap|Multiple virtual ap's]] \\

Config-files:
  * [[documentation:configuration:config_files:config_network|/etc/config/network]] \\
  * [[documentation:configuration:config_files:config_wireless|/etc/config/wireless]] \\
  * [[documentation:configuration:config_files:config_dhcp|/etc/config/dhcp]] \\
  * [[documentation:configuration:config_files:config_firewall|/etc/config/firewall]] \\

===== Instructions =====

==== GUI ====

In this section we will configure the guest access point step by step.

==== UCI Config System ====

  * **Define new Network**
<code>
uci delete network.guest
uci set network.guest=interface
uci set network.guest.proto=static
uci set network.guest.ipaddr=192.168.101.1
uci set network.guest.netmask=255.255.255.0
</code>

  * **Define virtual wireless interface**
__Note:__ the device 'wl0' must be replaced by the device listed in your 'wifi-device' section!
<code>
uci delete wireless.guest
uci set wireless.guest=wifi-iface
uci set wireless.guest.device=wl0
uci set wireless.guest.mode=ap
uci set wireless.guest.network=guest
uci set wireless.guest.ssid=guest-wlan
# psk2 = WPA2-PSK (AES), matching the overview table
uci set wireless.guest.encryption=psk2
uci set wireless.guest.key=guest-access
</code>

  * **Add DHCP server for guest network**
<code>
uci delete dhcp.guest
uci set dhcp.guest=dhcp
uci set dhcp.guest.interface=guest
uci set dhcp.guest.start=62
uci set dhcp.guest.limit=38
uci set dhcp.guest.leasetime=1h
</code>

  * **Setup firewall for guest-network**
<code>
# Zone for the guest network: nothing is accepted or forwarded by default
uci delete firewall.guest_zone
uci set firewall.guest_zone=zone
uci set firewall.guest_zone.name=guest
uci set firewall.guest_zone.network=guest
uci set firewall.guest_zone.input=REJECT
uci set firewall.guest_zone.forward=REJECT
uci set firewall.guest_zone.output=ACCEPT

# Allow internet access (guest -> wan only)
uci delete firewall.guest_forwarding
uci set firewall.guest_forwarding=forwarding
uci set firewall.guest_forwarding.src=guest
uci set firewall.guest_forwarding.dest=wan

# Allow DNS queries to the router
uci delete firewall.guest_rule_dns
uci set firewall.guest_rule_dns=rule
uci set firewall.guest_rule_dns.name='Allow DNS Queries'
uci set firewall.guest_rule_dns.src=guest
uci set firewall.guest_rule_dns.dest_port=53
uci set firewall.guest_rule_dns.proto=udp
uci set firewall.guest_rule_dns.target=ACCEPT
</code>

  * **Store changes**
<code>
uci commit
</code>

  * **Apply changes**
<code>
/etc/init.d/network restart
</code>

==== UCI config files (native) ====

  * **Define new Network** [[documentation:configuration:config_files:config_network|/etc/config/network]]
<code>
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.101.1'
        option netmask '255.255.255.0'
</code>

  * **Define virtual wireless interface** [[documentation:configuration:config_files:config_wireless|/etc/config/wireless]]
<code>
config wifi-iface
        option device 'wl0'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest-wlan'
        # psk2 = WPA2-PSK (AES), matching the overview table
        option encryption 'psk2'
        option key 'guest-access'
</code>
Note: the key must contain at least 8 characters.

Note: the device 'wl0' must be replaced by the device listed in your 'wifi-device' section!

  * **Add DHCP server for guest network** [[documentation:configuration:config_files:config_dhcp|/etc/config/dhcp]]
<code>
config dhcp 'guest'
        option interface 'guest'
        option start '62'
        option limit '38'
        option leasetime '1h'
</code>

  * **Setup firewall for guest-network** [[documentation:configuration:config_files:config_firewall|/etc/config/firewall]]
New zone for 'guest':
<code>
config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
</code>
Allow internet access:
<code>
config forwarding
        option src 'guest'
        option dest 'wan'
</code>
Allow DNS queries:
<code>
config rule
        option name 'Allow-DNS'
        option src 'guest'
        option dest_port '53'
        option proto 'tcpudp'
        option target 'ACCEPT'
</code>

  * **Apply changes**
<code>
/etc/init.d/network restart
</code>

===== Troubleshooting =====

Not available, yet
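
The separation set up in the firewall step can be checked after the fact. The script below is an added example, not part of the original wiki page: it reads ''uci show firewall'' output on stdin and reports anything that breaks the isolation described above (zone policies other than REJECT/DROP, forwardings other than guest to wan, a missing DNS rule). The function names and the embedded sample are constructed for illustration; the section names follow the UCI commands on this page.

```shell
#!/bin/sh
# Audit `uci show firewall` text (stdin); one FAIL line per finding, returns 0 if isolated.
audit_guest_zone() {
    awk -v zone="${1:-guest}" -F= '
    {   val = $0; sub(/^[^=]*=/, "", val); gsub("\047", "", val)  # value, quotes stripped
        n = split($1, p, ".")                     # firewall.<section>[.<option>]
        if (n == 2) { kind[p[2]] = val; order[++cnt] = p[2] } else opt[p[2], p[3]] = val }
    END {
        for (i = 1; i <= cnt; i++) {
            s = order[i]; t = kind[s]; src = opt[s, "src"]; dest = opt[s, "dest"]
            if (t == "zone" && opt[s, "name"] == zone) {
                seen = 1
                if (opt[s, "input"] !~ /^(REJECT|DROP)$/)   fail("zone input policy is " opt[s, "input"])
                if (opt[s, "forward"] !~ /^(REJECT|DROP)$/) fail("zone forward policy is " opt[s, "forward"])
            }
            if (t == "forwarding" && src == zone && dest == "wan") wan = 1
            if (t == "forwarding" && src == zone && dest != "wan") fail("forwarding " zone " -> " dest)
            if (t == "forwarding" && dest == zone) fail("forwarding " src " -> " zone)
            if (t == "rule" && src == zone && opt[s, "dest_port"] == "53" &&
                opt[s, "target"] == "ACCEPT" && index(opt[s, "proto"], "udp")) dns = 1
        }
        if (!seen) fail("no zone named " zone)
        if (!wan)  fail("no forwarding " zone " -> wan")
        if (!dns)  fail("no rule accepting DNS (udp/53) from " zone)
        exit (bad > 0)
    }
    function fail(msg) { print "FAIL: " msg; bad++ }'
}

# Constructed sample: the sections created by the UCI commands on this page.
page_config() {
    cat <<'EOF'
firewall.guest_zone=zone
firewall.guest_zone.name='guest'
firewall.guest_zone.network='guest'
firewall.guest_zone.input='REJECT'
firewall.guest_zone.forward='REJECT'
firewall.guest_forwarding=forwarding
firewall.guest_forwarding.src='guest'
firewall.guest_forwarding.dest='wan'
firewall.guest_rule_dns=rule
firewall.guest_rule_dns.src='guest'
firewall.guest_rule_dns.dest_port='53'
firewall.guest_rule_dns.proto='udp'
firewall.guest_rule_dns.target='ACCEPT'
EOF
}
page_config | audit_guest_zone guest && echo "OK: guest zone is isolated"
```

On the router itself, feed it the live configuration with ''uci show firewall | audit_guest_zone guest''.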

howto/use_cases/wireless/guest_ap.1455528189.txt.gz · Last modified: 2018/05/24 09:05 (external edit)