This is an old revision of the document!


====== Guest AP ======

A 'wireless guest AP' is basically just a VAP (__V__irtual __A__ccess-__P__oint) running on the same physical wireless interface as the normal access point. However, the VAP can have its own SSID with its own encryption settings, which differ from those of the main WLAN. Running the guest instance as a virtual interface makes it possible to separate it completely from the private part of the network.

===== Overview =====

==== Level of difficulty ====

Medium

==== Use-case ====

It is quite nice to let friends and other visitors use your wireless network to give them access to the internet. But handing out the private wireless password, even to close friends, isn't a preferable option. These instructions show how to set up an independent guest network with the following properties:

^ wireless guest access ^^
|SSID:       | guest-wlan     |
|Passphrase: | guest-access   |
|Encryption: | WPA2-PSK (AES) |
|Network:    | 192.168.101.1  |
|DHCP:       | yes            |
|DHCP range: | 62 - 100       |
|Internet:   | yes            |

==== Related topics ====

Articles:

  * [[documentation:configuration:uci|UCI]]
  * [[howto:general:dhcp:multiple_dhcp|Multiple DHCP-Server instances]]
  * [[howto:general:virtual_ap|Multiple virtual ap's]]

Config-files:

  * [[documentation:configuration:config_files:config_network|/etc/config/network]]
  * [[documentation:configuration:config_files:config_wireless|/etc/config/wireless]]
  * [[documentation:configuration:config_files:config_dhcp|/etc/config/dhcp]]
  * [[documentation:configuration:config_files:config_firewall|/etc/config/firewall]]

===== Instructions =====

==== GUI ====

In this tutorial we will configure the guest access point step by step. First, log in to your router. Go to the __Network Settings__ tab and then to __Wireless__.

{{ :howto:use_cases:wireless:nxtgui_guestap1.png?nolink&800 |}}

In the lower right corner you will notice a button that creates a new access point; alternatively, you can work with an existing one. To edit an existing one, click on the pencil next to the name of the access point of your choice.

{{ :howto:use_cases:wireless:nxtgui_guestap2.png?nolink&800 |}}

After choosing or creating your access point, open the __Advanced__ section underneath the encryption settings. Now select __Bridge to__ **GUEST_LAN**; the access point is then separated from the other LANs.

==== UCI Config System ====

  * **Define new Network**

<code>
uci delete network.guest
uci set network.guest=interface
uci set network.guest.proto=static
uci set network.guest.ipaddr=192.168.101.1
uci set network.guest.netmask=255.255.255.0
</code>

  * **Define virtual wireless interface**

__Note:__ the device 'wl0' must be replaced by the device listed in your 'wifi-device' section!

<code>
uci delete wireless.guest
uci set wireless.guest=wifi-iface
uci set wireless.guest.device=wl0
uci set wireless.guest.mode=ap
uci set wireless.guest.network=guest
uci set wireless.guest.ssid=guest-wlan
# psk2 = WPA2-PSK, matching the encryption listed in the overview table
uci set wireless.guest.encryption=psk2
uci set wireless.guest.key=guest-access
</code>

  * **Add DHCP server for guest network**

<code>
uci delete dhcp.guest
uci set dhcp.guest=dhcp
uci set dhcp.guest.interface=guest
uci set dhcp.guest.start=62
uci set dhcp.guest.limit=38
uci set dhcp.guest.leasetime=1h
</code>

  * **Setup firewall for guest-network**

<code>
# Zone for the guest network: reject traffic to the router and between zones by default
uci delete firewall.guest_zone
uci set firewall.guest_zone=zone
uci set firewall.guest_zone.name=guest
uci set firewall.guest_zone.network=guest
uci set firewall.guest_zone.input=REJECT
uci set firewall.guest_zone.forward=REJECT
uci set firewall.guest_zone.output=ACCEPT

# Allow internet access: forward guest traffic to wan only
uci delete firewall.guest_forwarding
uci set firewall.guest_forwarding=forwarding
uci set firewall.guest_forwarding.src=guest
uci set firewall.guest_forwarding.dest=wan

# Allow DNS queries from guests to the router
uci delete firewall.guest_rule_dns
uci set firewall.guest_rule_dns=rule
uci set firewall.guest_rule_dns.name='Allow DNS Queries'
uci set firewall.guest_rule_dns.src=guest
uci set firewall.guest_rule_dns.dest_port=53
uci set firewall.guest_rule_dns.proto=udp
uci set firewall.guest_rule_dns.target=ACCEPT
</code>

  * **Store changes**

<code>
uci commit
</code>

  * **Apply changes**

<code>
/etc/init.d/network restart
</code>

==== UCI config files (native) ====

  * **Define new Network** [[documentation:configuration:config_files:config_network|/etc/config/network]]

<code>
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'
</code>

  * **Define virtual wireless interface** [[documentation:configuration:config_files:config_wireless|/etc/config/wireless]]

<code>
config wifi-iface
	option device 'wl0'
	option mode 'ap'
	option network 'guest'
	option ssid 'guest-wlan'
	# psk2 = WPA2-PSK, matching the encryption listed in the overview table
	option encryption 'psk2'
	option key 'guest-access'
</code>

Note: key must contain at least 8 characters

Note: the device 'wl0' must be replaced by the device listed in your 'wifi-device' section!

  * **Add DHCP server for guest network** [[documentation:configuration:config_files:config_dhcp|/etc/config/dhcp]]

<code>
config dhcp 'guest'
	option interface 'guest'
	option start '62'
	option limit '38'
	option leasetime '1h'
</code>

  * **Setup firewall for guest-network** [[documentation:configuration:config_files:config_firewall|/etc/config/firewall]]

New zone for 'guest':

<code>
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
</code>

Allow internet access:

<code>
config forwarding
	option src 'guest'
	option dest 'wan'
</code>

Allow DNS queries:

<code>
config rule
	option name 'Allow-DNS'
	option src 'guest'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'
</code>

  * **Apply changes**

<code>
/etc/init.d/network restart
</code>

===== Troubleshooting =====

Not available, yet
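One way to check that the firewall sections from the instructions above really isolate the guest zone, as an added example that is not part of the original page: the function reads ''uci show firewall'' output and reports a guest zone that does not reject input/forward, or any forwarding from 'guest' to a zone other than 'wan'. The function and sample names are assumptions made for this example, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Sample data below is constructed.

# Reads `uci show firewall` text on stdin. Returns 0 when the zone named
# 'guest' rejects input and forward and guest traffic is only forwarded to
# 'wan'; otherwise prints each finding and returns 1.
check_guest_isolation() {
    awk -F= -v q="'" '
    BEGIN { bad = 0 }
    {
        n = split($1, p, "."); v = $2; gsub(q, "", v)
        if (n == 2) type[p[2]] = v            # firewall.<section>=<type>
        else if (n == 3) opt[p[2], p[3]] = v  # firewall.<section>.<option>=<value>
    }
    END {
        for (s in type) {
            if (type[s] == "zone" && opt[s, "name"] == "guest") {
                found = 1
                if (opt[s, "input"] != "REJECT")   { print "zone " s ": input=" opt[s, "input"]; bad = 1 }
                if (opt[s, "forward"] != "REJECT") { print "zone " s ": forward=" opt[s, "forward"]; bad = 1 }
            }
            if (type[s] == "forwarding" && opt[s, "src"] == "guest" && opt[s, "dest"] != "wan") {
                print "forwarding " s ": guest -> " opt[s, "dest"]; bad = 1
            }
        }
        if (!found) { print "no zone named guest"; bad = 1 }
        exit bad
    }'
}

# Constructed sample: the firewall sections this page configures.
sample_page_config() {
    cat <<'EOF'
firewall.guest_zone=zone
firewall.guest_zone.name='guest'
firewall.guest_zone.network='guest'
firewall.guest_zone.input='REJECT'
firewall.guest_zone.forward='REJECT'
firewall.guest_zone.output='ACCEPT'
firewall.guest_forwarding=forwarding
firewall.guest_forwarding.src='guest'
firewall.guest_forwarding.dest='wan'
EOF
}

# Constructed sample: same zone plus a stray forwarding into the private LAN.
sample_leaky_config() {
    sample_page_config
    printf "%s\n" "firewall.guest_to_lan=forwarding" \
        "firewall.guest_to_lan.src='guest'" "firewall.guest_to_lan.dest='lan'"
}

sample_page_config | check_guest_isolation && echo "guest isolation OK"
```

On the router, pipe the live configuration into the function: ''uci show firewall | check_guest_isolation''.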

howto/use_cases/wireless/guest_ap.1455531131.txt.gz · Last modified: 2018/05/24 09:05 (external edit)