Posted: Mon Jul 21, 2014 17:51 Post subject: Guest Wifi (router is acting solely as AP, no internet)
Hello All,
I just picked up a new Wifi Router to be used for office use (Tablets) and public Wifi upstairs for vendors/cell phones.
I have been trying to wrap my head around this for a little bit now, aside from VLANs and pushing traffic around that way (seeing as the router doesn't want to do what I want it to -- with the morning dedicated to Googling).
Specs:
Netgear K7000
8GB USB3 for opt/swap/jffs (if needed -- eventually catsplash for guest -- will run zabbix likely as well)
Kong build 24500M (07-Jul-2014)
Details:
It is connected via the LAN1 port to the corporate network
Router is setup with static IP on LAN
DHCP Forwarding is enabled to our DHCP server
DNS is handled by DC/GC in Domain
2.4 & 5Ghz WIFI are setup with office SSIDs
2.4Ghz WIFI has sub-int of 0.1 with guest SSID
5.0Ghz WIFI has sub-int of 1.1 with guest SSID
LAN and Office WIFI works in the above configuration.
Guest WIFI does not work. I have assigned IPs in a completely different IP class (172.18 office & 192.168 guest), setup guest wifi unbridged with NAT, and setup DHCPd with DHCP scopes for the new IP range.
I have played with the Guest WIFI with LAN Isolation off and on. AP Isolation is off.
The trick is that I can simply setup the Guest wifi with a DNS of 8.8.8.8/4.4.4.4 (Open Google Servers) to keep people "out" *using that term very loosely* of the network. No one here knows how to access the servers by IP, it's all handled by DNS, network scripts, logon scripts, mapped drives, etc etc.
Using dnsmasq I can push dhcp scopes, dns servers, gateway, etc to the Guest Wifi (with the Office Wifi & lan ports still working fine) but I cannot get traffic to flow from wl0.1 or wl1.1 to br0 to get out. I have played with iptables to allow traffic, tried playing with advanced routes, etc (source for dnsmasq here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=637576).
I'm now trying to setup the router more as a 'router' as opposed to 'ap'.
New Test:
It is connected via the WAN port to the corporate network
Router is setup with static IP on WAN (172.1) & LAN (192.168)
DHCP Server is enabled on LAN
DNS is handled by router
2.4 & 5Ghz WIFI are setup with guest SSIDs
2.4Ghz WIFI has sub-int of 0.1 with office SSID
5.0Ghz WIFI has sub-int of 1.1 with office SSID
Seeing as no one will be physically plugged into the router -- it's going to be in the ceiling, I figured it can't hurt. Hoping that I can go no-nat and bridge it to the wan port.
UPDATE:
All guest services are working great, but when I connect to the Office SSIDs, I don't get an IP. I have LAN/AP Isolation disabled here. The office WLAN-SUBIF have IPs in the WAN range, all looks good in the routing, and the network routes/map look good. I need to setup DHCP-forwarding in dnsmasq.
I'm not going to be able to get DHCP Relay/Forwarding working from the wl0.1 / wl1.1 subinterfaces to the WAN.
I think I have a better chance of using the first attempted config.
I'm going back to LAN interface setup with the static IP on the 172.18 network. The 2.4 and 5Ghz WIFI will then be setup with the office SSIDs, and the WIFI sub-interfaces will be the guest SSIDs again.
At least this way, I got DHCP Forwarding on the LAN/WIFI side, and DHCP Server on the WIFI-SUBIF side. I get an IP all around. Traffic only flows properly on the non-guest network.
Then I just need to get HTTP/DNS traffic forwarding from the wl0.1/wl1.1 through br0 (or make br1 and assign the sub-ifs to it... not sure yet).
#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
#Allow br1 to access DHCP and DNS on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
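The "make br1 and assign the sub-ifs to it" variant, as an added example that is not part of the original post or of DD-WRT: it builds br1 from the guest sub-interfaces and applies the same isolation policy, with the SNAT scoped to the guest subnet so only guest traffic is masqueraded. The guest address 192.168.50.1/24, the interface names wl0.1/wl1.1 and the DRY_RUN switch are assumptions; the LAN address and mask are passed in (on the router you would pass `$(nvram get lan_ipaddr)` and `$(nvram get lan_netmask)`).

```shell
#!/bin/sh
# Added example, not from the original post. Constructed defaults: the guest
# bridge br1 gets 192.168.50.1/24 and carries wl0.1 and wl1.1; br0 is the office LAN.
GUEST_BR="${GUEST_BR:-br1}"
GUEST_IP="${GUEST_IP:-192.168.50.1}"
GUEST_MASK="${GUEST_MASK:-255.255.255.0}"
GUEST_IFS="${GUEST_IFS:-wl0.1 wl1.1}"
LAN_BR="${LAN_BR:-br0}"

# With DRY_RUN=1 the commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Create br1 and move the guest SSID sub-interfaces into it.
setup_guest_bridge() {
    run brctl addbr "$GUEST_BR"
    for i in $GUEST_IFS; do run brctl addif "$GUEST_BR" "$i"; done
    run ifconfig "$GUEST_BR" "$GUEST_IP" netmask "$GUEST_MASK" up
}

# Guests may use DHCP/DNS on the router and reach upstream through br0 via NAT,
# but never the office subnet or any other service on the router itself.
# Arguments: office LAN address and netmask (default to nvram on DD-WRT).
setup_guest_firewall() {
    lan_ip=${1:-$(nvram get lan_ipaddr)}
    lan_mask=${2:-$(nvram get lan_netmask)}
    # Drop new guest->office connections; replies to guest-initiated flows still pass.
    run iptables -I FORWARD -i "$GUEST_BR" -d "$lan_ip/$lan_mask" -m state --state NEW -j DROP
    run iptables -I FORWARD -o "$GUEST_BR" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT only the guest subnet as it leaves via br0, using the router's LAN address.
    run iptables -t nat -I POSTROUTING -o "$LAN_BR" -s "$GUEST_IP/$GUEST_MASK" -j SNAT --to "$lan_ip"
    # Router sockets: deny by default, then insert the DHCP/DNS exceptions above the DROP.
    run iptables -I INPUT -i "$GUEST_BR" -m state --state NEW -j DROP
    run iptables -I INPUT -i "$GUEST_BR" -p udp --dport 67 -j ACCEPT
    run iptables -I INPUT -i "$GUEST_BR" -p udp --dport 53 -j ACCEPT
    run iptables -I INPUT -i "$GUEST_BR" -p tcp --dport 53 -j ACCEPT
}

# Number of iptables rules the policy would install for a given LAN address/mask.
guest_rule_count() {
    ( DRY_RUN=1; setup_guest_firewall "$1" "$2" ) | grep -c '^iptables'
}

# Apply for real only when invoked as: sh guest-br1.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_guest_bridge
    setup_guest_firewall
fi
```

Because -I inserts at the head of the chain, the three ACCEPT rules end up above the INPUT DROP even though they are issued after it; the `ip addr`/`brctl show` output should show wl0.1 and wl1.1 only under br1 afterwards.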