Posted: Fri Feb 07, 2020 13:21 Post subject: 2 SSID (guest network) on a bridged wifi
Hello,
I have the following network settings at work. We would like to set up a guest Wi-Fi (see attached pic).
My aim:
- is to have guests get internet access, but no access to the servers.
- on the other hand, the internal SSID must have access to the internal servers (and the internet, obviously).
I searched for a tutorial but didn't find anything like what we have.
Posted: Tue Feb 18, 2020 20:02 Post subject:
Will the ASUS Wireless AP be functioning as a router in this scenario, or does the other "router" in your image handle all internal routing?
Are you planning on using 802.1q VLANs to segment the two different wireless networks? Or does your environment not support VLANs?
Essentially, without knowing the answers to the above, you'll need to have two bridges on the ASUS router. You'll create your two wireless networks and assign each of them to one of the bridges. Then depending on where the routing is happening, you'll create rules to allow or deny access to the internet or other networks. If you're routing on the ASUS, you'll end up using isolation on the guest network, and some IPTables rules to prevent the guest network from reaching anything other than the internet. There are plenty of guides in this forum on isolating guest wireless.
If you can give me more information by answering the above questions, I'll try to steer you in the right direction.
Quote:
Will the ASUS Wireless AP be functioning as a router in this scenario, or does the other "router" in your image handle all internal routing?
Depends on what is best and easiest to do.
I can set the ASUS as a router, but then the 'internal' Wi-Fi will have a different IP range/network... thus not having access to the servers. Or is there DNS or iptables routing that makes this possible?
Quote:
Are you planning on using 802.1q VLANs to segment the two different wireless networks? Or does your environment not support VLANs?
I could... but I would prefer not to use that option.
I already looked at the guest Wi-Fi tutorial... but it didn't work for me. Either the guest has access to the server, or there is no internet access...
VAP on WAP
If you place the unbridged VAP on a wireless access point (a secondary router with the WAN disabled, no DHCP, and on the same subnet as the primary router), then you have to add the following rule to the firewall in order to get internet access from the VAP.
In the router's web interface, under Administration > Commands, save as Firewall:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
Net Isolation does not work on a WAP, so just keep it disabled and add the following line to the firewall:
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
For isolating the WAP itself from the guest network:
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
(note: not all firmwares have the multiport directive)
Note: this is for Broadcom (which I think yours is).
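As an added example that is not from this thread or from DD-WRT: a POSIX shell script that generates the four firewall lines above from the AP's LAN address and mask, then dry-runs the resulting INPUT chain against a few sample packets so the rule order can be checked off the router. The point it makes visible is that every line uses -I (insert at the top), so the chain ends up in the reverse of the script order: the DNS/DHCP ACCEPT lands above the REJECT, which is why guests still get a lease and name resolution while every other new connection to the AP itself is refused. The values 192.168.1.2 / 255.255.255.0 and the interface name wl0.1 are constructed placeholders (on the router the real script uses $(nvram get lan_ipaddr) and $(nvram get lan_netmask)); the FORWARD and SNAT rules are generated but not simulated, since the dry-run has no subnet matching.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): builds the guest-VAP firewall
# script for a WAP and dry-runs the resulting INPUT chain off the router.
# Sample values are constructed; on the AP substitute $(nvram get lan_ipaddr)
# and $(nvram get lan_netmask).
LAN_IP="${LAN_IP:-192.168.1.2}"          # assumed AP address on the shared subnet
LAN_MASK="${LAN_MASK:-255.255.255.0}"    # assumed LAN netmask
GUEST_IF="${GUEST_IF:-wl0.1}"            # assumed guest VAP interface (Broadcom)

# Print the four rules exactly as they go into Administration > Commands > Save Firewall.
guest_fw_script() {
  cat <<EOF
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $LAN_IP
iptables -I FORWARD -i $GUEST_IF -d $LAN_IP/$LAN_MASK -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT
EOF
}

# Every rule uses -I, so the chain ends up in the REVERSE of the order the
# script ran: the last inserted rule (the DNS/DHCP ACCEPT) is evaluated first.
effective_input_chain() {
  guest_fw_script | grep -- '-I INPUT ' | sed -n '1!G;h;$p'
}

# Does one rule line match a packet? Prints the target on match, returns 1 otherwise.
# Args: rule_line in_iface proto dport conntrack_state
rule_target() {
  pkt_if=$2; pkt_proto=$3; pkt_dport=$4; pkt_state=$5
  set -- $1
  target=""
  while [ $# -gt 0 ]; do
    case $1 in
      -i)       [ "$2" = "$pkt_if" ]    || return 1; shift ;;
      -p)       [ "$2" = "$pkt_proto" ] || return 1; shift ;;
      --dports) case ",$2," in *",$pkt_dport,"*) ;; *) return 1 ;; esac; shift ;;
      --state)  [ "$2" = "$pkt_state" ] || return 1; shift ;;
      -j)       target=$2; shift ;;
    esac
    shift
  done
  echo "$target"
}

# First matching rule wins; no match falls through to whatever the firmware
# already has in INPUT (reported here as FALLTHROUGH).
# Args: in_iface proto dport conntrack_state
input_verdict() {
  verdict=FALLTHROUGH
  chain=$(effective_input_chain)
  while IFS= read -r rule; do
    if t=$(rule_target "$rule" "$1" "$2" "$3" "$4"); then verdict=$t; break; fi
  done <<EOF
$chain
EOF
  echo "$verdict"
}

# Stand-alone demo: the script as it would be saved, then a few verdicts.
guest_fw_script
for p in "wl0.1 udp 67 NEW" "wl0.1 udp 53 NEW" "wl0.1 tcp 22 NEW" "br0 tcp 22 NEW"; do
  echo "$p -> $(input_verdict $p)"
done
```

If a firmware lacks the multiport match, the same ordering still applies: insert one `--dport 53` rule and one `--dport 67` rule after the REJECT line, and they will both sit above it in the live chain.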