HOW TO: Guest WiFi + abuse control for beginners

DD-WRT Forum Index -> Atheros WiSOC based Hardware
Mile-Lile
DD-WRT Guru

Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Fri Jan 09, 2015 23:14    Post subject: HOW TO: Guest WiFi + abuse control for beginners
This "HOW TO" is for beginners, so before proceeding make sure you have a working reset button
and have backed up your configuration (so you can reset your router and restore the configuration if you get stuck somewhere).
This guide will show you the basics of creating and controlling a secured Guest WiFi.
For that purpose we will first create a VAP (Virtual Access Point). So, on the Wireless->Basic Setup page, click Add in the Virtual Interfaces section.

The next step is to enable DHCPD for the guest WiFi. Go to Setup->Networking and add another DHCP server for the guest network as shown in the following screenshot.

Now, let's set some limits. You can put your private network on Maximum and Guest on Bulk. The Bulk class is only allocated the remaining bandwidth when the other classes are idle.
If the line is full of traffic from other classes, Bulk will only be allocated 1% of the total set limit. So, basically, your guests will not affect your private speed.
Or you can set hard-coded limits.


Now, check your connection. You should be able to browse the internet from your guest WiFi network.

Let's do some Access Restrictions. Block torrents and some VPNs. A determined user is very hard to block because nowadays there are free SSTP VPN services etc.
On cheap routers you cannot run a proxy, Squid etc., so this is all we have...

To do some more net abuse filtering we will use OpenDNS.

What is OpenDNS

Quote:
OpenDNS is a free DNS (Domain Name Server) service which makes internet browsing safer and allegedly faster.
By simply using their DNS servers instead of your ISP's, you are automatically protected from their list of phishing websites.
However, in order to restrict a variety of adult website content, you will need to create a free account with them,
register your IP address and select the categories you want restricted (i.e. sexuality, nude, pornography, lingerie, grotesque, etc.).
Since most of us have DHCP-assigned WAN IP addresses that change periodically, we need to instruct our router to tell OpenDNS what our new IP address is when it changes.
We will go over that below.

You can prevent users from using their own DNS servers (and hence getting around content filtering)
by intercepting DNS queries and forcing them to use the DNS servers you specify.

Go to the Commands tab under Administration.
In the Commands box paste the following:
Code:
iptables -t nat -I PREROUTING -i ath0.1 -p udp --dport 53 -j DNAT --to 208.67.220.220
iptables -t nat -I PREROUTING -i ath0.1 -p tcp --dport 53 -j DNAT --to 208.67.220.220

Click Save Firewall (note: your WAN interface will be restarted)

OpenDNS provides an additional service for users with Dynamic DNS.
Their DNS-O-Matic will relay the request to OpenDNS and also optionally forward it to any number of additional Dynamic DNS providers.
You can read how to use DNS-O-Matic here.

Reboot the router, clear the browser cache, and manually set a public DNS server in your PC's NIC adapter to try to avoid the restrictions... You will get
this kind of answer:

You can see what your guests are looking at on the internet...

Special thanks to Kong
tatsuya46
DD-WRT Guru

Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Sat Jan 10, 2015 4:04
Very good, I agree with everything... & the DHCPD config for the VAP is right; many users do it the old way using the bridge interface, which has problems now. Note that to use multiple DHCPD you MUST be using dnsmasq, not uDHCPd.

Should be stickied.

_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r55488 std
[QUALCOMM] DIR-862L --------------------------------> r55460 std
▲ ACTIVE / INACTIVE ▼
[QUALCOMM] WNDR4300 v1 --------------------------> r50485 std
[BROADCOM] DIR-860L A1 ----------------------------> r50485 std


Sigh.. why do i exist anyway.. | I love you Anthony.. never forget that.. my other 99% that ill never see again..

tatsuya46
DD-WRT Guru

Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Sat Jan 10, 2015 4:27
One thing: AP isolation should be enabled for public hotspots.

EDIT: never mind, it's on in your screenshot.

Just make sure that DHCPD max clients = the max clients setting on the VAP settings page.

Mile-Lile
DD-WRT Guru

Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Tue Jan 13, 2015 20:36
Now you don't have to use the CLI commands I provided. You can use the Force DNS Redirect option to intercept DNS queries and redirect them to OpenDNS, where you can filter them. But note that you will force not just Guest clients but your home ones too...
TendaW311R+
DD-WRT User

Joined: 19 Oct 2011
Posts: 354

PostPosted: Tue Jan 13, 2015 20:38
Nice HOW TO
Mile-Lile
DD-WRT Guru

Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Wed Jan 14, 2015 17:33
Thx. Feel free to add your suggestions and ideas to improve this tutorial. BrainSlayer added an option for different "forced" DNSs on different interfaces. With the next build you will be able to use Google DNS such as 8.8.8.8 for your home clients and OpenDNS 208.67.222.222 for Guests, where you can filter their DNS queries...
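The two iptables lines from the first post, and the per-interface "forced DNS" behaviour described in the post just above, as one added shell example. This is not code from the original posts or from DD-WRT: it generates the nat/PREROUTING DNAT rules for any LAN interface with its own resolver (the tutorial does this for the guest VAP only) and adds a small check that the rules really are in the live table after Save Firewall restarts the WAN. `ath0.1` is the guest VAP from the tutorial; `br0` as the home LAN bridge, and the `check_rules_present` helper, are assumptions about your build.

```shell
#!/bin/sh
# Added example, not from the original post: generate the DNS-interception
# rules from the tutorial for any LAN interface, each with its own resolver.
# Interface names are assumptions: ath0.1 is the guest VAP used in the
# thread, br0 is assumed to be the home LAN bridge on your build.

# dns_rules IFACE RESOLVER
# Print the two nat/PREROUTING rules (UDP and TCP port 53) that rewrite the
# destination of every DNS query arriving on IFACE to RESOLVER. Both
# protocols are needed: a client that only had UDP redirected could still
# reach a resolver of its own choice over TCP/53.
dns_rules() {
    iface="$1"
    resolver="$2"
    for proto in udp tcp; do
        printf 'iptables -t nat -I PREROUTING -i %s -p %s --dport 53 -j DNAT --to %s\n' \
            "$iface" "$proto" "$resolver"
    done
}

# apply_dns_rules IFACE RESOLVER
# Execute the generated rules on the router (needs iptables and root).
# Equivalent to pasting the printed lines into Administration -> Commands.
apply_dns_rules() {
    dns_rules "$1" "$2" | sh
}

# check_rules_present IFACE RESOLVER
# Return 0 when both rules for IFACE are in the live nat table, 1 otherwise.
# Uses "-L -n -v" rather than "-S" because the verbose listing exists on
# older iptables builds as well; the interface and "dpt:53 to:RESOLVER"
# appear on the same line there.
check_rules_present() {
    count=$(iptables -t nat -L PREROUTING -n -v 2>/dev/null \
        | grep -c -- "$1 .*dpt:53 to:$2")
    [ "$count" -ge 2 ]
}

# Stand-alone demo: print the rule set. Guests are forced to OpenDNS and the
# (assumed) home bridge to Google DNS, the same split the later build offers
# through its per-interface forced-DNS option.
dns_rules ath0.1 208.67.222.222
dns_rules br0    8.8.8.8
```

Run it once on a PC to review the exact rules it will emit, then paste them into the Commands box and Save Firewall; `check_rules_present ath0.1 208.67.222.222` run from the router's shell afterwards tells you whether the firewall script actually applied them.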
redhawk0
DD-WRT Guru

Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Wed Jan 14, 2015 18:04
tatsuya46 wrote:
Very good, I agree with everything... & the DHCPD config for the VAP is right; many users do it the old way using the bridge interface, which has problems now. Note that to use multiple DHCPD you MUST be using dnsmasq, not uDHCPd.

Should be stickied.

Agreed.... stickied for now.

redhawk

_________________
The only stupid question....is the unasked one.
tatsuya46
DD-WRT Guru

Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Wed Jan 14, 2015 22:53
The OpenDNS FamilyShield IPs also work, & are meant as a zero-config option & are self-updated daily to block new sites; blocks porn/gambling/proxies etc. Don't need an account either.

208.67.222.123
208.67.220.123

Mile-Lile
DD-WRT Guru

Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Thu Jan 15, 2015 7:16
This is off topic but I must say it. They are very good. All these years and still free of charge. Like DD-WRT. They have something they call domain tagging:

Quote:
Domain Tagging represents the best of people-powered security. Anyone can add a domain, but it takes a community of accurate and active voters to include it in a category. Submit a domain above or cast your votes for existing submissions below.

You can submit a domain and the community will vote. The database updates daily, you have the Stop DNS Rebind feature, botnet protection etc. They block popups etc. They are just very good. Not to mention they use anycast for DNS queries, meaning you will be redirected to the nearest DNS...
tatsuya46
DD-WRT Guru

Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Thu Jan 15, 2015 7:58
Mile-Lile wrote:
This is off topic but I must say it. They are very good. All these years and still free of charge. Like DD-WRT. They have something they call domain tagging:

Quote:
Domain Tagging represents the best of people-powered security. Anyone can add a domain, but it takes a community of accurate and active voters to include it in a category. Submit a domain above or cast your votes for existing submissions below.

You can submit a domain and the community will vote. The database updates daily, you have the Stop DNS Rebind feature, botnet protection etc. They block popups etc. They are just very good. Not to mention they use anycast for DNS queries, meaning you will be redirected to the nearest DNS...

I don't understand, what is that? A router FW? Or a DNS service?

Mile-Lile
DD-WRT Guru

Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Thu Jan 15, 2015 8:06
:)))))) Sorry. It is a DNS service. But they have a community like here on DD-WRT. OpenDNS has a professional DNS service which you have to pay for, with more options, and they have a home service which is free of charge. You can use their services for free but you can pay them back through domain tagging so the database stays up to date. In that way they are similar to DD-WRT... https://community.opendns.com/domaintagging/
Mile-Lile
DD-WRT Guru

Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Thu Jan 15, 2015 8:13
You submit a domain and the community decides whether it is porn, P2P or adware...
Mile-Lile
DD-WRT Guru

Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Fri Jan 16, 2015 11:14
Seems like Norton has this kind of service too...
voklav
DD-WRT Novice

Joined: 01 Jan 2015
Posts: 4

PostPosted: Mon Jan 26, 2015 13:14
I'm wondering - is it possible to create a second virtual wireless network for guests, and have the authorization (password) be through web browsers?

Exactly like this:
https://www.youtube.com/watch?v=5I3uYqTTXYw
->
TP-Link TL-WR842ND v2
Mile-Lile
DD-WRT Guru

Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Mon Jan 26, 2015 13:27
Yes. It is called Captive Portal. See the Hotspot howto in my sig...