Joined: 24 Feb 2013 Posts: 1625 Location: Belgrade
Posted: Fri Jan 09, 2015 23:14 Post subject: HOW TO: Guest WiFi + abuse control for beginners
This "HOW TO" is for beginners, so before proceeding make sure you have a working reset button
and have backed up your configuration (so you can reset your router and restore the configuration if you get stuck somewhere).
This guide will show you the basics of creating and controlling a secured Guest WiFi.
For that purpose we will first create VAP (Virtual Access point). So, in Wireless->Basic Setup page click on Add in Virtual Interfaces section.
The next step is to enable DHCPD for the guest WiFi. Go to Setup->Networking and add another DHCP server for the guest network as shown in the following screenshot.
Now, let's set some limits. You can put your private network on Maximum and Guest on Bulk. The Bulk class is only allocated remaining bandwidth when the remaining classes are idle.
If the line is full of traffic from other classes, Bulk will only be allocated 1% of the total set limit. So, basically, your guests will not affect your private speed.
Or you can set hardcoded limits.
Now, check your connection. You should be able to browse internet from your guest wifi network.
Let's do some Access Restrictions. Block torrents and some VPNs. A determined user is very hard to block because nowadays you have free SSTP VPN services etc.
On cheap routers you cannot run Proxy, Squid etc., so this is all we have...
To do some more net abuse filtering we will use OpenDNS.
What is OpenDNS
Quote:
OpenDNS is a free DNS (Domain Name Server) service which makes internet browsing safer and allegedly faster.
By simply using their DNS servers instead of your ISP's you are automatically protected from their list of Phishing websites.
However, in order to restrict a variety of adult website content you will need to create a free account with them,
register your IP address and select the categories you want restricted (i.e. sexuality, nude, pornography, lingerie, grotesque, etc...).
Since most of us have DHCP assigned WAN IP addresses that change periodically we need to instruct our router to tell OpenDNS what our new IP address is when it changes.
We will go over that below.
You can prevent users from using their own DNS servers (and hence get around content filtering)
by intercepting DNS queries and forcing them to use the DNS servers you specify.
Go to the Commands tab under Administration.
In the Commands box paste the following:
Click Save Firewall (note: your WAN interface will be restarted)
OpenDNS provides an additional service for users with Dynamic DNSs.
Their DNS-O-Matic will relay the request to OpenDNS and also optionally forward this to any number of additional Dynamic DNS providers.
How to use dnsomatic you can read here
Reboot router, clear browser cache, and manually set public dns server in your PC NIC adapter to try to avoid restrictions... You will get
this kind of answer:
You can see what your guests are looking at on the internet...
Special thanks to Kong
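The DNS interception step described in the first post, as an added example (not the commands from the original post and not DD-WRT's own code): a POSIX shell helper that validates its inputs and prints the DNAT rules that redirect port 53 traffic arriving on one interface to a chosen resolver. The interface name `wl0.1` and the function names are assumptions; 208.67.222.222 is the OpenDNS address quoted later in this thread.

```shell
#!/bin/sh
# Added example: build NAT rules that pin guest DNS to a single resolver.
# Assumptions: guest VAP is wl0.1 (check yours), resolver is OpenDNS.

# Accept only characters that can appear in an interface name, so the
# value cannot smuggle extra shell or iptables syntax into the script.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print one rule per transport: DNS uses UDP and falls back to TCP, so
# redirecting only UDP leaves a way around the filter.
guest_dns_rules() {
    iface=$1 resolver=$2
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    valid_ipv4 "$resolver" || { echo "bad resolver: $resolver" >&2; return 1; }
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -i $iface -p $proto --dport 53 -j DNAT --to-destination $resolver:53"
    done
}

# Stand-alone run: print the rules for the assumed guest interface.
guest_dns_rules "${1:-wl0.1}" "${2:-208.67.222.222}"
```

The printed lines are what goes into the Commands box before Save Firewall; confirm the guest interface name on your router before using them.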
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Sat Jan 10, 2015 4:04 Post subject:
very good, i agree with everything..& the DHCPD config for the vap is right, many users do the old way using the bridge interface which has problems now. note that to use multiple DHCPD u MUST be using dnsmasq, not uDHCPd.
Joined: 24 Feb 2013 Posts: 1625 Location: Belgrade
Posted: Tue Jan 13, 2015 20:36 Post subject:
Now you don't have to use these CLI commands I provided. You can use the Force DNS Redirect option to intercept DNS queries and redirect them to OpenDNS where you can filter them. But note that you will force not just Guest clients but your home clients too...
Joined: 24 Feb 2013 Posts: 1625 Location: Belgrade
Posted: Wed Jan 14, 2015 17:33 Post subject:
Thx. Feel free to add your suggestions and ideas to improve this tutorial. BrainSlayer added an option for different "forced" DNSs on different interfaces. With the next build you will be able to use Google DNS such as 8.8.8.8 for your home clients and OpenDNS 208.67.222.222 for Guests, where you can filter their DNS queries...
Joined: 04 Jan 2007 Posts: 11556 Location: Wherever the wind blows- North America
Posted: Wed Jan 14, 2015 18:04 Post subject:
tatsuya46 wrote:
very good, i agree with everything..& the DHCPD config for the vap is right, many users do the old way using the bridge interface which has problems now. note that to use multiple DHCPD u MUST be using dnsmasq, not uDHCPd.
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Wed Jan 14, 2015 22:53 Post subject:
the opendns family shield ips also work, & are meant as a zero config option & are self updated daily to block new sites, blocks porn/gambling/proxies etc. dont need an account either
Joined: 24 Feb 2013 Posts: 1625 Location: Belgrade
Posted: Thu Jan 15, 2015 7:16 Post subject:
This is off topic but I must say it. They are very good. All these years and still free of charge. Like ddwrt. They have something they call domain tagging:
Quote:
Domain Tagging represents the best of people-powered security. Anyone can add a domain, but it takes a community of accurate and active voters to include it in a category. Submit a domain above or cast your votes for existing submissions below.
You can submit a domain and the community will vote. The database updates daily, you have the Stop DNS rebind feature, botnet protection etc. They block popups etc. They are just very good. Not to mention they use anycast for DNS queries, meaning you will be redirected to the nearest DNS...
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Thu Jan 15, 2015 7:58 Post subject:
Mile-Lile wrote:
This is off topic but I must say it. They are very good. All these years and still free of charge. Like ddwrt. They have something they call domain tagging:
Quote:
Domain Tagging represents the best of people-powered security. Anyone can add a domain, but it takes a community of accurate and active voters to include it in a category. Submit a domain above or cast your votes for existing submissions below.
You can submit a domain and the community will vote. The database updates daily, you have the Stop DNS rebind feature, botnet protection etc. They block popups etc. They are just very good. Not to mention they use anycast for DNS queries, meaning you will be redirected to the nearest DNS...
i dont understand what is that? a router fw? or dns service?
Joined: 24 Feb 2013 Posts: 1625 Location: Belgrade
Posted: Thu Jan 15, 2015 8:06 Post subject:
)))))) sorry. It is a DNS service. But they have a community like here on ddwrt. OpenDNS has a professional DNS service which you have to pay for, with more options, and they have a home service which is free of charge. You can use their services for free but you can pay them back through domain tagging so the base stays up to date. In that way they are similar to ddwrt... https://community.opendns.com/domaintagging/