Guest WiFi + abuse control for beginners

From DD-WRT Wiki

Revision as of 17:25, 19 February 2018 by Jeremywh7 (add wiki path). Current revision: 20:33, 10 October 2020 by Jeremywh7 (add link). 14 intermediate revisions not shown.

Current revision


Note: This page must be reevaluated. Please, someone with better expertise should verify that the main DHCP server still works correctly after adding the isolated WLAN DHCPd server. I had to hard-reset my router: the main LAN/WLAN was not assigning any DHCP leases anymore, yet the second WLAN (guest) had Internet working perfectly and a good DHCP server. No chance to telnet/SSH... locked out... the admin interface is not reachable from the guest network. Thank you.


This tutorial is for beginners, so before proceeding make sure you have a working reset button and have backed up your configuration (so you can reset your router and restore the configuration if you get stuck somewhere). This guide will show you the basics of creating and controlling a guest WiFi. Also see Guest Network for more details and methods.

Figures (captions only): Creating Guest VAP; Adding DHCP for Guests; Hardcoded limiting interfaces; Setting priorities; Abuse controlling; Web content filtering; Content blocked.


For that purpose we will first create a VAP (Virtual Access Point) for guests.

On the Wireless -> Basic Setup tab, click Add in the Virtual Interfaces section. Enable AP Isolation so that guests cannot see each other: AP Isolation drops all traffic between clients connected to the VAP. If you want a secure guest WiFi, it is recommended to enable this feature to help mitigate Wi-Fi snooping attacks.

Set Network Configuration to Unbridged, enable NAT (so that guests have Internet access), and enable Net Isolation (this option creates a couple of firewall rules that block guests from reaching your private network). Net Isolation works ONLY on an unbridged interface and only on newer builds, starting from Broadcom 23020, Atheros 24759 and Ralink (Mediatek) 25934.

  • AP Isolation = guests cannot attack each other on the guest VAP
  • Net Isolation = guests cannot attack your private LAN/WLAN

Enable Forced DNS Redirection and enter the OpenDNS server IP (208.67.222.222) in the Optional DNS Target field. This prevents users from using their own DNS servers (and hence getting around content filtering) by intercepting DNS queries and forcing them to the DNS servers you specify. Enter the IP address and subnet mask of your newly created interface (ath0.1), e.g. 172.16.1.1 / 255.255.255.0. Click Save and then Apply, and wait about 30 seconds for interface ath0.1 to be created. Note: you still won't be able to connect to this guest VAP; you must enable DHCP for the clients first.

The next step is to enable DHCPd for the guest WiFi. Go to Setup -> Networking and, in the DHCPd section, add another DHCP server for the guest network (click Add, then choose ath0.1 from the drop-down menu). Select the starting IP for guests, the maximum number of IPs and the lease time. Again click Save and Apply. Wait about 30 seconds and try to connect to the guest WiFi. You should be able to browse the Internet but not reach your private network or see other clients in network discovery.
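Before clicking Apply on the guest DHCPd entry it is worth checking the plan on paper: the pool must fit inside the ath0.1 subnet, must not contain the interface address, and the guest subnet must not overlap the private LAN (an unbridged VAP needs its own subnet, and an overlap breaks routing whatever Net Isolation does). The following is an added Python example, not part of this wiki page or DD-WRT; the guest values follow the tutorial, while the private LAN address 192.168.1.1/24 is an assumption.

```python
import ipaddress

# Constructed example values following the tutorial: guest interface ath0.1
# at 172.16.1.1/255.255.255.0. The private LAN address is an assumption
# (DD-WRT's factory default), not something the tutorial states.
GUEST_IF = "172.16.1.1/255.255.255.0"
PRIVATE_LAN = "192.168.1.1/255.255.255.0"


def plan_guest_dhcp(guest_if, private_lan, start_ip, max_leases, lease_minutes,
                    iface="ath0.1"):
    """Sanity-check a guest DHCPd plan before it is applied on the router.

    Returns a dict describing the resulting pool, or raises ValueError with
    the reason the plan is unsafe.
    """
    gw = ipaddress.ip_interface(guest_if)
    lan = ipaddress.ip_interface(private_lan)
    if gw.network.version != 4 or lan.network.version != 4:
        raise ValueError("only IPv4 is handled here")
    # An unbridged guest VAP needs its own subnet; an overlap with the
    # private LAN breaks routing regardless of Net Isolation.
    if gw.network.overlaps(lan.network):
        raise ValueError(f"guest subnet {gw.network} overlaps private LAN {lan.network}")
    if max_leases < 1 or lease_minutes < 1:
        raise ValueError("max_leases and lease_minutes must be positive")
    start = ipaddress.ip_address(start_ip)
    end = start + (max_leases - 1)          # last address handed out
    usable_first = gw.network.network_address + 1
    usable_last = gw.network.broadcast_address - 1
    if start < usable_first or end > usable_last:
        raise ValueError(f"pool {start}-{end} leaves the usable range "
                         f"{usable_first}-{usable_last}")
    if start <= gw.ip <= end:
        raise ValueError(f"pool {start}-{end} contains the interface address {gw.ip}")
    return {
        "interface": iface,
        "subnet": str(gw.network),
        "gateway": str(gw.ip),
        "pool": (str(start), str(end)),
        "lease_minutes": lease_minutes,
    }


def dhcp_plan_error(*args, **kwargs):
    """Same check, but returns the error text (or None) instead of raising."""
    try:
        plan_guest_dhcp(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(plan_guest_dhcp(GUEST_IF, PRIVATE_LAN, "172.16.1.100", 50, 1440))
    print(dhcp_plan_error(GUEST_IF, PRIVATE_LAN, "172.16.1.250", 10, 1440))
```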

Bandwidth Limiting

You can put your private network on Maximum and the guest network on Bulk. The Bulk class is only allocated the remaining bandwidth when the other classes are idle; if the pipe is full of traffic from other classes, Bulk is only allocated 1% of the total set limit. So, basically, your guests will not affect your private speed. Alternatively, you can set hard-coded limits by entering them manually.

Interface limiting, on both bridged and unbridged interfaces, offers the ability to rate-limit or priority-limit services or ports/port ranges. This can be exceptionally useful to control bandwidth hogs, regulate hotspots, etc. With an interface limit, a guest user can change their IP address and MAC address as much as they want trying to get around QoS; abusive users cannot bypass your rules without switching off the interface. Examples:

vlan1 512/512 0 ssl manual
  • This means all traffic on the vlan1 interface (LAN ports on some routers; others use eth) is not limited or shaped and can reach the global limits, except SSL traffic, which is limited to 512 kbps both up and down (64 KB/s).

Multiple entries are possible:

ath0 512/512 0 ssl manual
ath0 2048/512 0 http manual
ath0 512/512 0 ftp manual
  • This is as above but for the ath0 wireless interface, and only the listed services are rate limited. You can use priority limits instead, but rate limiting and prioritizing the same service simultaneously is not supported.
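The entries above are easy to mistype, and the one combination the page calls unsupported (a rate limit and a priority class on the same service of the same interface) is not obvious when several lines accumulate. The following is an added Python example, not code from this page or from DD-WRT: it parses entries in the layout the examples show, converts the kbps figures to KB/s as the page does, and flags conflicting or duplicate entries. The five-field layout, the priority class names and the meaning of the third field are assumptions taken from the examples.

```python
from dataclasses import dataclass

# Assumed entry layout, taken from the examples in this section:
#   <interface> <down>/<up> <level> <service> <class>
# "manual" is the class the page uses for a hard rate limit. The priority
# class names are assumed to be DD-WRT's QoS classes; the third field is 0
# in every example and is not explained, so it is kept as an opaque integer.
RATE_CLASS = "manual"
PRIORITY_CLASSES = {"maximum", "premium", "express", "standard", "bulk"}


@dataclass(frozen=True)
class InterfaceLimit:
    iface: str
    down_kbps: int
    up_kbps: int
    level: int
    service: str
    qclass: str

    @property
    def is_rate_limit(self) -> bool:
        return self.qclass == RATE_CLASS

    def kbytes_per_s(self):
        """kbit/s -> KB/s, the conversion the page makes (512 kbps = 64 KB/s)."""
        return self.down_kbps // 8, self.up_kbps // 8


def parse_limit(line: str) -> InterfaceLimit:
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields: {line!r}")
    iface, rates, level, service, qclass = parts
    down, up = rates.split("/")
    qclass = qclass.lower()
    if qclass != RATE_CLASS and qclass not in PRIORITY_CLASSES:
        raise ValueError(f"unknown class {qclass!r} in {line!r}")
    return InterfaceLimit(iface, int(down), int(up), int(level), service.lower(), qclass)


def check_limits(lines):
    """Parse entries and return (limits, problems).

    The page states that rate limiting and prioritizing the same service at
    the same time is not supported, so that combination on one interface is
    reported; an exact repeat of an interface/service pair is reported too.
    """
    limits = [parse_limit(line) for line in lines if line.strip()]
    kinds, problems = {}, []
    for lim in limits:
        key = (lim.iface, lim.service)
        if key in kinds:
            what = "rate limit and priority class both set" \
                if kinds[key] != lim.is_rate_limit else "duplicate entry"
            problems.append(f"{lim.iface} {lim.service}: {what}")
        kinds.setdefault(key, lim.is_rate_limit)
    return limits, problems
```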

Use Access Restrictions to block torrents and some VPNs. A determined user is very hard to block because nowadays there are free SSTP VPN services, etc. On cheap routers you cannot run a proxy, Squid, etc., so this is all we have...

OpenDNS

OpenDNS can be used for net abuse filtering. It is a free DNS (Domain Name Server) service that makes Internet browsing safer and allegedly faster. By simply using their DNS servers instead of your ISP's, you are automatically protected from their list of phishing websites. However, in order to restrict a variety of adult website content, you will need to create a free account with them, register your IP address and select the categories you want restricted (i.e. sexuality, nudity, pornography, lingerie, grotesque, etc.). Since most of us have DHCP-assigned WAN IP addresses that change periodically, we need to instruct our router to tell OpenDNS what our new IP address is when it changes. See DNS-O-MATIC.

Reboot the router, clear the browser cache, and manually set a public DNS server in your PC's NIC adapter to test whether the restrictions can be avoided...