Wednesday, October 4, 2017

OpenWrt Guest Routed AP using VLAN with unmanaged switch

I've previously posted about a Routed AP for Guest WiFi isolation based on OpenWrt; you can find that post here: http://davidegironi.blogspot.it/2017/09/openwrt-access-point-routed-ap-as-guest.html

This time I would like to make it a little more structured, by making it modular.
I will build a Guest router, isolated from the main network, that can be used as a gateway for a guest wired and wireless network.
My guest network should use the same cabled network as my main network, which uses an unmanaged switch. Of course, if you have a managed switch you will get better performance, because you can route the guest network to any guest AP or managed switch you want, but in small office and home networks a managed switch can't always be found.
Our Guest router will produce one tagged VLAN, let's tag it as '2', that will distribute our Guest network.
The Guest router will also serve as the DHCP server for any guest device.
Note that any AP that we want to act as a Guest AP must accept VLAN-tagged traffic.


The OpenWrt configuration is similar to the one proposed in the previous post linked above.

Once again, let's suppose we are serving our main network on the 192.168.1.0/24 IP range, and we would like a guest network, isolated from the 192.168.1.0/24 one, on the 192.168.2.0/24 IP range.

We will create a new switch VLAN.

On VLAN 1, we disable ports 3 and 4 and set port 5 untagged (in the switch_vlan config below VLAN 1 ends up carrying ports 0, 1 and 5).
On VLAN 2, we enable ports 0 and 3 as tagged, port 2 as untagged, and set port 5 tagged.
We are going to use port 2 as a wired guest port, port 3 as a tagged guest port for a managed switch, and port 0 is the main port that receives the main network signal and "outputs" the VLAN 2 tagged signal.

/etc/config/network
config interface 'loopback'
 option ifname 'lo'
 option proto 'static'
 option ipaddr '127.0.0.1'
 option netmask '255.0.0.0'

config globals 'globals'
 option ula_prefix 'fd6e:e9df:eb78::/48'

config interface 'lan'
 option ifname 'eth1'
 option force_link '1'
 option type 'bridge'
 option proto 'static'
 option ipaddr '192.168.1.3'
 option netmask '255.255.255.0'
 option ip6assign '60'
 option gateway '192.168.1.1'
 option dns '192.168.1.1'

config interface 'wan'
 option ifname 'eth0'
 option proto 'dhcp'

config interface 'wan6'
 option ifname 'eth0'
 option proto 'dhcpv6'

config switch
 option name 'eth1'
 option reset '1'
 option enable_vlan '1'

config switch_vlan
 option device 'eth1'
 option vlan '1'
 option ports '0 1 5'

config switch_vlan
 option device 'eth1'
 option vlan '2'
 option ports '0t 2 3t 5t'

config interface 'guest'
 option type 'bridge'
 option proto 'static'
 option ifname 'eth1.2'
 option ipaddr '192.168.2.1'
 option netmask '255.255.255.0'

/etc/config/firewall
config defaults
 option syn_flood '1'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'REJECT'

config zone
 option name 'lan'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'ACCEPT'
 option network 'lan'
 option masq '1'
 option mtu_fix '1'
 list masq_dest '!192.168.1.0/24'

config zone
 option name 'wan'
 option input 'REJECT'
 option output 'ACCEPT'
 option forward 'REJECT'
 option masq '1'
 option mtu_fix '1'
 option network 'wan wan6'

config forwarding
 option src 'lan'
 option dest 'wan'

config rule
 option name 'Allow-DHCP-Renew'
 option src 'wan'
 option proto 'udp'
 option dest_port '68'
 option target 'ACCEPT'
 option family 'ipv4'

config rule
 option name 'Allow-Ping'
 option src 'wan'
 option proto 'icmp'
 option icmp_type 'echo-request'
 option family 'ipv4'
 option target 'ACCEPT'

config rule
 option name 'Allow-IGMP'
 option src 'wan'
 option proto 'igmp'
 option family 'ipv4'
 option target 'ACCEPT'

config rule
 option name 'Allow-DHCPv6'
 option src 'wan'
 option proto 'udp'
 option src_ip 'fe80::/10'
 option src_port '547'
 option dest_ip 'fe80::/10'
 option dest_port '546'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-MLD'
 option src 'wan'
 option proto 'icmp'
 option src_ip 'fe80::/10'
 list icmp_type '130/0'
 list icmp_type '131/0'
 list icmp_type '132/0'
 list icmp_type '143/0'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-ICMPv6-Input'
 option src 'wan'
 option proto 'icmp'
 list icmp_type 'echo-request'
 list icmp_type 'echo-reply'
 list icmp_type 'destination-unreachable'
 list icmp_type 'packet-too-big'
 list icmp_type 'time-exceeded'
 list icmp_type 'bad-header'
 list icmp_type 'unknown-header-type'
 list icmp_type 'router-solicitation'
 list icmp_type 'neighbour-solicitation'
 list icmp_type 'router-advertisement'
 list icmp_type 'neighbour-advertisement'
 option limit '1000/sec'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-ICMPv6-Forward'
 option src 'wan'
 option dest '*'
 option proto 'icmp'
 list icmp_type 'echo-request'
 list icmp_type 'echo-reply'
 list icmp_type 'destination-unreachable'
 list icmp_type 'packet-too-big'
 list icmp_type 'time-exceeded'
 list icmp_type 'bad-header'
 list icmp_type 'unknown-header-type'
 option limit '1000/sec'
 option family 'ipv6'
 option target 'ACCEPT'

config include
 option path '/etc/firewall.user'

config rule
 option src 'wan'
 option dest 'lan'
 option proto 'esp'
 option target 'ACCEPT'

config rule
 option src 'wan'
 option dest 'lan'
 option dest_port '500'
 option proto 'udp'
 option target 'ACCEPT'

config zone
 option input 'ACCEPT'
 option forward 'REJECT'
 option output 'ACCEPT'
 option name 'guest'
 option network 'guest'

config forwarding
 option dest 'lan'
 option src 'guest'

/etc/config/dhcp
config dnsmasq
 option domainneeded '1'
 option boguspriv '1'
 option filterwin2k '0'
 option localise_queries '1'
 option rebind_protection '1'
 option rebind_localhost '1'
 option local '/lan/'
 option domain 'lan'
 option expandhosts '1'
 option nonegcache '0'
 option authoritative '1'
 option readethers '1'
 option leasefile '/tmp/dhcp.leases'
 option resolvfile '/tmp/resolv.conf.auto'
 option localservice '1'

config dhcp 'lan'
 option interface 'lan'
 option dhcpv6 'server'
 option ra 'server'
 option ignore '1'
 option ra_management '1'

config dhcp 'wan'
 option interface 'wan'
 option ignore '1'

config odhcpd 'odhcpd'
 option maindhcp '0'
 option leasefile '/tmp/hosts/odhcpd'
 option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
 option start '100'
 option leasetime '12h'
 option limit '150'
 option interface 'guest' 

Now we have to add the guest firewall zone for the guest interface.
This zone has to accept input, accept output, reject forward, and allow forwarding to the destination zone lan; this way all the guest traffic will be forwarded to lan.

The lan firewall zone must have Masquerading and MSS clamping enabled; it also has to allow forwarding from the source zone guest, so that the forwarded traffic from guest is accepted, and restrict Masquerading to all subnets except 192.168.1.0/24, by the value !192.168.1.0/24.

We can now add the guest interface, of type bridge, and attach to it the VLAN 2 device (eth1.2) we created.
We are going to give the guest interface a static address, enable DHCP for the guest interface, and assign the interface to the guest firewall zone.
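As an added example (my own script, not code from the post), here is a small Python checker for the two things this setup relies on: the switch VLAN port assignment from the network config (no port untagged in two VLANs, and which ports act as trunks carrying VLAN 1 untagged plus VLAN 2 tagged) and what the guest firewall zone is allowed to forward to. The embedded sample sections are copied from the configuration above, trimmed to the options the checks read; the function names are mine. For this configuration it reports a guest -> lan forwarding with no REJECT rule restricting dest_ip. Keep in mind that masq_dest '!192.168.1.0/24' only decides which destinations get NAT, it does not stop packets from being forwarded, so if guest clients must never reach hosts on 192.168.1.0/24, the usual addition is a firewall rule with src 'guest', dest 'lan', dest_ip '192.168.1.0/24' and target 'REJECT'.

```python
"""Sanity checks for the guest-VLAN UCI configuration (added example, not from the post)."""
import shlex
from collections import defaultdict

# Constructed sample input: switch_vlan and firewall sections copied from the post,
# trimmed to the options these checks read.
NETWORK_CONF = """
config switch_vlan
 option device 'eth1'
 option vlan '1'
 option ports '0 1 5'

config switch_vlan
 option device 'eth1'
 option vlan '2'
 option ports '0t 2 3t 5t'
"""

FIREWALL_CONF = """
config zone
 option name 'lan'
 option forward 'ACCEPT'
 option network 'lan'
 option masq '1'
 list masq_dest '!192.168.1.0/24'

config zone
 option name 'guest'
 option forward 'REJECT'
 option network 'guest'

config forwarding
 option dest 'lan'
 option src 'guest'
"""


def parse_uci(text):
    """Parse UCI text into (section_type, section_name, options) tuples.
    'option' values are strings; 'list' values accumulate into Python lists."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values
        if parts[0] == "config":
            current = (parts[1], parts[2] if len(parts) > 2 else None, {})
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[2][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and current is not None:
            current[2].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def vlan_port_map(sections):
    """Return {port: {vlan: 'tagged' | 'untagged'}} from the switch_vlan sections."""
    ports = defaultdict(dict)
    for stype, _, opts in sections:
        if stype != "switch_vlan":
            continue
        vlan = int(opts["vlan"])
        for token in opts["ports"].split():
            ports[int(token.rstrip("t"))][vlan] = "tagged" if token.endswith("t") else "untagged"
    return dict(ports)


def check_vlans(sections, main_vlan=1, guest_vlan=2):
    """A port may be untagged in at most one VLAN (otherwise ingress frames are ambiguous).
    'trunks' carry the main VLAN untagged and the guest VLAN tagged (router uplink, CPU port);
    'access' ports are untagged in the guest VLAN (plain wired guest ports)."""
    problems, trunks, access = [], [], []
    for port, vlans in sorted(vlan_port_map(sections).items()):
        untagged = sorted(v for v, mode in vlans.items() if mode == "untagged")
        if len(untagged) > 1:
            problems.append(f"port {port} is untagged in VLANs {untagged}")
        if vlans.get(main_vlan) == "untagged" and vlans.get(guest_vlan) == "tagged":
            trunks.append(port)
        if vlans.get(guest_vlan) == "untagged":
            access.append(port)
    return {"problems": problems, "trunks": trunks, "access": access}


def guest_forwardings(sections, guest_zone="guest"):
    """For each forwarding out of the guest zone: destination zone, dest_ip ranges that a
    REJECT/DROP rule explicitly blocks, and the destination zone's masq_dest list.
    masq_dest only selects what gets NAT; it never prevents forwarding."""
    zones = {o.get("name"): o for t, _, o in sections if t == "zone"}
    rules = [o for t, _, o in sections if t == "rule"]
    result = []
    for stype, _, opts in sections:
        if stype != "forwarding" or opts.get("src") != guest_zone:
            continue
        dest = opts.get("dest")
        blocked = sorted(r["dest_ip"] for r in rules
                         if r.get("src") == guest_zone and r.get("dest") == dest
                         and r.get("target", "").upper() in ("REJECT", "DROP") and r.get("dest_ip"))
        result.append({"dest": dest, "blocked_dest_ip": blocked,
                       "masq_dest": zones.get(dest, {}).get("masq_dest", [])})
    return result


if __name__ == "__main__":
    print("VLAN check:", check_vlans(parse_uci(NETWORK_CONF)))
    for fwd in guest_forwardings(parse_uci(FIREWALL_CONF)):
        print(f"guest -> {fwd['dest']}: blocked dest_ip {fwd['blocked_dest_ip'] or 'none'}, "
              f"masq_dest {fwd['masq_dest']}")
```

On a real router the same functions can be pointed at the contents of /etc/config/network and /etc/config/firewall; a port listed under "problems" means the switch_vlan sections need fixing before the VLAN layout above will behave as described.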

Now we can set the guest WiFi, binding it to the guest interface.


Now we have a primary WiFi over our main subnet 192.168.1.0/24, and a guest WiFi plus a guest wired connection through port 3 of the router over our secondary subnet 192.168.2.0/24.

The Guest router can also act as a guest AP if we like, by simply enabling the WiFi interface and attaching it to the guest interface.

Now that we have built a Guest router, we have to build a guest AP.
There are a few devices that can route VLAN networks with stock firmware. If we would like to use an OpenWrt firmware, we must enable VLAN 2 tagged on a switch port, and on the same port VLAN 1 should be untagged.
Then we have to create a guest interface and a guest firewall zone like we've already done.
We can leave the LAN interface unmanaged if we do not need to access this AP from the main network.

That's almost all.

So this is what we have done: we have a main router on our main network on the IP range 192.168.1.0/24 and a Guest router on the IP range 192.168.2.0/24. We can use an unmanaged switch and run the guest network by using VLAN tagged packets.


Notes
  • read risk disclaimer
  • excuse my bad English