Guest network routing, WLAN extension (e.g. WDS) etc

gonk
Posts: 93
Joined: 30 May 2012, 01:53

Guest network routing, WLAN extension (e.g. WDS) etc

Post by gonk » 11 Jul 2013, 14:27

Since the B3 doesn't support a separate guest WLAN I'm trying to accomplish the following with a B3 and an old Linksys WRT54G running OpenWRT:
  • Me and my wife connect to the B3 via LAN or the WLAN SSID on the B3
  • Guests are given the SSID and password to the WLAN on the WRT54G
  • The B3 acts gateway (192.168.0.1) and DHCP in the scope 192.168.0.x
  • The WRT54G is configured with 192.168.0.2 as WAN address and acts as gateway 192.168.1.1 and DHCP in the 192.168.1.x range
  • The B3 is configured to only let the guest network (192.168.0.2 / 192.168.1.x) use the B3 WAN connection
The first four steps are pretty straightforward but I do not have any experience with iptables or similar to accomplish the last part of hindering the computers that have access via the WRT54G from reaching e.g.
  • the B3 web interface
  • ssh to B3
  • file shares on the B3
  • other services on the B3
The only thing that I want them to be able to use is to access the Internet, e.g. external HTTP, POP3, IMAP, etc servers.

Can anyone please help?

Further... it would be nice if all of this could be done via a wireless connection from the WRT54G to the B3.
The OpenWRT firmware allows the following wireless modes. Which would best fit the needs?
Does the B3 support WDS?

Puma
Posts: 227
Joined: 29 Sep 2008, 06:30

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Puma » 11 Jul 2013, 15:41

Dear Gonk,

You probably have a modem from your internet provider.
The B3 is connected to that modem.
If the modem has more than one LAN port you can connect the WRT54G directly to the modem for guests to have an internet connection.
When the modem has only one LAN port you might put a switch between the modem and the B3; that way you can connect the WRT54G to that switch.

Puma
Linux is like a wigwam - no windows, no gates, apache inside!

gonk
Posts: 93
Joined: 30 May 2012, 01:53

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by gonk » 11 Jul 2013, 16:49

Puma wrote:You probably have a modem from your internet provider.
Nope. I have a network socket in my home so I connect the WAN-port on the B3 directly to it.

The ISP will only provide one IP-address so I cannot connect a switch first and then the B3 and the WRT54G to that switch,
e.g.
Internet RJ45 <-> switch
switch <-> WRT54G WAN
switch <-> B3 WAN

Further, the WRT54G's throughput maxes at around 30 Mbps so routing everything through that one will make my 100 Mbps line pretty slow,
e.g.
Internet RJ45 <-> WRT54G WAN
WRT54G LAN <-> B3 WAN
B3 LAN <-> gigabit switch

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Ubi » 12 Jul 2013, 05:03

gonk wrote:
The ISP will only provide one IP-address so I cannot connect a switch first and then the B3 and the WRT54G to that switch

Why not connect that wrt to the b3 lan port then?

gonk
Posts: 93
Joined: 30 May 2012, 01:53

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by gonk » 12 Jul 2013, 08:54

Ubi wrote:Why not connect that wrt to the b3 lan port then?
That's quite possible and that's what I intend to do and explained with
gonk wrote:
  • The B3 acts gateway (192.168.0.1) and DHCP in the scope 192.168.0.x
  • The WRT54G is configured with 192.168.0.2 as WAN address and acts as gateway 192.168.1.1 and DHCP in the 192.168.1.x range
I also said
gonk wrote:The first four steps are pretty straight forward
but also that my objective is
gonk wrote:to accomplish the last part of hindering the computers that have access via the WRT54G from reaching e.g.
  • the B3 web interface
  • ssh to B3
  • file shares on the B3
  • other services on the B3
So, guests shall only have access to the internet connection, not to anything on the B3.

Is it all clear now?

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Ubi » 12 Jul 2013, 13:51

If I understand this last bit correctly, all that can be accomplished by changing the firewall on the B3. There's a thread somewhere where Gordon describes a very elegant method for this, but I think a simple port blocking should do the trick.

Gordon
Posts: 1367
Joined: 10 Aug 2011, 03:18

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Gordon » 12 Jul 2013, 13:55

The big issue in your setup is that you have the WRT router connected to your LAN, meaning that everyone on your guest network provided by the WRT can in fact access every address on your LAN without the possibility for the B3 to block this kind of traffic. You will therefore need to configure both the WRT firewall and add a rule for the B3.

On the WRT (in order):
- allow target 192.168.0.1/32
- drop target 192.168.0.0/24

On the B3:
- drop source 192.168.0.2/32 on interface br0 on chain INPUT


The most straightforward method would be to connect the WRT to the WAN line and put the B3 on the LAN side of the WRT. That will mean an additional hop for you on the LAN, meaning a marginally slower response from internet sources, but no fiddling with firewalls.

gonk
Posts: 93
Joined: 30 May 2012, 01:53

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by gonk » 13 Jul 2013, 05:41

Thanks for your reply Gordon!
Gordon wrote:The big issue in your setup is that you have the WRT router connected to your LAN, meaning that everyone on your guest network provided by the WRT can in fact access every address on your LAN without the possibility for the B3 to block this kind of traffic. You will therefore need to configure both the WRT firewall and add a rule for the B3.

On the WRT (in order):
- allow target 192.168.0.1/32
- drop target 192.168.0.0/24
Why would that be needed?
Yes, it would hinder the WRT devices from contacting anything on 192.168.0.x except for 192.168.0.1 but ...
Gordon wrote:On the B3:
- drop source 192.168.0.2/32 on interface br0 on chain INPUT
Why can't something similar be accomplished on the B3 side alone by e.g.
  • as a precaution (maybe not needed) drop anything from 192.168.1.x
  • drop anything from 192.168.0.2/32 to 192.168.0.3-254 (or 255?)
  • drop anything from 192.168.0.2/32 to 192.168.0.1
    except for
    • a list of
    • services needed
    • like dns
  • forward the rest to eth0
Gordon wrote:The most straightforward method would be to connect the WRT to the WAN line and put the B3 on the LAN side of the WRT. That will mean an additional hop for you on the LAN, meaning a marginally slower response from internet sources, but no fiddling with firewalls.
That would, as explained, cut the maximum throughput on my Internet line to 30 Mbps (limited by CPU performance in the WRT) for all users and that's not what I want.

I know all of this in theory but am pretty new to networking on Linux and have been trying to get a clear picture of which interface is which and how they are logically connected, the routing etc.

root@B3# ifconfig | grep "Link encap"
br0       Link encap:Ethernet  HWaddr 00:0b:6b:7e:xx:yy
eth0      Link encap:Ethernet  HWaddr 00:22:02:00:xx:yy
eth1      Link encap:Ethernet  HWaddr 00:22:02:00:xx:yy
lo        Link encap:Local Loopback
mon.wlan0 Link encap:UNSPEC  HWaddr 00-0B-6B-7E-62-xx-yy-00-00-00-00-00-00-00-00-00
wlan0     Link encap:Ethernet  HWaddr 00:0b:6b:7e:xx:yy
and

root@B3# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         c-83-233-200-1. 0.0.0.0         UG    0      0        0 eth0
83.233.200.0    *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
and

root@B3# cat /etc/network/interfaces
iface br0 inet static
        address 192.168.0.1
        bridge_fd 0
        bridge_maxwait 0
        bridge_ports eth1 wlan0
        netmask 255.255.255.0

iface eth0 inet dhcp

auto lo
iface lo inet loopback
From this I conclude that
  • eth0 is the WAN port
  • eth1 is the LAN port
  • wlan0 is (what a surprise) the WLAN interface
  • br0 is a logical representation of the intranet interfaces eth1 (LAN) and wlan0 (WLAN)
  • lo is not interesting
These should be the default rules since I've not made any changes and they seem consistent with /etc/network/firewall.conf, from which I believe that they originate.

root@B3# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT

Gordon
Posts: 1367
Joined: 10 Aug 2011, 03:18

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Gordon » 13 Jul 2013, 07:51

gonk wrote:Why can't something similar be accomplished on the B3 side alone by e.g.
  • as a precaution (maybe not needed) drop anything from 192.168.1.x
  • drop anything from 192.168.0.2/32 to 192.168.0.3-254 (or 255?)
  • drop anything from 192.168.0.2/32 to 192.168.0.1
    except for
    • a list of
    • services needed
    • like dns
  • forward the rest to eth0
Because traffic that is destined for an address within the same net range as the WAN address on your WRT will not follow the route towards the B3.

But okay, there are other less obvious methods of achieving what you want. I'm not familiar with the WRT device, but if the WAN address can be set as a static address then you could think of assigning a much smaller netmask, i.e. /30 or 255.255.255.252 depending on the notation used. Do note that in this case you can not use the address 192.168.0.3 anywhere in your network!

Another option would be to duplicate the br0 interface in a virtual br0:0 interface that has another IP range. On the B3 you could then add the earlier mentioned rule to block incoming traffic from the WRT and add a second rule to block forwarding from interface br0:0 to the 192.168.0.0/16 range.

Adding a rule to block traffic from 192.168.1.0/24, the WRT (W)LAN side, won't do anything. This is because all traffic that is initiated on this side will be translated to show the WRT WAN address as the origin; just like the B3 does with traffic from your workstation towards the internet.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Ubi » 13 Jul 2013, 15:41

Gordon wrote:Adding a rule to block traffic from 192.168.1.0/24, the WRT (W)LAN side, won't do anything. This is because all traffic that is initiated on this side will be translated to show the WRT WAN address as the origin; just like the B3 does with traffic from your workstation towards the internet.
Well, unless you do not care that you block that IP address as well, right?

Gordon
Posts: 1367
Joined: 10 Aug 2011, 03:18

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Gordon » 13 Jul 2013, 15:58

Ubi wrote:
Gordon wrote:Adding a rule to block traffic from 192.168.1.0/24, the WRT (W)LAN side, won't do anything. This is because all traffic that is initiated on this side will be translated to show the WRT WAN address as the origin; just like the B3 does with traffic from your workstation towards the internet.
Well, unless you do not care that you block that IP address as well, right?
That's what I wrote last night at 19:55 ;)

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Ubi » 13 Jul 2013, 16:08

Gordon wrote:
Ubi wrote:
Gordon wrote:Adding a rule to block traffic from 192.168.1.0/24, the WRT (W)LAN side, won't do anything. This is because all traffic that is initiated on this side will be translated to show the WRT WAN address as the origin; just like the B3 does with traffic from your workstation towards the internet.
Well, unless you do not care that you block that IP address as well, right?
That's what I wrote last night at 19:55 ;)
You did indeed, but then you did not answer the question why the firewall lines on the WRT were required :D

Gordon
Posts: 1367
Joined: 10 Aug 2011, 03:18

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Gordon » 14 Jul 2013, 05:20

Ubi wrote:You did indeed, but then you did not answer the question why the firewall lines on the wrt were required :D
I think I did... didn't I?

There are two challenges here:
  • first, for the guest users not to be able to access any machine on the home network, except for the B3.
    This is why you need the rules on the WRT
  • second, for the guest users not to be able to access services provided by the B3, except its routing capabilities.
    This is why you need the blocking rule on the B3
As said, other trickery might provide a way to drop the rules on the WRT:

Using a virtual interface on the B3, you can place the WRT in a completely different net range and thereby force it to route all traffic to the B3 - including traffic to any of the home network machines. On the off chance that anyone would be able to break through this defence, this will still make it useless because the machines on the home network need a route back to be able to answer.

Setting a much smaller net mask on the WRT would also work. A mask of /30 (255.255.255.252) will create a net range as follows:
  • 192.168.0.0 Net
  • 192.168.0.1 B3
  • 192.168.0.2 WRT
  • 192.168.0.3 Broadcast
I do doubt very much that you can use DHCP from the B3 to force either one of these two settings on to the WRT, so manual tweaking of that device will still be required.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by Ubi » 14 Jul 2013, 15:17

Ah, now the penny drops :D :D

gonk
Posts: 93
Joined: 30 May 2012, 01:53

Re: Guest network routing, WLAN extension (e.g. WDS) etc

Post by gonk » 14 Jul 2013, 17:02

Thanks for the explanation, but I'm not very interested in protecting other client machines on the internal network from guests trying to access them, since they all have their own software firewalls, so disallowing access to the B3 is the topic of my request.

I'll try to figure out how to manually add firewall rules that will persist across reboots and software updates.

In the B3 web interface you can only set up two types of firewall rules and neither matches the need of blocking some internal clients from accessing the B3 network shares, SSH to the B3, media streaming from the B3 etc.
  • 'Port forward to internal network' will open a port from Internet (WAN) to a network device in your internal network (LAN).
  • 'Open B3 port' will open a port from Internet (WAN) to B3.
Any help and experience is appreciated.
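One way to write the B3-side rule Gordon suggested (drop source 192.168.0.2/32 on br0 in chain INPUT) together with gonk's "except for a list of services needed, like DNS", as an added example that is not code from the thread or from the B3 firmware. It assumes the addresses and interface names shown earlier in the thread (WRT WAN 192.168.0.2, B3 bridge br0) and the stock INPUT chain from the iptables -S listing; how the B3 persists rules across reboots and updates is not covered here.

```sh
#!/bin/sh
# Added example, not from the thread or the B3 firmware. Assumed values below
# come from the thread: WRT WAN address 192.168.0.2, B3 LAN/WLAN bridge br0.
WRT_WAN=192.168.0.2
LAN_IF=br0

# Emit the rule set as iptables commands so it can be reviewed before it is applied.
guest_rules() {
    cat <<EOF
# Own chain: easy to inspect (iptables -L GUEST -v), flush and re-apply later.
iptables -N GUEST 2>/dev/null || iptables -F GUEST
# Hook the chain in at the top of INPUT, ahead of the stock "-i $LAN_IF -j ACCEPT"
# rule; remove any earlier hook first so re-running this does not duplicate it.
iptables -D INPUT -i $LAN_IF -s $WRT_WAN -j GUEST 2>/dev/null
iptables -I INPUT 1 -i $LAN_IF -s $WRT_WAN -j GUEST
# Services the guest router may still use on the B3: DNS, and DHCP renewals
# (unicast from the WRT's own address; the initial discover arrives from 0.0.0.0
# and is therefore not caught by this chain at all).
iptables -A GUEST -p udp --dport 53 -j ACCEPT
iptables -A GUEST -p tcp --dport 53 -j ACCEPT
iptables -A GUEST -p udp --dport 67 -j ACCEPT
# Log (rate limited) and drop everything else the WRT sends to the B3 itself:
# web interface, SSH, file shares, media streaming, ...
iptables -A GUEST -m limit --limit 5/min -j LOG --log-prefix "guest-to-B3: "
iptables -A GUEST -j DROP
EOF
}
# Notes on what this does NOT do, as Gordon explained: a rule against
# 192.168.1.0/24 would never match (the WRT NATs its guests, so every packet
# arrives from $WRT_WAN), and guest-to-LAN-host frames are switched inside br0
# and never reach the INPUT chain, which is why the WRT-side rules exist.

# Apply the rules on the B3 (run as root); review with guest_rules first.
apply_guest_rules() {
    guest_rules | sh -e
}

if [ "${APPLY_GUEST_RULES:-0}" = 1 ]; then
    apply_guest_rules
else
    guest_rules
fi
```

Running the script without APPLY_GUEST_RULES=1 only prints the commands; the FORWARD chain is left alone, so the WRT's traffic towards eth0 still passes through the stock "-i br0 -j ACCEPT" forwarding rule.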
