jason schaefer . com

OpenWRT, Access Point only config. LAN and PUBLIC wireless on an existing subnet

by

jason
in , , ,

In this scenario we will be implementing a openWRT as a wireless access point only. One wireless essid will be LAN accessible and the other will be segregated from the LAN but able to access the WAN. The openWRT in this example will not be the gateway to the network. Another device is the gateway and there is an existing dhcp server.

                            PUBLIC wifi
                         172.16.134.0/24
                                  |
                     public gateway and dhcp server
                            172.16.134.1
                                  \
                   Source NAT to 10.101.101.10
                                              \
ISP <-Gateway-> LAN wired 10.101.101.0/24 <-openWRT-> 
                                              /
                           LAN wifi (wpa2+aes)
                           10.101.101.0/24

1. Add a new wireless access point

wifinogw.1.add-wireless-essid

2. Settings for the new wireless access point. Create a new network interface of “public”. Don’t use any encryption, as this is for general public use.

wifinogw.2.wifi-settings

3. Edit network interface for the public network

wifinogw.3.public-interface-edit

4. Edit PUBLIC interface settings. Set to static address and enable DHCP server for this new network.

wifinogw.4.pub-int-settings

5. Edit the LAN interface. Set the lan interface to an un-used ip of the existing network. Don’t set to “dhcp client” as you will lose connectivity and need to perform a recovery on your openwrt device. Be sure to disabled the DHCP server as the existing network already has one.

wifinogw.5.lan-settings

6. Add a new zone and call it “public_zone”. Masquarade it and put it in the public network. Allow forwarding to and from “lan” zone. We will limit this later with specific firewall rules.

fw_public_zone

7. This is what the general firewall zones should look like

wifinogw.7.fw-general-overview

8. Under the Firewall -> Traffic Rules section add a new Source NAT Rule. Call it “pub2lan“. Set the “Source zone” to “public_zone” and the “Destination zone” to “lan” and set the drop down option “To source IP” to br-lan interface, in this example its 10.101.101.10. Leave “To source port” blank. This SNAT rule will translate all traffic on the public wireless network of 172.16.134.0/24 into the IP of 10.101.101.10. This is the redirect rule from /etc/config/firewall
wifinogw.8.fw-tr-snat

config redirect
option target 'SNAT'
option src 'public_zone'
option dest 'lan'
option proto 'all'
option name 'pub2lan'
option src_dip '10.101.101.10'
option enabled '1'

9. Setup a “New forward rule:” Set name to allow2gw or similar. Source zone to “public_zone” Destination zone to “lan” Click “Add and edit…” Protocols should be “Any”, Destination address is the gateway of the network. In this case 10.101.101.1. The following is the /etc/config/firewall rule for reference. This will allow traffic from the public_zone to reach the gateway of the network.

wifinogw.9.fw-tr-forward-allow2gw

config rule
option target 'ACCEPT'
option proto 'all'
option name 'allow2gw'
option src 'public_zone'
option dest 'lan'
option dest_ip '10.101.101.1'

10. Setup a “New forward rule”. Set the name to drop2lan or similar. Set the Source zone to “public_zone” and Destination zone to “lan”. Click “Add and edit…” Set Protocol to “Any”, Destination address to custom and enter the subnet of the LAN. In this case its 10.101.101.0/24, set “Action” to “drop”. You can add more rules like this one to limit access to other networks or hosts as needed.

drop2lan

config rule
option name 'drop2lan'
option src 'public_zone'
option proto 'all'
option target 'DROP'
option dest 'lan'
option dest_ip '10.101.101.0/24'

 

11. Firewall Traffic Rule overview. There is an error on this view. The following rules have “option proto ‘all’” set and the luci web interface shows “Any TCP+UDP”. This is simply a bug in the luci interface and can be ignored. The order of these rules is very important. In this case you can see we added the “Allow to 10.101.101.1” before the “Drop to 10.101.101.0/24”. If reversed, the lan including the gateway would not be accessible from the public wireless AP. Therefore, you would not be able to reach the Internet.

wifinogw.11.fw-tr-overview

Comments

10 responses to “OpenWRT, Access Point only config. LAN and PUBLIC wireless on an existing subnet”

  1. Pedro Marques Avatar
    Pedro Marques

    Hi There!
    This exactly this with my device that is acting as an AP Client Only and can’t seem to make it work with the Public wifi. No connection at all.
    My external Internet Gateway is 192.168.1.254
    I’ve configured Private wifi (DS10) as 192.168.1.252, gateway 192.168.1.254 DHCP disabled
    and public wifi (DS10-GUEST) as 172.16.134.1, DHCP enabled
    Configured Firewall rules as explained.
    I can connect to public wifi (DS10-GUEST) and optain IP address and gateway, dns, etc. but…
    The only IP i can acces is 192.168.1.254. Every other site / ip doesn’t get thru.
    You didn’t mention in the explanation anything about Bridge Interfaces. Is it necessary?

    My WAN port is disconnected, of course.

  2. jason Avatar
    jason

    Hi Pedro
    I suspect your source NAT rule is not setup properly. Go through section 8 and be sure you are translating to your openwrt lan ip of 192.168.1.252 (src_dip option).
    Also, be sure your public interface does not have a route set (section 4).

    Let me know how it goes.
    Jason

  3. Pedro Marques Avatar
    Pedro Marques

    Hi again! Checked the firewall settings and everything checks ok. Here’s the parameters. I assume the section 8 translation is to be ON (the config after the pic on section 8 leaves it off):

    config zone
    option input ‘ACCEPT’
    option forward ‘REJECT’
    oprion output ‘ACCEPT’
    option name ‘public_zone’
    option network ‘public’
    option masq ‘1’

    option redirect
    option enabled ‘1’
    option target ‘SNAT’
    option src ‘public_zone’
    option dest ‘lan’
    option proto ‘all’
    option src_dip ‘192.168.1.252’
    option name ‘pub2lan’

    config rule
    oprion target ‘ACCEPT’
    option proto ‘all’
    option name ‘allow2gw’
    option src ‘public_zone’
    option dest ‘lan’
    option dest_ip ‘192.168.1.254’

    config rule
    option name ‘pub2lan’
    option src ‘public_zone’
    option proto ‘all’
    option target ‘DROP’
    option dest ‘lan’
    option dest_ip ‘192.168.1.254’

    One more thing… my LAN cable is connected to an ethernet slot and NOT WAN slot. This is correct, right?

  4. Pedro Marques Avatar
    Pedro Marques

    Solved. Besides this tutorial, had to go to “Inter-Zone Forwarding” and check “Allow Forward to destination zones” and “Allow forward from source zones” for LAN.

  5. jason Avatar
    jason

    Hi Pedro

    Thanks for bringing this to my attention! Oddly this is not required in 12.09 so I didn’t include it in the tutorial. For some reason 12.09 ignores these forwarding rules. If you are using the latest 14.07 you will need to allow those inter-zone forwarding. I have updated the tutorial with these settings and recommend to use those settings regardless of the version you are on. Thanks for pointing this out!

  6. Ruben Tavares Avatar
    Ruben Tavares

    Cannot get this to work on my TP Link WR841N with OpenWrt Chaos Calmer 15.05.1.

    Did everything has explained. I can get guest wifi to work on ddwrt, openwrt looks like a no go :(

  7. jason Avatar
    jason

    Hi Ruben
    Nothing in this tutorial would be hardware specific. Double check the SNAT stuff, this is where most people get tripped up.

    Jason

  8. OpenWRT, firewall to block public wireless users from private lan behind wan – jason schaefer . com

    […] more modern way to do this is outlined here. It also requires more modern hardware. The wrt54gl only supports openwrt v10 […]

  9. Jonathan Avatar
    Jonathan

    Jason,

    Doesn’t image #6 need to have “forward to WAN” enabled to work …? Perhaps this has something to do with the comment about “interzone” transfers which another mentioned … i cannot find where that setting is, but regardless, only works like above ^ if I have forward to WAN enabled for pub interface … which makes sense to me … why am i wrong?

    Jonathan

  10. jason Avatar
    jason

    Hi Jonathan
    It needs to be forwarded to LAN and not WAN. The public interface is source NAT’ing through the LAN. It doesn’t interact with the WAN at all. In fact you can delete the WAN interface all-together. There is a bug in which the SNAT option disappears if the WAN interface is not there. So, be sure to add your SNAT rule before deleting WAN or just leave it alone..

Leave a Reply

Your email address will not be published. Required fields are marked *