May 232013
 
 May 23, 2013  Posted by at 10:59 am firewall, networking, wireless Tagged with: , ,  No Responses »

In this post I will outline how to use zones to create public firewalled networks. A device that can bring up multiple interfaces per radio is very attractive here. One essid for private wireless and another for open public wireless. The Atheros ath9k chipsets are very well supported in this regard because they are free software.
This post is different than my older post where we have a private LAN behind our WAN interface that we need to protect… In this scenario we have our ISP connected directly to the openWRT WAN port and we need to bring up a public wireless that is segregated from the LAN. Like so:

                                         "public wifi"
                                                 /
ISP <-openWRT fw-> LAN 192.168.1.0/24 <-public_zone-> PUBLIC 172.16.134.0/24
                        \ 
                 "private LAN wifi"

Obviously the zone can be utilized however you like. Another common option would be to firewall a open wireless network from the LAN. And forgo the insecure nature of a “secured” wireless altogether. The OpenWRT could be running openvpn, that you connect to over the “insecure” wireless, now thats secure!

The following steps are done via the web interface (luci).

1. Start by adding a new wireless interface. In this case to the 5ghz radio. You can do this again for the 2.4ghz radio. wireless 1. add

2. Set the essid and network name “public”. This will allow us to use firewall zones to segregate the networks, rather than excluding individual rfc1918 subnets like in the first example.wireless 2. new wifi settings

 

3. Edit the interface “PUBLIC” so that we can set it as a static ip.wireless 3. edit interface

4. Change the protocol to “static address” set a ip for it and a subnet. DO NOT set a gateway. This will write a new default gateway to the routing table and cause the internet to break occasionally. Setup a dhcp server for this network.wireless 4. public interface

5. In the firewall section. Setup a zone called something like “public_zone” and assign it to the “public” network. And allow it to forward to “WAN” zone.wireless 5. firewall zone

6. This is what the general firewall zone’s should look like now.wireless 6. general firewall zone

Be sure to test it. Connect to the public and try and nmap a known host on the private and vice versa. A few times I have needed to reboot the router for everything to start working properly. It could be because I tinkered too much and caused a hickup. Just something to keep in mind..

 

Oct 072009
 
 October 7, 2009  Posted by at 7:14 pm firewall, wireless Tagged with: , , ,  No Responses »

A while ago Second Street Brewery asked for a good stable public wireless internet connection. Of course, the solution was obvious, openwrt! In this case a linksys wrt54gl. The office, point of sale and public networks all share the same gateway. The problem was segregating the public wireless network from the private office lan. Sam (http://thepromisedlan.org) and I set out to setup a firewall to protect them. This is what we came up with:

         "secured office wifi"
                /
ISP <-fw-> office LAN 10.1.10.0/24 <-fw-> (linksys) "open public wifi" 
(clients on public wifi cannot reach 10.1.10.0/24 or any other private subnet)

check if the following is in /etc/config/firewall otherwise, add it

config include
option path /etc/firewall.user

and in /etc/firewall.user we put:

#Insert this into the chain, so 10.1.10.0/24 (office) can connect to public 192.168.10.0/24.
#This rule gets repeated by the setup script /etc/init.d/firewall.
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

#block all traffic to any possible private network address (10.*.*.*, 172.16-32.*.*, 192.168.*.*)
iptables -I FORWARD 2 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 2 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 2 -d 10.0.0.0/8 -j DROP

If you would like to have remote administration on the openwrt so you can access the luci web interface and ssh from the wan side of the router, you can change /etc/config/firewall wan zone to allow it. !!WARNING!! If you are directly connected to the internet, this will expose your open ports to the world. You should take precautions to secure them before changing this firewall rule.

config 'zone'
  option 'name' 'wan'
  option 'input' 'REJECT' #

or if you just want to allow remote ssh access

config rule
  option target 'ACCEPT'
  option src 'wan'
  option proto 'tcp'
  option dest_port '22'
  option name 'ssh'