25 OpenWrt: adding a guest network
2022-07-28 04:19:00 【Creator_ Ly】
Many routers need a guest network: the host network and the guest network are isolated from each other, the Wi-Fi passwords are different, and guests cannot access content on the main network. The principle is that there is one more VLAN, so there are two network segments that are isolated from each other.
1. Adding the guest network DHCP segment
In /etc/config/network, add the VLAN interface:
config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'eth0.3 ra0.3 rai0.3'
	option ipaddr '192.168.19.1'
	option disabled '0'
Then, in /etc/config/dhcp, add the DHCP segment configuration:
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option force '1'
	option ignore '0'
	option leasetime '12h'
Restart the network: /etc/init.d/network restart
/var/etc/dnsmasq.conf now contains one more DHCP server configuration:
dhcp-range=lan,192.168.18.100,192.168.18.249,255.255.255.0,15m
dhcp-range=guest,192.168.19.100,192.168.19.249,255.255.255.0,15m
2. Adding the guest network Wi-Fi
In /etc/config/wireless, add the Wi-Fi interfaces: a 2.4G one, ra2, and a 5G one, rai2. Both interfaces are bridged under the guest interface.
config wifi-iface 'guest0'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ifname 'ra2'
	option ssid 'Guest_8B5C'
	option macfilter 'deny'
	option maxstanum '32'
	option disabled '0'
	option hidden '0'
	option encryption 'mixed-psk'
	option key '12345678'
config wifi-iface 'guest1'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ifname 'rai2'
	option macfilter 'deny'
	option maxstanum '32'
	option disabled '0'
	option ssid 'Guest_8B5C_5G'
	option hidden '0'
	option encryption 'mixed-psk'
	option key '12345678'
After this is set up, restart Wi-Fi. The bridge list now shows an additional br-guest bridge:
[email protected]:/# brctl show
bridge name     bridge id               STP enabled     interfaces
br-guest        7fff.e4f3e8d38b5c       no              eth0.3
                                                        ra2
                                                        rai2
br-lan          7fff.e4f3e8d38b5c       no              eth0
                                                        ra0
                                                        rai0
Connect to the guest network Wi-Fi and look at the DHCP requests below. You can see DHCP requests carrying the br-guest prefix:
dnsmasq-dhcp[3294]: DHCPDISCOVER(br-guest) 32:ae:7b:01:d3:8f
dnsmasq-dhcp[3294]: DHCPOFFER(br-guest) 192.168.19.138 32:ae:7b:01:d3:8f
dnsmasq-dhcp[3294]: DHCPREQUEST(br-guest) 192.168.19.138 32:ae:7b:01:d3:8f
dnsmasq-dhcp[3294]: DHCPACK(br-guest) 192.168.19.138 32:ae:7b:01:d3:8f
3. Adding the guest network firewall
After the configuration above, a client can connect to the guest Wi-Fi and obtain an IP address in the guest network segment, but it cannot get on the Internet.
This is a firewall problem. The router is a NAT router, and the firewall for the lan interface is set up by default, but the firewall for the newly added guest interface has not been set up.
config zone 'guest'
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'guest'
	option dest 'wan'
config rule
	option name 'Allow-guest-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
config rule
	option name 'Allow-guest-dns'
	option src 'guest'
	option proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'
config rule
	option name 'Allow-guest-tcp-dns'
	option src 'guest'
	option proto 'tcp'
	option dest_port '53'
	option target 'ACCEPT'
Restart the iptables service with /etc/init.d/firewall restart. After that, the network can be connected.
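The isolation described above depends on the guest zone rejecting input and forward traffic and forwarding only to wan. The following check is an added example, not part of the original post: a shell function (the name audit_guest_zone and the sample data are hypothetical) that reads a UCI firewall file such as /etc/config/firewall and reports settings that would let guests reach the router or another zone.

```shell
#!/bin/sh
# Added example (not from the original post): audit a UCI firewall file
# for guest-zone isolation. Usage: audit_guest_zone FILE|- [ZONE]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# Assumption: "wan" is the only zone the guest zone may forward to.
audit_guest_zone() {
    awk -v zone="${2:-guest}" -v q="'" '
    function bad(msg) { print "FINDING: " msg; rc = 1 }
    function check() {   # evaluate the section that just ended
        if (sect == "zone" && o["name"] == zone) {
            seen = 1
            if (o["input"] !~ /^(REJECT|DROP)$/)   bad("zone input is not REJECT/DROP")
            if (o["forward"] !~ /^(REJECT|DROP)$/) bad("zone forward is not REJECT/DROP")
        }
        if (sect == "forwarding" && o["src"] == zone && o["dest"] != "wan")
            bad("forwarding " zone " -> " o["dest"])
        if (sect == "rule" && o["src"] == zone && o["target"] == "ACCEPT") {
            if (o["dest"] != "" && o["dest"] != "wan")
                bad("rule " o["name"] " reaches zone " o["dest"])
            if (o["dest_port"] == "")
                bad("rule " o["name"] " accepts every port")
        }
        split("", o)     # reset the option table for the next section
    }
    $1 == "config" { check(); sect = $2 }
    $1 == "option" { v = $3; gsub(q, "", v); o[$2] = v }
    END { check(); if (!seen) bad("zone " zone " not defined"); exit rc + 0 }
    ' "$1"
}

# Constructed sample: a guest zone with a stray forwarding into lan.
sample_leaky() {
    cat <<'EOF'
config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option forward 'REJECT'
config forwarding
	option src 'guest'
	option dest 'lan'
EOF
}

sample_leaky | audit_guest_zone - || true   # FINDING: forwarding guest -> lan
```

Run against the firewall configuration shown in this section, the function prints nothing and returns 0.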
4. Setting a wired port as the guest network port
Sometimes we want to set one of the 4 lan ports as a guest network port, so that the IP obtained from this port is a guest network IP.
To do that, set one of the lan ports to VLAN 3. Data passing through this port is then marked with a pid=3 tag.
config switch_vlan
	option name 'switch0'
	# VLAN 3, matching option ifname 'eth0.3' above
	option vlan '3'
	option ports '4 6t'