Sunday, December 6, 2020

OpenWrt main and Guest network AP using VLAN with unmanaged switch

I have already described how to build a small network infrastructure with a guest LAN running on a dedicated VLAN over an unmanaged switch.
You can find it here: http://davidegironi.blogspot.com/2017/10/openwrt-guest-routed-ap-using-vlan-with.html
The nice thing about that network was that the VLAN could run over an unmanaged switch.
This time I would like to refine the whole structure by adding access points that serve both the main network and the guest network.
The APs must be VLAN capable and support multiple SSIDs, which means the WiFi chip must be able to run more than one SSID at the same time.
Once again, for those APs I will use OpenWrt (https://openwrt.org/).

At first we have to install our main router.

Let's suppose we serve our main network on the 192.168.1.0/24 range, and our guest network, isolated from the main one, on the 192.168.11.0/24 range.
Our router's IP will be 192.168.1.1 on the main network and 192.168.11.1 on the guest network.

We will use 
  • VLAN 1 as our main untagged network
  • VLAN 2 for the WAN connectivity
  • VLAN 11 for the guest network
Let's suppose we have a router with LAN 1, LAN 2, LAN 3, LAN 4, CPU, and WAN interface.

On the router side, let's start with the Switch settings.
  • the CPU port will be tagged on all VLAN
  • on VLAN 1, we mark all LAN ports as untagged, and we disable the WAN port
  • on VLAN 2, we disable all LAN ports, and we mark WAN as untagged
  • on VLAN 11, we disable all LAN ports except one (for example LAN 4), which has to be tagged, and we disable the WAN port
The port with VLAN 11 tagged and VLAN 1 untagged is the one we connect to the unmanaged switch of our main network.
Then we set the LAN interface to "static address" with IP 192.168.1.1 and DHCP enabled.
We do the same for the GUEST interface, which we first have to add, with static address 192.168.11.1 and DHCP enabled.
We can of course customize the DHCP settings of both interfaces.

On the firewall side we have to add a GUEST firewall zone covering the GUEST interface.
This zone accepts input, accepts output, rejects forward, and has "Allow forward to destination zones" set to WAN, so guest traffic is forwarded only to the WAN interface and cannot reach the main LAN.

If we want WiFi, we just add two wireless interfaces: the main one attached to the LAN network, the GUEST one attached to the GUEST network.

Of course we also have to set up the WAN interface, which could use PPPoE, PPPoATM or any other protocol; this is the interface that provides the Internet connection.

For completeness, here you can find a sample configuration for the router.

/etc/config/network
config interface 'loopback'
 option ifname 'lo'
 option proto 'static'
 option ipaddr '127.0.0.1'
 option netmask '255.0.0.0'

config globals 'globals'
 option ula_prefix 'fd00:0000:0001::/48'

config interface 'lan'
 option type 'bridge'
 option proto 'static'
 option ipaddr '192.168.1.1'
 option netmask '255.255.255.0'
 option ip6assign '60'
 option _orig_ifname 'eth0.1 wlan0'
 option _orig_bridge 'true'
 option ifname 'eth0.1'

config device 'lan_dev'
 option name 'eth0.1'
 option macaddr '00:00:00:00:00:01'

config interface 'wan'
 option _orig_ifname 'eth0.2'
 option _orig_bridge 'false'
 option proto 'pppoe'
 option username 'pppoeusername'
 option password 'pppoepassword'
 option ipv6 'auto'
 option ifname 'eth0.2'

config device 'wan_dev'
 option name 'eth0.2'
 option macaddr '00:00:00:00:00:11'

config interface 'wan6'
 option _orig_ifname 'eth0.2'
 option _orig_bridge 'false'
 option ifname 'eth0.2'
 option proto 'none'

config switch
 option name 'switch0'
 option reset '1'
 option enable_vlan '1'

config switch_vlan
 option device 'switch0'
 option vlan '1'
 option vid '1'
 option ports '0 1 2 3 6t'

config switch_vlan
 option device 'switch0'
 option vlan '2'
 option vid '2'
 option ports '4 6t'

config switch_vlan
 option device 'switch0'
 option vlan '3'
 option vid '11'
 option ports '3t 6t'

config interface 'guest'
 option proto 'static'
 option ipaddr '192.168.11.1'
 option netmask '255.255.255.0'
 option type 'bridge'
 option _orig_ifname 'eth0 wlan0-1'
 option _orig_bridge 'true'
 option ifname 'eth0.11'

/etc/config/firewall
config defaults
 option syn_flood '1'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'REJECT'

config zone
 option name 'lan'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option network 'lan'
 option forward 'REJECT'

config zone
 option name 'wan'
 option output 'ACCEPT'
 option masq '1'
 option mtu_fix '1'
 option input 'REJECT'
 option forward 'REJECT'
 option network 'wan wan6'

config rule
 option name 'Allow-DHCP-Renew'
 option src 'wan'
 option proto 'udp'
 option dest_port '68'
 option target 'ACCEPT'
 option family 'ipv4'

config rule
 option name 'Allow-Ping'
 option src 'wan'
 option proto 'icmp'
 option icmp_type 'echo-request'
 option family 'ipv4'
 option target 'ACCEPT'

config rule
 option name 'Allow-IGMP'
 option src 'wan'
 option proto 'igmp'
 option family 'ipv4'
 option target 'ACCEPT'

config rule
 option name 'Allow-DHCPv6'
 option src 'wan'
 option proto 'udp'
 option src_ip 'fc00::/6'
 option dest_ip 'fc00::/6'
 option dest_port '546'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-MLD'
 option src 'wan'
 option proto 'icmp'
 option src_ip 'fe80::/10'
 list icmp_type '130/0'
 list icmp_type '131/0'
 list icmp_type '132/0'
 list icmp_type '143/0'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-ICMPv6-Input'
 option src 'wan'
 option proto 'icmp'
 list icmp_type 'echo-request'
 list icmp_type 'echo-reply'
 list icmp_type 'destination-unreachable'
 list icmp_type 'packet-too-big'
 list icmp_type 'time-exceeded'
 list icmp_type 'bad-header'
 list icmp_type 'unknown-header-type'
 list icmp_type 'router-solicitation'
 list icmp_type 'neighbour-solicitation'
 list icmp_type 'router-advertisement'
 list icmp_type 'neighbour-advertisement'
 option limit '1000/sec'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-ICMPv6-Forward'
 option src 'wan'
 option dest '*'
 option proto 'icmp'
 list icmp_type 'echo-request'
 list icmp_type 'echo-reply'
 list icmp_type 'destination-unreachable'
 list icmp_type 'packet-too-big'
 list icmp_type 'time-exceeded'
 list icmp_type 'bad-header'
 list icmp_type 'unknown-header-type'
 option limit '1000/sec'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-IPSec-ESP'
 option src 'wan'
 option dest 'lan'
 option proto 'esp'
 option target 'ACCEPT'

config rule
 option name 'Allow-ISAKMP'
 option src 'wan'
 option dest 'lan'
 option dest_port '500'
 option proto 'udp'
 option target 'ACCEPT'

config include
 option path '/etc/firewall.user'

config zone
 option name 'guest'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option network 'guest'
 option forward 'REJECT'

config forwarding
 option dest 'wan'
 option src 'guest'

config forwarding
 option dest 'wan'
 option src 'lan'

/etc/config/dhcp
config dnsmasq
 option domainneeded '1'
 option boguspriv '1'
 option localise_queries '1'
 option rebind_protection '1'
 option rebind_localhost '1'
 option expandhosts '1'
 option authoritative '1'
 option readethers '1'
 option leasefile '/tmp/dhcp.leases'
 option resolvfile '/tmp/resolv.conf.auto'
 option localservice '1'
 option local '/lan/lab.local/'
 option domain 'lab.local'
 list server '8.8.8.8'
 list server '208.67.222.222'
 option nonwildcard '0'

config dhcp 'lan'
 option interface 'lan'
 option start '100'
 option leasetime '12h'
 option force '1'
 option limit '49'

config dhcp 'wan'
 option interface 'wan'
 option ignore '1'

config odhcpd 'odhcpd'
 option maindhcp '0'
 option leasefile '/tmp/hosts/odhcpd'
 option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
 option interface 'guest'
 option start '100'
 option leasetime '12h'
 option force '1'
 option limit '49'

/etc/config/wireless
config wifi-device 'radio0'
 option type 'mac80211'
 option channel '11'
 option hwmode '11g'
 option path 'platform/10180000.wmac'
 option htmode 'HT20'
 option country 'US'
 option txpower '20'

config wifi-iface 'default_radio0'
 option device 'radio0'
 option mode 'ap'
 option ssid 'myssid'
 option encryption 'psk-mixed'
 option key 'wifipassword'
 option network 'lan'

config wifi-iface
 option device 'radio0'
 option mode 'ap'
 option ssid 'myssid-guest'
 option encryption 'psk-mixed'
 option key 'wifipasswordguest'
 option network 'guest' 

Now we have to configure the access point.
This AP will serve both the main WiFi and the guest WiFi.
Let's start again with the switch settings, which are the same as on the main router: the point is to have VLAN 11 tagged on just one LAN port, with the other ports disabled on that VLAN. Note that the cable coming from the unmanaged switch has to be connected to this port, the one with VLAN 11 tagged and VLAN 1 untagged, exactly as on the main router.
We now set the LAN and GUEST interfaces to "static address", say 192.168.1.5 on the main network and 192.168.11.5 on the guest network in this example; of course we set the main router's addresses as gateway, 192.168.1.1 for the main network and 192.168.11.1 for the GUEST network. Both interfaces could use the "DHCP client" protocol instead if we don't want to reserve a static address, but static addresses make it simpler to reach the AP's administration interface.
On the firewall side we don't need a GUEST zone, because guest traffic is filtered by the GUEST zone of the main router's firewall; we are of course free to add a dedicated zone if we want.
Then we enable WiFi as before: we add two wireless interfaces, the main one attached to the LAN network, the GUEST one attached to the GUEST network.
That's all.
This device will also act as an unmanaged switch for the main VLAN. Swapping the untagged/off settings of VLAN 1 and VLAN 11 on a given port makes that port an unmanaged port for the main or for the GUEST network respectively.
If our device does not support multiple SSIDs, we can still add a single WiFi and use the AP for either the GUEST or the main network.
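As an added example that is not part of this post, the following Python script (a hypothetical helper, not an OpenWrt tool) reads UCI text like the /etc/config/network and /etc/config/firewall samples and checks the two things that make this layout work: the switch settings described for the router (exactly one port with VLAN 11 tagged and VLAN 1 untagged, the CPU port tagged on every VLAN, the guest interface bound to the .11 sub-interface) and the GUEST firewall zone (forward REJECT, a guest-to-WAN forwarding only, nothing forwarded into guest). The embedded configuration is a constructed, trimmed copy of the router sample; the function names, the CPU port number (6) and the VLAN ids are parameters you adjust to your own device. The same switch check applies to the AP configuration, which follows the same layout.

```python
"""Added checks (hypothetical helper, not an OpenWrt tool) for the VLAN and guest-zone layout above."""
import shlex
from collections import defaultdict

# Constructed sample: the router sections from this page that the checks read, trimmed.
NETWORK_CONF = """
config interface 'guest'
 option ifname 'eth0.11'

config switch_vlan
 option device 'switch0'
 option vid '1'
 option ports '0 1 2 3 6t'

config switch_vlan
 option device 'switch0'
 option vid '11'
 option ports '3t 6t'
"""

FIREWALL_CONF = """
config zone
 option name 'guest'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option network 'guest'
 option forward 'REJECT'

config forwarding
 option dest 'wan'
 option src 'guest'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, options) tuples; 'list' entries become Python lists."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # strips the single quotes UCI uses
        if not parts:
            continue
        if parts[0] == 'config':
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == 'option' and sections:
            sections[-1][2][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def port_map(sections, switch='switch0'):
    """Return {port: {vid: 'tagged' | 'untagged'}} from the switch_vlan sections."""
    ports = defaultdict(dict)
    for typ, _, opts in sections:
        if typ == 'switch_vlan' and opts.get('device') == switch:
            vid = int(opts.get('vid') or opts['vlan'])
            for token in opts.get('ports', '').split():
                ports[int(token.rstrip('t'))][vid] = 'tagged' if token.endswith('t') else 'untagged'
    return dict(ports)

def check_switch(sections, main_vid=1, guest_vid=11, cpu_port=6):
    """Findings for the switch layout; an empty list means it matches the text."""
    findings, ports = [], port_map(sections)
    # The CPU port must be tagged on every VLAN, or the router never sees that VLAN.
    for vid in sorted({vid for m in ports.values() for vid in m}):
        if ports.get(cpu_port, {}).get(vid) != 'tagged':
            findings.append(f"CPU port {cpu_port} is not tagged on VLAN {vid}")
    # Exactly one port feeds the unmanaged switch: guest VLAN tagged, main VLAN untagged.
    trunks = [p for p, m in ports.items() if m.get(guest_vid) == 'tagged' and m.get(main_vid) == 'untagged']
    if len(trunks) != 1:
        findings.append(f"expected exactly one trunk port for VLAN {guest_vid}, found {trunks}")
    # The guest interface must be bound to the guest VLAN sub-interface, never to the LAN one.
    for typ, name, opts in sections:
        if typ == 'interface' and name == 'guest' and not opts.get('ifname', '').endswith(f'.{guest_vid}'):
            findings.append(f"interface 'guest' is bound to '{opts.get('ifname')}', expected a .{guest_vid} sub-interface")
    return findings

def check_guest_zone(sections, guest='guest', wan='wan'):
    """Findings for guest isolation: forward REJECT, guest->wan only, nothing forwarded into guest."""
    zones = {o.get('name'): o for t, _, o in sections if t == 'zone'}
    if guest not in zones:
        return [f"no firewall zone named '{guest}'"]
    zone, findings = zones[guest], []
    if zone.get('forward', '').upper() != 'REJECT':
        findings.append(f"zone '{guest}' forward policy is '{zone.get('forward')}', expected REJECT")
    fwd = [o for t, _, o in sections if t == 'forwarding']
    dests = [o.get('dest') for o in fwd if o.get('src') == guest]
    if wan not in dests:
        findings.append(f"zone '{guest}' has no forwarding to '{wan}'")
    findings += [f"zone '{guest}' forwards into '{d}', breaking isolation" for d in dests if d != wan]
    findings += [f"zone '{o.get('src')}' forwards into '{guest}'" for o in fwd if o.get('dest') == guest]
    # input ACCEPT lets guest clients reach every service the router listens on, not only DHCP and DNS.
    if zone.get('input', '').upper() == 'ACCEPT':
        findings.append(f"warning: zone '{guest}' input is ACCEPT; guests can reach the router's own services")
    return findings

if __name__ == '__main__':
    report = check_switch(parse_uci(NETWORK_CONF)) + check_guest_zone(parse_uci(FIREWALL_CONF))
    print('\n'.join(report or ['no findings']))
```

Run against the sample it reports a single item: the guest zone accepts input. That is what the post asks for, and guests do need DHCP and DNS from the router, but with input ACCEPT every service bound on the guest interface (SSH, the LuCI web interface) is reachable from the guest network as well; if that is not intended, the zone can reject input and allow just UDP port 67 and port 53 (UDP and TCP) with explicit traffic rules. The zone policy fallback here is deliberately strict: an option left unset in the zone is reported rather than resolved through the firewall's defaults section.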

Again, find below a sample configuration for the AP.

/etc/config/network
config interface 'loopback'
 option ifname 'lo'
 option proto 'static'
 option ipaddr '127.0.0.1'
 option netmask '255.0.0.0'

config globals 'globals'
 option ula_prefix 'fd00:0000:0005::/48'

config interface 'lan'
 option type 'bridge'
 option ifname 'eth0.1'
 option proto 'static'
 option netmask '255.255.255.0'
 option ip6assign '60'
 option ipaddr '192.168.1.5'
 option gateway '192.168.1.1'
 option dns '192.168.1.1'

config device 'lan_dev'
 option name 'eth0.1'
 option macaddr '00:00:00:00:00:05'

config interface 'wan'
 option ifname 'eth0.2'
 option proto 'dhcp'

config device 'wan_dev'
 option name 'eth0.2'
 option macaddr '00:00:00:00:00:15'

config interface 'wan6'
 option ifname 'eth0.2'
 option proto 'dhcpv6'

config switch
 option name 'switch0'
 option reset '1'
 option enable_vlan '1'

config switch_vlan
 option device 'switch0'
 option vlan '1'
 option ports '0 1 2 3 6t'
 option vid '1'

config switch_vlan
 option device 'switch0'
 option vlan '2'
 option ports '4 6t'
 option vid '2'

config switch_vlan
 option device 'switch0'
 option vlan '3'
 option ports '3t 6t'
 option vid '11'

config interface 'guest'
 option type 'bridge'
 option proto 'static'
 option ifname 'eth0.11'
 option ipaddr '192.168.11.5'
 option netmask '255.255.255.0'
 option gateway '192.168.11.1'
 option dns '192.168.11.1'

/etc/config/firewall
config defaults
 option syn_flood '1'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'REJECT'

config zone
 option name 'lan'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'ACCEPT'
 option network 'lan'

config zone
 option name 'wan'
 option input 'REJECT'
 option output 'ACCEPT'
 option forward 'REJECT'
 option masq '1'
 option mtu_fix '1'
 option network 'wan wan6'

config forwarding
 option src 'lan'
 option dest 'wan'

config rule
 option name 'Allow-DHCP-Renew'
 option src 'wan'
 option proto 'udp'
 option dest_port '68'
 option target 'ACCEPT'
 option family 'ipv4'

config rule
 option name 'Allow-Ping'
 option src 'wan'
 option proto 'icmp'
 option icmp_type 'echo-request'
 option family 'ipv4'
 option target 'ACCEPT'

config rule
 option name 'Allow-IGMP'
 option src 'wan'
 option proto 'igmp'
 option family 'ipv4'
 option target 'ACCEPT'

config rule
 option name 'Allow-DHCPv6'
 option src 'wan'
 option proto 'udp'
 option src_ip 'fc00::/6'
 option dest_ip 'fc00::/6'
 option dest_port '546'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-MLD'
 option src 'wan'
 option proto 'icmp'
 option src_ip 'fe80::/10'
 list icmp_type '130/0'
 list icmp_type '131/0'
 list icmp_type '132/0'
 list icmp_type '143/0'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-ICMPv6-Input'
 option src 'wan'
 option proto 'icmp'
 list icmp_type 'echo-request'
 list icmp_type 'echo-reply'
 list icmp_type 'destination-unreachable'
 list icmp_type 'packet-too-big'
 list icmp_type 'time-exceeded'
 list icmp_type 'bad-header'
 list icmp_type 'unknown-header-type'
 list icmp_type 'router-solicitation'
 list icmp_type 'neighbour-solicitation'
 list icmp_type 'router-advertisement'
 list icmp_type 'neighbour-advertisement'
 option limit '1000/sec'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-ICMPv6-Forward'
 option src 'wan'
 option dest '*'
 option proto 'icmp'
 list icmp_type 'echo-request'
 list icmp_type 'echo-reply'
 list icmp_type 'destination-unreachable'
 list icmp_type 'packet-too-big'
 list icmp_type 'time-exceeded'
 list icmp_type 'bad-header'
 list icmp_type 'unknown-header-type'
 option limit '1000/sec'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-IPSec-ESP'
 option src 'wan'
 option dest 'lan'
 option proto 'esp'
 option target 'ACCEPT'

config rule
 option name 'Allow-ISAKMP'
 option src 'wan'
 option dest 'lan'
 option dest_port '500'
 option proto 'udp'
 option target 'ACCEPT'

config include
 option path '/etc/firewall.user'

/etc/config/wireless
config wifi-device 'radio0'
 option type 'mac80211'
 option hwmode '11g'
 option path 'platform/10180000.wmac'
 option htmode 'HT20'
 option channel '6'
 option country 'US'
 option legacy_rates '1'
 option txpower '20'

config wifi-iface 'default_radio0'
 option device 'radio0'
 option network 'lan'
 option mode 'ap'
 option ssid 'myssid'
 option encryption 'psk-mixed'
 option key 'wifipassword'

config wifi-iface
 option device 'radio0'
 option mode 'ap'
 option ssid 'myssid-guest'
 option network 'guest'
 option encryption 'psk-mixed'
 option key 'wifipasswordguest'

Many other changes can be made to these sample settings; use them as a starting point.


Notes
  • read risk disclaimer
  • excuse my bad English