I have a location with CGNAT and two APs that are managed by the ISP. I'd like to offer a guest WiFi, where clients can get free access to the Internet, but not to other IPs on the local network. I have an Ethernet plug to the Fiber to Ethernet box, where I intend to connect a Shadow (GL-AR300M16-Ext), that should provide the guest WiFi.
My question is, how to go about this. Clients on the network get the following via DHCP:
Gateway: 192.168.73.1
Subnetmask: 255.255.255.0
Client: 192.168.73.181 (As an example)
If I configure the Shadow as AP, I don't seem to be able to configure the firewall (at least from the normal GUI). I could set it up in router mode. I am aware that multi-level NAT is considered harmful, but the guest WiFi is only meant for clients needing basic access to the Internet. No local servers, port forwarding or stuff. But somehow I still need to block access from the guest WiFi to anything in the local subnet except for the gateway (192.168.73.2-192.168.73.255).
The GL.inet implementations I have (OPAL, SFT1200, version 4.7.2beta and version 4.3.21) have the same setting (visible in LuCI, can also be modified)
The 2 regular WiFi SSIDs:
access to router pages
devices can communicate to other devices
The 2 Guest SSIDs:
no access to router pages
In System/Advanced/LuCI/Network/Wireless/ Interface settings for Guest SSID: Advanced settings: it states
"Isolate Clients : Prevents client-to-client communication" is ticked
device isolation is active (within the same SSID this is a WiFi feature. Communication with other SSIDs and wired clients is to be tested; it is a Guest Network setting, shown as "AP Isolation" in the GUI)
Check the firewall in LuCI for zone GUEST/edit
Inter-Zone Forwarding
The options below control the forwarding policies between this zone (guest) and other zones. Destination zones cover forwarded traffic originating from "guest". Source zones match forwarded traffic from other zones targeted at "guest". The forwarding rule is unidirectional, e.g. a forward from lan to wan does not imply a permission to forward from wan to lan as well.
Allow forward to destination zones:
Only different WAN zones are in this list, no LAN zone
So the only thing you need is just 1 GL.inet router. Their guest WiFi has all the settings you are asking for. But if used as a 2nd router, be careful: its (whole) WAN zone is reachable; that split-up/isolation is the task of the first router's LAN!
Multiple NAT layers ... don't worry ... in my large "load balanced" WiFi campus network I often have 4 NAT levels (the ISP provider does it, the LTE router or Starlink to ISP does it, the main edge router does it, the client travel router does it ...) And people do Teamlink connections and Netflix streaming, no problem. It is not the best connection for real-time games, where every millisecond counts.
Just as an extra on this guest (or even IoT device) setup. It seems intuitive to connect untrusted devices in a downstream subnet (behind a router with NAT and firewall). I even see developers do it for their test environment.
A security manager on a network will not like, and not even accept, such a setup. The untrusted or remotely managed devices cannot be controlled or managed from the main network. (They are protected by the firewall and NAT.) If there is any malware it will shoot you in your back.
The less trusted environment should be closer to the internet than the trusted environment if set up in series, or in a separate split-off parallel subnet, besides, not behind the trusted environment.
I’m well aware that it’s counter intuitive and an anti-pattern.
The actual case is that the resident of a building has paid Internet access as part of the salary (compensation package). Part of the job is to host gatherings for the local community in a room that's part of the building. For the longest time there has been only one WiFi with the password displayed in the room. So now I'm trying to segregate things "a bit", admitting that it will be hard to make it foolproof to a determined adversary.
My aim is that visitors should not be able to easily portscan the devices in the “private” part of the network, nor without effort say connect to a chromecast in the living room.
I understand quite well. The main network is there for the distribution of the access. It's the installed base, and we all like it to be used, to avoid extra costs.
The problem is that having the second router communicate with the main router only (without allowing local LAN access via that first router) can be done, but is delicate with default setups.
All depends on what can be set up at the first router. There are many things if one has full control there: a separate subnet for the 2nd router, firewall rules to prohibit access from the LAN to/from the second router, a tunnel or VLAN between router 1 and 2, etc.
If router1 cannot be modified ...
Setting the IP with a very small subnet (only including router1 LAN IP) on the 2nd router WAN, will send all router-1-LAN destination traffic to the 1st router as gateway, not as direct IP destination (via ARP).
Port forwarding rules in router 2 might also help
Maybe, who knows, the "Drop in Gateway" function of the GL.inet 2nd router can be abused for this separation.
Since the ISP provides carrier-grade NAT, I as consumer have no say at all on the router. I've got two Ethernet ports on the gateway (which is really a Fiber to Ethernet bridge) and devices plugged in there get an RFC1918 IP address in the 192.168.73.1xx range.
Now that I'm down the road of anti-patterns, my first try will be to set up the Shadow in default mode as a router doing NAT, but using the 172.16.0.0/16 subnet to avoid collisions. And then block all outgoing traffic to 192.168.73.{2-255}. I'll keep you posted on any progress.
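An added example, not code from the thread or from GL.iNet: a POSIX shell script that expresses the plan in the post above as OpenWrt uci firewall rules and checks the verdict for a few destinations with the same ordered list. It assumes the Shadow runs the stock OpenWrt uci firewall with the guest WiFi clients in its lan zone and the ISP LAN (192.168.73.0/24) on its wan zone; the rule names and the 8.8.8.8 sample address are made up.

```shell
#!/bin/sh
# Ordered forward policy for traffic leaving the Shadow's guest side (its lan zone)
# towards the ISP LAN (its wan zone). Fields: name  target  destination, where the
# destination is a single IP or a /24 prefix (the ISP LAN is 192.168.73.0/24).
# First match wins, as OpenWrt evaluates firewall rules in config order, so the
# gateway exception must come before the subnet block.
GUEST_RULES='
Allow-Guest-To-Gateway  ACCEPT  192.168.73.1
Block-Guest-To-ISP-LAN  REJECT  192.168.73.0/24
'

# Emit the uci commands that create these rules on the Shadow (pipe into sh there).
guest_fw_rules() {
  printf '%s\n' "$GUEST_RULES" | while read -r name target dst; do
    [ -n "$name" ] || continue
    echo "uci add firewall rule"
    echo "uci set firewall.@rule[-1].name='$name'"
    echo "uci set firewall.@rule[-1].src='lan'"    # assumption: guest WiFi is in the lan zone
    echo "uci set firewall.@rule[-1].dest='wan'"   # ISP LAN sits behind the Shadow's WAN port
    echo "uci set firewall.@rule[-1].dest_ip='$dst'"
    echo "uci set firewall.@rule[-1].proto='all'"
    echo "uci set firewall.@rule[-1].target='$target'"
  done
  echo "uci commit firewall && /etc/init.d/firewall restart"
}

# True if IP $1 matches rule destination $2 (exact address, or same first three octets for a /24).
ip_matches() {
  case "$2" in
    */24) [ "${1%.*}" = "${2%.*}" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# Verdict for a guest packet to destination $1, walking the same ordered list.
# No match means ordinary Internet traffic, which the lan->wan forwarding accepts.
classify_dest() {
  verdict=$(printf '%s\n' "$GUEST_RULES" | while read -r name target dst; do
    [ -n "$name" ] || continue
    if ip_matches "$1" "$dst"; then echo "$target"; break; fi
  done)
  echo "${verdict:-ACCEPT}"
}

# Quick self-check: the gateway, a LAN client from the thread, and a made-up public address.
for ip in 192.168.73.1 192.168.73.181 8.8.8.8; do
  echo "$ip -> $(classify_dest "$ip")"
done
```

Swapping the two lines of GUEST_RULES makes classify_dest reject the gateway too, which is the ordering mistake to watch for when entering the rules in LuCI.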