
For reference, this is just for my home network. Anyway, I have quite a few of my neighbors ask me to share my internet with them. I'd really like to eliminate this "here's the password" portion though by just making my network publicly accessible.

Now my problems:

  1. I don't want for them to take all my bandwidth
  2. I don't want them to be able to access the wired computers on my home network
  3. I want to avoid double-NAT if possible

My setup is pretty simple at the moment. I have a wireless router that I've disabled DHCP on and have effectively made into a wireless-wired bridge. My actual router is a computer running OpenBSD (4.7, but being upgraded soon) with pf. My DSL modem is connected to my router in bridge mode over PPPoE.

I don't have a whole ton of network knowledge, but I want to learn more and I figure this should be a good learning project.

What would be the best way to do this?

Iszi
Earlz
    Have you had a look at http://security.stackexchange.com/questions/6542/sharing-wifi-at-a-business-bad-policy – Rory Alsop Aug 24 '11 at 21:32
  • @Rory that's what inspired this question. I didn't consider it similar enough to be a duplicate though and it had quite a few conditions that I didn't need to meet – Earlz Aug 24 '11 at 22:06

3 Answers

3

I know how to do this. I just don't know how to do this with pf.

  1. Forget the wireless portion; what we want to do is make two LANs that are isolated from each other. You can then add the wireless access point to one of the LANs.
  2. Obviously, for two LANs, you'll need three ethernet ports on your OpenBSD box.
  3. See the following for the types of rules you need to make: http://wiki.openwrt.org/doc/recipes/guest-wlan

Now, I don't know pf, but you basically need to:

  1. Forward everything from LAN1 and LAN2 to WAN using NAT.
  2. Firewall OpenBSD from LAN2, and leave it open for LAN1.
  3. Open various ports for DHCP and DNS.
user606723
    Ah ok then. I wasn't sure if this would require another network card or if there was a way to do it(cleanly) without it. Guess I'll scrounge up a network card somewhere – Earlz Aug 24 '11 at 20:52
    @Earlz - The other alternative might be a new Wi-Fi AP that supports a Guest network, but there'd still have to be extra magic worked on the router's end with pf or something to handle bandwidth throttling. – Iszi Aug 24 '11 at 21:18
  • Yeah, but how would this be done with all of the following met a) using pf as a router. b) without another network card c) not using double NAT. I can't see anyway to do that... cheapest, easiest and best way is to buy another network card. – user606723 Aug 25 '11 at 07:12
  • This is what I ended up doing. In theory, it should be possible without two LANs, but it was much easier to just add a network card – Earlz Dec 21 '11 at 17:55
2

The "simple" way is an extra NIC in your OpenBSD router and a second AP, which is probably $50 outlay. But if you don't want to spend any money, or are doing this more to learn than anything else then...

DD-WRT supports VLANs (virtual LANs) and VWLANs (virtual wireless LANs), and can have separate DHCP on the different VLANs. To set the DHCP on the V(W)LANs and the ipfilter rules for the traffic allowed between the VLANs and the WAN (or between the different VLANs) you need to use the "startup commands" rather than doing it all through the admin WebUI. See e.g. http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs, http://www.dd-wrt.com/wiki/index.php/VLAN_Support.

DD-WRT also supports 802.1q VLAN trunking, which allows traffic from multiple VLANs to share a single ethernet port/cable/NIC -- although the support for this depends on the specific chipset/board/device: see the previous link. OpenWRT will have similar features. Most consumer/SOHO routers won't expose such features in their stock firmware, of course.

I assume you want to keep OpenBSD as your gateway router. I don't know OpenBSD but it almost certainly supports VLANs and 802.1q VLAN trunking. So you could use DD-WRT/OpenWRT on your AP/wireless bridge and set up a VWLAN for the "guest" wifi, bridged to a corresponding VLAN, plus the normal WLAN bridged to the normal VLAN, with 802.1q tagging on the "LAN/WAN" port (which is in both VLANs) that connects the AP to the OpenBSD router. Configure OpenBSD with the same VLANs/tags and set up pf rules as needed.

Each VLAN will be in a different subnet (e.g. 192.168.1.0/24 and 192.168.2.0/24) but each will be only single-NATed to the WAN. You'll need to set up DHCP on each VLAN's subnet, presumably on OpenBSD (or you could use the AP to provide DHCP for the "guest" subnet, I guess).

Just a SMoC (simple matter of configuration)...

With either solution you'll want some QoS/throttling too, probably on your OpenBSD box. (You could do throttling on the DD-WRT WAP -- DD-WRT has some QoS functionality -- but it wouldn't know about wired traffic on the internal network, so would be limited in the scope of QoS/traffic prioritization it could enforce.)

Misha
  • Interesting. I never realized that VLAN tags would be available after the frame leaves the switch. This could certainly work. Also, Ethernet cards aren't $50. – user606723 Aug 26 '11 at 14:32
  • $50 was NIC + the second "public" AP. Which might still be an overestimate -- I'm not in the US. – Misha Aug 29 '11 at 13:48
  • There was to be a single public AP, from my understanding. – user606723 Sep 01 '11 at 01:58
  • OK. I thought that the OP didn't currently have a public WLAN set up, but did already have the mentioned AP ("wireless router that I've disabled DHCP on and have effectively made into a wireless-wired bridge"), so assumed he'd still need that AP for whatever he was using it for before (e.g. private WLAN, LAN bridging via WLAN, etc.) – Misha Sep 01 '11 at 06:39
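To make the design from the first two answers concrete on the OpenBSD side, here is an added, constructed configuration (it is not from any answer on this page). It assumes OpenBSD 5.5 or later pf queue syntax, em1 as the 802.1q trunk NIC toward the AP, pppoe0 as the WAN, and the 192.168.1.0/24 (private) and 192.168.2.0/24 (guest) subnets mentioned above; the bandwidth figures are placeholders.

```pf
# /etc/hostname.vlan10  (private LAN, tag 10 on trunk em1):
#   inet 192.168.1.1 255.255.255.0 vnetid 10 parent em1
# /etc/hostname.vlan20  (guest WLAN, tag 20 on the same trunk):
#   inet 192.168.2.1 255.255.255.0 vnetid 20 parent em1
# (Releases before 5.7 wrote this as "vlan 10 vlandev em1".)
# For the two-NIC variant from the first answer, substitute em1/em2
# for vlan10/vlan20 below. Enable net.inet.ip.forwarding=1 and run
# dhcpd with a subnet block for each interface.

# /etc/pf.conf
ext_if    = "pppoe0"
lan_if    = "vlan10"
guest_if  = "vlan20"
lan_net   = $lan_if:network
guest_net = $guest_if:network

set skip on lo

# Requirement 1: guests get at most 2M of a 10M uplink and 5M downstream.
# Queues only shape outbound traffic, so the download cap lives on $guest_if.
queue uplink on $ext_if bandwidth 10M max 10M
queue  home  parent uplink bandwidth 8M default
queue  guest parent uplink bandwidth 2M max 2M
queue guest_dl on $guest_if bandwidth 5M max 5M
queue  guest_dl_all parent guest_dl bandwidth 5M default

# Requirement 3: one NAT for both subnets; the AP stays a plain bridge.
match out on $ext_if inet from { $lan_net, $guest_net } nat-to ($ext_if)

block log all
pass out all
antispoof quick for { $lan_if, $guest_if }

# Requirement 2: guests may use the router's DHCP and DNS only ...
pass in quick on $guest_if inet proto udp from any port 68 to any port 67
pass in quick on $guest_if inet proto { tcp, udp } from $guest_net \
    to ($guest_if) port 53
# ... and reach nothing else on the router or the private LAN.
block in quick on $guest_if inet from $guest_net to { self, $lan_net }
# Everything else from guests goes to the WAN inside the guest queue.
pass in on $guest_if inet from $guest_net set queue guest

# The private LAN is trusted.
pass in on $lan_if inet from $lan_net
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and confirm isolation from a guest client by trying to reach a private-LAN address and the router's SSH port, both of which should time out.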
0

Many newer SOHO Wi-Fi routers/APs can easily handle requirements 2 & 3, with use of a "Guest" network. However, requirement 1 will probably require some custom firmware on the router/AP and/or specialized software on something placed as a proxy/firewall on your network.

To most appropriately resolve all of the requirements, you would want to have two separate APs (one for Guest, one for "Internal"), with a firewall capable of handling the bandwidth throttling placed between the Guest AP and the rest of the network.

Iszi