Creating a separate Guest Network with Tomato
A neighbour recently asked me if he could get access to my wireless network for internet access (paying me a few Euro a month for it). The problem was that in my current setup, giving him access to the wireless would have meant giving him complete access to my network, and thus to all my machines, SMB shares and so on. So I needed a separate network for the neighbour's PCs that only has access to the internet, but not to my LAN. In the following I will explain how I did this with a Linksys WRT54GL router running the latest version of the Tomato firmware.
Prerequisites
First, let's see what we need:
- basic knowledge about networks, routers, firewalls and WLAN
- a WRT54GL Router running Tomato (version 1.25 at the time of this writing, other routers capable of running Tomato may or may not work)
- a separate wireless access point for the guest WLAN
- some time to configure and set it all up
Configuring the Router
The first step is to set up the router as usual for your internal network. I will not show how this is done here, since there are many guides around the net. Make sure to enable SSH (or telnet; prefer SSH, since telnet sends your password in the clear) on the router so you have access to the CLI. Also give the router a strong password, or your neighbour will be able to mess with your router's settings.
The next step is to set up a separate network on the router. The easiest way to do this is to create a separate VLAN. Since Tomato has no GUI for VLAN management, this has to be done from the CLI. Once logged in, run the following commands to create a separate VLAN for the router's LAN port 4:
nvram set vlan0ports="3 2 1 5*"   # LAN ports 1-3 (internal 3 2 1) stay in the LAN VLAN; port 4 (internal 0) is taken out
nvram set vlan2hwname=et0          # create VLAN 2 on the switch device et0
nvram set vlan2ports="0 5*"        # LAN port 4 (internal port 0) goes into VLAN 2
nvram commit                       # write the settings to flash; the new layout is applied on the next reboot
With this we now have port 4 separated from the rest of the switch. Note that you can also put more than one port in the second VLAN; just set the corresponding port numbers in vlan0ports and vlan2ports (a port must appear in only one of the two, and port 5, the internal CPU port, stays in both). On the WRT54GL the ports are numbered internally like this:
External port        | WAN | 1 | 2 | 3 | 4
Internal port number |  4  | 3 | 2 | 1 | 0
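The port table above makes the "more than one port" case mechanical, so here is a small shell script, added for this article and not from the original, that builds the two nvram values for any set of guest ports and refuses anything that is not a LAN port (the WAN socket has to stay in vlan1). It only executes nvram when that tool exists, i.e. on the router; on a workstation it just prints the commands for review. The interface and VLAN names are the article's own; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): derive vlan0ports/vlan2ports for any
# set of guest LAN ports on a WRT54GL, using the port table above.

# External LAN port label -> internal switch port (WRT54GL, from the table).
# The WAN socket is internal port 4 and belongs to vlan1, so it is rejected.
internal_port() {
    case "$1" in
        1) echo 3 ;;
        2) echo 2 ;;
        3) echo 1 ;;
        4) echo 0 ;;
        *) echo "invalid LAN port '$1' (use 1-4; the WAN port cannot be moved)" >&2; return 1 ;;
    esac
}

# split_ports "4"  or  split_ports "3 4"
# Sets VLAN0PORTS (ports that stay in the LAN bridge) and VLAN2PORTS (guest VLAN).
# Port 5 is the internal CPU port; it is kept in both VLANs as "5*", exactly as
# in the article's values, so the router itself sees both networks.
split_ports() {
    [ -n "$1" ] || { echo "no guest port given" >&2; return 1; }
    for want in $1; do
        internal_port "$want" >/dev/null || return 1
    done
    lan=""; guest=""
    for ext in 1 2 3 4; do              # fixed order -> stable, comparable output
        int=$(internal_port "$ext")
        case " $1 " in
            *" $ext "*) guest="$guest$int " ;;
            *)          lan="$lan$int " ;;
        esac
    done
    VLAN0PORTS="${lan}5*"
    VLAN2PORTS="${guest}5*"
}

# Run nvram for real on the router; elsewhere print a copy-pasteable command.
run_nvram() {
    if command -v nvram >/dev/null 2>&1; then
        nvram "$@"
    else
        printf 'nvram'; for a in "$@"; do printf " '%s'" "$a"; done; printf '\n'
    fi
}

apply_guest_vlan() {
    split_ports "$1" || return 1
    run_nvram set vlan0ports="$VLAN0PORTS"
    run_nvram set vlan2hwname=et0        # et0 is the switch-facing device on the WRT54GL
    run_nvram set vlan2ports="$VLAN2PORTS"
    run_nvram commit                     # applied on the next reboot
}

# Default: the article's layout, LAN port 4 alone in the guest VLAN.
# Usage: sh guest-vlan.sh "3 4"   (ports 3 and 4 as guest ports)
apply_guest_vlan "${1:-4}"
```

Running it without arguments on a workstation prints the same four nvram commands as the article; running it with "3 4" shows how the strings change when two ports are moved.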
That's all for the VLAN setup. We can now leave the CLI and continue with configuring IPs, DHCP and the firewall through the GUI.
First, let's give our new VLAN an IP. This is done with the startup scripts, which can be edited in the web GUI. Go to Administration → Scripts → Init and put the following code in the text field:
sleep 10                                                  # give the system time to bring the VLAN interfaces up
ifconfig vlan2 192.168.11.1 netmask 255.255.255.0 up      # the router's address in the guest subnet
Adjust the IP and netmask to your needs, and make sure the IP is not in the same subnet as your internal LAN (e.g. if your internal LAN uses the default 192.168.1.x range, you can put the second one on anything other than 192.168.1.x). Of course, don't forget to hit Save afterwards.
Next, let's set up some firewall rules to allow internet access but block access to the internal LAN. Go to Firewall in the Administration → Scripts section and put the following code there:
iptables -I INPUT -i vlan2 -j ACCEPT                                   # guest VLAN may talk to the router itself (needed for DHCP)
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT   # new connections from the guest VLAN to the WAN (vlan1)
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT    # the same for a PPPoE WAN
iptables -I FORWARD -i vlan2 -o br0 -j DROP                            # nothing from the guest VLAN into the LAN bridge
With this, VLAN 2 now has access to the internet but not to the internal LAN. Each rule is inserted at the top of its chain with -I, so the DROP rule added last is evaluated first; reply packets for the guests' connections are passed by Tomato's existing ESTABLISHED,RELATED rule. Two caveats a paranoid reader should know about: the INPUT rule accepts everything from vlan2 that is addressed to the router itself, so the web GUI, SSH/telnet and DNS of the router are reachable from the guest segment, and that includes the router's LAN address 192.168.1.1, because packets to the router's own addresses go through INPUT, not FORWARD, and the br0 DROP never sees them. This is why the strong router password is a must; if you want to be stricter, limit the INPUT rule to DHCP (UDP port 67). And the rules only block the guest-to-LAN direction: Tomato accepts anything coming from br0 by default, so your own LAN machines can still reach the guest PCs, which is fine unless one of them gets compromised. Again, hit Save when done.
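For comparison, here is a tighter version of the same Firewall script. It is an added example written for this article, not the author's rules: it keeps the article's interfaces (guest VLAN vlan2, LAN bridge br0, WAN vlan1 or ppp0, all assumed) but only admits DHCP and ping from the guests to the router itself, and also closes the LAN-to-guest direction. The rules live in two custom chains (names are mine) so the script can be re-run without piling up duplicates and reads top to bottom instead of in reversed -I order. It applies the rules only when it finds the nvram tool, i.e. on the router; anywhere else it prints what it would run.

```shell
#!/bin/sh
# Added example, not the article's rules: hardened guest-network firewall for
# Tomato's Administration -> Scripts -> Firewall field.
#  1. INPUT from the guest VLAN only admits DHCP (and ICMP echo for troubleshooting);
#     the article's "-i vlan2 -j ACCEPT" exposes web GUI, SSH and telnet to guests.
#  2. LAN -> guest is dropped too; Tomato accepts anything from br0 by default.
GUEST_IF="${GUEST_IF:-vlan2}"
LAN_IF="${LAN_IF:-br0}"
WAN_IFS="${WAN_IFS:-vlan1 ppp0}"    # vlan1 = WAN port, ppp0 = PPPoE session

# guest_rules CMD: CMD is "iptables" on the router, or a printer for a dry run.
guest_rules() {
    ipt="$1"
    for chain in guest_in guest_fwd; do
        "$ipt" -N "$chain" 2>/dev/null      # ignore "chain already exists"
        "$ipt" -F "$chain"                  # start from a clean chain on re-runs
    done

    # Packets from the guest VLAN addressed to the router itself
    "$ipt" -A guest_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A guest_in -p udp --dport 67 -j ACCEPT               # DHCP served by dnsmasq
    "$ipt" -A guest_in -p icmp --icmp-type echo-request -j ACCEPT # let guests ping the gateway
    "$ipt" -A guest_in -j DROP     # web GUI, SSH, telnet, DNS...; add "-p udp --dport 53"
                                   # above this line only if guests should use the router's DNS

    # Packets from the guest VLAN that the router would forward
    "$ipt" -A guest_fwd -o "$LAN_IF" -j DROP                      # never into the private LAN
    "$ipt" -A guest_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT
    for wan in $WAN_IFS; do
        "$ipt" -A guest_fwd -o "$wan" -m state --state NEW -j ACCEPT
    done
    "$ipt" -A guest_fwd -j DROP                                   # any other interface/VLAN

    # Hook the chains in ahead of Tomato's own rules, and close LAN -> guest as well
    "$ipt" -I INPUT   -i "$GUEST_IF" -j guest_in
    "$ipt" -I FORWARD -i "$GUEST_IF" -j guest_fwd
    "$ipt" -I FORWARD -i "$LAN_IF" -o "$GUEST_IF" -j DROP
}

print_rule() { echo "iptables $*"; }

if command -v nvram >/dev/null 2>&1; then   # running on the Tomato router
    guest_rules iptables
else                                        # anywhere else: show what would be applied
    guest_rules print_rule
fi
```

The ESTABLISHED,RELATED rule inside guest_fwd matters: with a final DROP in the chain, the accept for NEW alone would only let the first packet of each guest connection through, so the follow-up packets need their own accept. Running the script on a PC prints the rule list, which is an easy way to review the order before pasting it into the router.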
The last thing to do is to set up dnsmasq to hand out IPs for the guest network. Go to Advanced → DHCP / DNS and put the following code into the Custom Configuration field:
interface=vlan2                                                          # also listen on the guest VLAN
dhcp-range=net:vlan2,192.168.11.200,192.168.11.249,255.255.255.0,1440m   # address pool and lease time; leases from it get the tag "vlan2"
dhcp-option=vlan2,3,192.168.11.1                                         # option 3 (default gateway) for clients with that tag
dhcp-option=vlan2,6,208.67.222.222                                       # option 6 (DNS server) for clients with that tag
This will hand out IPs from the range 192.168.11.200 - 192.168.11.249 with a lease time of 24 hours (1440 minutes). It also sets the default gateway announced via DHCP to 192.168.11.1 (the router) and the DNS server to 208.67.222.222 (an OpenDNS server), so the guests never need the router's own resolver. The `net:` prefix is the older dnsmasq spelling of a tag; newer versions write `set:vlan2` in dhcp-range and `tag:vlan2` in dhcp-option, but still accept the old form. Again, you will have to change the IPs so they match the IP you gave to vlan2 earlier. Now hit Save again and finally reboot your router.
After the reboot, connect a PC to the router's port 4 (or whatever port your separate VLAN is on) and check that it gets an IP from the range you configured in DHCP. Also test that you can reach the internet but not your local network: pinging a LAN machine and opening one of its shares should both fail. If it works as expected, the configuration of the router is finished.
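The manual test above can be turned into a script that is run from the PC on the guest port or guest WLAN. This is an added example, not part of the article: it checks that the guest gateway answers, that the internet is reachable, that a LAN host is not, and that the router's admin ports are closed towards the guest side. The addresses are the article's and are assumed defaults (override them with environment variables); ping and nc (netcat) are assumed to be installed. With the article's own "-i vlan2 -j ACCEPT" INPUT rule the three admin-port checks will report FAIL, which is exactly the finding they exist for.

```shell
#!/bin/sh
# Added example (not from the article): isolation check for the guest network,
# run from a machine on the guest VLAN/WLAN.  Exit code = number of failed checks.
GUEST_GW="${GUEST_GW:-192.168.11.1}"        # router's address in the guest subnet
LAN_HOST="${LAN_HOST:-192.168.1.1}"         # any host in the private LAN (here: router's LAN side)
INET_HOST="${INET_HOST:-208.67.222.222}"    # OpenDNS, the resolver handed out via DHCP

ping_ok()  { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }        # ICMP echo answered?
tcp_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }       # TCP port accepts a connection?

# check DESCRIPTION EXPECT COMMAND ARGS...   (EXPECT: 0 = must be reachable, 1 = must be blocked)
check() {
    desc=$1; want=$2; shift 2
    if "$@"; then got=0; else got=1; fi
    if [ "$got" = "$want" ]; then echo "PASS: $desc"; return 0; fi
    echo "FAIL: $desc"; return 1
}

# Runs every check and returns how many failed (0 means the guest is isolated as intended).
verify_guest_isolation() {
    fails=0
    check "guest gateway $GUEST_GW answers ping"          0 ping_ok  "$GUEST_GW"     || fails=$((fails+1))
    check "Internet: $INET_HOST port 53 reachable"        0 tcp_open "$INET_HOST" 53 || fails=$((fails+1))
    check "LAN host $LAN_HOST does NOT answer ping"       1 ping_ok  "$LAN_HOST"     || fails=$((fails+1))
    check "LAN host $LAN_HOST port 445 (SMB) blocked"     1 tcp_open "$LAN_HOST" 445 || fails=$((fails+1))
    check "router web GUI (port 80) blocked from guest"   1 tcp_open "$GUEST_GW" 80  || fails=$((fails+1))
    check "router SSH (port 22) blocked from guest"       1 tcp_open "$GUEST_GW" 22  || fails=$((fails+1))
    check "router telnet (port 23) blocked from guest"    1 tcp_open "$GUEST_GW" 23  || fails=$((fails+1))
    return $fails
}

# Usage: sh guest-check.sh run      (without "run" the script only defines the functions)
if [ "${1:-}" = run ]; then verify_guest_isolation; fi
```

Because ping_ok and tcp_open are plain shell functions, they can be swapped for anything else (for example a probe via curl, or a fake for unit testing the logic) without touching the checks themselves.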
Configuring the Wireless Access Point
Next is configuring the separate access point. The most important setting here is the IP of the access point: it has to be in the same subnet as the vlan2 IP set on the router. In my example you can use anything from 192.168.11.x, for example 192.168.11.2 (outside the DHCP pool). The even easier method is to set it to use DHCP, so it automatically gets an IP from the router's configured range. The other settings like SSID, encryption and so on depend on your access point and how you want your WLAN to be configured; at least use WPA2 with a passphrase that differs from your own WLAN's, change the AP's admin password (its web interface sits on the guest network, where your neighbour can reach it), and turn on wireless client isolation if the AP offers it. Once you are done configuring the AP, connect it to the router's port 4 and power it up. If you connect to this WLAN now, you should be able to access the internet but not the LAN.
Advanced Stuff: QoS and Access Restriction
If you want some control over what is done with your bandwidth, you can set up QoS rules or block access to specific services or sites with Tomato's QoS and Access Restriction settings. I won't go into detail here; just use 192.168.11.0/24 as the source address for the rules. Also, for QoS, make sure to put the rule restricting the guest network first, since the first matching rule is used (so if you, for example, have a rule prioritising HTTP traffic before the guest rule, Tomato will also prioritise HTTP traffic from the guest network).
That's it. I hope this works as well for you as it did for me. If you have questions or suggestions, leave a note below.