OpenWRT NAT only for clients on certain WLAN network

1

I am using an OpenWRT powered WLAN router as an access point for my network. Everything on the network is run through a PFSense box so that I can have full control from there. I would like to have a Guest WiFi network of which the users only have internet access and cannot communicate with any other clients on the network. My router fully supports running a second AP with a different SSID and it can also be set up as a separate interface. What complicates my setup is that I want to run all DHCP for my entire LAN through the PFSense box. This is normally quite simple: I just bridge the LAN and WLAN adapters on the router and that works, but then the PFSense box has no way of distinguishing users on the private network from those on the guest network. What I would like to do is bridge all clients on the private network directly with the PFSense box but translate the addresses of all the guest clients to a reserved IP that PFSense can recognize and manage accordingly. This would mean DHCP and NAT on the guest WiFi network whilst bridging the private one. How would I go about doing this?

PS. I have no desire to run DHCP for the guest users through PFSense; that should preferably be done on the wireless router.

Gerharddc

Posted 2014-10-31T08:20:51.687

Reputation: 383

Answers

1

You’re trying to solve this in a rather hack-ish way. Unless you set the firewall on OpenWrt to disallow guests from accessing your regular LAN network, they will be able to access everything. And because of NAT, you won’t even know which guest it is.

Instead, I suggest you use VLAN tagging. I have no idea about pfSense, but it should support something as basic as this.

The required changes would be as follows:

  • On OpenWrt, add a guest-vlan bridge interface

    → Contains both WiFi guest network and eth0.2 (or similar)

  • On pfSense, set up an interface for VLAN 2 on your local LAN interface

    → Set it so that this network zone can only talk to the internet and not your regular network

You now have a tunnel of sorts between your guest network and your pfSense box. All DHCP and firewall stuff would be handled by pfSense. The guest clients cannot escape from their containment, but their traffic is not protected from anyone on the regular network.

Daniel B

Posted 2014-10-31T08:20:51.687

Reputation: 40 502
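As an added illustration of the layout the answer describes (this is not configuration from the answer's author; it is written here as an example), the OpenWrt side in UCI syntax. It assumes an swconfig-style switch named `switch0` where port 0 is the CPU port and port 1 is the cable to pfSense, a radio named `radio0`, and VLAN 2 as the guest VLAN; the port numbers and device names are assumptions and differ per router model, so check `swconfig dev switch0 show` on the actual hardware. The guest bridge is given `proto 'none'` so the access point itself has no address on the guest network, and `isolate '1'` stops guest clients from talking to each other over the AP.

```uci
# /etc/config/network  (assumed switch layout: port 0 = CPU, port 1 = uplink to pfSense)
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: existing private LAN, untagged on the LAN ports, tagged towards the CPU
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

# VLAN 2: guest VLAN, carried tagged on the uplink (port 1) and the CPU port only;
# it has no untagged member ports, so no wired client lands in it by accident
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1t 0t'

# Guest bridge: eth0.2 plus the guest SSID (attached below via option network).
# proto 'none': the router holds no IP here, so DHCP and routing stay on pfSense
config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.2'
	option proto 'none'

# /etc/config/wireless  (assumed radio name: radio0; passphrase is a placeholder)
config wifi-iface
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'psk2'
	option key 'CHANGE-ME-PLACEHOLDER'
	option isolate '1'
```

On the pfSense side, the matching steps are: create a VLAN with tag 2 on the parent interface that faces the router, assign it as a new interface (for example named GUEST) with its own subnet, enable the DHCP server on it, and give it firewall rules that pass traffic to the internet while blocking the LAN subnet (a pass rule whose destination is "not LAN net", or a block-to-LAN-net rule placed above a pass-any rule). With VLAN 1 untagged and VLAN 2 tagged on the same cable, the private clients keep being bridged straight to pfSense while guest frames arrive there separately identifiable by their tag, which is the part the original NAT idea could not give pfSense.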

Sorry but I don't really have much experience with VLANs, but will this work for isolation even if the WiFi router that hosts both private and guest access points only has one Ethernet interface to the PFSense box? Also, I would like the traffic from guests completely isolated from the private traffic. Also, PFSense does not need to be able to identify individual guests, it just needs to know guests' packets. – Gerharddc – 2014-10-31T09:16:45.897

Yes, that’s what VLAN is all about: Supporting multiple separated networks over the same Ethernet link. Complete isolation is not possible without a dedicated physical link. – Daniel B – 2014-10-31T09:25:38.320

Ok but will there be any way for guest WiFi devices to intercept private devices' packets and, if so, will they at least be prevented from communicating with devices on the other subnet? – Gerharddc – 2014-10-31T10:12:32.710

No, there won’t. I already clearly stated that in my answer: “The guest clients cannot escape from their containment”. – Daniel B – 2014-10-31T10:19:53.630

Ok I'll check it out – Gerharddc – 2014-10-31T10:34:12.973