Template:Networking rutos configuration example guest wifi: Difference between revisions

From Teltonika Networks Wiki
No edit summary
(71 intermediate revisions by 3 users not shown)
Line 2: Line 2:


==Introduction==
==Introduction==
Most of us are aware, that network security is critical. If your WiFi network is not properly secured, it makes you and all of your home or office resources vulnerable to a variety of security threats. To stay ahead of the curve, many companies and home users have guest WiFi. Unlike your regular WiFi network that you or your company members use, the guest WiFi network restricts what your guests can do in your network. It gives visitors access to the Internet connection, but nothing else making you or your company a lot more secure. This chapter is a guide on configuring a guest's WiFi.
Most of us are aware, that network security is extremely important. If your WiFi network is not properly secured, it makes you and all of your home or office resources vulnerable to a variety of security threats. To stay ahead of the curve, many companies and home users have guest WiFi. Unlike your regular WiFi network that you or your company members use, the guest WiFi network restricts what your guests can do in your network. It gives visitors access to the Internet connection, but nothing else making you or your company a lot more secure. This chapter is a guide on configuring a guest WiFi.


==Configuring the router==
Before you start configuring the router <b>turn on "Advanced WebUI" mode</b>. You can do that by clicking the "Basic" button under "Mode", which is located at the top-right corner of the WebUI.
[[File:Networking_rutos_manual_webui_basic_advanced_mode_75.gif|border|center|class=tlt-border|1102x93px]]
===New WiFi AP===
----
----
If you're having trouble finding some of the parameters described here on your device's WebUI, you should <b>turn on "Advanced WebUI" mode</b>. You can do that by clicking the "Basic" button under "Mode", which is located at the top-right corner of the WebUI.


<table class="nd-othertables_2">
[[File:Networking rutx manual webui basic advanced mode v1.gif|border|class=tlt-border]]
    <tr>
        <th width=270; style="border-bottom: 1px solid white;></th>
        <th width=950; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_Guest_Wifi_7.8_Guest_wifi_add.png|border|class=tlt-border|800x176px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
Login to the router's WebUI, navigate to the '''Network → Wireless → SSIDs''' page. Click '''Add'''. Then you will be forwarded to the configuration window.
        </td>
    </tr>
</table>


==Configuring router (RUTX)==
===New LAN===
----
----


<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=220; style="border-bottom: 1px solid white;></th>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=950; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_Guest_Wifi_7.8_Guest_wifi_Interface_new.png|border|class=tlt-border|866x407px|right]]</th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration examples guest wifi 1 v1.png|border|class=tlt-border]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white;>
         <td style="border-bottom: 1px solid white>
On '''General Setup''' tab do the following:
Login to the router's WebUI, switch to '''ADVANCED''' mode and navigate to the '''Network → Interfaces''' page and do the following:
<ol>
<ol>
    <li>'''Enable''' instance.</li>
     <li>Enter a custom '''name'''.</li>
    <li>Select mode '''Access Point'''.</li>
     <li>Click the '''Add''' button.</li>
     <li>Enter a custom '''SSID'''.</li>
 
     <li>Enter a custom '''Password'''.</li>
    <li>Expand the drop-down menu '''Network'''.</li>
    <li>Create a new interface, by clicking '''Add'''</li>
    <li>Enter a custom name '''GuestLan'''.</li>
</ol>
</ol>
Once done, '''Save & Apply changes'''.
         </td>
         </td>
     </tr>
     </tr>
Line 51: Line 32:
----
----


===New LAN interface===
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=220; style="border-bottom: 1px solid white;></th>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_Guest_Wifi_7.8_Lan_interface_new.png|border|class=tlt-border|843x633px|right]]</th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration examples guest wifi 2 v1.png|border|class=tlt-border]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 1px solid white>
Once you have saved the Wireless interface, a new window should pop-up. Configure it as following:
In the '''LAN interfaces''' page, do the following:
<ol>
<ol>
     <li>Select '''Protocol''' - Static.</li>
     <li>Select protocol '''Static'''.</li>
     <li>Enter a '''IPv4 address'''.</li>
     <li>Enter a '''IPv4 address'''.</li>
     <li>Enter a '''IPv4 netmask'''.</li>
     <li>Enter a '''IPv4 netmask'''.</li>
     <li>Enable '''DHCPv4'''.</li>
     <li>'''Enable''' DHCP server.</li>
     <li>Enable '''DHCPv6'''.</li>
     <li>Don't forget to '''Save&Apply''' the changes.</li>
 
</ol>
</ol>
         </td>
         </td>
     </tr>
     </tr>
</table>
</table>
===New Wireless===
----
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=220; style="border-bottom: 1px solid white;></th>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_Guest_Wifi_7.8_Lan_interface_new_firewall.png|border|class=tlt-border|843x633px|right]]</th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration examples guest wifi 3 v1.png|border|class=tlt-border]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 1px solid white>
Then move to Firewall Settings section:
Navigate to the '''Network → Wireless''' page and do the following:
<ol>
    <li>Expand '''Create / Assign firewall-zone''' menu.</li>
    <li>Add a new zone by clicking '''Add''' button</li>
    <li>Add a new '''Guest zone''' zone.</li>
</ol>
'''Save & Apply changes''' when done.
        </td>
    </tr>
</table>
===Firewall rules===
----
 
<table class="nd-othertables_2">
    <tr>
        <th width=270; style="border-bottom: 1px solid white;></th>
        <th width=950; style="border-bottom: 1px solid white;" rowspan=2>
[[File:RutOS_Guest_Wifi_7.8_firewall_zone_edit_button.png|border|class=tlt-border|785x261px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;>
Navigate to '''Network → Firewall → General Settings'''. There edit a new '''Zone''' rule that we added in LAN interface configuration, by pressing '''Edit''' button. Then you will be forwarded to the configuration window.
<ol>
<ol>
    <li>Click '''Add'''.</li>
    <li></li>
    <li></li>
     <li></li>
     <li></li>
</ol>
</ol>
Line 110: Line 73:


----
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=220; style="border-bottom: 1px solid white;></th>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:RutOS_Guest_Wifi_7.8_Lan_interface_zone_config.png|border|class=tlt-border|849x578px|right]]</th>
[[File:Networking rutos configuration examples guest wifi 4 v1.png|border|class=tlt-border]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white;>
         <td style="border-bottom: 1px solid white;>
In the '''ZONE''' page, do the following:
On '''General Setup''' tab do the following:
<ol>
<ol>
     <li>Change Input to '''Accept'''.</li>
     <li>'''Enable''' instance.</li>
     <li>Select WAN interfaces for '''Allow forward to destination zones'''.</li>
     <li>Select mode '''Access Point'''.</li>
    <li>Enter '''ESSID'''.</li>
    <li>Assign it to new '''Guest''' LAN network.</li>
</ol>
</ol>
When done, '''Save & Apply changes'''
         </td>
         </td>
     </tr>
     </tr>
Line 132: Line 97:
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=250; style="border-bottom: 1px solid white;></th>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:RutOS_Guest_Wifi_7.8_firewall_traffic_rule_add.png|border|class=tlt-border|787x116px|right]]</th>
[[File:Networking rutos configuration examples guest wifi 5 v1.png|border|class=tlt-border]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white;>
         <td style="border-bottom: 1px solid white;>
In order to disable WebUI or SSH access to the router from Guest's_WiFi network navigate to the '''Network → Firewall → Traffic Rules''' page and do the following:
Switch to '''Wireless Security''' tab and do the following:
<ol>
<ol>
     <li>Select '''Add new forward rule'''.</li>
     <li>Select '''Encryption''' type.</li>
    <li>Enter a custom '''Name'''.</li>
     <li>Select '''Cipher''' type.</li>
     <li>Select ''"Guest_zone"'' for '''Source zone'''.</li>
     <li>Enter '''Key'''.</li>
     <li>Select ''"lan"'' for '''Destination zone'''.</li>
     <li>'''Save&Apply''' changes.</li>
     <li>Click the '''Add''' button. Then you will be forwarded to the configuration window.</li>
</ol>
</ol>
         </td>
         </td>
Line 150: Line 114:
</table>
</table>


----
<table class="nd-othertables_2">
    <tr>
        <th width=250; style="border-bottom: 1px solid white;></th>
        <th width=970; style="border-bottom: 1px solid white;" rowspan=2>
[[File:RutOS_Guest_Wifi_7.8_firewall_traffic_rule_config.png|border|class=tlt-border|848x625px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;>
Do the following in the '''TRAFFIC RULES''' page:
<ol>
    <li>Choose Protocols from drop down menu '''UDP TCP'''.</li>
    <li>Change the '''Destination zone''' to ''"Device (input)"''.</li>
    <li>Enter the '''Destination port''' to reject. By default ports 22, 80, 443 are used to access the web user interface and SSH.</li>
    <li>Change the '''Action''' to ''"Drop"''.</li>
</ol>
'''Save & Apply''' changes.
        </td>
    </tr>
</table>
===Alternative Firewall rules===
----
----


<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=270; style="border-bottom: 1px solid white;></th>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=950; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutx configuration examples guest wifi 5 v1.png|border|class=tlt-border]]</th>
[[File:RutOS_Guest_Wifi_7.8_firewall_zone_edit_button.png|border|class=tlt-border|785x261px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white;>
         <td style="border-bottom: 1px solid white>
If you wish to block all the device ports and only allow the user to access internet, then we will need to configure firewall rules alternatively. Navigate to '''Network → Firewall → General Settings'''. There edit a new '''Zone''' rule that we added in LAN interface configuration, by pressing '''Edit''' button. Then you will be forwarded to the configuration window.
Wait for configuration to apply. Two Wireless Access Points should be enabled
<ol>
<ol>
    <li></li>
    <li></li>
    <li></li>
     <li></li>
     <li></li>
</ol>
</ol>
Line 188: Line 133:
     </tr>
     </tr>
</table>
</table>
===Edit Firewall zone===
----
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=220; style="border-bottom: 1px solid white;></th>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:RutOS_Guest_Wifi_7.8_Lan_interface_zone_config_option_2.png|border|class=tlt-border|849x578px|right]]</th>
[[File:Networking rutx configuration examples guest wifi 6 v1.png|border|class=tlt-border]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white;>
         <td style="border-bottom: 1px solid white;>
In the '''ZONE''' page, do the following:
Navigate to the '''Network → Firewall → General Settings''' page and do the following
<ol>
<ol>
     <li>Select WAN interfaces for '''Allow forward to destination zones'''.</li>
     <li>Click the '''Add''' button.</li>
</ol>
</ol>
When done, '''Save & Apply changes'''
         </td>
         </td>
     </tr>
     </tr>
Line 210: Line 157:
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=250; style="border-bottom: 1px solid white;></th>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:RutOS_Guest_Wifi_7.8_firewall_traffic_rule_add.png|border|class=tlt-border|787x116px|right]]</th>
[[File:Networking rutx configuration examples guest wifi 6 v1.png|border|class=tlt-border]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white;>
         <td style="border-bottom: 1px solid white;>
In order to disable most of the devices access to the router from Guest's_WiFi network navigate to the '''Network → Firewall → Traffic Rules''' page and do the following:
In the '''ZONE''' page, do the following:
<ol>
<ol>
     <li>Select '''Add new forward rule'''.</li>
     <li>Enter a custom '''name'''.</li>
     <li>Enter a custom '''Name'''.</li>
     <li>Add new created Guest LAN to '''Covered networks'''.</li>
     <li>Select ''"Guest_zone"'' for '''Source zone'''.</li>
     <li>Select WAN interfaces for '''Allow forward to destination zones'''.</li>
     <li>Select ''"lan"'' for '''Destination zone'''.</li>
     <li>Select WAN interfaces for '''Allow forward from destination zones'''.</li>
     <li>Click the '''Add''' button. Then you will be forwarded to the configuration window.</li>
     <li>'''Save&Apply''' changes.</li>
    <li></li>
</ol>
</ol>
         </td>
         </td>
Line 228: Line 176:
</table>
</table>


----
<table class="nd-othertables_2">
    <tr>
        <th width=250; style="border-bottom: 1px solid white;></th>
        <th width=970; style="border-bottom: 1px solid white;" rowspan=2>
[[File:RutOS_Guest_Wifi_7.8_firewall_traffic_rule_config_option_2.png|border|class=tlt-border|848x625px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;>
Do the following in the '''TRAFFIC RULES''' page:
<ol>
    <li>Choose Protocols from drop down menu '''UDP TCP'''.</li>
    <li>Change the '''Destination zone''' to ''"Device (input)"''.</li>
    <li>Enter the '''Destination port''' to Accept. We will need to accept ports 67 68 in order for DHCP to work and 53 for routers DNS.</li>
    <li>Change the '''Action''' to ''"Accept"''.</li>
</ol>
'''Save & Apply''' changes.
        </td>
    </tr>
</table>
----
<table class="nd-othertables_2">
    <tr>
        <th width=250; style="border-bottom: 1px solid white;></th>
        <th width=970; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Traffic_rule_move_up.gif|border|class=tlt-border|800x325px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;>
Then we will need to move up the traffic rule to the top, in order to be able to use these settings:
        </td>
    </tr>
</table>
==Results==
==Results==
If you've followed all the steps presented above, your configuration should be finished. If you are near a RUT, that is, in a wireless zone, turn on WiFi on your device and view the available networks. You should see the available SSID - "RUTX_WiFi_2G" and "Guest_WiFi". Select one of them and enter the appropriate WiFi password.
-----
<table class="nd-othertables_2">
    <tr>
        <th width=525; style="border-bottom: 1px solid white;"></th>
        <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking rutos configuration examples guest wifi 14 v1.jpg|border|class=tlt-border|300px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
Wireless users connected to SSID: “'''RUTX_WIFI'''”, will be assign to “LAN”, and will get IP from main pool '''192.168.1.0/24'''.
Wireless users connected to SSID: “'''RUTX_WIFI'''”, will be assign to “LAN”, and will get IP from main pool '''192.168.1.0/24'''.
        </td>
    </tr>
</table>
----
<table class="nd-othertables_2">
    <tr>
        <th width=525; style="border-bottom: 1px solid white;"></th>
        <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking rutos configuration examples guest wifi 13 v1.jpg|border|class=tlt-border|300px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
LAN users are able to access any data from pool 192.168.1.0/24. For example they can access Web UI.
        <ol>
            <li></li>
            <li></li>
            <li></li>
            <li></li>
        </ol>
        </td>
    </tr>
</table>
----


<table class="nd-othertables_2">
    <tr>
        <th width=525; style="border-bottom: 1px solid white;"></th>
        <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking rutos configuration examples guest wifi 12 v2.jpg|border|class=tlt-border|300px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
Wireless users connected to SSID: “'''GUEST'S_WIFI'''”, will be assign to LAN “Guest”, and will get IP from new pool '''10.10.10.0/24'''.
Wireless users connected to SSID: “'''GUEST'S_WIFI'''”, will be assign to LAN “Guest”, and will get IP from new pool '''10.10.10.0/24'''.
        <ol>
            <li></li>
            <li></li>
            <li></li>
        </ol>
        </td>
    </tr>
</table>
----


<table class="nd-othertables_2">
Guest hosts are unable to access any data from pool 192.168.1.0/24.
    <tr>
        <th width=525; style="border-bottom: 1px solid white;"></th>
        <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking rutos configuration examples guest wifi 11 v1.jpg|border|class=tlt-border|300px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
Guest hosts are unable to access any data from pool 192.168.1.0/24. And access to the routers Web UI or SSH is restricted.
        <ol>
            <li></li>
            <li></li>
            <li></li>
        </ol>
        </td>
    </tr>
</table>

Revision as of 12:00, 2 July 2020

Introduction

Most of us are aware, that network security is extremely important. If your WiFi network is not properly secured, it makes you and all of your home or office resources vulnerable to a variety of security threats. To stay ahead of the curve, many companies and home users have guest WiFi. Unlike your regular WiFi network that you or your company members use, the guest WiFi network restricts what your guests can do in your network. It gives visitors access to the Internet connection, but nothing else making you or your company a lot more secure. This chapter is a guide on configuring a guest WiFi.


If you're having trouble finding some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Basic" button under "Mode", which is located at the top-right corner of the WebUI.

Configuring router (RUTX)

New LAN


Login to the router's WebUI, switch to ADVANCED mode and navigate to the Network → Interfaces page and do the following:

  1. Enter a custom name.
  2. Click the Add button.

In the LAN interfaces page, do the following:

  1. Select protocol Static.
  2. Enter a IPv4 address.
  3. Enter a IPv4 netmask.
  4. Enable DHCP server.
  5. Don't forget to Save&Apply the changes.

New Wireless


Navigate to the Network → Wireless page and do the following:

  1. Click Add.

On General Setup tab do the following:

  1. Enable instance.
  2. Select mode Access Point.
  3. Enter ESSID.
  4. Assign it to new Guest LAN network.

Switch to Wireless Security tab and do the following:

  1. Select Encryption type.
  2. Select Cipher type.
  3. Enter Key.
  4. Save&Apply changes.

File:Networking rutx configuration examples guest wifi 5 v1.png

Wait for configuration to apply. Two Wireless Access Points should be enabled

Edit Firewall zone


File:Networking rutx configuration examples guest wifi 6 v1.png

Navigate to the Network → Firewall → General Settings page and do the following

  1. Click the Add button.

File:Networking rutx configuration examples guest wifi 6 v1.png

In the ZONE page, do the following:

  1. Enter a custom name.
  2. Add new created Guest LAN to Covered networks.
  3. Select WAN interfaces for Allow forward to destination zones.
  4. Select WAN interfaces for Allow forward from destination zones.
  5. Save&Apply changes.

Results

Wireless users connected to SSID: “RUTX_WIFI”, will be assign to “LAN”, and will get IP from main pool 192.168.1.0/24.

Wireless users connected to SSID: “GUEST'S_WIFI”, will be assign to LAN “Guest”, and will get IP from new pool 10.10.10.0/24.

Guest hosts are unable to access any data from pool 192.168.1.0/24.