Template:Networking rutos configuration example guest wifi: Difference between revisions

From Teltonika Networks Wiki
No edit summary
 
(13 intermediate revisions by one other user not shown)
Line 2: Line 2:


==Introduction==
==Introduction==
Most of us are aware, that network security is extremely important. If your WiFi network is not properly secured, it makes you and all of your home or office resources vulnerable to a variety of security threats. To stay ahead of the curve, many companies and home users have guest WiFi. Unlike your regular WiFi network that you or your company members use, the guest WiFi network restricts what your guests can do in your network. It gives visitors access to the Internet connection, but nothing else making you or your company a lot more secure. This chapter is a guide on configuring a guest WiFi.
Most of us are aware, that network security is critical. If your WiFi network is not properly secured, it makes you and all of your home or office resources vulnerable to a variety of security threats. To stay ahead of the curve, many companies and home users have guest WiFi. Unlike your regular WiFi network that you or your company members use, the guest WiFi network restricts what your guests can do in your network. It gives visitors access to the Internet connection, but nothing else making you or your company a lot more secure. This chapter is a guide on configuring a guest's WiFi.


==Configuring router (RUTX)==
==Configuring the router==
Before you start configuring the router <b>turn on "Advanced WebUI" mode</b>. You can do that by clicking the "Basic" button under "Mode", which is located at the top-right corner of the WebUI.  
Before you start configuring the router <b>turn on "Advanced WebUI" mode</b>. You can do that by clicking the "Basic" button under "Mode", which is located at the top-right corner of the WebUI.  


[[File:Networking_rutx_manual_webui_basic_advanced_mode_v1.gif|border|class=tlt-border]]
[[File:Networking_rutos_manual_webui_basic_advanced_mode_75.gif|border|center|class=tlt-border|1102x93px]]




Line 15: Line 15:
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=270; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration examples guest wifi 3 v1.png|border|class=tlt-border]]</th>
         <th width=950; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_Guest_Wifi_7.8_Guest_wifi_add.png|border|class=tlt-border|800x176px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 4px solid white>
Login to the router's WebUI, navigate to the '''Network → Wireless''' page. Click '''Add'''. You can use either, 2.4GHz or 5GHz WiFi. Then you will be forwarded to the configuration window.
Login to the router's WebUI, navigate to the '''Network → Wireless → SSIDs''' page. Click '''Add'''. Then you will be forwarded to the configuration window.
<ol>
    <li></li>
    <li></li>
    <li></li>
    <li></li>
</ol>
         </td>
         </td>
     </tr>
     </tr>
Line 35: Line 29:
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=220; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=950; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_Guest_Wifi_7.8_Guest_wifi_Interface_new.png|border|class=tlt-border|866x407px|right]]</th>
[[File:Networking rutos configuration examples guest wifi 4 v2.png|border|class=tlt-border]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
Line 45: Line 38:
     <li>'''Enable''' instance.</li>
     <li>'''Enable''' instance.</li>
     <li>Select mode '''Access Point'''.</li>
     <li>Select mode '''Access Point'''.</li>
     <li>Enter a custom '''ESSID'''.</li>
     <li>Enter a custom '''SSID'''.</li>
    <li>Enter a custom '''Password'''.</li>
     <li>Expand the drop-down menu '''Network'''.</li>
     <li>Expand the drop-down menu '''Network'''.</li>
     <li>Uncheck the '''lan''' interface.</li>
     <li>Create a new interface, by clicking '''Add'''</li>
     <li>Create a new interface, enter a custom name '''Guest'''.</li>
     <li>Enter a custom name '''GuestLan'''.</li>
</ol>
</ol>
Once done, '''Save & Apply changes'''.
         </td>
         </td>
     </tr>
     </tr>
Line 56: Line 51:
----
----


===New LAN interface===
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=220; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_Guest_Wifi_7.8_Lan_interface_new.png|border|class=tlt-border|843x633px|right]]</th>
[[File:Networking rutos configuration examples guest wifi 5 v1.png|border|class=tlt-border]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white;>
         <td style="border-bottom: 1px solid white>
Switch to '''Wireless Security''' tab and do the following:
Once you have saved the Wireless interface, a new window should pop-up. Configure it as following:
<ol>
<ol>
     <li>Select '''Encryption''' type.</li>
     <li>Select '''Protocol''' - Static.</li>
     <li>Select '''Cipher''' type.</li>
     <li>Enter a '''IPv4 address'''.</li>
     <li>Enter '''Key'''.</li>
     <li>Enter a '''IPv4 netmask'''.</li>
     <li>'''Save&Apply''' changes.</li>
    <li>Enable '''DHCPv4'''.</li>
     <li>Enable '''DHCPv6'''.</li>
 
</ol>
</ol>
         </td>
         </td>
     </tr>
     </tr>
</table>
</table>
----
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=220; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration examples guest wifi 6 v1.png|border|class=tlt-border]]</th>
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>[[File:RutOS_Guest_Wifi_7.8_Lan_interface_new_firewall.png|border|class=tlt-border|843x633px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 1px solid white>
Wait for configuration to apply. Two Wireless Access Points should be enabled
Then move to Firewall Settings section:
<ol>
<ol>
     <li></li>
     <li>Expand '''Create / Assign firewall-zone''' menu.</li>
    <li></li>
     <li>Add a new zone by clicking '''Add''' button</li>
     <li></li>
     <li>Add a new '''Guest zone''' zone.</li>
     <li></li>
</ol>
</ol>
'''Save & Apply changes''' when done.
         </td>
         </td>
     </tr>
     </tr>
</table>
</table>
 
===Firewall rules===
===New LAN interface===
----
----


<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=270; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration example openvpn bridge use case 12 v1.png|border|class=tlt-border]]</th>
         <th width=950; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:RutOS_Guest_Wifi_7.8_firewall_zone_edit_button.png|border|class=tlt-border|785x261px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 1px solid white;>
Now go to '''Network → Interfaces''' and press '''Edit''' next to your newly created LAN interface:
Navigate to '''Network → Firewall → General Settings'''. There edit a new '''Zone''' rule that we added in LAN interface configuration, by pressing '''Edit''' button. Then you will be forwarded to the configuration window.
<ol>
<ol>
     <li></li>
     <li></li>
</ol>
        </td>
    </tr>
</table>


----
<table class="nd-othertables_2">
    <tr>
        <th width=220; style="border-bottom: 1px solid white;></th>
        <th width=970; style="border-bottom: 1px solid white;" rowspan=2>
[[File:RutOS_Guest_Wifi_7.8_Lan_interface_zone_config.png|border|class=tlt-border|849x578px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;>
In the '''ZONE''' page, do the following:
<ol>
    <li>Change Input to '''Accept'''.</li>
    <li>Select WAN interfaces for '''Allow forward to destination zones'''.</li>
</ol>
</ol>
When done, '''Save & Apply changes'''
         </td>
         </td>
     </tr>
     </tr>
Line 118: Line 132:
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=250; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration examples guest wifi 2 v1.png|border|class=tlt-border]]</th>
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:RutOS_Guest_Wifi_7.8_firewall_traffic_rule_add.png|border|class=tlt-border|787x116px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 1px solid white;>
In the '''General setup''' section, do the following:
In order to disable WebUI or SSH access to the router from Guest's_WiFi network navigate to the '''Network → Firewall → Traffic Rules''' page and do the following:
<ol>
<ol>
     <li>Select '''Protocol''' - Static. Confirm by clicking "SWITCH PROTOCOL".</li>
     <li>Select '''Add new forward rule'''.</li>
     <li>Enter a '''IPv4 address'''.</li>
     <li>Enter a custom '''Name'''.</li>
     <li>Enter a '''IPv4 netmask'''.</li>
     <li>Select ''"Guest_zone"'' for '''Source zone'''.</li>
     <li>Enable '''DHCP server'''.</li>
     <li>Select ''"lan"'' for '''Destination zone'''.</li>
     <li>Press '''Save&Apply'''.</li>
     <li>Click the '''Add''' button. Then you will be forwarded to the configuration window.</li>
</ol>
</ol>
         </td>
         </td>
Line 135: Line 150:
</table>
</table>


===Firewall rules===
----
<table class="nd-othertables_2">
    <tr>
        <th width=250; style="border-bottom: 1px solid white;></th>
        <th width=970; style="border-bottom: 1px solid white;" rowspan=2>
[[File:RutOS_Guest_Wifi_7.8_firewall_traffic_rule_config.png|border|class=tlt-border|848x625px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;>
Do the following in the '''TRAFFIC RULES''' page:
<ol>
    <li>Choose Protocols from drop down menu '''UDP TCP'''.</li>
    <li>Change the '''Destination zone''' to ''"Device (input)"''.</li>
    <li>Enter the '''Destination port''' to reject. By default ports 22, 80, 443 are used to access the web user interface and SSH.</li>
    <li>Change the '''Action''' to ''"Drop"''.</li>
</ol>
'''Save & Apply''' changes.
        </td>
    </tr>
</table>
===Alternative Firewall rules===
----
----


<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=270; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=950; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:Networking rutos configuration example openvpn bridge use case 15 v1.png|border|class=tlt-border]]</th>
[[File:RutOS_Guest_Wifi_7.8_firewall_zone_edit_button.png|border|class=tlt-border|785x261px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white;>
         <td style="border-bottom: 1px solid white;>
Navigate to '''Network → Firewall → General Settings'''. There create a new '''Zone''' rule by pressing '''Add''' button. Then you will be forwarded to the configuration window.
If you wish to block all the device ports and only allow the user to access internet, then we will need to configure firewall rules alternatively. Navigate to '''Network → Firewall → General Settings'''. There edit a new '''Zone''' rule that we added in LAN interface configuration, by pressing '''Edit''' button. Then you will be forwarded to the configuration window.
<ol>
<ol>
     <li></li>
     <li></li>
Line 153: Line 188:
     </tr>
     </tr>
</table>
</table>
----
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=220; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:Networking rutos configuration examples guest wifi 8 v1.png|border|class=tlt-border]]</th>
[[File:RutOS_Guest_Wifi_7.8_Lan_interface_zone_config_option_2.png|border|class=tlt-border|849x578px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
Line 166: Line 199:
In the '''ZONE''' page, do the following:
In the '''ZONE''' page, do the following:
<ol>
<ol>
    <li>Enter a custom '''Name'''.</li>
    <li>Add new created ''"Guest"'' LAN to '''Covered networks'''.</li>
     <li>Select WAN interfaces for '''Allow forward to destination zones'''.</li>
     <li>Select WAN interfaces for '''Allow forward to destination zones'''.</li>
    <li>Select WAN interfaces for '''Allow forward from destination zones'''.</li>
    <li>'''Save&Apply''' changes.</li>
    <li></li>
</ol>
</ol>
When done, '''Save & Apply changes'''
         </td>
         </td>
     </tr>
     </tr>
Line 181: Line 210:
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=250; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:Networking rutos configuration examples guest wifi 9 v1.png|border|class=tlt-border]]</th>
[[File:RutOS_Guest_Wifi_7.8_firewall_traffic_rule_add.png|border|class=tlt-border|787x116px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white;>
         <td style="border-bottom: 1px solid white;>
In order to disable WebUI or SSH access to RUTX from Guest's_WiFi network navigate to the '''Network → Firewall → Traffic Rules''' page and do the following:
In order to disable most of the devices access to the router from Guest's_WiFi network navigate to the '''Network → Firewall → Traffic Rules''' page and do the following:
<ol>
<ol>
    <li>Select '''Add new forward rule'''.</li>
     <li>Enter a custom '''Name'''.</li>
     <li>Enter a custom '''Name'''.</li>
     <li>Select ''"guest_zone"'' for '''Source zone'''.</li>
     <li>Select ''"Guest_zone"'' for '''Source zone'''.</li>
     <li>Select ''"lan"'' for '''Destination zone'''.</li>
     <li>Select ''"lan"'' for '''Destination zone'''.</li>
     <li>Click the '''Add''' button. Then you will be forwarded to the configuration window.</li>
     <li>Click the '''Add''' button. Then you will be forwarded to the configuration window.</li>
Line 199: Line 229:


----
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=395; style="border-bottom: 1px solid white;></th>
         <th width=250; style="border-bottom: 1px solid white;></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>  
         <th width=970; style="border-bottom: 1px solid white;" rowspan=2>  
[[File:Networking rutos configuration examples guest wifi 10 v1.png|border|class=tlt-border]]</th>
[[File:RutOS_Guest_Wifi_7.8_firewall_traffic_rule_config_option_2.png|border|class=tlt-border|848x625px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
Line 210: Line 239:
Do the following in the '''TRAFFIC RULES''' page:
Do the following in the '''TRAFFIC RULES''' page:
<ol>
<ol>
     <li>'''Enable''' instance.</li>
     <li>Choose Protocols from drop down menu '''UDP TCP'''.</li>
     <li>Change the '''Destination zone''' to ''"Device (input)"''.</li>
     <li>Change the '''Destination zone''' to ''"Device (input)"''.</li>
     <li>Enter the '''Destination port''' to reject. By default ports 22, 80, 443 are used to access the web user interface and SSH.</li>
     <li>Enter the '''Destination port''' to Accept. We will need to accept ports 67 68 in order for DHCP to work and 53 for routers DNS.</li>
     <li>Change the '''Action''' to ''"Reject"''.</li>
     <li>Change the '''Action''' to ''"Accept"''.</li>
    <li>'''Save&Apply''' changes.</li>
    <li></li>
</ol>
</ol>
'''Save & Apply''' changes.
        </td>
    </tr>
</table>
----
<table class="nd-othertables_2">
    <tr>
        <th width=250; style="border-bottom: 1px solid white;></th>
        <th width=970; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Traffic_rule_move_up.gif|border|class=tlt-border|800x325px|right]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white;>
Then we will need to move up the traffic rule to the top, in order to be able to use these settings:
         </td>
         </td>
     </tr>
     </tr>
</table>
</table>
==Results==
==Results==
If you've followed all the steps presented above, your configuration should be finished. If you are near a RUT, that is, in a wireless zone, turn on WiFi on your device and view the available networks. You should see the available SSID - "RUTX_WiFi_2G" and "Guest_WiFi". Select one of them and enter the appropriate WiFi password.
If you've followed all the steps presented above, your configuration should be finished. If you are near a RUT, that is, in a wireless zone, turn on WiFi on your device and view the available networks. You should see the available SSID - "RUTX_WiFi_2G" and "Guest_WiFi". Select one of them and enter the appropriate WiFi password.


-----
<table class="nd-othertables_2">
    <tr>
        <th width=525; style="border-bottom: 1px solid white;"></th>
        <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking rutos configuration examples guest wifi 14 v1.jpg|border|class=tlt-border|300px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
Wireless users connected to SSID: “'''RUTX_WIFI'''”, will be assign to “LAN”, and will get IP from main pool '''192.168.1.0/24'''.
Wireless users connected to SSID: “'''RUTX_WIFI'''”, will be assign to “LAN”, and will get IP from main pool '''192.168.1.0/24'''.
        </td>
    </tr>
</table>


Wireless users connected to SSID: “'''GUEST'S_WIFI'''”, will be assign to LAN “Guest”, and will get IP from new pool '''10.10.10.0/24'''.
----


Guest hosts are unable to access any data from pool 192.168.1.0/24.
<table class="nd-othertables_2">
    <tr>
        <th width=525; style="border-bottom: 1px solid white;"></th>
        <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking rutos configuration examples guest wifi 13 v1.jpg|border|class=tlt-border|300px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
LAN users are able to access any data from pool 192.168.1.0/24. For example they can access Web UI.
        <ol>
            <li></li>
            <li></li>
            <li></li>
            <li></li>
        </ol>
        </td>
    </tr>
</table>


-----
----


<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=300; style="border-bottom: 1px solid white;></th>
         <th width=525; style="border-bottom: 1px solid white;"></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration examples guest wifi 14 v1.jpg|border|class=tlt-border|728px|right]]</th>
         <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
    </tr>
[[File:Networking rutos configuration examples guest wifi 12 v2.jpg|border|class=tlt-border|300px|center]]</th>
    <tr>
        <th width=300; style="border-bottom: 1px solid white;></th>
        <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration examples guest wifi 13 v1.jpg|border|class=tlt-border|728px|right]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 1px solid white>
Remote office should now be able to access HQ network resources. To verify the connection you can ping remote RUTX (HQ server) LAN IP and if you get a reply, you have successfully connected to HQ‘s internal network. Also, all LAN addresses, that belong to the work network (192.168.1.0/24), should now be leased to LAN devices by HQ router.
Wireless users connected to SSID: “'''GUEST'S_WIFI'''”, will be assign to LAN “Guest”, and will get IP from new pool '''10.10.10.0/24'''.
        <ol>
            <li></li>
            <li></li>
            <li></li>
        </ol>
         </td>
         </td>
     </tr>
     </tr>
Line 249: Line 321:


----
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=355; style="border-bottom: 1px solid white;></th>
         <th width=525; style="border-bottom: 1px solid white;"></th>
         <th width=790; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_rutos_configuration_example_openvpn_bridge_use_case_19_v2.png|border|class=tlt-border|728px|right]]</th>
         <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking rutos configuration examples guest wifi 11 v1.jpg|border|class=tlt-border|300px|center]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 1px solid white>
In order to check the guest WiFi, you simply need to connect to the newly created WiFi AP, then check whether you have internet connectivity and try to ping OpenVPN server LAN IP - if everything is set up correctly, you should not be able to do that.  
Guest hosts are unable to access any data from pool 192.168.1.0/24. And access to the routers Web UI or SSH is restricted.
        <ol>
            <li></li>
            <li></li>
            <li></li>
        </ol>
         </td>
         </td>
     </tr>
     </tr>
</table>
</table>

Latest revision as of 12:37, 24 September 2024

Introduction

Most of us are aware, that network security is critical. If your WiFi network is not properly secured, it makes you and all of your home or office resources vulnerable to a variety of security threats. To stay ahead of the curve, many companies and home users have guest WiFi. Unlike your regular WiFi network that you or your company members use, the guest WiFi network restricts what your guests can do in your network. It gives visitors access to the Internet connection, but nothing else making you or your company a lot more secure. This chapter is a guide on configuring a guest's WiFi.

Configuring the router

Before you start configuring the router turn on "Advanced WebUI" mode. You can do that by clicking the "Basic" button under "Mode", which is located at the top-right corner of the WebUI.


New WiFi AP


Login to the router's WebUI, navigate to the Network → Wireless → SSIDs page. Click Add. Then you will be forwarded to the configuration window.


On General Setup tab do the following:

  1. Enable instance.
  2. Select mode Access Point.
  3. Enter a custom SSID.
  4. Enter a custom Password.
  5. Expand the drop-down menu Network.
  6. Create a new interface, by clicking Add
  7. Enter a custom name GuestLan.

Once done, Save & Apply changes.


New LAN interface


Once you have saved the Wireless interface, a new window should pop-up. Configure it as following:

  1. Select Protocol - Static.
  2. Enter a IPv4 address.
  3. Enter a IPv4 netmask.
  4. Enable DHCPv4.
  5. Enable DHCPv6.

Then move to Firewall Settings section:

  1. Expand Create / Assign firewall-zone menu.
  2. Add a new zone by clicking Add button
  3. Add a new Guest zone zone.

Save & Apply changes when done.

Firewall rules


Navigate to Network → Firewall → General Settings. There edit a new Zone rule that we added in LAN interface configuration, by pressing Edit button. Then you will be forwarded to the configuration window.


In the ZONE page, do the following:

  1. Change Input to Accept.
  2. Select WAN interfaces for Allow forward to destination zones.

When done, Save & Apply changes


In order to disable WebUI or SSH access to the router from Guest's_WiFi network navigate to the Network → Firewall → Traffic Rules page and do the following:

  1. Select Add new forward rule.
  2. Enter a custom Name.
  3. Select "Guest_zone" for Source zone.
  4. Select "lan" for Destination zone.
  5. Click the Add button. Then you will be forwarded to the configuration window.

Do the following in the TRAFFIC RULES page:

  1. Choose Protocols from drop down menu UDP TCP.
  2. Change the Destination zone to "Device (input)".
  3. Enter the Destination port to reject. By default ports 22, 80, 443 are used to access the web user interface and SSH.
  4. Change the Action to "Drop".

Save & Apply changes.

Alternative Firewall rules


If you wish to block all the device ports and only allow the user to access internet, then we will need to configure firewall rules alternatively. Navigate to Network → Firewall → General Settings. There edit a new Zone rule that we added in LAN interface configuration, by pressing Edit button. Then you will be forwarded to the configuration window.


In the ZONE page, do the following:

  1. Select WAN interfaces for Allow forward to destination zones.

When done, Save & Apply changes


In order to disable most of the devices access to the router from Guest's_WiFi network navigate to the Network → Firewall → Traffic Rules page and do the following:

  1. Select Add new forward rule.
  2. Enter a custom Name.
  3. Select "Guest_zone" for Source zone.
  4. Select "lan" for Destination zone.
  5. Click the Add button. Then you will be forwarded to the configuration window.

Do the following in the TRAFFIC RULES page:

  1. Choose Protocols from drop down menu UDP TCP.
  2. Change the Destination zone to "Device (input)".
  3. Enter the Destination port to Accept. We will need to accept ports 67 68 in order for DHCP to work and 53 for routers DNS.
  4. Change the Action to "Accept".

Save & Apply changes.


Then we will need to move up the traffic rule to the top, in order to be able to use these settings:

Results

If you've followed all the steps presented above, your configuration should be finished. If you are near a RUT, that is, in a wireless zone, turn on WiFi on your device and view the available networks. You should see the available SSID - "RUTX_WiFi_2G" and "Guest_WiFi". Select one of them and enter the appropriate WiFi password.


Wireless users connected to SSID: “RUTX_WIFI”, will be assign to “LAN”, and will get IP from main pool 192.168.1.0/24.


LAN users are able to access any data from pool 192.168.1.0/24. For example they can access Web UI.


Wireless users connected to SSID: “GUEST'S_WIFI”, will be assign to LAN “Guest”, and will get IP from new pool 10.10.10.0/24.


Guest hosts are unable to access any data from pool 192.168.1.0/24. And access to the routers Web UI or SSH is restricted.