Template:Networking rutos configuration example guest wifi: Difference between revisions

From Teltonika Networks Wiki
Line 224: Line 224:
If you've followed all the steps presented above, your configuration should be finished. If you are near a RUT, that is, in a wireless zone, turn on WiFi on your device and view the available networks. You should see the available SSID - "RUTX_WiFi_2G" and "Guest_WiFi". Select one of them and enter the appropriate WiFi password.
If you've followed all the steps presented above, your configuration should be finished. If you are near a RUT, that is, in a wireless zone, turn on WiFi on your device and view the available networks. You should see the available SSID - "RUTX_WiFi_2G" and "Guest_WiFi". Select one of them and enter the appropriate WiFi password.


Wireless users connected to SSID: “'''RUTX_WIFI'''”, will be assign to “LAN”, and will get IP from main pool '''192.168.1.0/24'''.
 


Wireless users connected to SSID: “'''GUEST'S_WIFI'''”, will be assign to LAN “Guest”, and will get IP from new pool '''10.10.10.0/24'''.
Wireless users connected to SSID: “'''GUEST'S_WIFI'''”, will be assign to LAN “Guest”, and will get IP from new pool '''10.10.10.0/24'''.


Guest hosts are unable to access any data from pool 192.168.1.0/24.
 


-----
-----
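Review bot: The SSID names in the unchanged paragraph at the top of this hunk ("RUTX_WiFi_2G" and "Guest_WiFi") do not match the names used in the statements below it ("RUTX_WIFI" and "GUEST'S_WIFI"), so a reader cannot tell which network to select. Use one pair of names throughout, and while touching these lines correct "will be assign" to "will be assigned".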
Line 234: Line 234:
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=525; style="border-bottom: 1px solid white;></th>
         <th width=525; style="border-bottom: 1px solid white;"></th>
         <th width=620; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking rutos configuration examples guest wifi 14 v1.jpg|border|class=tlt-border|300px|center]]</th>
         <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking rutos configuration examples guest wifi 14 v1.jpg|border|class=tlt-border|300px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
Wireless users connected to SSID: “'''RUTX_WIFI'''”, will be assign to “LAN”, and will get IP from main pool '''192.168.1.0/24'''.
        </td>
     </tr>
     </tr>
</table>
----
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=525; style="border-bottom: 1px solid white;></th>
         <th width=525; style="border-bottom: 1px solid white;"></th>
         <th width=620; style="border-bottom: 1px solid white;" rowspan=3>[[File:Networking rutos configuration examples guest wifi 13 v1.jpg|border|class=tlt-border|300px|center]]</th>
         <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking rutos configuration examples guest wifi 13 v1.jpg|border|class=tlt-border|300px|center]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 1px solid white>
Remote office should now be able to access HQ network resources. To verify the connection you can ping remote RUTX (HQ server) LAN IP and if you get a reply, you have successfully connected to HQ‘s internal network. Also, all LAN addresses, that belong to the work network (192.168.1.0/24), should now be leased to LAN devices by HQ router.
Guest hosts are unable to access any data from pool 192.168.1.0/24.
        <ol>
            <li></li>
            <li></li>
            <li></li>
            <li></li>
        </ol>
         </td>
         </td>
     </tr>
     </tr>
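Review bot: The `<td style="border-bottom: 1px solid white>` cells still lack the closing quote on the style attribute, although this change adds that quote to the `<th>` lines; close it on the `<td>` lines as well so the cell markup parses as intended. The ordered list of four empty `<li></li>` items under "Guest hosts are unable to access any data from pool 192.168.1.0/24." should either be filled in or dropped.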
Line 249: Line 267:


----
----
<table class="nd-othertables_2">
    <tr>
        <th width=525; style="border-bottom: 1px solid white;"></th>
        <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking_rutos_configuration_example_l2tp_over_ipsec_android_7_v3.png|border|class=tlt-border|300px|center]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 1px solid white>
        <ol>
            <li>Write the '''DNS servers''' you are planning to use (in this example we used google DNS servers).</li>
            <li>Add '''Forwarding routes''' (RUTX LAN network).</li>
            <li>'''Save''' settings.</li>
        </ol>
        </td>
    </tr>
</table>
----
<table class="nd-othertables_2">
<table class="nd-othertables_2">
     <tr>
     <tr>
         <th width=300; style="border-bottom: 1px solid white;></th>
         <th width=525; style="border-bottom: 1px solid white;"></th>
         <th width=700; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_rutos_configuration_example_openvpn_bridge_use_case_19_v2.png|border|class=tlt-border|628px|right]]</th>
         <th width=620; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Networking_rutos_configuration_example_l2tp_over_ipsec_android_8_v2.png|border|class=tlt-border|300px|center]]</th>
     </tr>
     </tr>
     <tr>
     <tr>
         <td style="border-bottom: 1px solid white>
         <td style="border-bottom: 1px solid white>
In order to check the guest WiFi, you simply need to connect to the newly created WiFi AP, then check whether you have internet connectivity and try to ping OpenVPN server LAN IP - if everything is set up correctly, you should not be able to do that.  
Now open your newly created VPN instance and connect to it:
        <ol>
            <li>Write the '''Username''' you created in router's L2TP settings.</li>
            <li>Write the '''Password''' you created in router's L2TP settings.</li>
            <li>Press '''Connect'''.</li>
        </ol>
         </td>
         </td>
     </tr>
     </tr>
</table>
</table>
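Review bot: The tables in this hunk carry L2TP-over-IPsec Android screenshots and steps (DNS servers, forwarding routes, a username and password "created in router's L2TP settings"), which do not belong in the Results section of a guest WiFi guide. The text they replace was the only verification step for the isolation itself (connect to the guest AP, confirm internet access, confirm that a ping to the protected LAN fails); restore an equivalent check, worded for this page's 192.168.1.0/24 LAN rather than an OpenVPN server, and remove the VPN steps.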

Revision as of 11:41, 22 July 2020

Introduction

Most of us are aware that network security is extremely important. If your WiFi network is not properly secured, you and all of your home or office resources are vulnerable to a variety of security threats. To stay ahead of the curve, many companies and home users have a guest WiFi network. Unlike the regular WiFi network that you or your company members use, the guest WiFi network restricts what your guests can do in your network. It gives visitors access to the Internet connection but nothing else, making you or your company a lot more secure. This chapter is a guide on configuring a guest WiFi.

Configuring router (RUTX)

Before you start configuring the router, turn on "Advanced WebUI" mode. You can do that by clicking the "Basic" button under "Mode", which is located at the top-right corner of the WebUI.


New WiFi AP


Log in to the router's WebUI and navigate to the Network → Wireless page. Click Add; you can use either 2.4GHz or 5GHz WiFi. You will then be forwarded to the configuration window.


On the General Setup tab, do the following:

  1. Enable instance.
  2. Select mode Access Point.
  3. Enter a custom ESSID.
  4. Expand the drop-down menu Network.
  5. Uncheck the lan interface.
  6. Create a new interface, enter a custom name Guest.

Switch to the Wireless Security tab and do the following:

  1. Select Encryption type.
  2. Select Cipher type.
  3. Enter Key.
  4. Save&Apply changes.

Wait for the configuration to apply. Two Wireless Access Points should now be enabled.

New LAN interface


Now go to Network → Interfaces and press Edit next to your newly created LAN interface:


In the General setup section, do the following:

  1. Select Protocol - Static. Confirm by clicking "SWITCH PROTOCOL".
  2. Enter an IPv4 address.
  3. Enter an IPv4 netmask.
  4. Enable DHCP server.
  5. Press Save&Apply.

Firewall rules


Navigate to Network → Firewall → General Settings. There, create a new Zone rule by pressing the Add button. You will then be forwarded to the configuration window.


In the ZONE page, do the following:

  1. Enter a custom Name.
  2. Add the newly created "Guest" LAN to Covered networks.
  3. Select WAN interfaces for Allow forward to destination zones.
  4. Select WAN interfaces for Allow forward from destination zones.
  5. Save&Apply changes.

In order to disable WebUI or SSH access to RUTX from the Guest's_WiFi network, navigate to the Network → Firewall → Traffic Rules page and do the following:

  1. Enter a custom Name.
  2. Select "guest_zone" for Source zone.
  3. Select "lan" for Destination zone.
  4. Click the Add button. Then you will be forwarded to the configuration window.

Do the following in the TRAFFIC RULES page:

  1. Enable instance.
  2. Change the Destination zone to "Device (input)".
  3. Enter the Destination port to reject. By default ports 22, 80, 443 are used to access the web user interface and SSH.
  4. Change the Action to "Reject".
  5. Save&Apply changes.
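
An added example, not part of the Teltonika guide: a Python check that reads an OpenWrt-style UCI firewall file and reports where the guest zone deviates from the zone and traffic rule configured above. It assumes RutOS stores these settings in UCI format (as OpenWrt does in /etc/config/firewall); the zone names `guest_zone`, `wan` and `lan` follow the page, and the sample config is constructed.

```python
import shlex

MGMT_PORTS = {"22", "80", "443"}  # SSH and WebUI ports named in the guide

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) >= 3 and parts[0] in ("option", "list") and sections:
            # 'option p "22 80"' and repeated 'list p 22' both become lists
            sections[-1][1].setdefault(parts[1], []).extend(parts[2].split())
    return sections

def audit_guest(text, guest="guest_zone", allowed_dest=("wan",)):
    """Return findings for the guest zone; an empty list matches the guide."""
    findings, blocked = [], set()
    for kind, opt in parse_uci(text):
        src = opt.get("src", [""])[0]
        if kind == "forwarding" and src == guest:
            dest = opt.get("dest", [""])[0]
            if dest not in allowed_dest:
                findings.append(f"guest traffic is forwarded to zone '{dest}'")
        elif kind == "rule" and src == guest and "dest" not in opt:
            # No 'dest' option: the rule matches traffic addressed to the router.
            enabled = opt.get("enabled", ["1"])[0] != "0"
            if enabled and opt.get("target", [""])[0] in ("REJECT", "DROP"):
                blocked.update(opt.get("dest_port", []))  # ranges not expanded
    for port in sorted(MGMT_PORTS - blocked, key=int):
        findings.append(f"no input rule rejects port {port} from the guest zone")
    return findings

# Constructed sample config (not taken from a device), then a weakened copy.
GOOD = """
config zone
    option name 'guest_zone'
    list network 'Guest'
config forwarding
    option src 'guest_zone'
    option dest 'wan'
config rule
    option src 'guest_zone'
    option proto 'tcp'
    option dest_port '22 80 443'
    option target 'REJECT'
"""
WEAK = GOOD.replace("dest 'wan'", "dest 'lan'").replace("'22 80 443'", "'22'")
```

`audit_guest(GOOD)` returns no findings, while `audit_guest(WEAK)` reports the guest-to-lan forwarding and the two management ports left without a reject rule.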

Results

If you've followed all the steps presented above, your configuration should be finished. If you are near a RUT, that is, in a wireless zone, turn on WiFi on your device and view the available networks. You should see the available SSIDs: "RUTX_WiFi_2G" and "Guest_WiFi". Select one of them and enter the appropriate WiFi password.


Wireless users connected to SSID “GUEST'S_WIFI” will be assigned to LAN “Guest” and will get an IP from the new pool 10.10.10.0/24.



Wireless users connected to SSID “RUTX_WIFI” will be assigned to “LAN” and will get an IP from the main pool 192.168.1.0/24.


Guest hosts are unable to access any data from pool 192.168.1.0/24.


  1. Write the DNS servers you are planning to use (in this example we used google DNS servers).
  2. Add Forwarding routes (RUTX LAN network).
  3. Save settings.

Now open your newly created VPN instance and connect to it:

  1. Write the Username you created in router's L2TP settings.
  2. Write the Password you created in router's L2TP settings.
  3. Press Connect.