Problem Statement
Guests who come to your home often ask for Wi-Fi access so they can check email and so on. Most of the time we simply give them the password of our main SSID every time. This has several disadvantages, including the following:
- The guest's device now holds a permanent record of your wireless SSID and password. It is not deleted when they leave.
- Once the guest leaves, the only way to revoke their access is to change either the SSID or the password. Without more advanced options, that is the only choice left.
- If you change the main SSID's password, you then have to tell every permanent user to update the password on their devices.
- On stock router firmware, as opposed to OpenWrt, you will often find that the guest network is not isolated at all: guests have the same access as you to every resource on the home network, such as printers.
The solution to the above is as follows.
- Set up a separate guest SSID and give that password to guests. When the guests leave, change the guest SSID's password, without any impact on the primary home wireless network.
- The guest network behind the new SSID can be isolated from any or all resources on the home network, so that guest users can reach nothing but the internet. They will, however, still be able to see each other on the guest network.
- Guests can be given a very short DHCP lease time, so that addresses are not held long after they leave.
- Nothing on the isolated guest network can be reached from the primary home network either.
To implement the solution, read on. You are responsible for anything you do to your devices by following the instructions below; only you can decide whether to follow them. If you are not confident about performing these steps, do not proceed beyond this point.
Solution: the steps to follow
1. Log in to the router and first take a backup of the current configuration. Click System -> Backup / Flash Firmware, then click Generate Archive. This is the backup of your current configuration; if anything goes wrong in the steps below, you can restore it and get back to the previous state.
2. Click Network -> Wifi, then click the Add button.
3. On the next page, scroll to the section Interface Configuration. Enter GuestsID in ESSID; under Network, check Create and type GuestsID.
4. Click Wireless Security, set Encryption to WPA2-PSK, set Cipher to Force CCMP (AES) and enter a strong password. Then click Save.
5. Next, set up the interface. Click Network -> Interfaces. You will find the GuestsID interface created above already listed. Click its Edit button as in the figure below; this takes you to the Interface Common Configuration page. Click Save.
6. Change Protocol to Static address and click Switch Protocol. Give the interface an IPv4 address and netmask on a subnet that does not overlap the main home network; the DHCP server hands out addresses from this subnet. Then click the DHCP Server button to set up DHCP for this interface, with a lease time of 2 hours, and click Save.
7. In Common Configuration, click Firewall Settings. Under Create / Assign firewall-zone, select unspecified -or- create and enter guestsid as the name of the new firewall zone. Click Save.
8. Next click Network -> Firewall. Make sure Enable SYN-flood protection is checked. Click the Edit button against guestsid under Zones.
9. Set up the zone. Name is guestsid; set Input to Reject, Output to Accept and Forward to Reject; Covered Networks is GuestsID. Input Reject means guest clients cannot talk to the router itself (LuCI, SSH and so on) except through the rules added in the next two steps, and Forward Reject means they cannot reach any other zone unless explicitly allowed. Then set the Inter-Zone Forwarding: under Allow forward to destination zones, check wan. Click Save.
10. Now add the firewall rule that allows DNS traffic. Without it, guest clients cannot resolve names through the router, because the zone's Input policy rejects everything sent to the router, so in practice they cannot use the internet. So open destination port 53 on the router for the guestsid zone. Click Traffic Rules, scroll down to Open ports on router, give the rule a name (here GuestSID-DNS), select TCP+UDP for Protocol and type 53 in External port. Click Add; the rule appears in the list of rules. Click Edit on GuestSID-DNS, change Source zone to guestsid and click Save.
11. Now add the rule that allows DHCP, for the same reason. Click Traffic Rules, scroll down to Open ports on router, name the rule GuestSID-DHCP, select UDP for Protocol and type 67-68 in External port. It should look like the rule in the figure above. Click Add; the rule appears in the list of rules. Click Edit on GuestSID-DHCP, change Source zone to guestsid and click Save. Verify that the rule is created correctly.
12. Scroll to the top of the browser page and click Unsaved Changes at the top right. Scroll down the page and click Save & Apply. The changes are applied and the isolated guest network can now be tested. Reboot the router from System -> Reboot by clicking Perform Reboot.
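The twelve LuCI steps above, expressed as the equivalent UCI configuration. This is an added example and not code from the original page: it emits a `uci batch` script rather than applying it, so the result can be reviewed first and then piped into `uci batch` on the router (after the backup in step 1). Assumptions that the page does not state: the radio is `radio0`, the guest subnet is 192.168.3.0/24 with the router at 192.168.3.1, the DHCP pool size and the passphrase are placeholders, and the wan zone keeps OpenWrt's default masquerading. It also goes one step beyond the page by setting `isolate`, hostapd's client-isolation option, so guest clients cannot see each other either; drop that line if you want the behaviour the page describes.

```shell
#!/bin/sh
# Added example: the guest-network setup as UCI commands.
# Assumed values (not from the page): radio0, 192.168.3.0/24, pool size, passphrase.
GUEST_SSID="GuestsID"
GUEST_NET="GuestsID"                      # logical interface name (step 3)
GUEST_ZONE="guestsid"                     # firewall zone name (step 7)
GUEST_IP="192.168.3.1"                    # assumed; must not overlap the main LAN
GUEST_MASK="255.255.255.0"
GUEST_LEASE="2h"                          # lease time from step 6
GUEST_KEY="${GUEST_KEY:-replace-me-with-a-long-random-passphrase}"

# Print the uci batch script, one command per line. Nothing is changed here;
# review the output, then apply it with:  guest_uci_batch | uci batch
guest_uci_batch() {
  cat <<EOF
set wireless.guest=wifi-iface
set wireless.guest.device='radio0'
set wireless.guest.mode='ap'
set wireless.guest.network='${GUEST_NET}'
set wireless.guest.ssid='${GUEST_SSID}'
set wireless.guest.encryption='psk2+ccmp'
set wireless.guest.key='${GUEST_KEY}'
set wireless.guest.isolate='1'
set network.${GUEST_NET}=interface
set network.${GUEST_NET}.proto='static'
set network.${GUEST_NET}.ipaddr='${GUEST_IP}'
set network.${GUEST_NET}.netmask='${GUEST_MASK}'
set dhcp.${GUEST_NET}=dhcp
set dhcp.${GUEST_NET}.interface='${GUEST_NET}'
set dhcp.${GUEST_NET}.start='100'
set dhcp.${GUEST_NET}.limit='50'
set dhcp.${GUEST_NET}.leasetime='${GUEST_LEASE}'
add firewall zone
set firewall.@zone[-1].name='${GUEST_ZONE}'
set firewall.@zone[-1].network='${GUEST_NET}'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall forwarding
set firewall.@forwarding[-1].src='${GUEST_ZONE}'
set firewall.@forwarding[-1].dest='wan'
add firewall rule
set firewall.@rule[-1].name='${GUEST_ZONE}-DNS'
set firewall.@rule[-1].src='${GUEST_ZONE}'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='53'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='${GUEST_ZONE}-DHCP'
set firewall.@rule[-1].src='${GUEST_ZONE}'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='67-68'
set firewall.@rule[-1].target='ACCEPT'
commit wireless
commit network
commit dhcp
commit firewall
EOF
}

# True when the generated script contains the given line (fixed string).
guest_has() {
  guest_uci_batch | grep -qF -- "$1"
}

# Sanity check of the security-relevant settings before applying anything:
# router access rejected, inter-zone forwarding rejected, only wan allowed.
guest_check() {
  guest_has "set firewall.@zone[-1].input='REJECT'" &&
  guest_has "set firewall.@zone[-1].forward='REJECT'" &&
  guest_has "set firewall.@forwarding[-1].dest='wan'" &&
  guest_has "set wireless.guest.encryption='psk2+ccmp'"
}

# Apply on the router only; network, dnsmasq and firewall are reloaded so
# no reboot is needed. Returns 1 if uci is not available (not on OpenWrt).
guest_apply() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the OpenWrt router" >&2; return 1; }
  guest_check || { echo "generated config failed sanity check" >&2; return 1; }
  guest_uci_batch | uci batch &&
  /etc/init.d/network reload &&
  /etc/init.d/dnsmasq reload &&
  /etc/init.d/firewall reload
}
```

A rule with a source zone and no destination zone matches traffic addressed to the router itself, which is exactly what the "Open ports on router" form in steps 10 and 11 creates; the forwarding section is the "Allow forward to destination zones: wan" checkbox from step 9. Changing the guest password after a visit is then `uci set wireless.guest.key='...' && uci commit wireless && wifi reload`.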
Using the method above, you can set up as many isolated guest wireless networks as you like. After a guest leaves, feel free to change that guest network's password. Then test the firewall: connect a computer to the new GuestsID wireless network and try to ping a computer on the main home network; it should fail. Also check that the guest client can still resolve names and browse the internet, and that the router's own web interface is not reachable from the guest network, since the zone's Input policy is Reject.