Wireless guest networks and DHCP
-
So I've got an interesting conundrum that I've run into involving my home network. I'm not sure exactly how to solve this.
So, I've got a standard wireless router plugged directly into the cable modem for internet access. I've got a bunch of devices internally on a 10.x.x.x subnet. One of them is a Windows Server machine I use as a DHCP server. This setup works fine. Here's the issue.
If I want to enable a guest network without access to the intranet, I have a problem. The intranet-access-blocked VLAN can't contact the DHCP server. So, the guest network is entirely useless, because clients won't get IP addresses.
I'm not sure exactly what to do - anyone have any ideas?
-
@sloosecannon The proper solution would be to run another DHCP server on the guest net. Unfortunately, with a consumer router, it's wildly unlikely that you can switch on DHCP just for the guest net.
-
Well, you need to setup VLANs and then isolate those from each other.
http://tomatousb.org/tut:two-isolated-separate-lan-subnets
My two cents.
edit: Urp, Windows as DHCP. well, there goes that idea.
@Weng said in Wireless guest networks and DHCP:
@sloosecannon The proper solution would be to run another DHCP server on the guest net. Unfortunately, with a consumer router, it's wildly unlikely that you can switch on DHCP just for the guest net.
Well, mine has that ability out of the box, I can put them on a timer, even. But I also shelled out a bit of money :)
-
You can split the difference, if a device that has access to the Guest network is capable of operating as a DHCP Relay server, and is allowed to communicate with the main network (either via a second interface or via a firewall / routing rule). The Relay is configured to request information from the Windows server, and you have a central repository for leases on both the standard and guest networks, but the guest network is still {physically|virtually} separated from the main network.
-
@Weng said in Wireless guest networks and DHCP:
@sloosecannon The proper solution would be to run another DHCP server on the guest net. Unfortunately, with a consumer router, it's wildly unlikely that you can switch on DHCP just for the guest net.
Hmm, that's the conclusion I came to as well. Unfortunately that's just not possible because it's wireless only (AFAIK I can't assign a port to the guest network).
@Rhywden said in Wireless guest networks and DHCP:
Well, you need to setup VLANs and then isolate those from each other.
http://tomatousb.org/tut:two-isolated-separate-lan-subnets
My two cents.
edit: Urp, Windows as DHCP. well, there goes that idea.
Unfortunately my router is a consumer grade (Asus RT-N66R) router, and VLANs would need to be done at the router level correct?
-
@sloosecannon said in Wireless guest networks and DHCP:
Unfortunately that's just not possible because it's wireless only (AFAIK I can't assign a port to the guest network).
That... is not true.
I have a Pi.
With wifi. Jesus that's hacky.
But I think it might work...
-
Dumb solution: RPi with a cheapie wireless doohickey = DHCP server.
-
@Weng said in Wireless guest networks and DHCP:
Dumb solution: RPi with a cheapie wireless doohickey = DHCP server.
Yeah that.
Well it's a Pi 3, so built-in WiFi. But yeah
-
@izzion said in Wireless guest networks and DHCP:
You can split the difference, if a device that has access to the Guest network is capable of operating as a DHCP Relay server, and is allowed to communicate with the main network (either via a second interface or via a firewall / routing rule). The Relay is configured to request information from the Windows server, and you have a central repository for leases on both the standard and guest networks, but the guest network is still {physically|virtually} separated from the main network.
That would probably be the easiest solution - a NAT'ed NAT
-
@Rhywden said in Wireless guest networks and DHCP:
@izzion said in Wireless guest networks and DHCP:
You can split the difference, if a device that has access to the Guest network is capable of operating as a DHCP Relay server, and is allowed to communicate with the main network (either via a second interface or via a firewall / routing rule). The Relay is configured to request information from the Windows server, and you have a central repository for leases on both the standard and guest networks, but the guest network is still {physically|virtually} separated from the main network.
That would probably be the easiest solution - a NAT'ed NAT
I thought about that too - can I force only routing to the main router's IP address? If I do that, I can use a shitty backup router with DDWRT as the guest network and force connections only to 10.25.1.1. But I don't really know routing all that well. I do know you can modify routing tables with DDWRT though.
-
@Weng said in Wireless guest networks and DHCP:
Dumb solution: RPi with a cheapie wireless doohickey = DHCP server.
Maybe even easier: The RPi acts as an access point (i.e. gets a WLAN dongle) and then simply drops all the packets which are not directed towards the WAN/router?
Don't ask me what iptables commands you'll need for that, though.
-
Also, if you have a small budget (say, $50ish), you could accomplish the split networks with a MikroTik router, in line as a non-NAT router for the main network, and then performing firewall + NAT for the guest net, so that the guest network can't talk to any main network device. Though at that point, the MT would become the wireless AP as well, so $50 might not cover it if you needed better coverage than their base model.
I guess what I'm trying to say is, there's a wide number of options here, if you want to hit me up with more details about your budget and requirements I'd be happy to provide some suggestions.
-
@izzion said in Wireless guest networks and DHCP:
Also, if you have a small budget (say, $50ish), you could accomplish the split networks with a MikroTik router, in line as a non-NAT router for the main network, and then performing firewall + NAT for the guest net, so that the guest network can't talk to any main network device. Though at that point, the MT would become the wireless AP as well, so $50 might not cover it if you needed better coverage than their base model.
I guess what I'm trying to say is, there's a wide number of options here, if you want to hit me up with more details about your budget and requirements I'd be happy to provide some suggestions.
I don't have much of a budget, but I do have a good handful of consumer-grade routers that can be flashed with DD-WRT. I also have a Pi I can use with the project, so I have some stuff I can work with.
-
[AP] ---- [DHCP] ---- local net ---- [WLAN router]
The DHCP device needs 2 net interfaces, but as people mentioned here, a system-on-chip computer should already have a built in WIFI.
That device also sets the VLAN id on any packets coming from the AP.
-
@Adynathos said in Wireless guest networks and DHCP:
[AP] ---- [DHCP] ---- local net ---- [WLAN router]
The DHCP device needs 2 net interfaces, but as people mentioned here, a system-on-chip computer should already have a built in WIFI.
That device also sets the VLAN id on any packets coming from the AP.
I think now that a VLAN isn't even necessary for this level of security. The AP already has full control over what gets routed from the LAN into the WLAN, so let the AP do the sorting - as the requirement is merely "Can talk to the router", we can simply drop everything else.
-
@Rhywden said in Wireless guest networks and DHCP:
@Adynathos said in Wireless guest networks and DHCP:
[AP] ---- [DHCP] ---- local net ---- [WLAN router]
The DHCP device needs 2 net interfaces, but as people mentioned here, a system-on-chip computer should already have a built in WIFI.
That device also sets the VLAN id on any packets coming from the AP.
I think now that a VLAN isn't even necessary for this level of security. The AP already has full control over what gets routed from the LAN into the WLAN, so let the AP do the sorting - as the requirement is merely "Can talk to the router", we can simply drop everything else.
Hmm, yeah, I like that idea. Would it be better to use a Pi or a "real" router with ddwrt for that though? I've got both available to use...
-
@sloosecannon said in Wireless guest networks and DHCP:
@Rhywden said in Wireless guest networks and DHCP:
@Adynathos said in Wireless guest networks and DHCP:
[AP] ---- [DHCP] ---- local net ---- [WLAN router]
The DHCP device needs 2 net interfaces, but as people mentioned here, a system-on-chip computer should already have a built in WIFI.
That device also sets the VLAN id on any packets coming from the AP.
I think now that a VLAN isn't even necessary for this level of security. The AP already has full control over what gets routed from the LAN into the WLAN, so let the AP do the sorting - as the requirement is merely "Can talk to the router", we can simply drop everything else.
Hmm, yeah, I like that idea. Would it be better to use a Pi or a "real" router with ddwrt for that though? I've got both available to use...
Depends on what kind of throughput you want to achieve? The "real" router should have a better antenna and LAN interface, but aside from that, the RPi might even be more powerful on the CPU / RAM side.
-
OT1H, the real router is going to have CPU and wireless hardware optimized for operating as an AP, whereas the Pi's wireless card is likely optimized for being a client. OTOH, very few router models are actually fully compatible with / supported by DDWRT, so that's going to be a challenge to deal with. I think this is gonna fall into a "try both and see" situation.
-
@izzion said in Wireless guest networks and DHCP:
OT1H, the real router is going to have CPU and wireless hardware optimized for operating as an AP, whereas the Pi's wireless card is likely optimized for being a client. OTOH, very few router models are actually fully compatible with / supported by DDWRT, so that's going to be a challenge to deal with. I think this is gonna fall into a "try both and see" situation.
Unless he's having clients in the double-digits connecting to that thing, I don't think CPU and RAM will really matter - I remember from my time as an admin at our students' dorm that our router wasn't really taxed by doing the routing for 500 clients, 2% CPU time was the maximum.
Granted, it was a DualXeon but still.
Got that up to 30% by doing DPI.
-
@Rhywden said in Wireless guest networks and DHCP:
@sloosecannon said in Wireless guest networks and DHCP:
@Rhywden said in Wireless guest networks and DHCP:
@Adynathos said in Wireless guest networks and DHCP:
[AP] ---- [DHCP] ---- local net ---- [WLAN router]
The DHCP device needs 2 net interfaces, but as people mentioned here, a system-on-chip computer should already have a built in WIFI.
That device also sets the VLAN id on any packets coming from the AP.
I think now that a VLAN isn't even necessary for this level of security. The AP already has full control over what gets routed from the LAN into the WLAN, so let the AP do the sorting - as the requirement is merely "Can talk to the router", we can simply drop everything else.
Hmm, yeah, I like that idea. Would it be better to use a Pi or a "real" router with ddwrt for that though? I've got both available to use...
Depends on what kind of throughput you want to achieve? The "real" router should have a better antenna and LAN interface, but aside from that, the RPi might even be more powerful on the CPU / RAM side.
Hmm yeah, I'll probably do the Pi.
I really wish iptables wasn't used for firewalls right now, because all the results I'm finding are for how to make iptables only accept SSH connections from a single IP address
-
The only difference between accepting from one address and accepting from many is what you pass to the -s parameter.
That said, it's generally accepted wisdom that you don't want to accept SSH connections except from a tightly controlled set of addresses. If you leave SSH open to God and everyone, eventually you will have {North Koreans|Chinese|Russians} in control of your server.
-
@sloosecannon https://wiki.archlinux.org/index.php/Uncomplicated_Firewall#Black_listing_IP_addresses
-
@izzion said in Wireless guest networks and DHCP:
That said, it's generally accepted wisdom that you don't want to accept SSH connections except from a tightly controlled set of addresses. If you leave SSH open to God and everyone, eventually you will have {North Koreans|Chinese|Russians} in control of your server.
Well I just use public key auth...
But yeah, I'm trying to find results on how to only allow packets to route through an iptables nat to one IP...
-
@Rhywden said in Wireless guest networks and DHCP:
@sloosecannon https://wiki.archlinux.org/index.php/Uncomplicated_Firewall#Black_listing_IP_addresses
Hmm, would that block routing to the main router too though?
-
@sloosecannon http://unix.stackexchange.com/questions/11851/iptables-allow-certain-ips-and-block-all-other-connection
-
@sloosecannon said in Wireless guest networks and DHCP:
But yeah, I'm trying to find results on how to only allow packets to route through an iptables nat to one IP...
Two options for that.
Door #1: drop unacceptable traffic (-s guest.net/24 -d main.net/24) in the filter chains. It's been a while since I've set up this sort of firewall rule, but it's generally best to run this sort of matching rule on the INPUT chain, to prevent the traffic from being handled by as many router facilities as possible.
Door #2: modify your NAT rule so that it only matches specific traffic, and doesn't match traffic destined for the main net. This is a little harder to set up, but can be useful so that you can initiate connections from the main network to the guest network, and response traffic will still work -- generally, the NAT chains only get run for "new" traffic, since response traffic to connections from the main network will already have a NAT table entry from the initial pass through.
In general, Door #1 is the better option. And it can be extended within native iptables rules so that response traffic for managing guest devices from the main network is possible, it's just a bit of extra code to specify NEW connections in your drop rule (allow ESTABLISHED, RELATED through).
-
Also, if you do your traffic filtering in the INPUT chain, that runs pre-NAT, so you drop traffic to the main net (but Internet traffic passes through), and then stuff gets NAT'd and it doesn't look like it's coming from the guest net any more anyways.
-
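As an added worked example (not posted by anyone in the thread), here is the "Door #1" ruleset from the two posts above, written for a Raspberry Pi acting as the guest access point. Everything beyond what the thread states is an assumption for the example: wlan0 is the Pi's Wi-Fi in AP mode for guests, eth0 is its wired leg on the main LAN, dnsmasq on the Pi hands out guest leases and answers guest DNS, the guest subnet is 192.168.50.0/24, and the main LAN is 10.25.1.0/24 (the thread only names the router at 10.25.1.1). One design note: traffic the Pi routes between its two interfaces traverses the FORWARD chain, while INPUT only sees packets addressed to the Pi itself, so the guest-to-main drop lives in FORWARD and INPUT is used to limit what guests may ask of the Pi (DHCP and DNS). The ESTABLISHED,RELATED rule ahead of the NEW-state drop is the extension izzion describes: the main LAN can still initiate connections to guest devices and get replies back.

```shell
#!/bin/sh
# Added example, not from the thread. Guest Wi-Fi on a Raspberry Pi:
# guests get Internet through the main router but cannot open connections
# to anything on the main LAN, the router's own address included.
# Assumed (constructed) values; override via environment if yours differ.
GUEST_IF="${GUEST_IF:-wlan0}"              # Pi Wi-Fi in AP mode (guests)
UPLINK_IF="${UPLINK_IF:-eth0}"             # Pi wired leg on the main LAN
GUEST_NET="${GUEST_NET:-192.168.50.0/24}"  # assumed guest subnet (dnsmasq on the Pi)
MAIN_NET="${MAIN_NET:-10.25.1.0/24}"       # assumed main LAN; thread names router 10.25.1.1
IPT="${IPT:-iptables}"                     # set IPT=echo to dry-run (print rules only)

guest_firewall_rules() {
    # Clean slate, deny-by-default for routed traffic.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD DROP

    # --- INPUT: packets addressed to the Pi itself ---
    # Guests may only use the Pi for DHCP (udp/67) and DNS (udp+tcp/53).
    # The DHCP rule has no source match on purpose: DISCOVER comes from 0.0.0.0.
    "$IPT" -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    "$IPT" -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$GUEST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$GUEST_IF" -j DROP

    # --- FORWARD: packets routed between wlan0 and eth0 ---
    # Replies to already-allowed connections pass first, so the main LAN can
    # reach guest devices for management and still get answers back.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Door #1: guests may not open connections to the main LAN.
    "$IPT" -A FORWARD -i "$GUEST_IF" -s "$GUEST_NET" -d "$MAIN_NET" \
        -m conntrack --ctstate NEW -j DROP
    # Anything else from the guest side goes out the uplink (Internet via the router).
    "$IPT" -A FORWARD -i "$GUEST_IF" -o "$UPLINK_IF" -s "$GUEST_NET" -j ACCEPT
    # Main LAN may initiate toward guest devices; remove this line if unwanted.
    "$IPT" -A FORWARD -i "$UPLINK_IF" -o "$GUEST_IF" -s "$MAIN_NET" -d "$GUEST_NET" -j ACCEPT

    # --- NAT: the "NAT'ed NAT" ---
    # Guest traffic leaves with the Pi's eth0 address, so the main router
    # never sees guest addresses and needs no route back to the guest subnet.
    "$IPT" -t nat -A POSTROUTING -o "$UPLINK_IF" -s "$GUEST_NET" -j MASQUERADE
}

# The kernel must forward between interfaces for FORWARD rules to matter.
enable_forwarding() {
    if [ "$IPT" = iptables ]; then
        sysctl -w net.ipv4.ip_forward=1
    else
        echo sysctl -w net.ipv4.ip_forward=1
    fi
}

# Usage (as root): ./guest-fw.sh        applies the rules
#                  IPT=echo ./guest-fw.sh   prints them for review
# enable_forwarding; guest_firewall_rules
```

Run it with IPT=echo first and read the printed rules; once applied, make them persistent with whatever your distribution uses to save iptables rules at boot. Because guests are blocked from reaching 10.25.1.1 directly, the Pi's own dnsmasq must be the DNS server handed out in guest leases, and it forwards upstream from the Pi (OUTPUT chain, not FORWARD), which is why the INPUT rules admit port 53 from the guest side.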
Why use the Windows Server for DHCP? Why not just enable it in the router and be done with it?
If you were using the Windows Server because you want to assign static IPs to some devices, you can probably do that in the wireless router's LAN config page.
-
@anotherusername said in Wireless guest networks and DHCP:
Why use the Windows Server for DHCP? Why not just enable it in the router and be done with it?
If you were using the Windows Server because you want to assign static IPs to some devices, you can probably do that in the wireless router's LAN config page.
Because I'm also using Windows Server for WDS and it doesn't behave if it's not the DHCP server
-
@sloosecannon said in Wireless guest networks and DHCP:
@anotherusername said in Wireless guest networks and DHCP:
Why use the Windows Server for DHCP? Why not just enable it in the router and be done with it?
If you were using the Windows Server because you want to assign static IPs to some devices, you can probably do that in the wireless router's LAN config page.
Because I'm also using Windows Server for WDS and it doesn't behave if it's not the DHCP server
-
@anotherusername said in Wireless guest networks and DHCP:
@sloosecannon said in Wireless guest networks and DHCP:
@anotherusername said in Wireless guest networks and DHCP:
Why use the Windows Server for DHCP? Why not just enable it in the router and be done with it?
If you were using the Windows Server because you want to assign static IPs to some devices, you can probably do that in the wireless router's LAN config page.
Because I'm also using Windows Server for WDS and it doesn't behave if it's not the DHCP server
Yeah......
It's really useful though!
-
@izzion said in Wireless guest networks and DHCP:
If you leave SSH open to God and everyone, eventually you will have {North Koreans|Chinese|Russians} in control of your server.
I see that advice a lot, but surely it's only true if you leave password access enabled and use a really shit password?
-
@flabdablet said in Wireless guest networks and DHCP:
if you leave password access enabled
But... But... Key authentication is so hard to set up you guise!
-
@flabdablet Once you're using keys like Holy Dennis intended, you can also use things like an aggressive fail2ban configuration to strengthen security further.
-
@sloosecannon said in Wireless guest networks and DHCP:
@anotherusername said in Wireless guest networks and DHCP:
Why use the Windows Server for DHCP? Why not just enable it in the router and be done with it?
If you were using the Windows Server because you want to assign static IPs to some devices, you can probably do that in the wireless router's LAN config page.
Because I'm also using Windows Server for WDS and it doesn't behave if it's not the DHCP server
Yeah... Mine won't start for nothing, I gave up after three days of tweaking... 👨
-
I think it's generally a safe assumption that if someone's lazy enough to not set up fail2ban or some other sort of restrictions on who can access, they're probably also lazy enough to leave password access enabled.
-
@izzion At my home, which is obviously completely under my control, I've exposed my ssh server on a randomly chosen high port number. Result: no ssh probes at all, ever.
At work, where ssh has to be on port 22 because reasons, I've installed fail2ban and set it to block for a month on three failed logins within 24 hours. Result: /var/log/syslog is no longer diluted to an irritating extent with ssh login failures.
I've left password login enabled on both networks. I use key login as a convenience feature, not so much as a security feature; on machines I log in from frequently, it's nice not to need to bother supplying a password. But it's also nice to be able to log in from boxes that don't have my ssh keys stored on them.
I use a randomly generated password with roughly 60 bits of entropy. That wouldn't be enough to resist any kind of offline crack, but I think it's plenty for ssh's own rate-limited password check.
-
@flabdablet said in Wireless guest networks and DHCP:
I use a randomly generated password with roughly 60 bits of entropy.
On all the accounts or just the one you normally log into?
-
@ben_lubar said in Wireless guest networks and DHCP:
@flabdablet said in Wireless guest networks and DHCP:
I use a randomly generated password with roughly 60 bits of entropy.
On all the accounts or just the one you normally log into?
I frequently log into all of those, so each of them has its own password of about that strength.