Guest Network

spammy

I have a (possibly?) peculiar setup:

- A virtual host running:
|--- A virtual server running DNSMasq

- An ISP-provided router, with DHCP/DNS disabled

- A Wireless Access Point (actually, an aftermarket router) with a single Ethernet cable connected to one of the LAN ports (as opposed to the WAN port).

These are all connected via an unmanaged switch. I'm using 10.10.0.0/16 for my network, and all of my permanent hosts have statically assigned IP addresses via the DNSMasq server. My DNSMasq config also allows unknown hosts to get an IP address, in the range 10.10.99.0-10.10.99.50.

Everything works well, and all clients (static and dynamic) can see the network, and the internet. My Wifi access point doesn't support multiple SSIDs (unless I flash OpenWRT which is a last resort option).

What I want is for those hosts dynamically assigned an IP to ONLY have internet access (i.e. nothing on the LAN).

1) is this possible?
2) is this worth it (i.e. can clients just reconfigure themselves to get LAN access anyway?)
3) what would the approach be?

I think I have a sound theoretical approach involving vlans, bridges (on the DNSMasq server maybe) and DNSMasq assigning IPs on a different subnet, but I'm struggling to actually put it all together.

Any tips?
 
There are several ways to do what you want. Probably the least expensive and easiest way is to just get a new Wireless AP. There are probably many but the one I am familiar with is the Ubiquiti Unifi APs. They can support up to 4 SSIDs. One really nice thing about their APs is that you can set up guest networks and assign them to an SSID. Then you can segregate them either by VLAN (which would require a router) or you can use the built-in feature in the AP. With the built-in feature you can tell the AP what the guest network is allowed to see. Meaning you can even assign the same IP range and VLAN to all users but on the guest SSID you tell the AP that the clients can only see their IP address and the internet. Thus they cannot see other things even on their subnet. Another nice thing is the Ubiquiti APs are pro level gear, not consumer level. I have found them to be rock solid (I have had one in my house up now for 8 months without a reboot and no problems). They also can handle more clients at one time than a typical consumer AP.
 
Yes.

Maybe, only you can answer that question.

You have a couple of options. Get a new router that has a guest network and network segregation. Or possibly your existing router might have network segregation (i.e., WLAN can only get to the internet). My Netgear 3500L has both (you can do a guest network, but you can also set the guest network AND/OR the primary network to network segregation mode).

Alternately, you can get a router/AP that supports VLANs and then get a managed switch that does VLANs and control access that way.

Lastly you can get another router and do cascading routers. Set the WLAN router as the primary out to the internet and then set your wired LAN behind the second router with the WAN port connected to router 1 (the WLAN router)'s LAN port.

Really, just get a router/AP that supports guest networks and network segregation.
 
I'm assuming your DNSmasq server is a Linux box. You should be able to do this through dhcpd configuration. If your router is the DHCP server you would disable that and run a DHCP server on the Linux box and configure it to only allow known clients. The link below should get you started if you decide to test it out.

Ubuntu Secure DHCP
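
Restricting DHCP to known clients, as the reply above suggests, controls who is handed an address, not who can use one, which is the concern behind question 2 in the original post. As an added example (not code from any poster in this thread), this Python script cross-checks the neighbour table seen on the dnsmasq host against the reservations and the lease file and flags clients using an address they were never given; the MACs, lease line, `ip neigh` lines and the `RESERVED` map (a stand-in for the `dhcp-host` entries) are constructed assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("10.10.0.0/16")        # LAN from the original post
POOL = (ipaddress.ip_address("10.10.99.0"),       # dynamic range from the original post
        ipaddress.ip_address("10.10.99.50"))

def parse_leases(text):
    """dnsmasq lease file, '<expiry> <mac> <ip> <host> <client-id>' -> {ip: mac}."""
    leases = {}
    for fields in map(str.split, text.splitlines()):
        if len(fields) >= 3:
            leases[ipaddress.ip_address(fields[2])] = fields[1].lower()
    return leases

def parse_neigh(text):
    """`ip neigh show` output -> [(ip, mac)]; entries without lladdr are skipped."""
    seen = []
    for fields in map(str.split, text.splitlines()):
        if "lladdr" in fields:
            mac = fields[fields.index("lladdr") + 1].lower()
            seen.append((ipaddress.ip_address(fields[0]), mac))
    return seen

def classify(ip, mac, reserved, leases):
    """reserved: {mac: ip} mirroring the dhcp-host reservations (assumed input)."""
    if ip not in LAN:
        return "off-lan"
    if reserved.get(mac) == ip:
        return "known"
    if POOL[0] <= ip <= POOL[1] and leases.get(ip) == mac:
        return "guest"
    # On the LAN with an address dnsmasq never gave this MAC: configured by hand.
    return "self-assigned"

def audit(neigh_text, lease_text, reserved):
    leases = parse_leases(lease_text)
    return {(str(ip), mac): classify(ip, mac, reserved, leases)
            for ip, mac in parse_neigh(neigh_text)}

# Constructed sample data (not from the thread).
RESERVED = {"52:54:00:aa:00:01": ipaddress.ip_address("10.10.0.10")}
LEASES = "1700000000 52:54:00:bb:00:02 10.10.99.12 phone 01:52:54:00:bb:00:02\n"
NEIGH = """10.10.0.10 dev eth0 lladdr 52:54:00:aa:00:01 REACHABLE
10.10.99.12 dev eth0 lladdr 52:54:00:bb:00:02 STALE
10.10.0.77 dev eth0 lladdr 52:54:00:cc:00:03 REACHABLE
10.10.0.9 dev eth0 FAILED"""

if __name__ == "__main__":
    for key, verdict in audit(NEIGH, LEASES, RESERVED).items():
        print(key, verdict)
```

A MAC address is whatever the client says it is, so this check is a tripwire rather than enforcement; actual isolation still needs the AP-level or VLAN separation described in the other replies.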
 
