Precedence Technologies Ltd
Technology House, 36a Union Lane
Cambridge, CB4 1QB, United Kingdom
T: +44 (0)8456 446 800 / +44 (0)1223 359900
E: enquiries@precedence.co.uk
Guest Wireless white-paper

Requirements

You have a wireless network with a specific VLAN used for guest access (configuring your wireless system and switches to do this is not covered in this document). When users connect to this wireless network, they should:

  • Have transparent Internet access without requiring a proxy to be set on the device
  • Have filtered access to the Internet
  • Be segregated and firewalled from the main LAN on a different IP address range
  • Be allocated an address by DHCP
  • Be unable to access any resources on the main LAN, e.g. fileservers, printers or web-servers

How to achieve this

N.B. This documentation is based on the NetManager having an up-to-date software release on it

Stage 1 - connect the NetManager to the configured VLAN

You need to configure your wireless system and switches so that guest wireless traffic reaches the main LAN interface on your NetManager tagged with a specific VLAN (VLAN ID 100 is used in this example). This will require you to create a VLAN on the switch(es). You can then either present that VLAN tagged on the port the NetManager is connected to (so the physical link is shared between the main LAN and the guest VLAN), or present it untagged on a separate port (so it appears to the NetManager as a separate physical interface). If the NetManager is virtualised, a virtual network is created connected to the guest VLAN and this appears to the NetManager as a separate network card. The procedure to set up the NetManager on the guest VLAN differs slightly between these cases, so there are two options below. In both cases the guest range must be separate from the main LAN range, because the firewalling in the later stages is done by address range.

If VLAN tagged on a shared interface:

  1. View network interfaces in webadmin by going to Network > Interfaces and noting the name of your internal interface. You can do this by looking at the IP addresses of your interfaces. We'll assume it is wm0.
  2. Pick an IP address range to be used for the guest network with a suitably large number of addresses. We'll pick 192.168.100.0/255.255.252.0 (192.168.100.0/22 in CIDR notation, the form used in the configuration file), which gives a usable range of 192.168.100.1-192.168.103.254. It must not overlap the main LAN range.
  3. Pick an IP address from the range for the NetManager. We'll pick 192.168.100.1.
  4. Create a virtual network interface on the NetManager connected to the relevant VLAN by adding the following to the main configuration file /etc/netmanager/netman.conf:
    interface_vlan="vlan100:wm0:100"
    
  5. Run build_server to make the configuration live (by running the relevant build scripts).
  6. Configure the new IP address on the vlan100 interface by using the standard configuration methods.
  7. Configure a DHCP range on the vlan100 interface. Leave the options as the default; the NetManager will automatically determine the right settings for firewalling, DNS and routers.
  8. Check a guest device can connect and get an IP address

If VLAN is untagged on a separate interface (or if NetManager is virtualised)

  1. View network interfaces in webadmin by going to Network > Interfaces and noting the name of interface connected to the VLAN. This will not have an existing IP address configured on it. We'll assume it is xennet2.
  2. Pick an IP address range to be used for the guest network with a suitably large number of addresses. We'll pick 192.168.100.0/255.255.252.0 (192.168.100.0/22 in CIDR notation, the form used in the configuration file), which gives a usable range of 192.168.100.1-192.168.103.254. It must not overlap the main LAN range.
  3. Pick an IP address from the range for the NetManager. We'll pick 192.168.100.1.
  4. Configure the new IP address on the xennet2 interface by using the standard configuration methods.
  5. Configure a DHCP range on the xennet2 interface. Leave the options as the default; the NetManager will automatically determine the right settings for firewalling, DNS and routers.
  6. Check a guest device can connect and get an IP address

If you do not want users on the guest VLAN to be able to easily resolve internal hostnames (this depends on whether you want them to use internal resources or not), we suggest the following changes:

  • Set DHCP option 6: DNS servers on the VLAN interface (e.g. vlan100 or xennet2) to external servers (e.g. Google's 8.8.8.8 and 8.8.4.4)
  • Set DHCP option 15: Domain name on the VLAN interface (e.g. vlan100 or xennet2) to something nonexistent (e.g. guest)
To do these in the NetManager configuration file, use the dhcp_<interface>_options setting for the guest interface, e.g. for xennet2:
dhcp_xennet2_options="domain-name-servers=8.8.8.8,8.8.4.4 domain-name=guest"

Note that this only changes what DHCP hands out: a guest device can still query the NetManager's own DNS server directly unless the guest range is kept out of the DNS trusted networks (see Stage 3).

Stage 2 - (Optionally) set up transparent proxying

You may or may not want to enforce web-filtering on your guest network. If so, using Transparent Proxying is probably easiest.

  • Look at Web Proxy > Ports in webadmin and determine a free port number. You need to pick one that is not going to be in use by any other service. We'll pick 8100 in this example.
  • Edit the NetManager configuration file and add a line similar to the following:
    nat_transparent="vlan100:80:8100"
    
  • Run build_server to make the configuration live (by running the relevant build scripts).

Now all traffic on TCP port 80 (http) going through the NetManager from the guest network will be internally redirected to proxy port 8100. Only the port named in nat_transparent is redirected, so with the line above HTTPS (port 443) is neither proxied nor filtered; whether it is passed at all is decided by the firewall rules in Stage 4.

Stage 2b - if proxy server separate from NetManager

If you have a separate proxy server doing your filtering rather than the main NetManager acting as your NAT gateway (and doing the transparent proxying above), you will need to alter the configuration on each.

  1. On the proxy server, create a new listening port (e.g. 3280).
  2. On the main NetManager, set the upstream proxy to be <proxy IP address> on the new port (e.g. 10.0.0.10:3280). You should not need any other rules or filters to be set.
  3. Back on the proxy, create a filter called Guest wifi based on Local port on proxy of your new port (e.g. 3280).
  4. Use this filter to override access rules as necessary by adding If not Guest wifi to the start of the rules. N.B. rules must be along the lines of Blocked if not Guest wifi and not Logged in, not Blocked if not Logged in and not Guest wifi. Examples of where this might be needed:

Stage 3 - Block access to main LAN

The firewalling on the NetManager will, by default, allow access to all locally attached LANs (except for a network attached only to the router). As the NetManager acts as a router itself, this will allow traffic to pass back and forth between the main LAN and the guest network. Similarly, the guest network will be allowed access to the following NetManager services:

  • SMTP (to send mail)
  • proxy (to fetch webpages)
  • tftp area over http (often used for ThinIT configuration)
  • NTP (setting time from NetManager)
  • Dynamic updates of DNS
  • iSCSI (if not locked down by IP range or IQN)
  • Backed up resources via rsync
  • Network shares

This is because the so-called trusted networks are given access to these resources and, by default, local LANs are automatically trusted (as well as VPN networks, etc.). By setting network ranges as untrusted, they will be removed from the list of trusted networks.

  • Go to Network > Interfaces in webadmin and click on the Trusted networks tab
  • The automatically determined list of trusted networks will be displayed in the Global Trusted Networks section at the top of the page
  • Pick the relevant guest network range and enter its details in the Untrusted Networks section. Network address and subnet mask must match exactly. Click Add
  • Ensure that the range is now greyed out or marked as Explicitly untrusted in the Global Trusted Networks section and displayed in the Untrusted Networks section
To do this in the NetManager configuration file, add the network range in CIDR format to untrusted_nets. This configuration option is space-separated e.g.
untrusted_nets="172.16.100.0/22 172.16.200.0/21"

Now you need to grant access to specific NetManager services that you want the guest network to be able to access. To do this, add the network ranges as trusted for those services as per-service trusted networks take precedence over global trusted and untrusted ranges.

If you wish to use the DNS server on the NetManager rather than an external one as suggested above, you will need to add the network to the DNS trusted range:

  • Go to Network > DNS in webadmin and click on the Trusted networks tab. In the DNS Trusted Networks table, enter the guest network range (exact network address and subnet mask). Click Add.
  • To do this in the NetManager configuration file, add the network range in CIDR format to dns_trusted_nets. This configuration option is space-separated e.g.
    dns_trusted_nets="172.16.100.0/22 172.16.200.0/21"
    

If using transparent proxying, you will need to grant access to the web-proxy (if you skip this step, you will get Access Denied in your browser). To do this, add the network ranges as trusted for the web-proxy :

  • Go to Web Proxy > Settings in webadmin and click on the Trusted networks tab. In the Proxy Server Trusted Networks table, enter the guest network range (exact network address and subnet mask). Click Add.
  • To do this in the NetManager configuration file, add the network range in CIDR format to squid_trusted_nets. This configuration option is space-separated e.g.
    squid_trusted_nets="172.16.100.0/22 172.16.200.0/21"
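The checks in Stages 1 to 3 can be run over a configuration fragment before build_server is invoked. The following is an added example, not Precedence's code: it parses only the key="value" options this article mentions, the sample fragment is constructed for the example, and the wording of the findings is this example's own.

```python
"""Check the guest-network options in a netman.conf fragment against the
article's rules: the guest range must not overlap the main LAN, must be in
untrusted_nets, must be in squid_trusted_nets if transparently proxied, and
must be in dns_trusted_nets unless DHCP points guests at external DNS."""
import ipaddress
import re

# Constructed sample fragment (not a real site's file).
SAMPLE_CONF = """
interface_vlan="vlan100:wm0:100"
dhcp_vlan100_options="domain-name-servers=8.8.8.8,8.8.4.4 domain-name=guest"
nat_transparent="vlan100:80:8100"
untrusted_nets="172.16.200.0/21"
dns_trusted_nets=""
squid_trusted_nets="172.16.200.0/21"
"""

_LINE = re.compile(r'^\s*([A-Za-z0-9_]+)="([^"]*)"\s*$')


def parse_conf(text):
    """Return {option: value} for every key="value" line; other lines are ignored."""
    conf = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def nets(conf, key):
    """Space-separated CIDR list -> list of ip_network objects (empty if unset)."""
    return [ipaddress.ip_network(n, strict=False) for n in conf.get(key, "").split()]


def covered(guest, net_list):
    """True if the whole guest range sits inside one entry (exact match or a supernet)."""
    return any(guest.subnet_of(n) for n in net_list)


def dhcp_dns(conf, iface):
    """DNS servers handed out by DHCP option 6 on iface; empty list means the default."""
    m = re.search(r"domain-name-servers=([0-9.,]+)", conf.get(f"dhcp_{iface}_options", ""))
    return [ipaddress.ip_address(a) for a in m.group(1).split(",")] if m else []


def check_guest(conf, iface, guest_cidr, main_lan_cidr):
    """Return a list of findings; an empty list means the fragment follows the article."""
    guest = ipaddress.ip_network(guest_cidr)
    main = ipaddress.ip_network(main_lan_cidr)
    findings = []
    if guest.overlaps(main):
        findings.append("guest range overlaps the main LAN; range-based firewalling cannot separate them")
    if not covered(guest, nets(conf, "untrusted_nets")):
        findings.append("guest range is not in untrusted_nets, so it is auto-trusted and gets "
                        "SMTP, proxy, NTP, shares, rsync and iSCSI access")
    proxied = any(s.startswith(iface + ":") for s in conf.get("nat_transparent", "").split())
    if proxied and not covered(guest, nets(conf, "squid_trusted_nets")):
        findings.append("transparent proxy is enabled but guest range is not in squid_trusted_nets "
                        "(browsers will see Access Denied)")
    servers = dhcp_dns(conf, iface)
    # No option 6, or servers inside the LAN/guest ranges, means guests use the NetManager DNS.
    uses_local_dns = not servers or any(s in main or s in guest for s in servers)
    if uses_local_dns and not covered(guest, nets(conf, "dns_trusted_nets")):
        findings.append("guests are pointed at the NetManager DNS but the range is not in dns_trusted_nets")
    return findings


if __name__ == "__main__":
    for f in check_guest(parse_conf(SAMPLE_CONF), "vlan100", "172.16.200.0/21", "10.0.0.0/16"):
        print("FINDING:", f)
```

Run it against a copy of /etc/netmanager/netman.conf with the guest interface, guest range and main LAN range for the site; the sample fragment produces no findings, and deleting the untrusted_nets entry produces the one that matters most, because an untrusted range that is missed silently becomes a trusted one.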
    

Stage 4 - Let required traffic in from the guest wireless

If you are going to give full Internet access to the guest network, you need to create two firewall rules: one to block access to the main network in a way that cannot be overridden later, and another to allow access to everything. (The NetManager firewall is ipf, in which a later matching rule normally overrides an earlier one; the quick keyword, set by the Stop checking if rule is matched box, makes the block rule final.)

To do this:

  1. Go to Network > Firewall in webadmin and click on the Custom configuration tab.
  2. Create a new rule with Block, In and Both from the guest network range to the main LAN range and Any port. Make sure you tick the Stop checking if rule is matched box.
  3. Create a second rule below with Allow, In and Both from the guest network range to Any address and Any port
Example lines in /etc/netmanager/ipf.additional:
##Comment##:Block Guest WiFi access to main LAN
block in quick from 172.16.200.0/21 to 10.0.0.0/16
##Comment##:Internet access for Guest WiFi
pass in from 172.16.200.0/21 to any keep state

If you want to give more fine-grained access, put the same block in place (one block line per main LAN range if you have several) and then allow only the specific traffic you want, e.g.

  • UDP and TCP port 53 for DNS
  • TCP 80 and 443 for web-access
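To see why the quick keyword matters, and to produce the fine-grained variant of the rules, the following added example (not NetManager's own code) generates the ipf.additional lines for a guest range and checks them against a small model of ipf's matching order: rules are tried top to bottom, the last matching rule wins, unless a matching rule is marked quick, which ends evaluation immediately. The sample packets, the service list and the decide() helper are this example's own; a packet matched by none of these lines is reported as None because its fate depends on the rest of the NetManager's generated ruleset.

```python
"""Generate the Stage 4 ipf rules and evaluate sample packets against them."""
import ipaddress

FULL_ACCESS = None                                   # single pass-everything rule
WEB_AND_DNS = [("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)]


def guest_rules(guest, lan_ranges, services=FULL_ACCESS):
    """Return ipf.additional lines: a quick block per main-LAN range, then either one
    pass-everything rule or one pass rule per allowed (proto, port)."""
    lines = []
    for lan in lan_ranges:
        lines.append("##Comment##:Block Guest WiFi access to main LAN")
        lines.append(f"block in quick from {guest} to {lan}")
    if services is FULL_ACCESS:
        lines.append("##Comment##:Internet access for Guest WiFi")
        lines.append(f"pass in from {guest} to any keep state")
    else:
        for proto, port in services:
            flags = " flags S" if proto == "tcp" else ""  # only new TCP connections create state
            lines.append(f"##Comment##:Guest WiFi {proto}/{port}")
            lines.append(f"pass in proto {proto} from {guest} to any port = {port}{flags} keep state")
    return lines


def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    """Parse the subset of ipf syntax that guest_rules() emits."""
    t = line.split()
    rule = {"action": t[0], "quick": "quick" in t, "proto": None, "port": None,
            "src": _net(t[t.index("from") + 1]), "dst": _net(t[t.index("to") + 1])}
    if "proto" in t:
        rule["proto"] = t[t.index("proto") + 1]
    if "port" in t:
        rule["port"] = int(t[t.index("port") + 2])       # skip the '='
    return rule


def load_rules(lines):
    """Skip ##Comment## lines, parse the rest."""
    return [parse_rule(l) for l in lines if not l.startswith("#")]


def packet(proto, src, dst, dport):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}


def _matches(rule, pkt):
    return ((rule["src"] is None or pkt["src"] in rule["src"])
            and (rule["dst"] is None or pkt["dst"] in rule["dst"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["port"] is None or rule["port"] == pkt["dport"]))


def decide(rules, pkt):
    """ipf order: last match wins unless a matching rule is quick. Returns
    'block', 'pass', or None when no rule in this list matched."""
    verdict = None
    for rule in rules:
        if _matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


if __name__ == "__main__":
    lines = guest_rules("172.16.200.0/21", ["10.0.0.0/16"])
    print("\n".join(lines))
    rules = load_rules(lines)
    print(decide(rules, packet("tcp", "172.16.201.7", "10.0.0.5", 445)))        # block
    print(decide(rules, packet("tcp", "172.16.201.7", "93.184.216.34", 443)))  # pass
    # Drop 'quick' and the later pass rule overrides the block: guest reaches the LAN.
    print(decide(load_rules(l.replace(" quick", "") for l in lines),
                 packet("tcp", "172.16.201.7", "10.0.0.5", 445)))              # pass
```

The third print is the failure mode the Stop checking if rule is matched box prevents: with the quick removed from the block line, the pass-everything rule underneath it is the last match and the guest network reaches the main LAN.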

Stage 5 - Filter access to intranet webservers (optional)

Stage 4 above blocks network traffic going between the main and guest networks. However, if web access is transparently proxied, the proxy on the NetManager will still grant access to webservers on the main LAN: the proxy fetches the page from the NetManager's own address, so the firewall rule matching the guest source range does not apply. If you don't want this:

  1. Go to Web Proxy > Filtering in webadmin
  2. Create a new filter of type Client IP addresses and enter the range of addresses on your guest network (in this example, 192.168.100.1-192.168.103.254). Call it Guest wireless
  3. Create a new filter of type Web server IP addresses and enter the range of addresses on your main LAN. Call it Main LAN webservers. You should probably omit the IP address of the NetManager (and any other servers you do want to give access to). This may require specifying multiple ranges (e.g. 10.0.0.2-10.0.0.9, 10.0.0.11-10.0.255.255 would exclude access to 10.0.0.1 and 10.0.0.10).
  4. On the Configure tab on Web Proxy > Settings page in webadmin, ensure that Always allow access to intranet (bypass filters)? is not ticked.
  5. Create an access rule with Blocked if Guest wireless and Main LAN webservers
  6. Remember to Make Changes Live
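Working out the split ranges by hand is error-prone once more than one server has to be left out. The following added example (not NetManager's code) builds both filter ranges from the network definitions and evaluates the access rule Blocked if Guest wireless and Main LAN webservers for a given client and server; the rule evaluation, including the effect of the intranet bypass option, is this example's own model of what the article describes.

```python
"""Build the Stage 5 filter ranges and evaluate the guest-to-intranet block rule."""
import ipaddress


def client_range(cidr):
    """Guest 'Client IP addresses' filter: first to last usable host of the range."""
    net = ipaddress.ip_network(cidr)
    return [(net.network_address + 1, net.broadcast_address - 1)]


def server_ranges(cidr, exclude=()):
    """'Web server IP addresses' filter covering the main LAN with the listed hosts
    (the NetManager, any servers guests may use) cut out, as a list of ranges."""
    net = ipaddress.ip_network(cidr)
    holes = sorted(ipaddress.ip_address(h) for h in exclude if ipaddress.ip_address(h) in net)
    ranges, start = [], net.network_address + 1            # skip the network address
    for hole in holes:
        if hole > start:
            ranges.append((start, hole - 1))
        start = hole + 1
    if start <= net.broadcast_address:
        ranges.append((start, net.broadcast_address))
    return ranges


def fmt(ranges):
    """Render as the 'a.b.c.d-w.x.y.z' strings typed into webadmin."""
    return ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


def in_ranges(ip, ranges):
    ip = ipaddress.ip_address(ip)
    return any(a <= ip <= b for a, b in ranges)


def proxy_blocks(client_ip, server_ip, guest, lan_servers, intranet_bypass=False):
    """True if the proxy should refuse the request: both filters match and
    'Always allow access to intranet (bypass filters)?' is unticked."""
    if intranet_bypass:
        return False   # the bypass defeats the rule, which is why the article says to untick it
    return in_ranges(client_ip, guest) and in_ranges(server_ip, lan_servers)


if __name__ == "__main__":
    guest = client_range("192.168.100.0/22")
    lan = server_ranges("10.0.0.0/16", ["10.0.0.1", "10.0.0.10"])
    print("Guest wireless:", fmt(guest))
    print("Main LAN webservers:", fmt(lan))
    print(proxy_blocks("192.168.102.40", "10.0.0.20", guest, lan))   # True
    print(proxy_blocks("192.168.102.40", "10.0.0.10", guest, lan))   # False: excluded server
```

Excluding a host by leaving it out of the Main LAN webservers filter is an allow decision, so keep the exclusion list to the NetManager itself and any servers guests are meant to reach, and re-run this after any change to the main LAN range.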
© Copyright Precedence Technologies 1999-2024
Page last modified on January 30, 2023, at 03:26 PM by sborrill