How to create a wireless guest network using Omada EAPs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

How to create a wireless guest network using Omada EAPs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
How to create a wireless guest network using Omada EAPs
How to create a wireless guest network using Omada EAPs
2019-11-11 21:55:49 - last edited 2022-06-26 05:01:54

This HowTo describes how to create a wireless guest network using Omada EAPs and Omada Controller.

 

There are several ways to set up an isolated guest network on EAPs depending on your requirements and the devices you have available:

 

  1. You have a home router from your ISP and either an Omada Software Controller or an OC200 Cloud Controller. You want a guest network for friends visiting you.
  2. You have a business-class VLAN-aware router which allows multiple networks, a managed switch and an Omada Controller. You want a guest network for the broader public.
  3. You have a business-class router which supports Multi-Nets-NAT, a L2+/L3 switch and an Omada Controller. You want a guest network for the broader public.

 

 

Method 1: You have a home router from your ISP

 

This is the easiest setup suitable for home users whose router doesn't support VLANs or who don't own / want to buy a managed switch. You can define a guest network with a single click in Omada Controller, so no hassle setting up separate networks, VLANs, firewall zones etc.

 

First, create an additional SSID, say Guests, in Omada Controller's »Wireless Settings → Basic Wireless Settings« menu. Define a WLAN name (SSID) and check the »Guest Network« box to enable guest network settings. This will enable wireless client isolation as well as an access control list (ACL) to block all private (RF1918) IPs. Set »Security Mode« to either None or a WPA2 encryption depending on your needs:

 

 

 

Next, go to »Wireless ControlPortal« and create a portal for your guest network if you did choose None as »Security Mode« for the SSID. You might want an easy way for your friends to log into the guest network, so choose »Simple Password« for the authentication type. For some fun, choose the word »secret« as password and observe the reactions from your friends when telling them that the password is secret:

 

 

That's it. You now have a guest network. The »Wireless Settings« should look like this:

 

 

 

 

The Pros and Cons of this guest network setup are:

Easy to set up.

No managed switch needed.

No router settings needed.

No separate broadcast domains, non-IP traffic from the guest network will pass through to the private network.

 

To be precise, you created a guest SSID in addition to your private SSID. Both SSIDs use the same network, so non-IP traffic between the guest SSID and the LAN can still pass through. Thus, if someone with (valid) access to the guest SSID uses a network scanner, he/she can discover your LAN devices:

 

 

 

But IP access from the guest SSID to LAN devices (or to other wireless devices associated with the private or even the guest SSID) is not possible.

 

If you have friends doing network scans on your LAN – I would unfriend them then :-) – or if you are concerned with this for any reason, see the next method to deploy a more strictly isolated guest network using VLANs.

 

 

Method 2: You have a VLAN-aware router which allows multiple networks

 

This method implements a more strictly isolated guest network, not only a guest SSID. It requires much more steps as in the first method to set it up and to secure it.

 

First, let's have a look at the network topology. We will create two local networks »lan« and »guest« on our router for two SSIDs »PrivateNet« and »GuestNet«. For this, we need to create two interfaces, two VLANs and two firewall zones with appropriate rules to control access. We use VLAN trunks to connect the router and the EAP(s) to the managed Ethernet switch: 

 

 

Router configuration

 

First, we set up the router. There are many routers to choose from, for simplicity I will show a router running OpenWrt (a Linux for embedded systems) on a spare TL-WDR4300 laying around here, but you can use any other router or wireless router which can be configured to such a detail. Configuration in OpenWrt is straightforward. Let's define a new network interface »guest« in addition to the existing WAN and LAN interfaces in file /etc/config/networks

 

# WAN: VLAN 2

config interface   'wan'
    option ifname  'eth0.2'
    option proto   'dhcp'

 

# LAN: VLAN 1

config interface   'lan'
    option ifname  'eth0.1'
    option proto   'static'
    option ipaddr  '192.168.1.1'
    option netmask '255.255.255.0'

 

# GUEST: VLAN 3

config interface   'guest'
    option ifname  'eth0.3'
    option proto   'static'

    option ipaddr  '192.168.3.1'
    option netmask '255.255.255.0'

 

The WDR4300 ha a built-in switch which is VLAN-aware. The WAN port (#1 in the switch) is assigned to interface wan and the four LAN ports (#2 to #5 in the switch) are assigned to the interface lan by default. The switch port #0 is an internal (tagged trunk) link from the switch chip to the CPU. A tagged port is marked with the letter »t« following the number.

 

We want to define a tagged port with membership in both VLANs associated with the LAN and GUEST networks (a so-called »trunk« port).

 

If you want, you can additionally assign another port to the GUEST network instead of the LAN network (a so-called »access« port). This can be handy if you want to connect a wired device to the GUEST network, be it a designated »surf station« or to just test the GUEST network using a laptop connected via cable to the router.

 

First, we need to define a GUEST VLAN. I choose VLAN ID 3 for the GUEST VLAN. This is the second section in file /etc/config/networks:

 

config switch
    option name   'eth0'
    option reset  '1'
    option enable_vlan '1'

 

config switch_vlan
    option device 'eth0'
    option vlan   '2'
    option ports  '1 0t'

 

config switch_vlan
    option device 'eth0'
    option v
lan   '1'
    option ports  '
2t 3 4 5 0t'

 

config switch_vlan
    option device 'eth0'
    option vlan   '3'
    option ports  '2t 0t'

 

The option vlan in the switch_vlan section defines the VLAN ID. Option device defines the physical parent device of the VLAN, it's eth0. The virtual interface will be this name with the number from option vlan appended (e.g. eth0.3).

 

The ports option lists the ports which are member of this VLAN. Port 2 is the switch's internal notation for the physical LAN port #1 (just to remind you: switch port 0 is the CPU trunk, port 1 is the physical WAN port labeled »Internet«, port 2 is LAN port labeled #1, port 3 is LAN port labeled #2 and so on).

 

Note that port 2 (LAN#1) is set to »tagged« by adding the letter »t« and it becomes a trunk port by adding the port to more than one VLAN, here VLANs 1 and 3.

 

All VLANs always need to connect to the CPU (port 0), thus for the guest VLAN 3 the ports option is: '2t 0t'.

 

If you want to assign port 3 (LAN#2) to the GUEST network as an »untagged« access port, the ports option would be: '2t 3 0t'. In this case you must delete port 3 from the LAN network (VLAN 1), thus its port option would be: '2t 4 5 0t'.

 

Really easy. We now have a new network interface and assigned it a trunk port to be connected later with the managed switch, so we just need one cable. 

 

Next, we set up an additional DHCP server for our new network in /etc/config/dhcp:

 

config dhcp 'wan'
    option interface 'wan'
    option ignore    '1'

 

config dhcp 'lan'
    option interface 'lan'
    option start     '10'
    option limit     '240'
    option leasetime '24h'
    option force     '1'

 

config dhcp 'guest'
    option interface 'guest'
    option start     '10'
    option limit     '240'
    option leasetime '4h'

 

Done. start denotes the first available IP in the DHCP pool, limit is the number of IPs in this pool. Thus, we defined 240 addresses in the IP range 192.168.3.10 to 192.168.3.249 as available for DHCP leases.

 

The last config on the router is a firewall zone for the guest network. This is defined in /etc/config/firewall:

 

config zone
    option name    'lan'
    option network 'lan'
    option input   'ACCEPT'
    option output  'ACCEPT'
    option forward 'ACCEPT'

 

config zone
    option name    'guest'
    option network 'guest'
    option input   'ACCEPT'
    option output  'ACCEPT'
    option forward 'REJECT'

 

Option network assigns the guest network to the new firewall zone guest. Input/output from this zone to the router will be accepted (we need DHCP at least), but inter-zone forwarding will be rejected by default. To be able to grant guests access to the Internet after they logged into the Omada Wireless Captive Portal we need to permit forwarding from the guest into the wan zone:

 

config forwarding
    option src  'guest'
    option dest 'wan'

 

Since this is a stateful firewall, we don't need no other rule for traffic flowing back from wan to guest after a connection has been established successfully.

 

But we need to grant guests access to the Omada Controller's portal page. Omada Controller resides in the LAN network and will have static IP 192.168.1.46, so we define another (very limited) forwarding rule:

 

config rule
    option name    'AllowOC200'
    option src     'guest'
    option dest    'lan'
    option dest_ip '192.168.1.46'
    option dest_port '80'
    option proto   'tcp'
    option target  'ACCEPT'

 

Change dest_port 80 to dest_port 8088 if using the Omada Software Controller rather than an OC200.

 

That's all for the router. You might want to further limit access to the router's web UI from within the guest network if you plan to use the guest network using a cable over one of the remaining switch ports of the router, but for wireless clients we will limit access to the router's IP in Omada Controller anyway.

 

 

Managed switch configuration

 

Now we configure the managed switch. I use T1500G-10PS as an example. We have following port assignments:

 

 

 

  • Port 1/0/1 needs to be a tagged port which is member of VLANs 1 (LAN) and 3 (GUEST). It's the trunk to the router.
  • Port 1/0/2 needs to be an untagged port which is member of VLAN 1 only, it's PVID is 1. It's connected to Omada Controller.
  • Port 1/0/3 needs to be a tagged port which is member of VLANs 1 and 3, too. It's the trunk to the EAP.

 

After setting the VLAN memberships we have following VLAN config:

 

 

And this is the (VLAN) port config:

 

 

Important note: Tagged VLAN membership of port 3 needs to be set only after you configure the Management VLAN of the EAP in Omada Controller. This means you have to first add it as an untagged member of VLAN 1, Admit All frames (still untagged at the moment) and adopt the EAP in Omada Controller. During adoption the controller will set the Management VLAN in the EAP config and will temporarily lose the connection to the EAP. Then, just set port 3 as a tagged member of VLAN 1 to have the controller regain access to the EAP.

 

 

Omada Controller and EAP setup

 

Setup of Omada Controller and the EAP is much like in the first method for a guest network except for a very nasty setting required for all new controller versions starting from version 3.0.1.

 

Let's assume we have a SSID »PrivateNet« already. We now assign this SSID a membership in VLAN 1 in the »Basic Wireless Settings → Edit SSID« menu:

 

 

 

Then we create the new SSID »GuestNet«:

 

 

Next, we assign the SSID to be a member of VLAN 3 in »Advanced Settings«:

 

 

Note the »Access Control Rule«: You cannot set it right now, since it has not yet be defined. We will do so in a moment; if done, skip back and set it.

 

If you still use Omada Controller version 2.7 (I do for some older EAPs), enable »SSID Isolation« (which actually means »Client Isolation«) instead of »Guest Network« which is present only in controller versions above 3.0.1:

 

 

Now go to »Wireless Control → Access Control«. In case of Omada Controller V3.x we need to allow guest access to the controller's portal page. The controller is still blocked by the »Guest Network« setting.

 

For controller V2.x we have to block private IPs explicitely, you will see this in a moment. But for V3.x let's try to allow access to OC200 using an »Allow« ACL:

 

 

Oops. What the Omada Controller User's Guide doesn't tell you is the side effect of creating an explicit »Allow« rule: It will allow access only to the networks listed in this ACL, that's how ACLs work. Thus, clients do not have access to the Internt anymore!

 

Ok, so we do it in the way it was done in previous controller versions. You can use the following »Block« rule to block access to private networks and allow access to a specific device by excluding it from blocking.

 

This works in all versions of Omada Controller from V2.x to V3.x:

 

 

 

Remember to assign this ACL rule to the »GuestNet« SSID now that you have created it.

 

Finally, let's define a portal for the guest network:

 

 

This is how your wireless settings should look like now:

 

 

 

If you haven't already set the Management VLAN for the EAPs before (see »Important note« in the Switch Configuration section above), then set it now and change the VLAN config for switch port 3 from untagged to tagged in your switch:

 

 

 

You're done. If this kind of stuff is not your daily business, I guess you prefer method 1) with a single click on the new »Guest Network« setting in favour this second method, right? :-)

 

The Pros and Cons of this guest network setup are:

 VLANs and separate broadcast domains for the private an guest networks ensure strict isolation between devices.

The router's firewall let's you do many more fancy things such as redirecting web traffic through a caching proxy or sharing a network printer with your guests.

 Might be way too difficult to set up for casual users.

 

Let's see what a network scanner sees now:

 

 

 

Fine.

 

Some more tipps:

 

Q: I have no OpenWrt router, what should I do?

A: Get one. No, just kidding. Seriously, there is another possible solution if you have at least two routers (literally any routers will do). Just create a DMZ to be used for the guest network. Topology could look like this:

 

 

This uses two untagged switch ports, one for the private net (port 1), one for the guest net (port 2). The private net is isolated from the guest net by NAT happening in the second router. Of course you will need port forwarding on this second router to make Omada Controller's portal page available to guests. Alternatively, you can place the controller into the guest network and secure its credentials for web UI access. You also should secure access to the first router's web UI.

 

Yes, I know, that's not really a professional DMZ, but a nice trick to create an isolated network using standard home routers.

 

 

Q: My router is a Karl-Heinz!BOX (or similar), which has a guest network on port 4. Can I use it, too?

A: Sure you can. See the topology above, connect the router's port 4 with switch port 2 and its LAN port with port 1. Remaining setup is the same.

 

 

Q: Can I use TL-SG108PE, TL-SG108E or TL-SG105E as an Ethernet switch for such a setup?

A: Yes. You can use any VLAN-capable switch, but I recommend a PoE switch if you're deploying more than two EAPs. Ensure that the PoE power budget meets your needs.

 

 

Method 3: You have a Multi-Nets NAT-capable router


If you have a TL-ER6120,TL-ER5120, TL-R600VPN (V4) or similar router which supports Multi-Nets NAT, see this HowTo for information about deploying different networks. The setup for a VLAN-isolated guest network on Omada EAPs is basically the same as shown in Method 2 above.

 

You only have to ensure that the Omada Controller's portal page can be reached from within the guest network while every other access to devices in the LAN is denied. Since I don't own a Multi-Nets-NAT-router and no L3 switch, I couldn't test a setup, but if some is willing to extend this HowTo with detailed steps for Multi-Nets-NAT routers, I will be glad to include it here.

 

_____________________________________________________________

Hope this guest network HowTo is helpful for you. Have fun!

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
  15      
  15      
#1
Options