Precedence Technologies Ltd

Guest Wireless white-paper

Requirements

You have a wireless network with a specific VLAN used for guest access (configuring your wireless system and switches to do this is not covered in this document). When users connect to this wireless network, they should:

  • Have transparent Internet access without requiring a proxy to be set on the device
  • Have filtered access to the Internet
  • Be segregated from the main LAN on a different IP address range
  • Be allocated an address by DHCP
  • Be unable to access any resources on the main LAN, e.g. fileservers, printers or web-servers

How to achieve this

N.B. This documentation assumes the NetManager is running an up-to-date software release.

Stage 1 - connect the NetManager to the configured VLAN

You need to configure your wireless system and switches so that guest wireless traffic is presented to the main LAN interface on your NetManager tagged with a specific VLAN (VLAN id 100 is used in this example). This requires creating a VLAN on the switch(es). You can then either set that VLAN id to be tagged on the port the NetManager is connected to (so the physical network is shared between the main LAN and the guest VLAN), or present it untagged on a separate port (so it appears to the NetManager as a separate physical interface). If the NetManager is virtualised, a virtual network is created connected to the guest VLAN and this appears as a separate network card to the NetManager. The procedure to set up the NetManager on the guest VLAN differs slightly between the two cases, so there are two options below.

If VLAN tagged on a shared interface:

  1. View network interfaces in webadmin by going to Network > Interfaces and note the name of your internal interface (identify it by the IP addresses configured on it). We'll assume it is wm0.
  2. Pick an IP address range to be used for the guest network with a suitably large number of addresses. We'll pick 192.168.100.0/255.255.252.0 which means a usable range from 192.168.100.1-192.168.103.254.
  3. Pick an IP address from the range for the NetManager. We'll pick 192.168.100.1.
  4. Create a virtual network interface on the NetManager connected to the relevant VLAN by adding the following to the main configuration file /etc/netmanager/netman.conf:
    interface_vlan="vlan100:wm0:100"
    
  5. Run build_server to make the configuration live (by running the relevant build scripts).
  6. Configure the new IP address on the vlan100 interface by using the standard configuration methods.
  7. Configure a DHCP range on the vlan100 interface. Leave the options as the default; the NetManager will automatically determine the right settings for firewalling, DNS and routers.
  8. Check that a guest device can connect and gets an IP address in the guest range.

If VLAN is untagged on a separate interface (or if NetManager is virtualised)

  1. View network interfaces in webadmin by going to Network > Interfaces and note the name of the interface connected to the VLAN. This will not have an existing IP address configured on it. We'll assume it is xennet2.
  2. Pick an IP address range to be used for the guest network with a suitably large number of addresses. We'll pick 192.168.100.0/255.255.252.0 which means a usable range from 192.168.100.1-192.168.103.254.
  3. Pick an IP address from the range for the NetManager. We'll pick 192.168.100.1.
  4. Configure the new IP address on the xennet2 interface by using the standard configuration methods.
  5. Configure a DHCP range on the xennet2 interface. Leave the options as the default; the NetManager will automatically determine the right settings for firewalling, DNS and routers.
  6. Check that a guest device can connect and gets an IP address in the guest range.

If you do not want users on the guest VLAN to be able to resolve internal hostnames easily (this depends on whether you want them to use internal resources or not), set DHCP option 15: Domain name on the VLAN interface (e.g. vlan100 or xennet2) to a non-existent domain (e.g. guest). Note that this only stops short names from being completed with your internal domain; fully-qualified internal names still resolve, so it is a convenience setting rather than an access control. Stage 3 below is what actually blocks access.

Stage 2 - set up transparent proxying

  • Look at Web Proxy > Ports in webadmin and determine a free port number. You need to pick one that is not going to be in use by any other service. We'll pick 8100 in this example.
  • Edit the NetManager configuration file and add a line similar to the following:
    nat_transparent="vlan100:80:8100"
    
  • Run build_server to make the configuration live (by running the relevant build scripts).

Now all traffic on port 80 (http) going through the NetManager from the guest network will be internally redirected to proxy port 8100.

Stage 2b - if proxy server separate from NetManager

If you have a separate proxy server doing your filtering rather than the main NetManager (which acts as your NAT gateway and does the transparent proxying above), you will need to alter the configuration on each.

  1. On the proxy server, create a new listening port (e.g. 3280).
  2. On the main NetManager, set the upstream proxy to <proxy IP address> on the new port (e.g. 10.0.0.10:3280). You should not need any other rules or filters to be set.
  3. Back on the proxy, create a filter called Guest wifi based on Local port on proxy of your new port (e.g. 3280).
  4. Use this filter to override access rules as necessary by adding If not Guest wifi to the start of the rules. N.B. rules must be of the form Blocked if not Guest Wifi and not Logged in, not Blocked if not Logged in and not Guest Wifi. Examples of where this might be needed:

Stage 3 - Block access to main LAN

The firewall on the NetManager will, by default, allow access between all locally attached LANs (except for a network attached only to the router). As the NetManager acts as a router itself, this allows traffic to pass in both directions between the main LAN and the guest network. Similarly, the guest network will be allowed access to the following services on the NetManager:

  • SMTP (to send mail)
  • proxy (to fetch webpages)
  • tftp area over http (often used for ThinIT configuration)
  • NTP (setting time from NetManager)
  • Dynamic updates of DNS
  • iSCSI (if not locked down by IP range or IQN)
  • Backed up resources via rsync
  • Network shares

This is because the so-called trusted networks are given access to these resources and, by default, local LANs are automatically trusted (as are VPN networks, etc.). Setting a network range as untrusted removes it from the list of trusted networks.

  • Go to Network > Interfaces in webadmin and click on the Trusted networks tab
  • The automatically determined list of trusted networks will be displayed in the Global Trusted Networks section at the top of the page
  • Pick the relevant guest network range and enter its details in the Untrusted Networks section. Network address and subnet mask must match exactly. Click Add
  • Ensure that the range is now greyed out or marked as Explicitly untrusted in the Global Trusted Networks section and displayed in the Untrusted Networks section

Now you need to grant access to specific services that you want the guest network to be able to access. This is probably just the web-proxy (if you skip this step, the transparent proxying will not work - you will get Access Denied). To do this, add the network ranges as trusted for the web-proxy (per-service trusted networks take precedence over global trusted and untrusted ranges).

  • Go to Web Proxy > Settings in webadmin and click on the Trusted networks tab. In the Proxy Server Trusted Networks table, enter the guest network range (exact network address and subnet mask). Click Add.

Stage 4 - Let required traffic in from the guest wireless

For client devices to be able to browse the web, they will need to be able to do DNS lookups. As the guest network is untrusted, by default these will be blocked. There are two methods you can use to add a firewall rule to allow DNS lookups:

  1. Allow DNS requests to all NetManager addresses. This will work if the NetManager is doing DHCP, as it gives out its own address as the DNS server.
    • Go to Network > Firewall in webadmin and click on the Incoming ports tab.
    • Tick the Name server (DNS) checkbox and then click on Set ports
  2. Allow all DNS requests through the firewall. This is required if guests use other DNS servers (at one site we've seen, a layer 3 switch gives out the upstream ISP's DNS servers)
    • Go to Network > Firewall in webadmin and click on the Custom configuration tab.
    • Create a new rule with Allow In UDP from guest network range to Any address to port 53. Any address includes the main LAN, so prefer method 1 where you can, and check from a guest device that DNS servers on the main LAN remain unreachable.

As the guest wireless network is untrusted in the firewall, it will not be able to speak to the outside world over NAT. As transparent proxying only handles HTTP, secure sites (HTTPS) will be blocked. To allow HTTPS access:

  • Go to Network > Firewall in webadmin and click on the Custom configuration tab.
  • Create a new rule with Allow In TCP from guest network range to Any address to port 443.

Two caveats. First, this rule sends HTTPS straight out through NAT rather than via the proxy, so HTTPS browsing is not filtered (the Stage 2 redirect only catches port 80) and any service listening on TCP 443 is reachable. Second, Any address includes the main LAN, so after adding the rule confirm from a guest device that HTTPS servers on the main LAN are still unreachable; if they are not, narrow the rule's destination so that it excludes your LAN ranges.
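As an added acceptance check (example code written for this page, not part of NetManager or its documentation), the script below, run from a laptop connected to the guest wireless, tests the requirements the stages above are meant to satisfy: that the device received an address in the guest range, that DNS and HTTPS reach the Internet, and that SMB, SSH and HTTPS on main-LAN hosts are all unreachable. The guest range and the NetManager's guest address are the page's example values; the LAN host addresses and the public host name are assumptions to replace with your own.

```python
import ipaddress
import socket

# Page's example guest network and the NetManager's address on vlan100.
GUEST_NET = ipaddress.ip_network("192.168.100.0/255.255.252.0")
NETMANAGER_GUEST_IP = "192.168.100.1"
# Assumptions (not from the page): a fileserver and a printer on the main LAN,
# the ports guests must not reach on them, and a public HTTPS site to test with.
LAN_HOSTS = ["10.0.0.10", "10.0.0.20"]
LAN_PORTS = [445, 22, 443]          # SMB, SSH, HTTPS (443 checks the "Any address" caveat)
INTERNET_HOST = "www.example.com"


def tcp_reachable(host, port, timeout=2.0):
    """True only if a TCP handshake completes. Refused, timed out, unroutable
    and permission errors all count as unreachable, which is what we want
    when proving that the guest network is walled off."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolves(name):
    """True if the guest device can turn a name into an address (Stage 4, DNS)."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def local_address(gateway=NETMANAGER_GUEST_IP):
    """Address the OS would use to talk to the gateway. A connected UDP socket
    sends no packets, so this works even if the firewall would drop them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((gateway, 53))
        return s.getsockname()[0]


def in_guest_range(addr):
    """Stage 1 check: the DHCP lease must come from the guest range."""
    return ipaddress.ip_address(addr) in GUEST_NET


def acceptance(lan_hosts=LAN_HOSTS, lan_ports=LAN_PORTS, internet_host=INTERNET_HOST):
    """Run every check and return {check name: passed}. Port 80 on LAN hosts
    is deliberately not tested: the transparent proxy accepts that connection
    itself, so a TCP connect succeeds even when the proxy's access rules
    (Stage 5) then deny the page; test that case in a browser instead."""
    results = {}
    try:
        results["dhcp_address_in_guest_range"] = in_guest_range(local_address())
    except OSError:                 # no route to the gateway at all
        results["dhcp_address_in_guest_range"] = False
    results["dns_resolves"] = resolves(internet_host)
    results["https_to_internet"] = tcp_reachable(internet_host, 443)
    for host in lan_hosts:
        for port in lan_ports:
            results[f"lan_{host}:{port}_blocked"] = not tcp_reachable(host, port)
    return results


if __name__ == "__main__":
    for name, ok in acceptance().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it once before Stage 3 to see the LAN checks fail, then again after each stage; every line should read PASS when the configuration is complete.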

Stage 5 - Filter access to intranet webservers (optional)

Stage 3 above blocks network traffic between the main and guest networks. However, as web access is transparently proxied, the proxy on the NetManager will still fetch pages from webservers on the main LAN on a guest's behalf. If you don't want this:

  • Go to Network > Firewall in webadmin and click on Custom configuration
  • Create a new filter of type Client IP addresses and enter the range of addresses on your guest network (in this example, 192.168.100.1-192.168.103.254). Call it Guest wireless
  • Create a new filter of type Web server IP addresses and enter the range of addresses on your main LAN. Call it Main LAN webservers. You should probably leave out the IP address of the NetManager (and any other servers you do want guests to reach). This may require specifying multiple ranges (e.g. 10.0.0.2-10.0.0.9, 10.0.0.11-10.0.255.255 would exclude 10.0.0.1 and 10.0.0.10).
  • On the Configure tab on Web Proxy > Settings page in webadmin, ensure that Always allow access to intranet (bypass filters)? is not ticked.
  • Create an access rule with Blocked if Guest wireless and Main LAN webservers
  • Remember to Make Changes Live
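The entries typed into webadmin in Stages 3 and 5 all derive from the same two choices (the guest range and the main LAN range), and the trusted-network tables only match an exact network address and mask. The helper below, example code added for this page and not part of NetManager, derives every entry from those choices so they cannot drift apart: the exact network/mask for the Untrusted Networks and Proxy Server Trusted Networks tables, the guest client range for the Guest wireless filter, and the main-LAN webserver ranges with the NetManager (and any other servers guests may use) left out. The guest range is the page's example; a main LAN of 10.0.0.0/16 with the NetManager at 10.0.0.1 is an assumption matching the exclusion example above.

```python
import ipaddress

# Page's example guest range. The main LAN mask is an assumption (the page only
# shows 10.0.x.x addresses) and the NetManager's LAN address is assumed to be 10.0.0.1.
GUEST_NET = "192.168.100.0/255.255.252.0"
MAIN_LAN = "10.0.0.0/16"
KEEP_REACHABLE = ["10.0.0.1"]   # the NetManager itself; add any server guests may use


def exact_network(ip_or_net):
    """'network/mask' exactly as the Trusted/Untrusted Networks tables want it.
    webadmin matches entries exactly, so typing a host address such as
    192.168.100.1/255.255.252.0 would not mark the range untrusted."""
    net = ipaddress.ip_network(ip_or_net, strict=False)
    return f"{net.network_address}/{net.netmask}"


def client_range(net):
    """First to last usable host, the form a 'Client IP addresses' filter takes."""
    n = ipaddress.ip_network(net, strict=False)
    return f"{n.network_address + 1}-{n.broadcast_address - 1}"


def webserver_ranges(lan, exclude):
    """Split the LAN into 'a-b' ranges that skip the excluded hosts, as the
    'Web server IP addresses' filter needs. Follows the page's own example:
    10.0.0.0/16 minus 10.0.0.1 and 10.0.0.10 gives 10.0.0.2-10.0.0.9 and
    10.0.0.11-10.0.255.255 (first host through the last address of the block)."""
    n = ipaddress.ip_network(lan, strict=False)
    start, end = n.network_address + 1, n.broadcast_address
    ranges = []
    for host in sorted({ipaddress.ip_address(h) for h in exclude}):
        if host < start or host > end:
            continue                    # not in this LAN; nothing to cut out
        if host > start:
            ranges.append(f"{start}-{host - 1}")
        start = host + 1
    if start <= end:
        ranges.append(f"{start}-{end}")
    return ranges


def guest_isolated_from_lan(guest, lan):
    """Requirement from the top of the page: guests sit on a different IP range."""
    g = ipaddress.ip_network(guest, strict=False)
    l = ipaddress.ip_network(lan, strict=False)
    return not g.overlaps(l)


def webadmin_entries(guest=GUEST_NET, lan=MAIN_LAN, keep=KEEP_REACHABLE):
    """Every value to type in for Stages 3 and 5, keyed by where it goes."""
    if not guest_isolated_from_lan(guest, lan):
        raise ValueError(f"guest range {guest} overlaps the main LAN {lan}")
    return {
        "untrusted_network": exact_network(guest),        # Network > Interfaces > Trusted networks
        "proxy_trusted_network": exact_network(guest),    # Web Proxy > Settings > Trusted networks
        "guest_wireless_filter": client_range(guest),     # filter type: Client IP addresses
        "main_lan_webservers_filter": webserver_ranges(lan, keep),  # filter type: Web server IP addresses
    }


if __name__ == "__main__":
    for name, value in webadmin_entries().items():
        print(f"{name}: {value}")
```

If the guest range overlaps the main LAN the helper refuses to produce entries at all, since an overlapping range cannot be marked untrusted without also cutting off part of the LAN.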
© Copyright Precedence Technologies 1999-2017
Page last modified on May 07, 2015, at 02:25 PM by sborrill