Solved

Restrict wireless access to LAN on Actiontec router

Posted on 2014-03-27
Last Modified: 2014-06-23
I've got an Actiontec MI424-WR router and would like to configure it such that the wireless access point in it only allows access to the internet (through the WAN port) and NOT to the LAN ports.  A complicating factor is that DHCP and DNS are done from a Windows Server on the LAN and the wireless clients need to be serviced by that.  I may be able to work around the DNS issue if necessary.

I tried one approach, but it didn't work.  Under Firewall Settings, Advanced Filtering I tried to configure a rule.  I used an Outbound Rule Set, Wireless Access Point Rules, Source Address of Any, Destination Address range of all LAN addresses except for the router, and set Operation to drop.  I had also set up DHCP forwarding.

My presumption (the manual is of no real help here) was that the Wireless Access Point Rules applied to the Wireless Access Point only and that my configuration would allow traffic from wireless clients only to the excluded destination address (the router).

With those settings, a device can connect to the wireless, can get an IP address from the DHCP server, but can't access anything.  I tried pinging the router and several devices on the LAN and got no responses.  Obviously, I'm missing something here.

The Security Log showed the following:
fw/policy/0/chain/fw_ath0_out/rule/0: ICMP type 0 code 0 192.168.50.1->192.168.50.21 on ath0

The .1 address is the router and the .21 address is the wireless client.  It appears to me that the rule that I set up is blocking the reply packets from getting back to the client.

Is it possible with this router to do the limiting that I want?  If so, how would it be done?

I have considered DD-WRT, but that is not an option.  I need to duplicate this scenario at a client's site and that change won't be allowed.
Question by: CompProbSolv
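As an added illustration (not code from the post or from the Actiontec firmware), the first attempt described in the question can be modelled as a single filter rule attached to the wireless interface's outbound chain, with Source = Any and Destination = the whole LAN minus the router, and then matched against one ping exchange. The addresses 192.168.50.1 (router) and 192.168.50.21 (wireless client) come from the Security Log line quoted above; 192.168.50.30 is an assumed wired LAN host. The model assumes, consistent with the log's "fw_ath0_out" chain name, that "outbound" means traffic leaving the router through the wireless interface toward a client.

```python
"""Model of the first-attempt rule: Outbound Rule Set on the wireless interface,
Source = Any, Destination = all LAN addresses except the router, Operation = drop.
Added example; not the router's own rule engine."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.50.0/24")
ROUTER = IPv4Address("192.168.50.1")      # from the Security Log line
CLIENT = IPv4Address("192.168.50.21")     # wireless client from the Security Log line
LAN_HOST = IPv4Address("192.168.50.30")   # assumed wired host on the LAN


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    direction: str   # "in": arriving on the wireless interface; "out": leaving it toward a client


@dataclass(frozen=True)
class Rule:
    chain: str                 # rule set the filter is attached to: "in" or "out"
    dst_net: IPv4Network       # destination address range
    dst_except: frozenset      # addresses carved out of that range (the router here)
    action: str = "drop"

    def matches(self, pkt: Packet) -> bool:
        # Source = Any, so only the chain and the destination decide the match.
        return (pkt.direction == self.chain
                and pkt.dst in self.dst_net
                and pkt.dst not in self.dst_except)


def verdict(rules, pkt: Packet) -> str:
    """First matching rule wins; no match means the packet is accepted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"


# The rule exactly as the question describes it.
FIRST_ATTEMPT = [Rule(chain="out", dst_net=LAN, dst_except=frozenset({ROUTER}))]


def trace_ping(rules, client: IPv4Address, target: IPv4Address):
    """Return (echo-request verdict, echo-reply verdict) for one ping from a wireless client."""
    request = Packet(src=client, dst=target, direction="in")
    reply = Packet(src=target, dst=client, direction="out")
    return verdict(rules, request), verdict(rules, reply)


if __name__ == "__main__":
    for target in (ROUTER, LAN_HOST):
        req, rep = trace_ping(FIRST_ATTEMPT, CLIENT, target)
        print(f"{CLIENT} -> {target}: request {req}, reply {rep}")
    # The logged drop 'ICMP type 0 ... 192.168.50.1->192.168.50.21' is the reply leg:
    # its destination is the client, which lies inside the LAN range and is not in
    # the exception list, so the outbound rule drops it even though the request passed.
```

Running it prints "request accept, reply drop" for both the router and the wired host: the echo requests are never filtered, and every echo reply back to the client is, which matches the symptom of DHCP working but nothing answering a ping.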
Expert Comment by: Davis McCarn (LVL 42)
It ain't gonna happen (period)
The way to set up a guest wireless is to use another router and plug its WAN port into one of the LAN ports (or a switch) on the internal router.  Then, connected devices can only tunnel through the LAN to the internet.  The only caveat is that you need to make sure its IP address is different from the main router (i.e. change 192.168.0.xxx to 192.168.10.xxx in the second router before you connect it).
Author Comment by: CompProbSolv (LVL 20)
I have done what you are proposing with other clients, but unless I'm reading your post incorrectly, you have it backwards.  If you are proposing that the new router is the one that supports the guest wireless, then they will have access to the LAN on the first router, which is what I am trying to avoid.  The users on the first (main) router's LAN will be blocked from the wireless (and wired, for that matter) connections on the second router.  I could change which router the users are connected to (i.e. protected LAN on the second router, guests on the main router), but I'm trying to avoid cascading routers in this fashion.

There are wireless routers that will expressly do the guest access that I am trying to achieve, but I would like to stay with the Actiontec for other reasons (related to VoIP support).
Expert Comment by: Davis McCarn (LVL 42)
No, I have it correctly.  In my own office, the main router has a wireless of ECC and an IP range of 192.168.0.xxx.  Plugged into it, using the WAN/Internet port, is another router using 192.168.1.xxx and a wireless of Eagle.  Anyone connected to Eagle is foreign to ECC and can only tunnel through to the internet.  They cannot see any device attached to ECC, at all.
Author Comment by: CompProbSolv (LVL 20)
Unless there is some particular setting on either of the routers, there is no good reason that devices on the 192.168.1.xxx network cannot access devices on the 192.168.0.xxx network.  Is the WAN side of the Eagle router set with a 192.168.0.xxx/24 IP address?
Expert Comment by: Davis McCarn (LVL 42)
Yes, a subnet mask of 255.255.255.0 makes them foreign to each other and, since the DNS server is the router itself, there is no name resolution for any of the PCs on the ECC network.
I guess that if someone changed their TCP/IP settings and knew the ip address of a PC, they could access it; but, the number of people who would know how and who would try is very small.
Author Comment by: CompProbSolv (LVL 20)
OK...  That makes sense now.  There IS access, just not by name.
Accepted Solution by: arnold (LVL 76, earned 500 total points)
Does your Actiontec include support for VLANs?

Using VLANs you can isolate one from the others.
Author Comment by: CompProbSolv (LVL 20)
My sincere apology for the excessive delay.  Illnesses and work issues have kept me away.

The Actiontec does support VLANs, but not for the internal wireless.  I will likely resolve this with a different router or with an external wireless access point and VLAN.
Author Closing Comment by: CompProbSolv (LVL 20)
I had hoped for input from someone who had accomplished this task on this router (which is very common in this part of the country).  The question/answer that was provided will allow a workable solution, though with additional hardware.
Author Comment by: CompProbSolv (LVL 20)
I was eventually successful with this so I thought I would post the results here as someone else might find it useful.

I have set this up on two different routers, both Actiontec MI-424WR with firmware version 20.12.2.4, as supplied by Frontier Communications.  Oddly enough, even though the hardware and firmware revisions were the same, the menus for restricting access were different.  Both configuration methods are shown below where appropriate.

The assumptions are as follows:
The existing LAN is a 192.168.1.0/24 configuration.
Ports 1, 2, and 3 will be used for the LAN with no restrictions between them.
Port 4 will be a 192.168.253.0/24 configuration with a DHCP server active.
The router will have a LAN address on port 4 of 192.168.253.1.
Port 4 will have access to the WAN port but will be blocked from Ports 1, 2, and 3.
Ports 1, 2, and 3 will be blocked from accessing Port 4.
Ports 1, 2, and 3 WILL be able to access 192.168.253.1.  (I didn't plan this; it just worked out that way.  It should be easy to block, if desired.)

The process is accomplished as follows:

Connect the computer that you are using to program the router to port 1, 2, or 3, NOT to port 4.  This will make it easier when you change the IP addressing on port 4.

Log in to router
Back up the configuration first!!!  If you have serious problems, this will allow you to reset the router and restore the configuration.

Create the VLAN
      My Network
      Network Connections
      Advanced (bottom-right button; it will say "Basic <<" if already in Advanced mode)
      Add
      VLAN Interface
      Next
      Underlying Device: Network (Home/Office)
      VLAN ID: 4
      Next
      Traffic on this VLAN is: Untagged
      VLAN Ports:  Ethernet, Port 4
      Next
      Edit the Newly Created Connection
      Finish
      (wait while it applies the settings)
      Internet Protocol: Use the following IP address
      IP Address: 192.168.253.1
      Subnet Mask: 255.255.255.0
      DNS Server: Use the Following DNS Server Addresses
      Primary DNS Server: (use whatever DNS you like; 4.2.2.3 can work)
      Secondary DNS Server: (use whatever DNS you like; 4.2.2.4 can work)
      IP Address Distribution: DHCP Server
      Start IP Address: 192.168.253.100
      End IP Address: 192.168.253.149
      Apply
      Apply
Set Tagging
      My Network
      Network Connections
      Edit: Ethernet (Icon to far right of Ethernet line under Network (Home/Office))
      Settings
      Edit: Port 4 (Icon to far right of Port 4 under Ethernet)
      These should already be set as follows:
            Ingress Policy: Tagged
            Default VLAN ID: 4
            Egress Policy: Untagged
      Apply
      Apply
      (wait for changes to be applied)
      Apply
      Apply (Ethernet Properties)


If you wish to test that the VLAN is working (highly recommended), connect to Port 4, run ipconfig /renew (assuming you are configured for DHCP).
      You should get an IP address of 192.168.253.100.  If you don't get an address or if it is other than 192.168.253.x, there is a problem.
      Ping a device IP address that is on Port 1, 2, or 3.  It should reply properly.
      Ping your device (192.168.253.100) from a device that is on Port 1, 2, or 3.  It should reply properly.


Connect to port 4 (if not already connected there) and run ipconfig /renew.
Point your web browser at 192.168.253.1 and log in

This is where I saw two different menus on the two different routers.  Both programming methods are shown below.

Method A (incoming and outgoing rules in same section)
Isolate the VLAN
      Firewall Settings
      Yes (Warning)
      Advanced Filtering
      Add: Network (Home/Office) VLAN 4 rules (Add is to the right)
      Source Address: Any
      Destination Address: User Defined
            Description: Main LAN
            Add
            Network Object Type: IP Subnet
            Subnet IP Address: 192.168.1.0
            Subnet Mask: 255.255.255.0
            Apply
      Apply (Edit Network Object)
      Apply (Add Advanced Filter)
      Add: Network (Home/Office) VLAN 4 rules (Add is below)
      Source Address: User Defined
            Description: Main LAN
            Add
            Network Object Type: IP Subnet
            Subnet IP Address: 192.168.1.0
            Subnet Mask: 255.255.255.0
            Apply
      Apply (Edit Network Object)
      Apply (Add Advanced Filter)
      Apply (Advanced Filtering)
      

Method B (incoming and outgoing rules in different sections)
Isolate the VLAN
      Firewall Settings
      Yes (Warning)
      Advanced Filtering
      Input Rule Sets:       Add: Network (Home/Office) VLAN 4 rules (Add is to the right)
            Source Address: Any
            Destination Address: User Defined
                  Description: Main LAN
                  Add
                  Network Object Type: IP Subnet
                  Subnet IP Address: 192.168.1.0
                  Subnet Mask: 255.255.255.0
                  Apply
                  Apply (Edit Network Object)
            Apply (Add Advanced Filter)
      Output Rule Sets:       Add: Network (Home/Office) VLAN 4 rules (Add is to the right)
            Destination Address: Any
            Source Address: User Defined
                  Description: Main LAN
                  Add
                  Network Object Type: IP Subnet
                  Subnet IP Address: 192.168.1.0
                  Subnet Mask: 255.255.255.0
                  Apply
                  Apply (Edit Network Object)
            Apply (Add Advanced Filter)
            Apply (Advanced Filtering)
It should be all set!

Ping something on Port 1, 2, or 3.  It should fail.
Ping the main router address (192.168.1.1), it should fail.
Ping the device on Port 4 from a device on Port 1, 2, or 3.  It should fail.
Ping the VLAN router address (192.168.253.1).  It should succeed.
Ping the internet address 4.2.2.2.  It should succeed.

Back up the configuration (use a different file name from the original backup)!
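The five ping checks at the end of the procedure above, as an added example that is not part of the post: a small script that runs them from a host on port 4 and reports any result that differs from the expected matrix, after first confirming that the tester actually received a 192.168.253.x address. The address 192.168.1.50 stands in for "something on Port 1, 2, or 3" and is an assumed example; the `ping` helper shells out to the operating system's ping command (the `-W` timeout flag is assumed to be in seconds, as on Linux iputils), and the `probe` parameter exists so the checks can be driven with canned results as well.

```python
"""Run the post-configuration isolation checklist from a host on VLAN 4 (port 4).
Added example; 192.168.1.50 is an assumed LAN device address."""
import ipaddress
import platform
import subprocess
from typing import Callable, Dict, List, Tuple

VLAN_NET = ipaddress.IPv4Network("192.168.253.0/24")

# Target -> should a ping from the port-4 host get a reply once the rules are in place?
EXPECTED_FROM_VLAN: Dict[str, bool] = {
    "192.168.1.50": False,    # a device on port 1, 2 or 3 (assumed address)
    "192.168.1.1": False,     # main LAN address of the router
    "192.168.253.1": True,    # VLAN 4 address of the router
    "4.2.2.2": True,          # internet address used in the post
}


def on_vlan(local_ip: str) -> bool:
    """The post's sanity check: the DHCP lease must be a 192.168.253.x address."""
    return ipaddress.IPv4Address(local_ip) in VLAN_NET


def ping(host: str, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with the OS ping command; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]   # -W in seconds (assumed)
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def check_isolation(expected: Dict[str, bool],
                    probe: Callable[[str], bool] = ping) -> List[Tuple[str, bool, bool]]:
    """Return (host, expected, observed) for every target that did not behave as expected.
    An empty list means the VLAN is isolated exactly as the procedure describes."""
    mismatches = []
    for host, should_reply in expected.items():
        observed = probe(host)
        if observed != should_reply:
            mismatches.append((host, should_reply, observed))
    return mismatches


if __name__ == "__main__":
    import socket
    # Pick the local address that would be used to reach the VLAN router; no packet is sent.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect(("192.168.253.1", 53))
        local_ip = s.getsockname()[0]
    if not on_vlan(local_ip):
        raise SystemExit(f"{local_ip} is not in {VLAN_NET}: connect to port 4 and renew DHCP first")
    problems = check_isolation(EXPECTED_FROM_VLAN)
    if not problems:
        print("all checks passed: VLAN 4 is isolated as expected")
    for host, want, got in problems:
        print(f"{host}: expected {'reply' if want else 'no reply'}, got {'reply' if got else 'no reply'}")
```

A reply from 192.168.1.50 or 192.168.1.1 in this output means one of the two VLAN 4 rule sets did not take effect; no reply from 192.168.253.1 points at the VLAN interface itself rather than the firewall rules.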