CompProbSolv asked:
Restrict wireless access to LAN on Actiontec router

I've got an Actiontec MI424-WR router and would like to configure it such that the wireless access point in it only allows access to the internet (through the WAN port) and NOT to the LAN ports.  A complicating factor is that DHCP and DNS are done from a Windows Server on the LAN and the wireless clients need to be serviced by that.  I may be able to work around the DNS issue if necessary.

I tried one approach, but it didn't work.  Under Firewall Settings, Advanced Filtering I tried to configure a rule.  I used an Outbound Rule Set, Wireless Access Point Rules, Source Address of Any, Destination Address range of all LAN addresses except for the router, and set Operation to drop.  I had also set up DHCP forwarding.

My presumption (the manual is of no real help here) was that the Wireless Access Point Rules applied to the Wireless Access Point only and that my configuration would allow traffic from wireless clients only to the excluded destination address (the router).

With those settings, a device can connect to the wireless, can get an IP address from the DHCP server, but can't access anything.  I tried pinging the router and several devices on the LAN and got no responses.  Obviously, I'm missing something here.

The Security Log showed the following:
fw/policy/0/chain/fw_ath0_out/rule/0: ICMP type 0 code 0 192.168.50.1->192.168.50.21 on ath0

The .1 address is the router and the .21 address is the wireless client.  It appears to me that the rule that I set up is blocking the reply packets from getting back to the client.

Is it possible with this router to do the limiting that I want?  If so, how would it be done?

I have considered DD-WRT, but that is not an option.  I need to duplicate this scenario at a client's site and that change won't be allowed.
Davis McCarn replied:

It ain't gonna happen (period)
The way to set up a guest wireless is to use another router and plug its WAN port into one of the LAN ports (or a switch) on the internal router.  Then, connected devices can only tunnel through the LAN to the internet.  The only caveat is that you need to make sure its IP address is different from the main router's (i.e. change 192.168.0.xxx to 192.168.10.xxx in the second router before you connect it).
CompProbSolv (asker) replied:
I have done what you are proposing with other clients, but unless I'm reading your post incorrectly, you have it backwards.  If you are proposing that the new router is the one that supports the guest wireless, then they will have access to the LAN on the first router, which is what I am trying to avoid.  The users on the first (main) router's LAN will be blocked from the wireless (and wired, for that matter) connections on the second router.  I could change which router the users are connected to (i.e. protected LAN on the second router, guests on the main router), but I'm trying to avoid cascading routers in this fashion.

There are wireless routers that will expressly do the guest access that I am trying to achieve, but I would like to stay with the Actiontec for other reasons (related to VoIP support).
No, I have it correctly.  In my own office, the main router has a wireless of ECC and an IP range of 192.168.0.xxx.  Plugged into it, using the WAN/Internet port, is another router using 192.168.1.xxx and a wireless of Eagle.  Anyone connected to Eagle is foreign to ECC and can only tunnel through to the internet.  They cannot see any device attached to ECC, at all.
Unless there is some particular setting on either of the routers, there is no good reason that devices on the 192.168.1.xxx network cannot access devices on the 192.168.0.xxx network.  Is the WAN side of the Eagle router set with a 192.168.0.xxx/24 IP address?
Yes, a subnet mask of 255.255.255.0 makes them foreign to each other and, since the DNS server is the router itself, there is no name resolution for any of the PCs on the ECC network.
I guess that if someone changed their TCP/IP settings and knew the IP address of a PC, they could access it; but the number of people who would know how and who would try is very small.
OK...  That makes sense now.  There IS access, just not by name.
ASKER CERTIFIED SOLUTION
arnold
This solution is only available to members.
My sincere apology for the excessive delay.  Illnesses and work issues have kept me away.

The Actiontec does support VLANs, but not for the internal wireless.  I will likely resolve this with a different router or with an external wireless access point and VLAN.
I had hoped for input from someone who had accomplished this task on this router (which is very common in this part of the country).  The question/answer that was provided will allow a workable solution, though with additional hardware.
I was eventually successful with this so I thought I would post the results here as someone else might find it useful.

I have set this up on two different routers, both Actiontec MI-424WR with firmware version 20.12.2.4, as supplied by Frontier Communications.  Oddly enough, even though the hardware and firmware revisions were the same, the menus for restricting access were different.  Both configuration methods are shown below where appropriate.

The assumptions are as follows:
The existing LAN is a 192.168.1.0/24 configuration.
Ports 1, 2, and 3 will be used for the LAN with no restrictions between them.
Port 4 will be a 192.168.253.0/24 configuration with a DHCP server active.
The router will have a LAN address on port 4 of 192.168.253.1.
Port 4 will have access to the WAN port but will be blocked from Ports 1, 2, and 3.
Ports 1, 2, and 3 will be blocked from accessing Port 4.
Ports 1, 2, and 3 WILL be able to access 192.168.253.1.  (I didn't plan this; it just worked out that way.  It should be easy to block, if desired.)

The process is accomplished as follows:

Connect the computer that you are using to program the router to port 1, 2, or 3, NOT to port 4.  This will make it easier when you change the IP addressing on port 4.

Log in to the router.
Back up the configuration first!!!  If you have serious problems, this will allow you to reset the router and restore the configuration.

Create the VLAN
      My Network
      Network Connections
      Advanced (bottom-right button; it will say "Basic <<" if already in Advanced mode)
      Add
      VLAN Interface
      Next
      Underlying Device: Network (Home/Office)
      VLAN ID: 4
      Next
      Traffic on this VLAN is: Untagged
      VLAN Ports:  Ethernet, Port 4
      Next
      Edit the Newly Created Connection
      Finish
      (wait while it applies the settings)
      Internet Protocol: Use the following IP address
      IP Address: 192.168.253.1
      Subnet Mask: 255.255.255.0
      DNS Server: Use the Following DNS Server Addresses
      Primary DNS Server: (use whatever DNS you like; 4.2.2.3 can work)
      Secondary DNS Server: (use whatever DNS you like; 4.2.2.4 can work)
      IP Address Distribution: DHCP Server
      Start IP Address: 192.168.253.100
      End IP Address: 192.168.253.149
      Apply
      Apply
Set Tagging
      My Network
      Network Connections
      Edit: Ethernet (Icon to far right of Ethernet line under Network (Home/Office))
      Settings
      Edit: Port 4 (Icon to far right of Port 4 under Ethernet)
      These should already be set as follows:
            Ingress Policy: Tagged
            Default VLAN ID: 4
            Egress Policy: Untagged
      Apply
      Apply
      (wait for changes to be applied)
      Apply
      Apply (Ethernet Properties)


If you wish to test that the VLAN is working (highly recommended), connect to Port 4, run ipconfig /renew (assuming you are configured for DHCP).
      You should get an IP address of 192.168.253.100.  If you don't get an address or if it is other than 192.168.253.x, there is a problem.
      Ping a device IP address that is on Port 1, 2, or 3.  It should reply properly.
      Ping your device (192.168.253.100) from a device that is on Port 1, 2, or 3.  It should reply properly.


Connect to port 4 (if not already connected there) and run ipconfig /renew.
Point your web browser at 192.168.253.1 and log in.

This is where I saw two different menus on the two different routers.  Both programming methods are shown below.

Method A (incoming and outgoing rules in same section)
Isolate the VLAN
      Firewall Settings
      Yes (Warning)
      Advanced Filtering
      Add: Network (Home/Office) VLAN 4 rules (Add is to the right)
      Source Address: Any
      Destination Address: User Defined
            Description: Main LAN
            Add
            Network Object Type: IP Subnet
            Subnet IP Address: 192.168.1.0
            Subnet Mask: 255.255.255.0
            Apply
      Apply (Edit Network Object)
      Apply (Add Advanced Filter)
      Add: Network (Home/Office) VLAN 4 rules (Add is below)
      Source Address: User Defined
            Description: Main LAN
            Add
            Network Object Type: IP Subnet
            Subnet IP Address: 192.168.1.0
            Subnet Mask: 255.255.255.0
            Apply
      Apply (Edit Network Object)
      Apply (Add Advanced Filter)
      Apply (Advanced Filtering)
      

Method B (incoming and outgoing rules in different sections)
Isolate the VLAN
      Firewall Settings
      Yes (Warning)
      Advanced Filtering
      Input Rule Sets:       Add: Network (Home/Office) VLAN 4 rules (Add is to the right)
            Source Address: Any
            Destination Address: User Defined
                  Description: Main LAN
                  Add
                  Network Object Type: IP Subnet
                  Subnet IP Address: 192.168.1.0
                  Subnet Mask: 255.255.255.0
                  Apply
                  Apply (Edit Network Object)
            Apply (Add Advanced Filter)
      Output Rule Sets:       Add: Network (Home/Office) VLAN 4 rules (Add is to the right)
            Destination Address: Any
            Source Address: User Defined
                  Description: Main LAN
                  Add
                  Network Object Type: IP Subnet
                  Subnet IP Address: 192.168.1.0
                  Subnet Mask: 255.255.255.0
                  Apply
                  Apply (Edit Network Object)
            Apply (Add Advanced Filter)
            Apply (Advanced Filtering)
It should be all set!

Ping something on Port 1, 2, or 3.  It should fail.
Ping the main router address (192.168.1.1).  It should fail.
Ping the device on Port 4 from a device on Port 1, 2, or 3.  It should fail.
Ping the VLAN router address (192.168.253.1).  It should succeed.
Ping the internet address 4.2.2.2.  It should succeed.

Back up the configuration (use a different file name from the original backup)!