Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 997
  • Last Modified:

Restrict wireless access to LAN on Actiontec router

I've got an Actiontec MI424-WR router and would like to configure it such that the wireless access point in it only allows access to the internet (through the WAN port) and NOT to the LAN ports.  A complicating factor is that DHCP and DNS are done from a Windows Server on the LAN and the wireless clients need to be serviced by that.  I may be able to work around the DNS issue if necessary.

I tried one approach, but it didn't work.  Under Firewall Settings, Advanced Filtering I tried to configure a rule.  I used an Outbound Rule Set, Wireless Access Point Rules, Source Address of Any, Destination Address range of all LAN addresses except for the router, and set Operation to drop.  I had also set up DHCP forwarding.

My presumption (the manual is of no real help here) was that the Wireless Access Point Rules applied to the Wireless Access Point only and that my configuration would allow traffic from wireless clients only to the excluded destination address (the router).

With those settings, a device can connect to the wireless, can get an IP address from the DHCP server, but can't access anything.  I tried pinging the router and several devices on the LAN and got no responses.  Obviously, I'm missing something here.

The Security Log showed the following:
fw/policy/0/chain/fw_ath0_out/rule/0: ICMP type 0 code 0 192.168.50.1->192.168.50.21 on ath0

The .1 address is the router and the .21 address is the wireless client.  It appears to me that the rule that I set up is blocking the reply packets from getting back to the client.

Is it possible with this router to do the limiting that I want?  If so, how would it be done?

I have considered DD-WRT, but that is not an option.  I need to duplicate this scenario at a client's site and that change won't be allowed.
0
CompProbSolv
Asked:
CompProbSolv
  • 6
  • 3
1 Solution
 
Davis McCarnOwnerCommented:
It ain't gonna happen (period)
The way to setup a guest wireless is to use another router and plug its WAN port into one of the lan ports (or a switch) on the internal router.  Then, connected devices can only tunnel through the LAN to the internet.  The only caveat is that you need to make sure its ip address is different from the main router (i.e. Change 192.168.0.xxx to 192.168.10.xxx in the second router before you connect it)
0
 
CompProbSolvAuthor Commented:
I have done what you are proposing with other clients, but unless I'm reading your post incorrectly, you have it backwards.  If you are proposing that the new router is the one that supports the guest wireless, then they will have access to the LAN on the first router, which is what I am trying to avoid.  The users on the first (main) router's LAN will be blocked from the wireless (and wired, for that matter) connections on the second router.  I could change which router the users are connected to (i.e. protected LAN on the second router, guests on the main router), but I'm trying to avoid cascading routers in this fashion.

There are wireless routers that will expressly do the guest access that I am trying to achieve, but I would like to stay with the Actiontec for other reasons (related to VoIP support).
0
 
Davis McCarnOwnerCommented:
No, I have it correctly.  In my own office, the main router has a wireless of ECC and an ip range of 192.168.0.xxx.  Plugged into it, using the WAN/Internet port is another router using 192.168.1.xxx and a wireless of Eagle.  Anyone connected to Eagle is foreign to ECC and can onlt tunnel through to the internet.  They cannot see any device attached to ECC, at all.
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
CompProbSolvAuthor Commented:
Unless there is some particular setting on either of the routers, there is no good reason that devices on the 192.168.1.xxx network cannot access devices on the 192.168.0.xxx network.  Is the WAN side of the Eagle router set with a 192.168.0.xxx/24 IP address?
0
 
Davis McCarnOwnerCommented:
Yes, a subnet mask of 255.255.255.0 makes them foreign to each other and, since the DNS server is the router itself, there is no name resolution for any of the PC's on the ECC network.
I guess that if someone changed their TCP/IP settings and knew the ip address of a PC, they could access it; but, the number of people who would know how and who would try is very small.
0
 
CompProbSolvAuthor Commented:
OK...  That makes sense now.  There IS access, just not by name.
0
 
arnoldCommented:
Does your actiontec include support for VLAns?

Using VLAns you can isolate one from the others.
0
 
CompProbSolvAuthor Commented:
My sincere apology for the excessive delay.  Illnesses and work issues have kept me away.

The Actiontec does support VLANs, but not for the internal wireless.  I will likely resolve this with a different router or with an external wireless access point and VLAN.
0
 
CompProbSolvAuthor Commented:
I had hoped for input from someone who had accomplished this task on this router (which is very common in this part of the country).  The question/answer that was provided will allow a workable solution, though with additional hardware.
0
 
CompProbSolvAuthor Commented:
I was eventually successful with this so I thought I would post the results here as someone else might find it useful.

I have set this up on two different routers, both Actiontec MI-424WR with firmware version 20.12.2.4, as supplied by Frontier Communications.  Oddly enough, even though the hardware and firmware revisions were the same, the menus for restricting access were different.  Both configuration methods are shown below where appropriate.

The assumptions are as follows:
The existing LAN is a 192.168.1.0/24 configuration.
Ports 1, 2, and 3 will be used for the LAN with no restrictions between them.
Port 4 will be a 192.168.253.0/24 configuration with a DHCP server active.
The router will have a LAN address on port 4 of 192.168.253.1.
Port 4 will have access to the WAN port but will be blocked from Ports 1, 2, and 3.
Ports 1, 2, and 3 will be blocked from accessing Port 4.
Ports 1, 2, and 3 WILL be able to access 192.168.253.1.  (I didn't plan this; it just worked out that way.  It should be easy to block, if desired.)

The process is accomplished as follows:

Connect the computer that you are using to program the routerl to port 1, 2, or 3, NOT to port 4.  This will make it easier when you change the IP addressing on port 4.

Log in to router
Back up the configuration first!!!  If you have serious problems, this will allow you to reset the router and restore the configuration.

Create the VLAN
      My Network
      Network Connections
      Advanced (bottom-right button; it will say "Basic <<" if already in Advanced mode)
      Add
      VLAN Interface
      Next
      Underlying Device: Network (Home/Office)
      VLAN ID: 4
      Next
      Traffic on this VLAN is: Untagged
      VLAN Ports:  Ethernet, Port 4
      Next
      Edit the Newly Created Connection
      Finish
      (wait while it applies the settings)
      Internet Protocol: Use the following IP address
      IP Address: 192.168.253.1
      Subnet Mask: 255.255.255.0
      DNS Server: Use the Following DNS Server Addresses
      Primary DNS Server: (use whatever DNS you like; 4.2.2.3 can work)
      Secondary DNS Server: (use whatever DNS you like; 4.2.2.4 can work)
      IP Address Distribution: DHCP Server
      Start IP Address: 192.168.253.100
      End IP Address: 192.168.253.149
      Apply
      Apply
Set Tagging
      My Network
      Network Connections
      Edit: Ethernet (Icon to far right of Ethernet line under Network (Home/Office)
      Settings
      Edit: Port 4 (Icon to far right of Port 4 under Ethernet)
      These should already be set as follows:
            Ingress Policy: Tagged
            Default VLAN ID: 4
            Egress Policy Untagged
      Apply
      Apply
      (wait for changes to be applied)
      Apply
      Apply (Ethernet Properties)


If you wish to test that the VLAN is working (highly recommended), connect to Port 4, run ipconfig /renew (assuming you are configured for DHCP).
      You should get an IP address of 192.168.253.100.  If you don't get an address or if it is other than 192.168.253.x, there is a problem.
      Ping a device IP address that is on Port 1, 2, or 3.  It should reply properly.
      Ping your device (192.168.253.100) from a device that is on Port 1, 2, or 3.  It should reply properly.


Connect to port 4 (if not already connected there) and run ipconfig /renew.
Point your web browser at 192.168.253.1 and log in

This is where I saw two different menus on the two different routers.  Both programming methods are shown below.

Method A (incoming and outgoing rules in same section)
Isolate the VLAN
      Firewall Settings
      Yes (Warning)
      Advanced Filtering
      Add: Network (Home/Office) VLAN 4 rules (Add is to the right)
      Source Address: Any
      Destination Address: User Defined
            Description: Main LAN
            Add
            Network Object Type: IP Subnet
            Subnet IP Address: 192.168.1.0
            Subnet Mask: 255.255.255.0
            Apply
      Apply (Edit Network Object)
      Apply (Add Advanced Filter)
      Add: Network (Home/Office) VLAN 4 rules (Add is below)
      Source Address: User Defined
            Description: Main LAN
            Add
            Network Object Type: IP Subnet
            Subnet IP Address: 192.168.1.0
            Subnet Mask: 255.255.255.0
            Apply
      Apply (Edit Network Object)
      Apply (Add Advanced Filter
      Apply (Advanced Filtering)
      

Method B (incoming and outgoing rules in different sections)
Isolate the VLAN
      Firewall Settings
      Yes (Warning)
      Advanced Filtering
      Input Rule Sets:       Add: Network (Home/Office) VLAN 4 rules (Add is to the right)
            Source Address: Any
            Destination Address: User Defined
                  Description: Main LAN
                  Add
                  Network Object Type: IP Subnet
                  Subnet IP Address: 192.168.1.0
                  Subnet Mask: 255.255.255.0
                  Apply
                  Apply (Edit Network Object)
            Apply (Add Advanced Filter)
      Ouput Rule Sets:       Add: Network (Home/Office) VLAN 4 rules (Add is to the right)
            Destination Address: Any
            Source Address: User Defined
                  Description: Main LAN
                  Add
                  Network Object Type: IP Subnet
                  Subnet IP Address: 192.168.1.0
                  Subnet Mask: 255.255.255.0
                  Apply
                  Apply (Edit Network Object)
            Apply (Add Advanced Filter)
            Apply (Advanced Filtering)
It should be all set!

Ping something on Port 1, 2, or 3.  It should fail.
Ping the main router address (192.168.1.1), it should fail.
Ping the device on Port 4 from a device on Port 1, 2, or 3.  It should fail.
Ping the VLAN router address (192.168.253.1).  It should succeed.
Ping the internet address 4.2.2.2.  It should succeed.

Back up the configuration (use a different file name from the original backup)!
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

  • 6
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now