
I have a home network with various servers and routers (192.168.x.x).

I want to use the Raspberry Pi 3 to set up an isolated WiFi AP (guest AP) such that computers that connect to the Rasp WiFi have internet access but cannot connect to anything else on the home LAN.

I have used the following script (https://github.com/harryallerston/RPI-Wireless-Hotspot) to build a Rasp3 WiFi AP sharing the eth0.

However, how can I disallow any access to or from other computers on the LAN but allow internet access?

ECII

3 Answers

1

Your Access Point is a router that assigns connecting clients an IP from its own DHCP subnet. Just allow or reject traffic from the AP's DHCP subnet. There are a few ways you could stop the Pi AP's WiFi clients connecting to internal hosts:

a) In the Raspberry Pi's firewall (iptables & UFW being most common on a Pi) drop/reject traffic to all RFC 1918 subnets NOT the AP's. i.e. if the Pi AP is assigning addresses from the pool 192.168.01/28, and all your local stuff lives on 10.0.1.0/24, drop all traffic with a source of 192.168.01/28 to a destination of 10.0.1.0/24.

b) Or, in the firewall of the router the Pi AP itself is connected to, drop/reject all traffic with a source of 192.168.01/28 to a destination of 10.0.1.0/24.

Either way will achieve the same result. It might be easier to create a rule on your router rather than setting up firewalling on the Pi itself.

However, if you DO want to have rules running on the Pi itself (not a bad thing) you can download my Github repo which automates configuration of a Pi into a wireless AP in a few minutes with almost zero effort. It has a default set of UFW rules you could tailor to your own local situation:

https://raspberrypi.stackexchange.com/a/104175/97613

F1Linux
0

As you said, create an access point on your Pi with the range 172.16.X.X for example.

Now on your router you must create an ACL that blocks traffic from the 172.16.X.X network to the 192.168.X.X.

Now allow network traffic 172.16.X.X to the IP address 192.168.0.56 (for example) of Pi.

Then allow traffic from network 172.16.X.X to all networks (0.0.0.0)

Thus the machines connected to the Pi's Wi-Fi will no longer have access to your network but just the Internet.

  • And how to do all this? And how do you restrict communication between devices that are connected to the RasPi's access point with subnet 172.16.X.X? – Ingo Feb 10 '20 at 21:10
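The two answers above describe the same routed setup in words: a firewall (on the Pi or on the router) that drops guest-to-private traffic but lets guests reach the Pi's own DHCP/DNS and the internet. The following script is an added example, not code from either answer or from the linked RPI-Wireless-Hotspot repo. It assumes `wlan0` is the guest AP side, `eth0` is the uplink into the home LAN, and uses a constructed guest pool of 192.168.50.0/24 with the Pi at 192.168.50.1; change the variables to match your own layout. It prints the iptables commands by default and only applies them with `--apply`.

```shell
#!/bin/sh
# Added example, not code from the answers or the linked repo: build (and
# optionally apply) an iptables ruleset for a *routed* guest AP on the Pi.
# Assumed layout: wlan0 is the guest AP side, eth0 is the uplink into the
# home LAN; the guest subnet and Pi address below are constructed values.
GUEST_IF="${GUEST_IF:-wlan0}"
UPLINK_IF="${UPLINK_IF:-eth0}"
GUEST_NET="${GUEST_NET:-192.168.50.0/24}"      # the AP's own DHCP pool
PI_GUEST_IP="${PI_GUEST_IP:-192.168.50.1}"     # the Pi's address in that pool
# Every RFC 1918 range: guests may not reach any of these except the Pi.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the rules, one command per line, in the order they must be added.
# Order is the whole point: the exemptions for the Pi's own DHCP/DNS come
# first, the private-range drops next, and only then the catch-all accept
# towards the internet.  Swapping the last two silently disables isolation.
build_rules() {
    # Replies to connections the guests opened (downloads, DNS answers).
    echo "iptables -A FORWARD -i $UPLINK_IF -o $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Services the Pi itself offers to guests (INPUT, not FORWARD): DHCP and DNS.
    echo "iptables -A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT"
    echo "iptables -A INPUT -i $GUEST_IF -d $PI_GUEST_IP -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $GUEST_IF -j DROP"
    # Log, then drop, anything from the guest pool towards private space.
    # The log prefix is what you grep the kernel log for when a guest
    # device starts poking at the LAN.
    for net in $PRIVATE_NETS; do
        echo "iptables -A FORWARD -i $GUEST_IF -s $GUEST_NET -d $net -m limit --limit 5/min -j LOG --log-prefix GUEST_ISOLATION:"
        echo "iptables -A FORWARD -i $GUEST_IF -s $GUEST_NET -d $net -j DROP"
    done
    # Whatever is left from the guest pool goes out the uplink, NATed.
    echo "iptables -A FORWARD -i $GUEST_IF -o $UPLINK_IF -s $GUEST_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $GUEST_IF -j DROP"
    echo "iptables -t nat -A POSTROUTING -o $UPLINK_IF -s $GUEST_NET -j MASQUERADE"
}

# Number of FORWARD rules produced; a quick sanity check after applying.
forward_rule_count() {
    build_rules | grep -c ' -A FORWARD '
}

# Applying needs root and a live iptables; the default is a dry run.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    build_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

case "${1:-print}" in
    --apply) apply_rules ;;
    *)       build_rules ;;
esac
```

Run it once without arguments to review the rules, then with `--apply` as root. Isolation between guest clients on the same SSID (Ingo's follow-up question) is not a firewall matter at all: it is the `ap_isolate=1` setting in hostapd.conf, which stops the AP relaying frames between its own stations.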
0

You didn't write whether you're using routing or bridging. With routing I assume also NAT between the guest net and your home net. In this case, add filter rules that drop all packets that come in from your guest net and which are destined to your home net, except for the router. While not always strictly necessary to exempt the router, it might be needed when its DNS proxy and other services need to be used.

With bridging, things become more difficult, as you need to add IP filter rules that are run inside the bridge; this is possible, as ebtables in Linux supports this.

However, better would be to separate both home and guest net completely instead of attaching the guest net in the home net.

As a final note, I suspect it is far easier and quicker to get a suitable home router that does exactly that right out of the box, but of course this lacks the lulz and lemming factor.

TheDiveO
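The answer above points out that the bridged case needs filtering inside the bridge with ebtables, and that the home router usually has to be exempted so guests can still use its DHCP and DNS. The script below is an added example of that bridged variant (not code from the answer or the original poster's setup). It assumes hostapd has put `wlan0` into a bridge with `eth0`, so guests get addresses from the home router and are identified by bridge port rather than by subnet; the home range 192.168.1.0/24 and router address 192.168.1.1 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the answer: ebtables rules for a *bridged* guest
# AP, where wlan0 and eth0 sit in one bridge and guests share the home
# router's DHCP.  Guests are matched by ingress/egress port, not by subnet.
# HOME_NET and ROUTER_IP are constructed placeholders.
GUEST_IF="${GUEST_IF:-wlan0}"
HOME_NET="${HOME_NET:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"   # the one home host guests may reach

# Rules in order.  The ACCEPT for the router must precede the DROP for the
# range it lives in, for IPv4 and for ARP, and in both directions.
build_bridge_rules() {
    # Guest -> home: only the router; everything else in the home range drops.
    echo "ebtables -A FORWARD -i $GUEST_IF -p IPv4 --ip-dst $ROUTER_IP -j ACCEPT"
    echo "ebtables -A FORWARD -i $GUEST_IF -p IPv4 --ip-dst $HOME_NET -j DROP"
    # Same for ARP, otherwise guests can still enumerate home hosts' MACs.
    echo "ebtables -A FORWARD -i $GUEST_IF -p ARP --arp-ip-dst $ROUTER_IP -j ACCEPT"
    echo "ebtables -A FORWARD -i $GUEST_IF -p ARP --arp-ip-dst $HOME_NET -j DROP"
    # Home -> guest: only frames from the router reach the guest port.
    echo "ebtables -A FORWARD -o $GUEST_IF -p IPv4 --ip-src $ROUTER_IP -j ACCEPT"
    echo "ebtables -A FORWARD -o $GUEST_IF -p IPv4 --ip-src $HOME_NET -j DROP"
    echo "ebtables -A FORWARD -o $GUEST_IF -p ARP --arp-ip-src $ROUTER_IP -j ACCEPT"
    echo "ebtables -A FORWARD -o $GUEST_IF -p ARP --arp-ip-src $HOME_NET -j DROP"
}

# Prints 1 when the guest->home IPv4 ACCEPT for the router is listed before
# the DROP for the home range, else 0.  This is the ordering mistake that
# leaves guests without DHCP/DNS, so it is worth checking mechanically.
router_exempt_first() {
    build_bridge_rules | awk -v r="$ROUTER_IP" -v n="$HOME_NET" '
        /--ip-dst/ && index($0, r) && /ACCEPT/ && !acc { acc = NR }
        /--ip-dst/ && index($0, n) && /DROP/   && !drp { drp = NR }
        END { ok = (acc && drp && acc < drp) ? 1 : 0; print ok }'
}

case "${1:-print}" in
    --apply) build_bridge_rules | while IFS= read -r cmd; do eval "$cmd"; done ;;
    *)       build_bridge_rules ;;
esac
```

DHCP still works under these rules because the guests' discover frames are broadcast to 255.255.255.255, which is outside the home range, and the router's replies carry the exempted source address. Internet-bound frames pass because their IP destination is public even though their MAC destination is the router.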