TomatoUSB

I'm hoping to create a guest SSID that doesn't have a password but is locked down to only http/https browsing.

So far i've gotten the vlans setup and the second guest ssid setup on br1 with its own dhcp network.

How can i limit the amount of bandwidth being utilized on this second guest network? How can i also limit the user to only ports 80/443, gmail, hotmail, etc.? i don't want anyone doing bad things with my free guest wifi.

thanks!

Howdy!

I hardly think that you will be able to bandwidth limit on general GUEST. However, use iptables to allocate a quota for the GUEST interface / virtual wirelsss. Similarly, iptables can be used to limit ports,domains,destinations,etc. Do you need any help with iptables? If yes then please give your guest interface name and i will write the script for you to test.

Have a great day!

Hi! Thanks for the reply.

I wanted to limit the guest bandwidth but if that's not possible, then i'll live with restricting ports and sites heavily.

If you have a sample script, i'd love to dissect it and figure it out myself first if you don't mind. could you post it here?

thanks

Anoop

I dont have a sample but let me write it down and test at my end for you.. Please check this post in few minutes.

Edit:

Well, i tested something out as an experiment and it seems to work alright. Give this a try:

iptables -I INPUT -i br1 -p tcp —dport 80 -m state —state NEW -m recent —set
iptables -I INPUT -i br1 -p tcp —dport 443 -m state —state NEW -m recent —set
iptables -I INPUT -i br1 -p tcp —dport 80 -m state —state NEW -m recent —update —seconds 1 —hitcount 5 -j QUEUE
iptables -I INPUT -i br1 -p tcp —dport 443 -m state —state NEW -m recent —update —seconds 1 —hitcount 5 -j QUEUE

Read about the QUEUE target here : http://www.linuxtopia.org/Linux_Firewall_iptables/x4501.html . You can change the update and hitcount to fine tune / limit connections on the guest network interface.

Now if you want to block all service ports except browsing then you can do:

iptables -A INPUT -i br1 -m state —state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i br1 -p icmp -j ACCEPT
iptables -A INPUT -i br1 -j ACCEPT
iptables -A INPUT -i br1 -m udp -p udp —sport 53
iptables -A INPUT -i br1 -j DROP
iptables -A OUTPUT -i br1 -m state —state NEW -m tcp -p tcp —dport 80 -j ACCEPT
iptables -A OUTPUT -i br1 -m state —state NEW -m tcp -p tcp —dport 443 -j ACCEPT
iptables -A OUTPUT -i br1 -p icmp -j ACCEPT
iptables -A OUTPUT -i br1 -m udp -p udp —dport 53
iptables -A OUTPUT -i br1 -j REJECT —reject-with icmp-host-prohibited

You see port 53 for DNS as nothing will work without DNS lookups. I hope this helps. Please revert back with results.

Have a great day!

I hardly think that you will be able to bandwidth limit on general GUEST.

Why not ? Doesn't the QOS table apply to the WAN ? Just make the default speed setting be what you want for the guests to have and then define new classes for the more privileged devices.

@ the OP, what version of Tomato are you using ? There is a new version of the white list script that I have been wanting to test. It would provide the granular destination control that you are looking for. You can find 3 versions of it here ;
http://www.dd-wrt.com/wiki/index.php/Blocking_URLs/IPs#White_Listing

Edit -

I dont have a sample but let me write it down and test at my end for you.. Please check this post in few minutes.

Please don't let me distract you. I'm always interested in finding new tricks to do….

You are the man GeeTek but i wanted to keep it as simple as possible for the user. *Hugs*

@ anoobp

If you can accomplish what GeeTek has mentioned then there is nothing like it. Practice and try try again :)

Have a great day!

@geetek, @lucifercipher, thanks!

i'm so silly. i meant to provide the version information.

Tomato Firmware v1.28.7503 MIPSR2Toastman-RT K26 USB VLAN-VPN-NOCAT

if i can't control the bandwidth, i really only want to open up http/https and maybe imap. Definitely no smtp :)

Our pleasure :)

In that case, try this on the CLI first and if it serves the purpose then add it to firewall script under Administation — > Scripts — > Firewall

iptables -A INPUT -i br1 -m state —state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i br1 -p icmp -j ACCEPT
iptables -A INPUT -i br1 -j ACCEPT
iptables -A INPUT -i br1 -m udp -p udp —sport 53
iptables -A INPUT -i br1 -j DROP
iptables -A OUTPUT -i br1 -m state —state NEW -m tcp -p tcp —dport 80 -j ACCEPT
iptables -A OUTPUT -i br1 -m state —state NEW -m tcp -p tcp —dport 443 -j ACCEPT
iptables -A OUTPUT -i br1 -m state —state NEW -m tcp -p tcp —dport 143 -j ACCEPT
iptables -A OUTPUT -i br1 -p icmp -j ACCEPT
iptables -A OUTPUT -i br1 -m udp -p udp —dport 53
iptables -A OUTPUT -i br1 -j REJECT —reject-with icmp-host-prohibited

Basically what this script is doing is just allowing HTTP, HTTPS, IMAP and DNS on br1 guest interface. I hope this works as i tested it for you yesterday and it kinda worked out for me :D

and Have a great day!