LANCOM Support Knowledgebase Document No. 1804.3013.4422.RHOO - V1.10

Configuring a separate guest network (LAN & WLAN) with Public Spot and content-filter functions


Description:
The example configuration outlined here represents a typical scenario, such as for a hotel with a public LAN and wireless LAN access points:

Information: This scenario provides up to 64 user accounts for using the Public Spot. To operate a greater number of Public Spot user accounts you will require a WLAN controller with the Public Spot option.
  • A LANCOM 1821n is used as the central router. A Public Spot option and a Content Filter option (e.g. 10 users, 3 years of validity) are enabled on the device.
  • The LANCOM 1821n is already set up with two functioning DSL connections. The first Internet connection (INTERNET 1) operates via the router's WAN port (internal modem); the second Internet connection (INTERNET 2) is operated via an external modem connected to Ethernet port 3 (ETH-3).
  • The LANCOM 1821n is to be set up with a local administration network (IP: 192.168.10.0/24), which must meet the following requirements:
      • The administration network is to be configured on ports ETH-1 & ETH-2 on the LAN side, and on the WLAN side on the logical WLAN interface WLAN-1.
      • The WLAN's SSID is given the name ADMINISTRATION. Authentication in the WLAN uses the passphrase as configured.
      • Users of the administration network may access the Internet connection INTERNET 1 only.
  • The LANCOM 1821n is set up with a separate network for the guests (IP: 192.168.20.0/24, also LAN & WLAN). This guest network must meet the following requirements:
      • The guest network requires one (cabled) LAN connection for an Internet terminal. This connection is to be configured on the port ETH-4. Access to the LAN will be implemented and controlled by the Public Spot function.
      • The guest network also offers a wireless LAN (with its own SSID, GUESTS). Access to the WLAN will be implemented and controlled by the Public Spot function.
      • The administration network is to be inaccessible from the guest network.
      • Users of the guest network may access the Internet connection INTERNET 2 only.
      • Internet pages accessed from the guest network are to be checked by the content filter. Ten users per day are to be allowed to use the content filter. For an eleventh (or any further) user, Internet access is to be blocked.






Requirements:
  • The latest LCOS firmware
  • The latest LANtools
  • Two functioning Internet connections
  • Activated Public Spot option
  • Activated Content Filter option


Setting up the local networks ADMINISTRATION and GUESTS:

1) Open the configuration dialog of the LANCOM router and navigate to the menu TCP/IP -> General -> IP networks.



2) Click on Add... to create the first network (ADMINISTRATION).



3) Enter the following parameters:
  • (Network) name: ADMINISTRATION
  • IP address: 192.168.10.1
  • Netmask: 255.255.255.0
  • Interface assignment: BRG-1 (the bridge group which, later in the course of the configuration, will group together the Ethernet ports ETH-1 & ETH-2 with the logical wireless LAN interface WLAN-1).

4) Confirm with OK and then click on Add... once again to create the network GUESTS.

5) Enter the following parameters:
  • (Network) name: GUESTS
  • IP address: 192.168.20.1
  • Netmask: 255.255.255.0
  • Interface assignment: BRG-2 (the bridge group which, later in the course of the configuration, will group together the Ethernet port ETH-4 with the logical wireless LAN interface WLAN-1-2).
  • Interface tag: 1 (this interface tag ensures that the GUESTS network cannot access the ADMINISTRATION network.)




6) Accept your entries with OK. Your IP networks table should then appear as follows:



7) Click OK and you are back in the configuration dialog for the LANCOM. In the following steps we will set up the wireless LAN networks for the administration and guest networks.

8) Switch to the Wireless LAN menu and check that the physical WLAN interface is enabled. If this is not the case, activate this with the menu item Physical WLAN Settings -> WLAN interface enabled. The remaining physical WLAN settings can be left as their default values for this example configuration.

9) In the configuration area General, set the Country to Europe (or the country where the WLAN is to operate).



10) Click on Logical WLAN Settings -> WLAN network 1 and enable this logical WLAN network. As a network name, please enter WLAN_ADMINISTRATION. All other settings in this dialog can be left at the default values.

11) Close the dialog with OK.



12) Click on Logical WLAN Settings -> WLAN network 2 and enable this logical WLAN network. As a network name, please enter WLAN_GUESTS. All other settings in this dialog can be left at the default values.

13) Close the dialog with OK.



14) The next step is to configure the encryption settings for the two WLAN networks.

According to the requirements of our scenario, the administration WLAN should be encrypted and accessible with a passphrase.

Access to the guest WLAN is controlled by the Public Spot option, for which reason the encryption for this wireless network is disabled.

15) Navigate to the area 802.11i/WEP and click the button WPA or private WEP settings....



16) Select the first entry from the list (Wireless network 1) and click Edit....



17) The encryption settings for the administration WLAN should be left as WPA1/2 with TKIP/AES method. In the field Key 1/Passphrase you should now enter the passphrase for authentication. Then close the dialog with OK.



18) Select the second entry from the list (Wireless network 2) and click Edit....



19) You can deactivate the encryption settings for the guest WLAN because guests use the Public Spot function to log in and access the guest LAN and WLAN. Then close the dialog with OK.



20) In the WPA or private WEP settings... dialog, click on the OK button and you will be returned to the LANCOM's configuration dialog. This concludes the configuration of the administration and guest WLANs.

21) Whether users are in the administration or guest networks, the LAN and WLAN networks are each to be accessible at the same respective IP address. To achieve this, we must combine the logical interfaces for the LAN and WLAN into what are known as bridge groups. The following have to be grouped:
  • Network ADMINISTRATION:
      • LAN ports ETH-1 and ETH-2 are to be grouped with the logical WLAN interface WLAN-1 into bridge group 1 (BRG-1).
  • Network GUESTS:
      • LAN port ETH-4 is to be grouped with the logical WLAN interface WLAN-1-2 into bridge group 2 (BRG-2).

22) Navigate to the menu Interfaces -> LAN.

23) The physical LAN port ETH-4 is to be used to operate the guest network, so you must first assign it to a different logical LAN interface. To do this, click on Ethernet ports -> ETH 4 and, in the dialog that follows, set the interface usage to LAN-4. Then close the dialog with OK.



24) Now we begin to combine the logical LAN and WLAN interfaces into bridge groups.

25) Click on Port table -> LAN-1 and assign the logical network LAN-1 to the bridge group BRG-1. Then close the dialog with OK.

26) Similarly, click on Port table -> WLAN-1 and assign the logical network WLAN-1 to the bridge group BRG-1. Then close the dialog with OK.

27) You have now formed the bridge groups for the ADMINISTRATION network.



28) Click on Port table -> LAN-4 and assign the logical network LAN-4 to the bridge group BRG-2. Then close the dialog with OK.

29) Similarly, click on Port table -> WLAN-1-2 and assign the logical network WLAN-1-2 to the bridge group BRG-2. Then close the dialog with OK.

30) You have now formed the bridge groups for the GUESTS network.





Setting up the Public Spot function for the GUESTS network:

1) In the configuration dialog for the LANCOM router, navigate to the Public Spot menu and select the option Public Spot - authenticate with name and password.



2) Click on the Public Spot tab and enable the option for the logical interface LAN-4 and the logical WLAN interface WLAN-1-2.



3) In this example configuration, we will use the LANCOM router's internal RADIUS server to manage the Public Spot user data. For this reason, you must enter the connection data of the internal RADIUS server into the Provider list on the Public Spot Users tab.



4) Click on the Add... button.



5) Enter a name into the Provider list. In this case we will use RADIUS.

6) Since we are using the LANCOM's internal RADIUS server, you have to enter the local host address (127.0.0.1) for the LANCOM into the fields Auth. server IP address and Acc. server IP address.

7) The port numbers can be left at the default values of 1812 (Auth. server port) and 1813 (Acc. server port).



8) Accept your entries with OK.

9) Now we need to make some changes to the configuration of the LANCOM router's internal RADIUS server. Switch to the RADIUS server menu.

10) Under RADIUS service, enter the port numbers for the authentication port (1812) and the accounting port (1813).

11) A useful feature is the Automatic cleanup of the user table, so you should enable this feature as well.



12) This completes the configuration of Public Spot function for the GUESTS network.

13) Click on OK to write the new configuration for the LANCOM router back to the device.


Setting up the content filter function for the GUESTS network:

A further requirement of our scenario is for Internet access in the GUESTS network to be regulated by the content filter. In this example, a content filter license for 10 users is used. The Internet access for an eleventh (or more) content-filter user should be blocked.

Information:
In this example, we will carry out a ground-up configuration of the content filter. There are many more configuration options. Information is available in the content filter manual, or in the LANCOM Support Knowledge Base.

1) When setting up the content filter for the first time, we recommend that you use the Setup Wizard.

2) Select the option Content filter setup and confirm with Next.



3) Confirm the following dialog with Next.



4) In this example we use the basic security profile, as this suffices to set up the essential security parameters.



5) Click on Next and close the Setup Wizard by clicking on Finish.



6) Open the configuration dialog of the LANCOM router and switch to the Content filter dialog.

7) Make sure that the Activate content filter option is checked and that the option In case of license exceedance is set to forbidden. This ensures that Internet access is blocked for an eleventh (or any further) user, according to the requirements of our scenario.



8) Since the content filter is only to be used for Internet access from the guest network, you still have to modify the firewall rules for the content filter.

Switch to the menu Firewall/QoS and edit the CONTENT-FILTER firewall rule.



9) Click on the Stations tab. For the Connection source, remove the LOCALNET object and replace it with the GUESTS network.

10) To do this, select the object LOCALNET and then click on Delete.



11) Click on Add -> Add custom station.

12) In the dialog that follows, select All stations in the local network and set the network name to GUESTS.

13) Accept your entries with OK.



14) The modified firewall rule should then look as follows:



15) This concludes the configuration of the content filter.



Setting up Internet-access regulation for the networks ADMINISTRATION and GUESTS:

A further requirement for this scenario is that the GUESTS and ADMINISTRATION networks should each use their own Internet connection.

For this purpose, two DSL remote sites (INTERNET1 and INTERNET2) are set up and configured on the LANCOM router.



Internet access from the ADMINISTRATION network should run only via the Internet connection INTERNET1, and Internet access from the GUESTS network should run only via the Internet connection INTERNET2.

This is implemented by using two rules in the firewall.

1) Open the configuration dialog of the LANCOM router and navigate to the menu Firewall/QoS -> Rules -> Rules....



2) Click Add... and, on the General tab, enter a name for the firewall rule (in this case: INTERNET_ADMINISTRATION).

3) On the Actions tab, set the Action object to ACCEPT.

4) For the Connection source, select the option Connections from the following stations and, under Add..., add the custom station ADMINISTRATION.

5) For the Connection destination, select the option Connections from the following stations and, under Add..., add the custom station INTERNET1.

6) Save the firewall rule by clicking on the OK button.

7) In the firewall list, click on Add... again and, on the General tab, enter a name for the second firewall rule (in this case: INTERNET_GUESTS).

8) On the Actions tab, set the Action object to ACCEPT.

9) For the Connection source, select the option Connections from the following stations and, under Add..., add the custom station GUESTS.

10) For the Connection destination, select the option Connections from the following stations and, under Add..., add the custom station INTERNET2.

11) Save the firewall rule by clicking on the OK button.

12) This concludes the configuration of the firewall rules.

13) Confirm all configuration dialogs with the OK button and write the configuration back to the LANCOM router.

14) This concludes the configuration of the example scenario. Please carry out a function test.
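To make the function test systematic, here is an added example (not LCOS code or LANCOM tooling) that models the traffic policy this scenario intends, so each requirement becomes a checkable verdict. It assumes, as a simplification of the real LCOS engine, that interface tag 0 acts as a supernet reaching every local network while a tagged network reaches only networks with the same tag, and that Internet access is default-deny apart from the two ACCEPT rules created above.

```python
# Added example, not LCOS code: a model of the traffic policy this scenario intends.
# Assumptions (simplifications of the real LCOS engine): interface tag 0 acts as a
# supernet that may reach every local network, a tagged network reaches only networks
# with the same tag, and Internet access is default-deny apart from the two ACCEPT rules.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Network:
    name: str
    prefix: ipaddress.IPv4Network
    tag: int = 0  # interface tag; 0 is the untagged default


# IP networks as configured under TCP/IP -> General -> IP networks
LOCAL_NETWORKS = (
    Network("ADMINISTRATION", ipaddress.ip_network("192.168.10.0/24"), tag=0),
    Network("GUESTS", ipaddress.ip_network("192.168.20.0/24"), tag=1),
)

# (rule name, source station object, destination remote site, action)
FIREWALL_RULES = (
    ("INTERNET_ADMINISTRATION", "ADMINISTRATION", "INTERNET1", "ACCEPT"),
    ("INTERNET_GUESTS", "GUESTS", "INTERNET2", "ACCEPT"),
)


def network_of(ip: str):
    """Return the local Network containing ip, or None if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in LOCAL_NETWORKS if addr in n.prefix), None)


def evaluate(src_ip: str, destination: str):
    """Verdict for a flow from src_ip to a local IPv4 address or a remote-site name."""
    src = network_of(src_ip)
    if src is None:
        return "DENY", "source is not in a configured local network"
    try:
        dst = network_of(destination)
    except ValueError:          # not an address, so a remote-site name
        dst = None
    if dst is not None:         # local-to-local traffic: interface tags decide
        if src == dst:
            return "ACCEPT", f"bridged within {src.name}"
        if src.tag == 0 or src.tag == dst.tag:
            return "ACCEPT", "interface tags compatible"
        return "DENY", f"interface tag {src.tag} isolates {src.name} from {dst.name}"
    for name, rule_src, rule_dst, action in FIREWALL_RULES:
        if rule_src == src.name and rule_dst == destination:
            return action, f"firewall rule {name}"
    return "DENY", "no matching firewall rule (default deny in this model)"
```

During the function test, compare each verdict with the corresponding probe from a client in that network (for example, a ping from a GUESTS client to 192.168.10.1 must fail, and GUESTS traffic must leave via INTERNET2 only).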
