[openwrt] This script will create a guest network fully isolated from the main one; it also supports bandwidth control
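#!/bin/sh
#
# FOR USE IN OPENWRT
# This script creates a guest network fully isolated from the main one.
# Tested on a Xiaomi AX3000T router; should work on any OpenWRT-powered router.
#
# Ensure the Wi-Fi interfaces retain their default names (radio0 and radio1).
#
# Info about OpenWRT support on AX3000T:
# https://openwrt.org/inbox/toh/xiaomi/ax3000t
#
# The script is re-runnable: every uci section it owns is deleted (quietly)
# and recreated, so it can be executed again after editing the variables
# below. It deliberately does not use `set -e`: `uci -q delete` returns
# non-zero when the section does not exist yet, which is normal on a first run.
#
# Guest interface configuration
INTERFACE='guest'
NETWORK='192.168.6.1/24'
GUEST_DNS_SERVER='8.8.8.8,8.8.4.4' # DNS server for the guest network, split by commas if multiple (e.g. 8.8.8.8,8.8.4.4)
# Your current LAN interface configuration, needed by firewall rules.
# LAN_RANGE must cover every subnet reachable through LAN_INTERFACE: the
# isolation rule below only rejects traffic whose destination lies inside it.
LAN_INTERFACE='lan'
LAN_RANGE='192.168.1.1/24'
# Wi-Fi SSID and Password
RADIO_SSID='my-guest-wifi' # Choose your Wi-Fi network name here
RADIO_KEY='my-guest-password' # BE SURE TO CHANGE THE PASSWORD!!! (WPA passphrases are 8-63 characters)
RADIO1_ENABLE=1 # Set to 1 to enable radio1; comment out to use only the radio0 interface.
# IMPORTANT: Install the required packages: sqm-scripts
SQM_ENABLE=1 # Set to 1 to enable SQM (Smart Queue Management) for bandwidth control; comment out to disable.
DOWNLOAD_LIMIT='10000' # Download limit in Kbps, e.g. 10000 for 10 Mbps
UPLOAD_LIMIT='10000' # Upload limit in Kbps, e.g. 10000 for 10 Mbps
#
# Configuration below this line should not require modification.
#
# Refuse to bring up a guest AP with the placeholder key, or with a key that
# hostapd will reject anyway (WPA-PSK/SAE passphrases are 8-63 characters).
if [ "${RADIO_KEY}" = 'my-guest-password' ]; then
  printf '%s\n' "RADIO_KEY is still the placeholder value; set a real passphrase first." >&2
  exit 1
fi
if [ "${#RADIO_KEY}" -lt 8 ] || [ "${#RADIO_KEY}" -gt 63 ]; then
  printf '%s\n' "RADIO_KEY must be between 8 and 63 characters long." >&2
  exit 1
fi
# Configure network bridge
uci -q delete "network.${INTERFACE}_dev"
uci set "network.${INTERFACE}_dev=device"
uci set "network.${INTERFACE}_dev.type=bridge"
uci set "network.${INTERFACE}_dev.name=br-${INTERFACE}"
# Configure network interface
uci -q delete "network.${INTERFACE}"
uci set "network.${INTERFACE}=interface"
uci set "network.${INTERFACE}.proto=static"
uci set "network.${INTERFACE}.device=br-${INTERFACE}"
uci set "network.${INTERFACE}.ipaddr=${NETWORK}"
uci commit network
service network restart
# Configure dhcp server
uci -q delete "dhcp.${INTERFACE}"
uci set "dhcp.${INTERFACE}=dhcp"
uci set "dhcp.${INTERFACE}.interface=${INTERFACE}"
uci set "dhcp.${INTERFACE}.start=100"
uci set "dhcp.${INTERFACE}.limit=150"
uci set "dhcp.${INTERFACE}.leasetime=1h"
# DHCP option 6 hands GUEST_DNS_SERVER to clients, so guests do not depend on
# the router's own resolver.
uci add_list "dhcp.${INTERFACE}.dhcp_option=6,${GUEST_DNS_SERVER}"
uci commit dhcp
service dnsmasq restart
# Add firewall zone: guests may neither talk to the router (input) nor be
# forwarded anywhere (forward) unless a rule or forwarding below allows it.
uci -q delete "firewall.${INTERFACE}"
uci set "firewall.${INTERFACE}=zone"
uci set "firewall.${INTERFACE}.name=${INTERFACE}"
uci set "firewall.${INTERFACE}.network=${INTERFACE}"
uci set "firewall.${INTERFACE}.input=REJECT"
uci set "firewall.${INTERFACE}.output=ACCEPT"
uci set "firewall.${INTERFACE}.forward=REJECT"
# FW Rule: Allow DNS
# NOTE(review): because this rule has dest=LAN it is a forwarding rule, not an
# input rule for the router, and rules apply in config order, so it is matched
# before the isolation rule: guests can reach LAN hosts on tcp/udp 53. With
# GUEST_DNS_SERVER handed out by DHCP it is not required for name resolution;
# remove it if no LAN-side resolver should be reachable from the guest zone.
uci -q delete "firewall.${INTERFACE}_dns"
uci set "firewall.${INTERFACE}_dns=rule"
uci set "firewall.${INTERFACE}_dns.name=${INTERFACE}_dns"
uci set "firewall.${INTERFACE}_dns.src=${INTERFACE}"
uci set "firewall.${INTERFACE}_dns.dest=${LAN_INTERFACE}"
uci set "firewall.${INTERFACE}_dns.dest_port=53"
uci set "firewall.${INTERFACE}_dns.proto=tcp udp"
uci set "firewall.${INTERFACE}_dns.target=ACCEPT"
# FW Rule: Allow DHCP (no dest, so this targets the router's own input chain,
# which the zone otherwise rejects). DHCP is UDP only.
uci -q delete "firewall.${INTERFACE}_dhcp"
uci set "firewall.${INTERFACE}_dhcp=rule"
uci set "firewall.${INTERFACE}_dhcp.name=${INTERFACE}_dhcp"
uci set "firewall.${INTERFACE}_dhcp.src=${INTERFACE}"
uci set "firewall.${INTERFACE}_dhcp.dest_port=67-68"
uci set "firewall.${INTERFACE}_dhcp.target=ACCEPT"
uci set "firewall.${INTERFACE}_dhcp.proto=udp"
# FW Rule: Isolate network from local LAN (matches only destinations inside
# LAN_RANGE; anything else forwarded to the LAN zone is still allowed by the
# forwarding section below).
uci -q delete "firewall.${INTERFACE}_iso"
uci set "firewall.${INTERFACE}_iso=rule"
uci set "firewall.${INTERFACE}_iso.name=${INTERFACE}_iso"
uci set "firewall.${INTERFACE}_iso.src=${INTERFACE}"
uci set "firewall.${INTERFACE}_iso.dest=${LAN_INTERFACE}"
uci set "firewall.${INTERFACE}_iso.dest_ip=${LAN_RANGE}"
uci set "firewall.${INTERFACE}_iso.target=REJECT"
# Add forwarding to lan
# NOTE(review): this forwarding targets LAN_INTERFACE only; no forwarding to a
# WAN zone is created anywhere in this script. Confirm this matches the zone
# layout on your router before relying on it for guest Internet access.
uci -q delete "firewall.${INTERFACE}_forward"
uci set "firewall.${INTERFACE}_forward=forwarding"
uci set "firewall.${INTERFACE}_forward.src=${INTERFACE}"
uci set "firewall.${INTERFACE}_forward.dest=${LAN_INTERFACE}"
uci commit firewall
service firewall restart
# Create radio0 wifi network. isolate=1 blocks client-to-client traffic on the
# AP; sae-mixed accepts both WPA2-PSK and WPA3-SAE clients.
uci -q delete "wireless.${INTERFACE}"
uci set "wireless.${INTERFACE}=wifi-iface"
uci set "wireless.${INTERFACE}.device=radio0"
uci set "wireless.${INTERFACE}.mode=ap"
uci set "wireless.${INTERFACE}.network=${INTERFACE}"
uci set "wireless.${INTERFACE}.ssid=${RADIO_SSID}"
uci set "wireless.${INTERFACE}.encryption=sae-mixed"
uci set "wireless.${INTERFACE}.key=${RADIO_KEY}"
uci set "wireless.${INTERFACE}.isolate=1"
# Create radio1 wifi network (same SSID/key, second radio) when enabled
if [ -n "${RADIO1_ENABLE:-}" ]; then
  uci -q delete "wireless.${INTERFACE}_1"
  uci set "wireless.${INTERFACE}_1=wifi-iface"
  uci set "wireless.${INTERFACE}_1.device=radio1"
  uci set "wireless.${INTERFACE}_1.mode=ap"
  uci set "wireless.${INTERFACE}_1.network=${INTERFACE}"
  uci set "wireless.${INTERFACE}_1.ssid=${RADIO_SSID}"
  uci set "wireless.${INTERFACE}_1.encryption=sae-mixed"
  uci set "wireless.${INTERFACE}_1.key=${RADIO_KEY}"
  uci set "wireless.${INTERFACE}_1.isolate=1"
fi
uci commit wireless
wifi reload
# Configure SQM (Smart Queue Management) for bandwidth control.
# SQM shapes relative to the interface it is attached to: on br-guest,
# "download" is traffic entering the router from guests (their upload) and
# "upload" is traffic leaving the router toward guests (their download), which
# is why the two limits are swapped below.
if [ -n "${SQM_ENABLE:-}" ]; then
  uci -q delete "sqm.${INTERFACE}"
  uci set "sqm.${INTERFACE}=queue"
  uci set "sqm.${INTERFACE}.enabled=1"
  uci set "sqm.${INTERFACE}.interface=br-${INTERFACE}"
  uci set "sqm.${INTERFACE}.download=${UPLOAD_LIMIT}" # upload from the guest network to the internet
  uci set "sqm.${INTERFACE}.upload=${DOWNLOAD_LIMIT}" # download from the internet to the guest network
  uci set "sqm.${INTERFACE}.debug_logging=0"
  uci set "sqm.${INTERFACE}.verbosity=5"
  uci set "sqm.${INTERFACE}.qdisc=cake"
  uci set "sqm.${INTERFACE}.script=piece_of_cake.qos"
  uci set "sqm.${INTERFACE}.linklayer=none"
  # Commit and restart only when SQM is enabled: without sqm-scripts installed
  # there is no sqm config to commit and no sqm service to restart.
  uci commit sqm
  service sqm restart
fi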