Description:

This article describes how the Content Filter and the Public Spot can be configured for a guest network, and how the traffic from the guest network can be routed via a separate Internet connection.

This scenario provides up to 128 user accounts for the Public Spot. To operate a greater number of Public Spot user accounts you require a 19xx series router, a WLAN controller, a Central Site Gateway with the Public Spot XL option, or a vRouter (as of vRouter 500).


Requirements:

The device with the active Public Spot must be the gateway and the DNS server of the Public Spot network; this is mandatory.

The management ports for HTTP (port 80) and HTTPS (port 443) must not be changed and have to be left at their default values. Please refer to this article in our Knowledge Base (see steps 1.8) to 1.9)).

If the integrated SSL certificate is used, browsers display a certificate warning when the HTTPS login page is opened, because the device's certificate is unknown to the client. Please refer to this article in our Knowledge Base (see "Security notice for the SSL-HTTPS certificate").


Scenario:

  • A LANCOM 1790VAW is used as the central router. A Public Spot option and a Content Filter option (e.g. 10 users, 3 years of validity) are enabled on the device.
  • The LANCOM 1790VAW is already set up with two functioning DSL connections. The first Internet connection (INTERNET1) operates via the router's VDSL modem, the second Internet connection (INTERNET2) operates via an external modem connected to Ethernet port 4 (ETH-4).
    • The Internet connection INTERNET1 is assigned the routing tag 0.
    • The Internet connection INTERNET2 is assigned the routing tag 1.
  • The LANCOM 1790VAW is to be set up with a local administration network with the IP address range 192.168.10.0/24, which must meet the following requirements:
    • The administration network is to be configured on the port ETH-1 on the LAN side, and on the WLAN side on the logical WLAN interface WLAN-1.
    • The WLAN's SSID is given the name Administration. Authentication in the WLAN uses the encryption method WPA2.
    • Users of the administration network may access the Internet connection INTERNET1 only.
  • The LANCOM 1790VAW is to be set up with a separate network for the guests with the IP address range 192.168.20.0/24 (also LAN and WLAN). This guest network must meet the following requirements:
    • The guest network requires one (cabled) LAN connection for an Internet terminal. This connection is to be configured on the port ETH-2.
    • The guest network also offers a wireless LAN (with its own SSID, Guests, and the logical interface WLAN-1-2).
    • Access to the guest network is implemented and controlled by the Public Spot function.
    • The administration network is to be inaccessible from the guest network.
    • Users of the guest network may access the Internet connection INTERNET2 only.
    • Internet pages accessed from the guest network are to be checked by the Content Filter. The Content Filter licence covers ten users per day; from the eleventh user onwards, Internet access is to be blocked for those users.

Scenario graphic for a WiFi router with a separate guest network as well as Content Filter and Public Spot



Procedure:

1) Setting up the local networks for administration and guests:

1.1) Open the configuration of the LANCOM router in LANconfig and navigate to the menu IPv4 → General → IP networks.

Open the menu IP networks on the router

1.2) Select the network INTRANET and click Edit. This network is used for the administration.

Edit the network INTRANET (administration network)

1.3) Modify the following parameters:

  • IP address: Enter an IP address from the administration network (in this example 192.168.10.1).
  • Netmask: Enter the corresponding subnet mask for the administration network (in this example 255.255.255.0).
  • Interface assignment: Make sure that the bridge group BRG-1 is selected (this is the bridge group which, later in the configuration, will combine the Ethernet port ETH-1 with the logical WLAN interface WLAN-1).

Assign IP parameters and the interface for the administration network

1.4) Create a new network for the guests and enter the following parameters:

  • Network name: Enter a descriptive name (in this example GUESTS).
  • IP address: Enter an IP address from the guest network (in this example 192.168.20.1).
  • Netmask: Enter the corresponding netmask for the guest network (in this example 255.255.255.0).
  • Interface assignment: Select the bridge group BRG-2 (this is the bridge group which, later in the configuration, will combine the Ethernet port ETH-2 with the logical WLAN interface WLAN-1-2).
  • Interface tag: Enter the tag 1 (this interface tag ensures that the guest network cannot access the administration network.)

Networks with an interface tag other than 0 can only communicate with networks that carry the same tag. Networks with the interface tag 0 can communicate with all networks, regardless of their tag. In this example the network INTRANET (tag 0) can therefore reach the network GUESTS (tag 1), but the network GUESTS cannot reach the network INTRANET. Note that the interface tag only separates the routed networks from each other; devices that share the same bridge group (here ETH-2 and WLAN-1-2 in BRG-2) are on one layer-2 segment and can still see each other unless this is restricted separately (see step 2.8) for the WLAN stations).

Assign IP parameters and the interface for the guest network

1.5) The table IP networks should then appear as follows:

Overview of the configured networks in the menu IP networks

1.6) Go to the menu IPv4 → DHCPv4 → DHCP networks.

Open the menu DHCP networks

1.7) Select the network INTRANET and click Edit.

Edit the network INTRANET (administration network)

1.8) For the parameter DHCP server enabled select the option Yes.

Activate the DHCP server for the network INTRANET (administration network)

1.9) Click Add to create a new DHCP network.

Create a new DHCP network

1.10) Modify the following parameters:

  • Network name: In the dropdown menu select the guest network created in step 1.4) (in this example GUESTS).
  • DHCP server enabled: Select the option Yes.

Activate the DHCP server for the guest network



2) Configuring the WLAN settings:

2.1) Go to the menu Wireless LAN → General and select the Country in which the router is operated (in this example United Kingdom).

Selecting the country for the WLAN

2.2) Go to the menu Wireless LAN → General → Physical WLAN settings.

Open the menu Physical WLAN settings

2.3) Set the checkbox WLAN interface enabled to activate the WLAN interface.

In this example, the rest of the physical parameters are left on the default settings.

Activate the WLAN module

2.4) Go to the menu Logical WLAN settings and select the WLAN network 1. This is to be used for the administration network.

Open the menu WLAN network 1

2.5) Modify the following parameters:

  • Make sure that the checkbox WLAN network enabled is set.
  • For the Network name (SSID) enter a descriptive name for the SSID (in this example Administration).

Enter the SSID for the administration network

2.6) Change to the tab Encryption and enter a WPA key for the parameter Key 1/passphrase.

The WPA key must have at least 8 and a maximum of 63 characters. Since this key is the only thing protecting the administration WLAN, use a long, randomly generated passphrase rather than a short word.

Enter the WPA key for the administration network

2.7) In the Logical WLAN settings click on the WLAN network 2. This is to be used for the guest network.

Open the menu WLAN network 2

2.8) Modify the following parameters:

  • Activate the SSID by checking WLAN network enabled.
  • For the Network name (SSID) enter a descriptive name for the SSID (in this example Guests).
  • Set the parameter Direct traffic between stations to Deny (for all APs in LAN), so that WLAN clients in the guest WLAN cannot communicate with each other.

Enter the SSID for the guest network

2.9) Switch to the tab Encryption and untick the checkbox Encryption activated.

Encryption for the guest WLAN is not needed, as the authentication of the WLAN clients is done via the Public Spot. Keep in mind that the Public Spot only controls who gets access: on an unencrypted SSID all guest traffic is transmitted in the clear over the air, so guests should rely on HTTPS or a VPN for anything confidential, and the login page itself must be served via HTTPS (see the requirements above).

Deactivate WLAN encryption for the guest network



3) Configuring the interfaces:

3.1) Go to the menu Interfaces → LAN → Ethernet ports and click on the interface ETH 2.

Open the Ethernet port for the guest network

3.2) For Interface usage, select the option LAN-2 in the dropdown menu.

Assign a separate logical LAN interface to the Ethernet port

3.3) Go to the menu LAN bridge.

Open the menu LAN bridge

3.4) Switch to the menu Port table.

Open the menu Port table in the LAN bridge

3.5) Within each network, the LAN and WLAN clients are to reach the router at the same IP address, regardless of whether they belong to the administration or the guest network. To achieve this, the logical LAN and WLAN interfaces have to be combined into so-called bridge groups. The following have to be grouped:

  • Network INTRANET:
    • LAN port ETH-1 is to be grouped with the logical WLAN interface WLAN-1 into bridge group 1 (BRG-1).
  • Network GUESTS:
    • LAN port ETH-2 is to be grouped with the logical WLAN interface WLAN-1-2 into bridge group 2 (BRG-2).


Make sure that the logical interfaces LAN-1 and WLAN-1 are assigned to the bridge group BRG-1.

Assign the bridge interface for the logical LAN interface of the administration network Assign the bridge interface for the logical WLAN interface of the administration network

Assign the bridge group BRG-2 to the logical interfaces WLAN-1-2 and LAN-2.

Assign the bridge interface for the logical WLAN interface of the guest network Assign the bridge interface for the logical LAN interface of the guest network

The port table must now look as follows:

Overview of the configured interfaces in the menu Port table



4) Setting up the Public Spot function for the GUESTS network:

4.1) Go to the menu Public-Spot → Authentication and activate the option Authenticate with name and password.

Activate the Public-Spot login with user credentials

4.2) Go to the menu Public-Spot → Server → Operational settings.

Open the menu Operational settings in the Public-Spot

4.3) Go to the menu Interfaces.

Open the menu Interfaces in the Public.-Spot Operational settings

4.4) Activate the user authentication for the interfaces WLAN-1-2 and LAN-2.

Activate Public-Spot authentication for the logical WLAN interface of the guest network Activate Public-Spot authentication for the logical LAN interface of the guest network

The table Interfaces must now look as follows:

Overview of the configured Public-Spot interfaces

4.5) Go to the menu Public-Spot → Users → RADIUS server.

Open the menu RADIUS server in the Public-Spot

4.6) A reference to the integrated RADIUS server has to be entered in this menu.

In the default configuration the entry LOCAL is present. It refers to the integrated RADIUS authentication and accounting server.

If no entry exists, please create one and give it a descriptive name.

Make sure that the parameters are set as follows:

  • Auth. server address: 127.0.0.1
  • Auth. server port: 1812
  • Acc. server address: 127.0.0.1
  • Acc. server port: 1813

Checking the existing entry for standard ports

4.7) Go to the menu RADIUS → Server and activate the options RADIUS authentication active, RADIUS accounting active as well as the feature Auto cleanup user table.

Activate RADIUS authentication and RADIUS accounting

4.8) Go to the menu RADIUS → Server → RADIUS services ports.

Open the menu RADIUS services ports in the RADIUS server

4.9) Make sure that port 1812 is used as the Authentication port and port 1813 as the Accounting port; these must match the ports entered in step 4.6).

Checking the entry for standard ports

4.10) The manual configuration steps are completed for now. Write the configuration back to the router.
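The Public Spot hands the credentials entered on the login page to the RADIUS server referenced in step 4.6), here the integrated server on 127.0.0.1 (ports 1812 and 1813). The following added example (not LANCOM code and not taken from this article) reproduces a minimal RFC 2865 PAP exchange in memory: the NAS side builds an Access-Request and hides the password with the shared secret and the Request Authenticator, the server side recovers the password, checks it against its user table and answers with Access-Accept or Access-Reject, and the NAS side only trusts the answer if the Response Authenticator proves the server knows the secret. The shared secret, the guest account and the use of PAP are assumptions made for this example; the article does not state which RADIUS method the Public Spot uses.

```python
"""Minimal RFC 2865 PAP exchange between a NAS (the Public Spot) and a RADIUS server.

Added example: the shared secret, the guest account and the use of PAP are
assumptions for this illustration, not values from the article or LANCOM code.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample data (assumptions, not from the article).
SHARED_SECRET = b"public-spot-shared-secret"
USER_TABLE = {"guest-0001": "t4Ckzx9R"}


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    """Decode a run of attributes, refusing truncated or zero-length ones."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the keystream is chained over the ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ s for c, s in zip(prev, stream))
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, request_auth=None) -> bytes:
    """NAS side: Code 1, Identifier, Length, 16-byte Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes([127, 0, 0, 1])))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def _response_authenticator(code, ident, length, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, check it, answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    try:
        password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    except (KeyError, ValueError):
        password = b""
    # Check membership first: an unknown user must never match an empty recovered password.
    accepted = username in users and hmac.compare_digest(users[username].encode(), password)
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    resp_attrs = b""
    auth = _response_authenticator(code, ident, 20 + len(resp_attrs), request_auth, resp_attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(resp_attrs)) + auth + resp_attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: trust the answer only if the Identifier matches and the Response Authenticator checks out."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = _response_authenticator(code, ident, length, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])
```

Two details matter in practice: the Request Authenticator must be fresh random bytes per request, because reusing it with the same secret reuses the keystream that hides the password; and the NAS must check the Response Authenticator, otherwise anyone who can inject a UDP packet with the right Identifier can forge an Access-Accept. On the router both ends sit on the loopback interface, which is one reason the article insists on the local server, but the secret still has to be identical on both sides or every login fails.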



5) Setting up the Content Filter function for the GUESTS network:

A further requirement of our scenario is for Internet access in the GUESTS network to be regulated by the Content Filter. In this example, a Content Filter license for 10 users is used. The Internet access for an eleventh (or more) content-filter user should be blocked.

When setting up the content filter for the first time, we recommend that you use the Setup Wizard.

In this example, we will carry out a basic configuration of the Content Filter. There are many more configuration options. Information is available in the Reference manual or in the LANCOM Support Knowledge Base.

5.1) Select the router in LANconfig, right-click it and select the option Setup Wizard in the context menu.

5.2) Select the option Content Filter Setup and confirm with Next.

Invoking the setup wizard Content Filter Setup in LANconfig

5.3) Confirm the following dialog with Next.

Acknowledge the information about the Content Filter

5.4) In this example we use the Basic security profile, as this suffices to set up the essential security parameters. Click Next afterwards.

Select the Content Filter profile in the setup wizard

5.5) Close the Setup Wizard by clicking on Finish.

Finish the setup wizard

5.6) Open the configuration dialog of the LANCOM router in LANconfig and go to the menu Content Filter → General.

Make sure that the Content filter is active and that the option In case of license exceedance is set to Forbidden. This ensures that Internet access is blocked for an eleventh (or more) users according to the requirements of our scenario.

Checking the configured parameters for the licence exceedance in the menu Content Filter



6) Routing the traffic from the guest network via the Internet connection INTERNET2:

Without further settings, all traffic is routed via the default route with the routing tag 0 (in this case the Internet connection INTERNET1). Therefore no action is required for the administration network. For the guest network, additional configuration steps are necessary to ensure that its traffic is routed via the Internet connection INTERNET2.

6.1) Go to the menu Firewall/QoS → IPv4 Rules → Rules.

Open the menu Rules in the router firewall

6.2) Select the rule CONTENT-FILTER activated by the setup wizard and click Edit.

Edit the rule CONTENT-FILTER

6.3) For the parameter Routing tag enter the tag 1 to ensure that websites (HTTP and HTTPS) accessed from the guest network are routed via the Internet connection INTERNET2.

Enter the routing tag for the second Internet connection in the firewall rule

6.4) Switch to the tab Stations and delete the object LOCALNET.

The object LOCALNET stands for all local networks. If it were left in place, the rule, and with it the Content Filter and the routing tag 1, would also apply to the administration network, so it has to be removed and replaced by the guest network in the next steps.

Remove the object for all local networks for the Connection source in the rule

6.5) For the Connection source click Add → Add custom station.

Add a custom station for the Connection source in the firewall rule

6.6) For the Network name select the network GUESTS, so that only this network is checked by the Content Filter.

Select the guest network as the Connection source

6.7) Click Add to create an additional firewall rule which ensures that all other traffic from the guest network (everything except HTTP and HTTPS) is also routed via the Internet connection INTERNET2.

Create a new firewall rule

6.8) Enter a descriptive name and enter the Routing tag 1 to ensure that this traffic is routed via the Internet connection INTERNET2.

Enter a name for the new firewall rule and enter the routing tag for the second Internet connection

6.9) Switch to the tab Actions and delete the object REJECT.

Remove the action object REJECT in the firewall rule

6.10) Add the object ACCEPT.

Add the action object ACCEPT in the firewall rule

6.11) Switch to the tab Stations, select the option Connections from the following stations and click Add → Add custom station.

Add a custom station for the Connection source in the firewall rule

6.12) For the Network name select the network GUESTS.

Select the guest network as the Connection source

6.13) The table Firewall rules should then look as follows:

Overview of the configured firewall rules

6.14) This concludes the configuration. Write the configuration back to the router.
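The two tagging mechanisms used in this article are easy to confuse, so here is an added example (not LANCOM code and not part of the article) that models them in Python: the interface tags from step 1.4) decide which local networks may reach each other, and the firewall rules from steps 6.2) to 6.13) attach the routing tag that selects INTERNET1 or INTERNET2. The model evaluates firewall rules first match wins with the more specific CONTENT-FILTER rule first, applies routing tags only through firewall rules as section 6 describes, and ignores everything else the LCOS firewall does (priorities, stateful handling); those simplifications are assumptions of the model, as are the sample client addresses. It also keeps the wizard's original rule with the source LOCALNET to show why step 6.4) removes it.

```python
"""Model of interface tags (step 1.4) and firewall routing tags (section 6).

Added example, not LANCOM code. Assumptions: rules are evaluated first match wins
with the CONTENT-FILTER rule first, routing tags are set only by firewall rules,
and nothing else in the LCOS firewall (priorities, stateful handling) is modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class IPNetwork:
    name: str
    cidr: str
    interface_tag: int


@dataclass(frozen=True)
class FirewallRule:
    name: str
    sources: FrozenSet[str]     # network names; empty set means the object LOCALNET (all local networks)
    dest_ports: FrozenSet[int]  # TCP destination ports; empty set means any port
    routing_tag: int
    content_filter: bool = False


# Values from the article's scenario.
NETWORKS = {
    "INTRANET": IPNetwork("INTRANET", "192.168.10.0/24", interface_tag=0),
    "GUESTS": IPNetwork("GUESTS", "192.168.20.0/24", interface_tag=1),
}
DEFAULT_ROUTES = {0: "INTERNET1", 1: "INTERNET2"}  # routing tag -> Internet connection

# Rules as they stand after step 6.13.
FINAL_RULES = [
    FirewallRule("CONTENT-FILTER", frozenset({"GUESTS"}), frozenset({80, 443}), 1, content_filter=True),
    FirewallRule("GUESTS-INTERNET2", frozenset({"GUESTS"}), frozenset(), 1),
]
# The wizard's rule before steps 6.3 and 6.4: source LOCALNET, routing tag 0.
WIZARD_RULES = [
    FirewallRule("CONTENT-FILTER", frozenset(), frozenset({80, 443}), 0, content_filter=True),
]


def network_of(ip: str) -> str:
    """Map a source address to the configured IP network it belongs to."""
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS.values():
        if addr in ipaddress.ip_network(net.cidr):
            return net.name
    raise ValueError(f"{ip} is not in any configured network")


def can_reach(src_network: str, dst_network: str) -> bool:
    """Interface-tag rule: tag 0 reaches every network, other tags only their own tag."""
    src_tag = NETWORKS[src_network].interface_tag
    dst_tag = NETWORKS[dst_network].interface_tag
    return src_tag == 0 or src_tag == dst_tag


def classify(src_ip: str, dst_port: int, rules: List[FirewallRule] = FINAL_RULES) -> dict:
    """Return the matching rule, the Internet connection used and whether the Content Filter applies."""
    src = network_of(src_ip)
    for rule in rules:
        if rule.sources and src not in rule.sources:
            continue
        if rule.dest_ports and dst_port not in rule.dest_ports:
            continue
        return {"rule": rule.name, "via": DEFAULT_ROUTES[rule.routing_tag],
                "content_filter": rule.content_filter}
    # No rule matched: the default route with routing tag 0 is used.
    return {"rule": None, "via": DEFAULT_ROUTES[0], "content_filter": False}


def check_scenario(rules: List[FirewallRule] = FINAL_RULES) -> List[str]:
    """Collect violations of the scenario's requirements for a given rule set (constructed sample clients)."""
    problems = []
    if can_reach("GUESTS", "INTRANET"):
        problems.append("guest network can reach the administration network")
    for port in (80, 443, 22):
        if classify("192.168.20.50", port, rules)["via"] != "INTERNET2":
            problems.append(f"guest traffic to port {port} does not use INTERNET2")
        if classify("192.168.10.50", port, rules)["via"] != "INTERNET1":
            problems.append(f"administration traffic to port {port} does not use INTERNET1")
    if classify("192.168.10.50", 443, rules)["content_filter"]:
        problems.append("Content Filter is applied to the administration network")
    if not classify("192.168.20.50", 443, rules)["content_filter"]:
        problems.append("Content Filter is not applied to guest web traffic")
    return problems
```

Running check_scenario() with the final rules returns no problems, while check_scenario(WIZARD_RULES) reports both that the administration network would be content-filtered and that guest web traffic would leave via INTERNET1, which is exactly what steps 6.3) and 6.4) correct. The model deliberately stops at the routed view: it says nothing about what clients inside the same bridge group can do to each other, which is why step 2.8) denies direct traffic between the WLAN stations of the guest network.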