Scott O'Brien

Ramblings and resources of my online life

throttling guest internet on Apple Airport Extreme

2013-12-18 13:09:03 +0000 +0000

I’ve been happily running my Apple Airport Extreme as m home router for the past few years (since my debian router died, and I’ve been too lazy to replace it).  One of the cool features was the ability to create a guest network (SSID) to access the internet without being able to access your trusted network.  One feature I wanted was the ability to throttle the speed guests can access the internet at.  While I couldn’t do this with the Airport Extreme alone, Add a Juniper SRX100 into the mix that the awesome Cooper Lees gave me into the mix and problem solved.

apple-airport-extreme-base-station_1

SRX100, signed by the #1 Juniper Engineer

SRX100, signed by the #1 Juniper Engineer

AirPort Utility

AirPort Utility-2

In not so many words, performing these actions will do a number of things.  The gig ethernet switch on the back of the airport will be bridged with the WAN port.  Any traffic from your normal SSID(s) and switchports will be sent out the WAN port untagged.  Traffic from your guest network will be sent .1q tagged with vlan 1003.

I popped this into fe-0/0/1 on my SRX100 and the following config works the magic.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members vlan-guest;
                }
                native-vlan-id 3;
            }
        }
    }

    vlan {
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
        }
        unit 1003 {
            family inet {
                filter {
                    input limit_guest_upload;
                    output limit_guest_download;
                }
                address 10.0.2.1/24;
            }
        }
    }

[system services]
        dhcp {
            pool 10.0.1.0/24 {
                address-range low 10.0.1.2 high 10.0.1.199;
                router {
                    10.0.1.1;
                }
            }
            pool 10.0.2.0/24 {
                address-range low 10.0.2.2 high 10.0.2.254;
                router {
                    10.0.2.1;
                }
            }
            propagate-settings fe-0/0/0.0;
        }

[security]
    nat {
        source {
            rule-set private-to-internet {
                from zone [ guest trust ];
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone guest to-zone untrust {
            policy guest-to-internet {
                description "Allows guest access to internet";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

[security zones]
        security-zone guest {
            host-inbound-traffic {
                system-services {
                    dns;
                    ping;
                    traceroute;
                }
            }
            interfaces {
                vlan.1003;
            }
        }

firewall {
    policer guest-shaping {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 300k;
        }
        then discard;
    }
    filter limit_guest_download {
        term guest-shaping {
            then {
                policer guest-shaping;
                accept;
            }
        }
    }
    filter limit_guest_upload {
        term guest-shaping {
            then {
                policer guest-shaping;
                accept;
            }
        }
    }
}
vlans {
    vlan-guest {
        vlan-id 1003;
        l3-interface vlan.1003;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

And there you have it! A really simple way of limiting the bandwidth of guest users on your network using the power of Junos with an Airport Extreme!

 

Throttled Speed