WRT54GL How to setup a VLAN for FON on port 4?

nunofgs
DD-WRT Novice


Joined: 08 Jan 2007
Posts: 11

Posted: Mon Jan 08, 2007 23:35    Post subject: WRT54GL How to setup a VLAN for FON on port 4?
Hi, I have been trying to create a separate VLAN for an access point that is on the roof of my house hooked up to an 8dbi omni-directional antenna. The access point is connected to port 4 of the linksys router.

I want to provide internet through the FON movement but I need to have my private network isolated from the wireless clients coming from that vlan2.

Here's the problem:
1) My router's ports are reversed so port 4 is actually port 0 for me. When I execute:
Code:
nvram set vlan0ports "1 2 3 5*"
nvram set vlan2ports "0 5"
nvram commit
reboot


The variable vlan2ports will no longer be defined and vlan1ports will go back to "0 1 2 3 5*"!!!

I was also able to set up chillispot and it seemed to work because I could get an IP in the 192.168.182.x range, but it does not send me to the FON login page. The internet is completely accessible and so are the other computers in my network.

I also tried following the how-to here: http://www.geek-pages.com/articles/latest/dd-wrt_-_setting_up_a_separate/isolated_vlan_on_port_4_with_dhcp.html
but I did not set up the DHCP server for the vlan2 because chillispot will already serve IPs in the range 192.168.182.x and that is fine by me. The how-to did not help because the nvram vlan2ports variable is still undefined no matter what I do...

Any ideas?

PS: I'm using v23 sp2 std.
nunofgs
DD-WRT Novice


Joined: 08 Jan 2007
Posts: 11

Posted: Tue Jan 09, 2007 16:22
Ok, I finally found out what the problem was :P

I was doing:
Code:
nvram set vlan2ports "1 2 3 5*"

when the actual syntax is:
Code:
nvram set vlan2ports="1 2 3 5*"


Doh!

Anyway, I am still having problems with iptables now. I am trying to use these iptables rules:
Code:
iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j logdrop

Everything seems to work fine (chillispot works beautifully) except that I can STILL communicate with the computers in vlan0. I need the vlan2 to be completely isolated from vlan0 :(
nunofgs
DD-WRT Novice


Joined: 08 Jan 2007
Posts: 11

Posted: Thu Jan 11, 2007 21:36
ok, disregard the above post.

At the moment my vlan2 works fine, i.e., I can't access vlan0 from it but I have NO internet.

I tried every iptables rule on every howto I could find... I just can't seem to do it.

Can anyone help me with the iptables rules to make port4/vlan2 have internet?
vangrieg
DD-WRT Novice


Joined: 29 Oct 2006
Posts: 11

Posted: Thu Jan 11, 2007 21:50
What IP address do you have for vlan2? What does ifconfig show? Setting connection type in nvram doesn't work (at least it didn't for me), try to set it up using ifconfig.

Hope this helps.
nunofgs
DD-WRT Novice


Joined: 08 Jan 2007
Posts: 11

Posted: Fri Jan 12, 2007 0:43
OK!!! Everything works now! Here is a little howto:

These are instructions on how to set up a separate *completely isolated* vlan and run chillispot configured for Fon on that vlan. The new vlan will assign IPs in the 192.168.2.x range.

First create a vlan2:
(Note: in WRT54GL the ports are switched, so port 4 is actually port 0... change accordingly!)
Code:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2ports="4 5"
nvram commit


On the dd-wrt vlan management, set it according to the image at the bottom of this page: http://www.geek-pages.com/articles/latest/dd-wrt_-_setting_up_a_separate/isolated_vlan_on_port_4_with_dhcp_2.html

Now go to Management->Commands and paste this:
Code:

#!/bin/sh

sleep 10

echo -n '
dhcpif vlan2
net 192.168.2.0/24
dynip 192.168.2.0/24
radiusserver1 radius01.fon.com
radiusserver2 radius02.fon.com
radiussecret garrafon
uamanydns
uamserver https://login.fon.com/cp/index.php
uamsecret garrafon
uamallowed www.fon.com,acceso.fon.com,en.fon.com,es.fon.com
uamallowed www.paypal.com,www.paypalobjects.com
radiusnasid CHANGE_THIS_TO_VLAN2's_MAC_ADDRESS
' > /tmp/chilli.conf

echo `nvram get wan_dns` | sed -e 's/[0-9]/=&/' -e 's/ /%/' -e 's/=/\ndns1 /' -e 's/%/\ndns2 /' >> /tmp/chilli.conf

# Execute chillispot
/usr/sbin/chilli --conf /tmp/chilli.conf


Don't forget to change the radiusnasid and press Save Startup. Then paste this:
Code:

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j DROP
iptables -A INPUT -i tun0 -d 192.168.2.1 -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 192.168.1.1/255.255.255.0 -j DROP

DEV="tun0"
DOWNLINK="256"
UPLINK="128"
 
tc qdisc del dev $DEV root
tc qdisc del dev $DEV ingress
 
# limit download
tc qdisc add dev $DEV root handle 1: htb
tc class add dev $DEV parent 1: classid 1:1 htb rate  ${DOWNLINK}kbit burst 6k
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.2.1/24 flowid 1:1
 
# limit upload
tc qdisc add dev $DEV ingress handle ffff:
tc filter add dev $DEV parent ffff: protocol ip u32 match ip src 0.0.0.0/0 police rate ${UPLINK}kbit burst 10k


Now press Save Firewall. What those iptables rules do is allow the vlan2 to receive internet as well as block access to 192.168.2.1 (which will be the router's IP). The rest of the script limits the bandwidth available to the Fon users.

Reboot. That should do it!
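
An added example, not part of the original post or of DD-WRT: a small Python replay of the INPUT and FORWARD commands from the howto above, showing the order they end up in (-I goes to the head of a chain, -A to the end) and which rule a packet matches first. It assumes otherwise empty chains, treats every packet as state NEW, leaves out the nat rule, and only compares destinations for equality when looking for shadowed rules; the function names are illustrative.

```python
import ipaddress
import shlex

# INPUT/FORWARD commands copied from the howto post (the nat rule is left out).
HOWTO_RULES = """
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j DROP
iptables -A INPUT -i tun0 -d 192.168.2.1 -j DROP
"""
FLAGS = (("-i", "in"), ("-o", "out"), ("-d", "dst"), ("-j", "target"))

def build_chains(script):
    """Replay the commands: -I inserts at the head of a chain, -A appends."""
    chains = {}
    for line in script.strip().splitlines():
        op, chain, *rest = shlex.split(line)[1:]
        rule = {"text": line.strip()}
        for flag, key in FLAGS:
            if flag in rest:
                rule[key] = rest[rest.index(flag) + 1]
        rules = chains.setdefault(chain, [])
        rules.insert(0 if op == "-I" else len(rules), rule)
    return chains

def first_match(chains, chain, in_if, dst, out_if=None):
    """First rule a packet hits (assumption: every packet is in state NEW)."""
    addr = ipaddress.ip_address(dst)
    for rule in chains.get(chain, []):
        if rule.get("in", in_if) != in_if or rule.get("out", out_if) != out_if:
            continue
        if "dst" in rule and addr not in ipaddress.ip_network(rule["dst"], strict=False):
            continue
        return rule
    return None  # no match here: the chain's other rules or policy decide

def shadowed(chains, chain):
    """Pairs (rule, earlier rule) where the earlier one matches all the later one does."""
    rules, hits = chains.get(chain, []), []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(k not in earlier or earlier[k] == later.get(k) for k in ("in", "out", "dst")):
                hits.append((later["text"], earlier["text"]))
                break
    return hits

if __name__ == "__main__":
    for later, earlier in shadowed(build_chains(HOWTO_RULES), "INPUT"):
        print("never reached:", later, "| shadowed by:", earlier)
```

Run as written it reports the appended `-d 192.168.2.1` DROP as never reached, because the inserted tun0 ACCEPT sits above it. On the router, `iptables -L INPUT -n -v --line-numbers` shows the real order and the per-rule packet counters.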
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Vaasa, Finland

Posted: Fri Jan 19, 2007 8:52
Question: Do you use a FON access point on your roof or is it a "generic" one? I'm asking this because I'm planning to make a similar thing here too.

I mean because all that setup for vlan2, does one still need fon device / fon firmware in that second AP?

to developers: have FON readiness in DD-WRT, especially in v24 as it has virtual SSIDs, that way one can have a single AP if the location is good ;)

_________________
Site 1:
P3 1GHz Coppermine with DD-WRT v24 as main router
2x Buffalo WHR-HP-G54 with DD-WRT v24 as AP

Site 2:
AMD64 4200+ Dualcore AM2 with DD-WRT v24 as main router
Buffalo WHR-HP-G54 with DD-WRT v24 as AP
nunofgs
DD-WRT Novice


Joined: 08 Jan 2007
Posts: 11

Posted: Fri Jan 19, 2007 14:12
No, I use a *generic* conceptronic access point. That's why I like this setup.

I didn't want to put a La Fonera on the roof because it forces you to create a private SSID and I don't want my private wireless network to be broadcast all over my city :)
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Vaasa, Finland

Posted: Fri Jan 19, 2007 14:41
nunofgs wrote:
No, I use a *generic* conceptronic access point. That's why I like this setup.


Yeah, I've studied some more and even found instructions on how to make FON work on v24 and Virtual SSIDs. Slowly but steadily I will get there ^^
