Seperate Lan and WLan

From DD-WRT Wiki

(Difference between revisions)
Revision as of 08:37, 8 May 2006
82.224.196.97 (Talk)
Current revision (16:38, 19 June 2012)
Glenn (Talk | contribs)
(Redirecting to Separate LAN and WLAN)
 
(11 intermediate revisions not shown.)
Line 1: Line 1:
-'''You are here: ''' '''[[Main Page]]'''/'''[[DD-WRT Docu (EN)]]'''/'''[[Seperate Lan and WLan]]'''+#REDIRECT [[Separate LAN and WLAN]]
- +
-__TOC__+
- +
-'''THIS WIKI IS A WORK IN PROGRESS. PLEASE HELP'''+
-=Introduction=+
-While Linksys never intended their WRT54G/GS router to allow multiple local networks, it is possible to separate the WLan network from the Lan network and allow both to independently access the internet. Since this was not supported by the original Linksys firmware, and all custom firmwares are a derivation of this, performing this setup will yield some somewhat unexpected results when configuring certain options from the [[Web Interface]]. (For example, advanced Routing from the Web Interface, when directing to the WLan & Lan port, it will actually only go to the Lan port, etc). Users wishing to perform this setup should be very familiar with the [[Telnet/SSH and the Command Line|command line]] interface, as those [[Web Interface]] configurations broken by this setup can still be set from the [[Telnet/SSH and the Command Line|command line]] interface.+
- +
-Users wishing to configure their routers this way might choose to install the [http://www.openwrt.org OpenWRT] firmware instead as it does not offer a web interface that can get screwed up.+
- +
-Keep in mind that Brainslayer is currently in the processes of merging DD-WRT with OpenWRT. While it was already true that things said for OpenWRT were likely the same or similar for DD-WRT since they both share the same Linksys firmware roots, this statement is even more true now and will eventually read: Things said for OpenWRT can be said for DD-WRT. We are not there yet.+
- +
-=Hardware=+
-Physically the WRT54G is a 2 port router and a 6 port switch. 1 Port of the switch is connected to the router. 1 Port of the Switch is the WAN port. The other 4 ports of the switch are the 4 LAN ports seen on the back of the router. The remaining port on the router is connected to the WLAN adapter.+
- +
-By default, inside the switch exist 2 ''Virtual LANs'' (VLans), vlan0 and vlan1. vlan0 contains ports 1-4 (Lan ports) and port 6 (router). vlan1 contains port 0 (WAN) and port 6 (router). IPTables are then implemented on the router such that NAT'd routing is possible between the VLans.+
- +
-By default, inside the router there is a bridge (br0) bridging eth1 (WLAN) and eth0 (switch port 0). This is what allows the WLAN and LAN to share the same IP address. When the router needs to send information to client machines, it is broadcast out br0 (sending it to eth1 and vlan0). When the router needs to send information to the WAN port, it is sent directly to vlan1.+
- +
-Please read [http://openwrt.org/OpenWrtDocs/Configuration OpenWRT: OpenWRT DOCS/Configuration] as it is short and quite in depth.+
- +
-=Configuration Overview=+
-There are two methods for running separate IP ranges on each of the interfaces which yield two rather dissimilar results.+
- +
-==iptables method==+
-Rather than splitting up br0, some may find it adequate to use the [[Iptables command]] to allow routing between two subnets on the LAN/WLAN side. Since br0 is not being split up, there are no/fewer problems caused in the web interface. The major draw back to this is that if wireless users statically assign an IP on the LAN ip address range, the bridge will allow them access. A trick might be to set the WLAN ip range to the default (192.168.1.x) and the LAN ip range to something odd (10.15.25.x, or 192.168.152.x or something) to prevent WLAN users from guessing the ip range.+
- +
-You can use any private ip ranges you would like, but for this example I will use 192.168.1.x for the LAN ports and 192.168.2.x for the WLAN port. +
- +
-'''Basic Steps:'''+
- Enable a static route for 192.168.1.x to vlan0+
- Enable a static route for 192.168.2.x to eth1+
- Enable DHCP for 192.168.1.x for vlan0+
- Enable DHCP for 192.168.2.x for eth1+
- +
-==Bypass the bridge method==+
-In this method we will bypass the br0, disconnecting the Lan and the WLan ports ensuring that everything is processed inside the router. The down side with this is that [[Web Interface]] options that previously affected both the Wifi and Lan will now only affect the Lan.+
- +
-'''Basic Steps:'''<br>+
-After this stage, br0 is not created using the contents of lan_ifnames as would normally be the case. Services that would normally use the bridge, will now use vlan0 (since they'll query the ''lan_ifname'' variable). wifi_* variables have now been created for use with ifup. These steps need only be done once.+
- Set the ''lan_ifname'' nvram variable to vlan0+
- Set ''wifi_ifnam'' to eth1+
- Set ''wifi_proto'' to dhcp or static (run dhcp for wifi hosts?)+
- Set ''wifi_ipaddr'' to the IP you want your wifi adapter on+
- Set ''wifi_netmask'' to the your wifi netmask (probably 255.255.255.0)+
- commit to nvram +
- reboot+
- +
-The following commands will need to be done every boot (rc_firewall perhaps?)+
- Enable a static route for <wireless_network> to/from eth1 and wan+
- Enable DHCP for <wireless_network> for eth1+
- Enable DNS for <wireless_network>+
- If you want to prevent wifi and lan from accessing each other, be sure to+
- Deny traffic to <lan_adapter_network> from <wireless_network>+
- Deny traffic to <wireless_network> from <lan_adapter_netowrk>+
-To match the above example, replace <lan_adapter_network> with 192.168.1.x and <wireless_network> with 192.168.2.x+
- +
-==Vlan Web Interface method==+
-Someone experimenting in the forums discovered that by not assigning the WLAN interface to any vlan he could separate the wireless and lan to separate networks. He was unable to configure WEP/WDS on the wireless link, however. I don't intend to explore this option further in the wiki, as I can find no other documentation describing this type of method for other firmwares. If you don't care about WEP/WDS, this might be easier than the bypass method described above.+
- +
-'''Basic Steps''' (as I understand them)+
- Change "Wireless to None" under VLAN in the [Web Interface]+
- ADD "wlconf eth1 up" to rc_startup or Wlan back up.+
- Enable a static route for <lan_adapter_network> to/from vlan0 and wan+
- Enable a static route for <wireless_network> to/from eth1 and wan+
- Enable DHCP for <lan_adapter_network> for vlan0+
- Enable DHCP for <wireless_network> for eth1+
- +
-To match the above example, replace <lan_adapter_network> with 192.168.1.x and <wireless_network> with 192.168.2.x+
- +
-=Config Implementation=+
-Here we will describe the actual commands needed to accompolish the basic steps overviewed above.+
- +
-==Using iptables==+
-''needs to be written''+
- +
-==Bypassing the Bridge==+
-'''Not yet fully tested. Do not know if wep/wds work from web config of if [[wl command]] will be needed.<br> DO NOT KNOW IF MY IPTABLES COMMANDS ARE CORRECT FOR THIS OR THE SCRIPT''' +
- +
-Since the file ''/etc/network/interfaces'' file doesn't exist on DD-WRT as it does on OpenWRT, we have to use the [[ifconfig command]] to configure the interfaces and those ''wifi_*'' variables from before don't have a script to read them, so they're useless right now. But we can still do it manually.+
- +
-For this example I'm placing the wifi on 192.168.2.x and 192.168.1.1 is the LAN ip. +
- +
-'''MAKE SURE THE ROUTER IS IN AP MODE'''<br>+
-&nbsp;&nbsp;If not, set to AP mode and then reboot the router.+
- +
-===Separate the Bridge===+
- nvram set lan_ifname=vlan0+
- nvram commit+
- reboot+
- +
-===Setup the eth1 interface===+
- ifconfig eth1 down+
- ifconfig eth1 192.168.2.1 netmask 255.255.255.0+
- ifconfig eth1 up+
- +
-===Setup Routes===+
- iptables -I FORWARD -i eth1 -p tcp -j ACCEPT+
- iptables -I FORWARD -i vlan1 -p -j ACCEPT ?? required??+
- The above rule did say vlan0, should it be vlan1?<br>vlan1 is wan port... I don't think you'd want to accept everything that<br>comes in on the wan port, but maybe that's just me...+
- +
- You have to set the protocol to all to be able to surf on the net correctly if you have a router behind the Wrt+
- iptables -I FORWARD -i eth1 -p all -j ACCEPT+
- +
-===Setup DHCP & DNS on Wifi interface===+
- iptables -I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT+
- iptables -I INPUT -i eth1 -p udp --dport 53 -j ACCEPT+
- killall -q -9 dnsmasq+
- sed /^interface.*/d /tmp/dnsmasq.conf > /tmp/dnsmasq.conf.new+
- echo -n "+
- pidfile /var/run/udhcpd.pid+
- start 192.168.2.100+
- end 192.168.2.149+
- max_leases 50+
- interface eth1+
- remaining yes+
- auto_time 30+
- lease_file /tmp/udhcpd.leases+
- statics_file /tmp/udhcpd.statics+
- option subnet 255.255.255.0+
- option router 192.168.2.1+
- option lease 86640+
- option dns $(nvram get wan_dns)+
- " > /tmp/udhcpdeth1.conf+
- udhcpd /tmp/udhcpdeth1.conf+
- +
-===Undo===+
-cedelamerde+
- +
-===Using a script to parse wifi_* Variables===+
-'''This stage has not been completed. This note will be removed after it has been fully tested'''+
-To make configuration easier, I've written a script that accepts wifi_* nvram variables. This is essentially how the OpenWRT firmware does this, as I understand it. After it's setup, you can change your wifi settings by simply updating the nvram variables and rebooting!+
- nvram set lan_ifname=vlan0+
- nvram set wifi_ifname=eth1+
- nvram set wifi_proto=dhcp+
- nvram set wifi_ipaddr=192.168.2.1+
- nvram set wifi_netmask=255.255.255.0+
- nvram commit+
- +
-If you don't want your wifi to use the same dhcp settings as your lan side (same number of leases, same lease time, etc) issue these commands.<br>(Example will setup dhcp from 192.168.2.100-192.168.2.14 with 120 minute leases)+
- nvram set wifi_dhcp_start=100+
- nvram set wifi_dhcp_num=15+
- nvram set wifi_dhcp_lease=120+
- nvram commit+
- +
-Now copy this script to /jffs/etc/wifi_config.sh<br>Remember, only edit scripts using *nix friendly text editors (such as TextPad or win32pad).+
-<pre>+
-# !/bin/sh+
-#+
-##### wifi_config.sh ####+
-#+
-# Wifi configuration script by Bob/Paul.+
-# Special thanks to loco on the forums for the iptables, dhcp, and dnsmasq code!!+
- +
-##Don't see the Wifi Net if not setted ;)+
-wlconf eth1 up+
- +
-####initialize the variables####+
-WIFI_INTERFACE=$(nvram get wifi_ifname)+
-WIFI_IPADDRESS=$(nvram get wifi_ipaddr)+
-WIFI_NETMASK=$(nvram get wifi_netmask)+
- +
-####Basic Check for Prerequisites, toggle error####+
-if [ "$WIFI_INTERFACE" = "" ]; then+
- ERROR="FATAL ERROR: NVRAM wifi_ifname has not been configured!"+
- RET_VAL=1+
-fi+
-if [ "$WIFI_IPADDRESS" = "" ]; then+
- ERROR="FATAL ERROR: NVRAM variable wifi_ifname has not been configured!"+
- RET_VAL=2+
-fi+
-if [ "$WIFI_NETMASK" = "" ]; then+
- ERROR="FATAL ERROR: NVRAM variable wifi_ifname has not been configured!"+
- RET_VAL=3+
-fi+
-if [ "$(nvram get lan_ifname)" = "br0" ]; then+
- ERROR="FATAL ERROR: LAN and WIFI are bridged. Set NVRAM variable lan_ifname=vlan0 to unbridge"+
- RET_VAL=4+
-fi+
-if [ "$(nvram get lan_ifname)" = "vlan1" ]; then+
- echo "ERROR: lan_ifname = vlan1"+
- echo ERROR: lan_ifname = vlan1 > /tmp/wifi_config_script.error+
- +
- if [ "$(nvram get wan_ifname)" = "vlan1" ]; then+
- ERROR="FATAL ERROR: LAN and WAN are BOTH vlan1!! There is no link to vlan0!!!"+
- RET_VAL=5+
- fi+
-fi+
- +
-#####Check for error, echo error, break####+
-if [ "$ERROR" != "" ]; then+
- echo Error separating wifi from lan!!+
- echo Error #$RET_VAL+
- echo $ERROR+
- echo Script terminating+
- +
- echo -n "+
- Error separating wifi from lan!!+
- $ERROR+
- Script terminating+
- " >> /tmp/wifi_config_script.error+
- +
- return $RET_VAL+
-fi+
- +
-#####Test for extended wifi variables (wifi_dhcp_start, wifi_dhcp_num, & wifi dhcp_lease (in minutes))####+
- +
-#Test for wifi_dhcp_lease+
-if [ "$(nvram get wifi_dhcp_lease)" = "" ]; then #default values+
- WIFI_DHCP_LEASE=$(nvram get dhcp_lease)+
-else #else configured...+
- WIFI_DHCP_LEASE=$(nvram get wifi_dhcp_lease)+
-fi+
- +
-#Test for wifi_dhcp_num+
-if [ "$(nvram get wifi_dhcp_num)" = "" ]; then+
- WIFI_DHCP_NUM=$(nvram get dhcp_num)+
-else+
- WIFI_DHCP_NUM=$(nvram get wifi_dhcp_num)+
-fi+
- +
-#Test for wifi_dhcp_start .. setup initially+
-if [ "$(nvram get wifi_dhcp_start)" = "" ]; then+
- WIFI_DHCP_START=$(nvram get dhcp_start)+
-else+
- WIFI_DHCP_START=$(nvram get wifi_dhcp_start)+
-fi+
- +
-#WIFI_DHCP_END can be configured from what we already know+
-WIFI_DHCP_END=$(echo $WIFI_IPADDRESS | cut -f1-3 -d .).$(expr $WIFI_DHCP_START + $WIFI_DHCP_NUM - 1)+
- +
-#append ip address to WIFI_DHCP_START+
-WIFI_DHCP_START=$(echo $WIFI_IPADDRESS | cut -f1-3 -d .).$WIFI_DHCP_START+
- +
- +
-#bring up the wifi interface with the ip and netmask+
-echo restarting the wifi interface+
-ifconfig $WIFI_INTERFACE down+
-ifconfig $WIFI_INTERFACE $WIFI_IPADDRESS netmask $WIFI_NETMASK+
-ifconfig $WIFI_INTERFACE up+
- +
-#setup static routes for the wifi interface+
-echo Writing the routing tables for forwards+
-iptables -I INPUT -i $WIFI_INTERFACE -p tcp -j ACCEPT+
-iptables -I FORWARD -i $WIFI_INTERFACE -p tcp -j ACCEPT+
- +
-#allow dhcp and dns mask on the wifi interface+
-echo Writing the routing tables for DNS \& DHCP+
-iptables -I INPUT -i $WIFI_INTERFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT+
-iptables -I INPUT -i $WIFI_INTERFACE -p udp --dport 53 -j ACCEPT+
- +
-#kill dns masq and bring it back up on the wifi and lan interfaces+
-echo Killing and restarting DNSMASQ+
-killall -q -9 dnsmasq+
-sed /^interface*/d /tmp/dnsmasq.conf > /tmp/dnsmasq.conf.new+
-dnsmasq --conf-file /tmp/dnsmasq.conf.new+
- +
-#write a new udhcpd script for the wifi interface to /tmp/udhcpd_wifi.conf+
-echo Writing the udhcpd script for WIFI+
-echo -n "+
-start $WIFI_DHCP_START+
-end $WIFI_DHCP_END+
-max_leases $WIFI_DHCP_NUM+
-interface $WIFI_INTERFACE+
-remaining yes+
-auto_time 30+
-lease_file /tmp/udhcpd_wifi.leases+
-statics_file /tmp/udhcpd.statics+
-option subnet $WIFI_NETMASK+
-option router $WIFI_IPADDRESS+
-option lease $WIFI_DHCP_LEASE+
-option dns $(nvram get wan_dns)+
-" > /tmp/udhcpd_wifi.conf+
- +
-#bring up udhcpd on the wifi interface+
-echo Running second dhcp server+
-udhcpd /tmp/udhcpd_wifi.conf+
-</pre>+
- +
-Now that you've save the script as a to ''/jffs/etc'', make it executable and tell it to load on startup. Since this is basically a firewall setting, we'll add it to the ''rc_firewall'' variable. You could also use any of the methods in [[Startup Scripts]]+
- chmod 700 /jffs/etc/wifi_config.sh+
- nvram set rc_firewall="$(nvram get rc_firewall)+
- /jffs/etc/wifi_config.sh $+
- "+
- nvram commit+
- +
-'''Reboot and enjoy!'''+
- +
-=External Resources=+
-[http://forum.bsr-clan.de/ftopic1413.html A DD-WRT Forum Thread on the topic]<br>+
-[http://openwrt.org/OpenWrtFaq#head-5c092037b74fd790442c17249e439490e8290cd9 OpenWRT FAQ: 13. Using OpenWRT as a router, instead of a bridge?]<br>+
-[http://openwrt.org/OpenWrtFaq#head-5c092037b74fd790442c17249e439490e8290cd9 OpenWRT FAQ: what is BR0]<br>+
-[http://openwrt.org/MiniHowtos?highlight=%28Howto%29#head-38d7e818731f5bd848da9614bfcf715f6ef39eae OpenWRT Mini howto: 3.1. Individual control of all network devices]<br>+
-[http://openwrt.org/HowtoVlans?highlight=%28Howto%29 OpenWRT: How to VLans]<br>+
-[http://openwrt.org/OpenWrtDocs/Configuration OpenWRT: The Ethernet Switch]<br>+
-[http://www.wlug.org.nz/ifup(8) WLUG-Wiki - ifup(8)]<br>+
-[http://www.tinc-vpn.org/examples/bridging Bridging]<br>+
- +
-----+
-'''You are here: ''' '''[[Main Page]]'''/'''[[DD-WRT Docu (EN)]]'''/'''[[Separate Lan and WLan]]'''+
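Review bot: before the article body is replaced by `#REDIRECT [[Separate LAN and WLAN]]`, confirm that the target page actually carries the material deleted here (the Hardware and Configuration Overview sections, the manual "Bypassing the Bridge" commands, the wifi_config.sh script and the rc_firewall startup hook); the edit summary says only "Redirecting", so as it stands this diff is the only record of where that content went. If it is carried over, it should not be copied verbatim, because the deleted text contains defects a reader could act on: `iptables -I FORWARD -i vlan1 -p -j ACCEPT ?? required??` is not a valid rule (`-p` is given no protocol) and, as the inline comment already points out, vlan1 is the WAN port, so an unconditional ACCEPT on it would pass unsolicited inbound traffic through the router; `iptables -I INPUT -i $WIFI_INTERFACE -p tcp -j ACCEPT` in the script accepts every TCP port on the router from the wireless side rather than only the services wireless clients need (the DHCP and DNS rules that follow it are the scoped ones); the script's first line `# !/bin/sh` has a space after `#`, so it is a comment rather than a shebang; the manual "Setup DHCP & DNS on Wifi interface" section writes `/tmp/dnsmasq.conf.new` with sed but never restarts dnsmasq with it, whereas the script does; the lease example "192.168.2.100-192.168.2.14" should read 192.168.2.114 for wifi_dhcp_start=100 and wifi_dhcp_num=15; and the "Undo" subsection contains only "cedelamerde", which is not instructions.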

Current revision

#REDIRECT [[Separate LAN and WLAN]]