WikiDevi.Wi-Cat.RU:DD-WRT/WLAN separate from LAN, with independent dhcp, etc
NOTE: This is an old unmaintained and duplicate guide. You should use one of the following currently maintained guides instead.
For a GUI based method see: Separate LAN and WLAN.
If you're separating virtual interfaces then use the instructions from the Multiple WLAN Guide.
Introduction
It took me quite a while to make all this work, so I thought I'd share all the hoops I had to jump through to get here with the community.
My goal was to migrate my existing Linux box, which had an Ethernet interface and a wifi card acting as a crude AP, to the router while keeping the same functionality: firewalling, separate subnets for wired and wireless, separate DHCP scopes, etc.
Contrary to popular belief, DHCPMasq (DD-WRT's dnsmasq) is quite capable of serving different IP ranges on different interfaces. The main obstacle is that iptables (aka the firewall) blocks the traffic in the default configuration.
Configuration
Step 1: Remove Wireless interface (eth1) from the LAN bridge (br0)
a) Go to the 'Setup -> VLANs' page.
b) At the bottom of the page change the "Wireless" option from "LAN" to "None".
(The above setting doesn't take effect until the next reboot, which is good because it kills the WLAN. We'll fix that in the next step.)
Step 2: Configure startup scripts
a1) Go to the 'Administration -> Diagnostics' page.
a2) (v23) Go to the 'Administration -> Command' page.
b) What you type here may vary, depending on your desired network. I wanted my wifi on a separate subnet from my LAN, with its own DHCP scope. In these examples, the LAN is 192.168.7.0/24 and the wifi is 192.168.8.0/24.
The following goes in the text box. Feel free to omit the lines that start with ##, as they are just comments. If you are really pressed for space, you can omit the line breaks and just separate commands with ';'.
## configure wireless interface
ifconfig eth1 up inet 192.168.8.1 netmask 255.255.255.0
## setup dnsmasq
cat << EOF > /tmp/new.dnsmasq.conf
interface=br0
interface=eth1
resolv-file=/tmp/resolv.conf
leasefile-ro
dhcp-script=/etc/lease_update.sh
dhcp-lease-max=50
dhcp-option=br0,3,192.168.7.1
dhcp-range=br0,192.168.7.100,192.168.7.249,255.255.255.0,1440m
dhcp-option=eth1,3,192.168.8.1
dhcp-range=eth1,192.168.8.100,192.168.8.249,255.255.255.0,1440m
EOF
## restart dnsmasq
killall dnsmasq
dnsmasq --conf-file /tmp/new.dnsmasq.conf
## configure wireless options
## I set some extra options here, see the docs for the wl command
## this may all be handled by doing 'wlconf eth1 up' instead
wl -i eth1 down
wl -i eth1 ap 1
wl -i eth1 infra 1
wl -i eth1 txpwr 84
wl -i eth1 up
## depending on your wifi settings, this will change. I just copied the existing command and changed the -l option
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l eth1 -i eth1 -A -m 128 -k secretkey -s yourssid -w 2 -g 3600 &
You should be able to get the nas command line from the output of 'ps' from the shell (ssh/telnet). The -k and -s values above are placeholders; use your own key and SSID.
c) Click the 'Save Startup' button instead of the 'Cmd' button. (Don't close this window yet!)
Configure the necessary iptables rules:
The default firewall setup is quite specific and has no knowledge of the eth1 interface (it assumes it will be part of the LAN), so we need to add several rules to make it aware. These work under v23; you may need to tweak parts if you run a different version. Specifically, the rule numbers (the 9, 6 and 7 below) may be different on your system, so check the chain with 'iptables -L --line-numbers' before inserting.
a) Paste the following into the same text box used above, but this time press the 'Save Firewall' button:
## wan: vlan1
## lan: br0
## wifi: eth1
## permit incoming connections from WLAN
iptables -I INPUT 9 -i eth1 -m state --state NEW -j logaccept
## fixup forwarding table
## the lan2wan target didn't work for me, replace it with straight accept
iptables -R FORWARD 6 -i br0 -o vlan1 -j ACCEPT
## permit WLAN -> WAN
iptables -I FORWARD 7 -i eth1 -o vlan1 -j ACCEPT
## permit WLAN -> LAN
iptables -I FORWARD 7 -i eth1 -o br0 -j ACCEPT
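Because the hard-coded positions (6 and 7) shift between DD-WRT versions, the following added example (not from the original guide) locates the lan2wan rule in a chain listing and derives the positions from it. The listing is constructed to look like 'iptables -S FORWARD' output; on a real router you would feed it the actual command's output.

```shell
#!/bin/sh
# Added example: derive iptables rule positions instead of hard-coding them.
# CONSTRUCTED sample of 'iptables -S FORWARD' output; replace with the real
# listing ($(iptables -S FORWARD)) when running on the router.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br0 -o vlan1 -j lan2wan
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP'

# Print the 1-based position of the first rule (read from stdin) whose text
# contains the fixed string $1. The policy line (-P) is not a rule, so it is
# dropped before numbering; prints nothing if no rule matches.
rule_index() {
    grep -v '^-P ' | grep -n -F -e "$1" | head -n 1 | cut -d: -f1
}

# Echo the three FORWARD commands from the guide with computed positions:
# replace lan2wan with ACCEPT, then insert the WLAN rules right after it.
# The WLAN->LAN rule is written as a DROP on NEW connections (the isolating
# variant); change it to ACCEPT if the WLAN should reach the LAN.
# Commands are echoed, not executed, so they can be reviewed first.
build_forward_rules() {
    listing="$1"
    n=$(printf '%s\n' "$listing" | rule_index '-i br0 -o vlan1 -j lan2wan')
    if [ -z "$n" ]; then
        echo "lan2wan rule not found; inspect the chain by hand" >&2
        return 1
    fi
    echo "iptables -R FORWARD $n -i br0 -o vlan1 -j ACCEPT"
    echo "iptables -I FORWARD $((n + 1)) -i eth1 -o vlan1 -j ACCEPT"
    echo "iptables -I FORWARD $((n + 1)) -i eth1 -o br0 -m state --state NEW -j DROP"
}

build_forward_rules "$SAMPLE_FORWARD"
```

Pipe the echoed commands into sh on the router once they look right.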
Step 3: Turn off stock DHCPMasq
This step comes third just to make sure we have a way back into the router, since it seems to reboot every time we save the above configs.
a) Go to the 'Setup -> Basic Setup' page.
b) Change the 'DHCP server' setting to 'disable'.
c) Uncheck all the DHCP-specific options.
The above didn't actually disable DHCPMasq for me. I had to run the following commands from the shell (ssh or telnet):
nvram set dnsmasq_enable=0
nvram commit
I think that's it. Enjoy.
Comment recalcitrantyouth 11:01, 23 Jan 2008 (CEST) Thanks for this! In order to make this work with v2.3 SP2 on a WRT54GL 1.1, I needed to make a couple of minor changes.
## configure wireless interface
ifconfig eth1 up inet 192.168.8.1 netmask 255.255.255.0
## setup dnsmasq
cat << EOF > /tmp/new.dnsmasq.conf
interface=br0
interface=eth1
#resolv-file=/tmp/resolv.conf # RY - incorrect resolv file in 2.3
resolv-file=/tmp/resolv.dnsmasq
leasefile-ro
dhcp-script=/etc/lease_update.sh
dhcp-lease-max=50
dhcp-option=br0,3,192.168.7.1
dhcp-range=br0,192.168.7.100,192.168.7.249,255.255.255.0,1440m
dhcp-option=eth1,3,192.168.8.1
dhcp-range=eth1,192.168.8.100,192.168.8.249,255.255.255.0,1440m
EOF
## restart dnsmasq
killall dnsmasq
dnsmasq --conf-file /tmp/new.dnsmasq.conf
## configure wireless options
## I set some extra options here, see the docs for the wl command
## this may all be handled by doing 'wlconf eth1 up' instead
wlconf eth1 up
#wl -i eth1 down
#wl -i eth1 ap 1
#wl -i eth1 infra 1
#wl -i eth1 txpwr 84
#wl -i eth1 up
## depending on your wifi settings, this will change. I just copied the existing command and changed the -l option
# RY - if not running authentication, no need for this - the process isn't running
#killall nas
#nas -P /tmp/nas.wl0lan.pid -H 34954 -l eth1 -i eth1 -A -m 128 -k secretkey -s yourssid -w 2 -g 3600 &
I also found that step three was not actually necessary. Since during startup dnsmasq is being restarted anyway, forcing it not to start up shouldn't really matter.
Comment by tech128:
Well, to get this to work properly on V24 SP2 I had to modify the firewall and startup somewhat.
Also, on Atheros builds keep in mind there are no VLANs (that I saw anyway), so you want to set the wireless interface to unbridged and enable NAT instead. And you will need to modify the startup and firewall since the interfaces will be different. I believe it was ath0 for the wireless and eth0 for the WAN instead of vlan1.
First, the firewall:
## wan: vlan1
## lan: br0
## wifi: eth1
## permit incoming connections from WLAN
iptables -I INPUT 2 -i eth1 -m state --state NEW -j logaccept
## fixup forwarding table
## the lan2wan target didn't work for me, replace it with straight accept
iptables -R FORWARD 5 -i br0 -o vlan1 -j ACCEPT
## permit WLAN -> WAN
iptables -I FORWARD 7 -i eth1 -o vlan1 -j ACCEPT
## disallow WLAN -> LAN
iptables -I FORWARD 7 -i eth1 -o br0 -m state --state NEW -j DROP
## disallow LAN -> WLAN
iptables -I FORWARD -i br0 -o eth1 -m state --state NEW -j DROP
## disallow WLAN -> WAN subnet
iptables -I FORWARD -i eth1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
## disallow WLAN -> direct router access
iptables -I INPUT -i eth1 -m state --state NEW -j DROP
## Allow WLAN -> DHCP on the router
iptables -I INPUT -i eth1 -p udp --dport 67 -j ACCEPT
## Allow WLAN -> DNS on the router
iptables -I INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
Next, the startup:
## configure wired interface
ifconfig br0 up inet 192.168.7.1 netmask 255.255.255.0
## configure wireless interface
ifconfig eth1 up inet 192.168.8.1 netmask 255.255.255.0
## setup dnsmasq
cat << EOF > /tmp/new.dnsmasq.conf
interface=br0
interface=eth1
#resolv-file=/tmp/resolv.conf # RY - incorrect resolv file in 2.3
resolv-file=/tmp/resolv.dnsmasq
all-servers
dhcp-script=/etc/lease_update.sh
dhcp-lease-max=50
dhcp-authoritative
dhcp-option=br0,3,192.168.7.1
dhcp-range=br0,192.168.7.100,192.168.7.249,255.255.255.0,1440m
dhcp-option=eth1,3,192.168.8.1
dhcp-range=eth1,192.168.8.100,192.168.8.249,255.255.255.0,1440m
stop-dns-rebind
EOF
## restart dnsmasq
killall dnsmasq
dnsmasq --conf-file=/tmp/new.dnsmasq.conf
## configure wireless options
## I set some extra options here, see the docs for the wl command
## this may all be handled by doing 'wlconf eth1 up' instead
wlconf eth1 up