WikiDevi.Wi-Cat.RU:DD-WRT/WLAN separate from LAN, with independent dhcp, etc

From WikiDevi.Wi-Cat.RU

NOTE: This is an old, unmaintained, duplicate guide. Use one of the following currently maintained guides instead.

For a GUI based method see: Separate LAN and WLAN.

If you're separating virtual interfaces then use the instructions from the Multiple WLAN Guide.

Introduction

It took me quite a while to make all this work, so I thought I'd share all the hoops I had to jump through to get here with the community.

My goal was to replace my existing Linux box (an Ethernet interface plus a Wi-Fi card acting as a crude AP) with the DD-WRT router while keeping the same functionality: firewalling, separate subnets for wired and wireless, separate DHCP scopes, etc.

Contrary to popular belief, dnsmasq is quite capable of serving different IP ranges on different interfaces. The main obstacle is that DD-WRT's default iptables rules (the firewall) only know about the LAN bridge, so traffic from an unbridged wireless interface is dropped until you add rules for it.

Configuration

Step 1: Remove the wireless interface (eth1) from the LAN bridge (br0)

a) Go to the 'Setup -> VLANs' page.

b) At the bottom of the page change the "Wireless" option from "LAN" to "None"

(The setting above doesn't take effect until the next reboot, which is just as well, because on its own it leaves eth1 without an address and kills the WLAN. The startup script in the next step fixes that.)

Step 2: Configure startup scripts

a) Go to the 'Administration -> Diagnostics' page (on v23 this is the 'Administration -> Command' page).

b) What you type here may vary, depending on your desired network. I wanted my Wi-Fi on a separate subnet from my LAN, with its own DHCP scope. In these examples the LAN is 192.168.7.0/24 and the wireless network is 192.168.8.0/24.

The following goes in the text box. Lines that start with ## are comments and can be omitted. If you are really pressed for space, you can drop the line breaks and separate the commands with semicolons.

## configure wireless interface
ifconfig eth1 up inet 192.168.8.1 netmask 255.255.255.0

## setup dnsmasq
cat << EOF > /tmp/new.dnsmasq.conf
interface=br0
interface=eth1
resolv-file=/tmp/resolv.conf
leasefile-ro
dhcp-script=/etc/lease_update.sh
dhcp-lease-max=50
dhcp-option=br0,3,192.168.7.1
dhcp-range=br0,192.168.7.100,192.168.7.249,255.255.255.0,1440m
dhcp-option=eth1,3,192.168.8.1
dhcp-range=eth1,192.168.8.100,192.168.8.249,255.255.255.0,1440m
EOF

## restart dnsmasq
killall dnsmasq
dnsmasq --conf-file /tmp/new.dnsmasq.conf 

## configure wireless options
## I set some extra options here, see the docs for the wl command
## this may all be handled by doing 'wlconf eth1 up' instead
wl -i eth1 down
wl -i eth1 ap 1
wl -i eth1 infra 1
wl -i eth1 txpwr 84
wl -i eth1 up

## depending on your wifi settings, this will change. I just copied the existing command and changed the -l option
## replace 'secretkey' and 'yourssid' with your real WPA key and SSID
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l eth1 -i eth1 -A -m 128 -k secretkey -s yourssid -w 2 -g 3600 &

You can copy the running nas command line from the output of 'ps' in the shell (ssh/telnet) and change only the interface options.

c) Click the 'Save Startup' button rather than the 'Cmd' button (don't close this window yet).

Configure the necessary iptables rules:

The default firewall setup is quite specific and knows nothing about the eth1 interface (it assumes eth1 is part of the LAN bridge), so we need to add several rules to make it aware. These work under v23; you may need to tweak parts if you run a different version. In particular, the numbers given to -I and -R are positions in the chain and may differ on your system, so list the chains with 'iptables -vnL --line-numbers' first and adjust them. A rule inserted in the wrong place (for example after the chain's final DROP) is silently unreachable.

a) Paste the following into the same text box used above, but this time press the 'Save Firewall' button:

## wan:  vlan1
## lan:  br0
## wifi: eth1
## permit new incoming connections to the router from the WLAN
## (this gives wireless clients the same access to the router as wired ones)
iptables -I INPUT 9 -i eth1 -m state --state NEW -j logaccept
## fixup forwarding table
## the lan2wan target didn't work for me, replace rule 6 with a straight accept
iptables -R FORWARD 6 -i br0  -o vlan1 -j ACCEPT
## permit WLAN -> WAN
iptables -I FORWARD 7 -i eth1 -o vlan1 -j ACCEPT
## permit WLAN -> LAN (this second insert at 7 pushes the rule above down to 8,
## which is harmless since both accept; make this a DROP on --state NEW instead
## if wireless clients should not be able to reach the wired LAN)
iptables -I FORWARD 7 -i eth1 -o br0  -j ACCEPT
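The inserts above are keyed to rule numbers that differ between builds. As an added example (not from this guide or from DD-WRT), the POSIX shell script below locates DD-WRT's own lan2wan rule in the FORWARD chain at run time and places the wireless rules just ahead of it, so the positions are computed rather than hard-coded. It also goes one step beyond the guide: WLAN_TO_LAN=1 reproduces the guide's open WLAN-to-LAN access, while the default isolates wireless clients from the wired LAN and lets them reach only DHCP and DNS on the router. The interface names, the lan2wan anchor and the sample chain listing are assumptions modelled on the v23 layout described above, and the script only prints the commands it would run unless invoked with --apply.

```shell
#!/bin/sh
# Added example, not part of the original guide: insert the unbridged-WLAN
# firewall rules relative to DD-WRT's own rules instead of at hard-coded
# positions, with a dry run by default.  Interface names and the sample chain
# listing are assumptions / constructed data modelled on the guide's v23 layout.

WAN_IF=${WAN_IF:-vlan1}
LAN_IF=${LAN_IF:-br0}
WLAN_IF=${WLAN_IF:-eth1}
# 1 = the guide's behaviour (wireless clients get full access to the wired LAN)
# 0 = hardened: wireless reaches the WAN, and only DHCP/DNS on the router
WLAN_TO_LAN=${WLAN_TO_LAN:-0}
IPT=${IPT:-iptables}

# Constructed 'iptables -vnL FORWARD --line-numbers' output for the dry run;
# a real router lists more rules and the numbers differ between builds.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      120  9000 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 TCPMSS     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
3       40  3200 lan2wan    0    --  br0    vlan1   0.0.0.0/0            0.0.0.0/0
4        0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0'

# Stand-in for iptables used by the dry run: answers listings from the sample
# above and prints every other invocation instead of executing it.
fake_iptables() {
    if [ "$1" = "-vnL" ]; then
        printf '%s\n' "$SAMPLE_FORWARD"
    else
        echo "iptables $*"
    fi
}

# first_rule_num PATTERN: read a '-vnL --line-numbers' listing on stdin and
# print the number of the first rule whose line matches the awk regex PATTERN.
# Prints nothing when no rule matches, so callers can fall back to -A.
first_rule_num() {
    awk -v pat="$1" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1; exit }'
}

# insert_before CHAIN PATTERN RULE...: insert RULE just ahead of the first rule
# in CHAIN matching PATTERN, or append it when nothing matches.  The chain is
# re-listed on every call, so successive inserts keep their relative order.
insert_before() {
    chain=$1; pat=$2; shift 2
    n=$("$IPT" -vnL "$chain" --line-numbers | first_rule_num "$pat")
    if [ -n "$n" ]; then
        "$IPT" -I "$chain" "$n" "$@"
    else
        "$IPT" -A "$chain" "$@"
    fi
}

# plan_wlan_firewall: emit (or apply) the rules for the unbridged WLAN.
plan_wlan_firewall() {
    # FORWARD: everything goes ahead of DD-WRT's lan2wan rule, i.e. after the
    # RELATED,ESTABLISHED accept that carries return traffic in both directions.
    insert_before FORWARD 'lan2wan' -i "$WLAN_IF" -o "$WAN_IF" -j ACCEPT
    if [ "$WLAN_TO_LAN" = 1 ]; then
        insert_before FORWARD 'lan2wan' -i "$WLAN_IF" -o "$LAN_IF" -j ACCEPT
    else
        # Match only NEW so established sessions are still handled by rule 1.
        insert_before FORWARD 'lan2wan' -i "$WLAN_IF" -o "$LAN_IF" -m state --state NEW -j DROP
        insert_before FORWARD 'lan2wan' -i "$LAN_IF" -o "$WLAN_IF" -m state --state NEW -j DROP
    fi
    # INPUT: these rules are interface-specific, so the head of the chain is
    # safe.  Each -I 1 goes in front of the previous one, hence DROP first.
    if [ "$WLAN_TO_LAN" = 1 ]; then
        "$IPT" -I INPUT 1 -i "$WLAN_IF" -m state --state NEW -j ACCEPT
    else
        "$IPT" -I INPUT 1 -i "$WLAN_IF" -m state --state NEW -j DROP
        "$IPT" -I INPUT 1 -i "$WLAN_IF" -p tcp --dport 53 -j ACCEPT
        "$IPT" -I INPUT 1 -i "$WLAN_IF" -p udp --dport 53 -j ACCEPT
        "$IPT" -I INPUT 1 -i "$WLAN_IF" -p udp --dport 67 -j ACCEPT
    fi
}

# Dry run by default; pass --apply on the router to run the real commands.
if [ "${1:-}" = "--apply" ]; then
    plan_wlan_firewall
else
    IPT=fake_iptables
    plan_wlan_firewall
fi
```

Run it without arguments to see the planned commands, then with --apply from the router shell and confirm with 'iptables -vnL FORWARD --line-numbers' that the new rules sit after the RELATED,ESTABLISHED accept and before lan2wan. Because the DROP rules match only NEW, the existing RELATED,ESTABLISHED rule keeps carrying return traffic for the wireless clients' WAN sessions.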

Step 3: Turn off the stock dnsmasq

This step comes last just to make sure we keep a way back into the router, since it seems to reboot every time we save the above configs.

a) Go to the 'Setup -> Basic Setup' page.

b) Change the 'DHCP server' setting to 'disable'

c) Uncheck all the DHCP-specific options.

The above didn't actually disable dnsmasq for me. I had to run the following commands from the shell (ssh or telnet):

 nvram set dnsmasq_enable=0
 nvram commit


I think that's it. Enjoy.


Comment by recalcitrantyouth, 11:01, 23 Jan 2008 (CEST): Thanks for this! In order to make this work with v2.3 SP2 on a WRT54GL 1.1, I needed to make a couple of minor changes.

## configure wireless interface
ifconfig eth1 up inet 192.168.8.1 netmask 255.255.255.0

## setup dnsmasq
cat << EOF > /tmp/new.dnsmasq.conf
interface=br0
interface=eth1
#resolv-file=/tmp/resolv.conf
# RY - incorrect resolv file in 2.3
resolv-file=/tmp/resolv.dnsmasq

leasefile-ro
dhcp-script=/etc/lease_update.sh
dhcp-lease-max=50
dhcp-option=br0,3,192.168.7.1
dhcp-range=br0,192.168.7.100,192.168.7.249,255.255.255.0,1440m
dhcp-option=eth1,3,192.168.8.1
dhcp-range=eth1,192.168.8.100,192.168.8.249,255.255.255.0,1440m
EOF

## restart dnsmasq
killall dnsmasq
dnsmasq --conf-file /tmp/new.dnsmasq.conf 

## configure wireless options
## I set some extra options here, see the docs for the wl command
## this may all be handled by doing 'wlconf eth1 up' instead
wlconf eth1 up

#wl -i eth1 down
#wl -i eth1 ap 1
#wl -i eth1 infra 1
#wl -i eth1 txpwr 84
#wl -i eth1 up

## depending on your wifi settings, this will change. I just copied the existing command and changed the -l option
# RY - if not running authentication, no need for this - the process isn't running
#killall nas
#nas -P /tmp/nas.wl0lan.pid -H 34954 -l eth1 -i eth1 -A -m 128 -k secretkey -s yourssid -w 2 -g 3600 &

I also found that step three was not actually necessary. Since during startup dnsmasq is being restarted anyway, forcing it not to start up shouldn't really matter.

Comment by tech128:

Well, to get this to work properly on V24 SP2 I had to modify the firewall and startup somewhat.

Also, on Atheros builds keep in mind there are no VLANs (that I saw, anyway), so you want to set the wireless interface to unbridged and enable NAT instead. And you will need to modify the startup and firewall, since the interfaces will be different. I believe it was ath0 for the wireless and eth0 for the WAN instead of vlan1.

First, the firewall:

## wan:  vlan1
## lan:  br0
## wifi: eth1
## permit incoming connections from WLAN
iptables -I INPUT 2 -i eth1 -m state --state NEW -j logaccept
## fixup forwarding table
## the lan2wan target didn't work for me, replace it with straight accept
iptables -R FORWARD 5 -i br0  -o vlan1 -j ACCEPT
## permit WLAN -> WAN
iptables -I FORWARD 7 -i eth1 -o vlan1 -j ACCEPT
## disallow WLAN -> LAN
iptables -I FORWARD 7 -i eth1 -o br0  -m state --state NEW -j DROP
## disallow LAN -> WLAN
iptables -I FORWARD -i br0 -o eth1 -m state --state NEW -j DROP
## disallow WLAN -> WAN subnet
iptables -I FORWARD -i eth1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
## disallow WLAN -> direct router access
iptables -I INPUT -i eth1 -m state --state NEW -j DROP
## Allow WLAN -> DHCP on the router
iptables -I INPUT -i eth1 -p udp --dport 67 -j ACCEPT
## Allow WLAN -> DNS on the router
iptables -I INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 53 -j ACCEPT

Next, the startup:

## configure wired interface
ifconfig br0 up inet 192.168.7.1 netmask 255.255.255.0
## configure wireless interface
ifconfig eth1 up inet 192.168.8.1 netmask 255.255.255.0

## setup dnsmasq
cat << EOF > /tmp/new.dnsmasq.conf
interface=br0
interface=eth1
#resolv-file=/tmp/resolv.conf
# RY - incorrect resolv file in 2.3
resolv-file=/tmp/resolv.dnsmasq
all-servers

dhcp-script=/etc/lease_update.sh
dhcp-lease-max=50
dhcp-authoritative
dhcp-option=br0,3,192.168.7.1
dhcp-range=br0,192.168.7.100,192.168.7.249,255.255.255.0,1440m
dhcp-option=eth1,3,192.168.8.1
dhcp-range=eth1,192.168.8.100,192.168.8.249,255.255.255.0,1440m
stop-dns-rebind
EOF

## restart dnsmasq
killall dnsmasq
dnsmasq --conf-file=/tmp/new.dnsmasq.conf 

## configure wireless options
## I set some extra options here, see the docs for the wl command
## this may all be handled by doing 'wlconf eth1 up' instead
wlconf eth1 up

References

Separate LAN and WLAN