Multiple SSIDs & Separate Subnets w/v24

switch
DD-WRT Guru


Joined: 30 Apr 2008
Posts: 967
Location: Romania

PostPosted: Sat Jul 26, 2008 18:34
Just turn on QoS
_________________
Q: How do I do ...? A: Read the tutorials or Search forums
rjmcinty
DD-WRT Novice


Joined: 30 Jul 2008
Posts: 4

PostPosted: Thu Jul 31, 2008 5:52    Post subject: Help with virtual WAPs in v24-SP1!
I'm having a heck of a time getting this to work:

Using WRT54GL v1.1, running v24-SP1 Std.

I want to have 2 wireless networks, the default (wl0), which is connected to the wired switch, and wl0.1 which is isolated from everything else.

Using the instructions here:
http://www.wi-fiplanet.com/tutorials/article.php/10724_3714521_2

Or from the first post in this thread.

I've configured the wl0.1 VAP, added these dnsmasq entries:
interface=wl0.1
dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m
dhcp-option=wl0.1,3,192.168.2.1
dhcp-option=wl0.1,6,192.168.1.1

And my rc_firewall is thus:
iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept
iptables -I FORWARD -i wl0.1 -o br0 -j logdrop
iptables -I FORWARD -i br0 -o wl0.1 -j logdrop

At this point, here's my problems:
1. the wl0.1 VAP won't work with any sort of encryption/authentication
2. making the wl0.1 VAP open will allow connection, and even serve up an IP, but I can't ping anything, or reach anything at all (inside or outside of my network).

My thought is that the iptables is blocking anything coming from wl0.1. It's not bridged anywhere, and there's no forwarding rule to send it to anything... But, I'm just getting started with this stuff.
Please help!
Thanks!
Robert
validcustomer
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 14

PostPosted: Thu Jul 31, 2008 13:59    Post subject: Re: Help with virtual WAPs in v24-SP1!
rjmcinty wrote:
I'm having a heck of a time getting this to work:



See the second to last post in this topic:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35498&postdays=0&postorder=asc&start=15

The problem is that a program called "nas" is being run with the wrong parameters.
rjmcinty
DD-WRT Novice


Joined: 30 Jul 2008
Posts: 4

PostPosted: Fri Aug 01, 2008 1:56    Post subject: Re: Help with virtual WAPs in v24-SP1!
validcustomer wrote:


See the second to last post in this topic:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35498&postdays=0&postorder=asc&start=15

The problem is that a program called "nas" is being run with the wrong parameters.


Excellent! It worked great! A couple of notes:

1. When you said to set up the virtual adapter, via the gui, it should be set up as "bridged", otherwise you have to give it an IP (which I did as 192.168.2.1), which collides with the IP in the 4th line of the rc_startup script.

2. I'm not sure why you said "I'll add don't be tempted to use the WPA choices unless you are using Enterprise". After twiddling the -m parameter in the nas commands, I've got it working with WPA (and WPA2), though interestingly the GUI says they're WPA, but wl0_akm says they're PSK...

Anyway, thanks a ton for your help! I've been beating my head against this wall every night since Sunday, and now I can relax!

Thanks,
Robert
mackintire
DD-WRT Novice


Joined: 28 Jul 2008
Posts: 32

PostPosted: Fri Aug 01, 2008 15:43
What did you twiddle with?

I'm not sure why you said "I'll add don't be tempted to use the WPA choices unless you are using Enterprise". After twiddling the -m parameter in the nas commands, I've got it working with WPA (and WPA2), though interestingly the GUI says they're WPA, but wl0_akm says they're PSK...


That would be great information for all of us, if you don't mind sharing.
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Sat Aug 02, 2008 1:27    Post subject: Re: Help with virtual WAPs in v24-SP1!
rjmcinty wrote:
validcustomer wrote:


See the second to last post in this topic:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35498&postdays=0&postorder=asc&start=15

The problem is that a program called "nas" is being run with the wrong parameters.


Excellent! It worked great! A couple of notes:

1. When you said to set up the virtual adapter, via the gui, it should be set up as "bridged", otherwise you have to give it an IP (which I did as 192.168.2.1), which collides with the IP in the 4th line of the rc_startup script.

2. I'm not sure why you said "I'll add don't be tempted to use the WPA choices unless you are using Enterprise". After twiddling the -m parameter in the nas commands, I've got it working with WPA (and WPA2), though interestingly the GUI says they're WPA, but wl0_akm says they're PSK...

Anyway, thanks a ton for your help! I've been beating my head against this wall every night since Sunday, and now I can relax!

Thanks,
Robert
Is it true that with V24 SP1 the wifiplanet tutorial is obsolete? Or is it considered a bug that the wifiplanet method no longer works? I have yet to try the method proposed here, but am curious if it is considered a workaround or considered the new correct way to set this up.

On V24 final, Did anyone else experience the issue visiting walmart.com I reported?
rjmcinty
DD-WRT Novice


Joined: 30 Jul 2008
Posts: 4

PostPosted: Sat Aug 02, 2008 19:32    Post subject: Detailed instructions from my configuration
Several people have asked for additional information, so I'll include it below. As for the wi-fiplanet tutorial, I think that it should be valid, but there's a bug in DD-WRT that keeps it from working.

Note that all of this came from validcustomer's post; there's very little here that's original to me. (Credit where credit is due)

Thanks,
Robert

Here are my instructions:
Source: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35498&postdays=0&postorder=asc&start=15
Author: validcustomer

Firmware: DD-WRT v24-SP1 (7/27/08) std - build 10011

Note: I usually do "Save" rather than "Apply Settings" after each page, and then do a single "Apply Settings" at the end

Step 1: Restore to factory defaults (I did this to make sure that I was starting from a clean point)
Step 2: Configure wireless (via Wireless -> Basic Settings)
Step 2a: Configure default Wireless Physical Interface wl0
Step 2b: Configure virtual Interface wl0.1
- AP Isolation to Enabled if you don't want those clients to talk to each other
- Network Configuration to Bridged (the rc_startup script will unbridge it)
Step 2c: Configure Wireless Security for both interfaces (via Wireless -> Wireless Security)
- Select the security mode, algorithms and shared keys as you desire
Step 3: Configure DNSMasq (Services)
- Enter the options, shown below, in the Additional DNSMasq Options box
Step 4: Add scripts (via Administration -> Commands)
- Enter the text from rc_startup below (pay attention to the notes at the end) into the text box
- Click Save Startup
- Enter the text from rc_firewall below into the text box
- Click Save Firewall
Step 5: Make sure that you've clicked Apply Settings, and then reboot
Step 6: Do any other configuration changes you want for your network (name, UPnP, etc., etc.)

That should be it!

-----------------------------------
rc_startup:

##MOVES VIRTUAL WIRELESS TO OWN BRIDGE
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig br1 up

##FIX NAS
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1 -A -m 4 \
-k "`nvram get wl0_wpa_psk`" -s "`nvram get wl0_ssid`" -w 2 \
-g `nvram get wl0_wpa_gtk_rekey`
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1 -A -m 4 \
-k "`nvram get wl0.1_wpa_psk`" -s "`nvram get wl0.1_ssid`" -w 2 \
-g `nvram get wl0.1_wpa_gtk_rekey`

!!!!!!!!!!!!!!!!
Notes:
(See http://wiki.openwrt.org/OpenWrtDocs/nas for details about the nas command)
1. As the original link has the rc_startup code, it used "-m 132", which, according to the docs linked
above, corresponds to PSK PSK2, and that didn't work for me, since I set my security to WPA in the GUI.

To be honest, I'm not sure of the relationship between WPA/PSK/etc. So, I simply set the security options in the GUI that I knew I wanted, and then either telnet'd into the router, or used the Administration -> Commands page to execute a "nvram get wl0_akm", which for WPA returns PSK in my config. So, looking at the nas docs, I saw that corresponded to "-m 4".

2. Likewise, I looked at "nvram get wl0_crypto" to get the encryption method (TKIP in my case), and
looking at the nas docs I found that was "-w 2".

Use wl0.1_akm and wl0.1_crypto for the virtual wireless interface.
!!!!!!!!!!!!!!!!
-----------------------------------
rc_firewall:

##BRI1
iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
#below keeps the two networks from talking
iptables -I FORWARD -i br0 -o br1 -j logdrop

-----------------------------------
Additional DNSMasq options:

interface=br1
dhcp-range=br1,192.168.2.100,192.168.2.149,255.255.255.0,1440m
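Added example, not code from this thread or from DD-WRT: a small POSIX sh helper that derives the nas -m and -w flags from the nvram akm/crypto values the notes above look up by hand, using only the value pairs reported in this thread (psk -> 4, psk2 -> 128, psk psk2 -> 132; tkip -> 2, aes -> 4, tkip+aes -> 6) and refusing anything else rather than guessing. The exact nvram string forms ("psk psk2", "tkip+aes") are an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: build the nas lines
# from nvram's akm/crypto values instead of hand-picking -m / -w.
# Mapping uses only the pairs this thread reports; anything else is rejected.
# Assumed nvram string forms: "psk", "psk2", "psk psk2"; "tkip", "aes", "tkip+aes".

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# nas_mode AKM : print the nas -m value for a wl*_akm string, or fail.
nas_mode() {
    case "$(lc "$1")" in
        psk)                    echo 4 ;;    # WPA Personal
        psk2)                   echo 128 ;;  # WPA2 Personal
        "psk psk2"|"psk2 psk")  echo 132 ;;  # both, 4 + 128
        *) echo "nas_mode: unsupported akm '$1'" >&2; return 1 ;;
    esac
}

# nas_wsec CRYPTO : print the nas -w value for a wl*_crypto string, or fail.
nas_wsec() {
    case "$(lc "$1")" in
        tkip)                   echo 2 ;;
        aes)                    echo 4 ;;
        tkip+aes|aes+tkip)      echo 6 ;;    # both, 2 + 4
        *) echo "nas_wsec: unsupported crypto '$1'" >&2; return 1 ;;
    esac
}

# nas_cmd PREFIX BRIDGE IFACE AKM CRYPTO : print one nas command line.
# PREFIX is the nvram prefix (wl0 or wl0.1). The key, SSID and rekey interval
# stay as `nvram get` backquotes, exactly as in the post, so the PSK is never
# written into this script.
nas_cmd() {
    m=$(nas_mode "$4") || return 1
    w=$(nas_wsec "$5") || return 1
    printf 'nas -P /tmp/nas.%slan.pid -H 34954 -l %s -i %s -A -m %s -k "`nvram get %s_wpa_psk`" -s "`nvram get %s_ssid`" -w %s -g `nvram get %s_wpa_gtk_rekey`\n' \
        "$1" "$2" "$3" "$m" "$1" "$1" "$w" "$1"
}

# On the router (rc_startup, after br1 exists): regenerate both nas lines
# from whatever security the GUI currently has set.
if [ "${1:-}" = "--run" ]; then
    killall nas
    eval "$(nas_cmd wl0   br0 eth1  "$(nvram get wl0_akm)"   "$(nvram get wl0_crypto)")"
    eval "$(nas_cmd wl0.1 br1 wl0.1 "$(nvram get wl0.1_akm)" "$(nvram get wl0.1_crypto)")"
fi
```

Run it with --run from rc_startup; without the flag it only defines the functions, so it can be sourced and inspected first.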
threepwood
DD-WRT Novice


Joined: 01 Aug 2008
Posts: 2

PostPosted: Sat Aug 02, 2008 22:14
Thanks, works perfectly now :)

For reference this is my rc_startup for wl0lan (WPA2-PSK with AES) and wl0.1 (WPA-PSK with AES):


##FIX NAS
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1 -A -m 128 \
-k "`nvram get wl0_wpa_psk`" -s "`nvram get wl0_ssid`" -w 4 \
-g `nvram get wl0_wpa_gtk_rekey`
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1 -A -m 4 \
-k "`nvram get wl0.1_wpa_psk`" -s "`nvram get wl0.1_ssid`" -w 4 \
-g `nvram get wl0.1_wpa_gtk_rekey`
validcustomer
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 14

PostPosted: Sun Aug 03, 2008 19:35    Post subject: Pay it forward
I'm glad I could help. Everything I know about the subject came from this forum or a good Google search and lots of rebooting. I probably spent a week wondering why I couldn't get that second interface to use encryption while not finding many complaining about it not working. The process of understanding is made difficult because over time the developers have incorporated a lot of the command-line power into the GUI, which makes some examples outdated, and people ended up doing things just because they work but not really understanding why.

For instance, at first when nothing worked I blamed DHCP. The Wi-Fi Planet tutorial says to put
interface=wl0.1
dhcp-option=wl0.1,3,192.168.2.1 (which sets the gateway)
dhcp-option=wl0.1,6,192.168.1.1 (which sets the name server (dns))
dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m
and some added this line:
dhcp-authoritative

But just looking at the results after omitting the lines setting the name server and gateway proves that the lines are not needed and are just voodoo. (Unless your name server and gateway are not your DD-WRT). By the way, the dhcp-authoritative line is set by a check box in the GUI and is on by default.

So all that is really needed in Additional DNSMasq Options is
interface=wl0.1
dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m

You can even set these options in the GUI on the Setup\Networking tab under the "DHCPD\Multiple DHCP Server" heading. ( I didn't recommend using the GUI here because the br1 interface can't be used by the GUI until it's created in the start-up script.)

Yes, I did forget in the original post to note that I left the virtual wireless interface bridged after it was created in the GUI.

As for all the discussion back and forth about what I meant by being careful when picking WPA, I just meant that the meaning of terms used in the DD-WRT GUI are not the same as the meaning on the nas manual page. From my understanding, what DD-WRT refers to as WPA Personal is called PSK by the nas instructions. A pre-shared key (PSK) is the pass-phrase that you put in both your DD-WRT and the devices that connect. WPA Enterprise is more complex and involves the key being automatically renewed/changed periodically. The nas manual page refers to Enterprise as just WPA. So to repeat, most users of DD-WRT are using WPA Personal/PSK. At some time the process was improved, including allowing AES encryption, which is what the "2" part means, as in WPA2 or PSK2. If your devices support it, you should use it. I use a pre-shared key and allow both WPA Personal and WPA2 Personal clients to connect (-m 132) using either TKIP or AES (which is what -w 6 means). If I used "-w 4" like the post above, then I would only allow AES and one of my network cards wouldn't work because I guess it only does TKIP.

By the way, here is some more of my firewall script that modifies br0 to only allow the connections permitted. (This would be a great network to put a computer you fear might be infected, or to offer for free without fear that someone would run something to eat up all your bandwidth.) You could, of course, change the lines to apply to br1 instead if you wanted. These rules apply only to traffic entering and leaving the bridge, so if you wanted to truly isolate all clients on the subnet, you'd need to check the AP isolation option on the "Wireless\Basic Setting" tab.

##BR0
#port 80=surfing, port 443=secure browsing, port 21=ftp
iptables -I FORWARD 1 -i br0 -p tcp -m multiport --dport 21,80,443 -j ACCEPT
iptables -I FORWARD 2 -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -i br0 -j DROP

Good luck.
validcustomer
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 14

PostPosted: Sun Aug 03, 2008 19:48    Post subject: Re: Pay it forward
validcustomer wrote:
These rules apply only to traffic entering and leaving the bridge, so if you wanted to truly isolate all clients on the subnet, you'd need to check the AP isolation option on the "Wireless\Basic Setting" tab


Correction:
AP Isolation for eth1(wl0), which by default is on br0, can be set on the "Wireless\Advanced Settings" tab. AP isolation for wl0.1 (which for me is now on br1) is set on "Wireless\Basic Settings".
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Thu Aug 07, 2008 1:54
I am hoping this has been fixed in build 10108. Does anyone know?

Thanks
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Sat Aug 09, 2008 17:10    Post subject: Re: Detailed instructions from my configuration
rjmcinty wrote:
##FIX NAS
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1 -A -m 4 \
-k "`nvram get wl0_wpa_psk`" -s "`nvram get wl0_ssid`" -w 2 \
-g `nvram get wl0_wpa_gtk_rekey`
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1 -A -m 4 \
-k "`nvram get wl0.1_wpa_psk`" -s "`nvram get wl0.1_ssid`" -w 2 \
-g `nvram get wl0.1_wpa_gtk_rekey`

!!!!!!!!!!!!!!!!
Notes:
(See http://wiki.openwrt.org/OpenWrtDocs/nas for details about the nas command)
I looked at this link and it was not clear to me what to do if I want WEP. Does anyone know how to do this with WEP? (and don't tell me WEP is inferior because I have a device that does WEP and not WPA and I know the limitation of WEP.)

The wifiplanet method has been completely broken in every build after V24 Final 9526 and is still broken in 10108. And when it did work, I still couldn't get to some websites through the VWLAN, such as walmart.com. I am still wondering about that one too and would like more info. I am using a Buffalo WHR-HP-G54 for the VWLAN stuff.
TheBashar
DD-WRT Novice


Joined: 26 Mar 2007
Posts: 25

PostPosted: Sun Aug 10, 2008 1:11    Post subject: Re: Detailed instructions from my configuration
JN wrote:
I looked at this link and it was not clear to me what to do if I want WEP. Does anyone know how to do this with WEP?


I am running build 10108M TNG Eko and I'm using WPA2-PSK on my main wireless with WEP on my virtual wireless. In my startup I do need to create the br1 bridge and move the wl0.1 interface to it from br0, but I do not need to do any special work-arounds with nas. I think those nas commands are only needed to fix WPA on the virtual wireless interfaces.
dr3w2k
DD-WRT Novice


Joined: 10 Aug 2008
Posts: 2

PostPosted: Sun Aug 10, 2008 21:49
I am having a similar problem where I can get an IP on my virtual network and I can ping the gateway, but I cannot get out to the Internet. I think I know what the problem is but not sure what my options are.

I have a Smoothwall firewall with my Linksys WRT54G v5 connected to the Green network. I have no cable connected to the WAN port of the AP.

I am running v24-sp1. Here are the commands I have entered:

DNS Masq:
interface=br1
dhcp-option=br1,6,65.24.7.10
dhcp-range=br1,192.168.105.100,192.168.105.149,255.255.255.0,1440m

Startup:
##MOVES VIRTUAL WIRELESS TO OWN BRIDGE
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
ifconfig br1 192.168.105.1 netmask 255.255.255.0
ifconfig br1 up

##FIX NAS
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1 -A -m 132 \
-k "`nvram get wl0_wpa_psk`" -s "`nvram get wl0_ssid`" -w 6 \
-g `nvram get wl0_wpa_gtk_rekey`
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1 -A -m 132 \
-k "`nvram get wl0.1_wpa_psk`" -s "`nvram get wl0.1_ssid`" -w 6 \
-g `nvram get wl0.1_wpa_gtk_rekey`

Firewall:
##BRI1
iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
#below keeps the two networks from talking
iptables -I FORWARD -i br0 -o br1 -j logdrop

I believe the problem is that the firewall command is allowing traffic from br1 to vlan1, with vlan1 being the WAN port on the AP. Since I have nothing connected to that port, I cannot get out to the Internet. If I plug another cable from the Green network of my Smoothwall into the WAN port, I still cannot get out.

Not sure if I can accomplish what I want with my current setup, but all I want is to have two wireless networks, one secured and one unsecured.

My thinking is that I will need to add a Purple network to my Smoothwall and configure it for the same subnet as my virtual network on my AP. I can then plug the purple network into the WAN port on the AP and statically assign the WAN port an IP.

Any help/thoughts would be appreciated.
dr3w2k
DD-WRT Novice


Joined: 10 Aug 2008
Posts: 2

PostPosted: Tue Aug 12, 2008 13:58
Anyone who is interested, I got this working with my Smoothwall.

Using DDWRT, I disabled the WAN functionality of the WAN port and made it just another switch port. Moved it to a separate VLAN and then connected it to the orange interface of my Smoothwall. Set up DHCP in DDWRT to hand out addresses on the orange network and use the orange IP as the gateway. I now have two separate SSIDs broadcasting from one router, one secure on my green network and one unsecure on orange. I'm sure I could do the same without using the WAN port and just moving one of the LAN ports to the separate VLAN and connecting it to the orange network.

I went with the orange network rather than purple because when I used the purple network, the unsecure clients were still getting DHCP from my DHCP server on my green network. Plus, it seems that purple can still access orange, so why not just use the orange network?