VLAN Detached Networks each with Wireless and Internet
From DD-WRT Wiki
Previous revision: 13:41, 27 June 2008 by Andrewmachtolff (minor edit: formatting of the "Public Free Hotspot and Private ESSID on VLAN's RC6 instructions" section)
This revision: 05:59, 26 July 2008 by KiwiKid (minor edit: enabling encryption for the virtual interface)
Revision as of 05:59, 26 July 2008
Public Free Hotspot and Private ESSID on VLAN's RC6 instructions
I now have my WRT54GL V24 RC6 serving separate public and private networks. My private network 192.168.1.0/24 has WPA, and my public network 192.168.2.0/24 has an open ESSID for anyone to use; it is also on its own VLAN on port 4 of the switch.
I put this together using things from this forum and the Wiki. Here's how....
For best results use a WRT54GL or a similar router with the BCM5352 chipset, since this gives each virtual AP its own MAC address. http://en.wikipedia.org/wiki/WRT54G#WRT54GL
First go into Wireless on the web interface and set up the main wireless interface, wl0, which will be your private one. You can apply WPA to it in the usual way. Then set up your first virtual interface, wl0.1, for the public network. You can add a further alias and include it in the same public network. Leave these set to bridged for the moment; in RC6 you can change this from the web interface later anyway.
Now go into Setup/VLANs to put port 4 on VLAN2. This is not as straightforward as it appears, since on my GL I had to select port 1 on the screen, as this corresponds to port 4 in hardware.
- Early hardware: http://www.tonns.org/openwrt/WRTSL54GS_layout_rev1.png
- GL hardware: http://garycourt.com/wp-content/images/WRT54_sw2_internal_architecture.png
So, in effect, I had to move the tick on port 1 to VLAN2, leaving it set to none, in order to move port 4 on the back of the box.
In the DNS Masq box paste and save the following:
interface=br1
dhcp-range=br1,192.168.2.100,192.168.2.120,255.255.255.0,600
dhcp-option=net:br1,3,192.168.2.1
Having saved these settings, open a shell to the router and log in as root. Paste the following into the shell:
# switch port 0 (physical port 4 on the GL) leaves the LAN VLAN and becomes VLAN2
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2ports="0 5*"
nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# move the public virtual AP off the private bridge and onto its own bridge with VLAN2
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig vlan2 up
brctl addif br1 vlan2
ifconfig br1 up
'
nvram set rc_firewall='
# accepts all traffic from the hotspot bridge to the router itself
iptables -I INPUT -i br1 -j ACCEPT
# hotspot clients may open connections to the WAN (vlan1, or ppp0 for PPPoE)
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o ppp0 -m state --state NEW -j ACCEPT
# private LAN clients may not reach the hotspot bridge (logdrop is the DD-WRT logging drop chain)
iptables -I FORWARD -i br0 -o br1 -j logdrop
'
nvram commit
You will now need to reboot your router.
The way this works is first to put port 4 on VLAN2 and create wl0.1, then to create a bridge br1 and add VLAN2 and wl0.1 to it. The iptables rules then connect this bridge to the WAN.
Clients on the 192.168.1.0 LAN and the 192.168.2.0 LAN cannot ping across, although they can both see the router on either 192.168.1.1 or 192.168.2.1.
I have not implemented bandwidth shaping nor a hotspot splash page, but it's a start.
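The setup above, as an added example that is not code from the wiki page or its authors: a POSIX shell script that prints the page's rc_firewall next to a stricter one and checks the bridge layout from `brctl show` output after the reboot. The page's first rule, `iptables -I INPUT -i br1 -j ACCEPT`, lets hotspot clients reach every service the router listens on (the web interface, and telnet or ssh if enabled), not only DHCP and DNS. The stricter set limits br1 to those two services and drops the rest, and blocks forwarding between br0 and br1 in both directions instead of relying on the firmware's default chains for the br1-to-br0 direction. Interface names follow the page; the function names, the `rules`/`install`/`check` arguments, and the sample `brctl show` output (including its bridge ids) are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the hotspot/VLAN setup above; not code from the DD-WRT wiki
# page or its authors. Generates a stricter rc_firewall for the br1 hotspot
# bridge and checks `brctl show` output after the reboot. Interface names follow
# the page (br0 private LAN, br1 hotspot, vlan1/ppp0 WAN); the function names
# and the sample brctl output below are constructed for this example.

# The page's rc_firewall, for comparison. Its first rule accepts everything
# from br1 to the router itself, so hotspot clients can reach the web UI,
# telnet and ssh as well as DHCP and DNS.
page_rules() {
    cat <<'EOF'
iptables -I INPUT -i br1 -j ACCEPT
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -j logdrop
EOF
}

# Stricter replacement. "-I" prepends, so each rule lands above the one executed
# before it: the finished INPUT chain reads ESTABLISHED, udp/67, udp/53, tcp/53,
# DROP. The router answers only DHCP and DNS from br1; the two bridges are
# blocked from each other explicitly in FORWARD (logdrop is DD-WRT's logging
# drop chain, as on the page); hotspot clients may open connections to the WAN only.
hardened_rules() {
    cat <<'EOF'
iptables -I INPUT -i br1 -j DROP
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i br1 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -j logdrop
iptables -I FORWARD -i br1 -o br0 -j logdrop
EOF
}

# Writes the stricter rules into nvram the same way the page does.
install_hardened() {
    nvram set rc_firewall="$(hardened_rules)" && nvram commit
}

# bridge_of <iface>: reads `brctl show` on stdin and prints the bridge that owns
# <iface>. Rows that start a bridge carry the bridge name in field 1 (3 or 4
# fields); continuation rows listing further interfaces have a single field.
bridge_of() {
    awk -v want="$1" 'NR > 1 { if (NF >= 3) br = $1; if ($NF == want) { print br; exit } }'
}

# check_layout: stdin = `brctl show`; succeeds only if wl0.1 and vlan2 are both
# on br1, which is the state rc_startup must leave behind.
check_layout() {
    out=$(cat)
    wl=$(printf '%s\n' "$out" | bridge_of wl0.1)
    vl=$(printf '%s\n' "$out" | bridge_of vlan2)
    [ "$wl" = br1 ] && [ "$vl" = br1 ] && return 0
    echo "wl0.1 on ${wl:-none}, vlan2 on ${vl:-none}; expected both on br1" >&2
    return 1
}

# Constructed `brctl show` outputs (bridge ids made up): the correct layout, and
# the layout left behind if rc_startup never ran, with wl0.1 still on br0.
BRCTL_GOOD='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              vlan0
                                                        eth1
br1             8000.000000000002       no              vlan2
                                                        wl0.1'
BRCTL_BAD='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              vlan0
                                                        eth1
                                                        wl0.1'

case "${1:-}" in
    rules)   hardened_rules ;;
    install) install_hardened ;;
    check)   brctl show | check_layout && echo "bridge layout ok" ;;
esac
```

Save it on the router under any name (the name is not prescribed by the page) and run it with `rules` to see the stricter chain, `install` to write it to rc_firewall, and `check` after the reboot to confirm wl0.1 and vlan2 ended up on br1. Hotspot clients will no longer get ICMP echo replies from the router with these rules; add an `icmp` accept above the DROP if you want that.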
Notes for Getting Encryption Working on the Virtual WiFi Interface
The above is an excellent guide, but I wanted to set up two private networks, one for guest use, one for my private use.
Everything appeared to be working until I enabled encryption on the virtual interface.
I discovered that the encryption agent, the nas daemon, was running with the following options:

nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br0 -i wl0.1 -A -m 132 -k <passwd> -s <SSID> -w 6 -g 3600

The issue is that it's running on the wrong bridge interface. It should be using br1.

The workaround I'm using is to modify the rc_startup to look like:

nvram set rc_startup='
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
# br1 address; it must be on a different subnet from br0 (the guide above uses 192.168.2.1)
ifconfig br1 192.168.1.1 netmask 255.255.255.0
ifconfig vlan2 up
brctl addif br1 vlan2
ifconfig br1 up
# stop the nas instance the firmware started against br0 and start it again against br1
kill $( cat /tmp/nas.wl0.1lan.pid )
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1 -A -m 132 -k <passwd> -s <SSID> -w 6 -g 3600 &
'
nvram commit
If the nas daemon for the virtual interface dies, it will be restarted with the incorrect bridge. I hope to ask the experts on the forum about this, but in case I don't get that far, the above does at least initially work.
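The nas restart problem described in these notes, as an added example that is not code from the page or from its authors: a POSIX shell script that reads `ps w` output, finds the nas instance serving a given wireless interface from its `-i` argument, reports which bridge it was started against (`-l`), and rebuilds its command line with the correct bridge so it can be killed and restarted. This is the check to run whenever the firmware may have respawned nas against br0. The EXPECTED mapping, the function names, and the sample `ps w` lines (PIDs, passphrases, SSIDs) are constructed for this example; the nas options themselves are the ones shown above.

```shell
#!/bin/sh
# Added example for the nas restart problem in the notes above; not code from
# the DD-WRT wiki page or its authors. Finds each Broadcom nas instance in
# `ps w` output by its "-i <wlif>" argument, reports the bridge it is bound to
# ("-l"), and rebuilds the command line with the correct bridge. EXPECTED, the
# function names and PS_SAMPLE are constructed for the example.

# wireless interface -> bridge it must be bound to (private AP on br0, guest on br1)
EXPECTED='eth1 br0
wl0.1 br1'

# Constructed `ps w` output showing the failure mode: the firmware restarted the
# nas for wl0.1 against br0 although wl0.1 has been moved to br1.
PS_SAMPLE='  PID USER       VSZ STAT COMMAND
  513 root      1188 S    nas -P /tmp/nas.lan.pid -H 34954 -l br0 -i eth1 -A -m 4 -k privatepw -s private -w 4 -g 3600
  517 root      1188 S    nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br0 -i wl0.1 -A -m 132 -k guestpw -s guest -w 6 -g 3600'

# nas_field <wlif> <flag>: stdin = ps output; prints the value following <flag>
# on the nas command line whose "-i" is <wlif> ("pid" gives the process id),
# or nothing if no such nas is running.
nas_field() {
    awk -v want="$1" -v flag="$2" '
        /(^| )nas / {
            wl = ""; val = ""
            if (flag == "pid") val = $1
            for (i = 1; i < NF; i++) {
                if ($i == "-i") wl = $(i + 1)
                if ($i == flag) val = $(i + 1)
            }
            if (wl == want) { print val; exit }
        }'
}

nas_bridge_for()  { nas_field "$1" -l; }
nas_pidfile_for() { nas_field "$1" -P; }

# check_nas_bindings: stdin = ps output; prints one MISMATCH line per nas that
# is bound to the wrong bridge (or missing) and fails if there is any.
check_nas_bindings() {
    ps_out=$(cat)
    rc=0
    while read -r wlif want; do
        have=$(printf '%s\n' "$ps_out" | nas_bridge_for "$wlif")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: nas for $wlif bound to ${have:-nothing}, expected $want"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# fixed_nas_cmd <wlif> <bridge>: stdin = ps output; prints the running nas
# command line for <wlif> with its "-l" argument replaced by <bridge>.
fixed_nas_cmd() {
    awk -v want="$1" -v br="$2" '
        /(^| )nas / {
            hit = 0
            for (i = 1; i < NF; i++) if ($i == "-i" && $(i + 1) == want) hit = 1
            if (!hit) next
            for (i = 1; i < NF; i++) if ($i == "-l") $(i + 1) = br
            s = ""
            for (i = 1; i <= NF; i++) { if ($i == "nas") s = "nas"; else if (s != "") s = s " " $i }
            print s; exit
        }'
}

# rebind_nas <wlif> <bridge>: kill the wrongly bound nas and start it again
# against <bridge>, which is what the rc_startup above does by hand. The
# command is word-split, not eval'd, so shell metacharacters in the passphrase
# are not re-interpreted.
rebind_nas() {
    ps_out=$(ps w)
    pid=$(printf '%s\n' "$ps_out" | nas_field "$1" pid)
    cmd=$(printf '%s\n' "$ps_out" | fixed_nas_cmd "$1" "$2")
    [ -n "$pid" ] && [ -n "$cmd" ] || return 1
    kill "$pid"
    $cmd &
}

case "${1:-}" in
    check)  ps w | check_nas_bindings && echo "nas bindings ok" ;;
    rebind) rebind_nas "$2" "$3" ;;
esac
```

Run it with `check` to list any nas bound to the wrong bridge, and `rebind wl0.1 br1` to kill and restart that instance; the passphrase is read back from the process list, so this only works for passphrases without whitespace, which is also the case for the rc_startup line above.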