In the default configuration, OpenWrt bridges the wireless network to the LAN of the device. The advantage of bridging is that broadcast traffic from Wireless to LAN and vice versa works without further changes.
In order to separate the wireless network from LAN, a new network with the corresponding DHCP and firewall settings must be created. This document outlines the steps necessary to implement such a setup.
Configuration
The changes below assume an OpenWrt default configuration. The relevant files are /etc/config/network, /etc/config/wireless, /etc/config/dhcp and /etc/config/firewall.
Step 1: Define a new network
Edit /etc/config/network and define a new interface section:

    config 'interface' 'wifi'
        option 'proto' 'static'
        option 'ipaddr' '192.168.2.1'
        option 'netmask' '255.255.255.0'

Note that no ifname option is set here; it is not required, since the wireless network will reference this section later. Make sure that the chosen IP address is in a different subnet than the one used by the lan interface.
Step 2: Change the existing wireless network
In /etc/config/wireless, locate the existing wifi-iface section and change its network option to point to the newly created interface section:

    config 'wifi-iface'
        option 'device' 'wl0'
        option 'network' 'wifi'
        option 'mode' 'ap'
        option 'ssid' 'OpenWrt'
        option 'encryption' 'none'

In the existing section, network was changed to point to the wifi interface defined in the previous step.
Optionally, change the last line to option 'encryption' 'psk2' and add the line option 'key' 'secret key' to enable WPA encryption.
Step 3: Define a new DHCP pool (Optional)
Since wireless is not bridged to LAN anymore, no DHCP leases are served to wireless clients yet. In order to support DHCP on wireless as well, a new dhcp pool must be defined in /etc/config/dhcp:

    config 'dhcp' 'wifi'
        option 'interface' 'wifi'
        option 'start' '100'
        option 'limit' '150'
        option 'leasetime' '12h'
Step 4: Adjust firewall settings
By default, traffic originating from the wireless network is not allowed to reach the WAN or the LAN interface. There is also no firewall zone defined for it yet, so only the default policies apply to the wireless network. Define a zone for the new network:

    config zone
        option name wifi
        list network 'wifi'
        option input ACCEPT
        option output ACCEPT
        option forward REJECT

Now that the zone is defined, traffic forwarding control for the wireless network can be implemented. To allow wireless clients to use the WAN interface, add the following forwarding section:

    config 'forwarding'
        option 'src' 'wifi'
        option 'dest' 'wan'

If LAN clients should be able to contact wireless clients, add the following forwarding:

    config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wifi'

To allow wireless clients to reach the LAN network, add the reversed rule below as well:

    config 'forwarding'
        option 'src' 'wifi'
        option 'dest' 'lan'

If clients on the wifi network can't connect to the outside Internet, you may also need to enable masquerade (NAT) on your lan. To do this, add option masq '1' to your lan zone config as follows:

    config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
Apply changes
- Enable the new wireless network:
    ifup wifi wifi
- Restart the firewall:
    /etc/init.d/firewall restart
- Restart the DHCP service:
    /etc/init.d/dnsmasq restart
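As an added check (example code written for this page, not part of the recipe or of OpenWrt), the script below parses the UCI fragments from the steps above and verifies the two things the setup depends on: that the wifi subnet does not overlap the lan subnet (Step 1), and that the wifi zone defaults to REJECT with no wifi-to-lan forwarding (Step 4). The config strings are constructed samples (lan uses the OpenWrt default 192.168.1.1) and the parser is a simplified one, not libuci.

```python
import ipaddress
# Constructed sample fragments in the UCI syntax of /etc/config/network and
# /etc/config/firewall; lan is the OpenWrt default, wifi parts follow the steps.
NETWORK_CFG = """
config interface 'lan'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
config interface 'wifi'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
"""
FIREWALL_CFG = """
config zone
    option name 'wifi'
    list network 'wifi'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
config forwarding
    option src 'wifi'
    option dest 'wan'
"""
def parse_uci(text):
    """Minimal UCI parser: returns [(type, name, {key: value or [values]})]."""
    sections = []
    for line in text.splitlines():
        tokens = line.replace("'", "").split()  # UCI quoting is optional
        if not tokens:
            continue
        if tokens[0] == "config":
            sections.append((tokens[1], tokens[2] if len(tokens) > 2 else None, {}))
        elif tokens[0] == "option" and sections:
            sections[-1][2][tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "list" and sections:
            sections[-1][2].setdefault(tokens[1], []).append(" ".join(tokens[2:]))
    return sections

def subnets_overlap(net_cfg, a="lan", b="wifi"):
    """Step 1 check: the two static interfaces must not share a subnet."""
    nets = {n: ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
            for t, n, o in parse_uci(net_cfg) if t == "interface" and n in (a, b)}
    return nets[a].overlaps(nets[b])

def forwardings(fw_cfg):
    return {(o["src"], o["dest"]) for t, _, o in parse_uci(fw_cfg) if t == "forwarding"}

def wifi_isolated_from_lan(fw_cfg):
    """Step 4 check: wifi zone rejects forwarding and no wifi->lan forwarding exists."""
    zone = next((o for t, _, o in parse_uci(fw_cfg) if t == "zone" and o.get("name") == "wifi"), None)
    return bool(zone) and zone.get("forward") == "REJECT" and ("wifi", "lan") not in forwardings(fw_cfg)
```

Adding the optional wifi-to-lan forwarding from Step 4 makes the isolation check report False, which is the expected trade-off of that rule.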
More tweaks
- In some cases, you cannot access the Internet from clients on the "wifi" network (though you can from the router itself); then you can replace the firewall setting with the one from this forum post: https://forum.openwrt.org/viewtopic.php?pid=166701#p166701
from http://wiki.openwrt.org/doc/recipes/routedap