http://www.macfreek.nl/memory/OpenWRT_Network_Configuration
Enable Wireless
Wireless is disabled by default. See Kamikaze Wireless Configuration and Configure WiFi encryption for configuration information.
I use WPA2 security, and put it in bridge mode (no need to configure the IP layer):
uci set wireless.cfg2.encryption=psk2    (wpa2-psk)
uci set wireless.cfg2.key=ABCDEF1234567  (generate a key between 8 and 63 bytes long)
uci set wireless.cfg2.network=lan        (bridging mode)
uci set wireless.cfg2.ssid=MacFreek
uci set wireless.wlan0.channel=1
uci set wireless.wlan0.disabled=0
uci commit wireless && wifi
In the LuCI web interface, you can configure this under Network > Wifi > WLAN0.
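Two small helpers for the "generate a key" step above, added here as an example (not from this page or from OpenWrt): one checks that a candidate key is a valid WPA2 pre-shared key (8 to 63 printable ASCII characters, or the raw PSK as 64 hex digits), the other draws a 63-character random passphrase from /dev/urandom so the placeholder key in the uci command can be replaced with a strong one. It assumes a POSIX sh with grep, tr, head and wc available.

```shell
#!/bin/sh
# WPA2-PSK helpers for the "uci set wireless.cfg2.key=..." step (added example,
# not part of this page or of OpenWrt). A passphrase is 8 to 63 printable ASCII
# characters; alternatively the raw 256-bit PSK may be given as 64 hex digits.

# wpa_psk_ok KEY  -> exit status 0 if KEY is an acceptable WPA2 key, 1 otherwise
wpa_psk_ok() {
    key=$1
    # 64 hex digits: the raw PSK form, valid as-is
    if printf '%s' "$key" | LC_ALL=C grep -Eq '^[0-9A-Fa-f]{64}$'; then
        return 0
    fi
    # passphrase form: length 8..63
    [ ${#key} -ge 8 ] && [ ${#key} -le 63 ] || return 1
    # delete every printable ASCII byte (space .. tilde); anything left is invalid
    [ $(printf '%s' "$key" | LC_ALL=C tr -d ' -~' | wc -c) -eq 0 ] || return 1
    return 0
}

# gen_wpa_psk -> 63 random alphanumeric characters, i.e. far more entropy than
# the 256-bit PSK that is derived from the passphrase
gen_wpa_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 63
}
```

Run it as `key=$(gen_wpa_psk) && wpa_psk_ok "$key" && echo "$key"` and paste the result into the uci command.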
Bridge mode
First of all, the device contains two physical interfaces: wireless (wlan0 on Kamikaze 8.09 and up, wl0 on Kamikaze 7.09) and LAN+WAN (eth0). The LAN+WAN interface (eth0) is connected to a managed switch, where it is split into multiple UTP connectors: 4 LAN and 1 WAN ("Internet") connector. It is possible to configure the individual LAN and WAN interfaces using VLANs (see below under DMZ).
First disable the DHCP server (and forwarding DNS as well):
# /etc/init.d/dnsmasq disable
# /etc/init.d/dnsmasq stop
# uci set dhcp.cfg1.ignore=1   (not required after the above, but we set it anyway)
# uci set dhcp.cfg2.ignore=1   (not required after the above, but we set it anyway)
# uci commit
We first create a bridge interface. This can be done manually using brctl, but that will not survive a reboot. Instead, we choose to make the lan interface a bridge:
# uci set network.lan.type=bridge
# uci commit
After a reboot, this creates a new interface, br-lan, which is a bridge containing the lan interface (here the lan interface is eth0.0):
# uci get network.lan.ifname
eth0.0
# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.001ee584e2e8       no              eth0.0
To bridge the WLAN (wireless LAN) with the LAN (wired LAN):
# uci set wireless.cfg2.network=lan             (Kamikaze 7.09)
# uci set wireless.@wifi-iface[0].network=lan   (Kamikaze 8.09 and up)
# uci commit wireless && wifi
Check the name of the WAN interface, and add it to the LAN interface:
# uci get network.wan.ifname
eth0.1
# uci set network.lan.ifname="eth0.0 eth0.1"
# uci commit
After reboot, all LAN, WAN and WLAN interfaces are in the bridge br-lan:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.001ee584e2e8       no              eth0.0
                                                        eth0.1
                                                        wlan0
For more information, see the OpenWRT forum, Bridge of wan and port 4.
An interface that is a member of a bridge cannot have an IP address of its own; only the bridge interface itself can have an IP address. Check this in your configuration. Here is mine:
# cat /etc/config/network
#### VLAN configuration
config switch eth0
	option vlan0 "0 1 2 3 5*"
	option vlan1 "4 5"

#### Loopback configuration
config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

#### LAN configuration
config interface lan
	option ifname "eth0.0 eth0.1"
	option type bridge
	option proto static
	option ipaddr 145.99.148.34
	option netmask 255.255.255.240
	option gateway 145.99.1.65

#### WAN configuration
config interface wan
	option ifname eth0.1
Configure DNS
To configure DNS, simply edit /etc/resolv.conf:
domain macfreek.nl
nameserver 192.0.2.5
Add Demilitarized Zone (DMZ)
One of the great things about OpenWRT and Linksys is that it actually contains a manageable Ethernet switch. It is possible to add tagged and untagged ports, even bypassing the core. Again, do read about the generic network concepts of OpenWRT boxes. (Skip the Demilitarized Zone Howto, that is an old WhiteRussian configuration.)
I wanted a configuration with four logical interfaces:
- The upstream (WAN) interface (the outside world)
- The wireless (WLAN) interface, to connect laptops
- Two "server" interfaces, to connect servers (often called demilitarized zone interfaces)
- Two "client" interfaces, to connect hosts and desktops
The difference between the "client" and "server" interface is that I can later distinguish between them in the firewall: "server" interfaces (DMZ interfaces) are allowed to run services accessible by the outside world, while "client" interfaces are only allowed to run services accessible by the "inside" world.
Note that on the Linksys WRT54GL v1.1, the port numbers printed on the device do not correspond to the logical port numbers in the switch. Port 3 is marked as Ethernet 1, Port 2 is marked as Ethernet 2, Port 1 is marked as Ethernet 3, Port 0 is marked as Ethernet 4, and Port 4 is marked as Internet (WAN).
The picture shows the general idea:
We first create a new logical interface (the dmz interface):
# uci set network.dmz=interface
# uci set network.dmz.ifname=eth0.2
The name eth0.2 is automatically linked to VLAN 2. We can now remove ports from VLAN 0, and add them to VLAN 2:
# uci set network.eth0.vlan0="2 3 5*"
# uci set network.eth0.vlan2="0 1 5"
Our configuration is now:
# cat /etc/config/network
#### VLAN configuration
config switch eth0
	option vlan0 "2 3 5*"
	option vlan1 "4 5"
	option vlan2 "0 1 5"

#### Loopback configuration
config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

#### LAN configuration
config interface lan
	option ifname "eth0.0 eth0.1 eth0.2"
	option type bridge
	option proto static
	option ipaddr 145.99.148.34
	option netmask 255.255.255.240
	option gateway 145.99.1.65

#### DMZ configuration
config interface dmz
	option ifname eth0.2

#### WAN configuration
config interface wan
	option ifname eth0.1
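Because the printed port labels and the switch's logical port numbers differ, and because a bridge member must not carry its own address, it pays to check a new /etc/config/network before rebooting. The script below is an added example (not from this page and not OpenWrt code): it reads the file on stdin, prints per VLAN which jacks it contains using the WRT54GL v1.1 labels given above (a trailing "*" is kept as written), warns when a physical jack (port 0 to 4) is listed in more than one VLAN, and warns when a non-bridge interface has an ipaddr while being a member of a bridge. It assumes a POSIX sh with awk; the ifname/ipaddr/type/vlanN option names are the ones used in the configuration above.

```shell
#!/bin/sh
# check_network: sanity check for an OpenWrt /etc/config/network read on stdin
# (added example, not part of OpenWrt). Prints the jacks per VLAN using the
# WRT54GL v1.1 labels from the page (logical port 3 = "Ethernet 1" ... port 0 =
# "Ethernet 4", port 4 = "Internet", port 5 = CPU), then warns about
#   - a physical jack (ports 0-4) listed in more than one VLAN, which merges
#     the segments the VLANs were meant to keep apart;
#   - a non-bridge interface that has its own ipaddr while being a member of a
#     bridge (only the bridge itself may hold the address).
check_network() {
    awk '
    function val(s) {   # value of an "option <key> <value>" line, quotes removed
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", s); gsub(/"/, "", s); return s
    }
    BEGIN { label[0] = "Ethernet 4"; label[1] = "Ethernet 3"; label[2] = "Ethernet 2"
            label[3] = "Ethernet 1"; label[4] = "Internet";   label[5] = "CPU" }
    $1 == "config" { type = $2; name = $3; gsub(/"/, "", name) }   # new section
    type == "switch" && $1 == "option" && $2 ~ /^vlan[0-9]+$/ {
        n = split(val($0), ports, " "); out = ""
        for (i = 1; i <= n; i++) {
            p = ports[i]; star = sub(/\*$/, "", p)
            out = out (i > 1 ? ", " : "") (p in label ? label[p] : "port " p) (star ? "*" : "")
            if (p + 0 < 5) seen[p] = seen[p] " " $2    # remember every VLAN a jack is in
        }
        print $2 ": " out
    }
    type == "interface" && $1 == "option" && $2 == "ifname" { ifn[name] = val($0) }
    type == "interface" && $1 == "option" && $2 == "type" && $3 == "bridge" { bridge[name] = 1 }
    type == "interface" && $1 == "option" && $2 == "ipaddr" { ip[name] = $3 }
    END {
        for (p in seen) if (split(seen[p], v, " ") > 1)
            print "WARNING: " label[p] " is in" seen[p]
        for (b in bridge) {
            n = split(ifn[b], m, " ")
            for (i = 1; i <= n; i++)
                for (x in ip)
                    if (!(x in bridge) && ifn[x] == m[i])
                        print "WARNING: " x " (" m[i] ") has ipaddr " ip[x] " but is bridged into " b
        }
    }'
}
```

Run it on the router as `check_network < /etc/config/network`; for the configuration above it prints the three VLAN lines and no warnings.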
Static Route
To add a static route, run /sbin/route, or set them in /etc/config/network.
Let's say you need the routes:
Destination     Gateway         Genmask          Flags MSS Window irtt Iface
192.0.2.3       0.0.0.0         255.255.255.255  UH      0 0         0 eth0.1
0.0.0.0         192.0.2.3       0.0.0.0          UG      0 0         0 eth0.1
This can easily be achieved by the route command:
/sbin/route add -host 192.0.2.3 dev eth0.1
/sbin/route add -net default dev eth0.1 gateway 192.0.2.3
-or equivalently-
/sbin/route add -net 192.0.2.3 netmask 255.255.255.255 dev eth0.1
/sbin/route add -net 0.0.0.0 netmask 0.0.0.0 dev eth0.1 gateway 192.0.2.3
This can be set in /etc/config/network:
config route
	option interface wan
	option target 192.0.2.3

config route
	option interface wan
	option target 0.0.0.0
	option netmask 0.0.0.0
	option gateway 192.0.2.3
Unfortunately, there is a small bug in Kamikaze 8.09 where the first route section (the host route without a gateway) results in
/sbin/route add -net 192.0.2.3 netmask 255.255.255.255 dev eth0.1 gateway 192.0.2.3
It is not possible to circumvent this by adding

config route
	option interface wan
	option target 192.0.2.3
	option gateway 0.0.0.0

since this leads to invalid syntax and results in "route: SIOCADDRT: Invalid argument" (you may never pass "gateway 0.0.0.0" to /sbin/route).
I fixed this by deleting the following line in /etc/hotplug.d/iface/10-routes
[ -n "$gateway" ] || {
	config_get gateway "$interface" gateway
}
See bug report 4928 for details.
Firewall
Starting points:
- http://wiki.openwrt.org/OpenWrtDocs/IPTables (IP firewall)
- http://downloads.openwrt.org/people/nico/man/man8/ebtables.8.html (Ethernet firewall)
- http://wiki.openwrt.org/OpenWrtDocs/WhiteRussian/TransparentFirewall (very good, but for older WhiteRussian release)
- http://wiki.openwrt.org/ShorewallHowTo (for older WhiteRussian release)
- http://wiki.openwrt.org/SimpleFirewall (I think outdated, it uses scripts instead of /etc/config/firewall)