Tuesday, February 08 2005 @ 05:35 PM CET Contributed by: bart
As you can read in a previous article, I have a Linksys WRT54G running the OpenWRT Linux distribution. In this article I will first describe the default configuration and then show some of the things one can do by changing this setup.
The WRT54G as sold by Linksys is presented as a router plus wireless access point, providing a WAN connector and, on the LAN side, a 4 port switch bridged to the wireless access point. This basically means that you end up with 2 network segments: LAN plus wireless on one side, and WAN on the other side. That is what you get to see as a consumer, but it is not how the device is put together.
This article is based on the WRT54G v2.2. Older versions are very similar but not identical; specifically, the names of the network interfaces will be different on older versions.
Internally, we get a somewhat different picture. At first glance, we seem to have a MIPS-based 'system on a chip' micro computer with 2 ethernet interfaces, eth0 and eth1.
eth1 turns out to be the wireless interface, which means that eth0 must connect to both the WAN and the LAN ports, and it does indeed.
In fact, the WRT54G doesn't really have separate WAN and LAN ports; rather, it has a 6 port programmable switch with VLAN support.
In the default configuration there are 2 vlans:
vlan0 consists of ports 1,2,3,4 and 5
vlan1 consists of ports 0 and 5
Port 5 connects to eth0, port 0 to the WAN connector and ports 1,2,3 and 4 to the LAN connectors.
So we have 4 interfaces now: eth0, eth1, vlan0 and vlan1. In the default configuration, eth0 does not get an address; it is used for the physical connection to the switch and for handling the 2 vlans.
Vlan0 (the LAN connectors) and eth1 (the wireless connection) are normally connected to bridge br0, so that the LAN and wireless networks look like a single network segment.
Vlan1 is not bridged to anything, but routing is possible between br0 and vlan1, and depending on the configuration there is a firewall with NAT support active for vlan1.
So this is how we end up with those 2 network segments, one on br0 and one on vlan1.
This setup is fine for a broadband router with wireless AP, but it may not be entirely what you want when, for example, you have some computers connected to the LAN ports that should be protected from the wireless network.
For this kind of use, and in fact for many other setups, it is desirable to disable the bridging between the LAN connectors and the wireless network. At times there may be little use for the WAN port, while it might also be that we need multiple separate LAN segments.
The hardware allows such configurations, but the default firmware from Linksys does not, hence you will have to install alternative firmware.
Sveasoft provides alternative firmware that allows such setups and can be managed with a web browser. This has the advantage of being relatively easy and 'user friendly' to use, but it is limited to what the web based user interface offers.
Alternatively, one can use OpenWRT and configure everything from the command line. This is a lot less 'user friendly', and it is relatively easy to mess things up to the point of having to use 'emergency mode' to make the device accessible again, but it gives maximum flexibility: if the hardware and drivers support a feature, you can most likely configure it, either by using nvram settings or by changing the startup scripts. In other words, you have complete control over the operation of the device.
When using a WRT54G v2.2, the first problem one encounters is that the normal distribution of OpenWRT does not yet support this device. There is an alternative distribution specifically for the WRT54G v2.2 and WRT54GS v1.1 devices, which can be found in the OpenWRT forums. This distribution is running without problems here, but please make sure you follow the instructions for enabling boot_wait, so you can recover the system when it gets hosed.
Sveasoft does support those new devices but I have no personal experience with how well this works.
At any rate, a few interesting configurations one can make:
Wireless bridge
Together with another access point, a WRT54G can be used to create a wireless bridge, without needing any special support in the remote access point. This is done by bridging eth1 and vlan0, disabling the WRT's own access point, and configuring it as a wireless client of the remote access point instead.
Router with wireless client
Alternatively, one could disable the bridge and use the device as a router between an ethernet segment and a remote wireless access point. This is mostly interesting because you can use iptables on the WRT54G to filter traffic from/to the wireless network and as a result can protect the machines on the ethernet network.
Router between upto 5 ethernet segments and a wireless segment
This can be achieved by creating a vlan for each of the ethernet connectors and disabling the bridge.
Router/access point with vpn support
The idea here is to have wireless clients use VPN software for connecting to the network. This can provide much better security than the wireless security protocols the device supports.
In the remainder of this article I will concentrate on configuring the WRT54G as a router with a wireless client connecting to a remote access point.
In most cases, configuration information is stored in what is called nvram (this is actually just a small reserved area of the flash memory, in which the firmware and the optional ROM filesystem reside as well).
The contents of nvram can be viewed and changed with the nvram command. Typing this command without arguments will show a list of options.
After making changes to nvram variables, you have to commit the changes (nvram commit) to make them permanent; until then they only live in memory.
Changing the vlan configuration is done by changing nvram variables, 2 for each vlan that you need, where X is the number of the vlan:
vlanXhwname, which should always be set to et0
vlanXports, a space separated list of all ports in this specific vlan
A vlan should always include port 5 (the port connected to eth0) if you want to be able to do anything with it from within the WRT itself.
So, for recreating the default configuration, the following commands would be needed:
nvram set vlan0hwname=et0
nvram set vlan0ports="1 2 3 4 5"
nvram set vlan1hwname=et0
nvram set vlan1ports="0 5"
nvram commit
Creating a single vlan from all ports (this leaves no WAN vlan, so the leftover vlan1 variables are removed):
nvram set vlan0hwname=et0
nvram set vlan0ports="0 1 2 3 4 5"
nvram unset vlan1hwname
nvram unset vlan1ports
nvram commit
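As an added example, not code from the original article, here is a small POSIX sh function (it runs on busybox ash as well as on a PC) that turns a desired port-to-vlan layout into the nvram commands shown above, and refuses any layout that would leave the WRT unreachable: a vlan without port 5, a port claimed by two vlans, or a port number the switch does not have. The port numbering and the variable names are the article's; the checks and the unsetting of leftover vlan0 to vlan5 variables are this example's own additions.

```shell
#!/bin/sh
# Added example, not from the original article: generate the nvram commands for
# a VLAN layout of the WRT54G's 6-port switch and refuse layouts that would lock
# you out. Port numbering and variable names follow the article:
# port 0 = WAN connector, ports 1-4 = LAN connectors, port 5 = eth0 (the CPU),
# vlanXhwname must be et0 and vlanXports lists the ports of vlan X.
# The validation and the tidy-up of vlan0..vlan5 are this example's own.
#
# Usage: vlan_commands N "ports" [N "ports" ...]
# Prints the commands; review them, then pipe them into sh on the device.

vlan_commands() {
    seen=""      # non-CPU ports already assigned to some vlan
    defined=""   # vlan numbers given on the command line
    out=""
    [ $# -ge 2 ] || { echo "need at least one vlan: N \"ports\"" >&2; return 1; }
    while [ $# -ge 2 ]; do
        n=$1; ports=$2; shift 2
        case $n in
            *[!0-9]*|"") echo "bad vlan number '$n'" >&2; return 1 ;;
        esac
        has_cpu=0
        for p in $ports; do
            case $p in
                5) has_cpu=1 ;;
                [0-4])
                    case " $seen " in
                        *" $p "*) echo "vlan$n: port $p is listed twice or in another vlan" >&2; return 1 ;;
                    esac
                    seen="$seen $p" ;;
                *) echo "vlan$n: invalid port '$p' (the switch has ports 0-5)" >&2; return 1 ;;
            esac
        done
        # Without port 5 the WRT itself cannot talk to this vlan. A layout in
        # which no vlan reaches eth0 leaves emergency mode with no ethernet
        # port to answer on, which is the failure the article describes.
        if [ $has_cpu -eq 0 ]; then
            echo "vlan$n: must include port 5 (eth0), otherwise the WRT cannot reach it" >&2
            return 1
        fi
        defined="$defined $n"
        out="${out}nvram set vlan${n}hwname=et0
nvram set vlan${n}ports=\"$ports\"
"
    done
    [ $# -eq 0 ] || { echo "dangling argument '$1' (expected N \"ports\" pairs)" >&2; return 1; }
    # Clear leftovers, so an old vlan does not still claim a port that moved.
    for n in 0 1 2 3 4 5; do
        case " $defined " in
            *" $n "*) ;;
            *) out="${out}nvram unset vlan${n}hwname
nvram unset vlan${n}ports
" ;;
        esac
    done
    printf '%s' "$out"
    echo "nvram commit"
}

# The layouts mentioned in the article:
#   default:                 vlan_commands 0 "1 2 3 4 5" 1 "0 5"
#   one vlan, all ports:     vlan_commands 0 "0 1 2 3 4 5"
#   one vlan per connector:  vlan_commands 0 "1 5" 1 "2 5" 2 "3 5" 3 "4 5" 4 "0 5"
```

The last layout is the "router between up to 5 ethernet segments" case: every connector becomes its own vlan, and each vlan still carries port 5 so the WRT can route between them. Run the function on a PC first and look at the output; only when it prints what you expect, run it on the device and pipe the result into sh.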
The bridge device can be managed with the brctl command, typing it without arguments will show a list of options.
addbr add bridge
delbr delete bridge
addif add interface to bridge
delif delete interface from bridge
setageing set ageing time
setbridgeprio set bridge priority
setfd set bridge forward delay
sethello set hello time
setmaxage set max message age
setpathcost set path cost
setportprio set port priority
show show a list of bridges
showmacs show a list of mac addrs
showstp show bridge stp info
stp turn stp on/off
brctl only changes the running configuration; the changes are not permanent. This is a good thing, because it is very easy to lock yourself out with this command, and a quick power-off/on of the WRT will then undo the damage.
Alternatively, one can change the bridge configuration with nvram settings; refer to the configuration section of the OpenWRT documentation for more information on this. I opted for changing the networking scripts instead.
The big disadvantage of using nvram for configuration is that you can easily lock yourself out with no possibility to use emergency mode to recover from it. This is especially true when reconfiguring the ethernet switch: I managed to not have any port connected to eth0, with the result that going into emergency mode did not do anything whatsoever, as there was no ethernet port to talk to. Luckily the wireless part was configured and working, so I could still access the device.
When using nvram, you can of course opt for resetting nvram after messing up, but realize that you also turn off boot_wait when doing that, which means that if the reset does not work, you are left without a possibility to reinstall the original firmware (unless you want to open the device and short-circuit the flash memory to clear it).
That's it for this time; I might add more in another article.