doc:recipes:routedap
doc:recipes:routedap [2012/09/25 05:39]
hongquan
doc:recipes:routedap [2015/05/01 19:14] (current)
jow Remove masq on lan advice, it's just papering over problems and may cause subtle issues
====== Routed AP ======

In the default configuration, OpenWrt bridges the wireless network to the LAN of the device.
The advantage of bridging is that broadcast traffic from wireless to LAN and vice versa works without further changes.

To separate the wireless network from the LAN, a new network with its own DHCP and firewall settings must be created.
This document outlines the steps necessary to implement such a setup.

{{:doc:recipes:routed.ap_v3.png|}}

===== Configuration =====

The changes below assume an OpenWrt default configuration. The relevant files are:

  * [[doc:uci:network|/etc/config/network]]
  * [[doc:uci:wireless|/etc/config/wireless]]
  * [[doc:uci:dhcp|/etc/config/dhcp]]
  * [[doc:uci:firewall|/etc/config/firewall]]


==== Step 1: Define a new network ====

Edit ''/etc/config/network'' and define a new ''[[doc:uci:network#interfaces|interface]]'' section:

<code>
config 'interface' 'wifi'
        option 'proto'      'static'
        option 'ipaddr'     '192.168.2.1'
        option 'netmask'    '255.255.255.0'
</code>

Note that no ''ifname'' option is set here; it is not required, since the wireless network will reference this section later.

| {{:meta:48px-dialog-warning.svg.png?nolink}} | Make sure that the chosen IP address is in a different subnet than the one used by the ''lan'' interface. |


==== Step 2: Change the existing wireless network ====

In ''/etc/config/wireless'', locate the existing ''[[doc:uci:wireless#wifi.networks|wifi-iface]]'' section and change its ''network'' option to point to the newly created interface section:

<code>
config 'wifi-iface'
        option 'device'     'wl0'
        option 'network'    'wifi'
        option 'mode'       'ap'
        option 'ssid'       'OpenWrt'
        option 'encryption' 'none'
</code>

In the existing section, ''network'' was changed to point to the ''wifi'' interface defined in the previous step.

Optionally, replace the last line with ''option 'encryption' 'psk2' '' and add the line ''option 'key' 'secret key' '' to enable [[doc/uci/wireless/encryption#wpa.encryption|WPA encryption]] (''psk2'' selects WPA2-PSK).

==== Step 3: Define a new DHCP pool (Optional) ====

Since wireless is no longer bridged to the LAN, no DHCP leases are served to wireless clients yet.
To support DHCP on wireless as well, a new ''[[doc:uci:dhcp#dhcp.pools|dhcp]]'' pool must be defined in ''/etc/config/dhcp'':

<code>
config 'dhcp' 'wifi'
        option 'interface'  'wifi'
        option 'start'      '100'
        option 'limit'      '150'
        option 'leasetime'  '12h'
</code>


==== Step 4: Adjust firewall settings ====

By default, traffic originating from the wireless network is not allowed to reach the WAN or the LAN interface.
There is also no firewall zone defined for it yet, so only the default policies apply to the wireless network.

Edit ''/etc/config/firewall'' and add a new ''[[doc:uci:firewall#zones|zone]]'' section covering the ''wifi'' interface:

<code>
config zone
        option name       wifi
        list   network    'wifi'
        option input      ACCEPT
        option output     ACCEPT
        option forward    REJECT
</code>

Now that the zone is defined, traffic forwarding for the wireless network can be controlled.
To allow wireless clients to use the WAN interface, add the following ''[[doc:uci:firewall#forwardings|forwarding]]'' section:

<code>
config 'forwarding'
        option 'src'        'wifi'
        option 'dest'       'wan'
</code>

If LAN clients should be able to contact wireless clients, add the following forwarding:

<code>
config 'forwarding'
        option 'src'        'lan'
        option 'dest'       'wifi'
</code>

To allow wireless clients to reach the LAN network, add the reversed rule below as well.
Note that this undoes the separation this recipe sets up: with both forwardings in place, wireless and LAN clients can reach each other, so only add it if the wireless clients are trusted.

<code>
config 'forwarding'
        option 'src'        'wifi'
        option 'dest'       'lan'
</code>
===== Apply changes =====

  - Enable the new wireless network<code>ifup wifi
wifi</code>
  - Restart the firewall<code>/etc/init.d/firewall restart</code>
  - Restart the DHCP service<code>/etc/init.d/dnsmasq restart</code>
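The following Python script is an added consistency check for the configuration built in Steps 1 to 4; it is not part of the original recipe and not an OpenWrt tool. It parses the UCI syntax of the three files with a small parser of its own and verifies the properties the recipe depends on: the ''wifi'' subnet is disjoint from ''lan'' (the warning in Step 1), the DHCP pool fits into that subnet (Step 3), a firewall zone lists the interface, and which forwardings exist (Step 4). The embedded sample configuration is constructed from the snippets above plus a default ''lan'' interface; on a router, read the real files instead.

```python
"""Check a routed-AP UCI configuration for the invariants the recipe relies on.

Added example, not from the wiki or OpenWrt. Works on plain UCI file text.
"""
import ipaddress
import shlex

# Constructed sample input: the default 'lan' interface plus the snippets from
# Steps 1, 3 and 4. Replace with the contents of the real /etc/config files.
NETWORK_CONFIG = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config 'interface' 'wifi'
        option 'proto'      'static'
        option 'ipaddr'     '192.168.2.1'
        option 'netmask'    '255.255.255.0'
"""

DHCP_CONFIG = """
config 'dhcp' 'wifi'
        option 'interface'  'wifi'
        option 'start'      '100'
        option 'limit'      '150'
        option 'leasetime'  '12h'
"""

FIREWALL_CONFIG = """
config zone
        option name       wifi
        list   network    'wifi'
        option input      ACCEPT
        option output     ACCEPT
        option forward    REJECT

config 'forwarding'
        option 'src'        'wifi'
        option 'dest'       'wan'
"""


def parse_uci(text):
    """Return a list of (type, name, options) for each 'config' section.

    'option' keys hold a string, 'list' keys accumulate a Python list.
    Values follow shell quoting rules, which is what uci accepts.
    """
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        if words[0] == 'config':
            # 'config <type> [<name>]'; anonymous sections get name None
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] in ('option', 'list'):
            if not sections:
                raise ValueError(f'option before any config section: {raw!r}')
            opts = sections[-1][2]
            if words[0] == 'option':
                opts[words[1]] = words[2]
            else:
                opts.setdefault(words[1], []).append(words[2])
    return sections


def interface_subnets(network_text):
    """Map each static interface name to its IPv4 network (ipaddr + netmask)."""
    subnets = {}
    for stype, name, opts in parse_uci(network_text):
        if stype == 'interface' and opts.get('proto') == 'static' and 'ipaddr' in opts:
            mask = opts.get('netmask', '255.255.255.0')
            subnets[name] = ipaddress.IPv4Interface(f"{opts['ipaddr']}/{mask}").network
    return subnets


def check_routed_ap(network_text, dhcp_text, firewall_text, wifi='wifi', lan='lan'):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    subnets = interface_subnets(network_text)
    if wifi not in subnets:
        return [f'no static interface {wifi!r} in network config']
    if lan in subnets and subnets[wifi].overlaps(subnets[lan]):
        findings.append(f'{wifi} {subnets[wifi]} overlaps {lan} {subnets[lan]}')

    # dnsmasq pools: 'start' is the first host offset, 'limit' the pool size
    pools = [o for t, _, o in parse_uci(dhcp_text) if t == 'dhcp' and o.get('interface') == wifi]
    if not pools:
        findings.append(f'no dhcp pool for {wifi}; wireless clients get no leases')
    for pool in pools:
        start, limit = int(pool.get('start', 100)), int(pool.get('limit', 150))
        if start + limit > subnets[wifi].num_addresses - 1:
            findings.append(f'dhcp pool {start}+{limit} exceeds {subnets[wifi]}')

    fw = parse_uci(firewall_text)
    zone_nets = []
    for t, _, o in fw:
        if t == 'zone':
            nets = o.get('network', [])  # 'list network' or a single 'option network'
            zone_nets += nets.split() if isinstance(nets, str) else nets
    if wifi not in zone_nets:
        findings.append(f'no zone lists network {wifi!r}; only default policies apply')
    forwardings = {(o.get('src'), o.get('dest')) for t, _, o in fw if t == 'forwarding'}
    if (wifi, 'wan') not in forwardings:
        findings.append(f'no forwarding {wifi} -> wan; no Internet for wireless clients')
    if (wifi, lan) in forwardings:
        findings.append(f'forwarding {wifi} -> {lan} present; the LAN is reachable from wireless')
    return findings


if __name__ == '__main__':
    for finding in check_routed_ap(NETWORK_CONFIG, DHCP_CONFIG, FIREWALL_CONFIG) or ['ok']:
        print(finding)
```

With the recipe's own values the check reports nothing; moving the ''wifi'' address into 192.168.1.0/24, enlarging the pool past the subnet, or adding the optional ''wifi'' to ''lan'' forwarding each produces a finding, which makes the script useful to run again after later edits to the firewall.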

==== More tweaks ====
  - In some cases wireless clients cannot reach the Internet even though the router itself can. A replacement firewall configuration for this situation is discussed in this forum thread: https://forum.openwrt.org/viewtopic.php?pid=166701#p166701