Linksys WRT54G (cont.)

I have been playing around with the WRT54G a little bit more.

Instead of acting as a Wireless AP and forwarding traffic to the Internet via the WAN port, I have configured it to forward packets coming from the LAN (via any of the 4-LAN ports) to the Internet via the Wireless interface. The WRT54G will associate with an existing Wireless AP and will use it as the gateway to forward traffic to the Internet.

These are the steps I followed to configure WRT54G in such a way:

  1. Break the bridge between wired and wireless interfaces:

    In its default configuration, the WRT54G router is configured to bridge together the wired (vlan0) and wireless (eth1) interfaces. Since the WRT54G is being configured to route between the wired interface (LAN) and the wireless interface (Internet), this bridge must be disabled:

    # nvram set lan_ifname=vlan0

    Setting lan_ifname to br0 will bridge together the interfaces specified by lan_ifnames under a bridge interface named br0. Setting lan_ifname to vlan0 means no bridge will get built up, and that LAN traffic will flow through and from the vlan0 interface.

    NOTE: vlan0 represents the 4-LAN ports of the WRT54G, vlan1 the WAN port, and eth1 the Wireless interface, by the way.

    # nvram set lan_ifnames=vlan0

    This variable defines the interfaces that will get bridged together into br0. Since only one interface is listed, and lan_ifname is not set to br0, no bridge will be built.

  2. Configure WRT54G as a Wireless client:

    The Wireless interface will behave like a WAN port. Thus, I have used the wan_* NVRAM set of variables to configure it. I run the following commands from inside a router shell:

    # nvram set wl0_mode=sta

    This configures the WRT54G to act as a Wireless client, instead of a Wireless AP.

    # nvram set wl0_ssid=

    Configures the ESSID of the Wireless LAN the WRT54G will try to associate with.

    # nvram set wl0_wep=enabled

    WEP authentication is required in order to associate to the Wireless AP.

    # nvram set wl0_key=1

    Use the first WEP key, of the four available WEP key slots.

    # nvram set wl0_key1=

    This fills in the first WEP key slot with the correct key.

    # nvram set wan_proto=static

    Use static IP configuration (no DHCP).

    # nvram set wan_ipaddr=

    Configures the IP address for the wireless interface (acting as the WAN port).

    # nvram set wan_netmask=

    Sets the network mask for the wireless interface (acting as the WAN port).

    # nvram set wan_ifname=eth1

    We tell the initscripts that the Wireless interface will act as the WAN port (outside, firewalled, Internet connection).

    # nvram set wan_gateway=

    Defines the gateway that will be used as the default route to reach the Internet.

    # nvram set wan_hostname=

    Sets the router’s FQDN, like linksys.local or openwrt.example.com.

    # nvram set wan_dns=

    Sets the DNS name server used to resolve names (this is optional, since the router does not have to perform name resolution).

  3. Reconfigure the WRT54G hardware MAC address:

    Sometimes, when the Wireless AP is using MAC filtering, it may be necessary to change the hardwareMAC address of the WRT54G wirelss interface. This can be done using the following command:

    # nvram set il0macaddr=

    However, it is recommended to keep a copy of the original MAC address. My WRT54G router has a sticker in its bottom listing the hardware MAC address for the wired interfaces, but no sticker for the wireless one. Anyways, the MAC address for the wireless interface is the result of adding 0x02 to the last byte of the wired interface MAC address. Thus, if the wired MAC address is 00:11:22:33:44:55, the wireless MAC address is 00:11:22:33:44:57.

  4. Check the wireless interface is properly configured and working:

    The simplest way is to save changes into NVRAM and reboot to check everything is working is to save the changes to NVRAM and reboot:

    # nvram commit
    # reboot

    After rebooting, use the iwconfig command to check if the wireless interface has been able to associate with the Wireless AP:

    # iwconfig eth1
    eth1      IEEE 802.11-DS  ESSID: 
              Mode:Managed  Frequency:2.412Ghz  Access Point: AA:BB:CC:DD:EE:FF
              Tx-Power:31 dBm
              RTS thr=2347 B   Fragment thr=2346B
              Encryption key:XXXX-XXXX-XX

    where AA:BB:CC:DD:EE:FF is the MAC address of the Wireless AP.

  5. Harden the firewall:

    Since the WRT54G will be directly exposed to the outside by means of the Wireless connection, it is important to properly harden the firewall:

    # nvram set wan_ifname=eth1

    Although we are not using the WAN interface, the firewall initscript (S45firewall), by default, blocks all incoming traffic coming from the interface listed in the wan_ifname NVRAM variable. Since we want to block all the traffic coming from the Wireless interface, we want to block all traffic coming from eth1.

    Next, tweak the firewall initscript:

    # rm /etc/init.d/S45firewall
    # cp /rom/etc/init.d/S45firewall /etc/init.d/S45firewall
    # vi /etc/init.d/S45firewall

    From the /etc/init.d/S45firewall file, comment out the following lines:

    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -p gre -j ACCEPT
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

    This will drop any incoming traffic not related to an already established flow (either TCP session, or UDP/ICMP datagrams).

Advertisements

11 thoughts on “Linksys WRT54G (cont.)

  1. Pingback: Long Distance Router

  2. Pingback: My Technology Website

  3. Simply wish to say your article is as astounding. The clarity in your post is just spectacular and i can assume you’re an expert on this subject. Well with your permission let me to grab your RSS feed to keep up to date with forthcoming post. Thanks a million and please keep up the gratifying work.

  4. Aw, this was a very nice post. In concept I want to put in writing like this moreover ?taking time and precise effort to make an excellent article?but what can I say?I procrastinate alot and on no account seem to get something done.

  5. Excellent blog you have here but I was curious if you knew of any forums that cover the same topics talked about in this article? I’d really like to be a part of online community where I can get feed-back from other experienced people that share the same interest. If you have any suggestions, please let me know. Many thanks!

  6. Having read this I thought it was extremely informative. I appreciate you finding the time and effort to put this informative article together. I once again find myself personally spending a lot of time both reading and leaving comments. But so what, it was still worthwhile!

  7. I’ve read several just right stuff here. Definitely worth bookmarking for revisiting. I surprise how a lot effort you put to make this kind of excellent informative site.

  8. Have you ever thought about publishing an e-book or guest authoring on other websites? I have a blog centered on the same topics you discuss and would love to have you share some stories/information. I know my visitors would appreciate your work. If you’re even remotely interested, feel free to shoot me an e-mail.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s