I have been playing around with the WRT54G a little bit more.
Instead of acting as a Wireless AP and forwarding traffic to the Internet via the WAN port, I have configured it to forward packets coming from the LAN (via any of the 4-LAN ports) to the Internet via the Wireless interface. The WRT54G will associate with an existing Wireless AP and will use it as the gateway to forward traffic to the Internet.
These are the steps I followed to configure WRT54G in such a way:
- Break the bridge between wired and wireless interfaces:
In its default configuration, the WRT54G router is configured to bridge together the wired (vlan0) and wireless (eth1) interfaces. Since the WRT54G is being configured to route between the wired interface (LAN) and the wireless interface (Internet), this bridge must be disabled:
# nvram set lan_ifname=vlan0
Setting lan_ifname to br0 will bridge together the interfaces specified by lan_ifnames under a bridge interface named br0. Setting lan_ifname to vlan0 means no bridge will get built up, and that LAN traffic will flow through and from the vlan0 interface.
NOTE: vlan0 represents the 4-LAN ports of the WRT54G, vlan1 the WAN port, and eth1 the Wireless interface, by the way.
# nvram set lan_ifnames=vlan0
This variable defines the interfaces that will get bridged together into br0. Since only one interface is listed, and lan_ifname is not set to br0, no bridge will be built.
- Configure WRT54G as a Wireless client:
The Wireless interface will behave like a WAN port. Thus, I have used the wan_* NVRAM set of variables to configure it. I run the following commands from inside a router shell:
# nvram set wl0_mode=sta
This configures the WRT54G to act as a Wireless client, instead of a Wireless AP.
# nvram set wl0_ssid=
Configures the ESSID of the Wireless LAN the WRT54G will try to associate with.
# nvram set wl0_wep=enabled
WEP authentication is required in order to associate to the Wireless AP.
# nvram set wl0_key=1
Use the first WEP key, of the four available WEP key slots.
# nvram set wl0_key1=
This fills in the first WEP key slot with the correct key.
# nvram set wan_proto=static
Use static IP configuration (no DHCP).
# nvram set wan_ipaddr=
Configures the IP address for the wireless interface (acting as the WAN port).
# nvram set wan_netmask=
Sets the network mask for the wireless interface (acting as the WAN port).
# nvram set wan_ifname=eth1
We tell the initscripts that the Wireless interface will act as the WAN port (outside, firewalled, Internet connection).
# nvram set wan_gateway=
Defines the gateway that will be used as the default route to reach the Internet.
# nvram set wan_hostname=
Sets the router’s FQDN, like linksys.local or openwrt.example.com.
# nvram set wan_dns=
Sets the DNS name server used to resolve names (this is optional, since the router does not have to perform name resolution).
- Reconfigure the WRT54G hardware MAC address:
Sometimes, when the Wireless AP is using MAC filtering, it may be necessary to change the hardwareMAC address of the WRT54G wirelss interface. This can be done using the following command:
# nvram set il0macaddr=
However, it is recommended to keep a copy of the original MAC address. My WRT54G router has a sticker in its bottom listing the hardware MAC address for the wired interfaces, but no sticker for the wireless one. Anyways, the MAC address for the wireless interface is the result of adding 0x02 to the last byte of the wired interface MAC address. Thus, if the wired MAC address is 00:11:22:33:44:55, the wireless MAC address is 00:11:22:33:44:57.
- Check the wireless interface is properly configured and working:
The simplest way is to save changes into NVRAM and reboot to check everything is working is to save the changes to NVRAM and reboot:
# nvram commit # reboot
After rebooting, use the iwconfig command to check if the wireless interface has been able to associate with the Wireless AP:
# iwconfig eth1 eth1 IEEE 802.11-DS ESSID: Mode:Managed Frequency:2.412Ghz Access Point: AA:BB:CC:DD:EE:FF Tx-Power:31 dBm RTS thr=2347 B Fragment thr=2346B Encryption key:XXXX-XXXX-XX
where AA:BB:CC:DD:EE:FF is the MAC address of the Wireless AP.
- Harden the firewall:
Since the WRT54G will be directly exposed to the outside by means of the Wireless connection, it is important to properly harden the firewall:
# nvram set wan_ifname=eth1
Although we are not using the WAN interface, the firewall initscript (S45firewall), by default, blocks all incoming traffic coming from the interface listed in the wan_ifname NVRAM variable. Since we want to block all the traffic coming from the Wireless interface, we want to block all traffic coming from eth1.
Next, tweak the firewall initscript:
# rm /etc/init.d/S45firewall # cp /rom/etc/init.d/S45firewall /etc/init.d/S45firewall # vi /etc/init.d/S45firewall
From the /etc/init.d/S45firewall file, comment out the following lines:
iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -p gre -j ACCEPT iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
This will drop any incoming traffic not related to an already established flow (either TCP session, or UDP/ICMP datagrams).