Linksys WRT54G (cont.)

I have been playing around with the WRT54G a little bit more.

Instead of acting as a Wireless AP and forwarding traffic to the Internet via the WAN port, I have configured it to forward packets coming from the LAN (via any of the 4-LAN ports) to the Internet via the Wireless interface. The WRT54G will associate with an existing Wireless AP and will use it as the gateway to forward traffic to the Internet.

These are the steps I followed to configure WRT54G in such a way:

Break the bridge between wired and wireless interfaces:
In its default configuration, the WRT54G router is configured to bridge together the wired (vlan0) and wireless (eth1) interfaces. Since the WRT54G is being configured to route between the wired interface (LAN) and the wireless interface (Internet), this bridge must be disabled:
```
# nvram set lan_ifname=vlan0
```
Setting lan_ifname to br0 will bridge together the interfaces specified by lan_ifnames under a bridge interface named br0. Setting lan_ifname to vlan0 means no bridge will get built up, and that LAN traffic will flow through and from the vlan0 interface.

NOTE: vlan0 represents the 4-LAN ports of the WRT54G, vlan1 the WAN port, and eth1 the Wireless interface, by the way.
```
# nvram set lan_ifnames=vlan0
```
This variable defines the interfaces that will get bridged together into br0. Since only one interface is listed, and lan_ifname is not set to br0, no bridge will be built.
Configure WRT54G as a Wireless client:
The Wireless interface will behave like a WAN port. Thus, I have used the wan_* NVRAM set of variables to configure it. I run the following commands from inside a router shell:
```
# nvram set wl0_mode=sta
```
This configures the WRT54G to act as a Wireless client, instead of a Wireless AP.
```
# nvram set wl0_ssid=
```
Configures the ESSID of the Wireless LAN the WRT54G will try to associate with.
```
# nvram set wl0_wep=enabled
```
WEP authentication is required in order to associate to the Wireless AP.
```
# nvram set wl0_key=1
```
Use the first WEP key, of the four available WEP key slots.
```
# nvram set wl0_key1=
```
This fills in the first WEP key slot with the correct key.
```
# nvram set wan_proto=static
```
Use static IP configuration (no DHCP).
```
# nvram set wan_ipaddr=
```
Configures the IP address for the wireless interface (acting as the WAN port).
```
# nvram set wan_netmask=
```
Sets the network mask for the wireless interface (acting as the WAN port).
```
# nvram set wan_ifname=eth1
```
We tell the initscripts that the Wireless interface will act as the WAN port (outside, firewalled, Internet connection).
```
# nvram set wan_gateway=
```
Defines the gateway that will be used as the default route to reach the Internet.
```
# nvram set wan_hostname=
```
Sets the router’s FQDN, like linksys.local or openwrt.example.com.
```
# nvram set wan_dns=
```
Sets the DNS name server used to resolve names (this is optional, since the router does not have to perform name resolution).
Reconfigure the WRT54G hardware MAC address:
Sometimes, when the Wireless AP is using MAC filtering, it may be necessary to change the hardwareMAC address of the WRT54G wirelss interface. This can be done using the following command:
```
# nvram set il0macaddr=
```
However, it is recommended to keep a copy of the original MAC address. My WRT54G router has a sticker in its bottom listing the hardware MAC address for the wired interfaces, but no sticker for the wireless one. Anyways, the MAC address for the wireless interface is the result of adding 0x02 to the last byte of the wired interface MAC address. Thus, if the wired MAC address is 00:11:22:33:44:55, the wireless MAC address is 00:11:22:33:44:57.
Check the wireless interface is properly configured and working:
The simplest way is to save changes into NVRAM and reboot to check everything is working is to save the changes to NVRAM and reboot:
```
# nvram commit
# reboot
```
After rebooting, use the iwconfig command to check if the wireless interface has been able to associate with the Wireless AP:
```
# iwconfig eth1
eth1      IEEE 802.11-DS  ESSID: 
          Mode:Managed  Frequency:2.412Ghz  Access Point: AA:BB:CC:DD:EE:FF
          Tx-Power:31 dBm
          RTS thr=2347 B   Fragment thr=2346B
          Encryption key:XXXX-XXXX-XX
```
where AA:BB:CC:DD:EE:FF is the MAC address of the Wireless AP.
Harden the firewall:
Since the WRT54G will be directly exposed to the outside by means of the Wireless connection, it is important to properly harden the firewall:
```
# nvram set wan_ifname=eth1
```
Although we are not using the WAN interface, the firewall initscript (S45firewall), by default, blocks all incoming traffic coming from the interface listed in the wan_ifname NVRAM variable. Since we want to block all the traffic coming from the Wireless interface, we want to block all traffic coming from eth1.

Next, tweak the firewall initscript:
```
# rm /etc/init.d/S45firewall
# cp /rom/etc/init.d/S45firewall /etc/init.d/S45firewall
# vi /etc/init.d/S45firewall
```
From the /etc/init.d/S45firewall file, comment out the following lines:
```
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
```
This will drop any incoming traffic not related to an already established flow (either TCP session, or UDP/ICMP datagrams).

11 thoughts on “Linksys WRT54G (cont.)”

Pingback: Long Distance Router
Pingback: My Technology Website
find similar images

27/10/2011 at 2:06 AM

With this free tool you can find duplicate files that waste valuable space on your hard disks. Use it to increase free space by up to 50%!
jersey

03/11/2011 at 5:59 AM

Simply wish to say your article is as astounding. The clarity in your post is just spectacular and i can assume you’re an expert on this subject. Well with your permission let me to grab your RSS feed to keep up to date with forthcoming post. Thanks a million and please keep up the gratifying work.
Brent Parmelee

09/01/2012 at 12:43 PM

no he didnt i would have SHIT! tho…………………
Ellsworth Shenkle

11/01/2012 at 4:11 PM

Aw, this was a very nice post. In concept I want to put in writing like this moreover ?taking time and precise effort to make an excellent article?but what can I say?I procrastinate alot and on no account seem to get something done.
Sunday Martenez

11/02/2012 at 1:15 PM

Excellent blog you have here but I was curious if you knew of any forums that cover the same topics talked about in this article? I’d really like to be a part of online community where I can get feed-back from other experienced people that share the same interest. If you have any suggestions, please let me know. Many thanks!
awus036h 802.11

12/03/2012 at 5:42 AM

Having read this I thought it was extremely informative. I appreciate you finding the time and effort to put this informative article together. I once again find myself personally spending a lot of time both reading and leaving comments. But so what, it was still worthwhile!
Estelle Procell

29/03/2012 at 12:21 PM

Can you please email me the code for this script or please tell me in detail concerning this script?
Vivian Maestri

26/04/2012 at 11:16 PM

I’ve read several just right stuff here. Definitely worth bookmarking for revisiting. I surprise how a lot effort you put to make this kind of excellent informative site.
ruch transgraniczny

13/05/2012 at 6:10 AM

Have you ever thought about publishing an e-book or guest authoring on other websites? I have a blog centered on the same topics you discuss and would love to have you share some stories/information. I know my visitors would appreciate your work. If you’re even remotely interested, feel free to shoot me an e-mail.