WRT54G with WL in and Local ports out..

 
 
Tor Tveitane

 
      04-13-2005, 09:55 PM
Hi,

In my house I have a WRT54G router and I wonder if my neighbour can purchase
another WRT54G and have it connect to my WRT wirelessly? Normally the WRT
has a wired LAN port as 'input' (internet) and WL and Local ports as
'outputs' but in this case I need it to be the contrary (WL in) and the 4
local LAN ports as output for the local net.

Is this possible with this device? If yes, how do I do this...?

best regards

Tor


 
Rico

 
      04-13-2005, 10:30 PM
In article <(E-Mail Removed)>, "Tor Tveitane" <(E-Mail Removed)> wrote:
>Hi,
>
>In my house I have a WRT54G router and I wonder if my neighbour can purchase
>another WRT54G and have it connect to my WRT wirelessly? Normally the WRT
>has a wired LAN port as 'input' (internet) and WL and Local ports as
>'outputs' but in this case I need it to be the contrary (WL in) and the 4
>local LAN ports as output for the local net.
>
>Is this possible with this device? If yes, how do I do this...?
>
>best regards
>
>Tor
>
>


Using Google look for "Wireless Bridge" without quotes.

fundamentalism, fundamentally wrong.
 
Jeff Liebermann

 
      04-14-2005, 03:23 AM
On Wed, 13 Apr 2005 23:55:31 +0200, "Tor Tveitane"
<(E-Mail Removed)> wrote:


>In my house I have a WRT54G router and I wonder if my neighbour can purchase
>another WRT54G and have it connect to my WRT wirelessly?


Yes, sorta. The WRT54G supports WDS (wireless distribution service)
which will allow it to simultaneously act as an access point (for
local clients) and a transparent bridge (for your neighbor's
connections). He can plug a PC directly into the LAN ports on his
WRT54G and get connectivity to your WRT54G. His WAN port is not
connected to anything. The only possible problem is that wireless
throughput for his wireless clients will be cut in half by the store and
forward (simplex) nature of the WDS repeater.

>Normally the WRT
>has a wired LAN port as 'input' (internet) and WL and Local ports as
>'outputs' but in this case I need it to be the contrary (WL in) and the 4
>local LAN ports as output for the local net.


Please do me a favour and do NOT rename the function of the ports.
They are the WAN (wide area network) and the LAN (local area network)
ports. Trying to figure out which is "in" or "out" at any given time
in any given topology, will surely cause frustration and possibly
premature balding.

>Is this possible with this device? If yes, how do I do this...?

http://www.linksysinfo.net/modules.p...showpage&pid=7
http://www.tomsnetworking.com/Sectio...le78-page1.php (10 pages)


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# (E-Mail Removed)
# (E-Mail Removed) AE6KS
 
Teddybare

 
      04-14-2005, 06:43 AM
All ports are both in and out. The ports are:
LAN== Local Area Network
WLAN== Wireless Local Area Network
WAN== Wide Area Network


"Jeff Liebermann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Wed, 13 Apr 2005 23:55:31 +0200, "Tor Tveitane"
> <(E-Mail Removed)> wrote:
>
>
>>In my house I have a WRT54G router and I wonder if my neighbour can
>>purchase
>>another WRT54G and have it connect to my WRT wirelessly?

>
> Yes, sorta. The WRT54G supports WDS (wireless distribution service)
> which will allow it to simultaneously act as an access point (for
> local clients) and a transparent bridge (for your neighbor's
> connections). He can plug a PC directly into the LAN ports on his
> WRT54G and get connectivity to your WRT54G. His WAN port is not
> connected to anything. The only possible problem is that wireless
> throughput for his wireless clients will be cut in half by the store and
> forward (simplex) nature of the WDS repeater.
>
>>Normally the WRT
>>has a wired LAN port as 'input' (internet) and WL and Local ports as
>>'outputs' but in this case I need it to be the contrary (WL in) and the 4
>>local LAN ports as output for the local net.

>
> Please do me a favour and do NOT rename the function of the ports.
> They are the WAN (wide area network) and the LAN (local area network)
> ports. Trying to figure out which is "in" or "out" at any given time
> in any given topology, will surely cause frustration and possibly
> premature balding.
>
>>Is this possible with this device? If yes, how do I do this...?

> http://www.linksysinfo.net/modules.p...showpage&pid=7
> http://www.tomsnetworking.com/Sectio...le78-page1.php (10 pages)
>
>
> --
> # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
> # 831.336.2558 voice http://www.LearnByDestroying.com
> # (E-Mail Removed)
> # (E-Mail Removed) AE6KS



 
Tor Tveitane

 
      04-14-2005, 06:39 PM
"Jeff Liebermann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Yes, sorta. The WRT54G supports WDS (wireless distribution service)
> which will allow it to simultaneously act as an access point (for
> local clients) and a transparent bridge (for your neighbor's
> connections). He can plug a PC directly into the LAN ports on his
> WRT54G and get connectivity to your WRT54G. His WAN port is not
> connected to anything. The only possible problem is that wireless
> throughput for his wireless clients will be cut in half by the store and
> forward (simplex) nature of the WDS repeater.


OK, good news thanks ;-)

> Please do me a favour and do NOT rename the function of the ports.


I promise. Sorry about that :-|

Now a second question: I also use windows filesharing on my wlan. Is there
a way with the WRT to block windows filesharing information ports from
certain MAC or IP addresses so my neighbours don't even see any of my
computer shares or printers when opening network neighborhood in Windows...?

regards

Tor


 
Floyd L. Davidson

 
      04-14-2005, 10:17 PM
"Tor Tveitane" <(E-Mail Removed)> wrote:
>
>Now a second question: I also use windows filesharing on my wlan. Is there
>a way with the WRT to block windows filesharing information ports from
>certain MAC or IP addresses so my neighbours don't even see any of my
>computer shares or printers when opening network neighborhood in Windows...?


That can get (very) complex, but yes it can be done. You'll
need to install third party firmware (Sveasoft or HyperWRT),
which allows telnetting into the router and changing
configuration in ways not available via the web interface. The
wrt54g is a little Linux box, which means it has horrendous
flexibility. Of course learning how to use it is another
thing... :-)

What you want to do can be done in at least two ways. If you
set up subnetting with your local wired LAN on one subnet, your
wireless LAN on another, *and* your neighbor's similar networks
assigned to even different subnets, then what you want to do can
be accomplished strictly with routing on the two wrt54g units.

The trick to it is routing certain subnets to the WAN port as
opposed to the LAN/Wireless ports (i.e., if your LAN is all
192.168.0.x, you mask off 192.168.0.x and route everything
through the neighbor's wrt54g to the WAN port instead of the LAN
ports). It requires that 1) you be the only one with admin
access to the router, and 2) his network not use any 192.168.0.x
addresses via the wrt54g.

If for some reason you cannot assign such networks, if you
cannot trust the neighbor not to hack the wrt54g (relatively
easily done with physical access), or if you just want a more
technically interesting solution... The actual equipment inside
the wrt54G consists of a linux system with two ethernet
interfaces, one of which is connected to the WAN and one of
which is connected to a bridge through a switch that supports
vlan's. Out of the box anything sent to the wireless also goes
to all of the LAN wired ports, and the Linux firewall software
only affects packets forwarded between the LAN/Wireless ports
and the WAN port. That can all be reconfigured.

It is possible to establish a vlan for each individual port plus
the wireless, and use the firewall to segregate traffic between
any of them, all based on any level of complexity you are
willing to conjure up!

I'm not sure that even the routing solution is trivial enough to
learn if Unix systems administration isn't something you are
already familiar with (it's one that I've actually done), and
I'm positive that reconfiguring the internal hardware is only
for the most intrepid hardware hackers (I've read about how it
works and understand it, but haven't tried doing anything
serious even though I'm doing several other things that also
required figuring out how to change nvram and make use of what
is there).

If you want to try either method, I'll be happy to provide some
URL's with good information and provide a few pointers that will
get you at least started in the right direction.

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
 
Jeff Liebermann

 
      04-15-2005, 03:37 AM
On Thu, 14 Apr 2005 20:39:48 +0200, "Tor Tveitane"
<(E-Mail Removed)> wrote:

>Now a second question: I also use windows filesharing on my wlan. Is there
>a way with the WRT to block windows filesharing information ports from
>certain MAC or IP addresses so my neighbours don't even see any of my
>computer shares or printers when opening network neighborhood in Windows...?


Floyd Davidson answered the question in detail. My turn to try a
simple explanation of why it can't be (easily) done. (It's usually
the other way around, where I deliver the overly complex and
obfuscated answers).

WDS and all wireless is bridging. Bridging is ISO layer 2 protocol.
The wireless bridges know nothing about IP addresses, which is on ISO
layer 3. To do layer 3 filtering, blocking, routing, and such by IP
address, you need a router. The problem is that the router in your
neighbor's WDS wireless bridge is not in the circuit. Because the WAN
port is not used, there's no path for the router to do its thing.

However, methinks there be an easier way. The stock Linksys firmware
has a feature they call "AP Isolation". It's on the bottom of the
advanced wireless settings page. It really should be called "Client
Isolation". What it does is prevent *ANY* packets from going between
wireless clients. I use it in my neighborhood WLAN to keep the
peer-to-peer game networks under control.

See:

http://groups-beta.google.com/group/...029742969eee72
for my latest rant on the topic.

The problem is that I have no clue what this will do in a WDS
environment. I also haven't bothered to see if it will isolate the
wireless clients from the wired clients. It will also probably
prevent you from using your own wireless Windoze networking LAN. I
can probably test it for you, but I plan to spend my weekend under the
hood of my truck doing repairs instead.

Well, so much for simple...


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# (E-Mail Removed)
# (E-Mail Removed) AE6KS
 
Floyd L. Davidson

 
      04-15-2005, 04:37 AM
Jeff Liebermann <(E-Mail Removed)> wrote:
>On Thu, 14 Apr 2005 20:39:48 +0200, "Tor Tveitane"
><(E-Mail Removed)> wrote:
>
>>Now a second question: I also use windows filesharing on my wlan. Is there
>>a way with the WRT to block windows filesharing information ports from
>>certain MAC or IP addresses so my neighbours don't even see any of my
>>computer shares or printers when opening network neighborhood in Windows...?

>
>Floyd Davidson answered the question in detail. My turn to try a
>simple explanation of why it can't be (easily) done. (It's usually
>the other way around, where I deliver the overly complex and
>obfuscated answers).
>
>WDS and all wireless is bridging. Bridging is ISO layer 2 protocol.
>The wireless bridges know nothing about IP addresses, which is on ISO
>layer 3. To do layer 3 filtering, blocking, routing, and such by IP
>address, you need a router. The problem is that the router in your
>neighbor's WDS wireless bridge is not in the circuit. Because the WAN
>port is not used, there's no path for the router to do its thing.


But taking advantage of that is the only thing that *does* make
it easy! Route all of the wireless traffic for a subnet you
want to protect to the WAN port... and it is banished for
*your* LAN!

>However, methinks there be an easier way. The stock Linksys firmware
>has a feature they call "AP Isolation". It's on the bottom of the
>advanced wireless settings page. It really should be called "Client
>Isolation". What it does is prevent *ANY* packets from going between
>wireless clients. I use it in my neighborhood WLAN to keep the
>peer-to-peer game networks under control.
>
>See:
>
>http://groups-beta.google.com/group/...029742969eee72
>for my latest rant on the topic.


You should have also tried what I'd described to you earlier,
using routing. It works rather well, and actually is simple. Or
at least for somebody who is comfortable doing Unix systems
admin, and can figure out how to make such routing persistent
across restarts and power failures on the WRT54G, neither of
which are necessarily easy skills to acquire over a weekend.

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
 
Jeff Liebermann

 
      04-15-2005, 05:11 PM
On Thu, 14 Apr 2005 20:37:33 -0800, (E-Mail Removed) (Floyd L.
Davidson) wrote:

>>http://groups-beta.google.com/group/...029742969eee72
>>for my latest rant on the topic.

>
>You should have also tried what I'd described to you earlier,
>using routing. It works rather well, and actually is simple.


I did. Read the above URL. I tried it and it worked as you
described. It would properly route IP traffic. However, the original
problem was different. It was to isolate wireless customers at a
coffee-shop or hotel wireless LAN. The "AP protection" setting in the
stock Linksys firmware took care of that without any routing.

The problem I was faced with (different issue) is that routing
wouldn't do anything for non-IP wireless traffic. I was dealing with
a bunch of gamers running NETBEUI over IP that the IP router didn't
touch. They could care less if they went to the internet with their
traffic. All they wanted was to connect to each other using the
WRT54G as their private repeater. My available wireless bandwidth was
zero when they were on.

>Or at least for somebody who is comfortable doing Unix systems
>admin, and can figure out how to make such routing persistent
>across restarts and power failures on the WRT54G, neither of
>which are necessarily easy skills to acquire over a weekend.


Chuckle. Be nice. Do a search on the web and usenet for my name and
SCO Unix, especially in comp.unix.sco.misc. Google groups shows 3500
of my postings, almost all answers to tech questions, starting about
1985 with Xenix 2.0. There's even some Unix humor. Methinks that
qualifies as more than a weekend's worth of study. I also edited an
awful SCO Unix book (never again). I haven't done much with SCO Unix
since they became politically incorrect.

I'll confess that I'm not terribly proficient with iptables, but can
do well enough with the older ipchains (or if I can remember ipfwadm).
I've been really lazy these days and use Firewall Builder. Most of my
current remote office systems use VPN's which avoid many routing
issues. I'm also marginally functional with Cisco IOS from the
command line. As for admin skill, I've done quite a bit in the past
with assorted SNMP tools (MRTG, RRDTool, Nagios, OpenNMS, etc) in
setting up monitoring at ISP's and corporate LAN's. I'm not sure that
counts as admin experience. I haven't done much of that in the last 5
years. For a nominal fee, I'll send you an autographed copy of my
resume (after I write one), suitable for framing.

You're correct about one item. I didn't or couldn't figure out how to
make the routes persistent. Probably by editing rc_startup. I wanted
to tinker and didn't want to deal with undoing my mistakes. It's the
same way with Cisco. I don't run:
copy running_config to startup_config
until I've tested the hell out of my running configuration and am sure
it's worth saving. If I completely mangle the running config it's
very easy to recover.

Thanks to Google, the proper incantation is probably something like:
nvram set rc_startup="/sbin/route add..."
or something similar. Am I close? Do I get a prize?


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
 
Floyd L. Davidson

 
      04-16-2005, 03:58 AM
Jeff Liebermann <(E-Mail Removed)> wrote:
>
>The problem I was faced with (different issue) is that routing
>wouldn't do anything for non-IP wireless traffic. I was dealing with
>a bunch of gamers running NETBEUI over IP that the IP router didn't


That doesn't make sense to me. Is NETBEUI over IP an example of
non-IP traffic? I would have thought that would be routed...
Or do you mean NETBEUI over Ethernet? (I've never messed with
any of the non-IP protocols.)

I haven't looked at either the switch or the bridge in the
WRT54G to see what can be done as far as protocol restrictions.

>>Or at least for somebody who is comfortable doing Unix systems
>>admin, and can figure out how to make such routing persistent
>>across restarts and power failures on the WRT54G, neither of
>>which are necessarily easy skills to acquire over a weekend.

>
>Chuckle. Be nice. Do a search on the web and usenet for my name and
>SCO Unix, especially in comp.unix.sco.misc.


You need not preen Jeff... I was *not* talking about you.

The average reader in this newsgroup, to whom my comments are
addressed, is almost certainly using MS Windows, and probably
has *no* background in systems admin for even that environment,
much less something as different as Linux is from Windows.

You obviously have the background and won't find it difficult to
come up with the various conceptual models needed to implement
just about anything that strikes your fancy. (And I'd be silly
to think that I'm going to educate you... even if I did find
something you don't know. ;-)

>You're correct about one item. I didn't or couldn't figure out how to
>make the routes persistent. Probably by editing rc_startup.


Yep. Two ways to do it that I know of.

The first one is to make an appropriate file on another system,
and then go to the "Administration->Diagnostics" web page of the
WRT54G, and insert it into the command input window. Instead of
clicking on the "run" box next to it, go down to the bottom of
the window and click on the "startup file" box. (I'm not
looking at the web page, and the quoted titles may be a bit
different than what I'm listing here from memory.)

What that actually does is write to the nvram "rc_startup"
variable, and sets the entire text of the file equal to that
variable. When the system boots it dumps the value of that
variable into a file named /tmp/.rc_startup (/tmp is a ramdisk).

The second way is to create a working file in /tmp, using vi or
any other suitable means (e.g., tftp it from another system).
Then do 'nvram set rc_startup="$(cat /tmp/foo)"', where the
working file is /tmp/foo. On the next boot, that will be found
in /tmp/.rc_startup.

Another trick that is really nice is to put things into the
startup file that create /tmp/.profile, /tmp/host, and
/tmp/resolv.conf files. The last two are symlinked to the /etc
directory, so whatever is in them will be useful.

(I need to try diddling with nvram, or download the source code,
and see if there is an appropriate nvram variable name for those
files, the same as with .rc_startup. That would be easier.)

My WRT54G's boot up with a handy ~/.profile for the root user
that even uses color in the prompt, and provides a few useful
aliases to do complex commands with simple names. It also sets
the current date and time when the system boots. And having
canonical host names in /etc/hosts certainly makes a number
of things much easier to do.

>I wanted
>to tinker and didn't want to deal with undoing my mistakes. It's the
>same way with Cisco. I don't run:
> copy running_config to startup_config
>until I've tested the hell out of my running configuration and am sure
>it's worth saving. If I completely mangle the running config it's
>very easy to recover.


With the WRT54G's you can of course just set everything to
whatever you like, using manual commands from the shell command
line, and if it gets hosed... just reseat the power plug, let
it reboot, and it's back to where it started.

>Thanks to Google, the proper incantation is probably something like:
> nvram set rc_startup="/sbin/route add..."
>or something similar. Am I close? Do I get a prize?


Close enough for government work!

Are you aware that you can add *any* variable to nvram that you
like? You can then use your own nvram variable names to change
what the init script does, or whatever...

Of course playing with nvram is kinda dangerous, because dead
WRT54G's aren't shaped well to be useful as either a door stop
or a boat anchor.

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
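
The rc_startup step described in this post, combined with the file-sharing block asked about earlier in the thread, as an added example that is not code from any poster. It generates iptables rules for the Windows file-sharing ports and shows why the `$(cat ...)` must be quoted when the file is handed to `nvram set`. Assumptions: `nvram` is replaced by a shell stand-in so the script runs off-router, the subnets are constructed, and the rules only matter where traffic between the two subnets is routed rather than bridged.

```shell
#!/bin/sh
# Added example, not from the thread. Subnets are constructed; nvram() below
# is a stand-in for the router's nvram utility so this runs on any POSIX shell.

NVRAM_ARGC=0     # how many arguments the last nvram call received
NVRAM_VALUE=     # value stored by the last "nvram set rc_startup=..."
nvram() {
    NVRAM_ARGC=$#
    if [ "$1" = set ]; then NVRAM_VALUE=${2#rc_startup=}; fi
}

# Accept only digits, dots and one slash in a rough a.b.c.d/n shape:
# whatever lands in rc_startup is executed as root at boot.
is_cidr() {
    case $1 in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print FORWARD rules dropping Windows file sharing from SRC to DST:
# UDP 137/138 (NetBIOS name/datagram), TCP 139/445 (NetBIOS session, SMB).
# Only effective when SRC->DST traffic is routed, not bridged.
smb_block_rules() {
    is_cidr "$1" && is_cidr "$2" || return 1
    for spec in udp:137 udp:138 tcp:139 tcp:445; do
        echo "iptables -I FORWARD -s $1 -d $2 -p ${spec%:*} --dport ${spec#*:} -j DROP"
    done
}

# Unquoted $(...): the file is split into words, so nvram sees
# "rc_startup=iptables" followed by dozens of stray arguments.
store_unquoted() { nvram set rc_startup=$(cat "$1"); }

# Quoted: the whole file, newlines included, is a single argument.
store_quoted() { nvram set rc_startup="$(cat "$1")"; }

# Demo with constructed subnets (neighbour 192.168.2.0/24, own LAN 192.168.0.0/24).
demo() {
    f=$(mktemp) || return 1
    smb_block_rules 192.168.2.0/24 192.168.0.0/24 > "$f" || return 1
    store_unquoted "$f"; echo "unquoted: nvram got $NVRAM_ARGC arguments"
    store_quoted "$f";   echo "quoted:   nvram got $NVRAM_ARGC arguments"
    [ "$NVRAM_VALUE" = "$(cat "$f")" ] && echo "stored value matches the file"
    rm -f "$f"
}
demo
```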
 