WRT54G's as clients

Hi,

Thanks to Floyd and Jeff for the tips and comments on hiding my own intranet
when sharing my internet connection to a couple of neighbours w/o giving
them access to my intranet.

I finally solved the problem by purchasing another WRT54G router which I
connected in series with the first one. Now I have:

ADSL modem
| wired to
Internet router WRT54GS (alchemy fw)
WAN 192.168.0.20
LOCAL 192.168.10.254 -> wirelessly to neighbours
| wired to
Intranet router WRT54GS (linksys fw)
WAN 192.168.10.10
LOCAL 192.168.50.254 - wireless to my own notebooks
| wired to
Intranet switch

Neighbour:
WRT54GS (alchemy fw)

I have read Jeff's tip to read Justin's guide to setting up WDS towards the
neighbour on these devices. I spent a few hours trying different
possibilities w/o success.

But my first surprise with my double router setup was that I could access my
intranet fileshares when connecting wirelessly to the Internet WRT. Isn't
the Intranet WRT supposed to block all traffic from its WAM port's
192.168.10 net? Why could I access the 192.168.50 net from the 192.168.10
net?

Secondly, if I don't misunderstand, WDS would enable the neighbour to use
his own WRT as a wireless 'access' point in his house in addition to ensure
the wireless connection to my Internet WRT. That would be neat, but first I
prefer to have his WRT connect wirelessly to my Internet WRT and *wire* his
computers to his WRT's four LAN ports. Do I need WDS for that scenario too?
Should his WRT's wireless mode be 'Client' or what?

Thanks for info on these issues. more to come later ;-)

regards

Tor

"Tor Tveitane" <(E-Mail Removed)> wrote:
>
>ADSL modem
>| wired to
>Internet router WRT54GS (alchemy fw)
>WAN 192.168.0.20
>LOCAL 192.168.10.254 -> wirelessly to neighbours
>| wired to
>Intranet router WRT54GS (linksys fw)
>WAN 192.168.10.10
>LOCAL 192.168.50.254 - wireless to my own notebooks
>| wired to
>Intranet switch
>
>Neighbour:
>WRT54GS (alchemy fw)

I don't have a good picture of how you've arranged that. I
can't tell if you have 2 or 3 WRT54GS units either.

Is this accurate:

<++++> is a wired link, <====> is a wireless link

WRT54GS #1 (WDS enabled)
ADSL <+++> WAN PORT 192.168.0.20
+++> LAN/WIRELESS 192.168.10.254 <====> WRT54GS #3 (WDS enabled)
+ neigbhor's
+ WRT54GS #2 (WDS disabled)
+++> WAN PORT 192.168.10.10
+++> LAN/WIRELESS 192.168.50.254 <====> Laptop client
+
+ ETHERNET SWITCH
+++> INTRANET PORT
+++> INTRANET PORT
+ ...
+
+++> Multiple Desktop Hosts


>But my first surprise with my double router setup was that I could access my
>intranet fileshares when connecting wirelessly to the Internet WRT. Isn't
>the Intranet WRT supposed to block all traffic from its WAM port's
>192.168.10 net? Why could I access the 192.168.50 net from the 192.168.10
>net?

If you want traffic from the switch to be able to access the Internet,
then WRTGS #1 and #2 *must* route traffic between those IP addresses

You can, however, enable the firewall and put filters on what
WRT54GS #2 will allow through the WAN port. That of course will
necessitate configuring ipchains in that router.

>Secondly, if I don't misunderstand, WDS would enable the neighbour to use
>his own WRT as a wireless 'access' point in his house in addition to ensure
>the wireless connection to my Internet WRT.

Yes. Configure his WRT54GS as an Access Point with WDS enabled.
He can then use _both_ wireless connections and plug local wired
connections into the LAN ports.

>That would be neat, but first I
>prefer to have his WRT connect wirelessly to my Internet WRT and *wire* his
>computers to his WRT's four LAN ports. Do I need WDS for that scenario too?
>Should his WRT's wireless mode be 'Client' or what?

For that his WRT54GS would be set to Client, and he would *not*
be able to access it with wireless clients.

I'd change your layout a little, perhaps.


WRT54GS #1 (WDS disabled)
ADSL <+++> WAN PORT 192.168.0.20
+++> LAN/WIRELESS 192.168.50.254 <====> Laptop client
+
+ ETHERNET SWITCH
+++> INTRANET PORT
+ INTRANET PORT <+++> Multiple Desktop Hosts
+
+ WRT54GS #2 (WDS enabled)
+ WAN PORT 192.168.10.10
+++> LAN/WIRELESS 192.168.10.254 <====> WRT54GS #3 (WDS enabled)
neigbhor's

With this arrangement you don't need to do anything special with the
ipchains filters, and instead need to do a little fancy fiddling with
the route tables in the WRT54GS #2.

Specifically, any subnet that you want to isolate from the neighbor
should be routed to the WAN port (device vlan1). You could have
one entry that routes one subnet to the LAN port (actually, to the
bridge, device br0), and then a catch all entry to route everything
else in the 192.168.n.n range to the WAN port. And then a default
that sends everything else to the ADSL address.

So, lets say your ADSL has an IP of 192.168.0.1, and the other ranges
are as follows:

192.168.50.n Your LAN, both wired and wireless
192.168.10.n Neighbor's LAN, both wired and wireless

In WRT54G #1 you want a route table that looks like this

Destination Gateway Netmask Device
192.168.0.0 * 255.255.255.0 vlan1
192.168.10.0 * 255.255.255.0 br0
192.168.50.0 * 255.255.255.0 br0
default 192.168.0.1 255.255.255.255 vlan1

Everything to 192.168.0.n goes to the WAN port (vlan1), which
provides a route to the gateway specified as a default address.
The two subnets, yours at 192.168.50.n and the neighbor's at
192.168.50.n are routed to the bridge and thus to both wireless
and LAN ports. (Which also means you can actually use the same
IP address range on your LAN or for a wireless client... *if*
you want the neighbor to have access to that particular host.)

And the default sends everything else to the WAN port.

In WRT54G #2 you want a route table that looks like this

Destination Gateway Netmask Device
192.168.0.0 * 255.255.255.0 br0
192.168.10.0 * 255.255.255.0 br0
192.168.0.0 * 255.255.0.0 vlan1
default 192.168.1.1 255.255.255.255 br0

This also sends everything to 192.168.0.n to the LAN/Wireless
ports. If you wanted, that could be just a host route, which
would be

192.168.0.1 * 255.255.255.255 br0

and then *only* that one address would have a route.

It also sends everything for the neighbor's subnet,
192.168.10.0, to the LAN/Wireless ports. Then there is the
catch all which sends *all other* 192.168.n.n traffic to
the vlan1 device (which is a dead end with nothing attached).
That effectively filters out all traffic directed at your
LAN subnet.

And finally there is a default, which sends everything else
to the LAN/Wireless ports (and thus to WRT54G #1).

Caveat: I haven't tried it all. I did try the routing as
described for WRT54G #2 and am positive that part will work.

I also don't know just how you can set routes like that via the
web interface. I found it very frustrating to deal with, and
simply gave up and went to using a command line interface by
accessing the router via telnet.

If you choose to telnet into the WRT54GS, I have no experience
with the Sveasoft Alchemy firmware, but it is no doubt very
similar to their Satori firmware for what you'll need to do.
I can give you a /tmp/.rc_startup file that will,

initialize /etc/hosts, /etc/resolv.conf, /tmp/.profile
and a /tmp/routes file that contains routing commands.

Execute the /tmp/routes file, to set routing.

Set a hostname for the router

Set the timezone and the hardware clock

Start syslogd

The /tmp/.profile root shell profile contains the following,

Sets a color prompt that shows the host name of the router,
the user name, and the current directory.

Defines a function to save /etc/hosts, /etc/resolv.conf,
/etc/.profile, /tmp/routes, and /tmp/.rc_startup files to
nvram, allowing configuration to survive a reboot.

Defines a function to restore /etc/hosts, /etc/resolv.conf,
/etc/.profile, /tmp/routes, and /tmp/.rc_startup files from
nvram. Hence you can try things, and with one command reset
to the boot time configuration.

Defines aliases for ls and ll, variations of /bin/ls.

Defines a "help" command alias for the _wl_ program, which
will page the help output of wl for easier reading.

Defines a command alias to repeat, every 10 seconds, the
signal strength from any of a list of MAC addresses for
wireless clients.


--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)

"Floyd L. Davidson" <(E-Mail Removed)> skrev i melding
news:(E-Mail Removed)...

> I don't have a good picture of how you've arranged that. I
> can't tell if you have 2 or 3 WRT54GS units either.
>
> Is this accurate:

Thanks Floyd for a long and interesting answer. I will study it and try to
set it up like you suggest and get back with any questions.

I thought that I could solve this by using the WRT's web-browser config as
it might be other persons than me being responsible in the future.

But if I understand you correctly I cannot solve my needs w/o configuring
the WRTs from the shell.

I will draw a chart of my network topology later (any suggestion of suitable
software to do this?).

regards

Tor

Try dia for a drawing program.
Similar to Visio and it's free.
http://www.gnome.org/projects/dia/

Mike.....

"Tor Tveitane" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Floyd L. Davidson" <(E-Mail Removed)> skrev i melding
> news:(E-Mail Removed)...
>
>
> I will draw a chart of my network topology later (any suggestion of
suitable
> software to do this?).
>
> regards
>
> Tor
>
>

"Tor Tveitane" <(E-Mail Removed)> wrote:
>"Floyd L. Davidson" <(E-Mail Removed)> skrev i melding
>news:(E-Mail Removed)...
>
>> I don't have a good picture of how you've arranged that. I
>> can't tell if you have 2 or 3 WRT54GS units either.
>>
>> Is this accurate:

I realized after I posted that, that my drawing *can't* be what
you described. You indicated that you were routing traffic from
one of the wireless 192.168.n.n subnets to a different
192.168.n.n subnet. That *can't* go from the wireless through
the router's WAN port. (Or, I don't know how to configure it so
that it will, because that traffic necessarily goes through the
Linux kernel routing and IP forwarding in the WRT54G, and that
won't forward to a 192.168.n.n address on a different interface.
One could re-arrange the bridge to include the WAN port, but not
from a web interface.)

>Thanks Floyd for a long and interesting answer. I will study it and try to
>set it up like you suggest and get back with any questions.

I'm fooling with something similar myself. Except I was
originally thinking that I wanted to be able to route just
exactly 1 client at the "neighbor's" location to my own LAN.
That 1 client would of course be *my* laptop.

I've decided that I can't do it automatically, and instead will
just have to log into the WRT54G and set up that route whenever
I need it, and then remove it. (The WRT54G is essentially an
open wireless AP, intended to provide access to the Internet but
not to my LAN.)

>I thought that I could solve this by using the WRT's web-browser config as
>it might be other persons than me being responsible in the future.
>
>But if I understand you correctly I cannot solve my needs w/o configuring
>the WRTs from the shell.

I'm not really sure if it can be done or not. *I* can't!

But then I'm not willing to spend much time trying either,
because the fun part for me is figuring out what I can do via
telnet. At one point I did spend some time trying to set routes
using the web interface, and frankly it was extremely
frustrating.

>I will draw a chart of my network topology later (any suggestion of suitable
>software to do this?).

Wellll... I'm a unix weenie, so xfig is what I'd use. :-) But
it hasn't been ported to the WRT54G, so you'll either need
different software or a whole 'nother 'puter to run Linux on,
eh?

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)