OpenWrt Forum Archive

Topic: Bridging, WiFi, multiple SSIDs, and VLANs

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

UPDATE: I solved this on my own while I was writing this.  I am going to post it so in case anybody ever makes the same mistake, they will be able to search for it on the forum.

--------------------------------------------------

Hello there.  I have probably read the documentation for Kamikaze five times over, searched the forums many times, and experimented a good long while, but I just can't get this to work.

I have a WRT54G v4 flashed with Kamikaze 7.06.  I want my router to broadcast two different SSIDs, both with different encryption levels.  One of them will use PSK2 and the other WEP.  The one that uses PSK2 I want to bridge with my vlan0 interface like normal (basically, the default configuration).  It will be part of the 192.168.1.x/24 range.  Anybody that accesses via WEP I want to be placed in the 192.168.2.x/24 network.  Basically, I want WEP users to be segmented from the hardwired and PSK2 users.

I have tried many different things trying to get this to work.  My last configuration tried something like this:

-- /etc/config/network --
config switch eth0
    option vlan0    "0 1 2 3 5*"
    option vlan1    "4 5"
    option vlan2    "5"

config interface lan
    option type    bridge
    option ifname    "eth0.0"
    option proto    static
    option ipaddr    192.168.1.1
    option netmask    255.255.255.0

config interface gwifi
    option type    bridge
    option ifname    "eth0.2"
    option proto    static
    option ipaddr    192.168.2.1
    option netmask    255.255.255.0

config interface wan
    option ifname    "eth0.1"
    option proto    dhcp


-- /etc/config/wireless --
config wifi-device wl0
    option type    broadcom
    option channel    11
    option disabled    0

config wifi-iface
    option device    wl0
    option network    lan
    option mode    ap
    option ssid    testpsk2
    option hidden    0
    option encryption psk2
    option key    thekey

config wifi-iface
    option device    wl0
    option network    gwifi
    option mode    ap
    option ssid    testwep
    option hidden    0
    option encryption wep
    option key    thekey

As you can see, I tried creating a vlan2 with just port 5 and creating the gwifi interface with it.  Then, I have my WEP connection bridge with it.  When I do it this way, the router will broadcast both SSIDs correctly.  I can even connect to the PSK2 connection.  But, when I try to connect to the WEP connection through Windows Vista, it fails.

---------------------------------------------------------------------

UPDATE:
As I was writing out this post, I had an epiphany and found out what was wrong.  I had forgotten to modify /etc/config/dhcp to add my gwifi interface to the dhcp list.  Once I did that, I was able to successfully connect.  I am going to still post this so in case anybody makes my mistake, they will be able to search for it.

Today, I found out my previous solution wasn't... complete.  Connections from the "gwifi" interface couldn't access the Internet.  In case anybody tries to duplicate what I have done, this is how it is fixed:

/etc/init.d/firewall
After

config_get LAN lan ifname

Add

config_get GWIFI gwifi ifname

Alter

iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

To

iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
iptables -A FORWARD -i $GWIFI -o $GWIFI -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $GWIFI -o $WAN -j ACCEPT

(Last edited by Nalin on 12 Jun 2007, 23:45)
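
Added example, not part of the post above or of OpenWrt's own scripts: a check that the FORWARD rules still keep the WEP network away from the LAN, by evaluating first-match verdicts over a constructed ruleset. The bridge names br-lan and br-gwifi, the DROP policy, the conntrack line and the function names are assumptions; compare against the chain dumped from the actual router.

```shell
#!/bin/sh
# Added example: first-match verdict for a NEW connection through FORWARD,
# read from iptables-save / "iptables -S" style text on stdin. Models -i/-o
# (with "!" negation) and state matches; anything else yields UNKNOWN.
forward_verdict() {  # usage: forward_verdict IN_IF OUT_IF < ruleset
    awk -v in_if="$1" -v out_if="$2" '
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 == ":FORWARD"              { policy = $2; next }
    $1 != "-A" || $2 != "FORWARD" { next }
    {
        hit = 1; target = ""; neg = 0
        for (f = 3; f <= NF; f++) {
            opt = $f
            if (opt == "!") { neg = 1; continue }
            if ($(f + 1) == "!") { neg = 1; f++ }   # older "-i ! IF" spelling
            arg = $(f + 1)
            if (opt == "-i")      ok = (arg == in_if)
            else if (opt == "-o") ok = (arg == out_if)
            else if (opt == "--state" || opt == "--ctstate")
                ok = (index("," arg ",", ",NEW,") > 0)
            else if (opt == "-j") { target = arg; break }
            else if (opt == "-m") ok = 1            # module name, no match yet
            else { target = "UNKNOWN"; break }      # unmodelled match option
            if (neg ? ok : !ok) hit = 0
            f++; neg = 0
        }
        if (hit) { print (target ~ /^(ACCEPT|DROP|REJECT)$/ ? target : "UNKNOWN"); found = 1; exit }
    }
    END { if (!found) print (policy == "" ? "UNKNOWN" : policy) }'
}

# Constructed ruleset holding the four FORWARD rules from the post; interface
# names, the DROP policy and the conntrack line are assumptions.
thread_rules() {
    cat <<'EOF'
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -o br-lan -j ACCEPT
-A FORWARD -i br-gwifi -o br-gwifi -j ACCEPT
-A FORWARD -i br-lan -o eth0.1 -j ACCEPT
-A FORWARD -i br-gwifi -o eth0.1 -j ACCEPT
EOF
}

# Same rules plus a broad "anything not from WAN" accept, which breaks isolation.
leaky_rules() { thread_rules; echo '-A FORWARD -i ! eth0.1 -j ACCEPT'; }

thread_rules | forward_verdict br-gwifi br-lan   # DROP: WEP clients cannot reach the LAN
leaky_rules  | forward_verdict br-gwifi br-lan   # ACCEPT: segmentation lost
```

An UNKNOWN verdict means the first matching rule uses a match or target the script does not model (a protocol match, a jump to a user chain), so that rule needs reading by hand.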

I just tried this out, works well.  Thanks for posting the info.

So, could this be used to offer WEP WLAN (for a Nintendo DS handheld system), restricting it to talking to the internet and a WPA WLAN (allowed to talk to the LAN, too) simultaneously using just one WRT54G?

If so, is this also possible with whiterussian?

(Last edited by Lorphos on 11 Jul 2007, 12:51)

Lorphos wrote:

If so, is this also possible with whiterussian?

It isn't possible with white russian because it doesn't support multiple SSIDs.

OK, I tried this configuration, however after changing the VLANs, my PPP interface didn't come up any more.
I have a WRT54G V2 and internet via DSL + pppoe.

Any idea what's making it fail?

Also, iwconfig shows only wl0 having an ESSID.


Edit:

OK so instead of
config switch eth0
    option vlan0    "0 1 2 3 5*"
    option vlan1    "4 5"
    option vlan2    "5"

I am now using

config switch eth0
    option vlan0    "1 2 3 4 5*"
    option vlan1    "0 5"
    option vlan2    "5"

I think it makes sense because on the WRT54G, 0 is the WAN port, isn't it?
WAN PPPOE works now, however I do not see the second SSID (which uses WEP) and I can't connect to it using a Nintendo DS handheld either.

(Last edited by Lorphos on 13 Jul 2007, 22:26)

It is not necessary to use vlans for this unless you have a reason to (possible reasons I can think of: connection to different physical networks at the device - vlans used on the internal switch, openwrt is not your firewall and you want the traffic managed at the firewall, you have a large network using vlans in the traditional way and want users to connect to their department network). Otherwise, you can manage this with the firewall rules.

Good to know. I wish this entire subject were better documented. I bet there are quite a few people with old hardware that can only do WEP they would like to utilize in a (relatively) safe and restricted manner.

Nalin - your instructions were perfect.  They covered exactly what I needed to do, and everything worked right the first time.  And I've never run OpenWRT before this evening, so that's saying something!  But anyway, to follow-up to Lorphos' first question... for the specific case of using this setup to put the "real" computers on a WPA/WPA2 WLAN and Nintendo games on a WEP WLAN...  I bought a WRT54GL (replacing my WRT54Gv5) and installed Kamikaze for just that purpose, and tonight was the night to set it all up.

I started by configuring the Nintendo Wii to be on the WEP WLAN (it had been on my one single WPA WLAN).  I told it to search for access points, it displayed them both, I picked WEP, entered the key, and everything just worked.  Simple.

Not so with DS #1, DS #2, or the DSLite.  Apparently, not only did Nintendo give us crappy firmware that won't handle WPA, they gave us crappy firmware that barely handles Wi-Fi at all.  When I told the DS to search for access points, it would usually fail and complain that the access point wanted security that it didn't support -- it was finding the WPA SSID and failing to see the WEP SSID.  But once in a while it would work, and find the WEP SSID.  But as soon as I entered the key and did "test connection" it would fail every single time.  And entering the WEP SSID manually didn't help either - it would still fail on "test connection."

Finally, after about 90 minutes of flailing around uselessly, something prompted me to try switching the order in which the WLANs are configured in /etc/config/wireless.  So, I rearranged it so that the WEP WLAN comes first in the file and the WPA WLAN comes second.  Eureka!  The DSes and the DSLite suddenly work!  I had to tell the Windows XP box to look for the access point by name (instead of search), but as soon as I did that it connected just fine, and now that it knows it's there, it reconnects on its own.

I am still amazed that not only has Nintendo still not fixed this issue with a firmware update, but they didn't even fix it in the DSLite.  Sony issued a patch for the PSP to support it within a few months of the PSP coming out.

Oh well, it works, and the kids are happy.  One more thing to cross off the list of things to do.  :-)

(Last edited by tnstatc on 28 Jul 2007, 04:38)

I had the same idea but it doesn't work (yet).

Did you also change the order in /etc/config/network?
What does "iwconfig" show? I only see the WPA network there.
Did you rename the interfaces?

Edit:

Turns out I had a typo in the wireless file, it works now :-)
Thanks all!

(Last edited by Lorphos on 28 Jul 2007, 10:26)

I did discover one other thing as I used it some more.... Windows XP laptop using an old v1.0 Linksys card was having problems connecting.  It would see the "right" (WPA) access point, but when I'd go to connect, it would confuse itself and think it wanted WEP instead of WPA even though it used WPA the last time.  Fiddling around with the "Advanced settings" in the "View wireless networks" window would eventually get it connected, but it required fiddling.

I'm GUESSING that XP and the DSes are having trouble because they're storing some or all of the information on an access point using the MAC address as the lookup key instead of the SSID, and they're getting the wrong data (or overwriting one with the other) since both access points in this case have the same MAC address.

So, this afternoon I thought I'd try setting "option hidden 1" on the WEP access point.  Since all the DSes and the Wii know about it now, it doesn't need to advertise, and that should keep the XP box from seeing information from two access points with the same MAC address.

Sure enough, this seems to help.  The XP box is much happier now; it sees the single access point it "should" see and connects right up.  So, if you can make one of the access points "hide" in your environment, it's worth trying if you're having problems.

The discussion might have continued from here.