OpenWrt Forum Archive

Topic: Logging In From the WAN Side (WRT54G)

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I apologize if this is answered somewhere in the Wiki.  I've been reading the install instructions and as much as I can, but there's a lot of documentation to get through and it's possible I may have missed the part that answers this.  I'm trying to get up to speed on all the info, but it's a bit hard for someone new to OpenWRT to catch up with everything.  (And I'm also quite thankful there's so much info on it!)

I just traded to get a WRT54G, Version 2 and will be installing OpenWRT on it.  My home network contains the systems I use for my business, which means most of my LAN is not going to be on the wifi side.   I have a cable modem, then a firewall, then a wired router.  The WRT54G connects to the wired router on the WAN side.  The other side will be used for devices I have for music streaming and (eventually) one other Linux box used for work.  For now, while I'm still using the Linksys firmware, I am administering the router from the WAN side.  I know I can upgrade the Linksys firmware from this connection without having to connect from the LAN side of the router.

When I install OpenWRT, is there any problem if I upgrade it from the WAN connection?  And once it's installed, will I have to change the CAT5 cables so I access it from the LAN side to administer it?  Can I administer OpenWRT from the LAN connection over the long term and can I do it when OpenWRT is first installed?

Thanks for help or links on this!

Hello,

You can log in to your router from the WAN Ethernet port. Here is how to do it:

# Install the iptables MAC match and load its kernel module
ipkg install kmod-ipt-ipopt iptables-mod-ipopt
insmod ipt_mac

# Edit /etc/firewall.user and add the two following lines
vim /etc/firewall.user

# XX:XX:XX:XX:XX:XX = MAC address of the administering computer, <SOURCE_IP> = its IP address
iptables -t nat -A prerouting_wan -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp --dport 22 -s <SOURCE_IP> -j ACCEPT
iptables        -A input_wan      -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp --dport 22 -s <SOURCE_IP> -j ACCEPT

NOTE:
- As you can see, I added more security: the MAC address of the computer accessing the router's administration interface via SSH, and also the source IP of that computer. For sure, there is also your password.

I hope this guide will help :)

Thanks.

I like the extra focus on security you have!

Now, just for my curiosity (and I'm not trying to take the easy way out -- I'm trying to learn since this is an area I'm weak in), are there other ways to do the same thing, and am I safe in assuming this is not something I could have done through the web interface?

There's absolutely no point in including the MAC address of a computer over the Internet. This information is not sent out of the local Ethernet network. If you used the MAC address of the computer correctly, the rule would fail to allow any traffic. If you used the MAC address of the next-hop router (the apparent MAC address of the computer), the rule would allow all traffic.
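To make the two posts above concrete (the MAC-restricted input_wan rule in the how-to, and Kevin's point that a host's MAC address does not survive a routed hop), here is an added Python simulation. It is not code from the thread, from OpenWrt or from any poster; it parses rule lines of the form used above into a small match structure and evaluates constructed frames against them, and every MAC and IP value in it is made up. It covers both situations: on a single Ethernet segment the MAC match works as intended, while across a router the same rule either never matches or, if keyed on the router's MAC, matches every host behind that router.

```python
"""Simulate what an iptables rule using "-m mac --mac-source" sees on the
WAN port, depending on where the client sits.  Added example for this
thread, not code from OpenWrt or from any poster; every MAC and IP below
is constructed (locally administered MACs, private IPs)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Frame:
    """Fields of an incoming packet that the rules below look at."""
    src_mac: str   # Ethernet source address as seen on the WAN port
    src_ip: str    # IP source address, carried end to end
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """The subset of iptables match options used in the thread."""
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_ip: Optional[str] = None
    mac_source: Optional[str] = None
    target: str = "ACCEPT"


def parse_rule(line: str) -> Rule:
    """Pick -p, --dport, -s, --mac-source and -j out of an 'iptables ...'
    line; other options (-t, -A, -m) are skipped by this simulator."""
    toks = shlex.split(line)
    fields: dict = {}
    for i, tok in enumerate(toks[:-1]):
        nxt = toks[i + 1]
        if tok == "-p":
            fields["proto"] = nxt.lower()
        elif tok == "--dport":
            fields["dport"] = int(nxt)
        elif tok == "-s":
            fields["src_ip"] = nxt
        elif tok == "--mac-source":
            fields["mac_source"] = nxt.lower()
        elif tok == "-j":
            fields["target"] = nxt.upper()
    return Rule(**fields)


def matches(rule: Rule, frame: Frame) -> bool:
    """A rule matches only if every option it specifies agrees with the frame."""
    return ((rule.proto is None or rule.proto == frame.proto)
            and (rule.dport is None or rule.dport == frame.dport)
            and (rule.src_ip is None or rule.src_ip == frame.src_ip)
            and (rule.mac_source is None or rule.mac_source == frame.src_mac.lower()))


def verdict(rules: List[Rule], frame: Frame, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; else the chain policy."""
    for rule in rules:
        if matches(rule, frame):
            return rule.target
    return policy


def routed_hop(frame: Frame, router_mac: str) -> Frame:
    """Model an IP router forwarding the packet onto the next Ethernet
    segment: the Ethernet header is rebuilt with the router's own MAC as
    source, while the IP header (and so the source IP) passes through."""
    return Frame(router_mac, frame.src_ip, frame.proto, frame.dport)


# Constructed addresses for the demonstration.
COMPUTER1_MAC, COMPUTER1_IP = "02:00:00:00:00:01", "192.168.1.11"
COMPUTER3_MAC, COMPUTER3_IP = "02:00:00:00:00:03", "192.168.1.13"
WIRED_ROUTER_MAC = "02:00:00:00:00:fe"

# The input_wan rule from the how-to, with its placeholders filled in.
SSH_RULE = parse_rule(
    f"iptables -A input_wan -m mac --mac-source {COMPUTER3_MAC} "
    f"-p tcp --dport 22 -s {COMPUTER3_IP} -j ACCEPT")


def scenarios() -> Dict[str, str]:
    """Chain verdicts for the cases discussed in the thread."""
    ssh_from_3 = Frame(COMPUTER3_MAC, COMPUTER3_IP, "tcp", 22)
    ssh_from_1 = Frame(COMPUTER1_MAC, COMPUTER1_IP, "tcp", 22)
    # Variant keyed on the next-hop router's MAC instead of the host's.
    router_mac_rule = parse_rule(
        f"iptables -A input_wan -m mac --mac-source {WIRED_ROUTER_MAC} "
        f"-p tcp --dport 22 -j ACCEPT")
    return {
        # WAN port on the same Ethernet segment as the computers
        "same_segment_computer3": verdict([SSH_RULE], ssh_from_3),
        "same_segment_computer1": verdict([SSH_RULE], ssh_from_1),
        # One routed hop in between: the source MAC is now the router's,
        # so the host-MAC rule never matches although the source IP is right
        "routed_computer3": verdict([SSH_RULE], routed_hop(ssh_from_3, WIRED_ROUTER_MAC)),
        # Keying on the router's MAC instead admits every host behind it
        "routed_router_mac_rule_computer1":
            verdict([router_mac_rule], routed_hop(ssh_from_1, WIRED_ROUTER_MAC)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:34s} {result}")
```

Run it as a script to see the four verdicts side by side: the same rule that admits only computer 3 on a shared segment drops it once a router sits in between, and a rule written against the router's MAC accepts computer 1 as well. The source-IP match (-s) is what still carries across hops, which is why it, and not the MAC, is the part of the rule worth keeping when the client is not on the WAN port's own segment.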

I've tried this, and I did leave out the mac, at least at this point, especially since the WAN side is on the more secure side of my net right now.

The problem is it just isn't working.  I know the hardware is working because I've had to set up a cable from the WAN to my router, then one from the LAN to a Windows system (is there any kind of ssh for Windows?  Think there is, might need it if this won't work).  I have seen data go through the router (Samba shares for the Windows computer to use and RealVNC), but no matter what I do, there seems to be no way of communicating with my router through the WAN interface.  It won't return a ping and when I try to ssh in, it just freezes, without an error message or anything.  I suspect the router is receiving the data but not responding, but that's just based on another semi-related question I asked for help on earlier today in a Usenet group.

I've also posted that I keep getting 14 instances of "Cannot find device "imq0"" whenever I restart the WAN interface, but it looks like that's more an issue with X-WRT (I installed the image that included it).

Okay, it's working now.  I'm not sure why, but I reset it and reviewed what I was doing at each step and it's working now.  My best guess is a typo.  (Unfortunately, I have a learning disability that makes some typos almost impossible to find!)

Hello Kevin,

I understand that the MAC address is not sent over the Internet. This setup is used for Internal LAN Side. The goal is to allow only one computer on the LAN to access OpenWRT's AP router. The router is connected on another router which is on the LAN (already secure in some way). It is for internal/LAN use, not external/internet. Look at the text graphic here:


MODEM   -->   WIRED ROUTER   -->   ACCESS POINT ROUTER (OPENWRT)
                          |--> COMPUTER1
                          |--> COMPUTER2
                          |--> COMPUTER3  -->>>>^^^^

(only computer #3 can access the AP on the WAN. Other computers cannot access it because their MAC address doesn't match my rule). Kevin, I read your post but I don't really understand your explanation about "allowing any traffic"... Could you explain it to me another way, please? Tell me if this setup is correct, but it seems to me to be ok :)

Hmm, for some reason the above doesn't work for me. I've tried the less secure variant (my particular setup doesn't require the MAC/IP level security) that is suggested in /etc/firewall.user:

iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

Any ideas?

Running Kamikaze OpenWRT 7.07 with 2.6.22

The discussion might have continued from here.