Break the bridge and set up the split internal network

First we need to set up your router's physical networks. For this part of the HOWTO, I'll be using configuration options that make sense on a WRT54GL with the default Kamikaze configuration. If you run a different router or you've tweaked your network configuration heavily, you're on your own with this section, but my Shorewall configuration should still work for you if you change the appropriate interface lines.

*Split wired and wireless networks onto separate interfaces
Edit the /etc/config/network file. Remove the entire section labeled "#### LAN configuration". If you do not have this section, find the "config interface lan" line and remove this entire section. In its place add two new sections:

#### Wired LAN configuration
config interface wired
    option ifname    "eth0.0"
    option proto    "static"
    option ipaddr    192.168.1.1
    option netmask    255.255.255.0

#### Wireless LAN configuration
config interface wireless
    option ifname    "wl0"
    option proto    "static"
    option ipaddr    192.168.2.1
    option netmask    255.255.255.0

Replace the IP addresses and netmasks of the interfaces as you see fit, but keep the two networks on different subnets; the Shorewall hosts file below keys on them. Do not add "option gateway" or "option dns" lines to these LAN sections: on a static interface Kamikaze turns each "gateway" into a default route for the router itself (and each "dns" into an entry in the router's own resolver list), and with eth0.1 as the WAN the router already gets both from the WAN section. Two default routes cannot both be installed, so the second attempt fails. Clients on each network get the router's own address on that network (192.168.1.1 or 192.168.2.1) as their gateway and DNS server from DNSmasq.

DNSmasq supports the use of /etc/ethers to define static mappings:

# Main server
00:01:23:45:67:89    192.168.1.42

Keep these static addresses outside the DHCP ranges defined below, so that a dynamic lease can never collide with them. As long as the address falls within the subnet of one of the interfaces, DNSmasq hands the client the gateway and DNS settings for that subnet along with its fixed address. Bear in mind that the mapping is keyed on the MAC address, which any client can set for itself: it reserves an address for a device, it does not prove which device is using it.

Note that if you have any subnets living behind any machines on these networks (VPN server, for example) that you want to route back and forth to your main network, you should set that up here with a "config route" stanza. For example:

config route    vpn
    option interface    wired
    option target        192.168.10.0
    option netmask        255.255.255.0
    option gateway        192.168.1.42

Of course, 192.168.1.42 still has to do the actual routing for the 192.168.10.0/24 subnet (and must have IP forwarding turned on); this stanza only tells OpenWRT to send packets for that subnet to it instead of out the WAN. If you also want to firewall that traffic, Shorewall will give us that power later.

*Configure DHCP
To serve DHCP information on both interfaces, you'll need to edit your /etc/config/dhcp file. Remove the "config dhcp" section for the old LAN (its "option interface" line will read br0 or lan, depending on your configuration) and replace it with:

config dhcp
    option interface    wired
    option start        150
    option limit        49
    option leasetime    12h

config dhcp
    option interface    wireless
    option start        150
    option limit        49
    option leasetime    12h

This will serve IPs between 192.168.1.150 and 192.168.1.199 on the wired interface and between 192.168.2.150 and 192.168.2.199 on the wireless. Again, change the "start" and "limit" values to suit your environment, and make sure the static mappings in /etc/ethers stay outside these ranges.

*Configure wireless
There's just one more quick change. In the /etc/config/wireless file, change "option network br0" (or "option network lan") in the wifi-iface section to "option network wireless". The value must match the name of the "config interface" section you created above; that is what attaches wl0 to the wireless interface. All your other options will be unchanged from your existing configuration.
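The following is a check for the network and DHCP steps above, added here as an example; it is not part of the original HOWTO or of OpenWRT. It takes the running dnsmasq command line (where the DHCP pools appear exactly as dnsmasq computed them from "start" and "limit") and the text of /etc/ethers, and reports every static mapping that sits inside a dynamic pool or on a subnet that no interface serves. It assumes each --dhcp-range= argument has the layout name,first,last,netmask,leasetime that OpenWRT's init script builds. The MAC addresses, the 192.168.1.160 and 192.168.3.42 entries and the dnsmasq command line below are constructed samples. POSIX sh plus awk only, so it runs on the router's busybox.

```shell
#!/bin/sh
# Added example for this HOWTO (not from the original post or from OpenWRT):
# flag /etc/ethers entries that collide with the DHCP pools or that no
# interface serves. Inputs are the dnsmasq command line (as shown by
# "ps w") and the text of /etc/ethers. Runs under busybox sh + awk.

# Constructed sample of the dnsmasq command line that the two "config dhcp"
# sections above produce. Assumed layout of each --dhcp-range= argument is
# the one OpenWRT's init script builds: name,first,last,netmask,leasetime.
SAMPLE_DNSMASQ_CMDLINE='dnsmasq --read-ethers --dhcp-range=wired,192.168.1.150,192.168.1.199,255.255.255.0,12h --dhcp-range=wireless,192.168.2.150,192.168.2.199,255.255.255.0,12h'

# Constructed sample /etc/ethers: one correct entry and two mistakes.
SAMPLE_ETHERS='# Main server
00:01:23:45:67:89    192.168.1.42
# Printer: wrong, inside the wired dynamic pool
00:01:23:45:67:8a    192.168.1.160
# Old NAS: wrong, 192.168.3.0/24 is served by no interface
00:01:23:45:67:8b    192.168.3.42'

# Print one line per static mapping:
#   OK|POOL|NOSUBNET <ip> <mac> <interface-or->
# POOL means the address lies inside that interface's dynamic range,
# NOSUBNET means it is outside every subnet dnsmasq serves.
classify_ethers() {
    ethers="$1"
    cmdline="$2"
    {
        # Pools first, so awk knows them before it sees the mappings.
        for arg in $cmdline; do
            case "$arg" in
                --dhcp-range=*) echo "POOL ${arg#--dhcp-range=}" ;;
            esac
        done
        # Strip comments and blank lines from the ethers text.
        printf '%s\n' "$ethers" | sed 's/#.*//' | awk 'NF == 2 { print "ETHER", $1, $2 }'
    } | awk '
        function ip2int(s,  o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        $1 == "POOL" {
            split($2, f, ",")
            np++
            name[np]  = f[1]
            first[np] = ip2int(f[2])
            last[np]  = ip2int(f[3])
            # Number of addresses in the subnet, e.g. 256 for 255.255.255.0;
            # the network address is the pool start rounded down to that.
            size[np]  = 4294967296 - ip2int(f[4])
            net[np]   = int(first[np] / size[np]) * size[np]
        }
        $1 == "ETHER" {
            n = ip2int($3)
            verdict = "NOSUBNET"; where = "-"
            for (i = 1; i <= np; i++) {
                if (int(n / size[i]) * size[i] == net[i]) {
                    where = name[i]
                    verdict = (n >= first[i] && n <= last[i]) ? "POOL" : "OK"
                    break
                }
            }
            print verdict, $3, $2, where
        }'
}

# Print only the problems; exit status 0 means /etc/ethers is clean.
check_ethers() {
    classify_ethers "$1" "$2" | awk 'BEGIN { bad = 0 } $1 != "OK" { print; bad = 1 } END { exit bad }'
}

# On the router:
#   check_ethers "$(cat /etc/ethers)" "$(ps w | grep '[d]nsmasq')"
# With the constructed samples above:
check_ethers "$SAMPLE_ETHERS" "$SAMPLE_DNSMASQ_CMDLINE" \
    || echo "fix /etc/ethers before relying on those addresses"
```

Run it on the router with the real inputs, as in the comment at the end, after every change to the DHCP sections or to /etc/ethers. If your `ps` output shows dnsmasq's short "-F" form instead of --dhcp-range=, adjust the case pattern accordingly.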

Install and configure Shorewall for firewalling

Now we'll use Shorewall to set up and configure a powerful iptables-based firewall. I'll mostly concentrate on configuring Shorewall to use the various network interfaces in the router. The documentation at Shorewall's site will help you set up specific rules to customize this installation, although I will provide some examples.

*Install Shorewall and iptables
If you're using a custom-built image, be sure to include Shorewall along with all the iptables-mod packages (found in the Base System configuration). If you're using a stock image, you'll need to install an array of packages:

ipkg install shorewall iptables iptables-mod-extra iptables-mod-iprange iptables-mod-ipset iptables-mod-nat iptables-mod-ulog iptables-utils

*Set up zones
Now we want to set up Shorewall to use our newly configured interfaces. What happens next may seem a bit counter-intuitive, but I'll explain after everything is set up. For now, remove all non-comment lines in /etc/shorewall/interfaces and replace them with:

wan    eth0.1        detect        routeback,norfc1918,dhcp,routefilter,nosmurfs,logmartians
loc    eth0.0        detect        routeback,dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc    wl0        detect        routeback,dhcp,tcpflags,routefilter,nosmurfs,logmartians

One caveat on the wan line: norfc1918 drops packets arriving on eth0.1 from private (RFC 1918) source addresses. If the router's WAN side sits behind another NAT device (a cable or DSL modem in router mode, for example) that device's own address is private, and norfc1918 will drop its replies; leave the option out in that case.

Now likewise purge all non-comment lines from /etc/shorewall/hosts and replace them with:

eth        eth0.0:192.168.1.0/24
wifi        wl0:192.168.2.0/24

If you changed the network settings up above, be sure to incorporate those changes here. If you have any other subnets lurking on this network (again, a VPN server is the most obvious example), you need to tell Shorewall about them by creating additional zones. For example:

vpn        eth0.0:192.168.10.0/24

Note that Shorewall allows zone names of at most five characters.

Now purge all non-comment lines from /etc/shorewall/zones and replace them with:

fw        firewall

wan        ipv4

loc        ipv4
eth:loc        ipv4
wifi:loc    ipv4

The notation 'eth:loc' tells Shorewall that 'eth' is a subzone of 'loc': a host in 'eth' is also in 'loc', and (with IMPLICIT_CONTINUE, which we set below) traffic that matches no 'eth' rule falls through to the 'loc' rules and policies.

Again, if an additional subnet exists (like our 'vpn' subnet above), add a line for it as well:

vpn:loc        ipv4

Now we've created Shorewall 'zones' representing traffic coming from each of our interfaces (and possibly from a VPN or other internal subnet as well). We initially set all traffic on both the eth0.0 (wired) and wl0 (wireless) interfaces to be in the 'loc' zone, then we further placed all wired traffic in the 'eth' zone, all wireless traffic in the 'wifi' zone, and all traffic from the VPN on the wired interface in a special 'vpn' zone. This will allow us to set up rules that govern all or any combination of these different kinds of traffic.

*Set up the firewall
Now we need to set up Shorewall to control our iptables firewalling. First we want to set up some general rules. Remove all lines between the header and the "#LAST LINE -- DO NOT REMOVE" in /etc/shorewall/policy and replace them with:

loc        wan        ACCEPT
loc        $FW        ACCEPT
$FW        loc        ACCEPT

wan        all        DROP        info

#THIS LINE MUST BE LAST
all        all        REJECT        info

This sets up Shorewall to let internal systems reach the router and the internet freely, but to drop (and log) every packet from the outside that no rule explicitly allows. Shorewall uses the first policy whose source and destination match, which is why "all all" must stay the last line.

Clearly these policies are a bit over-reaching -- we do want the outside world to be able to initiate some connections, for example, and we don't want to log every ping attempt that hits our router -- so we'll add some more specific policies. Once again, purge everything between the header and the "#LAST LINE -- DO NOT REMOVE" in /etc/shorewall/rules and insert:

# Allow local clients to use the firewall's DNS and allow the firewall to use external DNS
DNS/ACCEPT    loc    $FW
DNS/ACCEPT    $FW    wan

# Allow local clients to use the firewall's SSH without restrictions
SSH/ACCEPT    loc    $FW

# Allow the firewall to ping the WAN
ACCEPT        $FW    wan        icmp    8

# Silently drop WAN pings (to clean up the logs)
DROP        wan    $FW        icmp    8

# Allow WAN clients to use the firewall's SSH with limiters
ACCEPT        wan    $FW        tcp    22    -        -        4/min:8

Parts of the first few entries are not strictly necessary given the policies above, but we include them so that a policy change later doesn't lock us out of the router. The last line provides some rudimentary brute-force protection: the RATE LIMIT column lets through four new connections per minute on the SSH port (22) from the WAN, with a burst of eight, and connection attempts beyond that fall through to the "wan all DROP" policy (and get logged). That slows a password-guessing attack to a crawl and keeps the logs readable, but it does not make one impossible. If the router's SSH must be reachable from the WAN at all, the real protection is to turn off password logins in dropbear (the PasswordAuth option in /etc/config/dropbear) and use keys. Legitimate users will not notice the limit.

Certainly this isn't all Shorewall can do. A few other possible rules to provide more functionality:

Route VPN traffic (here TCP port 1194; OpenVPN's default is UDP 1194, so use udp if your server runs in UDP mode) to the VPN server (192.168.1.42)

# Allow WAN clients to use OpenVPN on port 1194
DNAT        wan    loc:192.168.1.42    tcp    1194

Route bittorrent traffic on particular ports to a specified host (192.168.1.42)

# Route bittorrent on 6881-6899 to 192.168.1.42
DNAT        wan    loc:192.168.1.42    tcp    6881:6899

Route SSH traffic on a nonstandard external port (2201) to a specified host (192.168.1.42)

# Allow WAN clients to use internal server's SSH with limiters
DNAT        wan    loc:192.168.1.42:22    tcp    2201    -    -    4/min:8

Note that, because we split the wired and wireless networks into separate interfaces, we can define rules that apply to only one or the other. For example, the above SSH rule could be rewritten as

# Allow WAN clients to use internal server's SSH with limiters
DNAT        wan    eth:192.168.1.42:22    tcp    2201    -    -    4/min:8

We could also force the plain HTTP requests of all wireless clients through a transparent proxy. REDIRECT sends the traffic to a port on the router itself, so this assumes the proxy runs on the router and listens on 3128; a proxy on another host needs a DNAT rule instead. Only port 80 ("www") is caught; HTTPS passes untouched:

# Force wireless HTTP traffic through a transparent proxy
REDIRECT  wifi        3128     tcp      www

Shorewall is an extremely powerful firewall system. There's plenty of great documentation at the Shorewall site if you need more help.
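The following is an added example, not part of the original HOWTO or of Shorewall: a sample policy that uses the 'wifi' subzone for the thing we split the networks for (keeping wireless clients off the wired LAN and off the router, except for what the rules file explicitly allows), together with a small check of the one thing the policy file is unforgiving about, order. Shorewall applies the first policy whose SOURCE and DEST match, and 'all' matches any zone, so a line that repeats an earlier pair, or that follows a line with 'all' in the matching column, can never take effect. The zone names are the ones defined above; both policy texts are constructed samples. POSIX sh plus awk, so it runs on the router's busybox.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall): a policy
# that uses the wifi subzone to isolate wireless clients, and an order
# check for /etc/shorewall/policy. Shorewall applies the first policy whose
# SOURCE and DEST match, and "all" matches any zone, so a line that repeats
# an earlier pair, or follows a line with "all" in the matching column, is
# dead, and "all all" must be the last line. Runs under busybox sh + awk.

# Constructed sample: the HOWTO's policy with two wifi lines in front.
# wifi -> eth : wireless clients cannot initiate anything to the wired LAN
# wifi -> $FW : nor to the router, except what the rules file allows
GOOD_POLICY='#SOURCE   DEST   POLICY   LOG LEVEL
wifi      eth    REJECT   info
wifi      $FW    DROP     info
loc       wan    ACCEPT
loc       $FW    ACCEPT
$FW       loc    ACCEPT
wan       all    DROP     info
#THIS LINE MUST BE LAST
all       all    REJECT   info'

# Constructed sample of the mistake: the same wifi lines appended at the
# end, where the "all all" line has already matched everything.
BAD_POLICY='loc       wan    ACCEPT
loc       $FW    ACCEPT
$FW       loc    ACCEPT
wan       all    DROP     info
all       all    REJECT   info
wifi      eth    REJECT   info
wifi      $FW    DROP     info'

# Report dead policies ("DEAD <n>: ...") and a missing final "all all"
# ("LASTNOTALL"). Exit status 0 means the file is in a usable order.
check_policy() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        BEGIN { bad = 0; n = 0 }
        NF >= 3 {
            n++; src[n] = $1; dst[n] = $2; line[n] = $0
            for (i = 1; i < n; i++) {
                if ((src[i] == $1 || src[i] == "all") &&
                    (dst[i] == $2 || dst[i] == "all")) {
                    printf "DEAD %d: %s (shadowed by policy %d: %s)\n", n, $0, i, line[i]
                    bad = 1
                    break
                }
            }
        }
        END {
            if (n == 0 || src[n] != "all" || dst[n] != "all") {
                print "LASTNOTALL: the final policy must be \"all all\""
                bad = 1
            }
            exit bad
        }'
}

# On the router:
#   check_policy "$(cat /etc/shorewall/policy)" && shorewall check
check_policy "$GOOD_POLICY" && echo "sample policy: order ok"
check_policy "$BAD_POLICY" || echo "sample with wifi lines last: dead policies"
```

Once 'wifi' has its own policy toward $FW, wireless traffic for that pair no longer falls through to the 'loc' rules, so add the rules wireless clients still need to /etc/shorewall/rules, at least "DNS/ACCEPT wifi $FW" (DHCP is already taken care of by the dhcp option in the interfaces file). Putting the subzone lines first also keeps the file readable: specific before general.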

*Other configuration bits
First we need to set up IP masquerading. This is what you expect a hardware firewall/router to do: rewrite the source address of packets leaving for the internet to the router's WAN address, so that replies come back to the router and it can hand them to the internal host that asked. In /etc/shorewall/masq the first column is the interface the packets go OUT of (the WAN, eth0.1) and the second is the internal interface or subnet whose addresses are to be hidden. Again clear everything between the header and the "#LAST LINE" of /etc/shorewall/masq and add:

eth0.1        eth0.0
eth0.1        wl0

Getting the two columns backwards is an easy mistake to make, and the result is a firewall that forwards packets but never translates them, so nothing on the LAN can reach the internet. Once Shorewall is running, every MASQUERADE rule in the nat table's POSTROUTING chain should name eth0.1 as its outgoing interface.

We also need to set the routestopped parameters. The /etc/shorewall/routestopped file tells Shorewall which traffic to keep passing while the firewall is stopped, either because a start failed or because it was stopped from the command line; everything not listed there is blocked in that state, including WAN access to the router. We want to be sure that local packets can still move about, so we'll purge everything between the header and the "#LAST LINE" and add:

eth0.0        -            routeback
wl0        -            routeback

*Enable Shorewall
The default install of Shorewall in OpenWRT is disabled so it doesn't break your router. Edit /etc/shorewall/shorewall.conf and make sure it contains the following lines:

STARTUP_ENABLED=Yes

IMPLICIT_CONTINUE=Yes

The first you will have to change; it should be the first non-comment line in the file. The second should already be set, but check it to make sure; if it is not set, nothing we did above will work.

*Test and start Shorewall
Now that all our settings are in place, it's time to test and start Shorewall. Run a quick

shorewall check

to make sure that all the pieces fit together. If there are any errors, disable Shorewall using the /etc/shorewall/shorewall.conf setting and find some help. If there are not, however, go ahead and

shorewall start

After what may take up to a few minutes of compiling, Shorewall will take over firewalling on your router.

(Last edited by existentialhero on 16 Sep 2007, 07:12)