I want to serve wireless clients with two different networks -- an authenticated network (using WPA2-EAP) with unrestricted access to my local network, and an unauthenticated network (using WPA2-PSK) with heavily restricted access. Neither wireless network will be bridged to the wired LAN. Yes, this setup suggests that I am paranoid. The meat of this howto will be in setting up the physical networks; you can use them however you like, with whatever authentication and encryption systems you see fit, to meet whatever needs you may have. Moreover, the setup is extensible, allowing more wireless networks to be added easily. There are some hardware restrictions on the number of AP's a single WRT can serve; see the Kamikaze configuration page on the wiki for more details.

1. Set up virtual networks
This is the part that looks the most like voodoo. OpenWRT doesn't like to set up the virtual wireless networks without a physical network to bind them to, but we don't want to bridge our wireless and wired networks. Hence, we create some special vlans to serve our purposes.

/etc/config/network:

#### VLAN configuration 
config switch eth0
    option vlan0    "0 1 2 3 5*"
    option vlan1    "5"
    option vlan2    "5"
    option vlan4    "4 5"


#### Loopback configuration
config interface loopback
    option ifname    "lo"
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0

#### Wired LAN configuration
config interface wired
    option type    "bridge"
    option ifname    "eth0.0"
    option proto    static
    option ipaddr    192.168.1.1
    option netmask    255.255.255.0
    option gateway    192.168.1.1
    option dns    192.168.1.1

#### Wireless LAN configuration
config interface wlsec
    option type    "bridge"
    option ifname    "eth0.1"
    option proto    static
    option ipaddr    192.168.2.1
    option netmask    255.255.255.0
    option gateway    192.168.2.1
    option dns    192.168.2.1

config interface wlunsec
    option type    "bridge"
    option ifname    "eth0.2"
    option proto    static
    option ipaddr    192.168.3.1
    option netmask    255.255.255.0
    option gateway    192.168.3.1
    option dns    192.168.3.1

#### WAN configuration
config interface    wan
    option type    "bridge"
    option ifname    "eth0.4"
    option proto    dhcp

Note that I've set up all four interfaces as bridges. This isn't necessary in the cases of 'wired' and 'wan', but it gives us some consistency in our nomenclature, which makes everything easier to keep track of. The two wireless interfaces must be configured as bridges for the magic to work. 
However, this bridging means that all the networks will have new names; the WAN will be 'br-wan', the wired LAN will be 'br-wired', and so forth.

2. Set up the wireless interfaces
Now we just need to configure these wireless interfaces. This actually works exactly the way you'd expect, but I'll include a configuration example for clarity's sake:

/etc/config/wireless:

config wifi-device  wl0
    option type     broadcom
    option channel  11

config wifi-iface
    option device    wl0
    option network    wlsec
    option mode    'ap'
    option ssid    'openwrt-eap'
    option encryption 'wpa2'
    option key    'youreapsharedsecret'
    option server    '127.0.0.1'
    option port    '1812'

config wifi-iface
    option device   wl0
    option network    wlunsec
    option mode     'ap'
    option ssid     'openwrt-psk2'
    option encryption 'psk2'
    option key    'yourwpa2psk'

As you might guess, this will provide a WPA2-EAP-secured network with SSID 'openwrt-eap' and a WPA2-PSK-secured network with SSID 'openwrt-psk2'. (Hint: don't try to use this configuration verbatim unless you have a FreeRADIUS server set up already and know how to operate it.)
You can use the rest of the /etc/config files to configure these networks just as you normally would.

Don't forget to set up routing on your new networks.

To add more wireless networks, just add a new vlan and a new stanza each in /etc/config/network and /etc/config/wireless corresponding to the ones outlined above.

(Last edited by existentialhero on 16 Sep 2007, 07:15)

Hi,

Why would you want to do this?   I mean--is there someway you can alter what each SSID has access to?

-Rich

(Last edited by flowersrj on 20 Sep 2007, 00:26)

Yes. The network interfaces br-wlunsec and br-wlsec are separate, so you can firewall them separately in iptables. I have mine set up so that traffic from wlsec can pass uninhibited to the wired network and to the internet but traffic from wlunsec can pass only to the internet, so authentication is needed to access the subnet that hosts my server and sensitive data. Basically, anything you normally could do with subnets and iptables you could do to your disjoint wireless networks with this kind of setup.

I was wondering if you might post a snippet of the iptables configuration you are talking about.   I am looking to do the exact same thing with my wlan.  Thank you!!

Thanks for the HOWTO... One question though.

I was testing with multiple SSID's on the same AP, and found out the windows clients do not like Multiple SSID's with the same base station id ( MAC of AP ) they get all confused. Did this work for you on windows clients??

thanks, michael

When a particular AP is hosting multiple wireless networks what is happening is really quite strange. First a little background:

A normal AP sends out a packet every so often (usually 10 times a second) telling everyone on the channel that is exists and what its capabilities are, this packet is called a "beacon".  In theory to discover an AP all you have to do is listen on a channel for these beacons, such applications like Kismet do just this.

However, most clients are too impatient for this and will send out a packet ("Probe Request") to everyone on the channel asking for there name and capabilities.  Only APs respond, and they do so with a "Probe Response" packet.

Now, for an AP that hosts multiple networks it only beacons for the primary wireless network.  However, when it is queried (receives a probe request) the AP will send out two probe responses, one for the primary network and one for the secondary network.  This is how the second network is advertised.

The problem lies here, a client doesn't have to send out a probe request to be fully standards compliant; in fact, in some countries it is illegal.  In these cases all that is seen is the primary network.

I hope this gives a little more insight into the situation at hand. 

An iptables script firewalling the two wifi ssid's would be great, is it possible to post?

Many thanks

Oops, sorry guys. I've been pretty busy this semester and forgot to check back in on this topic. The iptables code that makes all of this work is actually very simple. The two different networks we set up actually do appear to be separate network interfaces to the kernel, but there is a trick: they're bridge interfaces, in this case called "br-wlsec" and "br-wlunsec". You can use these in any iptables scripts you wish to do whatever you want. For example, if you've set things up to default to dropping all packets but you want to allow traffic between the secured wireless and the wired LAN (this is how I do things), you'd need two lines like these:

        iptables -A FORWARD -i eth0.0 -o br-wlsec -m state --state NEW -j ACCEPT 
        iptables -A FORWARD -i br-wlsec -o eth0.0 -m state --state NEW -j ACCEPT

Note that this is not necessarily compatible with the /etc/config/firewall system used in Kamikaze. I don't really know how to work that, so you'd probably want to check with people who do if you want to stay within that system.

Assuming you're running your own scripts, though, this should get it done. Just be aware that now any time you have a packet filter that is source-aware, you'll have to do "br-wlsec" and "eth0.0" entries separately, as packets on these two interfaces will no longer be picked up by the same filters. However, if (as I do) you do most of your packet filtering in POSTROUTING and don't pay attention to source, this won't be a problem.

Let me know if you guys need anything else on this subject. (I am subscribed to the topic now, so if anyone asks any further questions I'll actually come back in a reasonable time.)

(Last edited by existentialhero on 10 Dec 2007, 15:52)

Thanks for the post, i can confirm that with the config below, the wireless can ping out onto the restricted lan and i dont understand why. When i added the eth0 vlan i had to explicitly allow the connections from vlan1 to vlan0 otherwise it was being blocked by iptables.

This is with kamikazi but i dont understand why, apart from being a bridge, the wireless is allowed by default packets to pass between the wireless and restricted internal networks.

Any ideas or should i post in kamikazi forum?

Many thanks again,

Chris

/etc/firewall.user

#!/bin/sh
# Copyright (C) 2006 OpenWrt.org

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables        -A forwarding_wan -d 192.168.1.2 -j ACCEPT

iptables -A forwarding_rule -i eth0.0 -o eth0.1 -j ACCEPT
iptables -A forwarding_rule -i eth0.1 -o eth0.0 -j ACCEPT
iptables -A forwarding_rule -i eth0.1 -o eth0.2 -j ACCEPT

/etc/config/network

#### VLAN configuration
config switch eth0
    option vlan0    '1 2 5*'
    option vlan1    '3 4 5*'
    option vlan2    '0 5*'
    option vlan3    '5'

#### Loopback configuration
config interface loopback
    option ifname    "lo"
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0

#### LAN configuration
config interface lan
    option ifname    'eth0.0'
    option proto    static
    option ipaddr    '192.168.2.1'
    option netmask    255.255.255.0
    option gateway    ''
    option dns    ''

config interface lanmgmt
    option ifname    'eth0.1'
    option proto    static
    option ipaddr    '192.168.1.1'
    option netmask    255.255.255.0
    option gateway    ''
    option dns    ''
   
#### WAN configuration
config interface    wan
    option ifname    "eth0.2"
    option proto    'static'
    option dns    '213.132.33.15'
    option ipaddr    ''
    option netmask    '255.255.255.252'
    option gateway    ''

config interface wlunsec
    option type    "bridge"
    option ifname    "eth0.3"
    option proto    static
    option ipaddr    10.0.0.1
    option netmask    255.255.255.0
    option gateway    ''
    option dns    ''

/etc/init.d/firewall

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

## Please make changes in /etc/firewall.user
START=45
start() {
    include /lib/network
    scan_interfaces
    config_load /var/state/network
   
    config_get WAN wan ifname
    config_get WANDEV wan device
    config_get LAN lan ifname
   
    ## CLEAR TABLES
    for T in filter nat; do
        iptables -t $T -F
        iptables -t $T -X
    done
   
    iptables -N input_rule
    iptables -N input_wan
    iptables -N output_rule
    iptables -N forwarding_rule
    iptables -N forwarding_wan

    iptables -t nat -N NEW
    iptables -t nat -N prerouting_rule
    iptables -t nat -N prerouting_wan
    iptables -t nat -N postrouting_rule
   
    iptables -N LAN_ACCEPT
    [ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
    [ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
    iptables -A LAN_ACCEPT -j ACCEPT
   
    ### INPUT
    ###  (connections with the router as destination)
   
    # base case
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP
   
    #
    # insert accept rule or to jump to new accept-check table here
    #
    iptables -A INPUT -j input_rule
    [ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
   
    # allow
    iptables -A INPUT -j LAN_ACCEPT    # allow from lan/wifi interfaces
    iptables -A INPUT -p icmp    -j ACCEPT    # allow ICMP
    iptables -A INPUT -p gre    -j ACCEPT    # allow GRE
   
    # reject (what to do with anything not allowed earlier)
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
   
    ### OUTPUT
    ### (connections with the router as source)
   
    # base case
    iptables -P OUTPUT DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
   
    #
    # insert accept rule or to jump to new accept-check table here
    #
    iptables -A OUTPUT -j output_rule
   
    # allow
    iptables -A OUTPUT -j ACCEPT        #allow everything out
   
    # reject (what to do with anything not allowed earlier)
    iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
   
    ### FORWARDING
    ### (connections routed through the router)
   
    # base case
    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
   
    #
    # insert accept rule or to jump to new accept-check table here
    #
    iptables -A FORWARD -j forwarding_rule
    [ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
   
    # allow
    iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
    [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
   
    # reject (what to do with anything not allowed earlier)
    # uses the default -P DROP
   
    ### MASQ
    iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
    iptables -t nat -A PREROUTING -j prerouting_rule
    [ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
    iptables -t nat -A POSTROUTING -j postrouting_rule
    [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
        iptables -t nat -A NEW -j DROP

    ## USER RULES
    [ -f /etc/firewall.user ] && . /etc/firewall.user
    [ -n "$WAN" -a -e /etc/config/firewall ] && {
        export WAN
        awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
    }
}

stop() {
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    iptables -X
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t nat -X
}

I don't see anything right away, but I'm not exactly an iptables guru. You might want to try to find one. Otherwise, the output of "iptables -L" might shed some light on the situation.

(Last edited by existentialhero on 11 Dec 2007, 06:48)

Hello,
I would like to have a same network setup but a bit simpler.

I want my lan ports and a wifi/psk to be on a same lan: 192.168.2.1/24

Then I want a public wlan  which has a 192.168.3.1/24 netwok address

In your set up, you create 2 vlan for your two wlans:

    option vlan1    "5"
    option vlan2    "5"

My question is if they have to be on 2 different vlans. If yes why ? Wouldn't it be possible just to have two wlans (192.168.2.1 and 192.168.3.1) which are on the same vlan ?

Thanks for your help,
Tex.

Using separate VLANs causes the kernel to create separate interface devices for the two WLANs, which can then be handled separately by the firewall, by your DHCP server, and so forth. If you connect them to the same VLAN, they'll be the same interface where the kernel's networking code is concerned, just with two different ways to attach to it wirelessly.

(Note: I may have misinterpreted the way these things work entirely, so if someone more knowledgeable about the actual inner workings of the networking subsystem comes along, please correct me.)

When I try this setup (or/and at least a very similar one) I get an error:

Configuration file: /var/run/hostapd-wlan0.conf
ifuFailed to update rate sets in kernel module
Mode: IEEE 802.11g  Channel: 5  Frequency: 2432 MHz
Failed to set CTS protect in kernel driver
Failed to set Short Slot Time option in kernel driver
Could not set preamble for kernel driver
Using interface wlan0 with hwaddr 00:23:69:21:dc:14 and ssid 'OpenWrt'
p athFailed to set CTS protect in kernel driver
Failed to set Short Slot Time option in kernel driver
Could not set preamble for kernel driver
0Configuration file: /var/run/hostapd-wlan0.conf
Failed to create interface mon.wlan0.
nl80211 driver initialization failed.
enable_mac80211(wlan0): Failed to set up wpa for interface wlan0

I get those "Failed to set" errors also when running in single wifi setup, but wireless works fine. What dazzles me is that it says it cannot setup WPA for interface wlan0 although I specified wep for the second wireless lan. Here are my settings:

/etc/config/network

config 'switch' 'eth0'
        option 'vlan0' '0 1 2 3 5*'
        option 'vlan1' '4 5'
        option 'vlan2' '5'
#       option 'vlan3' '5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'macaddr' ''
        option 'ip6addr' ''
        option 'gateway' ''
        option 'ip6gw' ''
        option 'dns' ''

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'pppoe'
        option 'macaddr' ''
        option 'vpi' ''
        option 'vci' ''
        option 'defaultroute' '1'
        option 'ipaddr' ''
        option 'ip6addr' ''
        option 'netmask' ''
        option 'gateway' ''
        option 'ip6gw' ''
        option 'dns' ''
        option 'username' '???????????'
        option 'password' '???????????'
        option 'mtu' '1500'
        option 'keepalive' '10'
        option 'ppp_redial' 'persist'

#config 'interface' 'closedwifi'
#       option 'type' 'bridge'
#       option 'ifname' 'eth0.3'
#       option 'ipaddr' '192.168.3.1'
#       option 'netmask' '255.255.255.0'
#       option 'gateway' '192.168.3.1'
#       option 'dns' '192.168.3.1'


config 'interface' 'openwifi'
        option 'type' 'bridge'
        option 'ifname' 'eth0.2'
        option 'proto' 'static'
        option 'ipaddr' '192.168.2.1'
        option 'netmask' '255.255.255.0'
        option 'gateway' '192.168.2.1'
        option 'dns' '192.168.2.1'

/etc/config/wireless

config 'wifi-device' 'wlan0'
        option 'type' 'mac80211'
        option 'channel' '5'
        option 'disabled' '0'

config 'wifi-iface'
        option 'device' 'wlan0'
        option 'network' 'lan'       # 'closedwifi'
        option 'mode' 'ap'
        option 'ssid' 'OpenWrt'
        option 'key' '????????????'
        option 'encryption' 'psk2'

config 'wifi-iface'
        option 'device' 'wlan0'
        option 'network' 'openwifi'
        option 'mode' 'ap'
        option 'ssid' 'OtherWrt'
        option 'encryption' 'wep'
        option 'key' '??????????????'

The removed lines are an alternative configuration closer to the one from the original post that I also tried to same result.
Anyone any hints or suggestions to what happens and why it won't work?

Are you using Kamikaze 8.09?

I read somewhere that there is some issues with the multiple ssid in that version.

I'm also looking for a solution...

After an attempted upgrade, I'm now having similar problems to yours. I'm not sure what's going on here. There may be some fixes in recent trunk, but it's refusing to build for me, so I can't confirm that yet.

I tried this on a wrt54g v2.2 with KAMIKAZE (8.09.2, r18961) but the second wifi link never shows up and I can only connect to the first one. I would like to have a psk2 protected wifi linked to the ethernet vlan and a second open or wep encrypted wifi with only access to the internet. Is this even possible? Seems like some people are able to do this with openwrt but I can't get it to happen. Thanks for any help

(Last edited by xamindar on 8 Feb 2010, 02:57)