Basically I want to implement this [url]http://wiki.openwrt.org/HotspotOpenvpnHowto[/url] in Kamikaze, working within the default firewall scripts. The VPN on the wlan would be great, but not essential.
I've successfully broken the bridge, and I have DNSMasq assigning IPs correctly to wlan clients, DNS working for them, and they are getting WAN access. Also the LAN is working correctly. The two last hurdles:
1) For some reason wlan clients get crappy service. Ping times are spastic, often 20 times longer than LAN ping times. Also there is often significant packet loss on the wlan.
2) The isolation is incomplete. For some reason wifi clients can get a crappy, slow ssh session on the router. When I add rules that break this connection they always seem to also break the wlan to WAN connection. I've seen several example rules and they are all different, like:
http://forum.openwrt.org/viewtopic.php?pid=70559#p70559
and then
http://www.dd-wrt.com/wiki/index.php/Se … N_and_WLAN
and the rules in the wiki post too. Not sure where / how to drop wlan - LAN traffic without breaking wlan - WAN.
Here are some relevant files.
root@OpenWrt:~# cat /etc/config/network
#### VLAN configuration
config switch eth0
option vlan0 "1 2 3 4 5*"
option vlan1 '0 5*'
#### Loopback configuration
config interface loopback
option ifname "lo"
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0
#### LAN configuration
config interface lan
option type bridge
option ifname "eth0.0"
option proto static
option ipaddr 192.168.2.1
option netmask 255.255.255.0
config interface wlan
option type bridge
option ifname 'wl0'
option proto static
option ipaddr 192.168.1.1
option netmask 255.255.255.0
#### WAN configuration
config interface wan
option ifname "eth0.1"
option proto static
option ipaddr ****
option gateway ****
option netmask 255.255.255.248
option dns ****
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device wl0
option type broadcom
option channel 5
option disabled '1'
option maxassoc '50'
option distance '100'
# REMOVE THIS LINE TO ENABLE WIFI:
config wifi-iface
option device wl0
option network 'wlan'
option mode ap
option ssid 'OpenWrt'
option encryption none
option hidden '0'
option isolate '1'
option bgscan '0'
option wds '0'
/etc/firewall.user (flushes and forwards omitted)
#let out wifi packets
WLAN=br-wlan
iptables -F WIFI_ACCEPT
iptables -X WIFI_ACCEPT
iptables -N WIFI_ACCEPT
# do i need something like
# iptables -A WIFI_ACCEPT -i $LAN -j RETURN
# so that this is really just accepting packets from WLAN?
iptables -A WIFI_ACCEPT -i $WAN -j RETURN
iptables -A WIFI_ACCEPT -j ACCEPT
iptables -A input_rule -j WIFI_ACCEPT
iptables -A forwarding_rule -i $WLAN -o $WAN -j ACCEPT
iptables -A forwarding_rule -i $WAN -o $WLAN -j ACCEPT
# no wlan to lan ???
#iptables -A forwarding_rule -i $WLAN -o $LAN -j DROP
#iptables -A input_rule -i $WLAN -j DROP
#iptables -A forwarding_rule -s 192.168.1.0/16 -d 192.168.2.0/16 -j DROP
#iptables -A input_rule -s 192.168.1.0/16 -j DROP
I also have this line in /etc/dnsmasq.conf
dhcp-option=3,192.168.1.1
And honestly I don't understand how that part works. What I think is happening is: this sets the default route of all DHCP clients on the wlan. If they create packets that can't be resolved on the wlan, then their interfaces will send them to 192.168.1.1, where they will enter the router. If I'm right about that, at that point do they go through the INPUT branch, or the FORWARD branch?
http://wiki.openwrt.org/OpenWrtDocs/IPTables
They are targeted to the router, but they are actually intended to wind up somewhere on the net. Despite hours of Wikipedia reading I still don't have a grasp on this basic concept of routing.
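An added example (not part of the post above, and not OpenWrt's own firewall code) of how the two questions fit together. Packets whose destination IP is one of the router's own addresses (192.168.1.1 for ssh, DHCP, DNS) go through INPUT, which is why the snippet's WIFI_ACCEPT chain, appended to input_rule and accepting everything that did not arrive on $WAN, lets wlan clients ssh in. Packets that only use 192.168.1.1 as their default gateway, with a destination on the Internet or on the LAN, go through FORWARD instead, so a drop in input_rule never affects wlan-to-WAN forwarding and a wlan-to-LAN drop belongs in forwarding_rule. The script below assumes the Kamikaze input_rule / forwarding_rule hooks and the $LAN / $WAN variables the post's firewall.user relies on, uses the /24 subnets from the posted /etc/config/network (the commented /16 masks would cover both networks at once), and can be previewed without touching the kernel by setting IPT to a dry-run function.

```shell
#!/bin/sh
# Added example for WLAN isolation in Kamikaze firewall.user (not the post's code).
# Assumptions: LAN and WAN are exported by the firewall script (defaults below are
# placeholders), the wlan interface is the bridge br-wlan, and the subnets are the
# /24s shown in the post's /etc/config/network.

IPT="${IPT:-iptables}"
WLAN="${WLAN:-br-wlan}"
LAN="${LAN:-br-lan}"
WAN="${WAN:-eth0.1}"
WLAN_NET="192.168.1.0/24"   # /24, not /16: 192.168.0.0/16 would also match the LAN
LAN_NET="192.168.2.0/24"

apply_wlan_isolation() {
    # INPUT path: packets addressed to the router itself. Hotspot clients only
    # need DHCP and DNS from it; everything else (ssh, web UI) is dropped here,
    # which does not touch forwarded traffic at all.
    $IPT -A input_rule -i "$WLAN" -p udp --dport 67 -j ACCEPT
    $IPT -A input_rule -i "$WLAN" -p udp --dport 53 -j ACCEPT
    $IPT -A input_rule -i "$WLAN" -p tcp --dport 53 -j ACCEPT
    $IPT -A input_rule -i "$WLAN" -j DROP

    # FORWARD path: packets that merely transit the router. Drop both directions
    # between WLAN and LAN before any broad accept; match on interfaces and, as a
    # second line of defence, on addresses.
    $IPT -A forwarding_rule -i "$WLAN" -o "$LAN" -j DROP
    $IPT -A forwarding_rule -i "$LAN" -o "$WLAN" -j DROP
    $IPT -A forwarding_rule -s "$WLAN_NET" -d "$LAN_NET" -j DROP
    $IPT -A forwarding_rule -s "$LAN_NET" -d "$WLAN_NET" -j DROP

    # WLAN -> WAN is allowed outbound; inbound WAN -> WLAN only for replies to
    # those flows, instead of a blanket accept of everything from the WAN.
    $IPT -A forwarding_rule -i "$WLAN" -o "$WAN" -j ACCEPT
    $IPT -A forwarding_rule -i "$WAN" -o "$WLAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run helper: prints each rule instead of installing it.
dry_run() {
    echo "$*"
}

# Preview the full rule set (runs in a subshell so IPT is not changed globally).
preview_rules() (
    IPT=dry_run
    apply_wlan_isolation
)
```

To install the rules, source the file from /etc/firewall.user after the flushes and call apply_wlan_isolation; to check what would be installed first, run preview_rules. The order matters: the WLAN-to-LAN drops must come before the WLAN-to-WAN accept, and the ESTABLISHED,RELATED match is what keeps return traffic working after the blanket WAN-to-WLAN accept from the original snippet is removed.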