OpenWrt Forum Archive

Topic: How To: Secure wifi bridge

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Like many people, I have systems which I don't want to put wireless interfaces on directly. Instead, I just want to hook them up to my network through a network device running OpenWrt. However, I don't want to deal with a routed segment, since that causes all kinds of hassle with service discovery. Instead, I want to bridge, circumventing lots of issues.

If you search this forum, you'll find people saying, over and over, "You have to use routed client mode". For some hardware, they're right - this doesn't work with all wireless interfaces. Why? I don't know - if you figure it out, please let me know. However, this does work on at least one system, the WRT54G ver 2.0. I believe it should work on all systems with Broadcom wireless, but I haven't tested it on any others.

The setup is trivial. First, install Kamikaze 8.09.1. Connect via telnet, set a root password, disable telnet, and reconnect via SSH. Time to edit some config files!

# /etc/config/network
#### VLAN configuration
config switch eth0
        option vlan0    "1 2 3 4 5*"
        option vlan1    "0 5"


#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   192.168.0.2
        option netmask  255.255.255.0
        option gateway  192.168.0.1
        option dns      192.168.0.1

#### WAN configuration
config interface wan
        option ifname   "eth0.1"
        option proto    dhcp

Replace the ipaddr and gateway with the ones of your choice. The gateway points to the primary router for your network. wan is left set to DHCP in this example, but there's no reason why you couldn't combine that port into the LAN by simply modifying the vlan lines. That's a topic for another document, though.

Next up, set up the wireless.

# /etc/config/wireless
config wifi-device  wl0
        option type     broadcom
        option channel  11

config wifi-iface
        option device   wl0
        option network  lan
        option mode     sta
        option ssid     yourssid
        option encryption psk2
        option key 'a key for all doors'

Replace the channel, ssid, encryption type, and key with appropriate values for your network.

Lastly, and be sure not to miss this step! Turn off dnsmasq. Otherwise systems connected to the router via ethernet will get an IP from it, not from your main router. I also disabled the firewall at this step. Do this by deleting S45firewall and S60dnsmasq from /etc/rc.d/.

Save, reboot, and you should be done! Confirm that you can connect to the box via the wireless, and that a system connected to it via wired interface gets an IP address and can connect to other systems on the local network and the internet.

OPEN QUESTIONS:
What systems does this work on?
How can we make this work on other systems?
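The procedure above has three places where a slip silently breaks the bridge or leaves the wired side exposed: the lan section must be `type bridge`, the wifi-iface must point at `network lan` in `mode sta`, and dnsmasq has to be off. The script below is an added example written for this archive page, not code from the original poster or from OpenWrt. It lints a network/wireless config pair and an rc.d directory for exactly those points plus a weak-encryption check. Assumptions: the two files are in the UCI text form shown in the post, enabled services appear as `S??name` symlinks in rc.d, `uci_opt` is a small awk stand-in for `uci get` (so the check can run off the router), and the WPA passphrase length rule (8 to 63 characters, or 64 hex digits) is the standard one. The sample config files it writes are constructed from the post's own text.

```shell
# Lint an OpenWrt Kamikaze bridged-client setup for the pitfalls the post names.
# Added example, not from the thread. Assumptions: /etc/config/network and
# /etc/config/wireless in the UCI text form shown above, rc.d holding S??name
# symlinks, and uci_opt as an awk stand-in for 'uci get' so it runs off-box.

# uci_opt FILE TYPE NAME OPTION: print OPTION from the first "config TYPE NAME"
# section (NAME "" = first section of that TYPE), surrounding quotes stripped.
uci_opt() {
    awk -v type="$2" -v name="$3" -v opt="$4" -v sq="'" '
        $1 == "config" { insec = ($2 == type && (name == "" || $3 == name)); next }
        insec && $1 == "option" && $2 == opt {
            v = $3; for (i = 4; i <= NF; i++) v = v " " $i
            gsub("[\"" sq "]", "", v); print v; exit
        }' "$1"
}

# check_bridge_config NETWORK WIRELESS RCD_DIR: print findings, return the number
# of hard failures (0 = wired hosts get bridged onto the WLAN the way the post intends).
check_bridge_config() {
    net=$1; wifi=$2; rcd=$3; fails=0
    [ "$(uci_opt "$net" interface lan type)" = bridge ] ||
        { echo "FAIL: lan needs 'option type bridge' or wl0 cannot join it"; fails=$((fails + 1)); }
    [ "$(uci_opt "$wifi" wifi-iface "" network)" = lan ] ||
        { echo "FAIL: wifi-iface 'option network' must be lan"; fails=$((fails + 1)); }
    [ "$(uci_opt "$wifi" wifi-iface "" mode)" = sta ] ||
        { echo "FAIL: wifi-iface must be 'option mode sta' (client, not AP)"; fails=$((fails + 1)); }
    enc=$(uci_opt "$wifi" wifi-iface "" encryption)
    key=$(uci_opt "$wifi" wifi-iface "" key)
    case "$enc" in
        psk2*|psk-mixed*) echo "ok:   encryption $enc (WPA2-PSK)" ;;
        psk*) echo "WARN: encryption $enc is WPA1/TKIP; prefer psk2" ;;
        *) echo "FAIL: encryption '$enc' is open or WEP; every wired host behind the bridge is exposed"
           fails=$((fails + 1)) ;;
    esac
    # WPA passphrase must be 8-63 characters (64 = raw hex PSK); shorter is rejected
    case "$enc" in psk*)
        [ ${#key} -ge 8 ] && [ ${#key} -le 64 ] ||
            { echo "FAIL: key is ${#key} chars, needs 8-63"; fails=$((fails + 1)); } ;;
    esac
    for f in "$rcd"/S[0-9][0-9]dnsmasq; do   # the step the post says not to miss
        [ -e "$f" ] || [ -L "$f" ] || continue
        echo "FAIL: $f present; dnsmasq would hand out leases instead of the main router"
        fails=$((fails + 1))
    done
    for f in "$rcd"/S[0-9][0-9]firewall; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        echo "note: $f present (the post deletes it, but that is a choice, not a requirement)"
    done
    return $fails
}

# make_sample_dir DIR: write the post's two config files plus an rc.d directory
# into DIR. Constructed sample input so the check runs without a router.
make_sample_dir() {
    mkdir -p "$1/rc.d"
    cat > "$1/network" <<'EOF'
config switch eth0
        option vlan0    "1 2 3 4 5*"
        option vlan1    "0 5"
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   192.168.0.2
        option netmask  255.255.255.0
        option gateway  192.168.0.1
config interface wan
        option ifname   "eth0.1"
        option proto    dhcp
EOF
    cat > "$1/wireless" <<'EOF'
config wifi-device  wl0
        option type     broadcom
        option channel  11
config wifi-iface
        option device   wl0
        option network  lan
        option mode     sta
        option ssid     yourssid
        option encryption psk2
        option key 'a key for all doors'
EOF
}

# break_sample_dir DIR: reintroduce the two mistakes the post warns about.
break_sample_dir() {
    sed 's/encryption psk2/encryption none/' "$1/wireless" > "$1/w.tmp" && mv "$1/w.tmp" "$1/wireless"
    ln -s ../init.d/dnsmasq "$1/rc.d/S60dnsmasq"
}

# Stand-alone demo: the posted config passes, the broken copy reports 2 failures.
demo=$(mktemp -d)
make_sample_dir "$demo"
check_bridge_config "$demo/network" "$demo/wireless" "$demo/rc.d"; echo "failures: $?"
break_sample_dir "$demo"
check_bridge_config "$demo/network" "$demo/wireless" "$demo/rc.d"; echo "failures: $?"
rm -r "$demo"
```

On the router itself, run `check_bridge_config /etc/config/network /etc/config/wireless /etc/rc.d` after editing and before the reboot the post calls for; a non-zero return means one of the listed conditions is not met. The firewall line is reported as a note rather than a failure because the post removes S45firewall by preference, not necessity.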

I don't think that a bridged vs. routed client is any less secure. A routed client *could* be more secure, if the router ran an additional firewall, but I prefer to secure at the edge of the network rather than the interior, since I'm not using any sort of DMZ design.

I'm not sure what you mean about my posting server being in France. I'm in the US, at any rate. The installation is indoors.

Did you post to the wrong thread?

The discussion might have continued from here.