I set this up a little while ago on Kamikaze, and have recently migrated my units to Backfire. Thankfully the process is seamless; I just had to update my opkg sources and re-install a couple of things. Anyways, I'll provide the output of my configs for anyone who is interested.
The benefits of this setup:
-dual wifidog daemons, each bound to a different SSID
-dual SSIDs, 1 encrypted, 1 not (we use 1 for staff, one for guests)
-locked down remote access via iptables
We are using the 2.4 kernel, and the proprietary Broadcom driver. I won't go into flashing/basic setup instructions since this is covered elsewhere, so this assumes that you have already flashed your device with Backfire and are able to SSH into it. You also have an IP address configured and your device is able to access the web.
It is also assumed that you have a basic understanding of how wifidog works/what it does, and have already set up your authentication server on a separate box that is accessible from the internet.
1) First, let's update our package list with the following command:
opkg update
2) Next let's install the wifidog daemon. The package in the repos is kind of old but still accomplishes what we need done. I also prefer to edit files using nano, so we'll install that as well:
opkg install wifidog
opkg install nano
3) Next we'll set up our SSIDs, firewall rules, etc. To start, change to your config directory:
cd /etc/config
4) We'll first set up our SSIDs. As you can see, one of mine is encrypted, one is not. Feel free to set this up how you choose:
nano /etc/config/wireless
config 'wifi-device' 'wl0'
    option 'type' 'broadcom'
    option 'channel' '1'

config 'wifi-iface'
    option 'device' 'wl0'
    option 'network' 'lan'
    option 'mode' 'ap'
    option 'encryption' 'none'
    option 'ssid' 'YOUR SSID#1 NAME'

config 'wifi-iface'
    option 'device' 'wl0'
    option 'network' 'lan2'
    option 'mode' 'ap'
    option 'encryption' 'psk2'
    option 'key' 'YOUR ENCRYPTION KEY'
    option 'ssid' 'YOUR SSID#2 NAME'
Close and save your file (control x, then y)
5) Next we are going to set up our VLANs. I have the LAN ports on the back in my guest/unencrypted VLAN. The only port in my secured VLAN is the wireless transmitter. Change the IP address on the eth0.1 VLAN to match the IP address, subnet, etc. that your ISP has assigned you.
nano /etc/config/network
#### VLAN configuration
config switch eth0
    option enable 1

config switch_vlan eth0_0
    option device "eth0"
    option vlan 0
    option ports "0 1 2 3 5"

config switch_vlan eth0_1
    option device "eth0"
    option vlan 1
    option ports "4 5"

config switch_vlan eth0_2
    option device "eth0"
    option vlan 2
    option ports "5"

#### Loopback configuration
config interface loopback
    option ifname "lo"
    option proto static
    option ipaddr 127.0.0.1
    option netmask 255.0.0.0

#### LAN configuration
config interface lan
    option type bridge
    option ifname "eth0.0"
    option proto static
    option ipaddr 192.168.1.1
    option netmask 255.255.255.0

#### WAN configuration
config interface wan
    option type bridge
    option ifname "eth0.1"
    option proto static
    option ipaddr 1.1.1.1
    option netmask 255.255.255.0
    option gateway 1.1.1.1
    option dns 2.2.2.2

#### LAN2 configuration
config interface lan2
    option type bridge
    option ifname "eth0.2"
    option proto static
    option ipaddr 192.168.2.1
    option netmask 255.255.255.0
Close and save your file (control x, then y and enter)
(Last edited by Hinzel on 25 May 2010, 00:28)
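
Added example, not part of the original post: a check that parses a UCI wireless config like the one in step 4 and confirms the open SSID and the encrypted SSID are attached to different networks (`lan` and `lan2` in the post). The function name `audit_wireless`, the variables `PAGE_CONFIG` and `BAD_CONFIG`, and the treatment of a missing `encryption` option as open are assumptions of this example.

```shell
# Added example, not from the post. Reads UCI wireless config on stdin; prints
# "ssid|network|encryption" per wifi-iface and FAIL (exit 1) when one network
# has an open and an encrypted SSID. Assumption: no encryption option = open.
audit_wireless() {
    awk -v sq="'" '
    function unq(s,  c) {    # strip one layer of matching quotes
        c = substr(s, 1, 1)
        if (length(s) > 1 && (c == sq || c == "\"") && substr(s, length(s)) == c)
            return substr(s, 2, length(s) - 2)
        return s
    }
    function emit() {        # record the wifi-iface section that just ended
        if (!iface) return
        printf "%s|%s|%s\n", ssid, net, enc
        if (enc == "none") opn[net] = ssid
        else sec[net] = ssid
    }
    $1 == "config" {
        emit(); iface = (unq($2) == "wifi-iface"); ssid = ""; net = ""; enc = "none"
    }
    iface && $1 == "option" {
        key = unq($2); val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)   # value may hold spaces
        sub(/[ \t]+$/, "", val)
        if (key == "ssid") ssid = unq(val)
        else if (key == "network") net = unq(val)
        else if (key == "encryption") enc = unq(val)
    }
    END {
        emit()
        for (n in opn) if (n in sec) {
            printf "FAIL: network %s carries open \"%s\" and encrypted \"%s\"\n", n, opn[n], sec[n]
            bad = 1
        }
        exit bad + 0
    }'
}
# wifi-iface sections from step 4 of the post, placeholders as posted.
PAGE_CONFIG="config 'wifi-iface'
    option 'network' 'lan'
    option 'encryption' 'none'
    option 'ssid' 'YOUR SSID#1 NAME'
config 'wifi-iface'
    option 'network' 'lan2'
    option 'encryption' 'psk2'
    option 'ssid' 'YOUR SSID#2 NAME'"
# Constructed misconfiguration: both SSIDs bridged into lan.
BAD_CONFIG=$(printf '%s\n' "$PAGE_CONFIG" | sed "s/'lan2'/'lan'/")
printf '%s\n' "$BAD_CONFIG" | audit_wireless || echo "guest and staff SSIDs share a network"
```

On the router, the same function can be pointed at the live file with `audit_wireless < /etc/config/wireless`.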