Topic: Routed WPA2 Client with Backfire 10.03.1-RC3 WL500GP with Atheros Card

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 1

Post #1

==qp==

16 Sep 2010, 18:53

I'm cutting out my reply from Mr. M's howto, since his guide was for Kamikaze.

I would like to express my thanks to Mr.M's guide, which I have used parts of to update my STA-Bridge/Route from 8.09 to Backfire 10.03.1-RC3 on my WL500GP running a Toshiba WLL4071-D4 (AR5006G) replacement-card.
dmesg spits out this as my chipset:

ath5k phy0: Atheros AR5213A chip found (MAC: 0x59, PHY: 0x43)
ath5k phy0: RF5112B multiband radio found (0x36)

I am now posting this connected to the lan-port of my OpenWRT Box using ath5k drivers, which in turn is a client of a WPA2 PSK remote router! Huge props to the devs for making this work!

Disclaimer: This guide should be seen as a W.i.P. or a proof-of-concept at most and avoided in production scenarios without further fine-tuning. This should be obvious, once you get to the firewall-part.

The following configuration uses a virtual interface to separate the wireless-master-connection (e.g. uplink to internet through remote AP) from the local network with a different subnet (I usually have another router connected to my OpenWRT box, which I then use to create my own network at home). When this virtual interface is set up to use dhcp, it is possible to "transparently" jump between available access-points without changing anything on the network depending on OpenWRT. Might be useful together with AAP or something the-like.
I have yet to test QoS, WME, upnp, etc. If you can, lend me a hand (or a head) here! (I don't bittorrent or play WoW. I do use VoIP, though.)
E.g.:

|ISP| = |Remote Router| - |OpenWRT| - |Other Wi-Fi Router|
               |                               |
        LAN (subnet #1)                LAN (subnet #2)

Steps taken:

Update to usual 2.6 Backfire release for Broadcom (openwrt-brcm47xx-squashfs.trx), using i.e. "mtd -r write <firmware.trx> linux" from a CIFS-share on my Mac.
telnet into the box; passwd; vi /etc/opkg.conf (set to local mirror);

opkg remove kmod-b43 kmod-b43legacy [s]wpad-mini[/s]

opkg install kmod-ath kmod-ath5k [s]wpa-supplicant[/s]

wifi down
rm /etc/config/wireless
wifi detect > /etc/config/wireless

Create a virtual interface by adding this to /etc/config/network

/etc/config/network wrote:

#### AIRWIRE config
config interface airwire
[s]option ifname radio0[/s]
option proto dhcp

I also changed the IP Address of lan to my personal subnet (different from the wireless: i.e. 192.168.100.x) and turned off WAN (proto none)

My /etc/config/wireless looks like this:

/etc/config/wireless wrote:

config wifi-device radio0
option type mac80211
option channel 1
option macaddr 00:11:xx:xx:xx:xx
option hwmode 11g
# REMOVE THIS LINE TO ENABLE WIFI:
# option disabled 1
config wifi-iface
option device radio0
option network airwire
option mode sta
option ssid ChooseYourPoison
option encryption psk2
option key XXXXXXXXXX

Note that the network is set to airwire (the virtual interface that we added to /etc/config/network). Don't ask me about radio0, that's just the default output from wifi detect.

my /etc/config/firewall looks like this (it's propably [s]more[/s] less than sub-optimal, but it does work; please provide a meaningful fix if you have the time!):

/etc/config/firewall wrote:

config defaults
option syn_flood 1
option input [s]ACCEPT[/s]DROP
option output ACCEPT
option forward [s]ACCEPT[/s]DROP
option drop_invalid 0
config zone
option name lan
option network lan
option input [s]ACCEPT[/s]DROP
option output ACCEPT
option forward [s]ACCEPT[/s]DROP
option masq 1
config zone
option name airwire
option network airwire
option input [s]ACCEPT[/s]DROP
option output ACCEPT
option forward [s]ACCEPT[/s]DROP
option masq 1
config zone
option name wan
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest airwire

Do all this and then
/etc/init.d/network restart and watch your OpenWRT box get an IP address from the other AP.
Hope this helps, enjoy

EDIT: Updated to reflect jow's comments. Please read the firewall drop vs. reject wiki-page for more information on how to configure the firewall. Using DROP in simple terms would be like a stealth mode, where, if you have not established a connection from your side first, a connection attempt from the outside would be silently dropped (thus not revealing anything, not even whether the IP is available), whereas a REJECT would allow a response a-la "This port on this IP is unavailable". If you need "unsolicited" traffic from outside the zones, you should create special rules (e.g. port-forwarding) or as a last resort use ACCEPT.

(Last edited by ==qp== on 16 Sep 2010, 23:05)

Post #2

jow

16 Sep 2010, 19:33

==qp== wrote:

opkg remove kmod-b43 kmod-b43legacy wpad-mini
opkg install kmod-ath kmod-ath5k wpa-supplicant

Removing b43 won't free any space so you can also jsut leave it around.
Replacing wpad-mini with wpa-supplicant is a waste of space in most cases, wpad-mini already covers the WPA PSK/PSK2 functionality of wpa-supplicant.

==qp== wrote:

Create a virtual interface by adding this to /etc/config/network

Leave out the "option ifname" here, it will lead to issues especially with b43.

==qp== wrote:

my /etc/config/firewall looks like this (it's propably [s]more[/s] less than sub-optimal, but it does work; please provide a meaningful fix if you have the time!):

There's no need to set input and forward policies to ACCEPT, but that might depend on your particular environment.

Also check http://wiki.openwrt.org/doc/recipes/routedclient - most stuff is covered there already (except the replace wireless card part obviously).

Post #3

==qp==

16 Sep 2010, 21:06

Thank you very much for your feedback jow. I will update my post to reflect your suggestions.

Post #4

lizby

17 Sep 2010, 02:54

Thanks very much for this. I tried this with a Buffalo WZR-HP-G300NH, with no encryption, but haven't had success. iwconfig shows a connection to the AP, but I can't ping the gatway router (192.168.1.1) or www.google.com. /etc/init.d/network restart shows the following:

Received SIGTERM
Entering released state
0.openwrt.pool.ntp.org: Unknown host
1.openwrt.pool.ntp.org: Unknown host
2.openwrt.pool.ntp.org: Unknown host
3.openwrt.pool.ntp.org: Unknown host
udhcpc (v1.15.3) started
udhcpc (v1.15.3) started
Sending discover...
udhcpc: bind: No such device
ioctl[SIOCSIWENCODEEXT]: Invalid argument
ioctl[SIOCSIWENCODEEXT]: Invalid argument
udhcpc (v1.15.3) started
root@wzr92:/etc/config# Sending discover...
Sending discover...
Sending select for 192.168.1.6...
Lease of 192.168.1.6 obtained, lease time 86400
udhcpc: setting default routers: 192.168.1.1
route: SIOCADDRT: No such process
udhcpc: setting dns servers: 192.168.1.1
Sending discover...

So I got an ip address of 192.168.1.6, and it thinks the default router and dsn server is 192.168.1.1. /tmp/resolv.conf shows "nameserver 192.168.1.1"

/etc/config/wireless (I modified the existing file and changed radio0 to wlan0)

config wifi-device  wlan0
    option type     mac80211
    option channel  5
    option macaddr    00:xx:xx:xx:xx:xx
    option hwmode    11ng
    option htmode    HT20
    list ht_capab    SHORT-GI-40
    list ht_capab    DSSS_CCK-40
    # REMOVE THIS LINE TO ENABLE WIFI:
#    option disabled 1

config wifi-iface
    option device   wlan0
    option network  airwire
    option mode     sta
    option ssid     Omnibus4
    option encryption none

/etc/config/network

config interface loopback
    option ifname    lo
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0

config interface lan
    option ifname    eth0
    option type    bridge
    option proto    static
    option ipaddr    192.168.1.92
    option netmask    255.255.255.0
    option gateway  192.168.1.1
    option dns      192.168.1.1

config interface wan
    option ifname    eth1
    option proto    dhcp

config interface airwire
    option proto    dhcp

config switch
    option name    rtl8366s
    option reset    1
    option enable_vlan 1

config switch_vlan
    option device    rtl8366s
    option vlan     1
    option ports    "0 1 2 3 5"

/etc/config/firewall

config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT 
    option forward        REJECT
# Uncomment this line to disable ipv6 rules
    option disable_ipv6    1

config zone
    option name        lan
    option network    lan
    option input    ACCEPT 
    option output    ACCEPT 
    option forward    REJECT
    option masq    1

config zone
    option name        airwire
    option network    airwire
    option input    ACCEPT 
    option output    ACCEPT 
    option forward    REJECT
    option masq    1

config zone
    option name        wan
    option input    REJECT
    option output    ACCEPT 
    option forward    REJECT
    option masq    1 
    option mtu_fix    1

config forwarding 
    option src      lan
    option dest     airwire

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family    ipv4

#Allow ping
config rule
    option src wan
    option proto icmp
    option icmp_type echo-request
    option target ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option dest        wan
#    option proto    tcp
#    option target    REJECT 

# block a specific mac on wan
#config rule
#    option dest        wan
#    option src_mac    00:11:22:33:44:66
#    option target    REJECT 

# block incoming ICMP traffic on a zone
#config rule
#    option src        lan
#    option proto    ICMP
#    option target    DROP

# port redirect port coming in on wan to lan
#config redirect
#    option src            wan
#    option src_dport    80
#    option dest            lan
#    option dest_ip        192.168.16.235
#    option dest_port    80 
#    option proto        tcp


### FULL CONFIG SECTIONS
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port    80
#    option dest        wan
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp
#    option target    REJECT 

#config redirect
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port        1024
#    option src_dport    80
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp

iwconfig gives the following:

lo        no wireless extensions.

eth0      no wireless extensions.

eth1      no wireless extensions.

br-lan    no wireless extensions.

wlan0     IEEE 802.11bgn  ESSID:"Omnibus4"
          Mode:Managed  Frequency:2.432 GHz  Access Point: Not-

Associated
          Tx-Power=27 dBm
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

iwlist wlan0 scanning finds "Omnibus4" (which is unsecured and

doesn't filter based on mac address)

wlan0     Scan completed :
          Cell 01 - Address: 00:90:4C:7E:00:6E
                    Channel:5
                    Frequency:2.432 GHz (Channel 5)
                    Quality=70/70  Signal level=-27 dBm
                    Encryption key:off
                    ESSID:"Omnibus4"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 

18 Mb/s
                              24 Mb/s; 36 Mb/s; 54 Mb/s
                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
                    Mode:Master
                    Extra:tsf=0000002b3a01cc81
                    Extra: Last beacon: 590ms ago
                    IE: Unknown: 00084F6D6E6962757334
                    IE: Unknown: 010882848B962430486C
                    IE: Unknown: 030105
                    IE: Unknown: 2A0100
                    IE: Unknown: 2F0100
                    IE: Unknown: 32040C121860
                    IE: Unknown: DD06001018020000

This seems close. What do I need to do to get this to connect?

Post #5

==qp==

17 Sep 2010, 03:37

Hi lizby,
First off which driver do you use?
Second, you should change the subnet of your lan or of your ap to be different from one another, otherwise you should create a bridge (if you want to be on the same subnet) and follow the appropriate recipe in the wiki.
Third, you are not associated with the AP.
Fourth, try leaving everything as is in the guide and once it works, fiddle with the names, etc.
The first time playing with backfire, I got a similar issue with the discover message, but eventually figured out a way to associate with the ap, I could ping the uplink-router and the internet, but couldn't get routing to work from behind the openwrt box (e.g. I could ping fine from openwrt, but not with my computer connected to it). The second time, I just reflashed my device and started with fresh configs etc.
Also (from the original guide by Mr. M), you should try setting the hwmode to 11g and maybe turn off the double-frequency as well.

Mr. M wrote:

4) Important Note: When using ATH9K, the script will suggest "option hwmode 11ng". That didn't work with my "TP-Link TL-WN861N" card. I had to change it to "option hwmode 11g".

What does wifi detect show? What about topic-related dmesg output?
General procedure is to test minimal configuration and then make it look and behave "nice".
Please report back!

(Last edited by ==qp== on 17 Sep 2010, 03:44)

The discussion might have continued from here.

Page 1 of 1