OpenWrt Forum Archive

Topic: any way to filter packets going through the switch?

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hey guys,

I have written a netfilter for the WRT54G following the guide here:
http://www.linuxjournal.com/node/7184/print

It works great on the WRT54G to see packets that go in and out of the "Internet" port

I was wondering if it is possible to write a filter for the switch, so that if two computers are connected to switch port 1 and switch port 2, if they send packets to each other, I can filter them through netfilter somehow

Is this possible?  Basically I understand that packets do not go through the router's TCP/IP stack if the host and destination are on the same subnet.  Is there any way to force this?  Does wireless also bypass the TCP/IP stack?

Thanks!
George

(Last edited by hedpe on 22 Feb 2006, 08:14)

You probably have to split your switch and use different interface for the different ports...

what about ebtables ??

zsjoska wrote:

You probably have to split your switch and use different interface for the different ports...

how is it that i can do this?

awesome, i will give that a try, thanks for your help guys

ok i tried following that guide and i couldn't get switch port 2 working after trying to create its own vlan for itself

I do not have openwrt installed, i have a telnet daemon so i can telnet to the WRT54G

i tried creating a separate vlan for switch port 2
nvram set vlan0ports="1 3 4 5*"
nvram set vlan0hwname=et0
nvram set vlan1ports="0 5"
nvram set vlan1hwname=et0
nvram set vlan2ports="2"
nvram set vlan2hwname=et0
vconfig add eth0 2
reboot
ifconfig vlan2 hw ether 00:13:10:F6:47:01
ifconfig vlan2 up
# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:13:10:F6:47:2E 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:262 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13132 (12.8 kb)  TX bytes:69769 (68.1 kb)

eth0      Link encap:Ethernet  HWaddr 00:13:10:F6:47:2E 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:624 errors:0 dropped:0 overruns:0 frame:0
          TX packets:270 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:54563 (53.2 kb)  TX bytes:72442 (70.7 kb)
          Interrupt:5 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:13:10:F6:47:30 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:202
          TX packets:85 errors:90 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:28290 (27.6 kb)
          Interrupt:4 Base address:0x1000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vlan0     Link encap:Ethernet  HWaddr 00:13:10:F6:47:2E 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:193 errors:0 dropped:0 overruns:0 frame:0
          TX packets:262 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13988 (13.6 kb)  TX bytes:70817 (69.1 kb)

vlan1     Link encap:Ethernet  HWaddr 00:12:3F:98:0C:04 
          inet addr:128.2.140.229  Bcast:128.2.141.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:430 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:29293 (28.6 kb)  TX bytes:1625 (1.5 kb)

vlan2     Link encap:Ethernet  HWaddr 00:13:10:F6:47:01 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Then i plug a computer into the switch port 2, and try to dhcp to get an address, no response...

I guess I misunderstood something about the settings...

thanks!
George

(Last edited by hedpe on 23 Feb 2006, 00:56)

The switch is only configured when the et.o initially loads (or if you use the admcfg/robocfg utils). Simply setting the nvram variable doesn't change the current switch configuration.

(FYI - The rc5 release will replace et.o with an opensource driver, "b44" and will make the switch configuration accessible via /proc, eliminating the need for admcfg or robocfg)

so is there any way for me to modify the firmware or startup to configure the switch this way without using robocfg?

after searching through the code, I found:

  struct nvram_tuple vlan[] = {
    { "lan_ifname", "br0", 0 },
    { "lan_ifnames", "vlan0 eth1 eth2 eth3", 0 },
    { "wan_ifname", "vlan1", 0 },
    { "wan_ifnames", "vlan1", 0 },
    { 0, 0, 0 }
  };

in router/rc/rc.c

not sure if this is what i'm looking for?

In the meantime i am going to try putting robocfg on my firmware...

(Last edited by hedpe on 23 Feb 2006, 20:31)

I tried using robocfg on my WRT54G v3.1 and i get:
SIOCETHTOOL: your ethernet module is either unsupported or outdated: Invalid argument

what else can i try?

hedpe wrote:

after searching through the code, I found:

  struct nvram_tuple vlan[] = {
    { "lan_ifname", "br0", 0 },
    { "lan_ifnames", "vlan0 eth1 eth2 eth3", 0 },
    { "wan_ifname", "vlan1", 0 },
    { "wan_ifnames", "vlan1", 0 },
    { 0, 0, 0 }
  };

in router/rc/rc.c

not sure if this is what i'm looking for?

In the meantime i am going to try putting robocfg on my firmware...

You do realize you're on the openwrt.org site right? Those files aren't present in the openwrt firmware or sources.

nvram set vlan2ports="2"

vlan2 has nothing to talk to - it's sitting there by itself, so of course it won't work. Add the cpu port (5) to the ..ports per the example.

- DL

More info here: http://wiki.openwrt.org/OpenWrtNVRAM

I suspect you will want something like this:

nvram set vlan0ports="1 3 4 5*"
nvram set vlan0hwname=et0
nvram set vlan1ports="0 5"
nvram set vlan1hwname=et0
nvram set vlan2ports="2 5"
nvram set vlan2hwname=et0
nvram set lan_ifname="br0"
nvram set lan_ifnames="eth1 vlan0 vlan2"   <<< NOTE: check whether current setting is eth1 or eth2, and use that
nvram commit
<reboot>

This filters off switch port 2, probably labelled "LAN 3" on your hardware, to a separate vlan. (Use "robocfg show" to see which devices are plugged into which ports). Then the bridge br0 connects the wifi, the other LAN ports, and the LAN 3 port. Traffic between the LAN 3 port and the other ports can then be filtered using ebtables.
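A small pre-commit check in the spirit of DL's point about the CPU port, added here as an example and not taken from the thread: it reads vlanNports lines like the ones posted above (the three layouts below are constructed from them) and rejects a VLAN with no CPU port or a variable that is set twice, so the mistake is caught before "nvram commit" and the reboot.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Broadcom switch VLAN layout
# of the kind posted above before "nvram commit". The two mistakes it catches are
# the ones that cost time in this thread: a VLAN without the CPU port (5), which
# the kernel can never see, and the same vlanNports variable set twice, where the
# second "nvram set" silently overwrites the first.
CPU_PORT=5

# check_vlans reads lines of the form vlanNports="<ports>" on stdin and prints one
# error per problem. Returns 0 if the layout is consistent, 1 otherwise.
check_vlans() {
    seen_ports=""; seen_names=""; status=0
    while IFS='=' read -r name ports; do
        [ -z "$name" ] && continue
        case " $seen_names " in
            *" $name "*) echo "error: $name is set more than once"; status=1 ;;
        esac
        seen_names="$seen_names $name"
        has_cpu=0
        for p in $(printf '%s' "$ports" | tr -d '"'); do
            p=${p%\*}               # '*' marks the default (untagged) CPU VLAN; not a port
            if [ "$p" = "$CPU_PORT" ]; then has_cpu=1; continue; fi
            case " $seen_ports " in
                *" $p "*) echo "error: port $p is claimed by $name and an earlier VLAN"; status=1 ;;
            esac
            seen_ports="$seen_ports $p"
        done
        [ "$has_cpu" -eq 1 ] || { echo "error: $name has no CPU port $CPU_PORT, the kernel cannot reach it"; status=1; }
    done
    return "$status"
}

# Constructed layouts: the first attempt from the thread (vlan2 isolated from the
# CPU), a typo'd version that sets vlan1ports twice, and the corrected one.
BROKEN='vlan0ports="1 3 4 5*"
vlan1ports="0 5"
vlan2ports="2"'
TYPO='vlan0ports="1 3 4 5*"
vlan1ports="0 5"
vlan1ports="2 5"'
FIXED='vlan0ports="1 3 4 5*"
vlan1ports="0 5"
vlan2ports="2 5"'

for layout in "$BROKEN" "$TYPO" "$FIXED"; do
    if printf '%s\n' "$layout" | check_vlans; then echo "layout ok"; fi
    echo "---"
done
```

Feed it the output of "nvram show | grep ports" on the router to check the layout that is actually stored, not just the one you typed.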

that seemed to work because the computer can now connect on the port, however the transmission rate was cut in half now!

I am sure this has to do with using twice the CPU now, which is understandable

however it did not solve the initial problem of getting the packets to show through a netfilter ... the packets never went through the tcp/ip stack in the kernel

any other suggestions to get the packets to go through the kernel then?


and yes mbm i know it's the openwrt forum, and i'm sorry, but there is no greater active forum for help on the wrt54g, and i appreciate it very much

(Last edited by hedpe on 24 Feb 2006, 00:00)

hedpe wrote:

however it did not solve the initial problem of getting the packets to show through a netfilter ... the packets never went through the tcp/ip stack in the kernel

I think you'll have to break the bridge to accomplish this.

- DL

how do you break the bridge?  just remove it? what implications does this have?

hedpe wrote:

that seemed to work because the computer can now connect on the port, however the transmission rate was cut in half now!

I am sure this has to do with using twice the CPU now, which is understandable

however it did not solve the initial problem of getting the packets to show through a netfilter ... the packets never went through the tcp/ip stack in the kernel

any other suggestions to get the packets to go through the kernel then?

For bridging, you need to use ebtables. For an example of how to load the relevant modules and a pointer to the ebtables documentation see http://forum.openwrt.org/viewtopic.php?id=4481

The discussion might have continued from here.