Using Non-Bridged WiFi
The default OpenWRT configuration bridges the WiFi and LAN interfaces. This gives any computer on your WiFi network full access to your wired network. The more paranoid among us prefer to separate the two interfaces.
This example assumes your WiFi network will use 192.168.2.x, with the OpenWRT router on 192.168.2.1. I'm using a WRT54GL; the details may vary on other devices.
/etc/config/network
First, find the config interface lan section and delete the option type bridge line. Note that this will change the name of your LAN interface. On the WRT54GL it changes from br-lan to eth0.0. This may require changes to your firewall configuration.
Then, add a new section to configure the WiFi interface:
#### Wi-Fi LAN configuration
config interface wifi
option ifname "wl0"
option proto static
option ipaddr 192.168.2.1
option netmask 255.255.255.0
/etc/config/wireless
Make sure the device and network match the ones you defined in /etc/config/network. It should look like this:
config wifi-iface
option device wl0
option network wifiYou should also change the default SSID and enable encryption. Once you've done that, remove the option disabled 1 line, or the WiFi interface won't operate.
/etc/config/dhcp (optional)
If you want dnsmasq to provide DHCP services on your WiFi network, you'll need to add a section enabling that:
config dhcp
option interface wifi
option start 100
option limit 150
option leasetime 4h
Using OpenWrt stock firewall (new UCI firewall)
Zones
uci add firewall zone uci set firewall.@zone[-1].name=wifi uci set firewall.@zone[-1].network=wifi uci set firewall.@zone[-1].input=ACCEPT uci set firewall.@zone[-1].forward=DROP uci set firewall.@zone[-1].output=ACCEPT
Forwarding (Allow wifi -> wan, Allow wifi -> lan, Allow lan -> wifi)
uci add firewall forwarding uci set firewall.@forwarding[-1].src=wifi uci set firewall.@forwarding[-1].dest=wan uci add firewall forwarding uci set firewall.@forwarding[-1].src=wifi uci set firewall.@forwarding[-1].dest=lan uci add firewall forwarding uci set firewall.@forwarding[-1].src=lan uci set firewall.@forwarding[-1].dest=wifi
Save and restart the firewall
uci commit firewall /etc/init.d/firewall restart
Using OpenWrt stock firewall (old firewall)
As an easier alternative to shorewall, modify /etc/init.d/firewall like this:
Find where the other config_get commands are. Add:
config_get WIFI wifi ifname
to where the others are.
Now, scroll down to where it says ### FORWARDING and under the # allow section, add
iptables -A FORWARD -i $WIFI -o $WIFI -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $WIFI -o $WAN -j ACCEPT
iptables -A FORWARD -i $WIFI -o $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $WIFI -j ACCEPT
That will allow computers on the wireless lan to contact each other, to access internet, and for contact between lan and wireless segments.
Shorewall
Your WiFi network should now be operational on 192.168.2.x after a reboot. However, it will not be able to communicate with your LAN or the Internet until you set up the appropriate firewall rules. It may be possible to do that with the default OpenWRT firewall, but I'm more familiar with Shorewall, so that's what I used.
I'm still using Shorewall 3.4, so I enabled the net/shorewall package from the packages repository. The following setup is based on the Shorewall three-interface configuration.
/etc/shorewall/params
I recommend defining your interface names in /etc/shorewall/params. This will aid both readability and portability (if you ever need to move your configuration to another device).
NET_IF=eth0.1 LOC_IF=eth0.0 WF_IF=wl0 # Uncomment if you want to allow remote access to a local webserver: #WWW_IP=loc:192.168.0.9 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv4 loc ipv4 wifi ipv4 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS net $NET_IF detect dhcp,tcpflags,routefilter,norfc1918,nosmurfs,logmartians loc $LOC_IF detect dhcp,tcpflags,detectnets,nosmurfs wifi $WF_IF detect dhcp,tcpflags,detectnets,nosmurfs #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/masq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC $NET_IF $LOC_IF $NET_IF $WF_IF #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST # # Note about policies and logging: # This file contains an explicit policy for every combination of # zones defined in this sample. This is solely for the purpose of # providing more specific messages in the logs. This is not # necessary for correct operation of the firewall, but greatly # assists in diagnosing problems. # # # Policies for traffic originating from the local LAN (loc) # # If you want to force clients to access the Internet via a proxy server # on your firewall, change the loc to net policy to REJECT info. loc net ACCEPT loc wifi ACCEPT loc $FW REJECT info loc all REJECT info # # Policies for traffic originating from the firewall ($FW) # # If you do not want open access to the Internet from your firewall, change the # $FW to net policy to REJECT and add the 'info' LOG LEVEL. $FW net ACCEPT $FW wifi REJECT info $FW loc REJECT info $FW all REJECT info # # Policies for traffic originating from the Internet zone (net) # net $FW DROP info net loc DROP info net wifi DROP info net all DROP info # # Policies for traffic originating from the local Wi-Fi LAN (wifi) # wifi net ACCEPT wifi loc REJECT info wifi $FW REJECT info wifi all REJECT info # THE FOLLOWING POLICY MUST BE LAST all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP # # Accept SSH connections for administration SSH/ACCEPT loc $FW SSH/ACCEPT net $FW SSH/ACCEPT wifi $FW # Allow Ping from the local network Ping/ACCEPT loc $FW Ping/ACCEPT wifi $FW Ping/ACCEPT loc wifi Ping/ACCEPT wifi loc # Reject Ping from the "bad" net zone.. and prevent your log from being flooded.. Ping/REJECT net $FW ACCEPT $FW loc icmp ACCEPT $FW net icmp ACCEPT $FW wifi icmp # Accept DNS connections from local network to the firewall DNS/ACCEPT loc $FW DNS/ACCEPT wifi $FW # Forward https traffic: (uncomment if you have a local web server on $WWW_IP) #DNAT net $WWW_IP tcp 443 #ACCEPT wifi $WWW_IP:443 tcp 443 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/routestopped
You may want to include "$WF_IF -" here as well.
#INTERFACE HOST(S) OPTIONS $LOC_IF - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/rc.d/S45firewall
Once you've installed Shorewall, you don't need the default OpenWRT firewall anymore. Deleting /etc/rc.d/S45firewall will prevent it from starting and make your router boot faster.
You don't need /etc/init.d/firewall, /etc/config/firewall, or /usr/lib/firewall.awk, either. But unless you're building your own custom firmware image, there's no point in deleting them. You can't recover space by deleting files from a squashfs filesystem (it actually takes more space to record the files that have been deleted.)
Advanced Shorewall Configuration
If you uncomment the lines mentioning $WWW_IP above, it will allow Internet and WiFi users to reach an https server on your local network. But WiFi users will need to use the local domain name instead of the public domain name used on the Internet. Since your server certificate will probably list the Internet domain, WiFi users will get a warning about the certificate not matching the domain.
It is possible to set things up so that WiFi users can reach the server using the Internet domain, but that requires you to include your public IP address in the Shorewall rule. Since most people have a dynamic IP address, this means you must restart Shorewall any time your public IP changes.
/etc/shorewall/params
Appending these lines to /etc/shorewall/params will record your public IP address in /var/run/shorewall.ip and allow you to use it in rules as $EXT_IP.
EXT_IP=$(find_first_interface_address $NET_IF) echo $EXT_IP >/var/run/shorewall.ip chmod 0644 /var/run/shorewall.ip
/etc/shorewall/rules
This rule will let WiFi users connect to the https server using your public IP address.
DNAT wifi $WWW_IP tcp 443 - $EXT_IP
/etc/hotplug.d/iface/15-shorewall
This script will restart Shorewall when your wan interface is brought up (but only if Shorewall is already running under a different public IP address). The DHCP client generates an ifup event every time it renews your lease, and I only want to restart the firewall when necessary.
CURRENT_IP=/var/run/shorewall.ip
COMMAND=/sbin/shorewall
[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] && {
[ -x $COMMAND ] && [ -s $CURRENT_IP ] && {
include /lib/network
scan_interfaces
. /var/state/network
config_get newip wan ipaddr
[ "$newip" != `cat $CURRENT_IP` ] && {
$COMMAND status | grep -q 'Shorewall is running'
} && {
$COMMAND restart
}
} &
}