Configurando repetidores Wi-Fi com vários SSIDs

--- a humbly committed student 2019/01/19 10:31

O objetivo deste artigo é mostrar aos usuários como configurar um roteador principal e vários pontos de acesso para repetir vários SSIDs por meio de VLANs marcadas (tagged) nos switches.

Este exemplo contém um roteador principal que fornecerá os SSIDs Wi-Fi e o serviço DHCP e dois roteadores configurados como pontos de acesso. Neste exemplo, o roteador Linksys WRT 3200acm com OpenWrt 18.01 foi usado para todos os dispositivos.

Esses procedimentos podem ser realizados principalmente na GUI LuCi, mas, como não consigo anexar capturas de tela, eu fiz a configuração através dos arquivos de configuração dos roteadores localizados em /etc/config durante uma sessão SSH em cada roteador.

Recomenda-se familiarizar-se com os seguintes artigos do wiki para executar esta tarefa.

Esta é uma topologia de rede para este exemplo:

Exemplo de topologia de rede

Os SSIDs foram criados e conectados à respectiva interface de rede. Cada interface de rede foi adicionada ao seu próprio ID de VLAN específico.

Os dois pontos de acesso foram configurados para usar a porta WAN para receber a conexão de uplink marcada da porta de interface marcada do roteador/hop anterior. Fiz isso para me permitir utilizar as 4 portas da LAN, o que me deu mais portas para conectar dispositivos.

É preciso garantir que o ID de VLAN associado a cada uma das interfaces Wi-Fi seja o mesmo em todos os dispositivos, ou seja, privado na VLAN1 (eth0.1), convidado na VLAN3 (eth0.3), tor na VLAN4 (eth0.4) etc., para que cada roteador conheça as VLANs.

Lista de SSIDs de Wi-Fi:

  • Privado: SSID = Magick Mushroom, Gaming
  • Convidado: SSID = Slave
  • Tor: SSID = tor

Detalhes do Switch

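VLAN ID | Upstream side: HW switch ↔ eth1 driver | Downstream side: HW switch ↔ physical ports

| VLAN ID | CPU (eth0) | CPU (eth1) | LAN1 | LAN2 | LAN3 | LAN4 | WAN |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | tagged | off | untagged | untagged | untagged | tagged | off |
| 2 | off | tagged | off | off | off | off | untagged |
| 3 | tagged | off | off | off | off | tagged | off |
| 4 | tagged | off | off | off | off | tagged | off |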

*Dica: Para determinar a CPU da WAN dos roteadores quando houver várias CPUs listadas, use a GUI Luci e navegue até Rede > Switch e veja qual linha tem a CPU marcada e a WAN sem marcação, juntas, por padrão. Outra maneira é usar a GUI Luci para navegar em Rede > Interfaces e ver qual interface é usada nas Configurações físicas da WAN

1. Crie VLANs extras para corresponder à tabela acima. A interface LAN4 foi configurada para ser marcada (tagged) com os IDs de VLAN. A LAN4 está retransmitindo o uplink para o próximo roteador (o AP de médio alcance).

/etc/config/network


# Main router network layout: one bridge per trust level (lan, slave, tor), each
# bound to its own VLAN sub-interface of eth0. Using the same VLAN IDs on every
# device is what keeps guest and tor traffic apart from the private LAN on the trunk.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfb:7e04:aca7::/48'

# Private LAN on VLAN 1 (eth0.1).
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	# NOTE(review): the gateway is this interface's own address — confirm it is intended.
	option gateway '192.168.0.1'
	option broadcast '192.168.0.255'
	option dns '8.8.8.8'

# Upstream connection on VLAN 2 (eth1.2), addressed by DHCP.
config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	# Hostname sent with the DHCP request to the upstream network.
	option hostname 'infraverse.network'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# 't' marks a tagged member port. Compared with the switch table in the article,
# port 0 is LAN4 (the trunk to the next AP), ports 1-3 are the untagged LAN
# ports and port 5 is the eth0 CPU port (numbering inferred from that table).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1 2 3 5t'

# VLAN 2: WAN port untagged plus the eth1 CPU port tagged (numbering inferred as above).
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

# Guest network 172.16.0.0/16 on VLAN 3.
config interface 'slave'
	option type 'bridge'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.0.0'
	# NOTE(review): 'radio1' is a wifi-device name from /etc/config/wireless, not a
	# network device; the guest SSID joins this bridge through its own
	# 'option network' line — confirm this entry is needed.
	option ifname 'eth0.3 radio1'
	option gateway '172.16.0.1'
	option broadcast '172.16.255.255'

# Tor network on VLAN 4.
config interface 'tor'
	option proto 'static'
	option ipaddr '10.1.1.1'
	# NOTE(review): this claims all of 10.0.0.0/8 as on-link while the DHCP pool is
	# limited to 254 leases; a narrower mask would be enough — confirm.
	option netmask '255.0.0.0'
	option type 'bridge'
	option ifname 'eth0.4'

# VLANs 3 and 4 exist only on the trunk port and the CPU port, both tagged, so
# no wired LAN port gives untagged access to the guest or tor networks.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '0t 5t'

2. Crie interfaces Wi-Fi.

Atenção: certifique-se de que os nomes dos SSIDs e as senhas sejam idênticos aos configurados no roteador principal.

/etc/config/wireless


# Main router radios and SSIDs. Two WPA-protected SSIDs join the private 'lan'
# network; two open SSIDs join the 'slave' (guest) and 'tor' networks.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Gaming'
	# 'psk-mixed' accepts WPA as well as WPA2 clients. NOTE(review): 'psk2' limits
	# the SSID to WPA2 if no legacy client needs WPA — confirm.
	option encryption 'psk-mixed'
	# Placeholder passphrase: replace it with a long, unique value. The same key
	# is reused for the 'Magick Mushroom' SSID below.
	option key 'supersecretpassword'
	# KRACK workaround for unpatched clients: the AP does not retransmit EAPOL-Key frames.
	option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option country 'US'
	option legacy_rates '1'
	option distance '7.7'
	option channel '11'
	option htmode 'HT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Magick Mushroom'
	option encryption 'psk-mixed'
	option key 'supersecretpassword'
	# NOTE(review): in hostapd a value of 0 disables periodic group-key rotation;
	# confirm this is intended rather than the default interval.
	option wpa_group_rekey '0'

# Guest SSID: open network, so traffic is unencrypted over the air. 'isolate'
# stops wireless clients of this AP from talking to each other directly.
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option ssid 'Slave'
	option isolate '1'
	option network 'slave'

# Tor SSID: also open. NOTE(review): unlike the guest SSID, and unlike the 'tor'
# SSID in the third AP listing, there is no 'option isolate' here, so clients
# of this SSID can reach each other — confirm.
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option ssid 'tor'
	option network 'tor'

3. Crie regras de firewall

/etc/config/firewall


# Global policy for traffic that matches no zone.
# NOTE(review): input is ACCEPT here; the per-zone policies below are what
# actually restrict wan and slave traffic — confirm every interface is assigned
# to a zone.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Private LAN: fully trusted towards the router.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN: unsolicited input and forwarding are rejected; outbound traffic is masqueraded.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Exceptions to the wan zone's REJECT policy. A rule with 'src' but no 'dest'
# applies to traffic addressed to the router itself; a rule with 'dest' applies
# to forwarded traffic.

# DHCP replies from the upstream server to the router's DHCP client.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 ping from the WAN side.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone ('*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Inbound IPsec (ESP and IKE on UDP/500) forwarded from wan to lan hosts.
# NOTE(review): these two rules can be removed if no IPsec endpoint sits behind
# the router — confirm.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom rules script loaded with the firewall.
config include
	option path '/etc/firewall.user'

# Firewall hook for miniupnpd. NOTE(review): UPnP/NAT-PMP lets internal hosts
# request inbound port mappings; confirm it is needed and that the guest and
# tor networks cannot use it.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Guest ('slave') zone: with input REJECT, guests reach the router only through
# the two ACCEPT rules below (DNS and DHCP). No forwarding section leads from
# slave to lan or tor, so guests can only go out through wan.
config zone
	option name 'slave'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'slave'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Slave dns'
	option src 'slave'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'slave dhcp'
	option src 'slave'

# Tor zone.
# NOTE(review): input ACCEPT exposes every service listening on the router (for
# example SSH or LuCI, if they listen on this interface) to clients of the open
# 'tor' SSID, and makes the three ACCEPT rules below redundant. The guest zone
# uses input REJECT with explicit rules; consider the same here.
config zone
	option name 'tor'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'tor'
	option input 'ACCEPT'
	option syn_flood '1'
	option conntrack '1'

config rule
	option src 'tor'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option name 'tor DHCP'

# 9040 and 9053 are presumably Tor's TransPort and DNSPort on the router, per
# the rule names — confirm against the Tor configuration.
config rule
	option src 'tor'
	option proto 'tcp'
	option dest_port '9040'
	option target 'ACCEPT'
	option name 'tor transport'

config rule
	option src 'tor'
	option proto 'udp'
	option dest_port '9053'
	option target 'ACCEPT'
	option name 'tor dns'

# TCP from tor clients that is not addressed to 10.1.1.1 is rewritten to port 9040.
config redirect
	option name 'Redirect-Tor-Traffic'
	option src 'tor'
	option src_dip '!10.1.1.1'
	option dest_port '9040'
	option proto 'tcp'
	option target 'DNAT'

# UDP DNS queries from tor clients are rewritten to port 9053.
config redirect
	option name 'Redirect-Tor-DNS'
	option src 'tor'
	option src_dport '53'
	option dest_port '9053'
	option proto 'udp'
	option target 'DNAT'

config forwarding
	option dest 'wan'
	option src 'lan'

# NOTE(review): tor->wan forwarding lets anything the two redirects above do
# not capture (UDP other than port 53, ICMP, ...) leave through the WAN
# directly, bypassing Tor. Removing this section would make the zone fail
# closed — confirm.
config forwarding
	option dest 'wan'
	option src 'tor'

# NOTE(review): wan->tor permits forwarding from the WAN side into the tor
# network; nothing else in this file appears to need it — confirm and remove
# if unused.
config forwarding
	option dest 'tor'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'slave'

4. Crie configurações DHCP

/etc/config/dhcp


# dnsmasq settings plus one DHCP pool per network (lan, slave, tor) on the main router.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS rebinding protection: upstream answers pointing into private ranges are discarded.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	# Only answer DNS queries from directly attached subnets.
	option localservice '1'
	# presumably a blocklist written by an ad-blocking package — confirm
	option serversfile '/tmp/adb_list.overall'
        list server '8.8.8.8'
        list server '8.8.4.4'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option start '2'
	option limit '254'
	option ra_management '1'

# Guest pool.
config dhcp 'slave'
	option leasetime '12h'
	option interface 'slave'
	option start '2'
	option limit '254'

# Tor pool.
config dhcp 'tor'
	option leasetime '12h'
	option interface 'tor'
	option start '2'
	option limit '254'

# No DHCP service towards the upstream network.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

2º, AP de médio alcance

Detalhes do Switch

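VLAN ID | Upstream side: HW switch ↔ eth1 driver | Downstream side: HW switch ↔ physical ports

| VLAN ID | CPU (eth0) | CPU (eth1) | LAN1 | LAN2 | LAN3 | LAN4 | WAN |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | tagged | tagged | untagged | untagged | untagged | tagged | tagged |
| 2 | off | off | off | off | off | off | off |
| 3 | tagged | tagged | off | off | off | tagged | tagged |
| 4 | tagged | tagged | off | off | off | tagged | tagged |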

1. Crie VLANs extras para corresponder à tabela acima. As interfaces WAN e LAN4 foram configuradas para serem marcadas com números de ID da VLAN. A WAN está recebendo o uplink do roteador principal e o LAN4 está retransmitindo o uplink para o próximo roteador (o roteador AP de alcance traseiro).

/etc/config/network


# Network listing shown for the mid-range AP.
# NOTE(review): this listing is the same as the main router's. 'lan' uses
# 192.168.0.1, the main router's address, and VLANs 1, 3 and 4 include neither
# port 4 (WAN) nor port 6 (eth1), although the switch table for this AP marks
# WAN and eth1 as tagged members. The third AP listing uses '4t 5t 6t' for the
# uplink — confirm the intended values before copying this file.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfb:7e04:aca7::/48'

# Private LAN on VLAN 1 (eth0.1).
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	option gateway '192.168.0.1'
	option broadcast '192.168.0.255'
	option dns '8.8.8.8'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	# Hostname sent with the DHCP request to the upstream network.
	option hostname 'infraverse.network'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# 't' marks a tagged member port.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

# Guest network on VLAN 3.
config interface 'slave'
	option type 'bridge'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.0.0'
	# NOTE(review): 'radio1' is a wifi-device name, not a network device — confirm
	# this entry is needed.
	option ifname 'eth0.3 radio1'
	option gateway '172.16.0.1'
	option broadcast '172.16.255.255'

# Tor network on VLAN 4.
config interface 'tor'
	option proto 'static'
	option ipaddr '10.1.1.1'
	option netmask '255.0.0.0'
	option type 'bridge'
	option ifname 'eth0.4'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '0t 5t'

2. Crie interfaces Wi-Fi.

Atenção: certifique-se de que os nomes dos SSIDs e as senhas sejam idênticos aos configurados no roteador principal.

/etc/config/wireless


# Mid-range AP radios and SSIDs: SSID names, encryption modes and keys mirror
# the main router so that clients can roam between the devices.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Gaming'
	# 'psk-mixed' accepts WPA as well as WPA2 clients. NOTE(review): 'psk2' limits
	# the SSID to WPA2 if no legacy client needs WPA — confirm.
	option encryption 'psk-mixed'
	# Placeholder passphrase: replace it with a long, unique value.
	option key 'supersecretpassword'
	# KRACK workaround for unpatched clients: the AP does not retransmit EAPOL-Key frames.
	option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option country 'US'
	option legacy_rates '1'
	option distance '7.7'
	option channel '11'
	option htmode 'HT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Magick Mushroom'
	option encryption 'psk-mixed'
	option key 'supersecretpassword'
	# NOTE(review): in hostapd a value of 0 disables periodic group-key rotation;
	# confirm this is intended.
	option wpa_group_rekey '0'

# Guest SSID: open (unencrypted over the air), with client isolation.
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option ssid 'Slave'
	option isolate '1'
	option network 'slave'

# Tor SSID: open, and without 'option isolate'. NOTE(review): the third AP
# listing sets isolate '1' on this SSID — confirm which is intended.
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option ssid 'tor'
	option network 'tor'

3. Crie regras de firewall

/etc/config/firewall


# Firewall listing shown for the mid-range AP.
# NOTE(review): it is the same as the main router's, including WAN masquerading;
# confirm which parts an AP that only bridges VLANs actually needs.
config defaults
	option syn_flood '1'
	# Policy for traffic that matches no zone.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Private LAN: fully trusted towards this device.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN: unsolicited input and forwarding are rejected; outbound traffic is masqueraded.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Exceptions to the wan zone's REJECT policy. A rule with 'src' but no 'dest'
# applies to traffic addressed to the device itself; a rule with 'dest' applies
# to forwarded traffic.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the device itself, rate-limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone ('*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Inbound IPsec (ESP and IKE on UDP/500) forwarded from wan to lan hosts.
# NOTE(review): removable if no IPsec endpoint sits behind this device — confirm.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom rules script loaded with the firewall.
config include
	option path '/etc/firewall.user'

# Firewall hook for miniupnpd. NOTE(review): UPnP/NAT-PMP lets internal hosts
# request inbound port mappings; confirm it is needed on an access point.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Guest ('slave') zone: with input REJECT, guests reach this device only through
# the two ACCEPT rules below (DNS and DHCP).
config zone
	option name 'slave'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'slave'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Slave dns'
	option src 'slave'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'slave dhcp'
	option src 'slave'

# Tor zone.
# NOTE(review): input ACCEPT exposes every service listening on this device to
# clients of the open 'tor' SSID and makes the three ACCEPT rules below
# redundant; the guest zone uses input REJECT with explicit rules.
config zone
	option name 'tor'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'tor'
	option input 'ACCEPT'
	option syn_flood '1'
	option conntrack '1'

config rule
	option src 'tor'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option name 'tor DHCP'

# 9040 and 9053 are presumably Tor's TransPort and DNSPort, per the rule names.
# NOTE(review): these rules and the redirects below only make sense on the
# device that actually runs Tor — confirm that this AP does.
config rule
	option src 'tor'
	option proto 'tcp'
	option dest_port '9040'
	option target 'ACCEPT'
	option name 'tor transport'

config rule
	option src 'tor'
	option proto 'udp'
	option dest_port '9053'
	option target 'ACCEPT'
	option name 'tor dns'

# TCP from tor clients that is not addressed to 10.1.1.1 is rewritten to port 9040.
config redirect
	option name 'Redirect-Tor-Traffic'
	option src 'tor'
	option src_dip '!10.1.1.1'
	option dest_port '9040'
	option proto 'tcp'
	option target 'DNAT'

# UDP DNS queries from tor clients are rewritten to port 9053.
config redirect
	option name 'Redirect-Tor-DNS'
	option src 'tor'
	option src_dport '53'
	option dest_port '9053'
	option proto 'udp'
	option target 'DNAT'

config forwarding
	option dest 'wan'
	option src 'lan'

# NOTE(review): tor->wan forwarding lets traffic the redirects do not capture
# (UDP other than port 53, ICMP, ...) leave directly, bypassing Tor — confirm.
config forwarding
	option dest 'wan'
	option src 'tor'

# NOTE(review): wan->tor permits forwarding from the WAN side into the tor
# network — confirm it is needed and remove it if unused.
config forwarding
	option dest 'tor'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'slave'

4. Crie configurações DHCP

/etc/config/dhcp


# DHCP/DNS listing shown for the mid-range AP.
# NOTE(review): it is the same as the main router's and serves DHCP on lan,
# slave and tor. The article states that the main router provides DHCP, and a
# second server on the same VLANs would hand out competing leases; the third AP
# listing disables its lan pool with 'option ignore' — confirm the intended values.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS rebinding protection: upstream answers pointing into private ranges are discarded.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	# Only answer DNS queries from directly attached subnets.
	option localservice '1'
	# presumably a blocklist written by an ad-blocking package — confirm
	option serversfile '/tmp/adb_list.overall'
        list server '8.8.8.8'
        list server '8.8.4.4'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option start '2'
	option limit '254'
	option ra_management '1'

config dhcp 'slave'
	option leasetime '12h'
	option interface 'slave'
	option start '2'
	option limit '254'

config dhcp 'tor'
	option leasetime '12h'
	option interface 'tor'
	option start '2'
	option limit '254'

# No DHCP service towards the upstream side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Detalhes do Switch

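VLAN ID | Upstream side: HW switch ↔ eth1 driver | Downstream side: HW switch ↔ physical ports

| VLAN ID | CPU (eth0) | CPU (eth1) | LAN1 | LAN2 | LAN3 | LAN4 | WAN |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | tagged | tagged | untagged | untagged | untagged | untagged | tagged |
| 2 | off | off | off | off | off | off | off |
| 3 | tagged | tagged | off | off | off | off | tagged |
| 4 | tagged | tagged | off | off | off | off | tagged |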

1. Crie VLANs extras para corresponder à tabela acima. A interface WAN foi configurada para ser identificada com números de ID da VLAN. A WAN está recebendo o uplink do roteador intermediário.

/etc/config/network


# Last AP in the chain: the WAN port is the tagged uplink and every network is a
# bridge on its VLAN; the AP takes a .252 address in each subnet.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcb:2636:4335::/48'

# Private LAN on VLAN 1; the gateway is the main router (192.168.0.1).
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.252'
	option gateway '192.168.0.1'
	option broadcast '192.168.0.255'

# NOTE(review): this interface has the same address as 'lan', its broadcast
# (192.168.1.255) does not belong to 192.168.0.0/24, and VLAN 2 below has no
# member ports. It looks unused on this AP — confirm.
config interface 'wan'
	option ifname 'eth1.2'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	option broadcast '192.168.1.255'
	option ipaddr '192.168.0.252'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# 't' marks a tagged member port. Per the switch table for this AP: ports 0-3
# are the untagged LAN ports, port 4 is the WAN uplink (tagged), and ports 5
# and 6 are the two CPU ports (numbering inferred from that table).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 4t 5t 6t'

# VLAN 2 has no member ports on this AP.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'

# Guest and tor VLANs exist only on the tagged uplink and the CPU ports, so no
# wired LAN port gives access to them.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '4t 5t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '4t 5t 6t'

# Guest network on VLAN 3.
# NOTE(review): the netmask is /24 here while the main router uses 255.255.0.0
# for the same network, and the broadcast given is the /16 one — confirm.
config interface 'slave'
	option proto 'static'
	option ipaddr '172.16.0.252'
	option netmask '255.255.255.0'
	option gateway '172.16.0.1'
	option broadcast '172.16.255.255'
	option type 'bridge'
	option ifname 'eth0.3'

# Tor network on VLAN 4.
config interface 'tor'
	option proto 'static'
	option ipaddr '10.1.1.252'
	option netmask '255.0.0.0'
	option type 'bridge'
	option ifname 'eth0.4'

2. Crie interfaces Wi-Fi.

Atenção: certifique-se de que os nomes dos SSIDs e as senhas sejam idênticos aos configurados no roteador principal.

/etc/config/wireless


# Last AP radios and SSIDs: same SSID names and keys as the main router, on
# different channels (44 and 9).
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'
	option legacy_rates '1'
	option channel '44'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Gaming'
	# 'psk-mixed' accepts WPA as well as WPA2 clients. NOTE(review): 'psk2' limits
	# the SSID to WPA2 if no legacy client needs WPA — confirm.
	option encryption 'psk-mixed'
	# Placeholder passphrase: replace it with a long, unique value.
	option key 'supersecretpassword'
	# KRACK workaround for unpatched clients: the AP does not retransmit EAPOL-Key frames.
	option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'
	option channel '9'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Magick Mushroom'
	option encryption 'psk-mixed'
	option key 'supersecretpassword'
	option wpa_disable_eapol_key_retries '1'

# Third radio, switched off by 'option disabled'.
config wifi-device 'radio2'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

# NOTE(review): this is an open SSID bridged to the private 'lan' network. It is
# inactive only because radio2 is disabled above; enabling that radio would
# give unauthenticated access to the LAN. Consider deleting this section or
# giving it the same encryption as the other 'lan' SSIDs.
config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

# Guest SSID: open (unencrypted over the air), with client isolation.
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option ssid 'Slave'
	option isolate '1'
	option network 'slave'

# Tor SSID: open, with client isolation enabled on this AP.
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option ssid 'tor'
	option isolate '1'
	option network 'tor'

3. Crie regras de firewall

/etc/config/firewall


# Last AP firewall: global policy, then the lan and wan zones and the lan->wan forwarding.
config defaults
	option syn_flood '1'
	# Policy for traffic that matches no zone.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Private LAN: fully trusted towards this AP.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# WAN: unsolicited input and forwarding are rejected; outbound traffic is masqueraded.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# Exceptions to the wan zone's REJECT policy. A rule with 'src' but no 'dest'
# applies to traffic addressed to the AP itself; a rule with 'dest' applies to
# forwarded traffic.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the AP itself, rate-limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone ('*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Inbound IPsec (ESP and IKE on UDP/500) forwarded from wan to lan hosts.
# NOTE(review): removable if no IPsec endpoint sits behind this AP — confirm.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom rules script loaded with the firewall.
config include
	option path '/etc/firewall.user'

# Guest and tor zones on the last AP.
# NOTE(review): both zones use input ACCEPT, so clients of the two open SSIDs
# can reach any service listening on this AP's addresses in those networks
# (172.16.0.252 and 10.1.1.252), for example SSH or LuCI if they listen there.
# The DHCP file for this AP defines no pool for either network, so input REJECT
# is probably sufficient here — confirm.
config zone
	option name 'slave'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'slave'

config zone
	option name 'tor'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'tor'

4. Crie configurações DHCP

/etc/config/dhcp


# Last AP: DHCP is switched off on lan and no pool exists for slave or tor, so
# the AP hands out no leases on any of the bridged VLANs.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# DNS rebinding protection: upstream answers pointing into private ranges are discarded.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	# Only answer DNS queries from directly attached subnets.
	option localservice '1'

# 'ignore' disables DHCP on this interface.
# NOTE(review): 'dhcpv6' and 'ra' are still set to 'server' — confirm whether
# this AP should send router advertisements on the LAN.
config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ignore '1'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Recursos:

  • Last modified: 2021/07/23 14:33
  • by someothertime