Diff: MWRPFirewall

--- Version 5 
+++ Version 6 
@@ -157,38 +157,6 @@ 
   iptables -t nat -A POSTROUTING -j postrouting_rule 
   iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE 
 ++++ 
-!! Router port configuration 
-The firewall configuration chosen needs to match the router port configuration. Currently you will need to do this by hand, later it can be incorporated into a setup script that will allow you to choose the configuration you want and will set up the bridges etc. and configure the firewall script. 
-The port configuration only needs to be done once. 
-There are two sets of NVRAM variables that need to be set correctly for the configuration required. These are the Router ports and the VLAN tagging. 
-!!! Router ports 
-On the v2.0 and later ther ports are as follows: 
-* eth0  internal switch MI2 interface 
-* eth1  internal  radio interface 
-* vlan0 LAN VLAN 
-* vlan1 WAN VLAN 
-* br0   The bridge used for vlan0 and eth1 
-The router configuration is maintained in NVRAM variables. 
-For each interface there is a variable _ifname and a _ifnames. 
-These are used in the S40network script to set up the ports. If the _ifname is a bridge (has br[0-9] then the _ifnames variable is checked for the list of ports that belong to the bridge. 
-Default case: 
- wan_ifname = vlan1 
- wan_ifnames = vlan1 
- lan_ifname = br0 
- lan_ifnames = vlan0 eth1 eth2 
-!!! VLAN tagging 
-The switch in the WRT54 uses VLAN tagging to determine where packets shuld be sent. The configuration uses two variables per vlan; vlan[0-n]ports and vlan[0-n]hwname. 
-The switch ports are 0 WAN, 1-4 LAN and 5 Internal. Port 5 is a special case and is included in all defined vlans. vlan[0-n]hwname is always et0. 
-Default case: 
- vlan0ports = "1 2 3 4 5*" 
- vlan0hwname = et0 
- vlan1ports = "0 5" 
- vlan1hwname = et0 
 ! What should the firewall do? 
 The firewall has to do a couple of things to be usefull in a MW node: 
 * Allow unrestricted access from your private segment into the MW segment. 
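Review bot: The router port section deleted here is a move rather than a drop, but one detail in the removed text deserves a check before it is carried over: the default "lan_ifnames = vlan0 eth1 eth2" lists eth2, which is not among the interfaces enumerated just above it (eth0, eth1, vlan0, vlan1, br0). Either add eth2 to the interface list with a note on which hardware revision exposes it, or remove it from the default, so the bridge membership and the interface table agree.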
@@ -205,9 +173,36 @@ 
 * forward ports from the MW segment to a machine in either the private or DMZ segment 
 
 Note: By exposing these services clients connected to your Node will be "tunneling" through your private network to reach the Internet via your broadband connection. You may want to think about what you expose if you have a capped connection. 
+!! Router port and vlan configuration 
+The firewall configuration chosen needs to match the router port configuration. Currently you will need to do this by hand, later it can be incorporated into a setup script that will allow you to choose the configuration you want and will set up the bridges etc. and configure the firewall script. 
+The port configuration only needs to be done once. 
+There are two sets of NVRAM variables that need to be set correctly for the configuration required. These are the Router ports and the vlan tagging. 
+!!! Router ports 
+On the v2.0 and later the ports are as follows: 
+* eth0 internal switch MI2 interface 
+* eth1 internal radio interface 
+* vlan0 LAN vlan 
+* vlan1 WAN vlan 
+* br0 The bridge used for vlan0 and eth1 
+The router port configuration is stored in NVRAM variables. For each interface there are _ifname and _ifnames variables. 
+These are used in the S40network script to set up the ports. If the _ifname is a bridge ( br[0-9] ) then the _ifnames variable is checked for the list of ports that belong to the bridge and the brodge is created and the ports added to the bridge. 
+Default case: 
+ wan_ifname = vlan1     wan_ifnames = vlan1 
+ lan_ifname = br0       lan_ifnames = vlan0 eth1 eth2 
+!!! vlan tagging 
+The switch in the WRT54G(S) uses vlan tagging to determine where packets should be sent. Two variables are needed per vlan; vlanports and vlanhwname. vlanhwname is always et0. 
+The switch ports are 0 WAN, 1-4 LAN and 5 Internal. Port 5 is a special case and is included in all defined vlans. The LAN ports are assigned to vlan0 and the WAN port is assigned to vlan1. 
+Default case: 
+ vlan0ports  = "1 2 3 4 5*"     vlan0hwname = et0 
+ vlan1ports  = "0 5"            vlan1hwname = et0 
 !! Modified S45firewall script 
 We modify the firewall script to allow it to be configured through setting a number of environment variables. These can be set in the script itselfand will be overridden if they are set in the shell prior to calling the script. 
 Modified S45firewall script 
 ++++ 
  #!/bin/sh 
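Review bot: The re-added vlan tagging text names the variables as "vlanports and vlanhwname", losing the index that the defaults below rely on ("vlan0ports", "vlan1hwname"); the earlier wording "vlan[0-n]ports and vlan[0-n]hwname" was more precise and should be restored. While here: "brodge" in the bridge sentence should read "bridge", and the "5*" in vlan0ports is never explained, so a reader editing these NVRAM values does not know what the asterisk marks and whether it belongs on the WAN vlan as well.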
@@ -336,59 +331,66 @@ 
 ++++ 
 ! Example router port configurations and firewall scripts 
 !! OpenWRT default configuration and firewall 
-This configuration is useful for setting up a private wireless network but should not be used as part of a MW Node. Any machine connected to the LAN ports would be bridged with the Node and exposed to hacking. 
+This configuration is useful for setting up a private wireless network but should be used carefully a MW Node. Any machine connected to the LAN ports would be bridged with the Node and thereofre on a public network. 
 
-        Public WAN         WRT PORT      Private LAN 
+         Public WAN         WRT PORT      Private LAN 
                           +-------+ 
-       -------------------|  WAN  | 
+       ------------ vlan1 |  WAN  | 
                           +-------+ 
-                  +-----  +-------+ 
-                  |       | WLAN  |----------< Antenna (radio used as AP) 
-                  |       +-------+ 
-                  |       +-------+ 
+          +-------------  +-------+ 
+          |         eth1  | WLAN  |----------< Antenna (radio used as AP) 
+          |               +-------+ 
+          |       +-----  +-------+ 
  ports bridges    |       | LAN 1 |---------- 
-   together       |       +-------+ 
-                  |       +-------+ 
-                  |       | LAN 2 |---------- 
-                  |       +-------+ 
-                  |       +-------+ 
-                  |       | LAN 3 |---------- 
-                  |       +-------+ 
-                  |       +-------+ 
-                  |       | LAN 4 |---------- 
-                  +-----  +-------+ 
+   together br0   | vlan0 +-------+ 
+          |       |       +-------+ 
+          |       |       | LAN 2 |---------- 
+          |       |       +-------+ 
+          |       |       +-------+ 
+          |       |       | LAN 3 |---------- 
+          |       |       +-------+ 
+          |       |       +-------+ 
+          |       |       | LAN 4 |---------- 
+          +------ +-----  +-------+ 
 
 !!! Port configuration 
-No changes required. 
+No changes required. 
 !!! Firewall configuration 
-Use the S45firewall script as is out of the box. 
+ MELW = br0 
+ PRIV = (NULL) 
+ WAN  = vlan1 
+ DMZ  = (NULL) 
 !! Private WAN interface, public LAN interface 
 This is the simplest useful node configuration. It does not require any changes to the OpenWRT port assignment. In this configuration there is a single WAN port and a bridged LAN ( bridge the remaining 4 switch ports and the wirless port ). 
 
-        Private LAN        WRT PORT      Public LAN ( i.e. Melbourne wireless space ) 
+ Private LAN        WRT PORT      Public LAN ( i.e. Melbourne wireless space ) 
                           +-------+ 
-       -------------------|  WAN  | 
+          --------- vlan1 |  WAN  | 
                           +-------+ 
-                  +-----  +-------+ 
-                  |       | WLAN  |----------< Antenna (radio used as Node AP) 
-                  |       +-------+ 
-                  |       +-------+ 
+          +-------------  +-------+ 
+          |         eth1  | WLAN  |----------< radio used as Node AP 
+          |               +-------+ 
+          |       +-----  +-------+ 
  ports bridges    |       | LAN 1 |----------  to link radio 
-   together       |       +-------+ 
-                  |       +-------+ 
-                  |       | LAN 2 |----------  to node server 
-                  |       +-------+ 
-                  |       +-------+ 
-                  |       | LAN 3 |----------  Switch port 3 
-                  |       +-------+ 
-                  |       +-------+ 
-                  |       | LAN 4 |----------  Switch port 4 
-                  +-----  +-------+ 
+   together br0   | vlan0 +-------+ 
+          |       |       +-------+ 
+          |       |       | LAN 2 |----------  to node server 
+          |       |       +-------+ 
+          |       |       +-------+ 
+          |       |       | LAN 3 |---------- 
+          |       |       +-------+ 
+          |       |       +-------+ 
+          |       |       | LAN 4 |---------- 
+          +------ +-----  +-------+ 
 In this configuration the router is using the WAN port to give you a connection from your private LAN space into the MW node. The firewall needs to be set up differently to the case where the LAN is the private side and the WAN is the public (Internet) side. 
 !!! Port configuration 
 No changes in NVRAM required. 
 !!! Firewall configuration 
+ MELW = br0 
+ PRIV = vlan1 
+ WAN  = (NULL) 
+ DMZ  = (NULL) 
 !! Individual ports 
 Another common use of the WRT is as a dedicated router. This is the case, for example at NodeGHO where there are three AP each serving different address ranges and the WRT is used to route traffic between them. 
 
@@ -418,66 +420,59 @@ 
 The S40network init script will need to be changed also to remove the ifup wan and ifup lan lines and replace then with ifup lan0, ifup lan1 etc. 
 !!! Port configuration 
 NVRAM variables 
- wan_ifname   = 
- wan_ifnames  = 
- lan0_ifname  = vlan0 
- lan0_ifnames = vlan0 
- lan1_ifname  = vlan0 
- lan1_ifnames = vlan1 
- lan2_ifname  = vlan2 
- lan2_ifnames = vlan2 
- lan3_ifname  = vlan3 
- lan3_ifnames = vlan3 
- lan4_ifname  = vlan4 
- lan4_ifnames = vlan4 
- lan5_ifname  = vlan5 
- lan5_ifnames = vlan5 
- vlan0ports  = "1 5*" 
- vlan0hwname = et0 
- vlan1ports  = "0 5" 
- vlan1hwname = et0 
- vlan2ports  = "2 5" 
- vlan2hwname = et0 
- vlan3ports  = "3 5" 
- vlan3hwname = et0 
- vlan4ports  = "4 5" 
- vlan4hwname = et0 
- vlan5ports  = "5 5" 
- vlan5hwname = et0 
+ wan_ifname   = (NULL)   wan_ifnames  = (NULL) 
+ lan0_ifname  = vlan0    lan0_ifnames = vlan0 
+ lan1_ifname  = vlan1    lan1_ifnames = vlan1 
+ lan2_ifname  = vlan2    lan2_ifnames = vlan2 
+ lan3_ifname  = vlan3    lan3_ifnames = vlan3 
+ lan4_ifname  = vlan4    lan4_ifnames = vlan4 
+ lan5_ifname  = vlan5    lan5_ifnames = vlan5 
+ vlan0ports  = "1 5*"    vlan0hwname = et0 
+ vlan1ports  = "0 5"     vlan1hwname = et0 
+ vlan2ports  = "2 5"     vlan2hwname = et0 
+ vlan3ports  = "3 5"     vlan3hwname = et0 
+ vlan4ports  = "4 5"     vlan4hwname = et0 
+ vlan5ports  = "5 5"     vlan5hwname = et0 
 !!! Firewall configuration 
-Not really needed for the given example. ( doh - what's it doing here then? ) 
+For this example there is no need for a firewall. There is no private segment, no Internet connection and no DMZ. If you were using an ''All ports'' routed configuration with any of these additional segments then the appropriate vlan would be assigned to the segment variable. 
+ MELW = vlan0,vlan1,vlan2,vlan3,vlan4 
+ PRIV = (NULL) 
+ WAN  = (NULL) 
+ DMZ  = (NULL) 
 !! Node AP on WAN port 
 This is a simple change, involving only the removal of the bridge between the WLAN and LAN and is the configuration used in the MWRP examples. The AP is connected to the router through the WAN port to avoid conflicts with the boot default addresses of both devices being the same. 
 
-                           WRT PORT      Public LAN ( i.e. Melbourne wireless space ) 
+                    WRT PORT      Public LAN ( i.e. Melbourne wireless space ) 
                           +-------+ 
-                    vlan1 |  WAN  |---------- to AP radio 
+                    vlan1 |  WAN  |---------- to AP ( Senao ) 
                           +-------+ 
                           +-------+ 
-                    eth1  | WLAN  |----------< Antenna ( radio used as link ) 
+                    eth1  | WLAN  |----------< radio used as link 
                           +-------+ 
                   +-----  +-------+ 
-                  |       | LAN 1 |---------- 
+                  |       | LAN 1 |---------- 
                   | vlan0 +-------+ 
                   |       +-------+ 
-                  |       | LAN 2 |---------- 
+                  |       | LAN 2 |---------- 
                   |       +-------+ 
                   |       +-------+ 
-                  |       | LAN 3 |---------- 
+                  |       | LAN 3 |---------- 
                   |       +-------+ 
                   |       +-------+ 
-                  |       | LAN 4 |---------- 
+                  |       | LAN 4 |---------- 
                   +-----  +-------+ 
 
 !!! Port configuration 
 NVRAM variables: 
- lan_ifname   = vlan0 
- lan_ifnames  = vlan0 
- wlan_ifname  = eth1 
- wlan_ifnames = eth1 
+ lan_ifname   = vlan0     lan_ifnames  = vlan0 
+ wlan_ifname  = eth1      wlan_ifnames = eth1 
 !!! Firewall configuration 
-The firewall in this case will treat the vlan0 interface as the PRIV segment and the vlan1 and eth1 devices as the PUBLIC segments. 
+In this case the vlan0 interface is the PRIV segment and the vlan1 and eth1 devices are PUBLIC segments. vlan1 will reeive an address from the APs address range and eth1 will use an address allocated when the link is set up. 
+ MELW = vlan1,eth1 
+ PRIV = vlan0 
+ WAN  = (NULL) 
+ DMZ  = (NULL) 
 !! DMZ segment 
 If you want to provide services to the network but don't want to have them exposed in the node itself or forward ports into your private space then you may want to configure a DMZ segment. Remove the br0 bridge, leave one or two ports to connect the node to your private space and create a new vlan with the remaining ports. The WAN port could be used for an AP  or link as could the WLAN port. 
 In this way you can expose only those ports on the DMZ server machines you want to and can avoid having to spend too much effort hardening the machines. 
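Review bot: In the "Node AP on WAN port" port configuration only lan_ and wlan_ variables are shown; since vlan1 is now listed under MELW rather than used as the WAN, wan_ifname and wan_ifnames should be shown explicitly as (NULL), as the other examples do, otherwise the unchanged ifup wan in S40network will still bring vlan1 up as the WAN interface. Two smaller points: "vlan5ports = "5 5"" lists port 5 twice and defines a vlan with no external switch port, so either drop vlan5 or explain its purpose; and "reeive" in the firewall paragraph should read "receive". The lan1_ifname fix from vlan0 to vlan1 is correct and worth calling out in the edit summary.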
@@ -503,13 +498,24 @@ 
                   +-----  +-------+ 
 
 !!! Port configuration 
+ wan_ifname=(NULL) wan_ifnames= (NULL) 
+ lan_ifname=vlan0  lan-ifnames=vlan0 
+ dmz_ifname=vlan2  dmz_ifnames=vlan2 
+ vlan0ports = "1 2 5*"     vlan0hwname = et0 
+ vlan1ports = "0 5"        vlan1hwname = et0 
+ vlan2ports = "3 4 5"      vlan2hwname = et0 
 !!! Firewall configuration 
+ MELW=vlan1,eth1 
+ PRIV=vlan0 
+ WAN= (NULL) 
+ DMZ=vlan2 
 !! The ultimate cheap bastard 
 This is my favorite configuration. It is the one to use if you are too cheap to buy more than one router/AP and you want to do everything. This is really getting your money's worth from the router. Use the WAN port to make your broadband connection, use the wired LAN ports internally within your house and use the radio as your MW Node AP. If you have wireless devices you can configure the firewall to allow them to work from "outside". Feeling cheaper still, try to convince the next Node to connect to  you to using WDS and you have a built in link as well. 
 
         Public Internet    WRT PORT      Public LAN ( i.e. Melbourne wireless space ) 
                           +-------+ 
-       -------------------|  WAN  | 
+       ------------ vlan1 |  WAN  | 
                           +-------+ 
                           +-------+ 
                           | WLAN  |----------< Antenna (radio used as Node AP) 
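Review bot: In the DMZ port configuration "lan-ifnames=vlan0" uses a hyphen where every other example uses the underscore form lan_ifnames; as written it would set a different NVRAM variable and the S40network script would not find the bridge member list. Also, MELW includes eth1 but no wlan_ifname / wlan_ifnames pair is listed for it, unlike the previous example; add "wlan_ifname=eth1 wlan_ifnames=eth1" and normalise the spacing around "=" so the block matches the others.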