Wednesday, 24 November 2010

Extending a wireless access point with DD-WRT

I have had some Netgear WG602 -v4 access points at work for a while.

They seemed to struggle a bit with some XP clients but have been good as gold with Windows 7 clients.

However, I wanted to extend their functionality a little and I used DD-WRT for this. This is a downloadable open source ROM to replace the OS on the access point. I used the V24 SP2 micro build.

Installation can be a little tricky and differs for every device so I will not cover this here.

The first thing to do once you have successfully installed DD-WRT onto your WAP is to make sure it has the appropriate settings for its function as an access point, rather than those for a fully fledged router.

Please note: I've used the wiki pages from the DD-WRT site for the steps below, omitting things that I did not feel were necessary.

# Open the Setup -> Basic Setup tab

* WAN Connection Type : Disabled
* Local IP Address: (i.e. different from primary router and out of DHCP pool)
* Subnet Mask: (i.e. same as primary router)
* DHCP Server: Change to "DHCP Forwarder"
* (Recommended) Gateway/Local DNS: IP address of primary router (many things will fail without this)
* (Optional) NTP Client: Enable/Disable (if Enabled, specify Gateway/Local DNS above)
* Save

# Open the Setup -> Advanced Routing tab

* (Optional) Change operating mode to: Router
* Save

# Open the Wireless -> Basic Settings tab

* Wireless Network Name (SSID): YourNetworkNameHere
* (Optional) Sensitivity Range: The max distance (in meters) to clients x2
* Save

# Open the Wireless -> Wireless Security tab

* Note: Security is optional, but recommended! Clients must support whatever mode you select here.
* (Recommended) Security Mode: WPA2
* (Recommended) WPA Algorithm: AES
* (Recommended) WPA Shared Key: >8 characters
* Save

# Open the Security -> Firewall tab

* Uncheck all boxes except Filter Multicast
* Save
* Disable SPI firewall
* Save

Now it's time to start setting up our 2nd WLAN using the same router. I wanted to set one up for office guests, giving internet access but masking away the local LAN.

Navigate to the Wireless -> Basic Settings page and under the Virtual Interfaces section press the "Add" button to add a new virtual interface. Leave the Network Configuration set to "Bridged" for all interfaces regardless of whether you want to bridge them or not.

To get a working unbridged interface we will actually assign it to its own bridge later on. You may change any of the other settings to your liking.

Press the "Apply Settings" button and wait for a minute.

Now apply the appropriate level of security to this 2nd WLAN.

We will now separate the WLANs.

Navigate to the Setup -> Networking page. Press the "Add" button in the Create Bridge section and type "br1" into the blank input box that is on the left side of all the options that just appeared. Press the "Apply Settings" button at the bottom of the page and new input boxes will appear to specify the IP address for the new bridge.

This new bridge needs to have an address that is in a different subnet than your main LAN. By default the main router LAN address is netmask so we will use netmask for the br1 bridge interface. Press the "Apply Settings" button again so that the IP address will be assigned to the br1 interface before you continue.

Press the "Add" button in the Assign to Bridge section. Select "br1" in the left drop down menu that appeared and select "wl0.1" in the other. Press the "Apply Settings" button and the virtual wireless interface wl0.1 will now be moved from br0 to br1.

Since we disabled DHCP on the access point earlier (for obvious reasons) we will now need to set up a limited form of this again for our 2nd protected subnet.

Go to the Services tab and find the Additional DNSMasq Options text area. Adjust the following options to fit your environment:

# Enables DHCP on br1
# Set the default gateway for br1 clients
# Set the DHCP range and default lease time of 24 hours for br1 clients

Apply these changes.

Finally we come to restricting access on the 2nd WLAN to internet only. You do this via the Administration -> Commands page.

I used the following commands:

iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

I saved, applied and then restarted the access point at this stage.

People can now connect to the 2nd access point and gain internet access, but will be given no access to the local LAN.
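Why the order of the iptables commands above matters, as an added example that is not part of the original post: each `-I FORWARD` inserts at the head of the chain, so the DROP rule entered last is evaluated first. The sketch models only the three FORWARD rules (not the nat rule) for new connections; the subnet, the sample destination addresses and the `policy` fallback are assumptions, since the page does not state them.

```python
import ipaddress
import shlex

# Constructed value: the page does not state the main LAN subnet.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed br0 subnet

# The page's three FORWARD rules, in the order they are entered, with the
# nvram lookups replaced by the assumed LAN_NET.
COMMANDS = [
    "iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
    f"iptables -I FORWARD -i br1 -d {LAN_NET} -m state --state NEW -j DROP",
]

def build_chain(commands):
    """Apply commands in order; -I without an index inserts at the head."""
    chain = []
    for cmd in commands:
        args = shlex.split(cmd)
        opt = lambda flag: args[args.index(flag) + 1] if flag in args else None
        dst = opt("-d")
        chain.insert(0, {
            "in": opt("-i"),
            "dst": ipaddress.ip_network(dst) if dst else None,
            "target": opt("-j"),
        })
    return chain

def verdict(chain, in_if, dst, policy="ACCEPT"):
    """Fate of a NEW connection: the first ACCEPT/DROP match wins.

    TCPMSS only rewrites the packet, so evaluation continues past it.
    `policy` stands in for whatever follows the inserted rules (assumed).
    """
    dst = ipaddress.ip_address(dst)
    for rule in chain:
        if rule["in"] not in (None, in_if):
            continue
        if rule["dst"] is not None and dst not in rule["dst"]:
            continue
        if rule["target"] in ("ACCEPT", "DROP"):
            return rule["target"]
    return policy

if __name__ == "__main__":
    chain = build_chain(COMMANDS)
    for dst in ("192.168.1.10", "203.0.113.5"):  # constructed LAN host, outside host
        print(f"br1 -> {dst}: {verdict(chain, 'br1', dst)}")
```

All three rules sit in FORWARD, so they govern traffic routed through the access point; traffic addressed to the access point itself is handled by the INPUT chain and is not covered by them.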


Anonymous said...

Thank you, great instructions. I used these instead of the ones @ the official site.
