OpenWRT Network Configuration


http://www.macfreek.nl/memory/OpenWRT_Network_Configuration

This article was written in April 2009, and last updated in December 2009. This article was written with OpenWRT 8. I have not upgraded to the latest version. Given the volatile nature of this topic, expect that the content of this article is outdated after about two years time.

Contents

  • 1 Enable Wireless
  • 2 Bridge mode
  • 3 Configure DNS
  • 4 Add Demilitarized Zone (DMZ)
  • 5 Static Route
  • 6 Firewall

Enable Wireless

Wireless is disabled by default. See Kamikaze Wireless Configuration and Configure WiFi encryption for configuration information.

I use WPA2 security, and put it in bridge mode (no need to configure the IP layer):

uci set wireless.cfg2.encryption=psk2     (wpa2-psk)
uci set wireless.cfg2.key=ABCDEF1234567   (generate a key between 8 and 63 bytes long)
uci set wireless.cfg2.network=lan         (bridging mode)
uci set wireless.cfg2.ssid=MacFreek
uci set wireless.wlan0.channel=1
uci set wireless.wlan0.disabled=0
uci commit wireless && wifi

In the LuCI web interface, you can configure this in Network > Wifi > WLAN0.

Bridge mode

First of all, the device contains two physical interfaces: wireless (wlan0 on Kamikaze 8.09 and up, wl0 on Kamikaze 7.09) and LAN+WAN (eth0). The LAN+WAN interface (eth0) is connected to a managed switch, where it is split into multiple UTP connectors: 4 LAN and 1 WAN ("Internet") connector. It is possible to configure the individual LAN and WAN interfaces using VLANs (see below at DMZ).

First disable the DHCP server (and forwarding DNS as well):

# /etc/init.d/dnsmasq disable
# /etc/init.d/dnsmasq stop
# uci set dhcp.cfg1.ignore=1       (not required after the above, but we set it anyway)
# uci set dhcp.cfg2.ignore=1       (not required after the above, but we set it anyway)
# uci commit

We first create a bridge interface. This can be done manually using brctl, but that will not survive a reboot. Instead, we choose to make the lan interface a bridge:

# uci set network.lan.type=bridge
# uci commit

After a reboot, this creates a new interface, br-lan, which is a bridge containing the lan interface (the lan interface is eth0.0), as shown by:

# uci get network.lan.ifname
eth0.0
# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.001ee584e2e8       no              eth0.0

To bridge the WLAN (wireless LAN) with the LAN (wired LAN):

# uci set wireless.cfg2.network=lan              (Kamikaze 7.09)
# uci set wireless.@wifi-iface[0].network=lan    (Kamikaze 8.09 and up)
# uci commit wireless && wifi

Check the name of the WAN interface, and add it to the LAN interface:

# uci get network.wan.ifname
eth0.1
# uci set network.lan.ifname="eth0.0 eth0.1"
# uci commit


After reboot, all LAN, WAN and WLAN interfaces are in the bridge br-lan:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.001ee584e2e8       no              eth0.0
                                                        eth0.1
                                                        wlan0

For more information, see the OpenWRT forum, Bridge of wan and port 4.

An interface that is a member of a bridge cannot have an IP address of its own. Only the bridge interface itself can have an IP address. Check this in your configuration. Here is mine:

# cat /etc/config/network
#### VLAN configuration
config switch eth0
        option vlan0    "0 1 2 3 5*"
        option vlan1    "4 5"

#### Loopback configuration
config interface loopback
        option ifname   lo
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0

#### LAN configuration
config interface lan
        option ifname   "eth0.0 eth0.1"
        option type     bridge
        option proto    static
        option ipaddr   145.99.148.34
        option netmask  255.255.255.240
        option gateway  145.99.1.65

#### WAN configuration
config interface wan
        option ifname   eth0.1

Configure DNS

To configure DNS, simply edit /etc/resolv.conf:

domain macfreek.nl
nameserver 192.0.2.5

Add Demilitarized Zone (DMZ)

One of the great things about OpenWRT on Linksys hardware is that the device actually contains a manageable Ethernet switch. It is possible to add tagged and untagged ports, even bypassing the core. Again, do read about the generic network concepts of OpenWRT boxes. (Skip the Demilitarized Zone Howto; that is an old WhiteRussian configuration.)

I wanted a configuration with four logical interfaces:

  • The upstream (WAN) interface (the outside world)
  • The wireless (WLAN) interface, to connect laptops
  • Two "server" interfaces, to connect servers (often called demilitarized zone interfaces)
  • Two "client" interfaces, to connect hosts and desktops

The difference between the "client" and "server" interface is that I can later distinguish between them in the firewall: "server" interfaces (DMZ interfaces) are allowed to run services accessible by the outside world, while "client" interfaces are only allowed to run services accessible by the "inside" world.

Note that on the LinkSys WRT54GL v1.1, the port numbers printed on the device do not correspond to the logical port numbers in the switch. Port 3 is marked as Ethernet 1, Port 2 is marked as Ethernet 2, Port 1 is marked as Ethernet 3, Port 0 is marked Ethernet 4, and Port 4 is marked as Internet (WAN).

The picture shows the general idea:

[Figure: Linksys internals]

We first create a new logical interface (the dmz interface):

# uci set network.dmz=interface
# uci set network.dmz.ifname=eth0.2

The name eth0.2 is automatically linked to VLAN 2. We can now remove ports from VLAN 0, and add them to VLAN 2:

# uci set network.eth0.vlan0="2 3 5*"
# uci set network.eth0.vlan2="0 1 5"

Our configuration is now:

# cat /etc/config/network
#### VLAN configuration
config switch eth0
        option vlan0    "2 3 5*"
        option vlan1    "4 5"
        option vlan2    "0 1 5"

#### Loopback configuration
config interface loopback
        option ifname   lo
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0

#### LAN configuration
config interface lan
        option ifname   "eth0.0 eth0.1 eth0.2"
        option type     bridge
        option proto    static
        option ipaddr   145.99.148.34
        option netmask  255.255.255.240
        option gateway  145.99.1.65

#### DMZ configuration
config interface dmz
        option ifname   eth0.2

#### WAN configuration
config interface wan
        option ifname   eth0.1
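Two things this page asks you to verify by eye can be checked mechanically: that no bridge member carries its own IP address (the rule stated in the Bridge mode section) and that every physical switch port ends up in exactly one VLAN, so the DMZ ports are really separated from the client ports. The following is an added example, not code from the original article: a small Python linter that parses the UCI syntax of a copied /etc/config/network and reports both problems. The function names are mine, and the sample config is constructed from the stanzas listed above.

```python
import shlex

# Constructed sample: the switch and interface stanzas of the /etc/config/network listed above.
SAMPLE = """config switch eth0
        option vlan0    "2 3 5*"
        option vlan1    "4 5"
        option vlan2    "0 1 5"
config interface lan
        option ifname   "eth0.0 eth0.1 eth0.2"
        option type     bridge
        option ipaddr   145.99.148.34
config interface dmz
        option ifname   eth0.2
config interface wan
        option ifname   eth0.1
"""

def parse_uci(text):
    """Parse 'config <type> [name]' / 'option <key> <value>' lines into a list of section dicts."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # drops '#' comments, keeps quoted values whole
        if words and words[0] == "config":
            sections.append({"type": words[1], "name": words[2] if len(words) > 2 else None, "options": {}})
        elif words and words[0] == "option" and sections:
            sections[-1]["options"][words[1]] = words[2] if len(words) > 2 else ""
    return sections

def bridge_member_ip_conflicts(sections):
    """Interfaces that are members of a bridge yet carry their own ipaddr (only the bridge may)."""
    ifaces = [s for s in sections if s["type"] == "interface"]
    members = set()
    for s in ifaces:
        if s["options"].get("type") == "bridge":
            members.update(s["options"].get("ifname", "").split())
    return [s["name"] for s in ifaces
            if s["options"].get("type") != "bridge" and "ipaddr" in s["options"]
            and members & set(s["options"].get("ifname", "").split())]

def misassigned_switch_ports(sections, physical_ports=("0", "1", "2", "3", "4")):
    """Physical ports in zero or several VLANs; a port in two VLANs joins the segments the DMZ
    was meant to separate. Port 5 (CPU) is in every VLAN, the '*' marking its default VLAN."""
    seen = {}
    for s in sections:
        if s["type"] == "switch":
            for key, val in s["options"].items():
                if key.startswith("vlan"):
                    for port in val.split():
                        seen.setdefault(port.rstrip("*"), []).append(key)
    return {p: seen.get(p, []) for p in physical_ports if len(seen.get(p, [])) != 1}
```

On the sample both functions return empty results; giving the wan section its own ipaddr, or listing port 0 in vlan0 as well as vlan2, makes them report the offending interface or port.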

Static Route

To add a static route, run /sbin/route, or set them in /etc/config/network.

Let's say you need the routes:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.0.2.3       0.0.0.0         255.255.255.255 UH        0 0          0 eth0.1
0.0.0.0         192.0.2.3       0.0.0.0         UG        0 0          0 eth0.1

This can easily be achieved by the route command:

/sbin/route add -host 192.0.2.3 dev eth0.1
/sbin/route add -net default dev eth0.1 gateway 192.0.2.3

-or equivalently-

/sbin/route add -net 192.0.2.3 netmask 255.255.255.255 dev eth0.1
/sbin/route add -net 0.0.0.0 netmask 0.0.0.0 dev eth0.1 gateway 192.0.2.3

This can be set in /etc/config/network:

config route
        option interface wan
        option target 192.0.2.3

config route
        option interface wan
        option target 0.0.0.0
        option netmask 0.0.0.0
        option gateway 192.0.2.3

Unfortunately, there is a small bug in Kamikaze 8.09 where the first route (the host route, which has no gateway option) results in

/sbin/route add -net 192.0.2.3 netmask 255.255.255.255 dev eth0.1 gateway 192.0.2.3

It is not possible to circumvent this by adding

config route
        option interface wan
        option target 192.0.2.3
        option gateway 0.0.0.0

since this leads to invalid syntax and results in "route: SIOCADDRT: Invalid argument" (you may never pass "gateway 0.0.0.0" to /sbin/route).

I fixed this by deleting the following lines in /etc/hotplug.d/iface/10-routes:

    [ -n "$gateway" ] || {
        config_get gateway "$interface" gateway
    }

See bugreport 4928 for details.

Firewall

Starting points:

  • http://wiki.openwrt.org/OpenWrtDocs/IPTables (IP firewall)
  • http://downloads.openwrt.org/people/nico/man/man8/ebtables.8.html (Ethernet firewall)
  • http://wiki.openwrt.org/OpenWrtDocs/WhiteRussian/TransparentFirewall (very good, but for older WhiteRussian release)
  • http://wiki.openwrt.org/ShorewallHowTo (for older WhiteRussian release)
  • http://wiki.openwrt.org/SimpleFirewall (I think outdated, it uses scripts instead of /etc/config/firewall)