DD-WRT:WLAN separate from LAN, with independent dhcp, etc

'''NOTE: This is an old unmaintained and duplicate guide. You should use one of the following currently maintained guides instead.'''

For a GUI based method see: Separate LAN and WLAN.

If you're separating virtual interfaces then use the instructions from the Multiple WLAN Guide.

Introduction
It took me quite a while to make all this work, so I thought I'd share all the hoops I had to jump through to get here with the community.

My goal was to migrate from my existing Linux box, which had an Ethernet interface and a WiFi card acting as a crude AP, while keeping the same functionality: firewalling, separate subnets for wired and wireless, separate DHCP, etc.

Contrary to popular belief, DHCPMasq is quite capable of serving different IP ranges on different interfaces. The main obstacle is that iptables (the firewall) blocks it in the default configuration.

Step 1: Remove Wireless interface (eth1) from the LAN bridge (br0)
a) Go to the 'Setup -> VLANs' page.

b) At the bottom of the page change the "Wireless" option from "LAN" to "None"

(The above setting doesn't take effect until the next reboot, which is good because it kills the WLAN. We'll fix that in the next step.)

Step 2: Configure startup scripts
a1) Go to the 'Administration -> Diagnostics' page.

a2) (v23) Go to the 'Administration -> Command' page.

b) What you type here may vary, depending on your desired network. I wanted my WiFi on a separate subnet from my LAN, with its own DHCP scope. In these examples, the LAN is 192.168.7.0/24 and the WiFi is 192.168.8.0/24.

The following goes in the text box. Feel free to omit the lines that start with ##, as they are just comments. If you are really pressed for space, you can omit the line breaks and separate commands with ';' instead.

## configure wireless interface
ifconfig eth1 up inet 192.168.8.1 netmask 255.255.255.0

## setup dnsmasq
cat << EOF > /tmp/new.dnsmasq.conf
interface=br0
interface=eth1
resolv-file=/tmp/resolv.conf
leasefile-ro
dhcp-script=/etc/lease_update.sh
dhcp-lease-max=50
dhcp-option=br0,3,192.168.7.1
dhcp-range=br0,192.168.7.100,192.168.7.249,255.255.255.0,1440m
dhcp-option=eth1,3,192.168.8.1
dhcp-range=eth1,192.168.8.100,192.168.8.249,255.255.255.0,1440m
EOF

## restart dnsmasq
killall dnsmasq
dnsmasq --conf-file /tmp/new.dnsmasq.conf

## configure wireless options
## I set some extra options here, see the docs for the wl command
## this may all be handled by doing 'wlconf eth1 up' instead
wl -i eth1 down
wl -i eth1 ap 1
wl -i eth1 infra 1
wl -i eth1 txpwr 84
wl -i eth1 up

## depending on your wifi settings, this will change. I just copied the existing command and changed the -l option
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l eth1 -i eth1 -A -m 128 -k secretkey -s yourssid -w 2 -g 3600 &

You should be able to get the nas command line from the output of 'ps' from the shell (ssh/telnet)

c) Click the 'Save Startup' button instead of the 'Cmd' button (Don't close this window yet!)

Configure the necessary iptables rules:

The default firewall setup is quite specific and has no knowledge of the eth1 interface (it assumes eth1 is part of the LAN), so we need to add several rules to make it aware. These work under v23; you may need to tweak parts if you run a different version. In particular, the rule numbers may be different on your system.

a) Paste the following into the same text box used above but this time press the 'Save Firewall' button:

## wan:  vlan1
## lan:  br0
## wifi: eth1

## permit incoming connections from WLAN
iptables -I INPUT 9 -i eth1 -m state --state NEW -j logaccept

## fixup forwarding table
## the lan2wan target didn't work for me, replace it with straight accept
iptables -R FORWARD 6 -i br0 -o vlan1 -j ACCEPT

## permit WLAN -> WAN
iptables -I FORWARD 7 -i eth1 -o vlan1 -j ACCEPT

## permit WLAN -> LAN
iptables -I FORWARD 7 -i eth1 -o br0 -j ACCEPT
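The rule set above hard-codes positions 6, 7 and 9 and warns that they differ between builds. As an added example that is not part of the original page, the following POSIX shell script looks the LAN-to-WAN rule up by its in/out interfaces and target in the output of 'iptables -L FORWARD -v -n --line-numbers', then prints the rule set with the discovered position and the interface names substituted, so the commands can be reviewed before being pasted into the 'Save Firewall' box. The function names, the sample chain listing (constructed, not captured from a router; it deliberately puts the lan2wan rule at 4 rather than 6 to show the number is discovered) and the INPUT position passed through as 9 are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki page. Finds the LAN->WAN rule by
# interfaces and target instead of assuming it is rule 6, then prints the
# guide's WLAN rules with interfaces and positions as parameters.

# find_rule_num: read "iptables -L <chain> -v -n --line-numbers" output on
# stdin; print the number of the first rule whose in-interface ($7),
# out-interface ($8) and target ($4) match. With -v the columns are:
#   num pkts bytes target prot opt in out source destination [extra]
# $1 = in-interface, $2 = out-interface, $3 = target
find_rule_num() {
    awk -v in_if="$1" -v out_if="$2" -v tgt="$3" '
        $1 ~ /^[0-9]+$/ && $7 == in_if && $8 == out_if && $4 == tgt { print $1; exit }
    '
}

# wlan_rules: print (do not run) the rule set from the guide.
# $1 = WAN interface, $2 = LAN bridge, $3 = WLAN interface,
# $4 = number of the existing LAN->WAN rule to replace,
# $5 = position for the INPUT rule (9 in the guide; check it with
#      "iptables -L INPUT -v -n --line-numbers" on your build)
wlan_rules() {
    wan=$1; lan=$2; wlan=$3; fwd_pos=$4; in_pos=$5
    cat <<EOF
iptables -I INPUT $in_pos -i $wlan -m state --state NEW -j logaccept
iptables -R FORWARD $fwd_pos -i $lan -o $wan -j ACCEPT
iptables -I FORWARD $((fwd_pos + 1)) -i $wlan -o $wan -j ACCEPT
iptables -I FORWARD $((fwd_pos + 1)) -i $wlan -o $lan -j ACCEPT
EOF
}

# Constructed sample listing (not captured from a real router), laid out like
# "iptables -L FORWARD -v -n --line-numbers". The lan2wan rule is deliberately
# rule 4 here, not 6 as in the guide.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
3        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4        0     0 lan2wan    all  --  br0    vlan1   0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0'

# wlan_rules_for_sample: run the lookup against the sample and print the
# resulting commands. On a router, replace the printf with the live listing.
wlan_rules_for_sample() {
    pos=$(printf '%s\n' "$SAMPLE_FORWARD" | find_rule_num br0 vlan1 lan2wan)
    if [ -z "$pos" ]; then
        echo "LAN->WAN rule not found; check the interface names" >&2
        return 1
    fi
    wlan_rules vlan1 br0 eth1 "$pos" 9
}

wlan_rules_for_sample
```

On the router itself the lookup becomes 'iptables -L FORWARD -v -n --line-numbers | find_rule_num br0 vlan1 lan2wan', and once the printed commands look right they can be applied with 'wlan_rules vlan1 br0 eth1 "$pos" 9 | sh' or pasted into the firewall script. An empty result means the interface names or target differ on that build, which is exactly the case where a hard-coded 6 would have replaced the wrong rule.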

Step 3: Turn off stock DHCPMasq
This step comes third just to make sure we have a way back into the router, since the router seems to reboot every time we save the above configs.

a) Go to the 'Setup -> Basic Setup' page.

b) Change the 'DHCP server' setting to 'disable'

c) Uncheck all the DHCP-specific options

The above didn't actually disable DHCPMasq for me. I had to run the following commands from the shell (ssh or telnet):

nvram set dnsmasq_enable=0
nvram commit

I think that's it. Enjoy!

Comment recalcitrantyouth 11:01, 23 Jan 2008 (CEST) Thanks for this! In order to make this work with v2.3 SP2 on a WRT54GL 1.1, I needed to make a couple of minor changes.

## configure wireless interface
ifconfig eth1 up inet 192.168.8.1 netmask 255.255.255.0

## setup dnsmasq
cat << EOF > /tmp/new.dnsmasq.conf
interface=br0
interface=eth1
#resolv-file=/tmp/resolv.conf
## RY - incorrect resolv file in 2.3
resolv-file=/tmp/resolv.dnsmasq
leasefile-ro
dhcp-script=/etc/lease_update.sh
dhcp-lease-max=50
dhcp-option=br0,3,192.168.7.1
dhcp-range=br0,192.168.7.100,192.168.7.249,255.255.255.0,1440m
dhcp-option=eth1,3,192.168.8.1
dhcp-range=eth1,192.168.8.100,192.168.8.249,255.255.255.0,1440m
EOF

## restart dnsmasq
killall dnsmasq
dnsmasq --conf-file /tmp/new.dnsmasq.conf

## configure wireless options
## I set some extra options here, see the docs for the wl command
## this may all be handled by doing 'wlconf eth1 up' instead
wlconf eth1 up
#wl -i eth1 down
#wl -i eth1 ap 1
#wl -i eth1 infra 1
#wl -i eth1 txpwr 84
#wl -i eth1 up

## depending on your wifi settings, this will change. I just copied the existing command and changed the -l option
## RY - if not running authentication, no need for this - the process isn't running
#killall nas
#nas -P /tmp/nas.wl0lan.pid -H 34954 -l eth1 -i eth1 -A -m 128 -k secretkey -s yourssid -w 2 -g 3600 &

I also found that step three was not actually necessary. Since during startup dnsmasq is being restarted anyway, forcing it not to start up shouldn't really matter.

Comment by tech128:

Well, to get this to work properly on V24 SP2, I had to modify the firewall and startup somewhat.

Also, on Atheros builds keep in mind there are no VLANs (that I saw, anyway), so you want to set the wireless interface to unbridged and enable NAT instead. And you will need to modify the startup and firewall since the interfaces will be different. I believe it was ath0 for the wireless and eth0 for the WAN instead of vlan1.

First, the firewall:

## wan:  vlan1
## lan:  br0
## wifi: eth1

## permit incoming connections from WLAN
iptables -I INPUT 2 -i eth1 -m state --state NEW -j logaccept

## fixup forwarding table
## the lan2wan target didn't work for me, replace it with straight accept
iptables -R FORWARD 5 -i br0 -o vlan1 -j ACCEPT

## permit WLAN -> WAN
iptables -I FORWARD 7 -i eth1 -o vlan1 -j ACCEPT

## disallow WLAN -> LAN
iptables -I FORWARD 7 -i eth1 -o br0 -m state --state NEW -j DROP

## disallow LAN -> WLAN
iptables -I FORWARD -i br0 -o eth1 -m state --state NEW -j DROP

## disallow WLAN -> WAN subnet
iptables -I FORWARD -i eth1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

## disallow WLAN -> direct router access
iptables -I INPUT -i eth1 -m state --state NEW -j DROP

## Allow WLAN -> DHCP on the router
iptables -I INPUT -i eth1 -p udp --dport 67 -j ACCEPT

## Allow WLAN -> DNS on the router
iptables -I INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 53 -j ACCEPT

Next, the startup:

## configure wired interface
ifconfig br0 up inet 192.168.7.1 netmask 255.255.255.0
## configure wireless interface
ifconfig eth1 up inet 192.168.8.1 netmask 255.255.255.0

## setup dnsmasq
cat << EOF > /tmp/new.dnsmasq.conf
interface=br0
interface=eth1
#resolv-file=/tmp/resolv.conf
## RY - incorrect resolv file in 2.3
resolv-file=/tmp/resolv.dnsmasq
all-servers
dhcp-script=/etc/lease_update.sh
dhcp-lease-max=50
dhcp-authoritative
dhcp-option=br0,3,192.168.7.1
dhcp-range=br0,192.168.7.100,192.168.7.249,255.255.255.0,1440m
dhcp-option=eth1,3,192.168.8.1
dhcp-range=eth1,192.168.8.100,192.168.8.249,255.255.255.0,1440m
stop-dns-rebind
EOF

## restart dnsmasq
killall dnsmasq
dnsmasq --conf-file=/tmp/new.dnsmasq.conf

## configure wireless options
## I set some extra options here, see the docs for the wl command
## this may all be handled by doing 'wlconf eth1 up' instead
wlconf eth1 up
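tech128's firewall script depends on the fact that 'iptables -I' without a position inserts at the top of the chain: the DHCP and DNS accepts written last end up above the blanket DROP written before them, while the logaccept rule inserted earlier at position 2 ends up below that DROP. As an added example that is not part of the page or of tech128's comment, the following POSIX shell script replays such a command list against a constructed seed chain and prints the final rule order, so a firewall script can be checked for this before it is saved. The function names, the 'existing:' seed lines and the two placeholder rules are assumptions of this example; it models only -A, -I and -R on a single chain and keeps the match part of each rule as plain text.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki page or its comments. Replays a list
# of iptables commands for one chain to show the order the rules end up in:
# "-I" without a position inserts at the TOP, so the last "-I" written is the
# first rule evaluated.

# simulate_chain: read commands on stdin, one per line, print the resulting
# chain as "<num> <rule text>". Lines starting with "existing:" seed the
# chain with rules assumed to be there already. Only -A, -I [pos] and -R pos
# on the named chain are modelled; anything else is ignored.
# $1 = chain name
simulate_chain() {
    awk -v chain="$1" '
        function ins(pos, text,    i) {           # insert text at 1-based pos
            for (i = n; i >= pos; i--) rule[i + 1] = rule[i]
            rule[pos] = text; n++
        }
        function rest(from,    s, i) {             # join fields from "from" on
            s = ""
            for (i = from; i <= NF; i++) s = s (s == "" ? "" : " ") $i
            return s
        }
        /^existing:/ { sub(/^existing: */, ""); n++; rule[n] = $0; next }
        $1 != "iptables" || $3 != chain { next }
        $2 == "-A" { ins(n + 1, rest(4)); next }
        $2 == "-I" { if ($4 ~ /^[0-9]+$/) ins($4 + 0, rest(5)); else ins(1, rest(4)); next }
        $2 == "-R" { rule[$4 + 0] = rest(5); next }
        END { for (i = 1; i <= n; i++) printf "%d %s\n", i, rule[i] }
    '
}

# rule_pos: read simulate_chain output on stdin; print the number of the first
# rule whose text contains $1, or nothing if none does.
rule_pos() {
    awk -v pat="$1" 'index($0, pat) { print $1; exit }'
}

# Constructed input: two placeholder rules standing in for whatever the stock
# firewall already put in INPUT, followed by the INPUT commands from
# tech128's firewall script above.
SAMPLE_INPUT_SCRIPT='existing: -m state --state RELATED,ESTABLISHED -j ACCEPT
existing: -i lo -j ACCEPT
iptables -I INPUT 2 -i eth1 -m state --state NEW -j logaccept
iptables -I INPUT -i eth1 -m state --state NEW -j DROP
iptables -I INPUT -i eth1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 53 -j ACCEPT'

# input_chain_for_sample: the INPUT chain as it would look after the sample
# script ran. Expected order: tcp/53, udp/53, udp/67 accepts, then the DROP,
# then the seed rules with the logaccept rule between them.
input_chain_for_sample() {
    printf '%s\n' "$SAMPLE_INPUT_SCRIPT" | simulate_chain INPUT
}

input_chain_for_sample
```

To review a real script, feed it on stdin with 'simulate_chain INPUT < firewall.sh' after seeding the chain with the router's current rules as 'existing:' lines (one per rule from 'iptables -L INPUT -v -n --line-numbers'). The replay makes the shadowing visible: the eth1 logaccept rule sits below the eth1 NEW DROP, so new WLAN connections to the router other than DHCP and DNS never reach it, which is the intent of the "disallow WLAN -> direct router access" rule but is not obvious from reading the commands top to bottom.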