OpenWRT Network Configuration

Enable Wireless
Wireless is disabled by default. See Kamikaze Wireless Configuration and Configure WiFi encryption for configuration information.

I use WPA2 security, and put it in bridge mode (no need to configure the IP layer):

uci set wireless.cfg2.encryption=psk2    (wpa2-psk)
uci set wireless.cfg2.key=ABCDEF1234567  (generate a key between 8 and 63 bytes long)
uci set wireless.cfg2.network=lan        (bridging mode)
uci set wireless.cfg2.ssid=MacFreek
uci set wireless.wlan0.channel=1
uci set wireless.wlan0.disabled=0
uci commit wireless && wifi

In the LuCI webinterface, you can configure this in Network > Wifi > WLAN0

Bridge mode
First of all, the device contains two physical interfaces: wireless (wlan0 on Kamikaze 8.09 and up, wl0 on Kamikaze 7.09) and LAN+WAN (eth0). The LAN+WAN interface (eth0) is connected to a managed switch, where it is split into multiple UTP connectors: 4 LAN and 1 WAN ("Internet") connector. It is possible to configure the individual LAN and WAN interfaces using VLANs (see below at DMZ).

First disable the DHCP server (and forwarding DNS as well):
 * 1) /etc/init.d/dnsmasq disable
 * 2) /etc/init.d/dnsmasq stop
 * 3) uci set dhcp.cfg1.ignore=1       (not required after the above, but we set it anyway)
 * 4) uci set dhcp.cfg2.ignore=1       (not required after the above, but we set it anyway)
 * 5) uci commit

We first create a bridge interface. This can be done manually using brctl, but that will not survive a reboot. Instead, we choose to make the lan interface a bridge:
 * 1) uci set network.lan.type=bridge
 * 2) uci commit

After a reboot, this creates a new interface, br-lan, which is a bridge containing the lan interface (the lan interface is eth0.0). Check it as:
 * 1) uci get network.lan.ifname
eth0.0
 * 1) brctl show
bridge name    bridge id               STP enabled     interfaces
br-lan         8000.001ee584e2e8       no              eth0.0

To bridge the WLAN (wireless LAN) with the LAN (wired LAN):
 * 1) uci set wireless.cfg2.network=lan              (Kamikaze 7.09)
 * 2) uci set wireless.@wifi-iface[0].network=lan    (Kamikaze 8.09 and up)
 * 3) uci commit wireless && wifi

Check the name of the WAN interface, and add it to the LAN interface:
 * 1) uci get network.wan.ifname
eth0.1
 * 1) uci set network.lan.ifname="eth0.0 eth0.1"
 * 2) uci commit

After reboot, all LAN, WAN and WLAN interfaces are in the bridge br-lan:
 * 1) brctl show
bridge name    bridge id               STP enabled     interfaces
br-lan         8000.001ee584e2e8       no              eth0.0 eth0.1 wlan0

For more information, see the OpenWRT forum, Bridge of wan and port 4.

An interface in bridge mode cannot have an IP address. Only its bridge interface can have an IP address. Check this in your configuration. Here is mine:

 * 1) cat /etc/config/network

# VLAN configuration
config switch eth0
        option vlan0   "0 1 2 3 5*"
        option vlan1   "4 5"

# Loopback configuration
config interface loopback
        option ifname  lo
        option proto   static
        option ipaddr  127.0.0.1
        option netmask 255.0.0.0

# LAN configuration
config interface lan
        option ifname  "eth0.0 eth0.1"
        option type    bridge
        option proto   static
        option ipaddr  145.99.148.34
        option netmask 255.255.255.240
        option gateway 145.99.1.65

# WAN configuration
config interface wan
        option ifname  eth0.1

Configure DNS
To configure DNS, simply edit /etc/resolv.conf:

domain macfreek.nl
nameserver 192.0.2.5

Add Demilitarized Zone (DMZ)
One of the great things about OpenWRT and Linksys is that it actually contains a manageable Ethernet switch. It is possible to add tagged and untagged ports, even bypassing the core. Again, do read about the generic network concepts of OpenWRT boxes. (Skip the Demilitarized Zone Howto, that is an old WhiteRussian configuration.)

I wanted a configuration with four logical interfaces:
 * The upstream (WAN) interface (the outside world)
 * The wireless (WLAN) interface, to connect laptops
 * Two "server" interfaces, to connect servers (often called demilitarized zone interfaces)
 * Two "client" interfaces, to connect hosts and desktops

The difference between the "client" and "server" interface is that I can later distinguish between them in the firewall: "server" interfaces (DMZ interfaces) are allowed to run services accessible by the outside world, while "client" interfaces are only allowed to run services accessible by the "inside" world.

Note that on the LinkSys WRT54GL v1.1, the port numbers printed on the device do not correspond to the logical port numbers in the switch. Port 3 is marked as Ethernet 1, Port 2 is marked as Ethernet 2, Port 1 is marked as Ethernet 3, Port 0 is marked Ethernet 4, and Port 4 is marked as Internet (WAN).

The picture shows the general idea:



We first create a new logical interface (the dmz interface):
 * 1) uci set network.dmz=interface
 * 2) uci set network.dmz.ifname=eth0.2

The name eth0.2 is automatically linked to VLAN 2. We can now remove ports from VLAN 0, and add them to VLAN 2:
 * 1) uci set network.eth0.vlan0="2 3 5*"
 * 2) uci set network.eth0.vlan2="0 1 5"

Our configuration is now:

 * 1) cat /etc/config/network

# VLAN configuration
config switch eth0
        option vlan0   "2 3 5*"
        option vlan1   "4 5"
        option vlan2   "0 1 5"

# Loopback configuration
config interface loopback
        option ifname  lo
        option proto   static
        option ipaddr  127.0.0.1
        option netmask 255.0.0.0

# LAN configuration
config interface lan
        option ifname  "eth0.0 eth0.1 eth0.2"
        option type    bridge
        option proto   static
        option ipaddr  145.99.148.34
        option netmask 255.255.255.240
        option gateway 145.99.1.65

# DMZ configuration
config interface dmz
        option ifname  eth0.2

# WAN configuration
config interface wan
        option ifname  eth0.1
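As an added example (not part of the original page), here is a small POSIX shell check for a switch section like the one above. It assumes the WRT54GL v1.1 port labelling given earlier and the "port 5 = CPU" convention of this switch, and it reports any physical port that ended up in zero or two VLANs, which is exactly how a DMZ host would silently land in the client segment.

```shell
#!/bin/sh
# Added example, not from the original page: check a WRT54GL switch layout
# before "uci commit". Each physical port 0-4 must sit in exactly one VLAN
# (a port in two VLANs joins DMZ and client traffic, a port in none is dead),
# every VLAN must include the CPU port 5, and exactly one VLAN may tag it
# as the default with "5*". Labels follow the page's port mapping.
set -f  # no pathname expansion: "5*" is a literal port tag, not a glob

# Constructed sample: the DMZ layout from the configuration above.
VLAN0="2 3 5*"
VLAN1="4 5"
VLAN2="0 1 5"

# Logical switch port -> label printed on the WRT54GL v1.1 case.
port_label() {
    case "$1" in
        0) echo "Ethernet 4" ;;  1) echo "Ethernet 3" ;;
        2) echo "Ethernet 2" ;;  3) echo "Ethernet 1" ;;
        4) echo "Internet"   ;;  5) echo "CPU"        ;;
        *) echo "unknown"    ;;
    esac
}

# check_vlans "<vlan0 ports>" "<vlan1 ports>" ...  -> exit 0 when consistent.
check_vlans() {
    all=""; defaults=0; rc=0; n=0
    for ports in "$@"; do
        case " $ports " in
            *" 5* "*) defaults=$((defaults + 1)) ;;
            *" 5 "*)  ;;
            *) echo "vlan$n: CPU port 5 is missing"; rc=1 ;;
        esac
        for p in $ports; do all="$all ${p%\*}"; done
        n=$((n + 1))
    done
    for p in 0 1 2 3 4; do
        hits=$(echo "$all" | tr ' ' '\n' | grep -c "^$p\$" || true)
        [ "$hits" -eq 1 ] || {
            echo "port $p ($(port_label "$p")) is in $hits VLANs"; rc=1
        }
    done
    [ "$defaults" -eq 1 ] || { echo "found $defaults VLANs tagged 5*, expected 1"; rc=1; }
    return $rc
}

check_vlans "$VLAN0" "$VLAN1" "$VLAN2" && echo "switch layout is consistent"
```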

Static Route
To add a static route, run /sbin/route, or set them in /etc/config/network.

Let's say you need the routes:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.0.2.3       0.0.0.0         255.255.255.255 UH        0 0          0 eth0.1
0.0.0.0         192.0.2.3       0.0.0.0         UG        0 0          0 eth0.1

This can easily be achieved by the route command:

/sbin/route add -host 192.0.2.3 dev eth0.1
/sbin/route add -net default dev eth0.1 gateway 192.0.2.3

-or equivalently-

/sbin/route add -net 192.0.2.3 netmask 255.255.255.255 dev eth0.1
/sbin/route add -net 0.0.0.0 netmask 0.0.0.0 dev eth0.1 gateway 192.0.2.3

This can be set in /etc/config/network:

config route
        option interface wan
        option target    192.0.2.3

config route
        option interface wan
        option target    0.0.0.0
        option netmask   0.0.0.0
        option gateway   192.0.2.3

Unfortunately, there is a small bug in Kamikaze 8.09 where the first route section results in:

/sbin/route add -net 192.0.2.3 netmask 255.255.255.255 dev eth0.1 gateway 192.0.2.3

It is not possible to circumvent this by adding:

config route
        option interface wan
        option target    192.0.2.3
        option gateway   0.0.0.0

since this leads to invalid syntax and results in "route: SIOCADDRT: Invalid argument" (you may never specify "gateway 0.0.0.0" with /sbin/route).

I fixed this by deleting the following lines in /etc/hotplug.d/iface/10-routes:

[ -n "$gateway" ] || {
        config_get gateway "$interface" gateway
}

See bugreport 4928 for details.

Firewall
Starting points:
 * http://wiki.openwrt.org/OpenWrtDocs/IPTables (IP firewall)
 * http://downloads.openwrt.org/people/nico/man/man8/ebtables.8.html (Ethernet firewall)
 * http://wiki.openwrt.org/OpenWrtDocs/WhiteRussian/TransparentFirewall (very good, but for older WhiteRussian release)
 * http://wiki.openwrt.org/ShorewallHowTo (for older WhiteRussian release)
 * http://wiki.openwrt.org/SimpleFirewall (I think outdated, it uses scripts instead of /etc/config/firewall)