I had an extra wireless bridge (Buffalo WLA2-G54L) lying around, and our current firewalling wireless AP (D-Link) was as crappy as can be. It's probably OK for just surfing and stuff, but for keeping ssh connections open it just didn't cut it, since it severed TCP connections every now and then. It also froze periodically and needed rebooting. So replacing it with a better solution was on the to-do list.
The WLA2-G54L is just a wireless bridge – it has no conception of a firewall in it. So time to flash OpenWRT into it. Setting up OpenWRT is a bit of an adventure in itself, but quite a nice one. Internally the Buffalo units contain the actual computer, a wireless radio, and a normal 5-6 port switch. The computer is connected to one of the ports in the switch, and in firewalling models the switch can present all ports as separate interfaces so that one of them can be treated as the WAN port. However, in WLA2-G54L the switch is a bit different and it doesn’t show the ports separately (tried with robocfg, which did not detect the proper model and couldn’t do anything with it).
OK, so how to set up a firewall with basically one interface, which is connected to a four-port switch? The solution I came up with is to use IP-based filtering instead of interface-based filtering. Better suggestions are welcome. In practice this means I created an alias to the br0 interface (replace with your own public IP, netmask, and gateway):
ifconfig br0:1 123.123.123.123 netmask 255.255.255.0
route add default gw 123.123.123.1
Meanwhile the normal br0 interface is given an IP address in the LAN, say 10.0.0.1. Now you can quite easily separate the WAN from the LAN using IP addresses instead of interfaces. So instead of
WAN=$(nvram get wan_iface)
iptables -A INPUT -i $WAN -j DROP
you’d have
LANIP=$(nvram get lan_ipaddr)
LANNET=${LANIP}/8
# negate the source match: anything not from the LAN range is WAN traffic
iptables -A INPUT ! -s $LANNET -j DROP
And so on. The only problem comes with DHCP queries: a client that is still asking for an address has no LAN address yet, so a source-address filter does not recognise it as local. I solved this by using DHCP only in the wireless network, which is on its own separate interface. So for wired access you'll need to set up the network parameters manually. I can live with that. Another option is to carefully allow DHCP queries with a suitable filter rule, and to add extra checks to the DHCP server so it only serves those clients you want it to serve.
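As an added example (not the post's own script), here is how the IP-based ruleset from the snippets above and the "carefully allow DHCP queries" option can be put together in one OpenWRT-style shell script. The addresses 10.0.0.1, 10.0.0.0/8 and 123.123.123.123 are placeholders as in the post; the build_rules function, the DRY_RUN switch and the ALLOW_DHCP toggle are my own, and the NAT rule assumes the LAN uses private addresses behind the public alias.

```shell
#!/bin/sh
# Added example: IP-based firewall for a single-bridge (br0 + br0:1) OpenWRT
# box. Addresses are placeholders; on the router LAN_IP would come from
# 'nvram get lan_ipaddr' and WAN_IP is the public address on the alias.
# Set DRY_RUN=1 to print the rules instead of applying them.

# Apply one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# build_rules LAN_IP LAN_NET WAN_IP
#   LAN_IP  - address of br0 on the LAN            (e.g. 10.0.0.1)
#   LAN_NET - LAN prefix in CIDR form              (e.g. 10.0.0.0/8)
#   WAN_IP  - public address given to the br0:1 alias
build_rules() {
    lan_ip="$1"; lan_net="$2"; wan_ip="$3"

    # Start clean with a default-deny policy for input and forwarding.
    ipt -F INPUT
    ipt -F FORWARD
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # Loopback and replies to connections the router opened are always fine.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Optional DHCP allowance (the second option from the post). A client
    # with no address yet sends DISCOVER from 0.0.0.0 to 255.255.255.255,
    # which the source-address filter below would otherwise drop. Every
    # host on the shared switch can reach this rule, so the DHCP server
    # itself must still decide whom it answers.
    if [ "${ALLOW_DHCP:-0}" = 1 ]; then
        ipt -A INPUT -p udp --sport 68 --dport 67 \
            -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
    fi

    # The post's interface-based rule restated as IP-based filtering:
    # anything not sourced from the LAN range is WAN traffic. Current
    # iptables wants the negation in front of the option ('! -s'); older
    # builds accepted 'iptables -s ! addr'.
    ipt -A INPUT ! -s "$lan_net" -j DROP

    # Limitation of filtering by address only: a packet from the wire side
    # can claim a LAN source. LAN hosts talk to lan_ip, so a LAN-sourced
    # packet addressed to the public alias is treated as spoofed. (This
    # also means LAN hosts cannot reach the router via its public address.)
    ipt -A INPUT -s "$lan_net" -d "$wan_ip" -j DROP

    # Services offered to the LAN only: ssh to the router and ping.
    ipt -A INPUT -s "$lan_net" -d "$lan_ip" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -s "$lan_net" -d "$lan_ip" -p icmp -j ACCEPT

    # Forwarding: LAN hosts may go out; only replies come back in.
    ipt -A FORWARD -s "$lan_net" ! -d "$lan_net" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Assumed: the LAN is private address space, so outgoing traffic is
    # source-NATed to the public alias on the way out.
    ipt -t nat -F POSTROUTING
    ipt -t nat -A POSTROUTING -s "$lan_net" ! -d "$lan_net" \
        -j SNAT --to-source "$wan_ip"
}

# Usage: DRY_RUN=1 sh firewall.sh 10.0.0.1 10.0.0.0/8 123.123.123.123
if [ "$#" -eq 3 ]; then
    build_rules "$@"
fi
```

Run it with DRY_RUN=1 first and read the printed rules; the order matters, because the DHCP accept has to come before the negated source-address drop, and both drops have to come before any LAN-only accept.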
So not a perfect solution, but it works OK for me. I now have a low-cost wireless AP that I can ssh into, set up pretty much any kind of firewalling on with iptables, and otherwise configure to my heart's desire.
Oh yeah, one more thing: when using WPA in the wireless network, you use the nas software as usual. But in the nas init script you need to remove the parameter "-l br0". nas is proprietary, so there's not much information on what that parameter is for, but at least on the WLA2-G54L I had a problem with WPA connections not working until it was removed. Then everything worked like a charm, as long as you remember that the WPA-PSK key (if you use that) needs to be given in passphrase format, not in hexadecimal (while WEP keys need to be given in hexadecimal). Weird, that.