dobrača.hr

Hosting Two WiFi Networks on One OpenWrt Router

These are instructions for setting up one OpenWrt router (running Kamikaze 8.09.1) to run two WiFi networks.  One will be secured and will have access to the LAN.  The other will be unsecured (a hotspot) and will only have access to the internet.  These instructions were tested on an ASUS 500g Premium and assume that you already have a secured WiFi connection enabled and bridged to your LAN (the default configuration).  They should work reasonably well on almost any hardware.  The only area that might need modification is vlan setup.  See the documentation on the OpenWrt website for more information about vlans.

Hosting two wireless networks is actually a cool feature that the hardware on every wireless router supports, but that is rendered inoperable by the firmware.  Yet another reason why it is advantageous to use open source firmware on your router.

Both WiFi networks must function on the same channel.  This is a limitation in the hardware.  The radio can only listen and transmit on one channel at a time.  However, data from these networks will be processed separately, operating on two separate vlans.

These instructions are all written using ssh to access the router command line.  Most, or perhaps all, of these settings can be configured using the web interface.  However, I found it easier in this case to just edit the config files directly.

The first thing we need to do is set up a new vlan for our hotspot WiFi network.  The system already comes preprogrammed with a vlan for the first WiFi network, which is bridged with the LAN.  To do this, we need to edit the first section of the /etc/config/network file.  Under the section entitled

config 'switch' 'eth0'

add the line

option 'vlan2' '5'

This creates a vlan that only has access to port 5 (the internal programmable switch).  We will use this vlan for the unsecured WiFi connection.  My entire vlan section looks like this:

config 'switch' 'eth0'
        option 'vlan0' '1 2 3 4 5*'
        option 'vlan1' '0 5'
        option 'vlan2' '5'

The next step is to create a network using vlan2.  To do this, we need to add a new interface to the bottom of the /etc/config/network file.

config 'interface' 'hotspot'
        option 'ifname' 'eth0.2'
        option 'proto' 'static'
        option 'ipaddr' '192.168.200.1'
        option 'netmask' '255.255.255.0'
        option 'type' 'bridge'
        option 'defaultroute' '0'

eth0.2 tells it to use vlan 2.  In this sample case the IP Address is set to 192.168.200.1 and the netmask is 255.255.255.0.  You can reset this to be whatever makes the most sense in your situation.

My entire /etc/config/network file is as follows:

config 'switch' 'eth0'
        option 'vlan0' '1 2 3 4 5*'
        option 'vlan1' '0 5'
        option 'vlan2' '5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'type' 'bridge'

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'proto' 'static'
        option 'ipaddr' '<IP Address>'
        option 'netmask' '<Subnet Mask>'
        option 'gateway' '<Gateway>'
        option 'dns' '<DNS Server>'

config 'interface' 'hotspot'
        option 'ifname' 'eth0.2'
        option 'proto' 'static'
        option 'ipaddr' '192.168.200.1'
        option 'netmask' '255.255.255.0'
        option 'type' 'bridge'
        option 'defaultroute' '0'

Next, we need to set up the WiFi options.  To do this we need to add a new wifi-iface section to the end of /etc/config/wireless.

config 'wifi-iface'
        option 'device' 'wl0'
        option 'ssid' '<Unsecured Hotspot SSID>'
        option 'network' 'hotspot'
        option 'mode' 'ap'
        option 'encryption' 'none'
        option 'isolate' '1'

Set the SSID to be whatever you like.  The isolate option tells the access point that clients connected to it should not be able to communicate with each other.

My entire /etc/config/wireless file is as follows:

config 'wifi-device' 'wl0'
        option 'type' 'broadcom'
        option 'disabled' '0'
        option 'channel' '1'

config 'wifi-iface'
        option 'device' 'wl0'
        option 'network' 'lan'
        option 'mode' 'ap'
        option 'ssid' '<Secured SSID>'
        option 'encryption' 'psk2'
        option 'key' '<WPA2 passphrase>'

config 'wifi-iface'
        option 'device' 'wl0'
        option 'ssid' '<Unsecured Hotspot SSID>'
        option 'network' 'hotspot'
        option 'mode' 'ap'
        option 'encryption' 'none'
        option 'isolate' '1'

Now we need to turn on DHCP on our hotspot.  To do this we need to add the following section to the end of /etc/config/dhcp:

config 'dhcp'
        option 'interface' 'hotspot'
        option 'start' '100'
        option 'limit' '150'
        option 'dynamicdhcp' '1'

The start option tells it to hand out IP Addresses starting at .100 in the last octet.  The limit option tells it to give out a total of 150 IP Addresses.

My entire /etc/config/dhcp file is as follows:

config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'filterwin2k' '0'
        option 'localise_queries' '1'
        option 'local' '/lan/'
        option 'domain' 'lan'
        option 'expandhosts' '1'
        option 'nonegcache' '0'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'dynamicdhcp' '0'
        option 'ignore' '1'

config 'dhcp' 'wan'
        option 'interface' 'wan'
        option 'ignore' '1'
        option 'dynamicdhcp' '0'

config 'dhcp'
        option 'interface' 'hotspot'
        option 'start' '100'
        option 'limit' '150'
        option 'dynamicdhcp' '1'

The last step is to tell the router to forward traffic from the WiFi hotspot to the WAN so that hotspot clients can transmit to and receive from the internet.  To do this we need to add the following two sections to the /etc/config/firewall file:

config 'zone'
        option 'name' 'hotspot'
        option 'network' 'hotspot'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'forwarding'
        option 'src' 'hotspot'
        option 'dest' 'wan'
        option 'mtu_fix' '1'

My entire /etc/config/firewall file is below.  It includes several port forwarding options, which aren’t needed on all networks.

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'
        option 'mtu_fix' '1'

config 'include'
        option 'path' '/etc/firewall.user'

config 'zone'
        option 'name' 'hotspot'
        option 'network' 'hotspot'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'forwarding'
        option 'src' 'hotspot'
        option 'dest' 'wan'
        option 'mtu_fix' '1'

#Port 25
config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'src_dport' '25'
        option 'dest_ip' '192.168.1.2'
        option 'dest_port' '25'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'dest_ip' ''
        option 'dest_port' '25'
        option 'target' 'ACCEPT'

#Port 80
config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'src_dport' '80'
        option 'dest_ip' '192.168.1.2'
        option 'dest_port' '80'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'dest_ip' ''
        option 'dest_port' '80'
        option 'target' 'ACCEPT'

#Port 110
config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'src_dport' '110'
        option 'dest_ip' '192.168.1.2'
        option 'dest_port' '110'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'dest_ip' ''
        option 'dest_port' '110'
        option 'target' 'ACCEPT'

#Port 143
config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'src_dport' '143'
        option 'dest_ip' '192.168.1.2'
        option 'dest_port' '143'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'dest_ip' ''
        option 'dest_port' '143'
        option 'target' 'ACCEPT'

You can now restart all the affected services:

/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart
/etc/init.d/network restart

Alternatively, you can simply reboot the router.

Source: http://www.smallbusinesstech.net/more-complicated-instructions/openwrt/hosting-two-wifi-networks-on-one-openwrt-router