WRT54G 2.0 firewalling question - brad's life
Brad Fitzpatrick


WRT54G 2.0 firewalling question [Aug. 21st, 2006|08:01 pm]
Brad Fitzpatrick

I have a WRT54G ver 2.0 (CD5* S/N).

I want WiFi in the house, but I do not want WiFi users to be able to connect to 10.0.0.0/8, the local house network. Typically I've always put WiFi routers behind a Linux box and firewalled the shit out of it, letting it connect to some ports (TCP port 22) on the local network but not others (everything else, including UDP (NFS)). But I haven't had such an extra box around for a while. Or rather, I do, but it's no longer serving its other purpose, and I don't want a loud, power-sucking tower box turned on non-stop to do a frickin' firewall rule when this router is a computer and has the smarts to implement my simple firewall rule itself.

But can it? (with the default firmware)

I tried to add a static route for 10.0.0.0/8 via 10.99.99.99 (something dead) to make it work, but it had no effect.

Do I have to install OpenWrt or something to achieve this? And then how much pain? And will I end up frying this guy if I ever want it back in its original state?

And if I want multiple of these around the house so people can roam without dropping ssh connections, I assume I'd need OpenWrt for that? Can it do that?

Update: Realized I could just manually set the gateway IP to a new IP on my home server (Linux) and firewall it there. Will do that later. OpenWrt looks like a distraction I don't need.

Comments:
From: herbie
2006-08-22 04:05 am (UTC)
There's a setting in the WRT54G firmware under "Wireless"->"Advanced Wireless Settings" where you can turn on "AP Isolation". From the help page:

AP Isolation:
Creates a separate virtual network for your wireless network. When this feature is enabled, each of your wireless clients will be in its own virtual network and will not be able to communicate with each other. You may want to utilize this feature if you have many guests that frequent your wireless network.
From: brad
2006-08-22 05:59 am (UTC)
That option isn't in my "Wireless"->"Advanced Wireless Settings". I have Auth Type, Basic Rate, Trans Rate, CTS Protection Mode, ..... RTS Threshold. But nothing like that.
From: brad
2006-08-22 06:11 am (UTC)
According to the ChangeLog,

Firmware 2.04.3
.....
- Added Wireless isolation function
- Added ability to filter internal NAT redirection

....

From: brad
2006-08-22 06:28 am (UTC)
Nope, the AP Isolation is for different wireless clients to not be able to see each other, not blocking access to the local LAN.

And the so-called "Added ability to filter internal NAT redirection" wasn't present in the Web UI as far as I could see.
(Deleted comment)
From: brad
2006-08-22 06:00 am (UTC)
Ah, that looks like the key! And it has the "AP Isolation" shown in the screenshot which herbie mentioned.
From: anildash
2006-08-22 11:02 pm (UTC)
Oh nice! I had missed this, so now I can go home and fry my router give it a try tonight.
From: edm
2006-08-22 04:57 am (UTC)

WRT54G firewalling

To the best of my recollection the default firmware always bridges the LAN and wireless network together, and only firewalls between that and the WAN connection -- and the firewalling is basically "allow all" out to the WAN, and "block all" in from the WAN, except for pinholes you configure. (I could be misremembering -- I only ran the default firmware for a few hours of hardware testing.)

As such, your workaround of connecting the WAN port of the WRT54G to your internal network (and presumably ignoring the LAN ports on the WRT54G), addressed with an overlay on your internal network (i.e., not 10.0.0.0/8), and routing/firewalling somewhere else is probably the best you'll achieve.

FWIW, OpenWRT isn't _that_ scary (especially these days), and it does let you do useful things like break the bridge between the wireless and the internal LAN. My WRT54GS, with OpenWRT, is configured with the LAN as vlan0, and the wireless as eth1, with separate subnets on the two, and firewalling between them (and no bridging). Access from the wireless to the Intaweb is allowed, plus a few other things, but access to the internal LAN is heavily restricted.

In terms of your roaming question I think OpenWRT might be able to help you, although my impression is that most roaming is configured in bridging mode (as an AP) rather than in routing/firewalling mode. To do it with routing/firewalling you'd probably need the AP handoff stuff, plus liberal firewall rules (or state sharing ones) that allow traffic through without seeing SYN/ACK packets, plus possibly some sort of dynamic routing protocol. Again it may be simpler to do the AP handoff stuff, in bridging mode, bridging to an overlay on the LAN (i.e., _not_ the 10.0.0.0/8, but something only on one other box) and do the firewalling on a separate box. And of course if you have OpenWRT on the WRT54G you can do all the usual Linux routing tricks without problems (mine has VPNs landed on it, and source-address-based routing, amongst other things).

Ewen
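The gateway-box firewall that the post's update and Ewen's comment above describe, as an added example that is not from the post or any commenter: a small POSIX shell script of iptables rules for the Linux home server that the WRT54G's WAN port is pointed at as its gateway. The overlay subnet (192.168.50.0/24), the server's alias 192.168.50.1, the WAN interface name eth0 and the chain names are assumptions; the policy (tcp/22 into 10.0.0.0/8, everything else to the house LAN dropped, internet allowed) is the one the post asks for.

```shell
#!/bin/sh
# Added example, not from the post or any commenter: the rules for the setup
# described above, written for the Linux home server that the WRT54G's WAN
# port points at as its gateway.
#
# Assumptions (none of these addresses appear in the post):
#   - the WRT54G's WAN port is plugged into the house segment but addressed from
#     an overlay subnet, 192.168.50.0/24, with this server holding 192.168.50.1
#     as an alias; the WRT54G NATs its WiFi clients behind its WAN address, so
#     everything from WiFi reaches this box with a 192.168.50.0/24 source
#   - the house LAN is 10.0.0.0/8 and eth0 is this box's internet-facing
#     interface (only used if it is also the house's NAT gateway)
# Policy: WiFi may open tcp/22 to hosts on the house LAN and anything to the
# internet; everything else aimed at 10.0.0.0/8 (NFS, other UDP, ...) is dropped.

WIFI_NET=${WIFI_NET:-192.168.50.0/24}
HOUSE_NET=${HOUSE_NET:-10.0.0.0/8}
WAN_IF=${WAN_IF:-eth0}
IPT=${IPT:-iptables}   # set IPT=echo to print the commands instead of running them

# Traffic from WiFi that this box routes onward (to the house LAN or the internet).
wifi_fwd_chain() {
    $IPT -N WIFI_FWD 2>/dev/null || $IPT -F WIFI_FWD
    # replies belonging to connections WiFi was already allowed to open
    $IPT -A WIFI_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the single hole into the house LAN: ssh
    $IPT -A WIFI_FWD -d "$HOUSE_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # everything else aimed at the house LAN, TCP or UDP, is dropped
    $IPT -A WIFI_FWD -d "$HOUSE_NET" -j DROP
    # what is left is not for the house LAN, i.e. internet-bound: allow
    $IPT -A WIFI_FWD -j ACCEPT
}

# Traffic from WiFi to this box's own services. It is a house-LAN host too, and
# WiFi can reach it on the overlay alias, so the destination test above would
# not protect it; allow ssh by port alone and drop the rest.
wifi_in_chain() {
    $IPT -N WIFI_IN 2>/dev/null || $IPT -F WIFI_IN
    $IPT -A WIFI_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A WIFI_IN -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # add udp/tcp 53 here if this box is the resolver the WRT54G hands to clients
    $IPT -A WIFI_IN -j DROP
}

wifi_fw_rules() {
    wifi_fwd_chain
    wifi_in_chain
    # Hook the chains in at position 1, deleting any old hook first so that
    # re-running the script does not stack duplicates.
    $IPT -D FORWARD -s "$WIFI_NET" -j WIFI_FWD 2>/dev/null
    $IPT -I FORWARD 1 -s "$WIFI_NET" -j WIFI_FWD
    $IPT -D INPUT -s "$WIFI_NET" -j WIFI_IN 2>/dev/null
    $IPT -I INPUT 1 -s "$WIFI_NET" -j WIFI_IN
    # Only matters if this box is also the house's internet NAT gateway.
    $IPT -t nat -D POSTROUTING -s "$WIFI_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null
    $IPT -t nat -A POSTROUTING -s "$WIFI_NET" -o "$WAN_IF" -j MASQUERADE
}

# usage:  sh wifi-fw.sh show    print the iptables commands
#         sh wifi-fw.sh apply   install them (needs root)
case "${1:-}" in
    show)  IPT=echo; wifi_fw_rules ;;
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null && wifi_fw_rules ;;
esac
```

Run it with `show` to print the commands and `apply` (as root) to install them. The isolation here is by routing only: the WRT54G's WAN port shares the wire with the 10.0.0.0/8 hosts and is kept off that network purely by its address and default route, so it holds only while the WRT54G's WAN address stays in the overlay, and WiFi users can still reach the WRT54G's own web UI, so its admin password matters. On an OpenWRT box set up as Ewen describes, with the wireless on its own interface and subnet, the same two chains apply with WIFI_NET set to the wireless subnet (the hooks could match `-i eth1` instead of `-s`).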
From: brad
2006-08-22 06:08 am (UTC)

Re: WRT54G firewalling

It's not so much an issue of "scary" vs "time suck". :-) But it's nice to know it's there should I ever find myself in excess of free time. The dual-WRTs bridging instead of NATing makes sense. For now I'll go with the HyperWRT which seems to add back the AP Isolation checkbox I'm missing. Or maybe a Linksys firmware upgrade to the standard Linksys one adds it.
From: jmason
2006-08-22 09:32 am (UTC)

Re: WRT54G firewalling

I assumed OpenWRT would be a hacky, half-documented time-suck, too -- and was very pleasantly surprised to find that it was just a rock-solid bare bones linux distro with some very nice features.

Basically, you wind up with a linux box that can do everything you _think_ a WRT should be able to do given the hardware, with a UI reminiscent of early-90's 386BSD -- ie. ugly but consistent.

I'd definitely recommend it.
From: octal
2006-08-22 05:50 am (UTC)
There are many other reasons to upgrade to dd-wrt or openwrt. It's really easy to do, and provides better performance, etc.