1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Bridge/WET/WDS question...

Discussion in 'Tomato Firmware' started by bobl, May 1, 2008.

  1. bobl

    bobl LI Guru Member

    Greetings!

    I have a particular problem and I'm not finding the ideal solution yet..

    I have a family member who has a cable modem installed in his home. He wants to have wireless and wired internet access in his house - so a WRT54GL is going in to fill that task.

    Then, he wants to get internet access in his business workshop which is about 60' in his backyard. There is unfortunately no way of getting a Cat5e wire over there, so I'm thinking about putting a second WRT54GL over there, and using it as a (whatever you call it, bridge, WET, WDS - never did it, and I don't have the two routers to test it yet). From what I've read so far, that should work, yes?

    But.. what he doesn't want, is that the computer in his workshop being able to see the computers linked to the router in his house. Doesn't want his secretary accessing recipes in his wife's computer, or income tax records, etc. Is that possible?? And if so, how could I configure the two routers to achieve this? I was planning on flashing both WRT54GL's with the latest Tomato (1.19 as of today).

    Thanks for any insight!!!

    Bob
     
  2. RonWessels

    RonWessels Network Guru Member

    Important question: what level of protection does he want preventing office access of his home computers? It can be done two ways: one where you have to know what you're doing to be able to get to the home network from the office and one where the home computers are protected from the office equally as they are protected from the Internet.

    If you don't care that it's possible to access the home computers from the office, put the home WRT in Access Point mode and put the office WRT in Wireless Client mode. Make sure the office WRT is set up with a different network than the home network (ie. home is 192.168.1.X and office is 192.168.2.X). Since they are different networks, you have to know (or deduce) something of the home network topology to access it from the office. But it's possible.

    If you want the home network secured from the office network and you have only one Internet feed into the house, you're going to need a _third_ WRT. Connect the first WRT to your Internet connection and set it up in WDS mode with LAN address 192.168.1.X (addresses are examples). Connect the second WRT via its WAN port to one of the LAN ports on the first WRT. Setup the second WRT on a new network (eg. 192.168.2.X) and wireless as appropriate. The LAN ports and wireless from this WRT are your home network. Now take your third WRT and set it up in WDS mode (or WDS+AP mode if you want wireless access to your office network) to connect to the first WRT. It will have to be on the same LAN address as the first WRT (192.168.1.X). The LAN ports (and wireless if WDS+AP is used) from the third WRT are your office network connections.

    This allows access to the office computers from the home network (via the 192.168.1.X addresses) but blocks access to the home network from the office network.

    This setup can physically be done with only two WRT's, but the setup is complicated and not recommended unless you know what you're doing.
     
  3. Maggard

    Maggard LI Guru Member

    Or, and not to preach heresy, consider Ethernet-over-powerline.

    These devices have dropped to under US$100/pair and enable encrypted point-to-point networking over the existing electrical infrastructure. You can even plug one box into a LAN port, the other box into another router's WAN port, and bridge two networks that way. Set the routers for whatever sort of firewalling you want.

    The advantage over wireless? Less susceptible to rain/trees/trucks going between. Comparable or faster speeds. Pretty much undetectable, and well encrypted anyhow. Trivial to set up and no frequency/WPA/AES/TKIP type issues. Disadvantages? They cost, and depending on how your electrical system is set up may not always work in every location (transformers filter 'em out, etc.)

    Just another option.
     
  4. HennieM

    HennieM Network Guru Member

    As Ron suggested, using only 2 WRTs, with wired-only W/Shop computers (not tested):

    Home ---------------- W/Shop
    modem--WRT1(AP)------WRT2(Wireless Client)--wired W/Shop computers only
    192.168.1.0/24(LAN) ---- 192.168.2.0/24(LAN)

    Now set up, under "Admin > Scripts > Firewall" of WRT1
    Code:
    iptables -I PREROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP
    iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP
    Use "-I" to ensure the iptables rules go at the top of the PREROUTING and FORWARD chains.

    You MUST set WRT2 as "router", not "gateway" under "Advanced > Routing" (or WRT2 will masquarade as a 192.168.1.0/24 device).
     
  5. bobl

    bobl LI Guru Member

    Thanks for the tips!

    Hi Guys!

    Thanks for the response, I'm still testing on this one. I just received the two WRTs yesterday, but I didn't have the time to really play with them yet.

    He wants - if possible - total isolation of the house from the office. And speaking of isolation, since his business is rewiring and repairing electrical motors, his electrical installation is separate as far as I know.

    I'll try HennieM's solution later this week, I'll see what it does with my own network install. I have enough old computers here to simulate almost anything.. :)

    Thanks again! I'll post the results as soon as I can!

    Bob
     
  6. bobl

    bobl LI Guru Member

    Tests in progress...

    I've finally had time to fiddle with that particular setup. I'm discovering that I don't know enough about network and routing, and that does not make me happy! Oh well...

    I've tried HammieM's solution (described as untested) and it didn't work. What puzzled me about that one though, is the IP addresses given to the two WRTs: 192.168.1.0 and 192.168.2.0? I've tested with 192.168.1.1 and 192.168.2.1, and although with WRT1 as AP and WRT2 as Wireless Client I could get an IP address for WRT2 from the DHCP server in WRT1, I couldn't get through to the internet. The setup was like this:

    Company LAN -> WRT1 (192.168.1.1 - AP - Gateway)->Local computer 1
    WRT2 (192.168.2.1 - Wireless Client - Router) -> Local computer 2

    WRT2 got an IP address (192.168.1.122) from WRT1's DHCP server, but that was it. No access to the internet on WRT2. I've added the scripts described in HammieM's post to the Firewall section, but the results were the same.

    I've tried setting the WRTs like Jon described in the Tomato FAQ in the WDS section, and I could access the internet from both computers - but I was wondering about the security of that setup... As I decribed in the first post, I don't want the workshop computers (that would be wired to WRT2) being able to access files and folders (or anything, for that matter) on the computers linked to (wired or wireless) WRT1 - the one that receives the WAN feed. Is this possible?? Or is it already like this?

    I really must find a reference describing the different options (WET/AP/AP+WDS/Wireless Client...) of Tomato, I'm getting really confused right now!

    Thanks for any help or insight or pointers!!

    Bob
     
  7. HennieM

    HennieM Network Guru Member

    You probably have your DHCP server setup, as well as your routing setup wrong. Here some more details
    Code:
    Internet (via cable modem or company LAN)
       |
       |   -----------------------WRT1 set up as normal AP--------------------------------------
       |   WAN side: PPPoE or PPPoA to cable modem, alternatively DHCP to company LAN
      WRT1 LAN side: Fixed IP 192.168.1.1, netmask 255.255.255.0, DHCP server on, Gateway mode
       |   LAN side: Add a static route: 192.168.2.0 gateway 192.168.1.254 netmask 255.255.255.0 metric 2
       |   Add rule: iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP 
       |   -------------------------------------------------------------------------------------
       ~
       ~   Wireless
       ~
       |   -----------------------WRT2 set up as Wireless Client---------------------------------------------------------
      WRT2 WAN side (which is the wireless interface): FIXED IP 192.168.1.254, netmask 255.255.255.0, gateway 192.168.1.1
       |   LAN side: Fixed IP: 192.168.2.1, netmask 255.255.255.0, DHCP server on, Router mode
       |   --------------------------------------------------------------------------------------------------------------
       |
    W/Shop computers all set to get IP addresses by DHCP
    They should get (test in DOS prompt with "ipconfig -all"):
    IP      192.168.2.x
    Netmask 255.255.255.0
    Gateway 192.168.2.1
    To add the static route in WRT1, check under "Advanced > Routing" in Tomato.

    To first test if everything can get to everything (i.e. if DHCP and routing is good), do the setup without adding the iptables rule to WRT1. Now you should be able to get from any W/Shop computer to any computer connected to WRT1 and to the internet.

    To apply the iptables rule to WRT1, add the rule under "Administration > Scripts > Firewall".
    Once you apply the iptables rule, you should, from any W/Shop computer, get to the internet, but not to any computer connected to WRT1. (If this part does not work, we made a thinking error, so check back...;)
     
  8. bobl

    bobl LI Guru Member

    Finally!

    I've been able to test everything out, and after fiddling a little, it works!

    The only problem I had at the end, was that WRT1 didn't give DNS servers to WRT2. I configured WRT2 to use 192.168.1.1 as a DNS server, and everything got working. In fact, I'm writing this on the "workshop" side of the setup, which is still in my basement for the moment.

    From WRT2-connected computers, I can't see the computers on the WRT1 side of things, and that's what I wanted. Wireless encryption is working (although Tomato warned me that WPA2 Personal didn't work when using Wireless Client) good, so I guess I have finally found a workable solution - thanks to you HennieM!

    I'll make sure I save this for future reference, and now it's time I really learn about iptables...

    Thanks again!
     
  9. HennieM

    HennieM Network Guru Member

    Happy you got sorted.
     

Share This Page