{"id":917,"date":"2013-04-16T20:43:45","date_gmt":"2013-04-17T00:43:45","guid":{"rendered":"https:\/\/infotechguy.net\/?p=917"},"modified":"2025-02-22T13:14:39","modified_gmt":"2025-02-22T18:14:39","slug":"multiple-access-points-over-802-1q-using-openwrtpart2","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=917","title":{"rendered":"OpenWRT — Multiple Access Points With 802.1Q (part2)"},"content":{"rendered":"

Welcome back!<\/p>\n

In the last part, part 1, we configured our OpenWRT device, got it to emit two(2) Access Point SSIDs (insecureWiFi & secureWiFi), created two(2) VLANs to separate traffic frames, and created a trunk to our PoweConnect switch! Wow!
\nFor this part, part 2<\/strong>, we will be creating another VLAN Trunk from our Dell PowerConnect switch to our Linux router, designing and configuring some Firewall rules.
\n
\nNow, back to our topology….<\/p>\n

Topology<\/h3>\n

\"\"<\/a>\"\"<\/a><\/p>\n

Creating the 802.1Q Trunk Link<\/h3>\n
    \n
  1. \n

    Installing and Configuring VLANs on Linux<\/h4>\n

    I am using a home based Linux router, running Ubuntu 12.04 server. Here is where I run my IPTABLES and firwall rules. Look back at our topology diagram. Do you see the Trunk between the Dell PowerConnect switch and the IPTABLES firewall? Great, we need to prepare each side of the Trunk link. Let’s start with the Linux IPTABLES side.<\/p>\n

    NOTICE: eth1<\/strong> is the physical interface of the Trunk link.
    \n<\/em><\/p>\n

    sudo apt-get install vlan<\/pre>\n
    Load the 802.1Q module<\/p>\n
    sudo modprobe 8021q<\/pre>\n
    Have the module automatically load on startup by adding “8021q”<\/strong> at the end of the \/etc\/modules<\/strong> file:<\/p>\n
    sudo echo \"8021q\" >> \/etc\/modules<\/pre>\n<\/li>\n
  2. \n
    Adding VLANs to our eth0 interface<\/h4>\n
    The next step will add the VLAN tags to the eth1 interface, so we must specify 100 and 110. Once we add the first VLAN tag the interface will be converted into a Trunk interface.<\/p>\n
    sudo vconfig add eth1 100 \r\nsudo vconfig add eth1 110 \r\nifconfig<\/pre>\n
    You should see two(2) new interfaces called eth1.100 and eth1.110<\/strong>. Seem familar? It’s because back when we did it under OpenWRT, it was linux too!<\/li>\n
  3. \n
    Adding IPs to each VLAN interface<\/h4>\n
    I am picking the first host address in each subnet, remember our subnets are 192.168.0.0\/24 and 192.168.1.0\/24.<\/p>\n
    sudo ip addr add 192.168.0.1 eth1.100 \r\nsudo ip addr add 192.168.1.1 eth1.110<\/pre>\n
    Let’s also add these address to the \/etc\/network\/interfaces config, so they will remain permanant.
    \nIn your \/etc\/network\/interfaces add:<\/p>\n
    auto eth1.100\r\niface eth1.100 inet static\r\n        address 192.168.0.1\r\n        netmask 255.255.255.0\r\n        network 192.168.0.0\r\n        broadcast 192.168.0.255\r\n        vlan_raw_device eth1\r\n\r\nauto eth1.110\r\niface eth1.110 inet static\r\n        address 192.168.1.1\r\n        netmask 255.255.255.0\r\n        network 192.168.1.0\r\n        broadcast 192.168.1.255\r\n        vlan_raw_device eth1\r\n<\/pre>\n
    NOTICE:<\/strong> vlan_raw_device<\/em>, denotes the physical interface to bind\/attach itself to.<\/li>\n
  4. \n
    Creating Trunk Link on PowerConenct<\/h4>\n
    We did this in part 1, so quickly create a Trunk link on port g21<\/strong>. g21 is connected to eth1 on our Linux router.<\/p>\n
     SW1 configure<\/pre>\n
    SW1(config) interface ethernet g21<\/p>\n
    SW1(config-if) switchport mode trunk
    \nswitchport trunk allowed 100
    \nswitchport trunk allowed 110<\/li>\n<\/ol>\n
    Basic IPTABLES<\/h3>\n
      \n
    1. \n
        We now have to give both networks Internet access, but deny the insecure network(192.168.1.0\/24) to our secure network (192.168.0.0\/24). Assume for this tutorial that on our Linux Router, the eth0 interface is a public interface.<\/ol>\n<\/li>\n<\/ol>\n
        On the Linux Router…<\/p>\n
          \n
        1. \n
          Allow Secure to Insecure Network<\/h4>\n
          iptables -I FORWARD -s 192.168.0.0\/24 -d 192.168.1.0\/24 -p all -j ACCEPT<\/pre>\n<\/li>\n
        2. \n
          Deny Insecure to Secure Network<\/h4>\n
          iptables -A FORWARD -s 192.168.1.0\/24 -d 192.168.0.0\/24 -p all -j DROP<\/pre>\n<\/li>\n
        3. \n
          Masquerade Internet bound traffic<\/h4>\n
          iptables -t nat -A POSTROUTING -s 192.168.0.0\/24 -o eth0 -j MASQUERADE \r\niptables -t nat -A POSTROUTING -s 192.168.1.0\/24 -o eth0 -j MASQUERADE<\/pre>\n
          NOTICE: <\/strong>This will allow full Internet access for both networks. You may want to filter your Insecure network to only HTTP and HTTPS.<\/em><\/li>\n<\/ol>\n
          Verifying It All Works<\/h3>\n
            \n
          1. \n
            Set OpenWRT IPs<\/h4>\n
            Log back onto the OpenWRT Web Configuration page. Browse to the Insecure Interface and make sure it has an IP address set on the 192.168.0.0\/24 network, next do the same thing for the Secure Interface. For my example OpenWRT has an IP address of 192.168.0.2 on the Secure network<\/strong> and 192.168.1.2 on the Insecure network<\/strong>.<\/li>\n
          2. \n
            Try to Ping each IP<\/h4>\n
            Try to ping each IP 192.168.0.2 and 192.168.1.2<\/strong> from an end user device on the Secure network. My laptop has an IP of 192.168.0.155. I get a 100% echo response from both OpenWRT IPs. This will verify that our new Trunk and our routing is working, since the Linux router needs to route from 192.168.0.0 to 192.168.1.0 networks.<\/li>\n
          3. \n
            Connecting Wirelessly<\/h4>\n
            Go ahead and set a static IP address or use OpenWRTs DHCP feature, to assign an insecure network IP. Such as 192.168.1.54. Try to ping a computer on the Secure network. Does it reply? If so, recheck your IPTABLES. Else, try to ping an outside website or Google at 8.8.8.8. Do a traceroute. Does it receive a response? Awesome!<\/li>\n<\/ol>\n
            Congrats!!! You have two working Access Points using one Wireless Router!!<\/h3>\n
            See part 1<\/a>, part 2<\/a><\/h4>\n
            Sources:<\/p>\n