OpenWrt Forum Archive

Topic: Disable Nat and use as a straight router

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm a network admin and am in the process of designing a wireless network (sort of like a cell net), and not a newbie to Linux or embedded Linux.

I'd like to do the following.

1. have each node (ap) responsible for doling out a specific dhcp range (ok easy)

2. Directly route all the node traffic to our central servers (no NAT, just a direct route). The client IP needs to be at the servers (not the gateways).

3. The WAN is very big: 255.248.0.0 (private space). Any client IP in that range should be able to use any access point (regardless of where the IP came from), but it must be in that range...

4. Send the syslog to a remote server (simple).

The D-link ent AP (dwl1000ap) fits the bill, BUT it's not linux :0 and is $$$

Any thoughts appreciated

Use OpenWRT and a compatible AP and:

1. Set up dnsmasq or udhcpd to give a different range of IPs on every access point.

2. Set up the default route on every node as your central server. Edit the iptables rules and remove any lines which end in -j MASQUERADE. Remove the wireless bridge (ifconfig br0 down followed by brctl delif br0).

3. Use 255.248.0.0 as your netmask on the wireless interfaces, but have each machine only give out DHCP addresses from a small range. This way any AP will accept traffic from any IP in that range but will only allocate IPs in its specified range.

4. Use scp to send syslog every hour?


Or, if your AP can do bridging (Linksys APs do this if you disable DHCP, dunno about D-Link):

Link every AP up to an ethernet switch/hub and connect them to a central router. This runs the DHCP server, does routing etc. All packets just pass through at the ethernet level from the wireless network to your ethernet. If you're going long distance you'll have to encapsulate the ethernet in something else. You can get ethernet-to-ISDN bridges, LAN extension services from your telco, bridge back to wireless again, or if your AP runs Linux put the ethernet inside PPP and use the internet to carry it.

Sorry, running OpenWRT on a Linksys WRT54G.

dnsmasq is set so DHCP doles out a range with a mask of 255.248.0.0, and the route is to the master server.
The iptables MASQUERADE line is out (there was only one).


ifconfig br0 down seems to lock me out completely; could it be that I need to console in to do this (haven't done the hack (yet))?
Thinking about it, and looking at the results of ifconfig on the interfaces, the only one that appears to have an IP is the br. Do I need to assign the eth interfaces manually before shutting the bridge down? Looking through the docs I see a note that I should probably be setting the static_route and nvram wifi_ variables before shutting the bridge down. Is this correct? And what about the WAN interface (or is that treated as part of the eth VLAN as a whole)?

I suppose I could script it if need be; at least I could get the changes made (at least temporarily).

Sorry if I seem a bit dense, but the whole VLAN setup is adding to my confusion...

BTW thanks for the quick response

Sure.
ifconfig eth1 x.x.x.x netmask x.x.x.x
during startup via script.

Maybe you can set this also with some nvram settings.

The interface setup works as follows (at least on the wrt54g v2 which i'm using):

vlan0 - lan ports
vlan1 - wan port
eth1 - wireless


vlan0 and vlan1 are really the same network card divided into 2 VLANs (virtual LANs); the real network card is eth0, but we never address it directly.

vlan0's properties are controlled by the nvram variables lan_ipaddr, lan_netmask, and lan_proto.

vlan1's by wan_ and the same suffixes.

I don't think the wireless has an nvram option for its ip as in the intended mode of operation you use the same ip on both sides of the bridge, so only one interface has to be configured.

See http://www.openwrt.org/OpenWrtFaq#head- … f48fb4b4df
for more info on the vlans.

You don't need a serial console to do any of this.

The bridge is created due to lan_ifname being set to br0 .. any time any of the *_ifname variables is a br* the script will create a bridge and parse the corresponding *_ifnames variable.

So, you could do the following:

lan_ifname=vlan0
wan_ifname=vlan1
wifi_ifname=eth1

(assumes a v2 or above)

Just noticed on http://openwrt.org/Wrt54gNVRAM that there is a wifi_ipaddr , wifi_netmask and wifi_proto variable. I presume these can be setup to configure the ip of the wireless interface.

Just one other thing I noticed in this post

dnsmasq is set so DHCP doles out a range with a mask of 255.248.0.0, and the route is to the master server.
The iptables MASQUERADE line is out (there was only one).

What's to stop 2 different access points allocating the same IP to somebody and then becoming confused about what the MAC address of that machine is? Surely each access point needs to have its own unique range of IPs to allocate.

Each access point has DHCP set to allow a subnet of the 'big net' as its pool.
The clients attach to any of the node access points (each having a different DHCP range).
They can then use (once they have any IP in the 'big net') any of the access points. This way they don't need to get a new DHCP IP (because they already have one in the 'big net', and the lease is valid).

So in short the access points all give different sub-ranges in the 'big net'
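The scheme in this exchange (one big net with the 255.248.0.0 mask on every wireless interface, plus a separate small DHCP pool per AP) is easy to get wrong when pools are typed by hand on each box. The script below is an added example, mine rather than code from the thread or from OpenWrt: it derives AP number n's dnsmasq dhcp-range line from n so that no two APs can overlap, refuses slices that fall outside the big net, includes the membership test an AP applies to a roaming client's address, and has an overlap check to run over an inventory of pools. The base address 10.8.0.0, the 254-address slice per AP and the 12h lease are my assumptions; the 255.248.0.0 mask is the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: carve one non-overlapping dnsmasq pool per
# AP out of the single big network the posts describe, so two APs can never hand
# out the same address while every AP still accepts any client in the whole range.
# Assumptions (mine): the big net is 10.8.0.0 under the thread's 255.248.0.0 mask,
# each AP gets a 254-address slice, and AP n gets the n-th /24-sized slice.

BIGNET=10.8.0.0         # assumed base address of the "big net"
BIGMASK=255.248.0.0     # netmask from the thread (a /13, 524288 addresses)
POOL_SIZE=254           # addresses per AP pool (assumed)
LEASE=12h               # dnsmasq lease time (assumed)

ip2int() {
    # dotted quad -> integer, e.g. 10.8.0.0 -> 168296448
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

int2ip() {
    # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

BIGNET_BASE=$(ip2int "$BIGNET")
BIGNET_SIZE=$(( (~$(ip2int "$BIGMASK") & 4294967295) + 1 ))   # 524288 for /13

in_bignet() {
    # succeeds when $1 lies inside BIGNET/BIGMASK: the test every AP applies to a
    # roaming client's address, whichever AP originally leased it
    [ $(( $(ip2int "$1") & $(ip2int "$BIGMASK") )) -eq "$BIGNET_BASE" ]
}

ap_pool() {
    # print the dnsmasq dhcp-range line for AP number $1 (0-based); fails if the
    # slice would fall outside the big net
    n=$1
    start=$(( BIGNET_BASE + n * 256 + 1 ))
    end=$(( start + POOL_SIZE - 1 ))
    if [ "$end" -ge $(( BIGNET_BASE + BIGNET_SIZE )) ]; then
        echo "AP $n: pool would fall outside $BIGNET/$BIGMASK" >&2
        return 1
    fi
    echo "dhcp-range=$(int2ip "$start"),$(int2ip "$end"),$BIGMASK,$LEASE"
}

pools_overlap() {
    # $1-$2 and $3-$4 are pool bounds as dotted quads; succeeds if they share an address
    a1=$(ip2int "$1"); a2=$(ip2int "$2"); b1=$(ip2int "$3"); b2=$(ip2int "$4")
    [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# Demonstration: the line each of a few APs would put in its dnsmasq config,
# and the rejection of an AP number that no longer fits in the /13.
for n in 0 1 2 2047; do
    ap_pool "$n"
done
ap_pool 2048 || echo "(AP 2048 rejected: only 2048 slices of 256 fit in a /13)"
```

On an AP the one printed line goes into the dnsmasq configuration while the wireless interface keeps the full 255.248.0.0 mask, which is what makes the AP accept a client that got its address elsewhere. pools_overlap is the check to run across the whole inventory before rollout, since a shared pool is exactly the confusion the reply above warns about.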

Could someone write up a sample file or tell me how to modify the S45firewall script to allow straight routing?

I looked for the MASQ stuff, but can't figure it out. I think this would be well worth a mini-howto!

These things would make sweet routers :)

I use the following code on an old laptop to do straight-through routing from its wireless (eth1 - 192.168.2.x) to wired (eth0 - 192.168.3.x) interfaces. One problem I've noticed with this is that every machine on the wired network must be told where to route packets to reach the wireless network; if I use NAT this isn't the case. As I've only got a small network I do this by adding rules manually to each system, but in a large setup you'd need to get DHCP to supply this or use something like RIP.

For this to work you'll also need your default route set correctly.

#!/bin/sh
# Straight-through routing between the wireless (eth1, 192.168.2.x) and
# wired (eth0, 192.168.3.x) interfaces. No NAT, so the default route on
# this box and the routes on the wired hosts must already be right.

# turn on IP forwarding to let packets pass through
echo 1 > /proc/sys/net/ipv4/ip_forward

# reset iptables (filter and nat tables)
iptables -F
iptables -t nat -F

# set default policies: nothing comes in or is forwarded unless allowed below
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# local processes talk to each other over loopback; the INPUT DROP policy
# would otherwise cut that off
iptables -A INPUT -i lo -j ACCEPT

# trust everything arriving on the wired side
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

# from the wireless side accept only one host, and only when its source
# address and its MAC address both match
iptables -A INPUT -i eth1 -s 192.168.2.2 -m mac --mac-source 01:23:45:67:89:AB -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.2.2 -m mac --mac-source 01:23:45:67:89:AB -j ACCEPT

This only lets through a single ip, which must have the correct MAC. If you want to let everything through then take out the -m mac and --mac-source bits, and change the -s bit to 0/0 or the CIDR notation for your network (e.g. 192.168.2.0/24). For example:

iptables -A INPUT -i eth1 -s 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.2.0/24 -j ACCEPT

I am running Kamikaze 7.09 as a non-NAT router. This may not be the best or minimal way to do it, but adding these lines to /etc/firewall.user seems to allow this OpenWRT router to work without NAT. You still need to correctly configure the other elements, including /etc/config/network and /etc/config/dhcp, but this seems to keep within the basic iptables firewall framework of OpenWRT while disabling the NAT (mis-)feature when that is not what you need.


## 1: Don't use NAT anymore
## Flush all system defined and user defined chains related to nat
iptables -t nat -F
iptables -t nat -X
## 2: Allow forwarding from the WAN to the LAN
iptables -A forwarding_wan -j ACCEPT
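Both the earlier request for a way to change S45firewall for straight routing and the firewall.user snippet just above come down to the same two changes: take NAT out, and decide what the router may forward once client addresses pass through unchanged. The script below is an added example, my own and not code from the thread or from OpenWrt. It edits an iptables-save dump instead of flushing the nat table, so any port forwards or redirects in that table survive, and it appends forward rules that only accept wireless traffic whose source really is inside the big net; with no MASQUERADE the client address is what the central servers see, so a spoofed source would otherwise pass straight through. The interface names vlan1 (WAN) and eth1 (wireless) follow the WRT54G layout posted earlier, the 10.8.0.0/13 network is my assumption, and the sample dump is constructed for the demonstration (only the forwarding_rule and forwarding_wan chain names come from the thread).

```shell
#!/bin/sh
# Added example, not the thread's own code: turn a NAT'ing OpenWrt ruleset into a
# straight-routing one by editing an `iptables-save` dump instead of flushing the
# whole nat table, and add the forward filtering a non-NAT router needs.
# Assumptions (mine): WAN is vlan1 and wireless is eth1, as in the WRT54G layout
# in the thread; the big net is 10.8.0.0/13 (netmask 255.248.0.0).

WIFI_IF=eth1
BIGNET_CIDR=10.8.0.0/13

# Constructed sample of an iptables-save dump in the Kamikaze-era chain layout
# (forwarding_rule/forwarding_wan are the thread's chain names; the rules are mine).
SAMPLE_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:prerouting_rule - [0:0]
:postrouting_rule - [0:0]
-A PREROUTING -j prerouting_rule
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -o vlan1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
-A FORWARD -j forwarding_rule
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan1 -j forwarding_wan
COMMIT'

count_masquerade() {
    # number of MASQUERADE rules in the dump on stdin (grep -c prints 0 but exits 1)
    grep -c -- '-j MASQUERADE$' || true
}

strip_masquerade() {
    # remove only the MASQUERADE rules; port forwards and redirects in the nat
    # table survive, which `iptables -t nat -F` would throw away
    grep -v -- '-j MASQUERADE$'
}

no_nat_rules() {
    # filter rules for straight routing: forward wireless traffic only when its
    # source really is in the big net (anti-spoofing), and let the central side
    # reach clients; replies are already covered by the RELATED,ESTABLISHED rule
    cat <<EOF
-A forwarding_rule -i $WIFI_IF ! -s $BIGNET_CIDR -j DROP
-A forwarding_rule -i $WIFI_IF -s $BIGNET_CIDR -j ACCEPT
-A forwarding_wan -d $BIGNET_CIDR -j ACCEPT
EOF
}

convert_ruleset() {
    # stdin: iptables-save dump; stdout: the same dump minus MASQUERADE, with the
    # straight-routing rules appended to the filter table just before its COMMIT
    table=
    strip_masquerade | while IFS= read -r line; do
        case $line in
            \**)    table=${line#\*} ;;
            COMMIT) if [ "$table" = filter ]; then no_nat_rules; fi ;;
        esac
        printf '%s\n' "$line"
    done
}

# Usage on the router, if iptables-save/iptables-restore are installed there:
#   iptables-save | convert_ruleset | iptables-restore
# Offline demonstration on the constructed dump:
printf '%s\n' "$SAMPLE_RULESET" | convert_ruleset
```

Done as one pipeline on the router, the change is applied atomically, so the box is never left with the nat table gone and the forward rules not yet in place. The `-A forwarding_wan -d 10.8.0.0/13 -j ACCEPT` line narrows the post's blanket `-A forwarding_wan -j ACCEPT` to traffic actually destined for clients in the big net.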

The discussion might have continued from here.