Topic: Backfire on ASUS WL-500g V2 - Dual Wifidog daemons, SSIDs
I setup this up a little while ago on Kamikaze, and have recently migrated my units to backfire. Thankfully the process is seamless, just had to update my opkg sources and re-install a couple of things. Anyways, I'll provide the output of my configs for anyone who is interested.
The benefits of this setup:
-dual wifidog daemons, each bound to a different SSID
-dual SSIDs, 1 encrypted, 1 not (we use 1 for staff, one for guests)
-locked down remote access via iptables
We are using the 2.4 kernel, and the proprietary broadcom driver. I won't go into flashing/basic setup instructions since this is covered elsewhere, so this assumes that you have already flashed your device with Backfire and are able to SSH into it. You also have an IP address configured and your device is able to access the web.
It is also assumed that you have a basic understanding of how wifidog works/what it does, and have already setup your authentication server on a separate box that is accessible from the internet.
1) First, let's update our package list with the following command:
2) Next let's install the wifidog daemon. The package in the repos is kind of old but still accomplishes what we need done. I also prefer to edit files using nano, so we'll install that as well:
opkg install wifidog
opkg install nano
3) Next we'll setup our SSIDs, firewall rules, etc.... To start, change to your config directory
4) We'll first setup our SSIDs. As you can see, one of mine is encrypted, one is not. Feel free to set this up how you choose:
config 'wifi-device' 'wl0' option 'type' 'broadcom' option 'channel' '1' config 'wifi-iface' option 'device' 'wl0' option 'network' 'lan' option 'mode' 'ap' option 'encryption' 'none' option 'ssid' 'YOUR SSID#1 NAME' config 'wifi-iface' option 'device' 'wl0' option 'network' 'lan2' option 'mode' 'ap' option 'encryption' 'psk2' option 'key' 'YOUR ENCRYPTION KEY' option 'ssid' 'YOUR SSID#2 NAME'
Close and save your file (control x, then y)
5) Next we are going to setup our VLANs. I have the LAN ports on the back in my guest/unencrypted VLAN. The only port in my secured VLAN is the wireless transmitter. Change the IP address on the eth0.1 VLAN to match the IP address, subnet, etc... that your ISP has assigned you.
#### VLAN configuration config switch eth0 option enable 1 config switch_vlan eth0_0 option device "eth0" option vlan 0 option ports "0 1 2 3 5" config switch_vlan eth0_1 option device "eth0" option vlan 1 option ports "4 5" config switch_vlan eth0_2 option device "eth0" option vlan 2 option ports "5" #### Loopback configuration config interface loopback option ifname "lo" option proto static option ipaddr 127.0.0.1 option netmask 255.0.0.0 #### LAN configuration config interface lan option type bridge option ifname "eth0.0" option proto static option ipaddr 192.168.1.1 option netmask 255.255.255.0 #### WAN configuration config interface wan option type bridge option ifname "eth0.1" option proto static option ipaddr 18.104.22.168 option netmask 255.255.255.0 option gateway 22.214.171.124 option dns 126.96.36.199 #### LAN configuration config interface lan2 option type bridge option ifname "eth0.2" option proto static option ipaddr 192.168.2.1 option netmask 255.255.255.0
Close and save your file (control x, then y and enter)