Topic: Kids wlan

I'm new to OpenWRT but have successfully installed OpenWrt Attitude Adjustment r31566 /LuCI Trunk (trunk+svn8668)
on a TP-Link TL-WA901N/ND v2.

The WA901 has a single ethernet port and a radio. I'm trying to add a wireless router to my network which my kids devices (tablet, phone and ipod) will connect to. I want the router to force all their DNS requests out to OpenDNS (where I have set filtering options).

I've been following the guest-wlan and dmz how tos as a basis for what I'm trying to do and bits of it seem to be working except that I cannot route out beyond the 192.168.1.0 network onto the internet when connected over the wlan.

I want the WA901 to fetch an IP address from the network DHCP and to create the wlan on a different subnet so that I can use IPTables to 1) force DNS requests to resolve using dnsmasq running on the WA901 and then onto OpenDNS for any domains that are not in the cache. Later I want to add another rule that will disable internet access after 9pm at night.

Ideally I'd like the wlan to be able to access servers (music, mythtv etc) in the lan too.

Here is my new config for the router:

/etc/config/network
==============
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth0'
    option type 'bridge'
    option proto 'dhcp'

config interface 'kids'
    option 'proto' 'static'
    option 'ipaddr' '172.16.96.1'
    option 'netmask' '255.255.255.0'


/etc/config/dhcp
============
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    list server '208.67.220.220'
    list server '208.67.222.222'

config dhcp 'kids'
    option interface 'kids'
    option start '100'
    option limit '150'
    option leasetime '1h'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

/etc/config/wireless
===============
config wifi-device 'radio0'
    option type 'mac80211'
    option macaddr 'b0:48:xx:xx:xx:xx'
    option hwmode '11ng'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'DSSS_CCK-40'
    option channel '6'
    option txpower '27'
    option country 'US'

config wifi-iface
    option device 'radio0'
    option network 'kids'
    option mode 'ap'
    option ssid 'QT901'
    option encryption 'psk2'
    option key '123456789abc'

/etc/config/firewall
=============

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'kids'
    option network 'kids'
    option forward 'REJECT'
    option output 'ACCEPT'
    option input 'REJECT'

config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'kids'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option src 'kids'
    option dest_port '53'
    option proto 'tcpudp'
    option target 'ACCEPT'

config rule
    option src 'kids'
    option src_port '67-68'
    option dest_port '67-68'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

The route command shows:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
172.16.96.0     *               255.255.255.0   U     0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

When connected to the WA901 over ethernet (via a switch), and ssh'd into the router, I can see that the router can ping the LAN side:
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=0.644 ms

It can also resolve DNS and connect to the outside world:
PING www.apple.com (2.19.205.15): 56 data bytes
64 bytes from 2.19.205.15: seq=0 ttl=53 time=22.363 ms

However when I try the same thing from a computer connected over the WA901 wlan, things don't work.
The PC has an 172.16.96.165 IP address from the WA901 over the wlan.

But when I try to ping www.apple.com I see:
PING e3191.c.akamaiedge.net (2.19.205.15) 56(84) bytes of data.
From 172.16.96.1 icmp_seq=1 Destination Port Unreachable

I'm not sure if I've got a routing issue, firewall issue or just don't know what the hell I'm doing?!

Can someone help explain how to configure this correctly? As you've probably figured (if you read this far), networks are not my thing, although I'm keen to learn.

Thanks

JJ

Re: Kids wlan

Destination Port Unreachable -> firewalled.

Re: Kids wlan

I don't understand, shouldn't this firewall directive allow traffic from the wlan to the wan port?

config forwarding
    option src 'kids'
    option dest 'wan'

Re: Kids wlan

In case anyone else needs something similar, there's a howto that describes the process exactly

http://wiki.openwrt.org/doc/recipes/routedap

Of course, I still can't get wlan clients to see the internet though... grrrrr

Re: Kids wlan

Does anyone know if the TP-Link WA901N(D) v2 can actually support a routed-ap?

I've followed the guide to the letter and I still cannot get this to work.

jow suggested that it is a firewall issue, but I have the appropriate forwards in there and I changed the zone input/output sections for the wlan to ACCEPT.

Anyone know how to fix this?

Re: Kids wlan

Well, if you'd followed it to the letter your router would be connected to the internet via wan, not lan.
If your default route is on the lan interface (which it is) you of course need to allow forwards from wifi to lan, not wifi to wan. You'll also need to enable masquerading on lan, not wan.
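As an added example (not code from the thread or from OpenWrt), here is a small Python checker that applies this diagnosis mechanically: it parses the firewall UCI sections and the `route` output, finds the zone that owns the default-route interface, and reports whether a client zone is forwarded to that zone and whether that zone masquerades. It assumes an OpenWrt network 'x' appears as device 'x' or, when bridged, 'br-x'; the sample inputs are constructed from the first post.

```python
# Added example, not code from the thread: find the firewall zone that carries
# the default route and check a client zone's forwarding/masq against it.
# Assumption: OpenWrt network 'x' shows up as device 'x' or, when bridged, 'br-x'.
def parse_uci(text):
    # Returns [(section_type, {option: value}), ...]; 'list' keys become lists.
    sections = []
    for tok in (line.replace("'", "").split() for line in text.splitlines()):
        if tok[:1] == ["config"]:
            sections.append((tok[1], {}))
        elif tok[:1] == ["option"]:
            sections[-1][1][tok[1]] = " ".join(tok[2:])
        elif tok[:1] == ["list"]:
            sections[-1][1].setdefault(tok[1], []).append(" ".join(tok[2:]))
    return sections

def default_iface(route_text):
    # Iface column of the default route, for `route` or `route -n` output.
    for cols in (line.split() for line in route_text.splitlines()):
        if len(cols) == 8 and cols[0] in ("default", "0.0.0.0") and "G" in cols[3]:
            return cols[7]
    return None

def check_client_zone(firewall_text, route_text, client):
    """Report what keeps zone `client` from reaching the default route, with a fix."""
    sections = parse_uci(firewall_text)
    zones = {s["name"]: s for t, s in sections if t == "zone"}
    fwd = [(s["src"], s["dest"]) for t, s in sections if t == "forwarding"]
    dev = default_iface(route_text)
    up = next((z for z, s in zones.items()
               if dev in (s.get("network"), "br-" + str(s.get("network")))), None)
    report = {"upstream_zone": up, "forward_ok": (client, up) in fwd,
              "masq_ok": zones.get(up, {}).get("masq") == "1", "fix": []}
    if up and not report["forward_ok"]:
        report["fix"].append("config forwarding\n    option src '%s'\n    option dest '%s'" % (client, up))
    if up and not report["masq_ok"]:
        report["fix"].append("in zone '%s': option masq '1'" % up)
    return report

# Constructed sample: the zones and forwarding from the first post, plus its route table.
FIREWALL = """config zone
    option name 'lan'
    option network 'lan'
config zone
    option name 'kids'
    option network 'kids'
config forwarding
    option src 'kids'
    option dest 'wan'
"""
ROUTE = """Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
"""
```

Running `check_client_zone(FIREWALL, ROUTE, "kids")` on the sample reports the upstream zone as `lan` with both checks failing, and the `fix` list contains exactly the two changes described above.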

Re: Kids wlan

Thanks for the info - I think I'm beginning to understand the problem now.

After first installing OpenWRT, the /etc/config/network settings are:

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth0'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

Based on the configuration settings, it looks like the router is operating as a bridged AP by default.

What I don't understand is why there aren't both lan and wan settings in the network file? Especially since the firewall rules make mention of a wan zone that isn't defined in any other files. See below:

config zone
    option name        lan
    option network        'lan'
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT

config zone
    option name        wan
    option network        'wan'
    option input        REJECT
    option output        ACCEPT
    option forward        REJECT
    option masq        1
    option mtu_fix        1

config forwarding
    option src        lan
    option dest        wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name        Allow-DHCP-Renew
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family        ipv4

# Allow IPv4 ping
config rule
    option name        Allow-Ping
    option src        wan
    option proto        icmp
    option icmp_type    echo-request
    option family        ipv4
    option target        ACCEPT

... {rest omitted} ...

Since the router worked as a bridged AP after first installing OpenWrt, I'm assuming that there are no errors in the default configuration files.

Does this mean that the wan interface/zone is always created by default by OpenWrt and bound to a particular interface regardless of whether it is defined in the network settings?

It suggests to me that maybe the routedap recipe is designed for a different device that has more than one physical network interface or where the wan setting is explicitly mentioned in the network settings.

Is this the case?

The recipe includes the incremental changes to make to the router to achieve the routed AP configuration. It would be really helpful, if the recipe included the full settings as well so that people could see what the differences are even if this varies by device.

If I can get this working on the WA901N, I'd be very happy to document it as an additional section within the routedap recipe to avoid other newbies hitting the same issues I've encountered (even if they are errors of my own making).

Re: Kids wlan

Because the network configuration is generated on first boot according to the found interfaces. If there is only one on your unit then you only get a lan iface. The wan firewall zone is always defined because the config file is shipped and generic.

Full settings are not possible because they differ from unit to unit.

Re: Kids wlan

jow, thanks for your help on this.

I have posted my settings that appear to work in a separate message which can be found at

https://forum.openwrt.org/viewtopic.php?pid=166657#p166657