OpenWrt Forum Archive

Topic: Backfire on ASUS WL-500g V2 - Dual Wifidog daemons, SSIDs

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I set this up a little while ago on Kamikaze, and have recently migrated my units to Backfire. Thankfully the process is seamless; I just had to update my opkg sources and re-install a couple of things. Anyway, I'll provide the output of my configs for anyone who is interested.

The benefits of this setup:
-dual wifidog daemons, each bound to a different SSID
-dual SSIDs, one encrypted, one not (we use one for staff, one for guests)
-locked down remote access via iptables

We are using the 2.4 kernel and the proprietary Broadcom driver. I won't go into flashing/basic setup instructions since this is covered elsewhere, so this assumes that you have already flashed your device with Backfire and are able to SSH into it. You also have an IP address configured and your device is able to access the web.

It is also assumed that you have a basic understanding of how wifidog works/what it does, and have already set up your authentication server on a separate box that is accessible from the internet.

1) First, let's update our package list with the following command:
opkg update

2) Next let's install the wifidog daemon. The package in the repos is kind of old but still accomplishes what we need done. I also prefer to edit files using nano, so we'll install that as well:
opkg install wifidog
opkg install nano

3) Next we'll set up our SSIDs, firewall rules, etc. To start, change to your config directory:
cd /etc/config

4) We'll first set up our SSIDs. As you can see, one of mine is encrypted, one is not. Feel free to set this up how you choose:

nano /etc/config/wireless

config 'wifi-device' 'wl0'
        option 'type' 'broadcom'
        option 'channel' '1'

config 'wifi-iface'
        option 'device' 'wl0'
        option 'network' 'lan'
        option 'mode' 'ap'
        option 'encryption' 'none'
        option 'ssid' 'YOUR SSID#1 NAME'

config 'wifi-iface'
        option 'device' 'wl0'
        option 'network' 'lan2'
        option 'mode' 'ap'
        option 'encryption' 'psk2'
        option 'key' 'YOUR ENCRYPTION KEY'
        option 'ssid' 'YOUR SSID#2 NAME'

Close and save your file (control x, then y)

5) Next we are going to set up our VLANs. I have the LAN ports on the back in my guest/unencrypted VLAN. The only port in my secured VLAN is the wireless transmitter. Change the IP address on the eth0.1 VLAN to match the IP address, subnet, etc. that your ISP has assigned you.

nano /etc/config/network

#### VLAN configuration
config switch eth0
        option enable   1

config switch_vlan eth0_0
        option device   "eth0"
        option vlan     0
        option ports    "0 1 2 3 5"

config switch_vlan eth0_1
        option device   "eth0"
        option vlan     1
        option ports    "4 5"

config switch_vlan eth0_2
        option device   "eth0"
        option vlan     2
        option ports    "5"


#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0


#### WAN configuration
config interface        wan
        option type     bridge
        option ifname   "eth0.1"
        option proto    static
        option ipaddr   1.1.1.1
        option netmask  255.255.255.0
        option gateway  1.1.1.1
        option dns      2.2.2.2


#### LAN2 configuration (secured VLAN)
config interface lan2
        option type     bridge
        option ifname   "eth0.2"
        option proto    static
        option ipaddr   192.168.2.1
        option netmask  255.255.255.0

Close and save your file (control x, then y and enter)

(Last edited by Hinzel on 25 May 2010, 00:28)
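Before wifidog is layered on top, it is worth confirming that the two SSIDs from steps 4 and 5 really land in separate segments. The following sh/awk check is an added example, not part of Hinzel's post or of OpenWrt: it reads the UCI text of /etc/config/wireless and /etc/config/network and fails if a wifi-iface points at a network that is never defined, or if one network carries both an open (encryption none) and an encrypted SSID, which would put guests and staff on the same bridge. The sample configs embedded in it are constructed for the demo; the SSID names and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenWrt).
# Confirm that the SSID-to-network mapping keeps the open and the encrypted
# SSID on different networks, and that every referenced network is defined.
# Needs only sh and awk (busybox awk is enough).

# check_wifi_segmentation WIRELESS_FILE NETWORK_FILE -> exit 0 when consistent
check_wifi_segmentation() {
    awk -v q="'" -v dq='"' '
        # called at each new "config" stanza and at EOF, for the stanza just read
        function end_stanza() {
            if (sect != "wifi-iface") return
            if (!(net in defined)) {
                printf "ERROR: SSID %s references undefined network %s\n", ssid, net
                bad++
            }
            kind = (enc == "" || enc == "none") ? "open" : "encrypted"
            if ((net in seen) && seen[net] != kind) {
                printf "ERROR: network %s carries both open and encrypted SSIDs\n", net
                bad++
            }
            seen[net] = kind
        }
        { gsub(q, ""); gsub(dq, "") }      # UCI values may be quoted either way
        FNR == 1 { file++ }                 # file 1 = network, file 2 = wireless
        file == 1 && $1 == "config" && $2 == "interface" { defined[$3] = 1; next }
        file == 2 && $1 == "config" { end_stanza(); sect = $2; net = ""; enc = "none"; ssid = "?"; next }
        file == 2 && $1 == "option" && $2 == "network"    { net = $3 }
        file == 2 && $1 == "option" && $2 == "encryption" { enc = $3 }
        file == 2 && $1 == "option" && $2 == "ssid"       { ssid = $3 }   # first word is enough for a label
        END { end_stanza(); if (bad) exit 1; print "OK: each SSID maps to its own defined network" }
    ' "$2" "$1"
}

# Constructed stand-ins for the two config files (demo/test input only)
sample_network() {
    cat <<'EOF'
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option ipaddr   192.168.1.1

config interface lan2
        option type     bridge
        option ifname   "eth0.2"
        option ipaddr   192.168.2.1
EOF
}

sample_wireless_ok() {
    cat <<'EOF'
config 'wifi-device' 'wl0'
        option 'type' 'broadcom'

config 'wifi-iface'
        option 'device' 'wl0'
        option 'network' 'lan'
        option 'mode' 'ap'
        option 'encryption' 'none'
        option 'ssid' 'guest'

config 'wifi-iface'
        option 'device' 'wl0'
        option 'network' 'lan2'
        option 'mode' 'ap'
        option 'encryption' 'psk2'
        option 'ssid' 'staff'
EOF
}

# The mistakes the check is meant to catch: the staff SSID bound to the guest
# network, plus an SSID on a network that was never defined.
sample_wireless_bad() {
    cat <<'EOF'
config 'wifi-iface'
        option 'network' 'lan'
        option 'encryption' 'none'
        option 'ssid' 'guest'

config 'wifi-iface'
        option 'network' 'lan'
        option 'encryption' 'psk2'
        option 'ssid' 'staff'

config 'wifi-iface'
        option 'network' 'lan3'
        option 'encryption' 'psk2'
        option 'ssid' 'orphan'
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    sample_network > "$d/network"
    sample_wireless_ok > "$d/wireless"
    sample_wireless_bad > "$d/wireless.bad"
    echo "== good config"; check_wifi_segmentation "$d/wireless" "$d/network"
    echo "== bad config";  check_wifi_segmentation "$d/wireless.bad" "$d/network"
    rm -rf "$d"
}

# On the router: check_wifi_segmentation /etc/config/wireless /etc/config/network
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check-wifi.sh demo` to see both outcomes on the constructed samples; on the unit itself, source the file and call `check_wifi_segmentation /etc/config/wireless /etc/config/network` after every change to either file. It only checks the mapping, not that the bridges exist or that the switch VLAN port lists are disjoint.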

6) Next we'll set up our firewall rules. Feel free to edit these according to your needs.

nano /etc/config/firewall

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             lan
        option input    ACCEPT
        option output   ACCEPT
        option forward  REJECT

config zone
        option name             lan2
        option input    ACCEPT
        option output   ACCEPT
        option forward  REJECT

config zone
        option name             wan
        option input    REJECT
        option output   ACCEPT
        option forward  REJECT
        option masq             1

config forwarding
        option src      lan
        option dest     wan
        option mtu_fix  1

config forwarding
        option src      lan2
        option dest     wan
        option mtu_fix  1


# include a file with users custom iptables rules
config include
        option path /etc/firewall.user

Close and save your file. There are a bunch of config examples below this in my file, but since they are all commented out anyway I'm not going to bother cutting/pasting them. Also notice this line: option path /etc/firewall.user. This is how we will permit remote access to the router from remote IPs. I'll get to that in a bit.


7) Add DHCP for our VLANs:

nano /etc/config/dhcp

config dnsmasq
        option domainneeded     1
        option boguspriv        1
        option filterwin2k      '0'  #enable for dial on demand
        option localise_queries 1
        option local    '/lan/'
        option domain   'lan'
        option expandhosts      1
        option nonegcache       0
        option authoritative    1
        option readethers       1
        option leasefile        '/tmp/dhcp.leases'
        option resolvfile       '/tmp/resolv.conf.auto'
        #list server            '/mycompany.local/1.2.3.4'
        #option nonwildcard     0
        #list interface         br-lan

config dhcp lan
        option interface        lan
        option start    100
        option limit    250
        option leasetime        12h

config dhcp wan
        option interface        wan
        option ignore   1

config dhcp lan2
        option interface        lan2
        option start    100
        option limit    250
        option leasetime        12h

Alright, so we now have our VLANs, SSIDs, firewall rules, DHCP bindings, and IP configs set up. Go ahead and reboot your device. When it comes up, you should have 2 separate SSIDs being broadcast. You should be able to connect to either one, and you should get an IP in a different subnet depending on which one you are connected to. Since we have not yet set up wifidog, you should be able to connect to the internet using either SSID. If any of these conditions are not met on your device, go back and start over. If it's all good so far, then carry on.

8) Wifidog should install a config file to /etc/wifidog.conf after you install the package. We need to duplicate this file for our second daemon.
cp /etc/wifidog.conf /etc/wifidog2.conf

9) Rather than discuss what each line in the wifidog file represents, I'll post an output of both of the files on my device. Just copy and paste into yours so that it matches, but change the GatewayID to whatever you would like in both files. I use the same hostname in both files, just append a "c" onto the name of the guest file. You'll also need to edit the auth server portion to point to your auth server.

nano /etc/wifidog.conf

# WiFiDog Configuration file

# Parameter: GatewayID
# Default: default
# Optional
#
# Set this to the node ID on the auth server
# this is used to give a customized login page to the clients and for
# monitoring/statistics purpose
# If none is supplied, the mac address of the GatewayInterface interface will be used,
# without the : separators

GatewayID van-wap-1c

# Parameter: ExternalInterface
# Default: NONE
# Optional
#
# Set this to the external interface (the one going out to the Internet or your larger LAN).
# Typically vlan1 for OpenWrt, and eth0 or ppp0 otherwise,
# Normally autodetected

ExternalInterface eth0.1

# Parameter: GatewayInterface
# Default: NONE
# Mandatory
#
# Set this to the internal interface (typically your wifi interface).
# Typically br-lan for OpenWrt, and eth1, wlan0, ath0, etc. otherwise

GatewayInterface br-lan

# Parameter: GatewayAddress
# Default: Find it from GatewayInterface
# Optional
#
# Set this to the internal IP address of the gateway.  Not normally required.

# GatewayAddress 192.168.1.1

# Parameter: AuthServer
# Default: NONE
# Mandatory, repeatable
#
# This allows you to configure your auth server(s).  Each one will be tried in order, until one responds.
# Set this to the hostname or IP of your auth server(s), the path where
# WiFiDog-auth resides in and the port it listens on.
#AuthServer {
#       Hostname                 (Mandatory; Default: NONE)
#       SSLAvailable             (Optional; Default: no; Possible values: yes, no)
#       SSLPort                  (Optional; Default: 443)
#       HTTPPort                 (Optional; Default: 80)
#       Path                     (Optional; Default: /wifidog/ Note:  The path must be both prefixed and suffixed by /.  Use a single / for server root.)
#   LoginScriptPathFragment  (Optional; Default: login/? Note:  This is the script the user will be sent to for login.)
#   PortalScriptPathFragment (Optional; Default: portal/? Note:  This is the script the user will be sent to after a successful login.)
#   MsgScriptPathFragment    (Optional; Default: gw_message.php? Note:  This is the script the user will be sent to upon error to read a readable message.)
#   PingScriptPathFragment    (Optional; Default: ping/? Note:  This is the script the user will be sent to upon error to read a readable message.)
#   AuthScriptPathFragment    (Optional; Default: auth/? Note:  This is the script the user will be sent to upon error to read a readable message.)
#}

AuthServer {
    Hostname yourauthserver.com
    SSLAvailable yes
    Path /
}

#AuthServer {
#    Hostname auth.ilesansfil.org
#    SSLAvailable yes
#    Path /
#}

#AuthServer {
#    Hostname auth2.ilesansfil.org
#    SSLAvailable yes
#    Path /
#}

# Parameter: Daemon
# Default: 1
# Optional
#
# Set this to true if you want to run as a daemon
Daemon 1

# Parameter: GatewayPort
# Default: 2060
# Optional
#
# Listen on this port
GatewayPort 2060

# Parameter: HTTPDName
# Default: WiFiDog
# Optional
#
# Define what name the HTTPD server will respond
HTTPDName WiFiDog

# Parameter: HTTPDMaxConn
# Default: 10
# Optional
#
# How many sockets to listen to
HTTPDMaxConn 30

# Parameter: CheckInterval
# Default: 60
# Optional
#
# How many seconds should we wait between timeout checks.  This is also
# how often the gateway will ping the auth server and how often it will
# update the traffic counters on the auth server.  Setting this too low
# wastes bandwidth, setting this too high will cause the gateway to take
# a long time to switch to its backup auth server(s).

CheckInterval 3600

# Parameter: ClientTimeout
# Default: 5
# Optional
#
# Set this to the desired number of CheckIntervals of inactivity before a client is logged out
# The timeout will be INTERVAL * TIMEOUT
ClientTimeout 72

# Parameter: TrustedMACList
# Default: none
# Optional
#
# Comma separated list of MAC addresses who are allowed to pass
# through without authentication
#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D

# Parameter: FirewallRuleSet
# Default: none
# Mandatory
#
# Groups a number of FirewallRule statements together.

# Parameter: FirewallRule
# Default: none
#
# Define one firewall rule in a rule set.

# Rule Set: global
#
# Used for rules to be applied to all other rulesets except locked.
FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25

    ## Use the following if you don't want clients to be able to access machines on
    ## the private LAN that gives internet access to wifidog.  Note that this is not
    ## client isolation;  The laptops will still be able to talk to one another, as
    ## well as to any machine bridged to the wifi of the router.
    # FirewallRule block to 192.168.0.0/16
    # FirewallRule block to 172.16.0.0/12
    # FirewallRule block to 10.0.0.0/8

    ## This is an example ruleset for the Teliphone service.
    #FirewallRule allow udp to 69.90.89.192/27
    #FirewallRule allow udp to 69.90.85.0/27
    #FirewallRule allow tcp port 80 to 69.90.89.205
}

# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
    FirewallRule allow to 0.0.0.0/0
}

# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
    FirewallRule allow to 0.0.0.0/0
}

# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
}

# Rule Set: locked-users
#
# Not currently used
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}

Exit and save

10) Time to edit our second file.

nano /etc/wifidog2.conf

# WiFiDog Configuration file

# Parameter: GatewayID
# Default: default
# Optional
#
# Set this to the node ID on the auth server
# this is used to give a customized login page to the clients and for
# monitoring/statistics purpose
# If none is supplied, the mac address of the GatewayInterface interface will be used,
# without the : separators

GatewayID van-wap-1

# Parameter: ExternalInterface
# Default: NONE
# Optional
#
# Set this to the external interface (the one going out to the Internet or your larger LAN).
# Typically vlan1 for OpenWrt, and eth0 or ppp0 otherwise,
# Normally autodetected

ExternalInterface eth0.1

# Parameter: GatewayInterface
# Default: NONE
# Mandatory
#
# Set this to the internal interface (typically your wifi interface).
# Typically br-lan for OpenWrt, and eth1, wlan0, ath0, etc. otherwise

GatewayInterface br-lan2

# Parameter: GatewayAddress
# Default: Find it from GatewayInterface
# Optional
#
# Set this to the internal IP address of the gateway.  Not normally required.

# GatewayAddress 192.168.1.1

# Parameter: AuthServer
# Default: NONE
# Mandatory, repeatable
#
# This allows you to configure your auth server(s).  Each one will be tried in order, until one responds.
# Set this to the hostname or IP of your auth server(s), the path where
# WiFiDog-auth resides in and the port it listens on.
#AuthServer {
#       Hostname                 (Mandatory; Default: NONE)
#       SSLAvailable             (Optional; Default: no; Possible values: yes, no)
#       SSLPort                  (Optional; Default: 443)
#       HTTPPort                 (Optional; Default: 80)
#       Path                     (Optional; Default: /wifidog/ Note:  The path must be both prefixed and suffixed by /.  Use a single / for server root.)
#   LoginScriptPathFragment  (Optional; Default: login/? Note:  This is the script the user will be sent to for login.)
#   PortalScriptPathFragment (Optional; Default: portal/? Note:  This is the script the user will be sent to after a successful login.)
#   MsgScriptPathFragment    (Optional; Default: gw_message.php? Note:  This is the script the user will be sent to upon error to read a readable message.)
#   PingScriptPathFragment    (Optional; Default: ping/? Note:  This is the script the user will be sent to upon error to read a readable message.)
#   AuthScriptPathFragment    (Optional; Default: auth/? Note:  This is the script the user will be sent to upon error to read a readable message.)
#}

AuthServer {
    Hostname yourauthserver.com
    SSLAvailable yes
    Path /
}

#AuthServer {
#    Hostname auth.ilesansfil.org
#    SSLAvailable yes
#    Path /
#}

#AuthServer {
#    Hostname auth2.ilesansfil.org
#    SSLAvailable yes
#    Path /
#}

# Parameter: Daemon
# Default: 1
# Optional
#
# Set this to true if you want to run as a daemon
Daemon 1

# Parameter: GatewayPort
# Default: 2060
# Optional
#
# Listen on this port
GatewayPort 2060

# Parameter: HTTPDName
# Default: WiFiDog
# Optional
#
# Define what name the HTTPD server will respond
HTTPDName WiFiDog

# Parameter: HTTPDMaxConn
# Default: 10
# Optional
#
# How many sockets to listen to
HTTPDMaxConn 30

# Parameter: CheckInterval
# Default: 60
# Optional
#
# How many seconds should we wait between timeout checks.  This is also
# how often the gateway will ping the auth server and how often it will
# update the traffic counters on the auth server.  Setting this too low
# wastes bandwidth, setting this too high will cause the gateway to take
# a long time to switch to its backup auth server(s).

CheckInterval 3600

# Parameter: ClientTimeout
# Default: 5
# Optional
#
# Set this to the desired number of CheckIntervals of inactivity before a client is logged out
# The timeout will be INTERVAL * TIMEOUT
ClientTimeout 24

# Parameter: TrustedMACList
# Default: none
# Optional
#
# Comma separated list of MAC addresses who are allowed to pass
# through without authentication
#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D

# Parameter: FirewallRuleSet
# Default: none
# Mandatory
#
# Groups a number of FirewallRule statements together.

# Parameter: FirewallRule
# Default: none
#
# Define one firewall rule in a rule set.

# Rule Set: global
#
# Used for rules to be applied to all other rulesets except locked.
FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25

    ## Use the following if you don't want clients to be able to access machines on
    ## the private LAN that gives internet access to wifidog.  Note that this is not
    ## client isolation;  The laptops will still be able to talk to one another, as
    ## well as to any machine bridged to the wifi of the router.
    # FirewallRule block to 192.168.0.0/16
    # FirewallRule block to 172.16.0.0/12
    # FirewallRule block to 10.0.0.0/8

    ## This is an example ruleset for the Teliphone service.
    #FirewallRule allow udp to 69.90.89.192/27
    #FirewallRule allow udp to 69.90.85.0/27
    #FirewallRule allow tcp port 80 to 69.90.89.205
}

# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
    FirewallRule allow to 0.0.0.0/0
}

# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
    FirewallRule allow to 0.0.0.0/0
}

# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
}

# Rule Set: locked-users
#
# Not currently used
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}

Save and exit.

11) Now we need to edit the init script so that it starts both daemons at once.
nano /etc/init.d/wifidog

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
START=65
EXTRA_COMMANDS="status"
EXTRA_HELP="        status Print the status of the service"

start() {
        /etc/init.d/network restart
        /usr/bin/wifidog-init start
        sleep 5s
        /usr/bin/wifidog-init2 start
}

stop() {
        # stop both daemons.  Both wifidog-init scripts drive wdctl on wifidog's
        # default control socket, so the two daemons can only be addressed
        # separately if your wifidog build supports a per-config WdctlSocket
        # directive and wifidog-init2 calls "wdctl -s <socket>"
        /usr/bin/wifidog-init stop
        /usr/bin/wifidog-init2 stop
}

status() {
        /usr/bin/wifidog-init status
        /usr/bin/wifidog-init2 status
}

Save and exit

12) Almost there! A couple more things left to do. We need to modify one more wifidog script to allow both daemons to start at once.
cd /usr/bin
cp wifidog-init wifidog-init2
nano wifidog-init2

#!/bin/sh
#
# Could be better, but it's working as expected
#
#
#
# chkconfig: 345 65 35
#
# description: Startup/shutdown script for Wifidog captive portal
# processname: wifidog

# Date    : 2004-08-25
# Version : 1.0

IPT=/usr/sbin/iptables
WD_DIR=/usr/bin
OPTIONS="-c /etc/wifidog2.conf"

case "$1" in
  start)
    echo "Starting Wifidog ... "
#    if $WD_DIR/wdctl status 2> /dev/null
#    then
#       echo "FAILED:  Wifidog already running"
#    else
        $0 test-module
        if $WD_DIR/wifidog $OPTIONS
        then
                echo "OK"
        else
                echo "FAILED:  Wifidog exited with non 0 status"
        fi
#    fi
    ;;
  restart)
    $0 stop
    sleep 2
    $0 start
    ;;
  reload)
    $0 stop
    sleep 2
    $0 start
    ;;
  stop)
    echo "Stopping Wifidog ... "
    if $WD_DIR/wdctl status 2> /dev/null
    then
        if $WD_DIR/wdctl stop
        then
                echo "OK"
        else
                echo "FAILED:  wdctl stop exited with non 0 status"
        fi

    else
       echo "FAILED:  Wifidog was not running"
    fi
    ;;
  status)
    $WD_DIR/wdctl status
    ;;
  debug|test-module)

    ### Test ipt_mark with iptables
    test_ipt_mark () {
      IPTABLES_OK=$($IPT -A FORWARD -m mark --mark 2 -j ACCEPT 2>&1 | grep "No chain.target.match")
      if [ -z "$IPTABLES_OK" ]; then
        $IPT -D FORWARD -m mark --mark 2 -j ACCEPT 2>&1
        echo 1
      else
        echo 0
      fi
    }
    ### Test ipt_mac with iptables
    test_ipt_mac () {
      IPTABLES_OK=$($IPT -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT 2>&1 | grep "No chain.target.match")
      if [ -z "$IPTABLES_OK" ]; then
        $IPT -D INPUT -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT 2>&1
        echo 1
      else
        echo 0
      fi
    }

    ### Test ipt_REDIRECT with iptables
    test_ipt_REDIRECT () {
      IPTABLES_OK=$($IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 2060 2>&1 | grep "No chain.target.match")
      if [ -z "$IPTABLES_OK" ]; then
        $IPT -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 2060 2>&1
        echo 1
      else
        echo 0
      fi
    }

    ### Find a module on disk
    module_exists () {
    echo " Looking for a module on disk"
      EXIST=$(find /lib/modules/`uname -r` -name $1.*o 2>/dev/null)
      if [ -n "$EXIST" ]; then
        echo 1
      else
        echo 0
      fi
    }

    ### Test if a module is in memory
    module_in_memory () {
      MODULE=$(lsmod | grep $1 | awk '{print $1}')
      if [ "$MODULE" = "$1" ]; then
        echo 1
      else
        echo 0
      fi
    }

    echo "Testing for iptables modules"

    echo "  Testing ipt_mac"
    TEST_IPT_MAC=$(test_ipt_mac)
    if [ "$TEST_IPT_MAC" = "0" ]; then
      echo "   iptables is not working with ipt_mac"
      echo "   Scanning disk for ipt_mac module"
      TEST_IPT_MAC_MODULE_EXISTS=$(module_exists "ipt_mac")
      if [ "$TEST_IPT_MAC_MODULE_EXISTS" = "0" ]; then
        echo "   ipt_mac module is missing, please install it (kernel or module)"
        exit
      else
        echo "   ipt_mac module exists, trying to load"
        insmod ipt_mac > /dev/null
        TEST_IPT_MAC_MODULE_MEMORY=$(module_in_memory "ipt_mac")
        if [ "$TEST_IPT_MAC_MODULE_MEMORY" = "0" ]; then
          echo "  Error: ipt_mac not loaded"
          exit
        else
          echo "  ipt_mac loaded successfully"
        fi
      fi
    else
      echo "   ipt_mac  module is working"
    fi

    echo "  Testing ipt_mark"
    TEST_IPT_MARK=$(test_ipt_mark)
    if [ "$TEST_IPT_MARK" = "0" ]; then
      echo "   iptables is not working with ipt_mark"
      echo "   Scanning disk for ipt_mark module"
      TEST_IPT_MARK_MODULE_EXISTS=$(module_exists "ipt_mark")
      if [ "$TEST_IPT_MARK_MODULE_EXISTS" = "0" ]; then
        echo "   iptables ipt_mark module missing, please install it (kernel or module)"
        exit
      else
        echo "   ipt_mark module exists, trying to load"
        insmod ipt_mark
        TEST_IPT_MARK_MODULE_MEMORY=$(module_in_memory "ipt_mark")
        if [ "$TEST_IPT_MARK_MODULE_MEMORY" = "0" ]; then
          echo "   Error: ipt_mark not loaded"
          exit
        else
          echo "   ipt_mark loaded successfully"
        fi
      fi
    else
      echo "   ipt_mark module is working"
    fi

##TODO:  This will not test if required iptables userspace (iptables-mod-nat on Kamikaze) is installed
    echo "  Testing ipt_REDIRECT"
    TEST_IPT_REDIRECT=$(test_ipt_REDIRECT)
    if [ "$TEST_IPT_REDIRECT" = "0" ]; then
      echo "   iptables is not working with ipt_REDIRECT"
      echo "   Scanning disk for ipt_REDIRECT module"
      TEST_IPT_REDIRECT_MODULE_EXISTS=$(module_exists "ipt_REDIRECT")
      if [ "$TEST_IPT_REDIRECT_MODULE_EXISTS" = "0" ]; then
        echo "   ipt_REDIRECT module is missing, please install it (kernel or module)"
        exit
      else
        echo "   ipt_REDIRECT module exists, trying to load"
        insmod ipt_REDIRECT > /dev/null
        TEST_IPT_REDIRECT_MODULE_MEMORY=$(module_in_memory "ipt_REDIRECT")
        if [ "$TEST_IPT_REDIRECT_MODULE_MEMORY" = "0" ]; then
          echo "  Error: ipt_REDIRECT not loaded"
          exit
        else
          echo "  ipt_REDIRECT loaded successfully"
        fi
      fi
    else
      echo "   ipt_REDIRECT  module is working"
    fi

    ;;

  *)
   echo "Usage: $0 {start|stop|restart|reload|status|test-module}"
   exit 1
   ;;
esac

Save and exit.

13) Verify that Wifidog is starting as expected:
/etc/init.d/wifidog start

You should see a number of new iptables rules, a different set for each daemon. Test this out using the following:
iptables -L | grep "WiFiDog"

Now connect to each SSID and verify that they are forwarding to your authentication server. All good? Then carry on; if not, go back and read through the above steps.


14) Enable remote access to the router:

nano /etc/firewall.user

iptables -I INPUT -s 1.1.1.0/24 -j ACCEPT

Replace 1.1.1.0/24 with the subnet that you would like to be able to access the device.

15) Enable wifidog to start on boot:
/etc/init.d/wifidog enable

16) Reboot your device. Verify that you have 2 SSIDs, a wifidog daemon bound to each one, and that you are able to access the internet after properly authenticating!

Any questions, please let me know. Also there is a good chance that I made a typo or 50 during this write-up, so please let me know if something doesn't work as expected.
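Steps 8 to 10 have you hand-edit a second copy of a 200-line wifidog.conf in which only two directives change, and nothing then checks that the two files still differ where they must. The script below is an added example, not part of the original post or of the wifidog project: it derives wifidog2.conf from wifidog.conf with sed and then verifies that the two daemons are bound to different gateway interfaces, carry different node IDs and do not share a control socket. It assumes that the installed wifidog honours a `WdctlSocket <path>` directive and that its `wdctl` accepts `-s <path>` (confirm with `wdctl -h` on your unit), that wifidog's compiled-in default socket is /tmp/wdctl.sock, and it uses /tmp/wdctl2.sock and a constructed minimal wifidog.conf for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or the wifidog project).
# Derive the second wifidog config from the first, then verify that the two
# daemons cannot collide on the settings that must differ.
#
# Assumption: the installed wifidog honours "WdctlSocket <path>" and its wdctl
# accepts "-s <path>"; confirm with "wdctl -h" before relying on it.
WDCTL_DEFAULT_SOCK=/tmp/wdctl.sock   # wifidog's compiled-in default (assumption; adjust if your build differs)

# derive_wifidog_conf SRC DST GATEWAY_ID GATEWAY_IFACE WDCTL_SOCK
# Copies SRC to DST, rewriting GatewayID and GatewayInterface and giving the
# copy its own control socket.  Values must not contain "|" or "&" (sed syntax).
derive_wifidog_conf() {
    src=$1 dst=$2 gwid=$3 iface=$4 sock=$5
    sed -e "s|^GatewayID .*|GatewayID $gwid|" \
        -e "s|^GatewayInterface .*|GatewayInterface $iface|" \
        -e '/^WdctlSocket /d' "$src" > "$dst" || return 1
    printf '\n# control socket for this daemon; without it both daemons fight over %s\nWdctlSocket %s\n' \
        "$WDCTL_DEFAULT_SOCK" "$sock" >> "$dst"
}

# conf_value FILE DIRECTIVE: print the value of the first uncommented DIRECTIVE line
conf_value() {
    sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# verify_pair CONF_A CONF_B: fail unless gateway interface, node ID and control
# socket all differ (a missing WdctlSocket means the compiled-in default path)
verify_pair() {
    a=$1 b=$2 rc=0
    for key in GatewayInterface GatewayID WdctlSocket; do
        va=$(conf_value "$a" "$key")
        vb=$(conf_value "$b" "$key")
        if [ "$key" = WdctlSocket ]; then
            va=${va:-$WDCTL_DEFAULT_SOCK}
            vb=${vb:-$WDCTL_DEFAULT_SOCK}
        fi
        if [ -z "$va" ] || [ -z "$vb" ]; then
            echo "ERROR: $key is missing from $a or $b"
            rc=1
        elif [ "$va" = "$vb" ]; then
            echo "ERROR: both configs use '$key $va'"
            rc=1
        fi
    done
    return $rc
}

# sample_wifidog_conf: constructed stand-in for /etc/wifidog.conf (demo only)
sample_wifidog_conf() {
    cat <<'EOF'
# WiFiDog Configuration file (constructed sample)
GatewayID van-wap-1c
ExternalInterface eth0.1
GatewayInterface br-lan
# GatewayAddress 192.168.1.1
GatewayPort 2060
EOF
}

# demo: derive a second config from the sample and check the pair
demo() {
    d=$(mktemp -d) || return 1
    sample_wifidog_conf > "$d/wifidog.conf"
    derive_wifidog_conf "$d/wifidog.conf" "$d/wifidog2.conf" van-wap-1 br-lan2 /tmp/wdctl2.sock
    cat "$d/wifidog2.conf"
    verify_pair "$d/wifidog.conf" "$d/wifidog2.conf" && echo "OK: the two daemons are distinguishable"
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in demo) demo ;; esac
```

`sh derive-wifidog2.sh demo` runs it on the constructed sample. On the router, source the file and call `derive_wifidog_conf /etc/wifidog.conf /etc/wifidog2.conf van-wap-1 br-lan2 /tmp/wdctl2.sock`, then change the `wdctl` calls in wifidog-init2 to `wdctl -s /tmp/wdctl2.sock` so that its stop and status commands actually reach the second daemon rather than whichever one owns the default socket. Re-run `verify_pair` after any later edit to either file.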

Is it possible to do this with 2.6 kernel also?

andy778 wrote:

Is it possible to do this with 2.6 kernel also?

I haven't tried it personally, so not sure. As long as the iptables kernel modules are available for 2.6 it should work though.

andy778 wrote:

Is it possible to do this with 2.6 kernel also?

I just tried it and it gives me

command failed: No such device (-19)
Configuration file: /var/run/hostapd-phy0.conf
Using interface wlan0 with hwaddr 00:1b:fc:91:8c:fa and ssid 'supi_hnizdo_2'
random: Cannot read from /dev/random: Resource temporarily unavailable
random: Only 0/20 bytes of strong random data available from /dev/random
random: Not enough entropy pool available for secure operations
WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects
Could not set interface wlan0-1 flags: Operation not supported
Failed to add BSS (BSSID=02:1b:fc:91:8c:fb)
Interface initialization failed
wlan0: Unable to setup interface.
rmdir[ctrl_interface]: No such file or directory
Failed to remove BSS interface wlan0-1
Failed to start hostapd for phy0

So either I am doing something wrong (I followed http://wiki.openwrt.org/doc/recipes/guest-wlan ) or it does not work with 2.6:-(

b43 does not support multiple SSIDs.

jow wrote:

b43 does not support multiple SSIDs.

Thanks for the quick reply. It is sad, but what can I do (besides installing the 2.4 kernel again) :-). Have you any idea if it ever will be supported (I noticed the kernel version is 2.32, which is several years old; I have no idea how old the b43 in Kamikaze is)?

It works if you build trunk brcm47xx with wl instead of b43.

jow wrote:

It works if you build trunk brcm47xx with wl instead of b43.

Any pointers how to do that?

Alright, I found http://wiki.openwrt.org/doc/howto/build which looks straightforward, and this should provide me with the config so that I can only change wl instead of b43 http://wiki.openwrt.org/doc/howto/build, so I should be set to go.

I last messed with OpenWrt 3-4 years ago and it has really matured since then, at least when I look at the docs available!

However, I cannot find out how to build just the image without the packages.

So I checked out the current trunk (originally I wanted to compile 10.3.1, but that does not have support for compiling with wl yet) and when I do make, it says:

make[5]: Entering directory `/home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4'
  CHK     include/linux/version.h
make[5]: Leaving directory `/home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4'
. /home/drew/Sources/openwrt/trunk/include/shell.sh; grep '=[ym]' /home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4/.config | LC_ALL=C sort | md5s > /home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4/.vermagic
touch /home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4/.configured
rm -f /home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4/vmlinux /home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4/System.map
make -C /home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4 CROSS_COMPILE="mipsel-openwrt-linux-uclibc-" ARCH="mips" KBUILD_HAVE_NLS=no CONFIG_SHELL="/bin/bash" V='' CC="mipsel-openwrt-linux-uclibc-gcc" modules
make[5]: Entering directory `/home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4'
  CHK     include/linux/version.h
  CHK     include/generated/utsrelease.h
  CALL    scripts/checksyscalls.sh
  CC [M]  drivers/mmc/core/cd-gpio.o
drivers/mmc/core/cd-gpio.c: In function 'mmc_cd_gpio_request':
drivers/mmc/core/cd-gpio.c:43:2: error: implicit declaration of function 'gpio_request_one' [-Werror=implicit-function-declaration]
cc1: some warnings being treated as errors

make[8]: *** [drivers/mmc/core/cd-gpio.o] Error 1
make[7]: *** [drivers/mmc/core] Error 2
make[6]: *** [drivers/mmc] Error 2
make[5]: *** [drivers] Error 2
make[5]: Leaving directory `/home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4'
make[4]: *** [/home/drew/Sources/openwrt/trunk/build_dir/linux-brcm47xx/linux-3.3.4/.modules] Error 2
make[4]: Leaving directory `/home/drew/Sources/openwrt/trunk/target/linux/brcm47xx'
make[3]: *** [compile] Error 2
make[3]: Leaving directory `/home/drew/Sources/openwrt/trunk/target/linux'
make[2]: *** [target/linux/compile] Error 2
make[2]: Leaving directory `/home/drew/Sources/openwrt/trunk'
make[1]: *** [/home/drew/Sources/openwrt/trunk/staging_dir/target-mipsel_uClibc-0.9.33/stamp/.target_compile] Error 2
make[1]: Leaving directory `/home/drew/Sources/openwrt/trunk'
make: *** [world] Error 2

(Last edited by sup on 6 May 2012, 09:20)

Never seen that. Maybe you enabled some odd mmc over gpio driver which is fubar with recent kernels.

jow wrote:

Never seen that. Maybe you enabled some odd mmc over gpio driver which is fubar with recent kernels.

That is strange, I am using the default config for BCM and have not changed anything. Anyway, I found kmod-mmc-over-gpio in Other modules in Kernel modules which is selected by GPIO_SUPPORT, which I do not know how to unset. Is it possible to unset it somehow?

Anyway, may I ask if there will be compiled images for this target BCM947xx/953xx and target wl,proprietary once there are further releases of OpenWRT? If yes, I would probably wait for them; compiling my own firmware still scares me a bit.

jow wrote:

b43 does not support multiple SSIDs.

BTW, upstream http://lists.infradead.org/pipermail/b4 … 02489.html says multiple SSIDs are a mac80211 issue and links here http://forums.freebsd.org/showthread.php?t=24268 where someone (using Linux even though it is on freebsd.org) had the same issue and it turned out to be a bad configuration and not a driver issue - arguably it was a different driver, but upstream says it should not be driver specific, so it leaves me utterly confused.

That list post is wrong. The b43 driver lacks various functions to support VAP configuration.

jow wrote:

That list post is wrong. The b43 driver lacks various functions to support VAP configuration.

Hm, bad for them :-). Anyway, I managed to build a wl image with the image builder and

make image PROFILE=Broadcom-wl

It was surprisingly easier than I would have thought. I will try it tomorrow and hopefully it will work.

sup wrote:
jow wrote:

That list post is wrong. The b43 driver lacks various functions to support VAP configuration.

Hm, bad for them :-). Anyway, I managed to build a wl image with the image builder and

make image PROFILE=Broadcom-wl

It was surprisingly easier than I would have thought. I will try it tomorrow and hopefully it will work.

Well, it does not work. With /etc/config/wireless,

config wifi-device  wl0
    option type broadcom
    option channel  11

config 'wifi-iface'
    option 'encryption' 'psk2'
    option 'device' 'wl0'
    option 'key' 'superkata'
    option 'mode' 'ap'
    option 'network' 'lan'
    option 'ssid' 'supi_hnizdo_2'
    
config 'wifi-iface'
    option 'device' 'wl0'
    option 'mode' 'ap'
    option 'network' 'guest'
    option 'ssid' 'guest'
    option 'encryption' 'none'

It says

wl0: Invalid argument
wl0: Invalid argument
wl0: Invalid argument
Command 'set ssid' failed: -1

If I comment out any of the two interface definitions, it only says

wl0: Invalid argument
wl0: Invalid argument

In either case, one wireless network gets created and it works. This is on revision r31572

sup wrote:

In either case, one wireless network gets created and it works. This is on revision r31572

Hm, I just tried it again and it works. Huraah!

The discussion might have continued from here.