Topic: TP-Link WR1043ND Setup Questions

I live in an area where DSL/cable service isn't available. The only option here is wireless high-speed through Xplornet, which generally gives us about 0.1 Mbps. We've found someone down river from us who is willing to beam internet from their house to ours if we cover the cost of the connection and share it with them. We've ordered 3 DSL connections and plan to bond them using MLPPP at their house, then set the bridge as a DMZ so that we are outside of their firewall and thus don't have access to their network. We would then have a link with Ubiquiti NanoBridge M2s followed by a firewall/router at our house.

Do you think the best way to separate the networks would be through a DMZ, or would there be a better way? This all needs to be done on one router (TP-Link WR1043ND running OpenWrt BackFire 10.03.1-RC6).

Below is the proposed setup:

http://img194.imageshack.us/img194/2515/setupmb.jpg


2 (edited by eleon216 2012-05-08 11:24:42)

Re: TP-Link WR1043ND Setup Questions

Yes, the DMZ recipe is fine; you have to change just one thing. Don't allow traffic from lan to dmz (remove that lan-to-dmz forwarding section in /etc/config/firewall).
make sure you run the nanobridges in bridge mode.
I never used MLPPP so I can't help you with the configuration, but I guess there will be some documentation. And if the PPP interface you get is part of the network "wan", all firewall rules will work as they should.
And you will have enough switch ports even if every modem needs its own interface (VLAN): 3x modem, 1x LAN house1 and 1x bridge to house2.

Re: TP-Link WR1043ND Setup Questions

Thanks for the advice.  MLPPP was already setup by the host, so I'm good there.  Will try setting up the DMZ this evening.

Re: TP-Link WR1043ND Setup Questions

Would someone mind looking this over and confirming that the changes I plan on making look ok. The MLPPP router from Acanac came preloaded with the following config:

# Factory /etc/config/network from the provider's MLPPP build, as posted.
# Port layout, read from the switch_vlan sections below:
#   switch ports 0,1,2 -> VLAN 2,3,4 -> eth0.2/3/4 -> one DSL modem each (mdm0..2)
#   switch ports 3,4   -> VLAN 1     -> eth0.1     -> lan
#   port 5t is the tagged CPU port and is a member of every VLAN.
config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

# House1 LAN: bridge on eth0.1 (VLAN 1), 192.168.1.1/24.
# NOTE(review): if switch port 3 is later given to a DMZ VLAN it must also be
# removed from the '3 4 5t' port list of VLAN 1 below, otherwise the port is a
# member of two VLANs at once.
config 'interface' 'lan'
    option 'ifname' 'eth0.1'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'

# The bonded uplink.  'mlppp' and the ml_* / ppp_redial options are presumably
# provided by the provider's firmware rather than stock OpenWrt.  The account
# credentials are masked here; keep them masked whenever this file is shared.
# MTU 1442 is below the 1500 of the member lines (PPP/bundle overhead).
config 'interface' 'wan'
    option 'proto' 'mlppp'
    option 'mtu' '1442'
    option 'username' 'XXXXXXX@realm2.acanac.net'
    option 'password' 'XXXXXXX'
    option 'ml_tx_mode' 'round-robin-speed'
    option 'defaultroute' '1'
    option 'ppp_redial' 'persist'
    option 'keepalive' '5'

# Switch: VLAN tagging enabled, one VLAN per physical uplink.
config 'switch'
    option 'name' 'rtl8366rb'
    option 'reset' '1'
    option 'enable_vlan' '1'

# VLAN 1 = lan: ports 3 and 4 plus the CPU port.
config 'switch_vlan'
    option 'device' 'rtl8366rb'
    option 'vlan' '1'
    option 'ports' '3 4 5t'

# VLAN 2 = first DSL modem on port 0 (the jack labelled WAN).
config 'switch_vlan'
    option 'device' 'rtl8366rb'
    option 'vlan' '2'
    option 'ports' '0 5t'

# VLAN 3 = second DSL modem on port 1.
config 'switch_vlan'
    option 'device' 'rtl8366rb'
    option 'vlan' '3'
    option 'ports' '1 5t'

# VLAN 4 = third DSL modem on port 2.
config 'switch_vlan'
    option 'device' 'rtl8366rb'
    option 'vlan' '4'
    option 'ports' '2 5t'

# Per-modem interfaces: each DSL modem sits on its own VLAN and the router
# takes the .2 address of that modem's /24.  'mlppp_interface' ties the line
# to the 'wan' bundle above.
# NOTE(review): none of mdm0..2 is listed in a firewall zone in the firewall
# config posted later in this thread; an interface in no zone falls through to
# the 'defaults' chain policies (input ACCEPT), so the router's own services
# are reachable from these modem-facing subnets.  Presumably harmless while
# only the modems are attached there - confirm.
config 'interface' 'mdm0'
    option 'ifname' 'eth0.2'
    option 'mlppp_interface' 'wan'
    option 'line_type' 'DSL'
    option 'mtu' '1500'
    option 'proto' 'static'
    option 'ipaddr' '172.22.100.2'
    option 'netmask' '255.255.255.0'

config 'interface' 'mdm1'
    option 'ifname' 'eth0.3'
    option 'mlppp_interface' 'wan'
    option 'line_type' 'DSL'
    option 'mtu' '1500'
    option 'proto' 'static'
    option 'ipaddr' '172.22.101.2'
    option 'netmask' '255.255.255.0'

config 'interface' 'mdm2'
    option 'ifname' 'eth0.4'
    option 'mlppp_interface' 'wan'
    option 'line_type' 'DSL'
    option 'mtu' '1500'
    option 'proto' 'static'
    option 'ipaddr' '172.22.102.2'
    option 'netmask' '255.255.255.0'

Since the DSL modems take up the WAN port and the first 2 LAN ports, I want the DMZ to be on LAN port 3 (switch port 3). I added the extra VLAN and also the config for the DMZ in the network config. The config I added is below:

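# Extra VLAN for the DMZ: switch port 3 (the third LAN jack) plus the tagged
# CPU port 5.  Port 3 must be removed from the '3 4 5t' list of VLAN 1 at the
# same time so it is not a member of both VLANs.
config 'switch_vlan'
    option 'device' 'rtl8366rb'
    option 'vlan' '5'
    option 'ports' '3 5t'

# DMZ interface on eth0.5 (VLAN 5 above): the link towards house2 through the
# Nanobridges.  192.168.2.0/24 is deliberately a different network from the
# lan (192.168.1.0/24).
# Comments are kept on their own lines: UCI recognises '#' as a comment at the
# start of a line, and a comment appended after an option value risks being
# read as extra arguments by a strict parser.
config 'interface' 'dmz'
    option 'ifname' 'eth0.5'
    option 'proto' 'static'
    option 'ipaddr' '192.168.2.1'
    option 'netmask' '255.255.255.0'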

I don't think I need DHCP setup as the Nanobridge will have a static IP and the router at the remote house will handle DHCP.  Is this right, or should I add the following in the DHCP Config:

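# Optional DHCP pool for the DMZ.  The section carries its own name, 'dmz':
# the stock /etc/config/dhcp already contains a section named 'lan', and a
# second 'lan' section pointing at 'interface dmz' would at best be confusing
# and may collide with the existing one.  Pool: 192.168.2.100-.249 (start 100,
# limit 150), 12h leases.  Not needed at all when the house2 router does its
# own DHCP and the Nanobridges are statically addressed, as decided later in
# the thread.
config 'dhcp' 'dmz'
    option 'interface'   'dmz'
    option 'start'       '100'
    option 'limit'       '150'
    option 'leasetime'   '12h'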

For the firewall, the default config on the router is the following:

# Stock BackFire /etc/config/firewall as posted.  Chain policies: INPUT and
# OUTPUT accept, FORWARD rejects, so nothing is routed between zones unless a
# 'forwarding' section (or a rule with a dest) allows it.
# NOTE(review): interfaces that belong to no zone (here the modem interfaces
# mdm0..2 from the network config) fall through to these policies, i.e. the
# router accepts connections from them.  Presumably fine for modem-only
# links - confirm.
config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT 
    option forward        REJECT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1

# House1 LAN zone: the router accepts anything from lan; forwarding out of lan
# is only what the 'forwarding' section below permits (lan -> wan).
config zone
    option name        lan
    option network        'lan'
    option input        ACCEPT 
    option output        ACCEPT 
    option forward        REJECT

# Internet zone on the MLPPP bundle.  input REJECT: the router answers nothing
# from the Internet except what the wan rules below accept.  masq = NAT for
# traffic leaving via wan; mtu_fix = TCP MSS clamping, relevant with the 1442
# MTU of the bundle.
config zone
    option name        wan
    option network        'wan'
    option input        REJECT
    option output        ACCEPT 
    option forward        REJECT
    option masq        1 
    option mtu_fix        1 

# The only permitted inter-zone flow in the stock file: lan -> wan (NATed).
config forwarding 
    option src          lan
    option dest         wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family        ipv4

# Allow IPv4 ping
config rule
    option src        wan
    option proto        icmp
    option icmp_type    echo-request
    option family        ipv4
    option target        ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option src        wan
    option proto    icmp
    list icmp_type        echo-request
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    list icmp_type        router-solicitation
    list icmp_type        neighbour-solicitation
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# ('dest *' makes this a forward rule towards any zone, not an input rule)
config rule                                   
    option src        wan
    option dest        *
    option proto        icmp
    list icmp_type        echo-request
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

Would adding the following be sufficient for my use:

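# DMZ zone for the house2 link.  'network' binds the zone to the 'dmz'
# interface explicitly; the firewall falls back to the zone name when the
# option is omitted (the thread's later tests confirm the zone attaches
# without it), but stating it avoids relying on that default.
# input REJECT: the router itself only answers what the rules below allow.
# forward REJECT together with the absence of any lan<->dmz 'forwarding'
# section keeps house2 and the house1 LAN apart in both directions.
# (Comment kept on its own line rather than after the option value, which a
# strict UCI parser may read as extra arguments.)
config 'zone'
       option 'name' 'dmz'
       option 'network' 'dmz'
       option 'input' 'REJECT'
       option 'output' 'ACCEPT'
       option 'forward' 'REJECT'

# Allow the DMZ to use the router as a DNS server
config 'rule'
       option 'src' 'dmz'
       option 'proto' 'tcpudp'
       option 'dest_port' '53'
       option 'target' 'ACCEPT'

# Allow the DMZ to use the router as a DHCP server
# (only needed together with a 'config dhcp' pool for the dmz interface)
config 'rule'
       option 'src' 'dmz'
       option 'proto' 'udp'
       option 'dest_port' '67'
       option 'target' 'ACCEPT'

# Allow the DMZ to access the Internet (NATed via the wan zone).
# No dmz -> lan or lan -> dmz forwarding is defined on purpose.
config 'forwarding'
       option 'src' 'dmz'
       option 'dest' 'wan'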

Thanks in advance for your help.

Re: TP-Link WR1043ND Setup Questions

Your config looks fine; just make sure you removed port 3 from vlan1.

And you don't need DHCP. If the Nanobridges are in bridge mode they don't need an IP address at all, but it's fine for them to have one if you want to change their config.

For your client router (house2): in your picture it seems like you want to run a firewall on it, so just connect the Nanobridge to its WAN port. Set a 192.168.2.x IP there, and the DNS server and gateway to 192.168.2.1.
For its LAN you need to choose another subnet.

6 (edited by Knight Rider 2012-05-11 01:12:15)

Re: TP-Link WR1043ND Setup Questions

Thanks for the info.  I removed port 3 from vlan1.

Will remove the DHCP config.

Yes, we will have another router at house2, so I'll run the firewall on there as well.  Would this be an OK DMZ firewall config on the house1 router:

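# DMZ zone for the house2 link on the house1 router.  'network' binds the
# zone to the 'dmz' interface explicitly (the firewall defaults to the zone
# name when it is omitted, but the explicit form is clearer).
# input REJECT: the router only answers what the rules below allow (DNS).
# forward REJECT with no lan<->dmz 'forwarding' section means neither house
# can reach the other's LAN through this router.
# (Comment kept on its own line rather than after the option value, which a
# strict UCI parser may read as extra arguments.)
config 'zone'
       option 'name' 'dmz'
       option 'network' 'dmz'
       option 'input' 'REJECT'
       option 'output' 'ACCEPT'
       option 'forward' 'REJECT'

# Allow the DMZ to use the router as a DNS server
config 'rule'
       option 'src' 'dmz'
       option 'proto' 'tcpudp'
       option 'dest_port' '53'
       option 'target' 'ACCEPT'

# Allow the DMZ to access the Internet (NATed via the wan zone).
# Management of this router from house2 is not allowed by this set; it needs
# extra 'rule' sections with 'src dmz' for the ports concerned.
config 'forwarding'
       option 'src' 'dmz'
       option 'dest' 'wan'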

This way the DMZ has internet access, and there is no access from the LAN to the DMZ or vice-versa.

Is there any way I could access the router in house1 from house2 if I needed to make config changes later on?

Thanks again!

7 (edited by eleon216 2012-05-11 09:03:31)

Re: TP-Link WR1043ND Setup Questions

I'm not sure what the DMZ in house2 is for; you don't need it for your initial goal of separating the two networks. House2 is only connected to the DMZ (vlan5) in house1, so you don't need any special firewall configuration on router2 — that's already done by the config on router1. Just make sure that you are using another IP range for the LAN subnet.
And for accessing router1 from house2, just add these firewall rules to router1:

# Management access from house2 (the dmz zone) to router1's own services.
# NOTE(review): as written these accept from every host in the dmz subnet,
# i.e. anything that ends up behind the Nanobridges, not just the house2
# router.  To narrow that, add a source restriction to each rule, e.g.
#   option 'src_ip' '<house2 router WAN address>'
# Port 80 carries the web UI login in clear text across the wireless link;
# using only 443 (and 22) is the safer choice.
# ssh (presumably dropbear)
config 'rule'
       option 'src' 'dmz'
       option 'proto' 'tcp'
       option 'dest_port' '22'
       option 'target' 'ACCEPT'

# http (presumably the LuCI web UI)
config 'rule'
       option 'src' 'dmz'
       option 'proto' 'tcp'
       option 'dest_port' '80'
       option 'target' 'ACCEPT'

# https (presumably the LuCI web UI)
config 'rule'
       option 'src' 'dmz'
       option 'proto' 'tcp'
       option 'dest_port' '443'
       option 'target' 'ACCEPT'

for SSH, HTTP and HTTPS respectively

8 (edited by Knight Rider 2012-05-12 04:28:37)

Re: TP-Link WR1043ND Setup Questions

Hi Eleon216,

That worked great, thanks. In my test setup I'm now able to access the house1 router from house2, but nothing else at house1, as I wanted. From house1 I'm not able to access house2.

Below is what I chose for subnets.  Everything seems to be working, but could you confirm this looks ok.  Will be installing the link Sunday.

http://img821.imageshack.us/img821/9349/setupips.jpg

Re: TP-Link WR1043ND Setup Questions

Looks fine; only the WAN port of the router in house2 and the Nanobridge there cannot have the same IP address! They need to be in the same subnet, but with different IP addresses.

Re: TP-Link WR1043ND Setup Questions

Thanks for the help.  I changed the router2 IP to 192.168.2.4.  One final issue, I can't seem to access router1 from router2 anymore.  My current firewall on router1 is:

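# Current /etc/config/firewall on router1 (house1).  Chain policies: INPUT and
# OUTPUT accept, FORWARD rejects; inter-zone traffic needs a 'forwarding'
# section or a rule.  Interfaces in no zone (the modem interfaces mdm0..2)
# fall through to these policies.
config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

# House1 LAN zone.
config 'zone'
    option 'name' 'lan'
    option 'network' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

# Internet zone on the MLPPP bundle: NAT (masq) and MSS clamping (mtu_fix).
config 'zone'
    option 'name' 'wan'
    option 'network' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'

# lan -> Internet.
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

# Accept DHCP replies on the wan side (see https://dev.openwrt.org/ticket/4108).
config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'
    option 'family' 'ipv4'

# Allow IPv4 ping from the Internet.
config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'family' 'ipv4'
    option 'target' 'ACCEPT'

# Essential incoming IPv6 ICMP.
config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    list 'icmp_type' 'echo-request'
    list 'icmp_type' 'destination-unreachable'
    list 'icmp_type' 'packet-too-big'
    list 'icmp_type' 'time-exceeded'
    list 'icmp_type' 'bad-header'
    list 'icmp_type' 'unknown-header-type'
    list 'icmp_type' 'router-solicitation'
    list 'icmp_type' 'neighbour-solicitation'
    option 'limit' '1000/sec'
    option 'family' 'ipv6'
    option 'target' 'ACCEPT'

# Essential IPv6 ICMP (this copy has no 'dest', so unlike the stock file it
# is an input rule, not a forward rule; harmless, just redundant with the
# one above).
config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    list 'icmp_type' 'echo-request'
    list 'icmp_type' 'destination-unreachable'
    list 'icmp_type' 'packet-too-big'
    list 'icmp_type' 'time-exceeded'
    list 'icmp_type' 'bad-header'
    list 'icmp_type' 'unknown-header-type'
    option 'limit' '1000/sec'
    option 'family' 'ipv6'
    option 'target' 'ACCEPT'

# Custom iptables rules, if any.
config 'include'
    option 'path' '/etc/firewall.user'

# lan -> lan forwarding only matters when the lan zone spans more than one
# interface; with a single bridge it appears to be a no-op and can go.
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'lan'

# DMZ zone for the house2 link.  'network' binds the zone to the 'dmz'
# interface explicitly; the firewall defaulted to the zone name before, which
# is why the earlier version without it worked.
# input REJECT: only the rules below reach the router itself.  forward REJECT
# with no lan<->dmz forwarding keeps the two houses' LANs apart.
# (Comment moved onto its own line: text appended after an option value is
# not guaranteed to be treated as a comment by a strict UCI parser.)
config 'zone'
    option 'name' 'dmz'
    option 'network' 'dmz'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

# Allow the DMZ to use the router as a DNS server
config 'rule'
    option 'src' 'dmz'
    option 'proto' 'tcpudp'
    option 'dest_port' '53'
    option 'target' 'ACCEPT'

# Allow the DMZ to access the Internet
config 'forwarding'
    option 'src' 'dmz'
    option 'dest' 'wan'

# Management of router1 from the DMZ (ssh, http, https).  These rules are
# the same ones that worked in the earlier test, so a loss of reachability
# after renumbering router2 is more likely on the router2 side (its WAN
# address/mask/gateway) than here; 'iptables -L -vn' on router1 shows
# whether the dmz accept counters still increment.
# NOTE(review): they accept from the whole 192.168.2.0/24; an
#   option 'src_ip' '192.168.2.4'
# (the house2 router's WAN address) on each rule limits them to that host.
# Port 80 sends the web UI login in clear text over the wireless link;
# 443 and 22 alone are the safer set.
config 'rule'
    option 'src' 'dmz'
    option 'proto' 'tcp'
    option 'dest_port' '22'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'dmz'
    option 'proto' 'tcp'
    option 'dest_port' '80'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'dmz'
    option 'proto' 'tcp'
    option 'dest_port' '443'
    option 'target' 'ACCEPT'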

Any idea what could be causing this?

Thanks again!

11 (edited by Knight Rider 2012-05-17 05:13:11)

Re: TP-Link WR1043ND Setup Questions

Set up the wireless link today. Unfortunately the internet didn't work at house2 even though I could connect to the Nanobridge at both ends of the link. Must be something in the firewall causing the issue...