With a lot of help from Dorris and LSD! Many thanks! Here's a simple way to get the AP to function as a firewall. The WAN port is connected to the local trusted network. Wireless and LAN remain in br0, so another AP can be in client mode as a bridge. With some tweaking you should get this to work for the AP in pure client mode, i.e. client mode bridged to the local LAN. This is my actual script for a bare AP:
GENERAL SETUP STUFF:

nvram set boot_wait=on
  Allows you to recover from a bad flash.

nvram set clkfreq=216
  Fixed large file transfer problems.

nvram unset watchdog
  Unsets the watchdog timer, which keeps resetting the router for no good reason.

nvram unset txpwr
  Setting this is a really, really bad idea!

nvram set antdiv=0
  Viewed from the front: 0 sets the primary antenna to the left, 1 sets it to the right.

nvram set regulation_domain=0x00
  Opens all 14 channels.
SETUP THE WIRELESS CARD TO AP MODE:

nvram set wl0_mode=ap
nvram set wl0_infra=1
nvram set wl0_closed=0
nvram set wl0_country_code=All
nvram set wl0_gmode=1
nvram set wl0_ssid=jawug_int_patch_east
nvram set wl0_channel=11
nvram set wl0_lazywds=0
nvram unset wl0_gmode_protection
nvram unset wl0_afterburner
nvram unset wl0_frameburst
SETUP THE LAN SIDE:

nvram set lan_proto=static
nvram set lan_ipaddr=172.16.255.197
nvram set lan_netmask=255.255.255.240
nvram set lan_gateway=172.16.255.197
  DON'T use DHCP here. The LAN needs to be on a separate network to the WAN.

WAN PORT SETTINGS:

nvram set wan_proto=static
nvram set wan_ipaddr=172.16.24.32
nvram set wan_netmask=255.255.255.126
nvram set wan_gateway=172.16.24.128
nvram set wan_dns=172.16.24.126
  You can use DHCP here. The WAN IP needs to be on a separate network to the LAN.
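Since the whole firewall idea depends on the LAN and WAN being two distinct networks, it is worth checking the addressing before it goes into nvram. The script below is an added example, not part of the original post or of OpenWrt: plain POSIX sh with no nvram access, it checks that each netmask is a contiguous run of 1 bits, that each gateway lies inside its own subnet, and that the two networks do not overlap. The demo at the bottom runs it on the addresses quoted above; note that 255.255.255.126, as written, fails the contiguity check, so the WAN side is flagged.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenWrt: sanity-check the
# static LAN and WAN addressing before it is committed to nvram. Pure POSIX sh,
# no nvram access; addresses are passed in as arguments.

# ip2int <dotted quad>: print the address as a 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_is_contiguous <mask>: true if the mask is a run of 1 bits followed by
# 0 bits. Inverting such a mask gives 2^n - 1, so inv & (inv + 1) is 0.
mask_is_contiguous() {
    m=$(ip2int "$1")
    inv=$(( ~m & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# net_of <ip> <mask>: network address as an integer.
net_of() {
    echo $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# in_subnet <host> <ip> <mask>: true if <host> lies in the network of <ip>/<mask>.
in_subnet() {
    [ "$(net_of "$1" "$3")" -eq "$(net_of "$2" "$3")" ]
}

# subnets_overlap <ip1> <mask1> <ip2> <mask2>: true if either network address
# falls inside the other network.
subnets_overlap() {
    in_subnet "$1" "$3" "$4" || in_subnet "$3" "$1" "$2"
}

# check_side <label> <ip> <mask> <gateway>: report problems on one interface.
check_side() {
    if ! mask_is_contiguous "$3"; then
        echo "$1: netmask $3 is not a contiguous netmask"
        return 1
    fi
    if ! in_subnet "$4" "$2" "$3"; then
        echo "$1: gateway $4 is not inside $2/$3"
        return 1
    fi
    return 0
}

# check_addressing <lan_ip> <lan_mask> <lan_gw> <wan_ip> <wan_mask> <wan_gw>:
# returns 0 only if both sides are sane and the two networks do not overlap.
check_addressing() {
    rc=0
    check_side LAN "$1" "$2" "$3" || rc=1
    check_side WAN "$4" "$5" "$6" || rc=1
    # Overlap is only meaningful once both masks are known to be valid.
    if [ $rc -eq 0 ] && subnets_overlap "$1" "$2" "$4" "$5"; then
        echo "LAN and WAN share a network; the firewall cannot separate them"
        rc=1
    fi
    return $rc
}

# Demo with the addresses quoted in the post (LAN 172.16.255.197/28 and the
# WAN settings exactly as written).
if check_addressing 172.16.255.197 255.255.255.240 172.16.255.197 \
                    172.16.24.32 255.255.255.126 172.16.24.128; then
    echo "addressing looks sane; safe to nvram commit"
else
    echo "fix the addressing before nvram commit"
fi
```

Run it with the six values you intend to put into lan_ipaddr/lan_netmask/lan_gateway and wan_ipaddr/wan_netmask/wan_gateway; a non-zero exit means at least one line of output explaining what to fix.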
COMMIT SETTINGS TO NVRAM:

nvram commit
  Commit, but don't reboot yet!
SWOP OVER THE FIREWALL:

Edit /etc/init.d/S45firewall and reverse lan_ifname and wan_ifname so that it reads:

WAN=$(nvram get lan_ifname)
LAN=$(nvram get wan_ifname)
PORT FORWARDING FROM MESH TO LAN ADDRESS:

Edit /etc/firewall.user, swop over the interface names like above, and add port forwards into your private network, e.g.:

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 172.16.24.1
iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 172.16.24.1 -j ACCEPT

REMEMBER: $WAN IS NOW YOUR LAN, AND THAT'S WHERE THE WIRELESS TRAFFIC WILL BE COMING FROM.
REBOOT.
You will only get SSH on your WAN port, so switch ports if you need to get in! Or open SSH up in /etc/firewall.user!
To be done: try not swopping the if_names around, and simply do a find-and-replace of $WAN -> $DUMMY, then $LAN -> $WAN, then $DUMMY -> $LAN in S45firewall and /etc/firewall.user. - Ivan
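The three-step find-and-replace sketched above, which does the same job as the hand edit of S45firewall and /etc/firewall.user described earlier, can be scripted so that it is repeatable and cannot half-apply. The script below is an added example, not code from the original post or from OpenWrt: a sed filter that exchanges every `$WAN` with `$LAN` (and `${WAN}` with `${LAN}`) through a placeholder token, while leaving the `WAN=$(nvram get wan_ifname)` definition lines and unrelated names such as `$WAN_PORTS` untouched. The file contents it is demonstrated on are constructed in the style of a firewall script and are not the real OpenWrt files.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenWrt: swap $WAN and
# $LAN references in a firewall script through a placeholder token. The
# sample file contents below are constructed for the demo.

# swap_wan_lan: filter stdin to stdout, exchanging $WAN<->$LAN and
# ${WAN}<->${LAN}. Only whole variable references are touched: $WAN_SOMETHING
# and the WAN=$(nvram get wan_ifname) definition lines are left as they are.
# Three steps: WAN -> placeholder, LAN -> WAN, placeholder -> LAN.
swap_wan_lan() {
    sed -e 's/\${WAN}/${__SWAP__}/g' \
        -e 's/\$WAN\([^A-Za-z0-9_]\)/$__SWAP__\1/g' \
        -e 's/\$WAN$/$__SWAP__/' \
        -e 's/\${LAN}/${WAN}/g' \
        -e 's/\$LAN\([^A-Za-z0-9_]\)/$WAN\1/g' \
        -e 's/\$LAN$/$WAN/' \
        -e 's/__SWAP__/LAN/g'
}

# swap_wan_lan_file <file>: rewrite the file in place, keeping a .orig copy.
# Refuses to run on a file that already contains the placeholder, since a
# stray token would otherwise be silently turned into LAN.
swap_wan_lan_file() {
    if grep -q '__SWAP__' "$1"; then
        echo "$1: placeholder token already present, refusing to rewrite" >&2
        return 1
    fi
    cp "$1" "$1.orig" && swap_wan_lan < "$1.orig" > "$1"
}

# Demo on a constructed firewall-script fragment (nothing is executed; the
# file is just text). After the swap, br0 (lan_ifname, the wireless side) is
# the one treated as untrusted while the definitions stay as shipped.
demo=$(mktemp)
cat > "$demo" <<'EOF'
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
iptables -A input_rule -i $LAN -j ACCEPT
iptables -A forwarding_rule -i $LAN -o $WAN -j ACCEPT
iptables -A forwarding_rule -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
swap_wan_lan_file "$demo"
cat "$demo"
rm -f "$demo" "$demo.orig"
```

Run `swap_wan_lan_file` once per script; the `.orig` copy is what you put back if the board stops talking to you after the reboot.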