Today I’ve been playing with my Fon Simpl wireless access point.

It has an “internet” ethernet port for WAN, a “computer” ethernet port for LAN, and public and private wireless networks, so I wanted to minimise what goes through the internet port to just the heartbeat and disable routing between my wired/wireless LANs.

Essentially I’ve got the internet port in a different VLAN and subnet from my LAN and the private wireless network, and the computer port is currently disconnected – if I want to admin the router I can plug a laptop into the computer port.

I’ve allocated ethernet port 4 on my OpenWRT router to the Fon VLAN (confusingly the physical port 0 marked as “internet” maps to logical port 4, and physical port 4 maps to logical port 0) by configuring a few NVRAM variables:

# Port 5 is the switch's CPU port; the "*" marks the default (untagged) VLAN on it
nvram set vlan0hwname=et0
nvram set vlan0ports="1 2 3 5*"    # LAN: the remaining three wired ports, port 4 removed
nvram set vlan1hwname=et0
nvram set vlan1ports="4 5"         # WAN: logical port 4 is the physical "internet" port
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5"         # Fon VLAN: logical port 0 is physical port 4
nvram set fon_ifname=vlan2         # define a "fon" network on vlan2, static 10.0.0.1/8
nvram set fon_proto=static
nvram set fon_ipaddr=10.0.0.1
nvram set fon_netmask=255.0.0.0
nvram set ifup_interfaces="lan wan wifi fon"   # bring "fon" up at boot with the others
nvram commit

Then, to allow some limited WAN (vlan1) routing via the internet port on the Simpl, and nothing to or from the LAN (wired and wireless LAN are bridged to br0), we add some rules to /etc/firewall.user:

# Fon -> WAN: only RADIUS (1812/udp) and DNS (53/udp) may start new flows
iptables -A forwarding_rule -i vlan2 -o vlan1 -p udp --dport 1812 -j ACCEPT
iptables -A forwarding_rule -i vlan2 -o vlan1 -p udp --dport 53 -j ACCEPT
# No routing between the Fon VLAN and the bridged LAN in either direction
iptables -A forwarding_rule -i vlan2 -o br0 -j DROP
iptables -A forwarding_rule -i br0 -o vlan2 -j DROP
# Fon -> router: DNS only, nothing else (no admin access from the Fon side)
iptables -A input_rule  -i vlan2 -p udp --dport 53 -j ACCEPT
iptables -A input_rule  -i vlan2 -p tcp --dport 53 -j ACCEPT
iptables -A input_rule  -i vlan2 -j DROP
# Router -> Fon: no new connections (replies to the DNS queries still get back)
iptables -A output_rule -o vlan2 -j DROP
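To check that the rules above actually enforce the isolation described, here is an added example (not part of the original post, and not OpenWRT code) that evaluates them offline against a set of constructed packets. It is a first-match evaluator for only the iptables options those rules use (-i, -o, -p, --dport, -j) and, as an assumption about the stock WhiteRussian firewall that runs after the user chains, it treats FORWARD as accepting br0->vlan1 and dropping everything else, INPUT as accepting anything that did not arrive on the WAN (vlan1), and OUTPUT as accepting. Connection tracking (the RELATED,ESTABLISHED accept that lets replies back in) is deliberately left out, so the check covers only which new flows may start. The rule text, the packet cases and the helper names are all constructed here.

```python
"""Offline check of the Fon isolation policy in /etc/firewall.user (added example)."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the rules from the post; parsed rather than applied.
FIREWALL_USER = """
iptables -A forwarding_rule -i vlan2 -o vlan1 -p udp --dport 1812 -j ACCEPT
iptables -A forwarding_rule -i vlan2 -o vlan1 -p udp --dport 53 -j ACCEPT
iptables -A forwarding_rule -i vlan2 -o br0 -j DROP
iptables -A forwarding_rule -i br0 -o vlan2 -j DROP
iptables -A input_rule  -i vlan2 -p udp --dport 53 -j ACCEPT
iptables -A input_rule  -i vlan2 -p tcp --dport 53 -j ACCEPT
iptables -A input_rule  -i vlan2 -j DROP
iptables -A output_rule -o vlan2 -j DROP
"""

WAN = "vlan1"   # assumption: the stock firewall's $WAN interface


@dataclass
class Rule:
    chain: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    target: str = "ACCEPT"


@dataclass(frozen=True)
class Packet:
    in_if: Optional[str] = None    # None means locally generated (OUTPUT path)
    out_if: Optional[str] = None   # None means locally delivered (INPUT path)
    proto: str = "tcp"
    dport: int = 0


def parse_rules(text: str) -> list:
    """Parse 'iptables -A <chain> ...' lines into Rule objects; unknown options are an error."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[:2] != ["iptables", "-A"]:
            continue
        rule = Rule(chain=argv[2])
        it = iter(argv[3:])
        for opt in it:
            val = next(it)
            if opt == "-i":
                rule.in_if = val
            elif opt == "-o":
                rule.out_if = val
            elif opt == "-p":
                rule.proto = val
            elif opt == "--dport":
                rule.dport = int(val)
            elif opt == "-j":
                rule.target = val
            else:
                raise ValueError(f"unsupported iptables option: {opt}")
        rules.append(rule)
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.in_if is None or rule.in_if == pkt.in_if)
            and (rule.out_if is None or rule.out_if == pkt.out_if)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def run_chain(rules: list, chain: str, pkt: Packet) -> Optional[str]:
    """First matching rule wins; None means the chain fell through (RETURN)."""
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return rule.target
    return None


def verdict(rules: list, pkt: Packet) -> str:
    """Verdict for a new flow, with the assumed stock behaviour after each user chain."""
    if pkt.in_if and pkt.out_if:                       # FORWARD
        v = run_chain(rules, "forwarding_rule", pkt)
        if v:
            return v
        return "ACCEPT" if (pkt.in_if == "br0" and pkt.out_if == WAN) else "DROP"
    if pkt.in_if:                                      # INPUT
        v = run_chain(rules, "input_rule", pkt)
        if v:
            return v
        return "DROP" if pkt.in_if == WAN else "ACCEPT"   # non-WAN is trusted by default
    return run_chain(rules, "output_rule", pkt) or "ACCEPT"   # OUTPUT


def check_policy(text: str = FIREWALL_USER) -> dict:
    """Evaluate the isolation goals against constructed packets; returns name -> verdict."""
    rules = parse_rules(text)
    cases = {
        "fon_radius_to_wan":  Packet("vlan2", "vlan1", "udp", 1812),
        "fon_https_to_wan":   Packet("vlan2", "vlan1", "tcp", 443),
        "fon_to_lan":         Packet("vlan2", "br0", "tcp", 22),
        "lan_to_fon":         Packet("br0", "vlan2", "tcp", 80),
        "lan_to_wan":         Packet("br0", "vlan1", "tcp", 80),
        "fon_dns_to_router":  Packet("vlan2", None, "udp", 53),
        "fon_ssh_to_router":  Packet("vlan2", None, "tcp", 22),
        "lan_ssh_to_router":  Packet("br0", None, "tcp", 22),
        "router_to_fon":      Packet(None, "vlan2", "tcp", 80),
    }
    return {name: verdict(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, v in check_policy().items():
        print(f"{name:20s} {v}")
```

The interesting case is `fon_ssh_to_router`: drop the `input_rule -i vlan2 -j DROP` line and, under the assumed stock INPUT behaviour of trusting every non-WAN interface, the Fon's internet port gains admin access to the router, so that catch-all rule is doing real work rather than restating the default.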

Fon is a bit of a mucky implementation when you’re not using it as your main router, as you essentially end up with 3 wireless networks (Fon public, Fon private and my OpenWRT LAN) and 3 wired networks (Fon internet, Fon computer and my OpenWRT LAN) whereas before I only had one of each.

I’ve also upgraded the blog to WordPress 3.1