Today I’ve been playing with my Fon Simpl wireless access point.
It has an “internet” ethernet port for WAN, a “computer” ethernet port for LAN, and public and private wireless networks, so I wanted to minimise what goes through the internet port to just the heartbeat and disable routing between my wired/wireless LANs.
Essentially I’ve got the internet port in a different VLAN and subnet from my LAN and the private wireless network, and the computer port is currently disconnected – if I want to admin the router I can plug a laptop into the computer port.
I’ve allocated ethernet port 4 on my OpenWRT router to the Fon VLAN (confusingly the physical port 0 marked as “internet” maps to logical port 4, and physical port 4 maps to logical port 0) by configuring a few NVRAM variables:
# vlan0: LAN switch ports 1-3 (port 5 is the CPU port, tagged)
nvram set vlan0hwname=et0
nvram set vlan0ports="1 2 3 5*"
# vlan1: WAN (logical port 4 = the physical port marked "internet")
nvram set vlan1hwname=et0
nvram set vlan1ports="4 5"
# vlan2: the Fon VLAN (logical port 0 = the physical port marked "4")
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5"
nvram set fon_ifname=vlan2
nvram set fon_proto=static
nvram set fon_ipaddr=10.0.0.1
nvram set fon_netmask=255.0.0.0
nvram set ifup_interfaces="lan wan wifi fon"
nvram commit
Then, to allow some limited WAN (vlan1) routing via the internet port on the Simpl and nothing to or from the LAN (wired and wireless LAN are bridged to br0), I add some rules to /etc/firewall.user:
# Fon -> WAN: only RADIUS and DNS are forwarded
iptables -A forwarding_rule -i vlan2 -o vlan1 -p udp --dport 1812 -j ACCEPT
iptables -A forwarding_rule -i vlan2 -o vlan1 -p udp --dport 53 -j ACCEPT
# no routing in either direction between the Fon VLAN and the LAN bridge
iptables -A forwarding_rule -i vlan2 -o br0 -j DROP
iptables -A forwarding_rule -i br0 -o vlan2 -j DROP
# the router itself only answers DNS from the Fon VLAN
iptables -A input_rule -i vlan2 -p udp --dport 53 -j ACCEPT
iptables -A input_rule -i vlan2 -p tcp --dport 53 -j ACCEPT
iptables -A input_rule -i vlan2 -j DROP
# and never initiates anything towards it
iptables -A output_rule -o vlan2 -j DROP
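Because iptables evaluates a chain top to bottom and stops at the first match, the effective policy above is easy to misread. The script below is an added example (not from the post or from OpenWRT) that models those three user chains with first-match semantics and runs the packets worth checking through them: Fon to WAN RADIUS and DNS pass, Fon to LAN and LAN to Fon are dropped, and the router itself only accepts DNS from vlan2. It assumes, as the stock OpenWRT firewall does, that RELATED,ESTABLISHED replies are accepted before these chains run, so every sample is the first packet of a new flow; a packet that matches nothing falls through to the distribution's parent chain, which the script reports as no match rather than guessing.

```python
"""First-match evaluator for the post's /etc/firewall.user chains.

Constructed example. Only the three user chains are modelled; the stock
OpenWRT chains that run ahead of them (the RELATED,ESTABLISHED accepts that
let replies back through) are assumed to handle return traffic, so every
sample packet is the first packet of a new flow.
"""


def rule(target, **match):
    """One rule: match keys are in_if, out_if, proto, dport (all optional)."""
    return {"target": target, "match": match}


# The post's rules in the order they are appended; order matters.
CHAINS = {
    "forwarding_rule": [
        rule("ACCEPT", in_if="vlan2", out_if="vlan1", proto="udp", dport=1812),
        rule("ACCEPT", in_if="vlan2", out_if="vlan1", proto="udp", dport=53),
        rule("DROP", in_if="vlan2", out_if="br0"),
        rule("DROP", in_if="br0", out_if="vlan2"),
    ],
    "input_rule": [
        rule("ACCEPT", in_if="vlan2", proto="udp", dport=53),
        rule("ACCEPT", in_if="vlan2", proto="tcp", dport=53),
        rule("DROP", in_if="vlan2"),
    ],
    "output_rule": [
        rule("DROP", out_if="vlan2"),
    ],
}


def matches(match, pkt):
    """A rule matches when every field it specifies equals the packet's."""
    return all(pkt.get(key) == value for key, value in match.items())


def evaluate(chain, pkt):
    """Target of the first matching rule, or None when the packet falls
    through to whatever the parent chain does next (assumed DROP for
    anything the post did not explicitly allow, but not modelled here)."""
    for entry in CHAINS[chain]:
        if matches(entry["match"], pkt):
            return entry["target"]
    return None


def policy_table():
    """Verdicts for the constructed sample packets a practitioner would check."""
    samples = {
        "fon->wan radius": ("forwarding_rule", dict(in_if="vlan2", out_if="vlan1", proto="udp", dport=1812)),
        "fon->wan dns": ("forwarding_rule", dict(in_if="vlan2", out_if="vlan1", proto="udp", dport=53)),
        "fon->wan http": ("forwarding_rule", dict(in_if="vlan2", out_if="vlan1", proto="tcp", dport=80)),
        "fon->lan smb": ("forwarding_rule", dict(in_if="vlan2", out_if="br0", proto="tcp", dport=445)),
        "lan->fon http": ("forwarding_rule", dict(in_if="br0", out_if="vlan2", proto="tcp", dport=80)),
        "fon->router dns": ("input_rule", dict(in_if="vlan2", proto="udp", dport=53)),
        "fon->router ssh": ("input_rule", dict(in_if="vlan2", proto="tcp", dport=22)),
        "router->fon ping": ("output_rule", dict(out_if="vlan2", proto="icmp")),
    }
    return {name: evaluate(chain, pkt) for name, (chain, pkt) in samples.items()}


if __name__ == "__main__":
    for name, verdict in policy_table().items():
        print(f"{name:18} {verdict or 'no match (parent chain decides)'}")
```

The one row that deserves a second look is "fon->wan http": the post's rules neither accept nor drop it, so the outcome depends entirely on the parent FORWARD chain, which is exactly the kind of fall-through worth confirming on the box rather than assuming.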
Fon is a bit of a mucky implementation when you’re not using it as your main router, as you essentially end up with 3 wireless networks (Fon public, Fon private and my OpenWRT LAN) and 3 wired networks (Fon internet, Fon computer and my OpenWRT LAN) whereas before I only had one of each.
I’ve also upgraded the blog to WordPress 3.1.