Procedure:

  • prerequisites
    • make sure you're using a mac80211-based driver; wpa2 enterprise doesn't work on the proprietary Broadcom wl driver (so, for wrt54g, use brcm47xx, not brcm-2.4)
    • make sure wpad is installed (and uninstall wpad-mini) – needed for WPA/WPA2 enterprise
    • make sure that relayd is installed (needed for pseudobridge)
    • note: these packages just barely fit in the jffs partition of a WRT54Gv3
  • /etc/config/wireless:
    config 'wifi-device' 'radio0'
            option 'type' 'mac80211'
            option 'macaddr' '<mac address>'
            option 'hwmode' '11g'
            option 'disabled' '0'
            option 'txpower' '20'
            option 'country' 'US'
            option 'channel' 'auto'
    
    config 'wifi-iface'
            option 'device' 'radio0'
            option 'ssid' '<ssid>'
            option 'mode' 'sta'
            option 'network' 'wan' 
            option 'eap_type' 'peap'
            option 'auth' 'MSCHAPV2'
            option 'identity' '<username>'
            option 'password' '<password>'
            option 'encryption' 'wpa2+ccmp'
    • note: we're forcing AES-based encryption (CCMP)
  • /etc/config/network:
    config 'switch' 'eth0'
            option 'enable' '1'
    
    config 'switch_vlan' 'eth0_0'
            option 'device' 'eth0'
            option 'vlan' '0'
            option 'ports' '0 1 2 3 5'
    
    config 'switch_vlan' 'eth0_1'
            option 'device' 'eth0'
            option 'vlan' '1'
            option 'ports' '4 5'
    
    config 'interface' 'loopback'
            option 'ifname' 'lo'
            option 'proto' 'static'
            option 'ipaddr' '127.0.0.1'
            option 'netmask' '255.0.0.0'
    
    config 'interface' 'lan'
            option 'type' 'bridge'
            option 'ifname' 'eth0.0 eth0.1'
            option 'proto' 'static'
            option 'ipaddr' '192.168.1.1'
            option 'netmask' '255.255.255.0'
    
    config 'interface' 'wan'
            option 'proto' 'dhcp'
    
    config 'interface' 'stabridge'
            option 'proto' 'relay'
            option 'network' 'lan wan'
    • note: both eth0.0 (lan ports) and eth0.1 (wan port) are configured as lan connections
    • note: there is no ifname for wan… instead, the wireless interface attaches to it
  • /etc/init.d/dnsmasq stop && rm /etc/rc.d/S60dnsmasq – we don't need DNS or DHCP
  • in /etc/config/firewall, change option forward for the wan zone to ACCEPT – this allows incoming connections (from upstream) to downstream computers
  • /etc/init.d/firewall restart
  • ifup wan
  • perform other/normal openwrt setup tasks – set a password, disable telnet, set timezone, configure WAN to accept SSH, etc.
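A quick way to check that the config files above actually contain what this recipe needs (WPA2 enterprise with CCMP on the sta interface, a forwarding wan zone) is to read them back. The script below is an added example, not part of the wiki page or of OpenWrt: it parses the plain-text UCI format with awk (on the router itself `uci get` does the same lookups), and the two sample files it writes are constructed here to mirror the page's wireless config and an OpenWrt firewall zone block of that era. It also flags one thing the page's wireless block leaves out: with PEAP/MSCHAPv2 the password is only protected by validating the RADIUS server's TLS certificate, and without an `option 'ca_cert'` the supplicant trusts whatever certificate the network presents.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit OpenWrt UCI config text for the
# settings this recipe relies on. Works on copies of the files anywhere a POSIX
# sh and awk exist; on the router, `uci get` would perform the same lookups.

# uci_option FILE TYPE MATCHKEY MATCHVAL OPTION
#   Print OPTION from the first section of TYPE selected by MATCHKEY:
#   "_name" selects by section name (config 'wifi-device' 'radio0');
#   any other MATCHKEY selects by an option's value (option 'mode' 'sta').
uci_option() {
    awk -v q="'" -v type="$2" -v mkey="$3" -v mval="$4" -v want="$5" '
    function unq(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    $1 == "config" { n++; stype[n] = unq($2); sname[n] = (NF >= 3) ? unq($3) : ""; next }
    $1 == "option" && n > 0 {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)   # drop "option <key>"
        sub(/[ \t]+$/, "", val)                             # trailing blanks
        opt[n, unq($2)] = unq(val)                          # values may contain spaces
    }
    END {
        for (i = 1; i <= n; i++) {
            if (stype[i] != type) continue
            if (mkey == "_name") { if (sname[i] != mval) continue }
            else if (opt[i, mkey] != mval) continue
            if ((i, want) in opt) print opt[i, want]
            exit
        }
    }' "$1"
}

# zone_forward FIREWALL_FILE ZONENAME -> the zone's forward policy (ACCEPT/REJECT/DROP)
zone_forward() { uci_option "$1" zone name "$2" forward; }

# audit_wifi_sta WIRELESS_FILE
#   One finding per line on stdout; exit status = number of findings.
audit_wifi_sta() {
    local f cnt enc
    f=$1; cnt=0
    enc=$(uci_option "$f" wifi-iface mode sta encryption)
    case "$enc" in
        wpa2+ccmp) ;;   # WPA2 enterprise, CCMP only: what the recipe sets
        *) echo "encryption='$enc' (expected wpa2+ccmp; tkip or psk variants are not what this recipe wants)"
           cnt=$((cnt + 1)) ;;
    esac
    [ -n "$(uci_option "$f" wifi-iface mode sta eap_type)" ] \
        || { echo "eap_type is not set"; cnt=$((cnt + 1)); }
    # With PEAP/MSCHAPv2 the password is only protected by the TLS server certificate
    # check; without ca_cert the supplicant accepts any certificate the AP presents.
    [ -n "$(uci_option "$f" wifi-iface mode sta ca_cert)" ] \
        || { echo "ca_cert is not set: RADIUS server certificate is not validated"; cnt=$((cnt + 1)); }
    return $cnt
}

# Constructed samples. The wireless one mirrors the page's config (placeholders kept);
# the firewall one is a zone block in that OpenWrt release's format, with the recipe's
# change (wan forward ACCEPT) already applied. Neither is copied from the page verbatim.
WIFI_SAMPLE=$(mktemp); FW_SAMPLE=$(mktemp)
cat >"$WIFI_SAMPLE" <<'EOF'
config 'wifi-device' 'radio0'
        option 'type' 'mac80211'
        option 'hwmode' '11g'

config 'wifi-iface'
        option 'device' 'radio0'
        option 'ssid' '<ssid>'
        option 'mode' 'sta'
        option 'network' 'wan'
        option 'eap_type' 'peap'
        option 'auth' 'MSCHAPV2'
        option 'identity' '<username>'
        option 'password' '<password>'
        option 'encryption' 'wpa2+ccmp'
EOF
cat >"$FW_SAMPLE" <<'EOF'
config zone
        option name     lan
        option network  'lan'
        option input    ACCEPT
        option output   ACCEPT
        option forward  REJECT

config zone
        option name     wan
        option network  'wan'
        option input    REJECT
        option output   ACCEPT
        option forward  ACCEPT
        option masq     1
EOF

echo "wan zone forward policy: $(zone_forward "$FW_SAMPLE" wan)"
audit_wifi_sta "$WIFI_SAMPLE" || echo "wireless: $? finding(s)"
```

Run it against copies pulled from the router (`scp root@192.168.1.1:/etc/config/wireless .`) by pointing `audit_wifi_sta` and `zone_forward` at those files instead of the samples. On the page's own wireless block the audit reports exactly one finding, the missing `ca_cert`; a forward policy other than ACCEPT on the wan zone means the firewall step above has not taken effect yet.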

Bugs:

  • cannot access router configuration interface from downstream clients (works fine from upstream, though) – there's a way to address this, but only if the router's IP is static – see http://wiki.openwrt.org/doc/recipes/relayclient#enable.access.from.main.network – the (temporary) workaround is to manually set the IP of a client on the 192.168.1.0/24 subnet, then talk to the router at 192.168.1.1
  • not sure how it determines which AP to associate with when there are multiple candidates… sometimes it picks one with a weaker signal, then deauthenticates and doesn't automatically reestablish the connection. I put in a bssid (AP MAC address) value as a workaround, but this is a bit hacky. (it restricts roaming ability)

Recommended – autossh:

  • so we can remotely administer the router and keep track of its IP
  • opkg install autossh
  • /etc/config/autossh:
    config autossh
            option ssh '-i /etc/dropbear/id_rsa -N -T -R 2201:localhost:22 -R 8001:localhost:80 wap@server'
            option monitorport '20001'
            option poll '600'
  • see dropbear_key-based_auth for info on setting up a key relationship with the server (needed for autologin)
  • /etc/init.d/autossh start
  • note: autossh is apparently supposed to be triggered by the interface going up… but this doesn't seem to work (maybe it's confused by the unusual network config?) – workaround by enabling it as a traditional startup script using luci
  • apply this patch to make autossh more reliable: https://dev.openwrt.org/changeset/28018

Not needed?

  • in /etc/config/firewall, change option network for the lan zone to 'lan wan'
  • in /etc/config/firewall, change option network for the wan zone to ''
  • in /etc/config/firewall, change option forward for the lan zone to ACCEPT

See also:

computer/wpa_enterprise_client_bridge_in_openwrt.txt · Last modified: 2012/02/08 03:21 by tdobes