This page will provide you with the information to change the Switch into a Router.
The description is incomplete and under construction. Since I am not an expert in the field, I ask anybody who can help to help me complete this project. Mail to [marco][dot][website][at][debooy][dot][eu].
The WRT54G has 6 ports. 1 port is the WAN and is connected to the modem. 1 port is wireless and the other 4 are wired. The IP address of the WAN port depends on the modem. The other ports are defined by the network administrator. On each sub-net the WRT54G itself gets x.x.x.1 as its address. I propose the values in the following table as an example:
Name | Description | Sub Net | IF name |
---|---|---|---|
WAN | Internet | 10.0.0.x | vlan0 |
DMZ | Demilitarized Zone | 192.168.10.x | vlan1 |
LAN | Local network | 192.168.20.x | vlan2 |
VoIP | Voice Over IP | 192.168.30.x | vlan3 |
FREE | Local network | 192.168.40.x | vlan4 |
WiFi | Wireless network | 192.168.50.x | vlan5 |
In the DMZ there is a server for DNS, DHCP and syslog. The WRT54G must be configured so that it uses this server instead of the ones available in the OpenWRT package.
That is the easiest part. The more difficult part is the definition of the firewall. The rules of the firewall are:
The 'ports it really needs' should be opened when they block 'normal behaviour'. Check the IANA site for the ports and their usage.
The following script defines the necessary variables to make the separate sub-nets.
The first part defines 5 vlans.
```
nvram set vlan0hwname=et0
nvram set vlan0ports="0 5"
nvram set vlan1hwname=et0
nvram set vlan1ports="1 5"
nvram set vlan2hwname=et0
nvram set vlan2ports="2 5"
nvram set vlan3hwname=et0
nvram set vlan3ports="3 5"
nvram set vlan4hwname=et0
nvram set vlan4ports="4 5"
```
The second part maps these vlans to an interface. Each interface becomes a sub-net.
```
nvram set wan_device=eth0
nvram set wan_proto=dhcp
nvram set lan_ifname=vlan1
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.10.1
nvram set lan_netmask=255.255.255.0
nvram set dmz_ifname=vlan2
nvram set dmz_proto=static
nvram set dmz_ipaddr=192.168.20.1
nvram set dmz_netmask=255.255.255.0
nvram set voip_ifname=vlan3
nvram set voip_proto=static
nvram set voip_ipaddr=192.168.30.1
nvram set voip_netmask=255.255.255.0
nvram set free_ifname=vlan4
nvram set free_proto=static
nvram set free_ipaddr=192.168.40.1
nvram set free_netmask=255.255.255.0
```
The third part sets the variable that is used in /etc/init.d/S40network to bring up the interfaces.
```
nvram set ifup_interfaces="wan lan dmz voip free"
```
The fourth part sets the variables for the LAN.
```
nvram set lan_dns=192.168.20.10
nvram set lan_gateway=10.0.0.10
nvram set lan_ifnames="vlan0 eth1 eth2"
nvram set log_ipaddr=192.168.20.10
```
The firewall must block access from one subnet to another. In its most basic form, only the DMZ can access the internet. All other connections should be blocked or redirected to a server in the DMZ. No connections are allowed between subnets.
The script can be found here.
The configuration can be checked with ifconfig, route, and nvram show.
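The firewall policy described above (only the DMZ reaches the internet, no traffic between subnets) could be written as the following iptables rule generator. This is an added example, not the script this page refers to. The interface names are taken from the nvram script above; the WAN interface name and the DNS exception towards the DMZ server are assumptions, and only forwarded traffic is covered.

```shell
#!/bin/sh
# Added example: prints an iptables FORWARD policy for the sub-nets above.
# Nothing is applied until the output is piped to sh, so the rules can be
# reviewed first. Values marked "assumption" are not from the page.

WAN_IF="${WAN_IF:-vlan0}"                      # assumption: WAN interface name
DMZ_IF="${DMZ_IF:-vlan2}"                      # dmz_ifname in the nvram script
INSIDE_IFS="${INSIDE_IFS:-vlan1 vlan3 vlan4}"  # lan, voip, free
DMZ_SERVER="${DMZ_SERVER:-192.168.20.10}"      # lan_dns / log_ipaddr above

fw_rules() {
    # Closed by default: whatever is not explicitly accepted is dropped.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections that were allowed out may come back in.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the DMZ may open connections to the internet.
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    for ifc in $INSIDE_IFS; do
        # Assumption: the other sub-nets may only query DNS on the DMZ server.
        for proto in udp tcp; do
            echo "iptables -A FORWARD -i $ifc -o $DMZ_IF -d $DMZ_SERVER -p $proto --dport 53 -j ACCEPT"
        done
        # Log the rest from this sub-net before the DROP policy discards it.
        echo "iptables -A FORWARD -i $ifc -j LOG --log-prefix \"FWD-DROP $ifc: \""
    done
}

# Returns 0 when the generated policy lets interface $1 talk to interface $2
# without any restriction on destination or port.
allows() {
    fw_rules | grep -q -- "-i $1 -o $2 -j ACCEPT"
}

# Print the rules when the script is run; apply them with: fw_rules | sh
fw_rules
```
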
The default script for NTP does not seem to work. I changed the script /etc/init.d/S60ntp. I replaced the line that executes the ntpclient with:
```
/usr/sbin/ntpclient -l -h $NTP_SERVER -c 1 -s
```
Since the WRT54G has no USB there is no way to connect an external drive. The best way is to mount a directory from another server. The simplest way is to use shfs. Use it like:
```
insmod shfs
shfsmount user@host:/remote/dir /some/local/mountpoint
```
To get this working I used the OpenWRT Forum.