Monday, November 27, 2006

Updates explained and bridging mode

Yesterday I updated my La Fonera manually to version 0.7.1-1. There is an update available, which really flashes the La Fonera. The update of the autoupdate is just a gzipped tarball containing updated files. I updated it without flashing, so in case of any bricking stuff I can reset my La Fonera. Stefan is hosting information about it.

Finally the bridging mode with the private network works. It was really annoying that associated clients with the private network are masqueraded. Associated clients could access the LAN, but hosts of the LAN could not acces associated clients of the private signal.
With the bridging mode associated clients are in the same subnet of the LAN - no more masquerading is needed. The bridging mode only affects the private signal, the public FON hotspot still uses masquerading.

Frederik released a script for the bridging mode, but the FON hotspot did not function. I changed reworked it and now it works like a charm. Please start it manually and do not put it in /etc/init.d/. It possible it will not work with any version. It tried 0.7.1 rev 1 only.

Ok, here it is. You have to replace XX-XX-XX-XX-XX-XX with the MAC of the public FON hotspot! Please use it only if you know what you are doing.

#!/bin/ash
echo "Setting up LAN bridge"

# Kill DHCP server+ client
/usr/bin/killall dnsmasq
/usr/bin/killall -9 udhcpc

# create bridge interface
/usr/sbin/brctl addbr br0
/usr/sbin/brctl stp br0 off
/usr/sbin/brctl setfd br0 0

# shutdown/remove IPs from the old interfaces
/sbin/ifconfig eth0:1 down
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig ath1 0.0.0.0

# bring up the bridge interface
/sbin/ifconfig br0 up

# add the old interfaces to the bridge
/usr/sbin/brctl addif br0 ath1
/usr/sbin/brctl addif br0 eth0

# Set IP for the bridge
/sbin/udhcpc -i br0 -R # get new IP via dhcp
#/sbin/ifconfig br0 192.168.0.103 # static IP

# set firewall rules
iptables -A INPUT -i br0 -j ACCEPT
iptables -A OUTPUT -o br0 -j ACCEPT

# add bridge to hostapd.conf and restart hostapd (allows to use WPA)
[ `grep -c bridge=br0 /tmp/hostapd.conf` = "0" ] && echo bridge=br0 >> /tmp/hostapd.conf
/usr/bin/killall killall hostapd
/usr/sbin/hostapd -B /tmp/hostapd.conf

# stopping chillispot
/etc/init.d/N50chillispot stop

# bringing ath0 (hotspot interface) down
/sbin/ifdown hotspot

# bringing it manually up
wlanconfig ath0 create wlandev wifi0 wlanmode ap
iwconfig ath0 essid "FON_AP"
ifconfig ath0 up

# restarting dnsmasq but without dhcp
dnsmasq

# restarting chilli
chilli --dns1=192.168.1.222 --dns2=192.168.1.222 --radiusnasid=XX-XX-XX-XX-XX-XX --dhcpif ath0

# configuring iptables
iptables -R NET_ACCESS 6 -i br0 -j ACCEPT
iptables -R NET_ACCESS 7 -o br0 -j ACCEPT
iptables -t nat -R POSTROUTING 2 -o br0 -j MASQUERADE

16 comments:

Anonymous said...

Hi!

Just stumbled over yopur blog seraching for something else, bit then i got the feeling, that the bridge-script would be something i need.

I want to use my "la Fonera" in a slighly unusual way, namely to connect a media streaming client (Hauppauge MediaMVP) to my WLAN. So i want to connect the MVP to the LAN port of the Fonera with a cable an then access it via WLAN.

As the MVP relies on DHCP for getting an IP, this would require, that the DHCP server of the Fonera also works on the LAN port and not only on the WLAN.

Furthermore the MVP must be able to "see" clients connectet to the WLAN and i guess that's where your bridging scipt comes in, right?

But how about enabling DHCP on the LAN port? How can i do that?

Thank's for help!
Hatrick

Michael Kebe said...

I don't think that it will work with this script only. The wireless interfaces are functioning in master mode (AccessPoint). In your case you have to change it to the managed mode. Of course it is possible to use the La Fonera for your issue, but you should use the La Fonera for the FON movement.

atomic said...

If I use the update, will it remove my SSH access?

Also, how do I use the non-flashing update? Thanks!

Anonymous said...

Was ist neben dem notwendigen Beiwerk wie chilli etc. die Quintessenz, die hier das bridging zwischen eth0 und ath1 zum Funktionieren bringt, während es bei anderen nicht funktioniert (hat)?
Greifswaldi

Michael Kebe said...

The important part is this:

# configuring iptables
iptables -R NET_ACCESS 6 -i br0 -j ACCEPT
iptables -R NET_ACCESS 7 -o br0 -j ACCEPT
iptables -t nat -R POSTROUTING 2 -o br0 -j MASQUERADE

You have to adjust the iptables. E.g. change eth0 to br0.

Anonymous said...

@ atomic

the non flashing update will not remove ssh-access

Anonymous said...

I just cant get this working, after running the script manually the Wifi wont let me in when connecting, it justs spins round and round annd round. Nothing happens!

Anonymous said...

works! however, the FON_AP doesnt get to the login page any longe. any ideas?

and what IP is this, dns1=192.168.1.222?

Michael Kebe said...

192.168.1.222 is the IP address of the La Fonera.

Anonymous said...

Thanks for the script - it worked on my FON-Router and lets me use my other AccessPoint for more interesting stuff. :)

Nevertheless, some things should be pointed out more clearly:

chilli --dns1=192.168.1.222 --dns2=192.168.1.222
Enter the Fonera's IP-address on your wired network here. If you use a static ip, enter that. It's okay to use the same IP twice (actually you have to).

Again, if you use static IP setting, the default route on your router will be missing. If you wonder why you can't get to the FON-Login-Page on your public ssid - that's the reason. Just modify your script like that:
/sbin/ifconfig br0 192.168.123.2 # static IP
/sbin/route add default gw 192.168.123.1
In this example 192.168.123.1 would be your Internet router's IP.

I hope this helps. :)

mercurix

Anonymous said...

Thanks for this. You could also put

selfip=`ifconfig br0 | grep 'inet addr' | awk '{print $2}' | cut -d':' -f 2-`

just before the chilli line and change it to

chilli --dns1=$selfip --dns2=$selfip --radiusnasid=XX-XX-XX-XX-XX-XX --dhcpif ath0

and of course you could make same thing for the mac address to make this a "copy and paste" script for everyone.

I think I'll customize it a bit more, maybe add a failsafe mechanism if br0 can't get ip via dhcp etc :)

Anonymous said...

This is exactly what I was looking for, and will probably prevent my La Fonera from getting patched. (It will live it's life as intended)

What needs to be done before this is safe to run from init.d? Is it as simple as changing the filename to make sure it runs last, and just putting it in there, or is there more to it?

Maarten said...

root@OpenWrt:/etc# ls
banner functions.sh mtab
bridge group nvram.sh
chilli.conf hostapd.conf passwd
config hosts passwd-
crontabs hotfix ppp
dnsmasq.conf hotplug.d profile
dropbear httpd.conf protocols
firewall.fon init.d public_fon_rsa_key.der
firewall.user inittab resolv.conf
fon_device ipkg.conf resolv.conf.fon
fon_revision l7-protocols shells
fon_version modules.d sysctl.conf
root@OpenWrt:/etc# ./bridge
-ash: ./bridge: Permission denied


Ok, what am I doing wrong, why can't I start the script (I called it "bridge")

please help me with this, I really want to use bridge mode on my Fonera

Maarten said...

I got it now, had to use chmod first to make is executable

Anonymous said...

What if I'm using 2 La Fon's? I want to setup one as a master and use the second as a "client" wap, but want to be able to give people without wireless access to use it too? Is there a bridge mode so that the ath AND the eth interfaces both retrieved IPs from the primary La Fon?

Eric Tsai said...

Since /etc/init.d/N50chillispot will do the registration during boot, "# stopping chillispot" and "# restarting chilli" sections can be removed.

The wan_ifname in /tmp/network-config have to be br0 for N50chillispot to register correctly, so I replace "wan_ifname=${wan_ifname:-eth0}" with "wan_ifname=${wan_ifname:-br0}" in /sbin/ifup.

Since wan_ifname is br0 in /tmp/network-config, the work of section "# configuring iptables" will be done by /etc/init.d/S45firewall and /etc/firewall.fon .

Finally, here is my procedure to make FON a bridge.