Posted: Mon Jun 18, 2007 5:14 am Post subject: Multiple SSID, Independent Virtual WLANs - SUCCESS!
SUCCESS!!
I have successfully set up a Buffalo WHR-G54S running v24 06/16/07 with two independent wireless SSIDs. The basics are:
LAN 192.168.1.0 255.255.255.0
Physical WLAN (wl0) bridged with LAN (br0) using WPA2 Enterprise (AES)
Virtual WLAN (wl0.1) using WPA Personal (TKIP) with Internet-only access.
To do this, turn off Cron, as it will cause check_ps to run, messing up the nas replacement below.
Set dnsmasq to act as DNS, local DNS and add the following to its options:
ifconfig br0:0 down
brctl addbr br1
ifconfig br1 192.168.21.254 netmask 255.255.255.0 promisc up
brctl delif br0 wl0.1
brctl addif br1 wl0.1
killall dnsmasq
dnsmasq --conf-file /tmp/dnsmasq.conf
kill -9 `cat /tmp/nas.wl0.1lan.pid`
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1 -A -m 4 -k "`nvram get wl0.1_wpa_psk`" -s "`nvram get wl0.1_ssid`" -w 2 -g `nvram get wl0.1_wpa_gtk_rekey` &
This nas statement uses WPA-PSK (TKIP). You can modify it accordingly to work your way. The kill -9 is required because nas doesn't like to die gracefully at that point.
This sets up a bridge (br1) for wl0.1 to talk to and for the nas command to attach to. DHCP works perfectly and you have full access to the Internet, yet you do not have any access to the LAN if you are using WPA-PSK. If you use WPA2 Enterprise, you get full access to the LAN and the Internet.
I want to do the same thing as you succeeded in with your first post: One WLAN encrypted with WPA2-AES and another WLAN encrypted with WEP 64 bit (for a Nintendo DS Lite). I have almost the same setup as you:
Router Local IP 192.168.2.1, using dnsmasq for DHCP and DNS with addresses in the range 192.168.2.100-139.
I have tried your setup almost 100% as shown. The only difference is that I have used wl0.1_key1 instead of wl0.1_wpa_psk in the last line of the startup script, due to the wep-encryption.
However, I cannot get it to work. When I configure the way you describe, I cannot connect to any of my WLANs. Any suggestions?
EDIT: I should be more precise: I can connect to the WLANs, but I cannot get an IP address. I suspect it has something to do with the dnsmasq configuration?
I am using DD-WRT v24 Beta (06/20/07) std.
Sorry about the long quote, but good description of what you are doing. A couple of questions and a couple of things to look at...
Are you broadcasting either of your SSIDs (I am not)? I know there have been some issues with SSID broadcast that may or may not apply.
Make sure you add the dnsmasq lines to the dnsmasq area on the services page. Do not include the no-dhcp-interface line since you are using dnsmasq for all of your DHCP. You can telnet/ssh to the router and "cat /tmp/dnsmasq.conf" to look at the file. You should have, at a minimum, two dhcp-range statements (LAN range and your special range).
Posted: Mon Jun 25, 2007 9:00 pm Post subject:
I just flashed up my WRT54G v2.0 with DD-WRT v24 Beta (06/20/07) std. I didn't have to do any modifications to the NVRAM. Currently I have the Physical Interface wl0 configured with WPA2 AES and Virtual Interface wl0.1 with WEP. Each interface has a unique SSID which isn't broadcast. Both interfaces and wireless connections work flawlessly. Totally amazing, this is a feature I've been wanting but all my searching said it absolutely wasn't possible. v24 proves otherwise.
I can't get this to connect my DS Lite, and on my notebook the forwarding to the net is rather flaky.
I am trying to set up either a WEP64 key on br1 or no encryption at all. dnsmasq serves out the gateway address, which happens to be on the other vlan, could that be the problem?
P.S. FurryFace... if it works without any nvram changes, you probably didn't change the new virtual interface to unbridged, correct?
The iptables rules I used are the ones listed by Pete.
Regarding the startup script, as far as I can tell by the links Pete gave to the openwrt forum and by reading the openwrt faq, nas is not needed/used for WEP encryption. So I just omitted the last two lines in Pete's startup script:
Now it works: I can connect to the virtual wlan with wep 64 bit encryption and this network is isolated from my lan and physical wlan. As FurryFace wrote a virtual wlan will work without extra code, but the code is necessary to isolate the virtual vlan from the other networks.
Unfortunately, I was a bit too quick to say it worked. Initially, it worked perfectly on my laptop. I could connect to both networks and also connect to the internet. But I could not get my son's NDS Lite to make a connection to the nintendo wifi site. After some fumbling back and forth, I could not get a connection to the internet through the virtual wlan anymore.
I suspected that it was because the gateway is outside the virtual wlan network, so I tried changing the IP and/or netmask of the virtual wlan without any success.
This seems to force the gateway to the br1 interface ALL the time, which seems to actually work from the notebook AND the DS... well, a real game connects OK but I can't get any homebrew to recognize it...
You need the interface number before the dhcp-range line AND the dhcp-option line. It serves out different gateway numbers for each different SSID you connect to.
Again, works great on the notebook, still can't figure out homebrew on the DS Lite. The virtual interface doesn't show up as a SSID in things like NDSMail (which has a great scanner). Hope this helps.
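As an added example that is not part of the original thread (my own script, not Pete's or anyone else's posted code), the following DD-WRT-style startup script puts together the three pieces the thread discusses: the bridge split from the first post, the per-interface dnsmasq dhcp-range and dhcp-option lines described in the post above, and the iptables rules that actually make the guest bridge Internet-only (a separate bridge and subnet on their own do not stop the router from forwarding br1 to br0). The interface names, the 192.168.21.0/24 subnet and lease range, the dnsmasq tag syntax and the DRYRUN review mode are assumptions of mine, not taken from the posts.

```sh
#!/bin/sh
# Added example, not code from the original thread. Assumes DD-WRT's busybox sh with
# brctl, ifconfig and iptables; all interface names, subnets and lease times are assumptions.

GUEST_IF=wl0.1
GUEST_BR=br1
GUEST_GW=192.168.21.254
GUEST_MASK=255.255.255.0
GUEST_RANGE_START=192.168.21.100
GUEST_RANGE_END=192.168.21.149
LAN_BR=br0
LAN_NET=192.168.1.0/24

# run: execute a command, or only print it when DRYRUN is set, so the generated
# bridge and firewall commands can be reviewed on a host that has no brctl/iptables.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create br1 if it is missing (idempotent on re-run) and move wl0.1 from the LAN bridge onto it.
setup_guest_bridge() {
    if ! brctl show 2>/dev/null | grep -q "^$GUEST_BR"; then
        run brctl addbr "$GUEST_BR"
    fi
    run ifconfig "$GUEST_BR" "$GUEST_GW" netmask "$GUEST_MASK" up
    run brctl delif "$LAN_BR" "$GUEST_IF"
    run brctl addif "$GUEST_BR" "$GUEST_IF"
}

# Isolation rules. Guest traffic towards the LAN bridge or the LAN subnet is dropped;
# guests may talk to the router itself only for DHCP (udp/67) and DNS (53), so the
# telnet/ssh/web UI is not reachable from the guest SSID. Everything else from br1 is
# forwarded to the WAN as usual. Rules are inserted with -I, so the ACCEPTs inserted
# after the INPUT DROP end up above it and are evaluated first.
guest_firewall() {
    run iptables -I FORWARD -i "$GUEST_BR" -o "$LAN_BR" -j DROP
    run iptables -I FORWARD -i "$GUEST_BR" -d "$LAN_NET" -j DROP
    run iptables -I INPUT -i "$GUEST_BR" -j DROP
    run iptables -I INPUT -i "$GUEST_BR" -p udp --dport 67 -j ACCEPT
    run iptables -I INPUT -i "$GUEST_BR" -p udp --dport 53 -j ACCEPT
    run iptables -I INPUT -i "$GUEST_BR" -p tcp --dport 53 -j ACCEPT
}

# dnsmasq lines for the additional-options box: the bridge name is used as a tag so the
# guest range and its own gateway/DNS (options 3 and 6) apply only to requests that
# arrive on br1, which is what keeps the LAN gateway from being handed to guest clients.
# Assumption: "tag:" is the current dnsmasq syntax; the 2007 builds in the thread took
# the bare interface name in the same position.
guest_dnsmasq_conf() {
    cat <<EOF
interface=$GUEST_BR
dhcp-range=tag:$GUEST_BR,$GUEST_RANGE_START,$GUEST_RANGE_END,$GUEST_MASK,12h
dhcp-option=tag:$GUEST_BR,3,$GUEST_GW
dhcp-option=tag:$GUEST_BR,6,$GUEST_GW
EOF
}

# Only act when invoked as "sh guest_wlan.sh apply"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    setup_guest_bridge
    guest_firewall
    guest_dnsmasq_conf > /tmp/dnsmasq.guest.conf
fi
```

Run `DRYRUN=1 sh guest_wlan.sh apply` first to see the exact brctl and iptables commands it would issue, then without DRYRUN on the router. The nas restart from the first post is unchanged and still has to follow the bridge move for WPA on wl0.1; for a WEP-only guest SSID, as noted later in the thread, no nas step is needed.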
Great information! From reading other threads, only the primary SSID will show up as a "broadcast" SSID even if the SSIDs aren't broadcast. This might be the issue with not showing up in NDSMail.
The DS Lite might be having trouble with two SSIDs on the same frequency. It is strange but... I use a D-Link wireless bridge to connect my DVR to the VWLAN and it takes an extensive number of tries before it connects (it wouldn't connect at all until DLink's March release of firmware). The DVR still shows no Internet connection, but that is because the VWLAN does not have upnp yet. I have asked for a mod to the upnp code in Bugtracker to allow upnp on multiple interfaces so hopefully we will see this in the next release (yes, I provided some recommended code to speed the process). This might be an issue with the DS Lite, as well.
I wondered that, but I live in an apartment, and I can see 8-15 SSIDs at any time, some of those must be on the same frequency. Also, when I scan using a commercial game - with Nintendo's networking code, it can find the virtual interface as long as the primary one is hidden.
On my laptop, I can see whichever ones are broadcast.
Could the broadcast information be partial or something, and the laptop/Nintendo drivers auto-correct it, whereas the homebrew + dlink ones don't? The virtual interface still seems virtual to some outside observers.
You think the upnp would fix that?
The D-Link bridge had issues with WPA on any WRT type router until their last fix. It still isn't perfect, but it does work.
upnp might help the game. Games often use UDP (connectionless) packets and tell the router via upnp to open up certain port(s) for outside sources to connect to them. If they don't get a UDP response back from the router, they may consider that even though there is a valid gateway, it is unusable since it can't activate upnp to open up some ports. This is how my DVR works.
You should see the game device in your Wireless status page. It should show with the wl0.1 interface and a solid signal strength (usually about 50% since they normally auto reduce their transmit power). When my DVR is trying to connect, I will see momentary glimpses of the DVR on that page but it will stay constantly on that page once the D-Link recognizes the SSID and properly connects. The DVR gets its DHCP, etc. but reports no Internet connection because of no upnp.
No, the problem is in finding the SSID in the first place. Games actually work OK, just applications like homebrew mail clients or the web browser built in to DSOrganize don't seem to find the router.
I don't see the DS Lite in the wireless page when it claims to be searching, either.
I'd chalk it up to buggy homebrew code but it works fine with a normal wireless interface. If I have time, I could try reversing the roles of the virtual and physical WLAN ports. The other possibility is to forget all about the multiple SSID and unbridge the physical WLAN; if I need to get to my network, just use a VPN of some kind.
If you (or Bent) have some other thoughts, I'm all (rabbit) ears.