Bridging with Coova
There is a lot of documentation on the web that describes how to set
up a wireless router with OpenWRT. Furthermore, there is a
distribution based upon OpenWRT, Coova, that is tailored for hotspots.
Unfortunately, none of them quite described what I wanted to do, which
was to set up a bridged wireless router with a hotspot. After way too
many hours late at night poring through the internals of my router, I
believe I finally figured it out.
The following diagram shows the network topology, both the current
design and the intended result.
Currently there is a single switch that also acts as a NAT router for
the internal network. Behind that switch are a number of PCs. Due to
changes in needs, several new PCs were to be added to the network.
Rather than running new cables from these new machines all of the way
to the switch, three new routers (labeled HS1, HS2, and HS3) were
purchased. They were all brand new Linksys WRT54GL routers.
(Note that these are the L series of routers; things may be
different for original WRT54G devices.)
So that LAN activities remain uninterrupted, it was important that all
three new routers be configured for bridging mode. Each device also
had a specific requirement:
- HS1: This router will be the master hotspot server. All wireless
authentication shall go through it.
- HS2: Although this router could also run its own hotspot server,
that would prevent a laptop user from roaming around. The solution is
for this router to forward all of its wireless packets to HS1 via
WDS.
- HS3: This router will be in an entirely different building. Computers
that are physically plugged into it (i.e., into both the WAN and LAN ports)
will be connected to the rest of the internal network via an
unencrypted tunnel to HS1.
Another use of this bridging trick is for accessing the Coova router
via SSH from a different subnet (say, from 192.168.2.1). A freshly-installed
Coova distribution will have a routing table that looks something like
this:
root@XXXX:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 vlan0
10.1.0.0 * 255.255.255.0 U 0 0 0 tap0
So although you may be able to send packets from 192.168.2.1 to the router,
the router has no gateway through which to reply.
Installing Coova
The instructions on Coova's wiki are pretty accurate. To paraphrase them:
- Download an appropriate firmware image. The following instructions
worked with at least version 1.0-beta.12.
- Log in to Linksys's administrative web page, then upload the
firmware.
- After the router has rebooted, log in and set the root password.
- Enable boot_wait and WAN SSH Access.
- Commit the settings to the NVRAM by clicking on apply change.
- Test that things are working by checking for updated packages.
Repeat these steps for all routers. For convenience, I assigned each
router its own IP address: HS1 is set to 192.168.1.51, HS2 to
192.168.1.52, and HS3 to 192.168.1.53. Each router's address may be
configured on the network tab. After applying the changes, a new
login will be required at the new address.
Configuring HS1
As described on the OpenWRT site, the Linksys WRT54GL has three
physical interfaces: vlan0 encompasses the four LAN ports, and vlan1
is the WAN port. Although the wiki page claims that the wireless
interface is wl0, on my setup ifconfig reported it as eth1.
Henceforth I will call the wireless interface eth1.
Enable bridging from vlan0 to vlan1
To enable bridging, a new interface, br0, will be created to
tie together vlan0, vlan1, and eth1. First, ssh into the router as
root, then issue these commands:
# nvram set lan_ifname=br0
# nvram set lan_ifnames="vlan0 vlan1 eth1"
# nvram set lan_stp=1
# nvram set wan_ifname=br0
# nvram set wan_proto=none
# nvram set wan_ssh_admin=on
# nvram set wan_web_admin=both
# nvram commit
So why set those last two NVRAM settings when the WAN protocol
is set to none? Because SSH and web admin access are still
routed by the iptables chains prerouting_wan and
input_wan; see /etc/firewall.user.
Double check that your lan address is still set:
# nvram get lan_ipaddr
192.168.1.51
and ensure that the hotspot is disabled (otherwise the router will not
reboot successfully):
# nvram get hs_type
none
(Alternatively, hs_type might not even be set, which is adequate
for this step.)
I also disabled the DHCP server on the router, since the master switch
was already responsible for that. Once everything is set, reboot the
router, and ensure the LAN and WAN ports are now bridged. Run the
route command to see whether you now have a default gateway on
br0.
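Before committing and rebooting, it is worth checking that the NVRAM values match what the section above requires, since a router that comes back with the hotspot still enabled or without a LAN address is hard to reach again. The following pre-reboot check is an added example, not part of the original page or of Coova; the function names and the two sample dumps are my own, and the dumps are constructed in the key=value format that nvram show prints rather than captured from a real router.

```sh
#!/bin/sh
# Added example: sanity-check the bridge NVRAM settings before
# "nvram commit" and reboot. On the router it would be run as:
#   check_bridge_nvram "$(nvram show 2>/dev/null)"

# nv_get DUMP KEY: value of KEY in a "key=value" dump, empty when unset
nv_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# check_bridge_nvram DUMP: prints one FAIL line per problem, returns 1 if any
check_bridge_nvram() {
    _nv=$1 _rc=0
    [ "$(nv_get "$_nv" lan_ifname)" = br0 ] || { echo "FAIL: lan_ifname must be br0"; _rc=1; }
    # all three physical interfaces must be members of the bridge
    for _if in vlan0 vlan1 eth1; do
        case " $(nv_get "$_nv" lan_ifnames) " in
            *" $_if "*) ;;
            *) echo "FAIL: lan_ifnames is missing $_if"; _rc=1 ;;
        esac
    done
    [ "$(nv_get "$_nv" wan_proto)" = none ] || { echo "FAIL: wan_proto must be none"; _rc=1; }
    # admin access is handled by the *_wan iptables chains, so keep it on
    [ "$(nv_get "$_nv" wan_ssh_admin)" = on ] || { echo "FAIL: wan_ssh_admin must be on"; _rc=1; }
    # no LAN address means no way back in after the reboot
    [ -n "$(nv_get "$_nv" lan_ipaddr)" ] || { echo "FAIL: lan_ipaddr is unset"; _rc=1; }
    # the hotspot must be off (or unset) for the first bridged boot
    _hs=$(nv_get "$_nv" hs_type)
    [ -z "$_hs" ] || [ "$_hs" = none ] || { echo "FAIL: hs_type is '$_hs', expected none"; _rc=1; }
    return $_rc
}

# Constructed sample dumps (not captured from a real router)
GOOD_NVRAM='lan_ifname=br0
lan_ifnames=vlan0 vlan1 eth1
lan_stp=1
lan_ipaddr=192.168.1.51
wan_ifname=br0
wan_proto=none
wan_ssh_admin=on
wan_web_admin=both
hs_type=none'

BAD_NVRAM='lan_ifname=br0
lan_ifnames=vlan0 eth1
lan_ipaddr=192.168.1.51
wan_proto=dhcp
wan_ssh_admin=on
hs_type=chilli'
```

Running check_bridge_nvram on BAD_NVRAM reports the missing vlan1, the wrong WAN protocol and the enabled hotspot; only a clean run on the real dump should be followed by nvram commit.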
Enabling Hotspot
The default Coova install handles hotspots by creating a bridge from
an authenticated wireless client to the WAN port. Unfortunately, the
hotspot scripts call this bridge br0. To call the bridge
br1 instead, a few files on the router need to be changed.
Begin by starting an ssh session to the device. Edit the file
/etc/hs/functions.sh using vi. (If you don't know vi, you could scp
the file to your local desktop, make the changes there, then upload
it back.)
- Find the line HS_LANIF=br0 and set it to HS_LANIF=br1 instead.
- Jump down to the split_wireless() function. After the line
echo "Splitting the wired from wireless", add these two lines:
brctl delif br0 eth1 and LAN_VLAN=br0.
- Also in split_wireless(), change set_nvram lan_ifnames "" to
set_nvram lan_ifnames "vlan0 vlan1", and change
set_nvram wifi_ifname "br0" to set_nvram wifi_ifname "br1".
The changed portions of split_wireless() should now look like:
[ -n "$LANIFS" -a "$LANwWIFI" = "$LANIFS" ] && {
echo "Splitting the wired from wireless"
brctl delif br0 eth1
LAN_VLAN=br0
set_nvram lan_ifname "$LAN_VLAN"
set_nvram lan_ifnames "vlan0 vlan1"
set_nvram wifi_ifname "br1"
set_nvram wifi_ifnames "$WIFIIF"
The only other necessary change is to /etc/init.d/S35firewall. In
the FORWARDING section, after
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
add the line
iptables -A FORWARD -i br1 -o br1 -j ACCEPT
Use the web interface to enable and configure the hotspot. Cross your
fingers, start the service, and test to ensure that everything is
working.
Enabling IPsec
If you will have wireless clients using IPsec through the hotspot, you
will need to add an additional iptables rule to /etc/chilli/up.sh. At
about line 50, after the two rules ipt -I FORWARD -i $DHCPIF -j DROP
and ipt -I FORWARD -o $DHCPIF -j DROP, add the line
ipt -I FORWARD -p udp --dport 4500 -j ACCEPT. This
allows the NAT-T IKE_AUTH exchange (UDP port 4500) to be forwarded to
the IPsec server.
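The two script edits above (the br1 FORWARD rule in S35firewall and the NAT-T rule in up.sh) are easy to get wrong by hand and to apply twice on a second pass, so here is an added example that applies them idempotently from a script. This is my own code, not from the page or from Coova: the function names are mine, the paths are passed in so the edit can be rehearsed on copies, and make_sample_scripts writes constructed stand-ins containing only the relevant lines, not Coova's real scripts.

```sh
#!/bin/sh
# Added example: apply the S35firewall and /etc/chilli/up.sh edits
# described above with a script instead of vi. Each edit is skipped if
# the new rule is already present, and fails loudly if the anchor line
# cannot be found (a changed script should be noticed, not silently skipped).

# add_rule_after FILE ANCHOR NEW_LINE
# Inserts NEW_LINE after the first line containing ANCHOR. ANCHOR is a
# fixed string, not a regex, so "$DHCPIF" is matched literally; the
# anchor's indentation is copied onto the new line.
add_rule_after() {
    _file=$1 _anchor=$2 _new=$3
    grep -qF -- "$_new" "$_file" && return 0
    grep -qF -- "$_anchor" "$_file" || { echo "anchor not found in $_file: $_anchor" >&2; return 1; }
    awk -v anchor="$_anchor" -v new="$_new" '
        { print }
        !done && index($0, anchor) > 0 {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) new
            done = 1
        }' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# apply_hotspot_rules S35FIREWALL_PATH UP_SH_PATH
apply_hotspot_rules() {
    add_rule_after "$1" 'iptables -A FORWARD -i br0 -o br0 -j ACCEPT' \
                        'iptables -A FORWARD -i br1 -o br1 -j ACCEPT' || return 1
    # up.sh uses -I (insert at the head of the chain), so a rule added
    # later in the file is evaluated earlier: this ACCEPT lands above the DROPs
    add_rule_after "$2" 'ipt -I FORWARD -o $DHCPIF -j DROP' \
                        'ipt -I FORWARD -p udp --dport 4500 -j ACCEPT'
}

# make_sample_scripts DIR: constructed stand-ins for the two files,
# holding only the lines the edits care about, for a dry run on copies
make_sample_scripts() {
    printf '%s\n' '# FORWARDING' \
        'iptables -A FORWARD -i br0 -o br0 -j ACCEPT' \
        'iptables -A FORWARD -i vlan1 -o br0 -j ACCEPT' > "$1/S35firewall"
    printf '%s\n' '  ipt -I FORWARD -i $DHCPIF -j DROP' \
        '  ipt -I FORWARD -o $DHCPIF -j DROP' > "$1/up.sh"
}
```

To rehearse: d=$(mktemp -d); make_sample_scripts "$d"; apply_hotspot_rules "$d/S35firewall" "$d/up.sh" twice, and confirm the second run changes nothing before pointing the function at the real files on the router.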
Configuring HS2
Setting up router HS2 is easy compared to setting up HS1. First,
enable bridging between vlan0 and vlan1 as described above. Next, to
link HS2 to HS1 wirelessly, a WDS (wireless distribution system) link will
be created. As noted in a forum post,
the following changes need to be made on HS1 and HS2.
Both HS1's and HS2's wireless MAC addresses will be needed. They can
be obtained by sshing into the respective router, then running the
command ifconfig eth1 | head -1. Write down the hardware
address somewhere.
Enabling WDS on HS1
Log on to HS1's web interface and make the following changes:
- Switch to the Network tab, and then to Wireless. Change the
channel from automatic to a fixed value; for my network I chose channel
six.
- Switch to the Advanced Wireless tab. Add HS2's MAC
address, and disable Automatic WDS.
When all has been done, the settings should appear as:
Enabling WDS on HS2
Leave the hotspot disabled on HS2. Configure its Wireless and
Advanced Wireless settings the same as for HS1, except substitute
HS1's MAC address in the WDS Connections section.
Configuring HS3
(to be done)
Last modified 13 Apr 2012.
Jason Tang / tang@jtang.org