You would rather use routing between your two LAN segments instead of bridging because it gives better performance and more control. For example, you might set up a separate link just to give Internet access to visitors and easily keep them out of your network. Or, you want some separation and different sets of LAN services for each network segment. You know it’s a bit more work to set up, but that doesn’t bother you, you just want to know how to make it go.
The example access point in this chapter has three Ethernet interfaces: ath0, eth0, and eth1. Instead of bridging ath0 and eth0 to create the br0 LAN interface, ath0 and eth0 are going to be two separate LAN interfaces, and eth1 will still be the WAN interface. iptables will forward traffic between ath0 and eth0, and dnsmasq.conf will need some additional lines to handle the extra subnet.
This recipe assumes you are using either WPA-PSK or WPA-Enterprise with a separate RADIUS server. (See the previous recipes in this chapter to learn how to configure encryption and authentication.) You may create an open access point for testing by commenting out the two lines that control hostapd:
##/etc/network/interfaces auto lo iface lo inet loopback
auto ath0 iface ath0 inet static address 192.168.2.50 network 192.168.2.0 netmask 255.255.255.0 broadcast 192.168.2.255 post-down wlanconfig ath0 destroy pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap pre-up iwconfig ath0 essid "alrac-net" channel 01 rate auto pre-up ifconfig ath0 up pre-up sleep 3 up hostapd -B /etc/hostapd.conf post-down killall hostapd
#DNS server dhcp-option=lan,6,192.168.1.50 dhcp-option=wifi,6,192.168.2.50
#assign static IP addresses dhcp-host=stinkpad,192.168.2.74,net:wifi dhcp-host=penguina,192.168.2.75,net:wifi dhcp-host=uberpc,192.168.1.76,net:lan dhcp-host=xena,192.168.1.10,net:lan
You’ll need to add a batch of iptables rules to your firewall script. See the Discussion for a complete example iptables firewall script.
This iptables example forwards all traffic freely between your two LAN segments, and makes name services available to all. This is a liberal configuration with no restrictions.
Remember that broadcast traffic does not cross routes, and some network protocols are nonroutable, such as Samba and other NetBIOS traffic. All routable traffic, such as SSH, ping, mail and web servers, and so forth will travel between your subnets with no problems.
By routing between your wired and wireless network segments, your options are legion: limit the services available to either network segment, filter on individual hosts, do some fine-grained traffic shaping—anything you want to do is possible.
dnsmasq.conf uses RFC 2132 numbers to represent servers, so refer to it for a complete list. Some common servers are:
Time offset from UTC (Coordinated Universal Time). You’ll have to manually adjust this twice per year if you are afflicted with daylight saving time. But at least you’ll control everything from the server. For example, pacific standard time is written asdhcp-option=2,-28800, which equals UTC -8 hours.
Send clients the default route. Use this when dnsmasq is not on the same box as your router.
dhcp-option=7, [IP address]
dhcp-option=33, wifi, [destination IP address, router address]
Assign a static route to the “wifi” group. You may list as many routes as you want. Each route is defined by a pair of comma-separated IP addresses.
dhcp-option=40, [domain] NIS domain name.
dhcp-option=41,[IP address] NIS domain server.
dhcp-option=42,[IP address] NTP server.
dhcp-option=69,[IP address] SMTP server.
dhcp-option=70,[IP address] POP server.
dhcp-option=72,[IP address] HTTP server.
Because our LAN routes pass through an iptables firewall with a defaultDROPpolicy, permitted traffic must be explicitly accepted and forwarded.
If you followed Chapter 3 to build your iptables firewall, don’t forget you can use/etc/ init.d/firewall/stop|start|restartwhen you’re testing new rules.
Here is a complete example /usr/local/bin/fw-nat that gives the wired and wireless subnets nearly unlimited access to each other:
#!/bin/sh #iptables firewall script for sharing a cable or DSL Internet #connection, with no public services