[WLANware] Mesh with 2 radios (help with 5 ghz)

Frederico Marques frederico at marques.cx
Sun Jan 14 18:10:07 CET 2007


Hi,

On Jan 6, 2007, at 9:10 PM, Dan Flett wrote:

>
> Just out of curiosity - what IPTables hacks have you done to solve the
> multi-splash problems?

No big deal. I have a micro mesh with about 6 nodes, all running
Freifunk Firmware. Just one node is connected to the internet and
injects a 0.0.0.0/0 route into the 10.0.0.0/8 Mesh. I have also
configured the nat/dhcp/dnsmasq olsr hack on all nodes to allow non-olsr
clients to 'see' the mesh network. Besides that, every node
communicates with the others over only one wireless interface, except of
course the node announcing the 0.0.0.0/0 route, which has a wireless
interface and one ethernet interface to the cable isp/internet. I wanted to
authenticate every mac address connecting from the wireless interface
on each node, to the internet only, not the free mesh. I liked the
architecture of wifidog with centralized administration, the easy UAM
authentication, and no radius work involved. The problem? Well, on
each node, by default, the wifidog-gw denies new packets coming in on
the external interface (public, not from internal networks) in the
WiFiDog_WIFI2Internet chain:

Chain WiFiDog_WIFI2Internet (1 references)
0     0 DROP       all  --  eth1  *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW

which makes sense, of course. The problem arises because in my mesh
configuration the external interface is the same as the gateway
interface: the eth1/wireless interface serves the clients (so it's a
gateway interface) and also connects to other nodes and on to the public
internet. So it also denies new packets coming from wifi clients. I solved
the problem with a rule replacement:

iptables -t filter -R WiFiDog_WIFI2Internet 3 -i eth1 -s ! 10.0.0.0/8 -m state --state NEW,INVALID -j DROP

(allowing new packets coming from the Mesh on this wireless interface)

I have this rule on every wifidog-gw running on every node. I also put
the mac addresses of all the wifi interfaces of the nodes in the
TrustedMACList of each wifidog-gw, so the user doesn't have to
authenticate twice (freifunk does nat on behalf of non-olsr wifi
clients). Yes, I know it's ugly, but it works for me on 6 nodes, and
I know it's not manageable with a large network. And I think that
looking at /proc/net/arp to automatically populate the allowed mac
addresses from other nodes talking olsr is lame. One way it could
work is to make an olsr plugin that automatically populates an iptables rule
or wifidog.conf with the mac addresses of trusted olsr neighbours. What
do you think?

Regards,

--fred
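The rule replacement above changes which packets the WiFiDog_WIFI2Internet chain drops, and the effect is easiest to see by evaluating a few packets against the chain before and after. The following script is an added example, not code from the post, from WiFiDog or from Freifunk: it parses a chain in the `iptables -L -v -n` layout quoted in the post and returns the verdict for a packet. The second listing (how iptables renders the negated `-s ! 10.0.0.0/8` source as `!10.0.0.0/8`), the `eth0` uplink interface and the sample packets are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample listings in 'iptables -L -v -n' format. CHAIN_BEFORE is the
# default chain quoted in the post; CHAIN_AFTER is the assumed rendering after
# the 'iptables -R ... -s ! 10.0.0.0/8' replacement (iptables prints a negated
# address with a leading '!').
CHAIN_BEFORE = """\
Chain WiFiDog_WIFI2Internet (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
"""

CHAIN_AFTER = """\
Chain WiFiDog_WIFI2Internet (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   *      !10.0.0.0/8           0.0.0.0/0           state INVALID,NEW
"""

# One rule line: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<iface_in>\S+)\s+(?P<iface_out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
STATE_RE = re.compile(r"\bstate\s+(\S+)")


def parse_chain(listing):
    """Parse the rule lines of an 'iptables -L -v -n' chain listing."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # the 'Chain ...' header and the column header line
        rule = m.groupdict()
        states = STATE_RE.search(rule["extra"])
        rule["states"] = set(states.group(1).split(",")) if states else set()
        rules.append(rule)
    return rules


def addr_matches(spec, addr):
    """Match an address against a listing spec such as '0.0.0.0/0' or '!10.0.0.0/8'."""
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negated else hit


def rule_matches(rule, pkt):
    """Apply the interface, protocol, address and conntrack-state matches of one rule."""
    if rule["iface_in"] != "*" and rule["iface_in"] != pkt["in"]:
        return False
    if rule["iface_out"] != "*" and rule["iface_out"] != pkt["out"]:
        return False
    if rule["prot"] != "all" and rule["prot"] != pkt["prot"]:
        return False
    if not addr_matches(rule["src"], pkt["src"]) or not addr_matches(rule["dst"], pkt["dst"]):
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def evaluate(listing, pkt):
    """Return the target of the first matching rule, or 'RETURN' when the chain
    ends without a match (control goes back to the calling chain)."""
    for rule in parse_chain(listing):
        if rule_matches(rule, pkt):
            return rule["target"]
    return "RETURN"


def packet(src, state, iface_in="eth1", dst="198.51.100.10"):
    # Constructed packet: arrives on the radio, leaves via the assumed eth0 uplink.
    return {"in": iface_in, "out": "eth0", "prot": "tcp", "src": src, "dst": dst, "state": state}


def compare(src, state, iface_in="eth1"):
    """Verdict under the default chain and under the replaced rule, as a pair."""
    pkt = packet(src, state, iface_in)
    return evaluate(CHAIN_BEFORE, pkt), evaluate(CHAIN_AFTER, pkt)


if __name__ == "__main__":
    for src, state in [("10.1.2.3", "NEW"), ("10.1.2.3", "ESTABLISHED"), ("192.0.2.7", "NEW")]:
        print(f"{src:12} {state:12} before/after = {compare(src, state)}")
```

The first case is the post's problem and its fix: a new connection from a 10/8 client on the radio is dropped by the default chain and passes after the replacement. The third case shows what the replaced rule still drops: new connections arriving on the radio from any non-10/8 source. Note that the replaced rule makes the source prefix the trust boundary on that interface, so whatever puts a 10/8 source address on the radio passes this chain; that is the trade-off the post accepts, and the TrustedMACList entries and the wifidog authentication further down the chain are what remain to distinguish clients.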
