[WLANware] Mesh with 2 radios (help with 5 ghz)
Frederico Marques
frederico at marques.cx
Sun Jan 14 18:10:07 CET 2007
Hi,
On Jan 6, 2007, at 9:10 PM, Dan Flett wrote:
>
> Just out of curiosity - what IPTables hacks have you done to solve the
> multi-splash problems?
No big deal. I have a micro mesh with about 6 nodes, all running
Freifunk Firmware. Just one node is connected to the internet and
injects a 0.0.0.0/0 route into the 10.0.0.0/8 mesh. I have also
configured the nat/dhcp/dnsmasq olsr hack on all nodes to allow non-
olsr clients to 'see' the mesh network. Besides that, every node
communicates with the others only through one wireless interface, except
of course the node announcing the 0.0.0.0/0 route, which has a wireless
interface and one ethernet interface to the cable ISP/internet. I wanted
to authenticate every MAC address connecting from the wireless interface
on each node to the internet only, not to the free mesh. I liked the
architecture of wifidog with centralized administration, the easy UAM
authentication, and no RADIUS work involved. The problem? Well, on
each node, by default, the wifidog-gw denies new packets coming in on
the external interface (public, not from internal networks) in the
WiFiDog_WIFI2Internet chain:
Chain WiFiDog_WIFI2Internet (1 references)
0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
which makes sense, of course. The problem arises because in my mesh
configuration the external interface is the same as the gateway
interface: the eth1/wireless interface serves the clients (so it's a
gateway interface) and also connects to the other nodes and through them
to the public internet. So it also denies new packets coming from wifi
clients. I solved the problem with a rule replacement:
iptables -t filter -R WiFiDog_WIFI2Internet 3 -i eth1 -s ! 10.0.0.0/8 -m state --state NEW,INVALID -j DROP
(allowing new packets coming from the Mesh on this wireless interface)
I have this rule on every wifidog-gw running on every node. I also put
the MAC addresses of all the wifi interfaces of the nodes in the
TrustedMACList of each wifidog-gw, so the user doesn't have to
authenticate twice (freifunk does NAT on behalf of non-olsr wifi
clients). Yes, I know it's ugly, but it works for me on 6 nodes, and
I know it's not manageable with a large network. And I think that
looking at /proc/net/arp to automatically populate the allowed MAC
addresses of other nodes talking olsr is lame. One way it could
work is to make an olsr plugin that automatically populates an iptables
rule or wifidog.conf with the MAC addresses of trusted olsr neighbours.
What do you think?
Regards,
--fred