wifi

OpenWrt: Extend an existing wifi with a guest wifi network

OpenWrt on a TP-Link RE450

Recently a Wifi repeater I set up years ago was reset by accident, and I lost the configuration that was providing extended wifi coverage and a guest wifi on a TP-Link RE450. Reconfiguring the setup cost me much more time than I am willing to admit, so I wanted to write down the basics in order to be prepared next time. Also, I have a backup now.

The TP-Link RE450 v1.1 (Image from TP-Link)

The TP-Link RE450 is a pretty nice and affordable device with two wifi bands (5 GHz and 2.4 GHz). You can get it for around 50 Euros, and it comes with three antennas and an ethernet port. It can also run LEDE / OpenWrt, an open source firmware for embedded systems such as routers and wifi extenders. The history of LEDE and OpenWrt can be read here; in this article I will call the software OpenWrt although the interface still shows LEDE. I will also refer to the RE450 simply as the router.

Connecting to the router

Since this router will be embedded into an existing computer network, it is essential to give it a unique IP in a unique subnet. I have decided to assign the IP address 192.168.2.1 with the netmask 255.255.255.0 to the router. The existing network is a wireless network called Wifi with the subnet 192.168.1.1/24. Our plan is to add a guest wifi network 192.168.3.0/24 with its own SSID called Guest and its own password. Clients on the guest network should not be able to reach other devices within the guest network, nor any clients on the existing network.

After installing the firmware, the router will have the default address 192.168.1.1. In order to avoid a clash with the existing Wifi network, I attached the router to the computer with an ethernet cable and disabled wifi on my computer during the setup. I then assigned the static IP address 192.168.1.2 to my PC in the same subnet. While I was at it, I created a second ethernet profile with the address 192.168.2.5 to switch to the desired subnet once the router is configured. Now you can easily switch between the subnets.

Installing the firmware

The first task is to get rid of the proprietary firmware and install OpenWrt. There are many instructions out there; it is important to verify the firmware and the device version with great attention. Otherwise you might produce a 50 Euro paperweight and a wasted weekend (been there). In case you have an older version installed, please consider updating.

For this article, I upgraded from LEDE 17.01 to the more recent OpenWrt release 19.07 and downloaded this particular release. For the initial setup, open a browser and go to 192.168.1.1.

Basic setup of the router

We now have OpenWrt installed on the router and can begin to configure it. You will be greeted by the OpenWrt interface and advised to set a password.

The first login.

We follow the advice and set a good password. Next we set a static IP by going to Network > Interfaces and editing the existing LAN interface. This is the ethernet connection we are connected to, and we want to make sure we can always find this device at the static IP 192.168.2.1 in the standard subnet.

Assign a static IP

Always save and apply changes. After this change you have to switch to the 192.168.2.5 profile we created earlier so that you can access the router again. Once we have logged in at 192.168.2.1 with our new password, we should be greeted by the OpenWrt LuCI web interface.

Setup the interfaces and wifi networks

The first step is to connect to the existing Wifi network, so that the router has a working internet connection for downloading updates. Go to Network > Wireless. You will see the default wireless interfaces called OpenWrt for both devices (2.4 GHz and 5 GHz).

The default Wifi interfaces

Remove them so that you reach a clean state.

No wireless interfaces, only devices

Depending on whether your existing wireless network is on the 5 GHz or the 2.4 GHz band, use the appropriate device, click Scan and select the existing network. Obviously you need to be in range to see the network.

Join the existing Wifi network

You will then be prompted with a details page where you enter the passphrase for the existing network and where you can select the name of the new network. This is a bit confusing, because what it actually creates is a new interface. Enter the name wifi. On the firewall settings tab, add this network to the wan zone. This is the crucial step, because the existing wifi will act as the Internet uplink for the guest network.

The joined, existing wifi network

Make sure to save and apply. You should then be able to ping any web page using Network > Diagnostics.

Testing ping

If this works, it is the perfect time to make a backup of the configuration.

Setup the Guest Wifi

The guest wifi also needs a new interface. Go to Network > Interfaces and click Add new. Select Static address as the protocol and assign the name guestwifi. Leave the interface unassigned for now.

Add the guest interface

On the next page, define a static address. This time we use 192.168.3.1 with the default netmask 255.255.255.0. You should also add a public DNS server such as 1.1.1.1 or 8.8.8.8.

Set a static address.

Then click on the firewall tab and create a new zone guestwifi.

Add a new firewall zone

Then click on the DHCP server tab and enable the service.

Enable DHCP service.

Review the settings and save the changes.

The DHCP settings can remain as they are.

Every guest will then get an IP address from the 192.168.3.1 subnet. Save and apply.

Then proceed to Network > Wireless again and create a new wireless guest network. I used the second radio device for this. Click Add, pick Access Point as the mode and give it a name, for instance Guest.

Add the guest network.

Then (and this is very important) go to the Wireless Security tab, pick WPA2 as the encryption standard and set a password you can share with your guests.

Set a password and enable encryption.

The last step is to enable client isolation, which prevents your guests from trying nasty things on each other. You find the setting on the Advanced tab.

Enable client isolation

Now you should be able to connect to the Guest wifi and get an IP address assigned to your client. But it will be pretty boring, because there is no internet yet.

Setup the firewall

The last step involves setting up the firewall. Go to Network > Firewall. First of all we need to ensure that we have separate zones for lan, wan, wifi and guestwifi. The lan and wan zones exist by default; the other two zones, wifi and guestwifi, were created in the previous steps.

The zone overview should look similar to this. We can see that the guestwifi zone may forward to the wan zone. Also make sure that masquerading is enabled for the wan zone (it is by default).

Firewall zones

The details of the guestwifi zone settings are shown below. Note the default reject settings for the INPUT and OUTPUT chains and that the only zone it is allowed to forward traffic to is the wan zone.

Guestwifi zone details

Now we have to set up three traffic rules in order to enable DHCP and DNS for the guests and to prevent them from accessing the other networks and the router web interface.

Enable DNS

Allow port 53 so that guests can resolve names.

Allow DNS

Enable DHCP (ports 67 - 68)

Allow the UDP port range 67 to 68 for DHCP requests.

Guestwifi zone details

Block other networks

In order to separate the guest wifi from our regular wifi and from the router, we block the entire subnets.

Guestwifi zone details
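The LuCI clicks from the guest-interface section through the three firewall rules above correspond to a handful of UCI stanzas. The script below is an added example, not configuration from the original post: it writes the stanzas into a directory for review (on the router they belong in /etc/config/network, dhcp, wireless and firewall) and includes a small check that a restored backup still contains the isolation-relevant settings. The radio names radio0 and radio1, the DHCP pool size and both passphrase placeholders are assumptions, not values from the post; the zone's OUTPUT policy is set to ACCEPT here, as in the OpenWrt guest-wifi documentation, rather than the REJECT shown in the post's screenshot, so that the router itself can answer DHCP and DNS.

```shell
#!/bin/sh
# Added example (not from the original post): OpenWrt UCI stanzas for the
# guest network described above, plus a check for the settings that matter.
# Assumptions: uplink radio is 'radio0', guest radio is 'radio1', and the
# two passphrases are placeholders that must be replaced before use.

write_guest_config() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/network" <<'EOF'
# Uplink: the router is a client of the existing 'Wifi' network (wan zone)
config interface 'wifi'
    option proto 'dhcp'

# Guest network: the router is 192.168.3.1, guests use a public resolver
config interface 'guestwifi'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    list dns '1.1.1.1'
EOF

    cat > "$dir/dhcp" <<'EOF'
config dhcp 'guestwifi'
    option interface 'guestwifi'
    option start '100'
    option limit '150'
    option leasetime '12h'
EOF

    cat > "$dir/wireless" <<'EOF'
config wifi-iface 'uplink'
    option device 'radio0'
    option mode 'sta'
    option network 'wifi'
    option ssid 'Wifi'
    option encryption 'psk2'
    option key 'REPLACE-WITH-EXISTING-WIFI-PASSPHRASE'

config wifi-iface 'guest'
    option device 'radio1'
    option mode 'ap'
    option network 'guestwifi'
    option ssid 'Guest'
    option encryption 'psk2'
    option key 'REPLACE-WITH-GUEST-PASSPHRASE'
    option isolate '1'
EOF

    cat > "$dir/firewall" <<'EOF'
config zone
    option name 'guestwifi'
    list network 'guestwifi'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'guestwifi'
    option dest 'wan'

config rule
    option name 'Guest-Allow-DNS'
    option src 'guestwifi'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Guest-Allow-DHCP'
    option src 'guestwifi'
    option proto 'udp'
    option dest_port '67-68'
    option target 'ACCEPT'

config rule
    option name 'Guest-Block-Other-Subnets'
    option src 'guestwifi'
    option dest 'wan'
    list dest_ip '192.168.1.0/24'
    list dest_ip '192.168.2.0/24'
    option target 'REJECT'
EOF
}

# verify_guest_config DIR: returns 0 only if every isolation-relevant setting
# is present, so a config restored from backup can be checked before applying.
verify_guest_config() {
    dir="$1"; missing=0
    for pair in \
        "wireless:option encryption 'psk2'" \
        "wireless:option isolate '1'" \
        "firewall:option forward 'REJECT'" \
        "firewall:option dest_port '67-68'" \
        "firewall:list dest_ip '192.168.1.0/24'"; do
        file="${pair%%:*}"; pattern="${pair#*:}"
        grep -qF -- "$pattern" "$dir/$file" 2>/dev/null \
            || { echo "missing in $file: $pattern"; missing=1; }
    done
    return "$missing"
}
```

Run write_guest_config on a scratch directory and diff the result against the files in /etc/config on the router; verify_guest_config is the quick test to run on a backup before restoring it, since the client isolation flag and the subnet block rule are exactly the settings that are easy to lose when a device is reset.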

Conclusion

OpenWrt works very nicely once the setup is clear. Some of the naming conventions are a bit confusing, but I guess this is normal given that it is a complex matter. This tutorial shows how to create a guest network on a device which is itself a client in an existing wifi network.

Replacing the UPC Wireless Cable Router with your own WLAN router

After the power supply of my UPC modem died, I made a pilgrimage to the UPC store at Keplerplatz and had the whole device exchanged. The exchange was straightforward, but unfortunately, instead of the traditional modem, I had now finally been handed a Wifi router, something I had always resisted. After all, I run a lovingly configured Netgear WNR 3500L with the alternative firmware TomatoUSB and had no desire to rebuild my setup on the UPC device and give up features. Using your own router is not a problem as such and is also described in the UPC FAQ.

The switch variant

The UPC router can also be used as a switch. In this mode a bridge can be established between the two devices, and the UPC device passes all requests straight through to your own router. Explicit port forwarding on the UPC device is not needed in this variant; it is done only on your own router. To activate this mode, select the corresponding option in the UPC system settings and set it to Bridge Mode. Then restart the UPC router. The device then receives the IP address 192.168.100.1. We enter this IP address for the modem in the TomatoVPN interface, as the following figure shows:

Once you have enabled bridge mode, you can no longer reach the UPC router from the network. The administration interface is only accessible from a PC connected directly to the UPC router. More information on bridge mode can be found here.

The router variant

By default the UPC device works as a router. For two routers to be used together, all ports must also be forwarded between the two routers. First, the WLAN module must be deactivated as described. Then come the local network settings. Unfortunately the instructions are not entirely complete: they forgot to set the DNS server entry to the class A IP address 10.0.0.1 (the IP of the UPC router) as well. With the wrong DNS server IP address, hostnames obviously cannot be resolved and surfing is only fun for those with an excellent memory for IP addresses. The following screenshot shows the working settings.

The diagram of the small home network is shown in the following listing; I created it with ASCII-Flow.

                                                                          +------------+
                                                                          |            |
                                                                        +-+  Android   |
+-------------------+    +------------------+       +---------------+   | |            |
|                   |    |    UPC Router    |       |Netgear Router |   | +------------+
|      Internet     +----+   IP 10.0.0.1    +-------+IP 192.168.0.1 +---+
|                   |    |WAN 234.124.122.13|       | WAN 10.0.0.2  |   | +------------+
+-------------------+    +------------------+       +---------------+   | |            |
                                                                        +-+   Desktop  |
                                                                          |            |
                                                                          +------------+

If you have opened ports via port forwarding, you naturally first have to forward them from the UPC router to your own router, e.g. port 443 to the target machine 10.0.0.2.

Bypassing Blocked Ports in (Public) Wifi Networks

Wifi networks at conferences or hotels often block certain ports, either to enhance security or simply through misconfiguration. Blocking ports can be used to prevent some applications from accessing the internet via the access points. Another use is to force users onto encrypted protocols instead of their clear-text alternatives. To make this simpler, in many cases the ports which should be allowed are whitelisted, and everything else is blocked. If your company mail server uses a rather exotic port for some reason, sending and receiving emails does not work. Eduroam is an example where different policies and configurations are in place, and port 25 of mail servers is often blocked.

You can use the following command to verify if a port is blocked or open:

telnet mail.example.org 25

If you get a timeout after a while, the port is very likely blocked.

Trying 111.222.1.0 ...

telnet: Unable to connect to remote host: Connection timed out

Fortunately SSH allows tunneling connections, as long as its standard port 21 is open, which is often the case. All you need is a server outside of your current network with an SSH-enabled account, which can reach the mail server. The following command establishes such an SSH tunnel: it connects your local port 25 through the encrypted SSH connection to your web server, where the tunnel exits and connects to your mail server.

sudo ssh -L 25:mail.example.org:25 user@web.server.org

You need to enter the password for your user account on the web server here. As soon as the tunnel is established, you can point any service at your localhost, and all traffic on port 25 gets tunneled via your server. If you now try the telnet example again, you should be able to connect.

telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 Email Service

How to establish an SSH tunnel on Windows is described elsewhere.

You can now also use this tunnel in your email program, such as Thunderbird, to send emails and bypass the blocked port by tunnelling. Note localhost as the new server address. This is the only thing you need to change.

In some cases your mail client will detect that the certificate does not match the server name. You then need to accept the certificate warning or add the certificate for your mail server address manually in the dialogue.
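The telnet check and the ssh -L command above can be wrapped in two small shell functions. This is an added example, not part of the original post: port_state reproduces the telnet test with a bounded timeout and tells apart the three outcomes a practitioner cares about (handshake completed, no answer at all, or an immediate refusal), and tunnel_command builds the forwarding command. It assumes bash is installed (for its /dev/tcp pseudo-device) and that the coreutils timeout command exists; the hosts are the post's placeholders and the local port 2525 is a constructed alternative to the post's port 25.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes bash (for /dev/tcp)
# and the coreutils 'timeout' command; host names below are placeholders.

# port_state HOST PORT [TIMEOUT] -> prints one of: open, filtered, refused
#   open      the TCP handshake completed, the port is reachable from here
#   filtered  no answer within TIMEOUT seconds: the post's "blocked" case
#   refused   an immediate failure (reset, unreachable, or unresolvable name)
port_state() {
    host="$1"; port="$2"; secs="${3:-5}"
    rc=0
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo open
    elif [ "$rc" -eq 124 ]; then   # 124 is timeout(1)'s own exit code
        echo filtered
    else
        echo refused
    fi
}

# tunnel_command LOCAL_PORT MAIL_HOST MAIL_PORT SSH_USER@SSH_HOST
# -N: only forward, do not open a remote shell. A local port above 1023
# (e.g. 2525) needs no sudo, unlike the post's local port 25.
tunnel_command() {
    printf 'ssh -N -L %s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Typical session on a network that blocks port 25:
#   if [ "$(port_state mail.example.org 25 5)" = filtered ]; then
#       echo "port 25 is blocked here, start the tunnel with:"
#       tunnel_command 2525 mail.example.org 25 user@web.server.org
#   fi
#   # once the tunnel is running, the local end should report 'open':
#   port_state 127.0.0.1 2525 2
```

Running port_state before and after starting the tunnel gives a quick confirmation that the tunnel is what makes the mail server reachable; if the first call reports refused rather than filtered, the problem is the mail server itself (or name resolution), not the hotel firewall, and a tunnel will not help.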