I’ve installed DD-WRT on a WRT54GS and configured it as a router that bridges the wireless AP, the ethernet and WAN connection. I didn’t want DD-WRT configured as a “gateway” as that means NAT and I didn’t want that: my firewall is already doing NAT, so I wanted DD-WRT to just route traffic upstream.
Here’s a diagram of how I set things up:
I wanted the WRT54GS to bridge the 172.16.113.0/24 network on its WAN port (interface vlan1), which connects to the firewall, with the same 172.16.113.0/24 network on the wireless AP side (interface br0). The firewall’s NIC was configured as 172.16.113.1. The WRT54GS’s WAN port was configured with a static IP of 172.16.113.254 and a gateway of 172.16.113.1. The local IP was configured as 172.16.113.253 with no gateway. The VLANs were configured so that everything (all 4 wired switch ports, the WAN port, and wireless) was assigned to the “LAN” bridge.
This looks like it all should have worked, but it didn’t. What I finally ended up having to do was add a small startup script to make the final adjustments. I’m going to share the steps to set that script here, since I know I’ll forget them:
    nvram set rc_startup='
    # answer ARP for the other side of the bridge on both interfaces
    echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp
    echo 1 > /proc/sys/net/ipv4/conf/vlan1/proxy_arp
    # reach the firewall directly over the WAN port
    ip route add 172.16.113.1 dev vlan1
    # replace whatever default route exists with one via the firewall on vlan1
    ip route delete default
    ip route add default via 172.16.113.1 dev vlan1
    '
    nvram commit
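Because the firewall is the only place policy is enforced in this setup, it is worth checking after a reboot that the startup script actually produced the state it is supposed to: proxy ARP on both br0 and vlan1, a host route to 172.16.113.1 on vlan1, and a default route via 172.16.113.1 on vlan1. The following checker is an added example, not part of the original post or of DD-WRT; the interface names and addresses are taken from the post, the function names are my own, and the two route tables embedded below are constructed samples of `ip route show` output so the logic can be exercised away from the router.

```shell
#!/bin/sh
# Added check (not from the original post): verify the routing state the
# rc_startup script is meant to leave behind. The check functions take
# their input as arguments so they can be run against sample text offline.

FW=172.16.113.1      # firewall address, from the post
WAN_IF=vlan1         # WAN port toward the firewall
LAN_IF=br0           # bridge carrying the switch ports and wireless

# check_proxy_arp VALUE -> success if the sysctl value is "1"
check_proxy_arp() {
    [ "$1" = "1" ]
}

# check_routes ROUTE_TABLE_TEXT -> success only if both routes the startup
# script adds are present: the host route to the firewall on vlan1 and the
# default route via the firewall on vlan1
check_routes() {
    routes="$1"
    printf '%s\n' "$routes" | grep -q "^$FW dev $WAN_IF" || return 1
    printf '%s\n' "$routes" | grep -q "^default via $FW dev $WAN_IF" || return 1
    return 0
}

# live_check reads the real kernel state; run this on the router itself
live_check() {
    check_proxy_arp "$(cat /proc/sys/net/ipv4/conf/$LAN_IF/proxy_arp)" \
        || { echo "proxy_arp is off on $LAN_IF"; return 1; }
    check_proxy_arp "$(cat /proc/sys/net/ipv4/conf/$WAN_IF/proxy_arp)" \
        || { echo "proxy_arp is off on $WAN_IF"; return 1; }
    check_routes "$(ip route show)" \
        || { echo "host route to $FW or default route via $FW on $WAN_IF is missing"; return 1; }
    echo "routing state matches the startup script"
}

# Constructed sample: what `ip route show` should look like after the script ran.
SAMPLE_GOOD="172.16.113.1 dev vlan1 scope link
172.16.113.0/24 dev br0 proto kernel scope link src 172.16.113.253
default via 172.16.113.1 dev vlan1"

# Constructed sample: the state before the script, with no default route at all.
SAMPLE_BAD="172.16.113.0/24 dev br0 proto kernel scope link src 172.16.113.253"
```

On the router, source the file and call `live_check`; a non-zero exit with one of the messages above tells you which part of the startup script did not take effect, which is exactly the situation where clients might still get an address but not reach the firewall.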
And with that, everything works. Clients can connect wirelessly or wired, get assigned an IP via DHCP in the 172.16.113.0/24 network, and get routed up to the firewall, which enforces all my security and routing policies.
What I’d like to do next is play with the AP isolation setting to keep the wireless clients from being able to snoop on the wired connections. I like to keep this configured as an open wi-fi access point, but I don’t want someone who roams up to be able to see the activity of the wired clients. But, for now, what I’ve got working is good enough.