Mar 29, 2013

Separate WLAN in DD-WRT

If you have a DD-WRT device, you can configure the WLAN to be completely separate from the LAN while still giving it an internet connection. That means the WLAN subnet won't be able to access any device in the LAN subnet, but it will still be able to pass through the router/modem to get internet access.

The basic configuration consists of the following:
  1. Create a new bridge with a new subnet address that will contain the WLAN interface.
  2. Add DHCP service to the new subnet if needed.
  3. Configure the firewall settings to set up the WLAN.
The first two are self-explanatory, but for the third one you have to insert the following in the firewall rules, then save and apply it:

# NAT traffic leaving through the WAN interface
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# Forward new connections coming from br1. -I inserts at the top of the chain,
# so the DROP inserted further down ends up ahead of this ACCEPT.
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Drop new connections from br1 to the LAN subnet
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# DHCP (67/udp) and DNS (53/udp, 53/tcp) on the router for br1 clients
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
# Download limit: 1024kbit on br1
TCA="tc class add dev br1"
TFA="tc filter add dev br1"
TQA="tc qdisc add dev br1"
SFQ="sfq perturb 10"
tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 1024kbit
$TQA parent 1:1 handle 10: $SFQ
$TFA parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:1
# -d takes the WLAN subnet (value not shown here)
iptables -t mangle -A POSTROUTING -d -j MARK --set-mark 10
# Upload limit: 512kbit on imq0
TCAU="tc class add dev imq0"
TFAU="tc filter add dev imq0"
TQAU="tc qdisc add dev imq0"
insmod imq
insmod ipt_IMQ
ip link set imq0 up
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit
$TQAU parent 1:1 handle 10: $SFQ
$TFAU parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:1
# -s takes the WLAN subnet (value not shown here)
iptables -t mangle -A PREROUTING -s -j MARK --set-mark 10

With the above rules we're doing the following:
  • Allowing the WLAN subnet to access the internet.
  • Dropping new connections from the WLAN subnet to the LAN subnet.
  • Allowing the WLAN subnet to access the DNS and DHCP servers.
  • Limiting WLAN bandwidth to 1024kbit/512kbit download/upload speed.
Take note that in the example above, the bridge with the WLAN interface is named br1 and the bridge with the rest of the interfaces is br0, also the WLAN subnet is
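
A check for the rule order the script above relies on, as an added example that is not part of the original post: it reads `iptables -S FORWARD` output and reports whether new connections from the guest bridge reach the LAN DROP rule before any ACCEPT rule. The function name, the LAN subnet 192.168.1.0/24 and both sample listings are constructed assumptions, and it assumes the router's iptables build supports `-S`.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `iptables -S FORWARD`
# output on stdin; prints isolated, exposed or no-rule.
#   $1 guest bridge (br1), $2 LAN subnet in CIDR form as iptables prints it
#   (assumed value in the samples), $3 LAN bridge (br0)
# Negated matches ("!") and -s/-p restrictions are not interpreted.
check_wlan_isolation() {
    awk -v br="$1" -v lan="$2" -v lanbr="$3" '
        $1 != "-A" || $2 != "FORWARD" { next }
        {
            in_if = out_if = dst = st = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
                if ($i == "--state" || $i == "--ctstate") st = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (in_if != "" && in_if != br) next          # other interface
            if (out_if != "" && out_if != lanbr) next     # not towards the LAN
            if (dst != "" && dst != lan) next             # other destination
            if (st != "" && st !~ /(^|,)NEW(,|$)/) next   # not NEW traffic
            if (target == "DROP" || target == "REJECT") { verdict = "isolated"; exit }
            if (target == "ACCEPT") { verdict = "exposed"; exit }
        }
        END {
            if (verdict == "") verdict = "no-rule"
            print verdict
            exit (verdict == "isolated" ? 0 : 1)
        }'
}
# Constructed samples. The first is the order the script in the post yields
# (each -I lands on top); the second has the DROP after the ACCEPT instead.
sample_inserted() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
EOF
}
sample_appended() {
    cat <<'EOF'
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP
EOF
}
```

On the router, pipe the live chain into the function after applying the firewall script; a non-zero exit status means the first rule matching new br1-to-LAN traffic is not a DROP.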

Mar 26, 2013

Wake from USB

Suspending your system and waking it up again can be a little painful with the newest Linux kernels. That's mainly because the ACPI directory under /proc is deprecated and changes made to /sys are cleared on reboot. With this in mind, we're going to see how to set up a USB device to wake the PC from suspend and how to make that change so it won't be cleared on reboot or shutdown.

If you're using kernel 3+, it's better to compile the deprecated /proc/acpi files into the kernel, to make things easier:

Power management and ACPI options  --->
  [*] Power Management support
    [*] ACPI (Advanced Configuration and Power Interface) Support  --->
      [*] Deprecated /proc/acpi files

Enabling a device to wake up the system
To enable a device to wake up the system, you need to set the device in both /proc/acpi/wakeup and /sys/bus/usb/devices/[usb_num]/power/wakeup. You can get the usb_num of your device either by testing one by one or with lsusb. Take note that if you swap your device or connect it to another USB port on your computer, you need to change the number here as well.

ZOTAC ~ # cat /proc/acpi/wakeup

Device  S-state   Status   Sysfs node
P0P8      S3    *disabled  pci:0000:00:1e.0
USB0      S3    *enabled   pci:0000:00:1d.0
USB1      S3    *enabled   pci:0000:00:1d.1
USB3      S3    *enabled   pci:0000:00:1d.3
echo enabled > /sys/bus/usb/devices/usb3/power/wakeup

Making the setting persistent
To make the settings persistent you can do one of two things: use a local.d script or create an initscript. Since the script will be just one line, I've decided to go with the local.d option. The idea is to just set the enable flag on the device so it will always be enabled:

echo enabled > /sys/bus/usb/devices/usb3/power/wakeup