Sunday, February 24, 2008

openwrt and wrt54gl - separate wireless from lan

I've always wanted to get one of those WRT54GLs (the Linksys wireless router that you can flash your own Linux onto) and was motivated to make the purchase after hearing good things from a friend at work. The WRT arrived last Thursday and I had it flashed with the latest OpenWrt within 5 minutes. There is always that dread that you just bricked your 50 dollar toy while you wait for the firmware to upgrade and the device to reboot. Within 2 minutes, though, I was telnetting to my router and was greeted with a pleasant banner:

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec   mixture into 10 shot glasses.
  * 10 oz lime juice   Salute!
 ---------------------------------------------------
root@OpenWrt:~#

Fantastic! The first thing I wanted to learn was how to configure iptables so I could pass traffic from the WRT's clients through to my uplink, but prevent any access to the other machines on my home LAN. This would seem to be a fairly common request, and I found tons of pages with tips and such, but nothing as straightforward as I wanted. I eventually spent time with the iptables tutorial and worked out the following command:

iptables -A FORWARD -m iprange --dst-range 192.168.1.2-192.168.1.255 -j DROP
This is exactly what I needed. First, I learned that the 'FORWARD' chain handles network traffic that is not destined for the router itself, which means traffic headed either for my LAN or for the internet. My uplink router's IP is 192.168.1.1 and that is the only 192.168.1.x address I want forwarded between my two segments, so the range in the rule starts at .2. Once I ran that command, I could ping external machines but nothing on my LAN.

After that success, I moved on to the real topic: separating wireless from LAN. I run an open wireless router with ESSID broadcasting. This means that anyone close enough to the router can associate and connect. I'm comfortable with this setup; however, the default config for all WiFi routers is to bridge the wireless with the wired connections. This just makes sense for most folks. My preference is to ensure that whoever connects to the WiFi link can't attempt to connect to, crack or DoS anything on the LAN. I finally stumbled upon exactly what I needed. As usual, the hardest part is knowing what to look for when searching on Google. I knew that I first needed to remove the wireless interface on the WRT from the software bridge that allows traffic between WiFi and the LAN. After separating them, some firewall changes are needed if the WiFi segment is to be able to reach the internet. The guide to making that happen was on the OpenWrt wiki. In about 5 minutes, I had it all working. I skipped over the Shorewall config and chose to use a modified version of the 'Using OpenWrt Stock Scripts' section. I removed the last two lines, which allowed traffic between WiFi and LAN; that is exactly what I don't want. The line above them is still needed to ensure that WiFi traffic is allowed out to the WAN. Here is what I added to the 'allow' section:

# $WIFI, $WAN and $LAN are the interface names set earlier in the stock firewall script
# wireless-to-wireless OK
iptables -A FORWARD -i $WIFI -o $WIFI -j ACCEPT
# wireless to WAN, if WAN present
[ -z "$WAN" ] || iptables -A FORWARD -i $WIFI -o $WAN -j ACCEPT

# wifi to lan -- OFF
#iptables -A FORWARD -i $WIFI -o $LAN -j ACCEPT
# lan to wifi -- OFF
#iptables -A FORWARD -i $LAN -o $WIFI -j ACCEPT
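Putting the two halves of this post together, here is an added example (my own sketch, not the stock firewall script or the wiki's code) that generates the complete set of FORWARD rules: the uplink-LAN range drop from earlier, scoped to the wireless interface only, placed ahead of the WiFi-to-WAN accept so that the accept cannot shadow it, plus explicit drops between WiFi and the wired ports. Interface names, the address range and the variable names are assumptions; by default it only prints the commands so you can review them before pointing IPT at the real iptables.

```shell
#!/bin/sh
# Added example: FORWARD rules for an open WLAN that may reach the WAN but not
# the router's wired LAN ports, nor the uplink LAN behind the WAN port.
# Interface names and the address range below are assumptions for illustration.
WIFI="${WIFI:-wl0}"                 # wireless interface, once taken out of the bridge
LAN="${LAN:-eth0.0}"                # wired switch ports
WAN="${WAN:-eth0.1}"                # port towards the uplink router
UPLINK_LAN_RANGE="${UPLINK_LAN_RANGE:-192.168.1.2-192.168.1.255}"  # everything but the uplink router
# Set IPT=iptables on the router; the default only prints the rules (dry run).
IPT="${IPT:-echo iptables}"

wifi_isolation_rules() {
    # Return traffic for connections the WLAN opened must get back in; if the
    # surrounding script does not already accept ESTABLISHED,RELATED, the
    # WLAN->WAN accept below would otherwise give a one-way link.
    $IPT -A FORWARD -o "$WIFI" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Block the uplink LAN before the WLAN->WAN accept: rules match in order,
    # and an accept appended first would make this drop unreachable.
    $IPT -A FORWARD -i "$WIFI" -m iprange --dst-range "$UPLINK_LAN_RANGE" -j DROP
    # wireless-to-wireless OK
    $IPT -A FORWARD -i "$WIFI" -o "$WIFI" -j ACCEPT
    # wireless to WAN, if WAN present
    [ -z "$WAN" ] || $IPT -A FORWARD -i "$WIFI" -o "$WAN" -j ACCEPT
    # WLAN <-> wired LAN: drop explicitly rather than rely on the chain policy
    $IPT -A FORWARD -i "$WIFI" -o "$LAN" -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$WIFI" -j DROP
}

# Lists the chain with rule numbers and packet counters, so the order and the
# hit counts can be checked on the router after loading the rules.
show_forward_chain() {
    $IPT -L FORWARD -n -v --line-numbers
}

wifi_isolation_rules
```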

The next step, of course, is to start playing with QoS on the WiFi link. I want to ensure that OpenVPN traffic over WiFi is prioritized over everything else.
