The number of network devices in our house has increased significantly recently. With two Apple TVs, a wii, iPad, two iPhones, a Kindle, an xbox, two laptops, a desktop and a nettop, my creaky old AirPort Extreme was struggling to cope, particularly streaming media across the network. I also need to bridge two sections of wired network and as I need to reach the work network from several devices at home, I wanted to share a VPN connection into the office. All of this took some figuring out and some heavy googling, so in the interests of helping out anyone with a similar problem, here’s what I did.
- A simultaneous dual-band wireless-n router at the gateway
- A normal dual-band wireless-n router to bridge to the LAN
- Gigabit switches at both ends
- dd-wrt support on both devices (PPTP support at the gateway, and bridging or WDS at the LAN)
- Same chipset on both routers for compatability
I ended up with a Cisco Linksys WRT610n for the gateway router, and a Cisco Linksys WRT320n for the LAN bridge. Both second-hand/refurbished models from eBay. Total cost £80.
- Flash the WRT610n with dd-wrt.
- Create two wireless networks. The 2.4GHz carries 802.11b/g/n for maximum compability. The 5GHz carries 802.11n for maximum bandwidth.
- Add a virtual interface to the 5GHz network with its own SSID to carry the inter-router link.
- Set WPA2 AES encryption on all networks with pre-shared key.
- Connect to the cable modem, reboot and check that internet connection is established by connecting with the iPad to each of the wireless networks in turn and web surfing.
LAN Bridge Configuration
I wanted to use WDS to link the two routers but I ran into some problems. I could establish a connection, but the link bandwidth fluctuated significantly, and I also couldn’t get PPTP traffic to tunnel successfully. Data transfer over the VPN stalled for larger packets. This is a classic symptom of incorrect network MTU but despite resorting to packet sniffing, I couldn’t get this working properly. I ended up using dd-wrt Repeater Bridge mode which solved these problems straight away. The steps were:
- Flash the WRT320n with dd-wrt.
- Disable the WAN connection and give the router a static IP address (192.168.1.2) with the gateway router’s IP as the gateway address.
- In “Advanced Routing”, set the Operating Mode to “Router”.
- In Wireless Basic Settings, set the Wireless Mode to “Repeater Bridge”, and the Wireless Network Mode to “N-Only (5 GHz). Give it the same SSID as the inter-router link in step 3 of “Gateway Configuration”
- Add the appropriate Security Mode, WPA Algorithm and WPA Shared Key in the “Wireless Security” section.
- Under “Services -> Services”, Disable DNSMasq (which turns off the DNS and DHCP servers).
- Reboot, connect the desktop PC to the gigabit switch on the bridge router, check it picks up an IP address from the gateway DHCP server and that it can reach the internet.
At this point, I added the rest of the wireless and wired devices to the network and checked that things were working properly. AirPlay working from an iPhone to one of the Apple TVs, streaming audio and video from the PC to the TVs and download content from the internet were all evidence that dd-wrt was correctly bridging between the different networks and things were behaving properly.
The final stage was the VPN, and this is where information online started to run a bit thin.
DD-WRT, PPTP VPN, routing DNS queries correctly and handling unqualified hostnames
The requirements for the VPN connection were:
- The gateway router establishes the VPN connection and handles routing.
- Only work traffic crosses the VPN – everything else gets routed straight to the Internet.
- Home LAN access to the work LAN is NATted to remove the need to add routes back to the home LAN.
- Unqualified hostnames are in use both on the host LAN and on the work network.
- DNS resolution for the work domain should be handled by the work internal DNS servers; DNS resolution for the home LAN should be handled locally; everything else gets handled by my ISP’s DNS servers.
- All LAN client configuration is done via DHCP, so that all devices including the iPhones and iPad will work immediate on connection.
Steps 1 to 3 are straightforward:
- On the Gateway router, under Services->VPN, enable the PPTP Client.
- Use the IP address rather than the DNS name for the server – this will not change frequently, and makes DNS configuration more straightforward.
- Configure the remote Subnet and Subnet Mask as appropriate – my work uses an RFC1918 Class A address space.
- I changed the MPPE Encryption settings to “mppe required,no40,no56,stateless”. This was in the middle of my “trial and error” phase of trying to troubleshoot WDS – it might not therefore be necessary but if it works, it won’t hurt!
- Leave MRU and MTU as the defaults. Enable NAT and complete the User Name and Password fields as appropriate. NB if this is authenticating against a Windows domain, you need to put username in the form DOMAIN\\username.
- Hit “Apply Settings”. Reboot the router.
If all is well, you should now be able to ping IP addresses of machines on your work network from client machines on the home LAN. traceroute should also show that this traffic is being carried across the VPN, where traceroute to www.bbc.co.uk goes via your gateway and across your ISP’s networks in several hops.
Next step is to confirm that you can reach your work DNS servers. Ping them first, and then attempt a hostname lookup: our intranet server is called “intranet” so “nslookup intranet <WORK DNS IP>” should return the correct IP address. To complete requirements 4-6, we need to use the dd-wrt DNS/DHCP server DNSMasq to manage home LAN DNS registrations, pass off work DNS queries to the work servers over the VPN, to send the rest to the ISP and to send appropriate search domain information to all LAN DHCP clients so unqualified hostname resolution will still work. I have to admit that these settings were reached through some trial and error so there could be a better way of doing this. But at least this works:
- In “Services->Services”, under “Services Management” “DHCP Server”, add a local value to LAN Domain. I use “marlow.org.uk” here. This will be added to the hostnames of your LAN devices while they’re on the home network to give them an FQDN.
- DNSMaq should already be enabled, but you should enable “Local DNS” and disable “No DNS Rebind”.
- In “Additional DNSMasq Options”, add the following (changing the bits in red):
dhcp-option=15,"workdomain.com homelandomain.org.uk" strict-order no-resolv no-poll server=/workdomain.com/ipaddressofworkdnsserver server=yourispprimarydnsip server=youridpsecondarydnsip
- Hit “Apply Settings”
- Renew the DHCP lease of one of your home LAN clients and check that DNS resolution is behaving as expected by pinging www.bbc.co.uk, followed by the unqualified hostname of a machine on the work network and then one of the clients on your home network.
- Pour yourself a stiff drink.