SECN WAN Options
Author: T Gillett
- 1 Introduction
The VT SECN firmware supports router operation with several alternatives for the WAN port, allowing a variety of ways to connect to upstream networks.
The WAN port alternatives include Ethernet, WiFi, USB Modem and Wireless Mesh.
The use of WiFi and Wireless Mesh WAN ports in particular allows you to construct entirely wireless, cell based networks covering a campus area, or larger areas with the use of long shot links.
In all active WAN Port modes, the SECN device operates as a router, with a LAN interface (typically with bridged Ethernet and WiFi ports), and a WAN interface (typically Ethernet), with Firewall rules and Network Address Translation (NAT) operating in between.
LAN and DHCP Server Settings
The LAN interface operates by default on the IP address 10.130.1.20.
There is a DHCP server available to operate on the LAN interface, however it is disabled by default.
When enabled, it will provide default IP addresses in the range 10.130.1.200 to .240, with Gateway set to the device address of 10.130.1.20 and DNS Server set to 22.214.171.124.
The LAN and DHCP settings are located on the SECN Advanced configuration page.
The WAN settings may be accessed by selecting the SECN Advanced configuration page, then selecting the WAN tab.
By default the SECN firmware has the WAN mode set to Disabled.
Like any router, the LAN and WAN interfaces on a SECN device must be set to different IP address ranges (subnets) for correct router operation.
There is a facility to forward the LAN side SSH (port 22) and HTTPS (port 443) ports to the WAN side on ports 2222 and 4433 respectively. This facility can be enabled by a checkbox located on the WAN configuration page.
With Port Forwarding enabled, the router can be accessed for remote management from the WAN side, although the Primary IP address may have been assigned automatically by an upstream DHCP server.
SSH is enabled when the root password has been set. To connect via SSH to the default Secondary WAN IP address, use the command:
$ ssh -p 2222 email@example.com
SSL is enabled when the "Enable SSL" checkbox on the SECN Basic configuration page has been ticked, and the device restarted. To connect via HTTPS to the default Secondary WAN IP address, use the URL:
Primary WAN IP Address
By default, when it is enabled, the WAN interface operates as a DHCP Client and gets its Primary IP address, Gateway and DNS Server IP addresses from an upstream DHCP server.
There is an option to change to Static addresses.
Note that for Mesh WAN mode, using DHCP may be problematic as it takes some time on startup to establish the mesh connections, and the DHCP request from the node may time out before the link is established. It is preferable to use Static IP addressing for the Mesh WAN mode where possible.
Secondary WAN IP Address
In the Ethernet and Mesh WAN modes there is a Secondary IP address that operates on the WAN interface.
This static address may be used to access the router for remote management from the WAN side.
Ethernet WAN Mode
This is the conventional mode of operation for a normal router and allows the SECN device to connect to an upstream router/switch via an Ethernet cable.
When connected to an upstream device (router/switch/modem), the SECN device will appear as a single IP address to the upstream device, while providing network access for a number of client devices connected to it.
The SECN router typically has a number of physical Ethernet connectors, of which one is usually designated for WAN use. By default, in WAN Port Disabled mode, the SECN firmware makes this designated WAN port inactive.
If the WAN Port is selected to be Ethernet, then the WAN Ethernet port is made active.
By default, the WAN IP Mode is set to operate the Ethernet port as a DHCP client.
To set a static IP address for the port, select Static mode and enter the appropriate IP addresses for IP, Netmask, Gateway and DNS.
In the SECN WAN configuration page, there is a checkbox titled 'Set WAN socket to LAN'. Selecting this checkbox makes the designated WAN Ethernet port operate as an additional LAN Ethernet port. This setting may be used when the SECN device is in any WANPort mode except Ethernet.
For devices like the TP Link MR3020 which have only a single physical Ethernet port, the SECN firmware will operate this port as a LAN port by default, and will change it to a WAN port if WAN Port mode is selected as Ethernet.
WiFi WAN Mode
In this mode of operation, the SECN device operates a WiFi Station (Client) interface as the WAN port. This allows the SECN device to connect to an upstream host WiFi Access Point to provide network access.
The SECN device will appear as a single WiFi client to the upstream host Access Point, while providing network access for a number of local client devices connected to it. The SECN device will operate its own local Access Point and Ethernet connections on the LAN side to allow client devices to connect.
This mode of operation may be useful, for example, where there is a community WiFi Access Point providing Internet Access, and a classroom with a number of client devices.
Instead of connecting each individual client device directly to the community Access Point, it is possible to use the SECN device as a single client, located in a position where it has a strong signal, and to provide access for local clients via Ethernet or the WiFi Access Point on the SECN device.
The local clients operate in their own private network address range, while having access to upstream network resources such as Internet gateway and file servers, via the main WiFi link.
The WAN WiFi port may use DHCP or Static IP address settings to match the upstream network.
To connect to the upstream Access Point, the WiFi WAN Host settings for SSID, Passphrase and Encryption must be set to match the upstream host Access Point (see Note below).
The status of the connection to the WiFi host is displayed on the Status page in the Node Signal Strength section.
1. WAN WiFi mode will always disable the mesh interface as the two interfaces can not co-exist in the same radio device. When switching to another mode, you will need to enable the mesh interface manually on the Advanced page as part of setting up the new mode.
2. The Access Point interface will not operate unless the Station interface is operating correctly i.e it is associated with the host AP with correct SSID, Passphrase and Encryption type.
3. Upstream printers may not be available to client devices due to the fact that the printer is in a different network subnet. This depends on the protocol used by the printer.
WiFi Relay WAN Mode
In this mode of operation, the SECN device operates as a WiFi Relay using a WiFi Station (Client) interface connected to an upstream WiFi Access Point.
Within the device, traffic between the WiFi Station (Client) interface and the LAN interface of the SECN device is routed using the relayd package, which provides a pseudo-bridge between the two network interfaces.
The WiFi Station interface is set up to connect to an upstream WiFi Access Point by configuring the appropriate SSID, Passphrase and Encryption parameters.
Other devices connected to the SECN node via Ethernet or WiFi will be transparently connected to the upstream device, just as if they were attached to it directly.
DHCP requests from a connected device will be handled by the upstream device. The DHCP service on the SECN node should thus be disabled for normal operation.
The SECN configuration interfaces (SSH or HTTP) will be available on the device's LAN IP address, by default 10.130.1.20
Note that this LAN address *must* be in a different IP subnet to that of the upstream Access point, or the relayd software will not operate correctly.
The SECN device itself will have access to upstream network resources. For example if the upstream Access Point provides Internet access, then the clock on the SECN device will be set automatically by the NTP process.
Mesh WAN Mode
This mode is similar to the WiFi mode above, but instead of a simple point-to-point WiFi connection to the host, the WAN interface forms part of a mesh network, with each node of the mesh able to pass data to other nodes. The SECN device will operate its own local Access Point and Ethernet connections on the LAN side to allow client devices to connect.
This mode of operation may be useful, for example, where there is a community WiFi Mesh Network providing Internet Access. Instead of connecting each individual client device directly to the community Access Point, it is possible to use the SECN device as a single mesh node, located in a position where it has a strong signal, and to relay the data stream to local clients via Ethernet or the SECN device WiFi Access Point.
In this mode of operation the local clients operate in their own private network address range, while having access to upstream network resources such as an Internet gateway, file servers and printers, via the mesh network.
The Mesh settings for BSSID, SSID, IP Address and Netmask are located on the SECN Advanced configuration page, and these must be set up to match the host mesh.
It is preferable to set the IP Addressing mode to Static for Mesh WAN mode due to potential timing issues with DHCP requests as the mesh initially starts up. Static IP address parameters should be set match the upstream gateway node on the mesh.
Note that Mesh WAN mode will always enable the mesh interface, even if it has been disabled manually on the Advanced page, or by the WiFi WAN mode.
USB Modem WAN Mode
In this mode of operation, a USB Modem may be plugged in to the SECN device in order to provide Internet access.
Client devices attached to the SECN device via its LAN interfaces (Ethernet, WiFi or mesh) may then access the Internet through this shared connection.
The settings for the USB modem appear on the WAN configuration page, along with some status information showing details of the USB device connection. The process for setting up the USB Modem connection is outlined below.
Setting Up a USB Modem Connection
The process for setting up a USB 3G modem in the SECN WAN configuration screen is as follows:
- Plug in the USB Modem and then power up the MP02
- Go to SECN Advanced / WAN page
- Select WAN Mode 'USB Modem'
- Scroll down to USB Modem section and look to see if the device has been detected in the status area.
- Get the Vendor and Product IDs from the detection string and copy them into the required fields.
- Select the USB Modem Service type. UMTS is default for 3G services.
- Set the Service APN field as per your telco service provider eg in Au it is 'telstra.internet' for the Telstra telco.
- Select the USB Serial Port. (Google is your friend to find this out for your particular USB modem. Otherwise trial and error - 0 and 2 are common values).
- Username, Password and (SIM card) PIN fields can be left blank unless your SIM Card / Service requires them.
- Click on 'Save' button and check the settings when the screen refreshes.
- Power cycle the device.
- Check to see if the USB Serial Ports have been detected in the status area. This means that the device ID parameters are correct.
- Check to see if the modem has connected to the service provider in the USB Modem Status line. This depends on the USB Serial port setting being correct, and also on the PIN, Username and Password if these settings are required by your SIM card and service provider.
- If you have to try different settings, it is best to save the settings then power cycle the device, otherwise the USB modem may not initialise correctly.
The easiest set up is with no PIN number on the SIM card, and no Username/Password on the service.
In this case it is just a matter of getting the correct APN and USB Serial port setting.
For debugging, the output from 'dmesg' and 'logread' commands can give an indication about how the PPP connection establishment has worked.
The chat files for the two different modem types are located in /etc/chatscripts/. These are created by the SECN GUI so don't try to edit them by hand as they will be overwritten.
There is a VillageTelco wiki page on how to set up USB Modem from scratch here:
There is a reference there to the OpenWrt Recipe page also.
There is a great range of USB modem devices on the market. The handling of particular device types is done by the Modeswitch package and its database Modeswitch-Data. The database contains configurations for devices current at the time of the SECN firmware build, but obviously new devices get added over time and your particular device may not be included. In this case you may have to create a new entry in the database by manually editing the database file.
The forum at the project site for the USB-Modeswitch package is a very good place to get help for particular devices.