Up to parent page

Configuring a Linksys WRT54GL Router as a Bridging Access Point

These directions are written for the Backfire 10.03.1 release.

Installing the Firmware

Previous releases of OpenWRT supported the WRT54GL’s wireless interface only via Broadcom’s proprietary driver for Linux 2.4, so it was necessary to use the brcm-2.4 build of OpenWRT. As of the Backfire release, the WRT54GL’s wireless is supported by the mac80211 driver, so it’s possible to use the brcm47xx build of OpenWRT, based on Linux 2.6, instead.

Upgrading an Existing Installation

Upload the .trx file to /tmp on the router and run: mtd -r write openwrt-brcm47xx-squashfs.trx linux

After Installation

After the firmware update and reboot, the router is operating in its default out-of-the-box configuration: there’s a DHCP server running on the LAN ports, handing out IP addresses in the range, and the wireless is disabled for safety. The WAN port will try to get an IP address via DHCP.

For the next stage of the configuration, you’ll need a computer connected to the router’s LAN port. Connect something to one of the four LAN ports and let it get an IP address. Make sure the address you get begins with 192.168.1; if it doesn’t, either your router hasn’t been reflashed, or you’re connected to something other than the router.

The router’s IP address is It has a Telnet server running, which you’ll use to log in and get a shell on the router. No password is needed to log into the telnet server; the router is unsecured at this point, because you haven’t chosen a password yet.

Since Telnet isn’t very useful these days (it’s been obsoleted by SSH), I don’t install Telnet software on my PCs, and I don’t want to have to install a Telnet client temporarily just for the purpose of configuring this router. Therefore, I use the Netcat tool for connecting to the router’s Telnet server: nc 23 will give you a shell on the router. (Since Netcat doesn’t use the Telnet protocol, this method of connecting lacks many of the niceties you’d have with Telnet, such as the ability to use the up/down arrow keys to scroll through your command history, but that’s OK since we only need to run a few simple commands on the router anyway.)

Understanding OpenWRT Configuration

The “Kamikaze” series of OpenWRT releases have all their configuration settings stored in a collection of files in /etc/config. You can edit these files directly if you like, but the preferred way to manage the router’s configuration is with the uci tool, which provides a simple front-end interface to the files in /etc/config.

Run uci show to get a list of all the configuration properties that are currently defined. You’ll see that they’re hierarchial, with names like network.lan.type and wireless.wl0.disabled. You can use a command like uci show network.lan to look at just a particular subset of the configuration, rather than the whole thing.

To change the value of a configuration propery, or define a new property, use uci set. To delete an existing property, use uci del. There are some other uci subcommands as well; run uci with no arguments for more information.

The changes you make with uci are kept only in memory initially. The command uci commit updates the files in /etc/config from the in-memory configuration, so that they won’t be forgotten when the router reboots.

Disabling the WAN Interface

OpenWRT’s default configuration defines two logical network interfaces: the “LAN” interface and the “WAN” interface, which are configured by the uci sections network.lan and network.wan respectively. The LAN interface is meant for connecting to “your” network, and the WAN interface is meant for connecting to an external network, such as an Internet connection provided by your ISP.

By default, the WAN interface uses DHCP to get an IP address from the external network, and routes traffic from the LAN using IP Masquerading (commonly referred to as “NAT”, but masquerading is actually just one particular type of NAT). This is appropriate for using the WRT54GL as a router, but since we want to use it simply as a wireless access point for a LAN, we don’t want it doing any routing. Therefore, we need to disable the WAN interface.

The network.wan.proto configuration property controls how the WAN interface is assigned an IP address. The default value of dhcp means to get an IP address from the external network via DHCP. Changing this property to none will disable the WAN interface: it will not be configured with an IP address, and no routing will be done.

Run uci set network.wan.proto=none to disable the WAN interface.

Changing the LAN Interface from a DHCP Server to a DHCP Client

By default, OpenWRT expects to be acting as the DHCP server for the LAN: the LAN interface is configured with a static IP address of, and it hands out addresses in the 192.168.1.x range to other computers on the LAN. Since we want to use this access point on a network that already has a DHCP server, we need to configure OpenWRT to act as a DHCP client rather than as a DHCP server: that is, to get its IP address by requesting it from the DHCP server rather than using a fixed address of, and to refrain from handing out DHCP leases of its own.

The network.lan.proto configuration property controls how the LAN interface is assigned an IP address. The default value of static means to use a predefined address. The static address is controlled by the network.lan.ipaddr and network.lan.netmask configuration properties, which are set to and respectively. Changing the network.lan.proto property to dhcp will cause the LAN interface to obtain an IP address via DHCP rather than using the statically-configured one.

The dhcp.lan group of configuration properties controls the DHCP server for the LAN interface. The dhcp.lan.start, dhcp.lan.limit, and dhcp.lan.leasetime properties control the range of addresses handed out by the DHCP server. We need to disable this DHCP server, which is done by setting a new property, dhcp.lan.ignore, to 1.

(Note that the dhcp.lan.interface property is set to lan, which is the reason why the dhcp.lan group controls the DHCP server on the LAN interface, network.lan. There’s also a dhcp.wan group which controls the DHCP server on the WAN interface — that is, dhcp.wan.interface is set to wan — and it’s disabled by default.)

Run uci set network.lan.proto=dhcp to enable the DHCP client on the LAN interface, and then run uci del network.lan.ipaddr and uci del network.lan.netmask to remove the static IP configuration. (Alternatively, you can set these to appropriate values for your network, and they'll be used as a fallback if the DHCP client fails, e.g. if the LAN’s DHCP server is not responding.)

Run uci set dhcp.lan.ignore=1 to disable the DHCP server on the LAN interface, and then run uci del dhcp.lan.start, uci del dhcp.lan.limit, and uci del dhcp.lan.leasetime to remove the DHCP server's address configuration.

(Note, The dhcp.@dnsmasq[0] group of configuration properties holds the settings for the dnsmasq daemon that provides both DHCP and DNS service on the LAN interface. Since we’ve turned on dhcp.lan.ignore, dnsmasq won't provide DHCP service, but it still provides DNS service. Other devices on your network will probably never use this, since they get their DNS configuration from the router's DHCP server in the same way that OpenWRT now does, but it's needed for OpenWRT itself to be able to resolve hostnames, so don’t remove the dhcp.@dnsmasq[0] settings.)

Setting the Hostname

Like any Linux-based computer, your OpenWRT router has a hostname, controlled by the system.@system[0].hostname configuration property. The default is “OpenWRT”, but you can change it to anything you like. If your network provides DNS service based on hostnames given in DHCP requests, this setting will control your access point’s name in DNS.

Run uci set system.@system[0].hostname=MyNewHostname to change the router’s hostname. This is optional.

Reconfiguring the Switch

Normally, the router’s LAN interface corresponds to the four Ethernet ports labeled 1–4 on the back of the WRT54GL (the “LAN ports”) together with the wireless, and the WAN interface corresponds to the Ethernet port labeled “Internet” on the back of the WRT54GL (the “WAN port”). Since the WAN interface is disabled, the WAN port on the back of the router is useless. It’s possible to configure it to act as another LAN port instead, so that it doesn’t go to waste. This is optional.

The WRT54GL contains a six-port switch. Five of the ports on the switch are wired to the Ethernet jacks on the back of the unit — the four LAN ones and the single WAN one — and the sixth is wired to the computer inside the unit. This single switch is able to act as two separate logical switches through the use of 802.1q VLANs: the switch is configured so that the four LAN ports are part of VLAN 0 and the WAN port is part of VLAN 1, so traffic cannot cross between the two. The internal computer has access to both VLAN 0 and VLAN 1, so it can talk to both the LAN and the WAN even though it has only a single connection to the switch.

The network.eth0_0 group of configuration properties controls the eth0.0 interface attached to VLAN 0, and the network.eth0_1 group controls the eth0.1 interface attached to VLAN 1. The default value of network.eth0_0.ports is 0 1 2 3 5, which means that switch ports 0–3 (the LAN ports on the back) and 5 (the internal computer) are asscociated with eth0.0. The default value of network.eth0_1.ports is 4 5, which means that switch ports 4 (the WAN port on the back) and 5 (the internal computer) are asscociated with eth0.1. By changing these values to 0 1 2 3 4 5 and 5 respectively, we can associate switch port 4 with eth0:0 instead of eth0:1, effectively turning the WRT54GL’s “WAN port” into another LAN port.

(Note that eth0 represents the internal computer's physical connection to the switch, and the Linux VLAN support creates eth0.0 and eth0.1 representing the two virtual network connections being carried over the single physical connection. These are bound to the LAN and WAN configurations by the network.lan.ifname and network.wan.ifname configuration properties, which are set to eth0.0 and eth0.1 respectively.)

Run uci set network.eth0_0.ports="0 1 2 3 4 5" and uci set network.eth0_1.ports=5 to reconfigure the switch.

Configuring the Wireless Access Point

The wireless.wl0 and wireless.@wifi-iface[0] configuration groups contain the configuration properties for the WRT54GL’s built-in wireless networking. The defaults will work, though they’re insecure, but at the very least you need to enable the wireless, since it’s disabled by default (precisely because the default configuration is insecure).

The details of wireless configuration are no different when using OpenWRT as an access point rather than as a router, so documenting it here would be redundant. See the OpenWRT documentation for information on wireless configuration. Just make sure that at some point you run uci set wireless.wl0.disabled=0 to actually enable the wireless.

I strongly recommend using WPA encryption rather than WEP, which is known to be insecure. Ideally, you should use WPA2 if all your wireless devices support it.

Enabling SSH

If you backed up your hostkeys in /etc/dropbear earlier, now is the time to restore them. If you have the telnet client installed locally, you can probably do this by running telnet "tar xv" < wrt-etc-dropbear.tar, but I haven’t tested this. To do it using only netcat: first run nc -l -p 11235 -q0 < wrt-etc-dropbear.tar locally, then nc 23 to log into the router, and run nc 11235 | tar xv there. This will overwrite the host keys in /etc/dropbear (which were generated automatically during the initial bootup) with the ones you saved from your previous installation.

Next, nc 23 to get a shell on the router if you haven't done so already, and run passwd to change the password. Beware that if you’re using netcat for this, the password you type will not be hidden, so don’t do this if anyone is watching over your shoulder.