Accessing the Wireless Router/AP through the zonecd machine

Accessing the wireless router or access point remotely can be a hassle, to say the least. If you do not have direct access to the zonecd GUI, which lets you use a web browser, you have very limited options for reaching the devices on the wireless side of the system.
Why would you need to access a device on the wireless side remotely? You might need to check the configuration of a device connected to the wireless side. If the device has a web interface you can access it through the zonecd machine relatively easily, but there is a caveat (requirement)…

In order to “access” the wireless router(s)/AP(s) connected to the zonecd machine you MUST know the IP address assigned to the eth0 interface on the zonecd machine! This is the IP address you will put in the URL to reach the web interface on the wireless access point/router.

If you have the zonecd machine configured to use DHCP to assign the IP address of the eth0 interface, you cannot use this technique – unless you can assign a known IP address to the zonecd machine through the DHCP server where the zonecd machine gets its IP address.

If your zonecd machine is “behind” a DSL/Cable router you will need to be able to specify a translation through this router as well – multiple translations are not a problem (most of the time). It is beyond the scope of this document to describe the “how” of performing this – it has been left up to you as an exercise.

The following describes a method which will allow you to set up a “link” through the zonecd machine using a technique called “Reverse NAT/PAT translation”. This is nothing more than converting an IP/port combination on the eth0 side of the zonecd machine to an equivalent IP/port combination on the eth1 side of the machine. (Hint: If you are behind a DSL/Cable router you would use the same technique to access the eth0 side of the zonecd machine.)

Here are the firewall rules needed to perform this “magic” – these firewall commands are specific to using the Free Controller version of the PublicIP system. Some minor changes are needed to use the commands with the Premium System and are listed a little later in this article.

Here are the commands and comments about specific parts of the command:


# Allow WEB access to the wireless router(s) on the wireless side…
# replace the xxx.xxx.xxx.xxx with your controller’s eth0 IP address
# to access a wireless router/ap you would use:
# http://xxx.xxx.xxx.xxx:8001 to access the first one..
# and http://xxx.xxx.xxx.xxx:8002 to access the second one.
# setup NAT translation to wireless router…

/usr/local/sbin/iptables -t nat -I PREROUTING 1 -p tcp -d xxx.xxx.xxx.xxx --dport 8001 -j DNAT --to-destination 10.10.10.2:80

/usr/local/sbin/iptables -t nat -I PREROUTING 1 -p tcp -d xxx.xxx.xxx.xxx --dport 8002 -j DNAT --to-destination 10.10.10.3:80

# you can access snmp on a wireless router/ap
# (if it has the capability) by doing the same thing as was done
# to access the web interface – but substitute the settings below…
# to access the snmp port on the first wireless router/ap you would
# use: xxx.xxx.xxx.xxx:9001 and to…
# access the second router/ap you would use xxx.xxx.xxx.xxx:9002

# Allow SNMP access to the wireless router(s) on the wireless side…

/usr/local/sbin/iptables -t nat -I PREROUTING 1 -p udp -d xxx.xxx.xxx.xxx --dport 9001 -j DNAT --to-destination 10.10.10.2:161

/usr/local/sbin/iptables -t nat -I PREROUTING 1 -p udp -d xxx.xxx.xxx.xxx --dport 9002 -j DNAT --to-destination 10.10.10.3:161

# the wireless router/ap must be able to respond back through the firewall without requiring authentication.
# the following firewall rules will allow this to occur.
# allow wireless router(s) to respond back

/usr/local/nocat/bin/access.fw permit xx:xx:xx:xx:xx:xx Liberated

/usr/local/nocat/bin/access.fw permit xx:xx:xx:xx:xx:xx Liberated

The above firewall commands are executed either on a command line or can be executed from within an executable script file – such as the init.sh script that will be executed when the unit is booted up or rebooted.

That is all there is to it!
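
As an added example (not part of the original article or of the PublicIP/zonecd software), the script below generates the same three commands per access point from a list of AP IP/MAC pairs and rejects the whole list if any address is malformed. It goes beyond the article by limiting each DNAT rule to one administrator source with iptables' -s match, so the forwarded web and SNMP ports do not answer every host that can reach eth0; ADMIN_SRC, the function names and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added example, not PublicIP/zonecd code. It only prints commands; review the
# output, then run it or paste it into init.sh. Sample addresses are constructed.

valid_ip() {    # dotted quad, every octet 0-255
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

valid_mac() {   # six colon-separated hex pairs
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules CONTROLLER_ETH0_IP ADMIN_SRC AP_IP,AP_MAC [AP_IP,AP_MAC ...]
# ADMIN_SRC (assumption, not in the article) is the only source address or
# network allowed to hit the forwarded ports, via iptables' standard -s match.
gen_rules() {
    ctrl=$1; src=$2; shift 2
    valid_ip "$ctrl"      || { echo "bad controller IP: $ctrl" >&2; return 1; }
    valid_ip "${src%%/*}" || { echo "bad admin source: $src" >&2; return 1; }
    # Pass 1: validate everything so a typo never yields a partial rule set.
    for ap in "$@"; do
        valid_ip "${ap%%,*}" || { echo "bad AP IP in: $ap" >&2; return 1; }
        valid_mac "${ap#*,}" || { echo "bad AP MAC in: $ap" >&2; return 1; }
    done
    # Pass 2: AP number n gets web port 8000+n and SNMP port 9000+n.
    n=0
    for ap in "$@"; do
        ip=${ap%%,*}; mac=${ap#*,}; n=$((n + 1))
        nat="/usr/local/sbin/iptables -t nat -I PREROUTING 1 -s $src -d $ctrl"
        echo "$nat -p tcp --dport $((8000 + n)) -j DNAT --to-destination $ip:80"
        echo "$nat -p udp --dport $((9000 + n)) -j DNAT --to-destination $ip:161"
        echo "/usr/local/nocat/bin/access.fw permit $mac Liberated"
    done
}

# Constructed sample: controller eth0 192.0.2.10, admin host 198.51.100.7.
gen_rules 192.0.2.10 198.51.100.7 \
    10.10.10.2,00:11:22:33:44:55 10.10.10.3,00:11:22:33:44:66
```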
