Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP

DD-WRT Forum Index -> Broadcom SoC based Hardware
merm
DD-WRT Novice


Joined: 08 Jun 2006
Posts: 26

PostPosted: Tue Jul 04, 2006 21:47    Post subject: Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP
I just wanted to post this in case someone else is doing exactly what I want to do. I spent several hours reading this morning to get this to work for me. I hope this works for me until BrainSlayer is able to fix the web GUI to work for VLAN setup.

Hardware:
WRT54G v 2.2

Software:
DD-WRT v23

What I was looking to do is separate port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3 or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words, I want to see "into" the port 4 VLAN, but don't want them to see out). I've successfully got it to work: port 4 cannot ping out, but ports 1-3 and wireless can ping in. I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router IP address) is going to be on 192.168.1.1, and the second VLAN (the new one we create on port 4) is going to be on 192.168.2.1.

Steps:

1. Per this thread you make your VLAN page in your router look like this.

2. Next, per this thread, you go to a telnet or SSH prompt and type the following lines individually (I copied and pasted each one), hitting Enter after each line.

    nvram set vlan0ports="1 2 3 5*"    # ports 1-3 stay in vlan0; 5* is the tagged CPU port
    nvram set vlan2hwname=et0
    nvram set vlan2ports="4 5"         # port 4 moves to the new vlan2


3. Now go back into your router and go to the "Administration" tab, then click on "Diagnostics". Per the same thread above, you will type the following line into the box on the screen:

    ifconfig vlan2 192.168.2.1 netmask 255.255.255.0


After you type that into the box, click on "Save Startup".

*Note that the IP address can be any address that you want the router to be on that second VLAN. The VLAN (port 4) is going to think that the router is 192.168.2.1 in this case.

3. Now, per the same page above, we're going to modify the iptables rules to properly route everything. Type the following lines into the same box on the "Diagnostics" page.

    iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT   # vlan1 is the WAN port on this hardware (see WaS's reply below)
    iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT   # port 4 -> WAN
    iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT    # PPPoE interface only (aeternis found this pair unnecessary)
    iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT              # everything port 4 sends to the router itself
    iptables -I INPUT -i vlan1 -j ACCEPT              # everything the WAN port sends to the router itself


This time, click on "Save Firewall"

Now that you've finished the VLAN section, we need to set up DHCP to work properly. If you stop here, your DHCP will work on your VLAN 1 (192.168.1.1) but you'll have to use static addresses on the second VLAN on port 4.

Setting up DHCP:

4. Now, under the "Administration" tab again on your router, go to the "Management" tab. Find "DNSMasq". Make sure DNSMasq and Local DNS are both checked. Then, per this thread, copy the following lines into the "Additional DNS options" box:

    interface=vlan2
    interface=vlan1
    interface=vlan0
    interface=eth1
    dhcp-range=192.168.1.100,192.168.1.200,1h
    dhcp-range=192.168.2.100,192.168.2.200,1h


Do you see what's going on here? You're telling DHCP what the two VLANs are and what addresses to assign them. The "1h" is how long the lease time should be. The first address is the beginning of the DHCP range, the second is the end of the range for that VLAN. You won't be using your DHCP settings in the GUI on the front page after this; you'll need to edit it here if you want to make changes in the future.

Click on "Save Changes"

5. Lastly, go to the "Setup" tab for your router, and under "Basic Setup" you're going to turn DHCP off (this is a different DHCP server that we aren't using anymore). Under "DHCP Server", set this to "Disable".

6. Now, assuming you've done everything correctly, and that I've remembered everything I did, you should be able to reboot your router one final time and have everything work perfectly.

Keep in mind that I'm a complete noob here and don't really know what I'm doing. Just wanted to share what I did to get my ver 2.2 router working perfectly how I wanted it to. Hopefully it will work for you too.

Other resources I found helpful:

DD-WRT Wiki
OpenWRT Documentation
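The whole procedure above collected into one script, as an added example (these are not merm's own commands). Two things a reader should know before pasting: on this hardware vlan1 is the WAN port (WaS points this out further down), so "iptables -I INPUT -i vlan1 -j ACCEPT" accepts every packet the router receives on the WAN side, including connections to its own web GUI, telnet and SSH, and "-i vlan1 -o vlan2" lets the WAN side open connections into port 4; and the LAN ports (vlan0) and the wireless (eth1) are bridged into br0, which is the interface name netfilter sees for them. The script therefore uses br0 for the LAN side, keeps the vlan2-to-internet rules (aeternis found the ppp0 pair unnecessary without PPPoE; they are harmless), makes the one-way visibility explicit with a state match plus a DROP for the direction that must never initiate, and admits only DHCP and DNS from vlan2 to the router itself (Luciano reports further down that LAN2 could otherwise reach the configuration page). Port numbers are the WRT54G v2.2 ones from the post; the interface names, chain names, the explicit nvram commit, and the overridable command variables are assumptions, and the script has been checked only as a dry run.

```shell
#!/bin/sh
# Added example, not merm's own commands: the port-4 VLAN split from the post above as one
# script. Checked only as a dry run (every external command is a variable so it can be
# replaced); interface names, chain names and the explicit nvram commit are assumptions.

IPT="${IPT:-iptables}"
NVRAM="${NVRAM:-nvram}"
IFCONFIG="${IFCONFIG:-ifconfig}"

LAN=br0              # DD-WRT bridges vlan0 (ports 1-3) and eth1 (wireless) into br0
GUEST=vlan2          # the new VLAN on port 4
WAN_IFS="vlan1 ppp0" # vlan1 is the WAN port on this hardware; ppp0 exists only with PPPoE
GUEST_IP=192.168.2.1
GUEST_MASK=255.255.255.0

# Step 2: move port 4 out of vlan0 into vlan2 (WRT54G v2.2 port numbers; on a WRT54GL
# Luciano uses "3 2 1 5*" and "0 5"). 5* is the tagged CPU port, present in every VLAN.
split_ports() {
    $NVRAM set vlan0ports="1 2 3 5*"
    $NVRAM set vlan2hwname=et0
    $NVRAM set vlan2ports="4 5"
    $NVRAM commit        # the post relies on a later GUI "Save" for this; make it explicit
}

# Step 3, startup script: the router's own address on the new VLAN.
address_guest() {
    $IFCONFIG "$GUEST" "$GUEST_IP" netmask "$GUEST_MASK" up
}

# Step 3, firewall script. One-way visibility: the LAN may open connections into port 4,
# port 4 may open connections only toward the WAN, and otherwise may only answer.
firewall_rules() {
    # private chains so that re-running the script never reorders the rules
    $IPT -N port4_fwd 2>/dev/null || $IPT -F port4_fwd
    $IPT -N port4_in  2>/dev/null || $IPT -F port4_in

    $IPT -A port4_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A port4_fwd -i "$LAN"   -o "$GUEST" -j ACCEPT   # LAN/wireless -> port 4
    $IPT -A port4_fwd -i "$GUEST" -o "$LAN"   -j DROP     # port 4 never initiates toward LAN
    for wan in $WAN_IFS; do
        $IPT -A port4_fwd -i "$GUEST" -o "$wan" -j ACCEPT # port 4 -> internet
    done

    # What port 4 may ask of the router itself: DHCP and DNS only. This replaces
    # "-I INPUT -i vlan2 -j ACCEPT", which also exposed the GUI, telnet and SSH.
    $IPT -A port4_in -i "$GUEST" -p udp --dport 67 -j ACCEPT
    $IPT -A port4_in -i "$GUEST" -p udp --dport 53 -j ACCEPT
    $IPT -A port4_in -i "$GUEST" -p tcp --dport 53 -j ACCEPT
    $IPT -A port4_in -i "$GUEST" -j DROP

    # hook the chains in ahead of DD-WRT's own rules (remove a stale hook first)
    $IPT -D FORWARD -j port4_fwd 2>/dev/null || true
    $IPT -D INPUT   -j port4_in  2>/dev/null || true
    $IPT -I FORWARD -j port4_fwd
    $IPT -I INPUT   -j port4_in
}

# Steps 4-5, "Additional DNS options" (GUI DHCP server disabled): one dnsmasq serving both
# segments. The post's interface=vlan0/eth1 lines name bridge members (br0 covers them),
# and interface=vlan1 would make dnsmasq answer DNS on the WAN port, so it is left out.
dnsmasq_options() {
    cat <<EOF
interface=$LAN
interface=$GUEST
dhcp-range=192.168.1.100,192.168.1.200,1h
dhcp-range=192.168.2.100,192.168.2.200,1h
EOF
}

# sh port4.sh nvram | startup | firewall | dnsmasq   (or paste a function body into the
# matching DD-WRT box: Save Startup, Save Firewall, Additional DNS options)
case "${1:-}" in
    nvram)    split_ports ;;
    startup)  address_guest ;;
    firewall) firewall_rules ;;
    dnsmasq)  dnsmasq_options ;;
esac
```

DD-WRT's NAT rule is keyed on the WAN interface rather than on a source network, which is why merm's setup reached the internet without a masquerade rule of its own; the same holds here. The state rule is what makes the asymmetry work: a LAN host's connection into port 4 gets its replies through ESTABLISHED, while a port 4 host's first packet toward br0 hits the DROP.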
zaw
DD-WRT Novice


Joined: 25 Jul 2006
Posts: 8

PostPosted: Thu Aug 03, 2006 1:20    Post subject:
Verified working with Buffalo WHR-G54S and the HP version.

Thanks!!!!!
merm
DD-WRT Novice


Joined: 08 Jun 2006
Posts: 26

PostPosted: Thu Aug 03, 2006 1:21    Post subject:
Yay! I'm glad it works. Thanks for providing feedback.
aeternis
DD-WRT Novice


Joined: 03 Aug 2006
Posts: 1

PostPosted: Thu Aug 03, 2006 8:40    Post subject:
Works great for me too. I spent an hour sifting through various clues in forum threads (not to mention the tantalizing dead link at the bottom of this page on the wiki) until I stumbled upon yours.

I'm using a WRT54G v2.0 with DD-WRT v23 SP1 Final mini.

Oh, I should also mention that I found it wasn't necessary to use the two iptables lines in the middle (the ones with ppp0).
WaS
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 731
Location: Erlangen, Germany

PostPosted: Thu Aug 03, 2006 9:02    Post subject: Re: Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP
merm wrote:

What I was looking to do is separate Port 4 of my router into a separate VLAN
that can access the internet, but not access anything on ports 1-3, or the wireless.
However, I want to be able to see everything on port 4 from the other side

Wow -- GREAT! This is almost the same setup I am looking for.

I just started to think about how "the contrary" can be implemented, i.e., a particular port (say, #4) must be able to "see" the internet (which is provided via PPPoE), while neither the other ports nor the WLAN should be allowed to establish a connection to port 4. (The goal is to make the computer at port 4 safe against potential "attacks" from the rest of the local network.)

I suppose the only difference, as compared with your setup, is the iptables commands, but I'm really lost in the iptables documentation. Can you please explain to me how to modify your commands so as to reach the desired effect? I'd be very, very grateful!

Thank you in advance,
WaS
Cynagen
DD-WRT User


Joined: 27 Jul 2006
Posts: 57

PostPosted: Thu Aug 03, 2006 9:13    Post subject:
To get the effect you're looking for, drop the "iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT", the very first line. This will keep computers on vlan1 (ports 1-3 + WLAN) from being able to see/mess with the computer on port 4 (vlan2). That's a good idea for a server: keep people on the network from messing with it, but leave it entirely open to the internet to do its thing. Might have to do that myself.
WaS
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 731
Location: Erlangen, Germany

PostPosted: Thu Aug 03, 2006 10:17    Post subject:
Ooops...
I have an unused WRT54GL to "play with", but I just noticed that this won't work on a GL, because its ports are numbered differently, and the VLAN settings page is known to be broken there. Fortunately, there is a Gv3.1 in my LAN, so I need to swap the devices before I can start experimenting. In consequence, I have to apologize that I won't be able to implement your advice immediately.

Cynagen wrote:
To get the effect you're looking for, drop the "iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT", the very first line, this will drop computers on vlan1 (ports 1-3+wlan) from being able to see/mess with the computer on port 4 (vlan2)


AFAIK, vlan1 is the WAN, isn't it?
The WLAN and the other ports are vlan0, as far as I understand.
Cynagen
DD-WRT User


Joined: 27 Jul 2006
Posts: 57

PostPosted: Thu Aug 03, 2006 21:23    Post subject:
My mistake!
merm
DD-WRT Novice


Joined: 08 Jun 2006
Posts: 26

PostPosted: Mon Aug 07, 2006 19:50    Post subject:
Does anyone know the following:

By changing iptables, and creating another vlan, will this mess with QoS, or will QoS continue working the same way?
blaser
DD-WRT Guru


Joined: 16 Jul 2006
Posts: 525

PostPosted: Tue Aug 08, 2006 11:45    Post subject:
Can this be done on a micro distribution?
ifconfig is not implemented!!
abx
DD-WRT Novice


Joined: 09 Aug 2006
Posts: 1

PostPosted: Wed Aug 09, 2006 15:39    Post subject:
Hi,

What if I would like the opposite? E.g., VLAN2 should be able to access VLAN0 but VLAN0 can't access VLAN2.
My main purpose is to put a separate network, like a server and some workstations, in VLAN2, which has only a wired connection. Then, a public printer and wireless users in VLAN0. VLAN2 devices should be able to access the printer in VLAN0. But none of the devices from VLAN0 can access VLAN2.
What I've tried is to put

    iptables -I FORWARD -i vlan2 -o vlan0 -j ACCEPT

but I can't access anything in VLAN0 from VLAN2 anyway. I also tried to move the WLAN from VLAN0 to VLAN2 by creating br1 containing VLAN2 and the WLAN. (I can't disable br0, so I just left br0 with only VLAN0.)

Thank you,
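The reversed trust that WaS asked for and abx is trying to build, as an added example (not their commands): port 4 is the trusted wired segment, the LAN and wireless may not open connections to it, and it may reach the LAN only for printing. Two details explain why abx's single rule had no effect: the LAN ports (vlan0) and the wireless are members of the bridge br0, so a forwarded packet toward them leaves on br0 and "-o vlan0" never matches; and vlan1 is the WAN port, as WaS notes above, not the LAN. The printer address and port list are assumptions, the script has been checked only as a dry run, and the router-side INPUT rules that let vlan2 reach DHCP and DNS on the router are outside it.

```shell
#!/bin/sh
# Added example, not abx's or WaS's own commands: reversed trust for port 4, checked only
# as a dry run (IPT can be pointed at a logging function instead of iptables).
IPT="${IPT:-iptables}"

LAN=br0                  # vlan0 (ports 1-3) and the wireless are members of this bridge;
                         # a forwarded packet toward them leaves on br0, so "-o vlan0"
                         # never matches
TRUSTED=vlan2            # port 4: the servers and workstations
WAN_IFS="vlan1 ppp0"     # vlan1 is the WAN port; ppp0 exists only with PPPoE
PRINTER=192.168.1.50         # assumed address of the public printer on the LAN side
PRINTER_PORTS="9100 515 631" # assumed: raw JetDirect, LPD, IPP; match your printer

reverse_rules() {
    $IPT -N trusted_fwd 2>/dev/null || $IPT -F trusted_fwd
    $IPT -A trusted_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT

    # port 4 -> LAN: only the printer, only its print services (least privilege).
    # Drop the -d/--dport qualifiers if port 4 really needs the whole LAN.
    for port in $PRINTER_PORTS; do
        $IPT -A trusted_fwd -i "$TRUSTED" -o "$LAN" -p tcp -d "$PRINTER" --dport "$port" -j ACCEPT
    done
    $IPT -A trusted_fwd -i "$TRUSTED" -o "$LAN" -j DROP

    for wan in $WAN_IFS; do
        $IPT -A trusted_fwd -i "$TRUSTED" -o "$wan" -j ACCEPT   # port 4 -> internet
    done

    # LAN and wireless never initiate toward port 4 (their replies passed above)
    $IPT -A trusted_fwd -i "$LAN" -o "$TRUSTED" -j DROP

    $IPT -D FORWARD -j trusted_fwd 2>/dev/null || true
    $IPT -I FORWARD -j trusted_fwd
}

# paste the function body into "Save Firewall", or run: sh reverse.sh apply
if [ "${1:-}" = "apply" ]; then
    reverse_rules
fi
```

The order inside the chain matters: the state rule first, so that the printer's and the internet's replies reach port 4, then the narrow printer allows, then the DROP that closes the rest of the LAN, then the WAN allows. Appending to a private chain and hooking it with one "-I FORWARD" keeps that order stable across reruns of the firewall script, which "-I" on FORWARD for every rule does not.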
Unique_Rabbit
DD-WRT Novice


Joined: 18 Sep 2006
Posts: 3

PostPosted: Mon Sep 18, 2006 4:27    Post subject: VLAN Question...
Total n00b... shoot me if this is silly.

First off... do VLANs work properly with a v5? I don't mind the micro distribution, since the only real feature I need is the VLAN support. I have 5 ports on the back, WAN and LAN1-4, correct?

Second... this is the config I'm trying to build:

I have 3 Subnets:

Public
Protected
Bench

Goal: to have each of them able to access the internet but not each other.

How: Would the internet connection be attached to the WAN (or whatever) port?
Each Switch would be plugged into one of the other ports?

Thanks for the help... if a v5 doesn't work for this, would another version? I'm willing to hunt one down if necessary.
hcb
DD-WRT Novice


Joined: 09 Dec 2006
Posts: 1

PostPosted: Sat Dec 09, 2006 17:32    Post subject: Re: Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP
merm wrote:

Steps:

1. Per this thread you make your VLAN page in your router look like this.



Hello, the Link is down. Would you please post what they wrote there?
Is it similar to this one: http://www.geek-pages.com/articles/latest/dd-wrt_-_setting_up_a_separate/isolated_vlan_on_port_4_with_dhcp_2.html ?

Thank you!
Luciano
DD-WRT Novice


Joined: 23 Jul 2006
Posts: 26

PostPosted: Thu Dec 21, 2006 9:05    Post subject:
Hi,

Thanks to all for your description; it helped me a lot.

I wanted to have two LANs separated:
- LAN1 on ports 1-2-3 + WiFi
- LAN2 on port 4
and to be able to use QoS (or other methods) to control/limit download/upload speed in all of LAN1 and LAN2.

I think I succeeded in implementing another LAN on port 4 after your description on my Linksys WRT54GL router with Firmware: DD-WRT v23 SP3 (12/17/06) std.

This is what I used for step 2:

    nvram set vlan0ports="3 2 1 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="0 5"

I had to skip steps 4 & 5 because I saw that if I set DHCP on LAN2, QoS is not working anymore for LAN2, and there is no limit to download/upload on that segment.

I am not sure if firewall rules are enough to filter/stop traffic from LAN2 to LAN1... I saw that from LAN2 I am able to access the router configuration page and... this is not good.

Does anybody know if it is possible (and what/how to set up) to use RFlowCollector in LAN1 (NIC = br0) to see traffic from LAN2 (NIC = vlan2)?
In this configuration it is working only for LAN1 (NIC = br0).
Tried to use it in LAN2 but still not working.

thanks for any help
L.
networks
DD-WRT Novice


Joined: 06 Feb 2007
Posts: 6

PostPosted: Sat Mar 24, 2007 1:38    Post subject: I need something similar but with another wireless SSID?
I'm trying to figure out how to create a separate wireless SSID (unbridged?) with its own DHCP range so this can be a secure guest internet-only network which is only able to get out the gateway to the internet. I'm running DD-WRT version 24 beta. I've set up a virtual SSID, called it guests, set WPA security on that virtual SSID, set it as unbridged, and once that was done it allowed me to set the virtual SSID's IP and subnet. So now I have a new SSID that I can authenticate to, and with ifconfig I have an interface called wl0.1 showing:

    Link encap:Ethernet HWaddr 00:13:XX:XX:XX:XX
    inet addr:10.10.15.1 Bcast:10.10.15.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Problem is, when connecting to that SSID it does not give me an IP address. So now I need to figure out how to run a DHCP server on the DD-WRT router that only listens to this subnet and will issue out IPs in the 10.10.15.0 range to wireless clients that authenticate with the WPA key. Right now the main DHCP server inside the DD-WRT router is turned off, as we have our own DHCP server on our 192.168.1.0 network, and I do not want it giving DHCP leases to this private network.

Any ideas, guys? This will be a cool setup: a secured wireless network to allow guests to connect to without having access to our private subnet, if I can get it working.
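The guest-SSID setup described in this post, as an added example (not from the post): dnsmasq hands out leases only on the unbridged guest interface wl0.1, the main LAN keeps its own 192.168.1.0 DHCP server, and every guest interface may talk to the WAN and the router's DHCP/DNS and nothing else. The loop goes beyond the post: listing several interfaces gives the mutually isolated, internet-only segments Unique_Rabbit describes above (vlan2 and vlan3 below, and their subnets, are assumed extra VLANs, not from any post). The dhcp-range and dhcp-option lines use the interface name as a tag, which dnsmasq sets from the name of the interface a request arrived on (check the man page of the dnsmasq build on your router); br0, vlan1 and ppp0 follow DD-WRT's layout on this hardware, and everything has been checked only as a dry run.

```shell
#!/bin/sh
# Added example, not from the post: DHCP on an unbridged guest SSID plus WAN-only isolation
# for every listed guest interface. Checked only as a dry run (IPT is overridable).
IPT="${IPT:-iptables}"

LAN=br0                  # main LAN: keeps its external 192.168.1.0 DHCP server
WAN_IFS="vlan1 ppp0"     # WAN port, and the PPPoE interface if there is one
# interface:prefix pairs. wl0.1/10.10.15 is the guest SSID from the post; vlan2 and vlan3
# are assumed extra wired segments, listed to show the same rules covering several networks.
GUEST_NETS="wl0.1:10.10.15 vlan2:192.168.20 vlan3:192.168.30"

# "Additional DNS options": leases only on guest interfaces, none on br0.
guest_dnsmasq_options() {
    echo "no-dhcp-interface=$LAN"
    for entry in $GUEST_NETS; do
        ifname=${entry%%:*}
        net=${entry#*:}
        echo "interface=$ifname"
        # the interface name is the tag, so this range serves only requests from it
        echo "dhcp-range=$ifname,$net.100,$net.200,1h"
        echo "dhcp-option=$ifname,3,$net.1"   # gateway: the router's address on that interface
        echo "dhcp-option=$ifname,6,$net.1"   # DNS: dnsmasq itself
    done
}

# Firewall script: guests reach the WAN and the router's DHCP/DNS, nothing else; nothing
# (LAN, WAN, another guest) opens connections toward a guest.
guest_firewall() {
    $IPT -N guest_fwd 2>/dev/null || $IPT -F guest_fwd
    $IPT -N guest_in  2>/dev/null || $IPT -F guest_in
    $IPT -A guest_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT
    for entry in $GUEST_NETS; do
        g=${entry%%:*}
        for wan in $WAN_IFS; do
            $IPT -A guest_fwd -i "$g" -o "$wan" -j ACCEPT
        done
        $IPT -A guest_fwd -i "$g" -j DROP        # guest -> LAN or another guest
        $IPT -A guest_fwd -o "$g" -j DROP        # new connections toward a guest
        $IPT -A guest_in -i "$g" -p udp --dport 67 -j ACCEPT
        $IPT -A guest_in -i "$g" -p udp --dport 53 -j ACCEPT
        $IPT -A guest_in -i "$g" -p tcp --dport 53 -j ACCEPT
        $IPT -A guest_in -i "$g" -j DROP         # no web GUI, telnet or SSH from guests
    done
    $IPT -D FORWARD -j guest_fwd 2>/dev/null || true
    $IPT -D INPUT   -j guest_in  2>/dev/null || true
    $IPT -I FORWARD -j guest_fwd
    $IPT -I INPUT   -j guest_in
}

# sh guest.sh dnsmasq | firewall   (or paste the function bodies into the matching boxes)
case "${1:-}" in
    dnsmasq)  guest_dnsmasq_options ;;
    firewall) guest_firewall ;;
esac
```

With the GUI DHCP server off, the generated dnsmasq config carries no dhcp-range for br0, and no-dhcp-interface=br0 makes sure none is ever added by accident while DNS on the LAN keeps working; the WPA key on the virtual SSID controls who joins, and the guest_fwd chain controls what they can reach once joined.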
Page 1 of 4. All times are GMT.