Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP

DD-WRT Forum Index -> Broadcom SoC based Hardware (page 4 of 4)
Janzzen (DD-WRT Novice, joined 16 Mar 2009, 1 post), posted Mon Mar 16, 2009 11:35:
Hello,

I have now installed V24-SP1 and I have set up a separate VLAN with this wiki: http://tinyurl.com/cw8c82

But I have the same wish as the topic starter. I have a second router on port 4 and I would like to have access to this router.

The wiki says at the end that you can block all access between the two networks by using this rule:

iptables -I FORWARD -i br0 -o vlan2 -j DROP

It works: it blocks all traffic to port 4, and port 4 cannot see any PC on the other LAN ports.

But, as I said, I would like to have access to the router on port 4. I have tried different rules such as:

iptables -I FORWARD -i vlan0 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan0 -j DROP

Nothing works for me.
Can anybody help me with the right rules so that port 4 can be accessed from the other ports, but port 4 canNOT access the other LAN ports???

Thanks in advance,

Roland.
kevindd992002 (DD-WRT User, joined 27 Feb 2009, 457 posts), posted Fri May 15, 2009 20:09:
Hi phuzion, can I ask for your help? My goal is simple, but I can't make it work, really.

So, I have a pfsense box with two NICs, one for LAN and the other for WAN. I have two cable modems, so pfsense would be responsible for LOAD BALANCING. My problem is I don't have an extra PCI slot in my pfsense box to add another NIC, so I sought the help of a dd-wrt router, which can do VLANs and 802.1q tagging.

My DD-WRT device is a WRT54G v2 router. I disabled its DHCP and NAT functions so that it acts as a managed switch.

So, in short: Modem1/2 -> Port1/2 of the DD-WRT, DD-WRT Port3 -> pfsense WAN port, and pfsense LAN port -> my internal network.

What I did was this in dd-wrt (two screenshots, of the VLANs subtab and of the Networking subtab, were part of the original post and are not reproduced here).

It should've worked, right? I assigned the VLAN tag 11 and 22 interfaces in pfsense properly.

By the way, I did all this in the web GUI of dd-wrt; do I still need to do some extra command-line fiddling with it, or would the web GUI be fine? I'm not too good with command lines.

I hope you can help me. Thanks.
mben26 (DD-WRT Novice, joined 16 Dec 2009, 4 posts), posted Fri Dec 18, 2009 23:53:
I have a WRT54GL-TM flashed with the Pre SP2 Mega version, connected to the internet through another router in DHCP mode, but also connected to a Windows 2003 VPN server. I want to dedicate one port to the traffic with the PPTP server while the other port will be used for the internet. Is that possible? As I understand from the post it's achievable, but I don't know how to use iptables at all; I am a newbie.

Thanks for your help
8GBWRT54GL (DD-WRT Novice, joined 06 Jun 2010, 3 posts), posted Sun Jun 06, 2010 19:17, subject: Re: Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP:
What do I need to modify if I want port 4 to access ports 1, 2, 3 and the wireless?


merm wrote:
I just wanted to post this in case someone else is doing exactly what I want to do. I spent several hours reading this morning to get this to work for me. I hope this works for me until BrainSlayer is able to fix the web GUI to work for VLAN setup.

Hardware:
WRT54G v 2.2

Software:
DD-WRT v23

What I was looking to do is separate port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3 or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words, I want to see "into" the port 4 VLAN, but don't want them to see out). I've successfully got it to work: port 4 cannot ping out, but ports 1-3 and wireless can ping in. I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router IP address) is going to be on 192.168.1.1, and the second VLAN (the new one we create on port 4) is going to be on 192.168.2.1.

Steps:

1. Per this thread, you make the VLAN page in your router look like this. [screenshot not reproduced]

2. Next, per this thread, you go to a telnet or SSH prompt and type the following lines individually (I copied and pasted each one), hitting enter after each line.

nvram set vlan0ports="1 2 3 5*"   # LAN VLAN: switch ports 1-3 plus the CPU port (5); * marks the CPU port's default VLAN
nvram set vlan2hwname=et0         # attach the new vlan2 to the et0 switch driver
nvram set vlan2ports="4 5"        # new VLAN: switch port 4 plus the CPU port
nvram commit                      # write the settings to flash so they survive the reboot in step 7

3. Now go back into your router, go to the "Administration" tab, then click on "Diagnostics". Per the same thread above, type the following line into the box on the screen:

ifconfig vlan2 192.168.2.1 netmask 255.255.255.0   # give the router an address on the port-4 VLAN

After you type that into the box, click on "Save Startup".

*Note that the IP address can be any address that you want the router to have on that second VLAN. The VLAN (port 4) is going to think that the router is 192.168.2.1 in this case.

4. Now, per the same page above, we're going to modify the iptables rules to properly route everything. Type the following lines into the same box on the "Diagnostics" page.

iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT   # WAN VLAN (vlan1) -> port-4 VLAN
iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT   # port-4 VLAN -> WAN VLAN
iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT    # the same pair again for a PPPoE WAN (ppp0)
iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
iptables -I INPUT -i vlan2 -j ACCEPT              # accept everything addressed to the router itself from the port-4 VLAN
iptables -I INPUT -i vlan1 -j ACCEPT              # ... and everything addressed to the router from vlan1

This time, click on "Save Firewall".

Now that you've finished the VLAN section, we need to set up DHCP to work properly. If you stop here, DHCP will work on your VLAN 1 (192.168.1.1) but you'll have to use static addresses on the second VLAN on port 4.

Setting up DHCP:

5. Now, under the "Administration" tab again, go to the "Management" tab. Find "DNSMasq". Make sure DNSMasq and Local DNS are both checked. Then, per this thread, copy the following lines into the "Additional DNSMasq Options" box:

# interfaces dnsmasq listens on (vlan2 = port-4 VLAN, vlan0 = LAN VLAN, eth1 = wireless)
interface=vlan2
interface=vlan1
interface=vlan0
interface=eth1
# one address pool per VLAN; 1h is the lease time
dhcp-range=192.168.1.100,192.168.1.200,1h
dhcp-range=192.168.2.100,192.168.2.200,1h

Do you see what's going on here? You're telling DHCP what the two VLANs are and what addresses to assign them. The "1h" is how long the lease time should be. The first address is the beginning of the DHCP range, the second is the end of the range for that VLAN. You won't be using the DHCP settings in the GUI on the front page after this; you'll need to edit it here if you want to make changes in the future.

Click on "Save Changes".

6. Lastly, go to the "Setup" tab for your router, and under "Basic Setup" turn DHCP off (this is a different DHCP server that we aren't using any more). Under "DHCP Server", set this to "Disable".

7. Now, assuming you've done everything correctly, and that I've remembered everything I did, you should be able to reboot your router one final time and have everything work perfectly.

Keep in mind that I'm a complete noob here and don't really know what I'm doing. I just wanted to share what I did to get my v2.2 router working perfectly how I wanted it to. Hopefully it will work for you too.

Other resources I found helpful:

DD-WRT Wiki
OpenWRT Documentation
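Here is the rule set for the one-way arrangement the howto describes and Janzzen asked about earlier on this page (the LAN can reach into the port-4 VLAN, port 4 can only answer), written as a complete rc_firewall script. It is an added example, not code from merm's post or from the DD-WRT wiki. It assumes the interface names of a v24 build (br0 for the bridge that holds ports 1-3 and wireless, vlan2 for the port-4 VLAN, vlan1 for the WAN; set WAN_IF=ppp0 on PPPoE), and the chain name guest_fwd is my own. With DRY_RUN=1 it prints the iptables commands instead of running them, so the rule order can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not from the thread: one-way isolation between the main LAN
# and the port-4 VLAN on DD-WRT, usable as the rc_firewall script.
#
# Assumed interface names (override in the environment to match your build):
#   LAN_IF   bridge holding ports 1-3 and wireless (br0 on v24)
#   GUEST_IF the detached VLAN on port 4
#   WAN_IF   internet-facing interface (vlan1, or ppp0 on PPPoE)
LAN_IF="${LAN_IF:-br0}"
GUEST_IF="${GUEST_IF:-vlan2}"
WAN_IF="${WAN_IF:-vlan1}"

# ipt: run iptables, or with DRY_RUN=1 print the command instead so the rule
# set can be reviewed on a machine without the router.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# guest_forward_rules: fill a dedicated chain with -A so the rules keep the
# order they are written in, then hook it once at the top of FORWARD. A list
# of -I lines straight into FORWARD would end up in reverse order.
guest_forward_rules() {
    ipt -N guest_fwd 2>/dev/null || true
    ipt -F guest_fwd
    # 1. Replies to connections the LAN opened may come back from port 4 ...
    ipt -A guest_fwd -i "$GUEST_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. ... but port 4 may not open anything new towards the LAN.
    ipt -A guest_fwd -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    # 3. The LAN may reach into port 4 (ping, the web UI of a second router there).
    ipt -A guest_fwd -i "$LAN_IF" -o "$GUEST_IF" -j ACCEPT
    # 4. Port 4 gets the internet; replies from the internet are let back in.
    ipt -A guest_fwd -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A guest_fwd -i "$WAN_IF" -o "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Evaluate the chain before anything else in FORWARD (re-runs stay idempotent).
    ipt -D FORWARD -j guest_fwd 2>/dev/null || true
    ipt -I FORWARD 1 -j guest_fwd
}

case "${1:-}" in
    apply) guest_forward_rules ;;
    show)  DRY_RUN=1; guest_forward_rules ;;
esac
```

Paste the script into the Firewall box (Save Firewall) or run `sh guest_fw.sh apply` over SSH; `sh guest_fw.sh show` prints the rules. The conntrack rule at the top of the chain is what makes the visibility one-way: packets from port 4 that belong to a connection the LAN started are accepted, everything else from port 4 towards the LAN is dropped before the LAN-to-guest ACCEPT is ever consulted, so the effect no longer depends on whatever the default FORWARD rules happen to do.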
8GBWRT54GL (DD-WRT Novice, joined 06 Jun 2010, 3 posts), posted Sun Jun 13, 2010 16:10:
When you set this up, the primary DNS is automatically pointed to the router's IP address. How can I change it to outside DNS servers?


merm wrote: (the same howto, quoted in full in the previous post)
phuzi0n (DD-WRT Guru, joined 10 Oct 2006, 10141 posts), posted Sun Jun 13, 2010 21:41:
8GBWRT54GL wrote:
When you set this up the primary DNS is automatically pointed to the router's IP address. How can I change it to outside DNS servers?

See the DNSMasq page on the wiki.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
gunrunnerjohn (DD-WRT User, joined 12 Jan 2008, 74 posts, location SE-PA), posted Thu Aug 05, 2010 17:44:
I used the GUI setup from this guide to configure a virtual GUEST wireless network with just internet access.

http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

Other than the different names for the wireless networks, it works right out of the box. I have the Atheros-based router, so this might not even be an issue for you.
c.caldwell (DD-WRT Novice, joined 11 Aug 2010, 2 posts), posted Tue Aug 17, 2010 3:50, subject: Help:
Hello Everyone,
I was wondering if someone could help me out with a problem I'm having. I am a DD-WRT newbie.

Now I'm trying to set up two VLANs. One is my home network, the other is my work network. Both should have access to the internet.
Home = vlan1 = 10.22.1.1, able to see vlan3
Work = vlan3 = 10.22.2.1, cannot see vlan1
vlan2 is connected to the WAN port

Now I have tried the setup process posted on every forum I could find, but with no success. Once I follow the steps, my vSphere server or any other device cannot obtain an IP address.
Here is the script I used to set up the VLAN:

nvram set vlan3ports="3"

nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
ifconfig vlan3 10.22.2.1 netmask 255.255.255.0
ifconfig vlan3 up
'
nvram commit

If anybody could help me, that would be great.

Christian Caldwell
Chief of Information and Technology Services
The Brotherhood

PS: DD-WRT is installed on a Linksys E2000 and I'm running DD-WRT v24-sp2 (07/28/10) big
phuzi0n (DD-WRT Guru, joined 10 Oct 2006, 10141 posts), posted Tue Aug 17, 2010 5:50:
@c.caldwell

You don't need to do anything in rc_startup: you can use the GUI to set the IP/netmask, and those directories are already in $PATH. You're not setting the vlan3ports variable correctly, and you need to set vlan3_hwname.

To learn how to configure the nvram variables correctly (the GUI is broken on your model):
http://www.dd-wrt.com/wiki/index.php/Switched_Ports

To learn how to configure the IP/netmask/DHCP:
http://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_%28Separate_Networks_With_Internet%29#GUI_Tutorial

To add a WLAN bridged with the new VLAN:
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

sjs (DD-WRT Novice, joined 02 Oct 2010, 4 posts), posted Sun Oct 03, 2010 16:27:
blackcell wrote:
mejor wrote:
I GOT IT WORKING ON A WRT54GS V4 FINALLY!!!!!!!!! It took me like 3 weeks.

This is what I had to do:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5"

It used to be:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"

Port 4 on the back of the router is not port 4 on the board. Here is the layout for this router:
0 = port 4
1 = port 3
2 = port 2
3 = port 1
4 = WAN
5 = CPU internal
5* = CPU internal default


Thanks! It took me two days to realize the ports on this WRT54GS V4 are NOT as they appear.


Hi,
It works: I can ping vlan2, but I can't ping any device connected to vlan2 from vlan1...
phuzi0n (DD-WRT Guru, joined 10 Oct 2006, 10141 posts), posted Sun Oct 03, 2010 18:50:
sjs wrote:
Hi,
It works: I can ping vlan2, but I can't ping any device connected to vlan2 from vlan1...

Make sure you have software firewalls turned off on the PC you're trying to ping, because they block traffic from outside their LAN subnet.

sjs (DD-WRT Novice, joined 02 Oct 2010, 4 posts), posted Mon Oct 04, 2010 1:04:
phuzi0n wrote:
sjs wrote:
Hi,
It works: I can ping vlan2, but I can't ping any device connected to vlan2 from vlan1...

Make sure you have software firewalls turned off on the PC you're trying to ping, because they block traffic from outside their LAN subnet.

I used the firewall command you posted on the other forum and managed to get it to work, but one strange thing: when I FTP from this subnet to the other, it doesn't show the IP address of vlan1; instead it shows the IP of the vlan2 gateway.
akhnaten (DD-WRT Novice, joined 28 Oct 2012, 3 posts), posted Sun Oct 28, 2012 22:16:
The following discussion applies to dd-wrt v24-sp2 and has not been tested by me on any earlier version.

I have found the following two iptables entries to be unnecessary and to cause security holes.

iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I INPUT -i vlan1 -j ACCEPT

These two lines get executed first no matter the order of entry. They match just about every packet that ends up on the INPUT chain, thereby invalidating all the other entries on the chain. These two lines basically say: accept any packet from vlan1 or vlan2 without further processing. This has the effect of allowing anyone on either vlan1 or vlan2 to access the administrative ports on the router, even if other iptables rules shut those ports down. Needless to say, this is a big security risk. I removed these two lines and have not noticed any difference in the operation of the router, other than the other iptables entries executing as expected.
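A check for the two lines akhnaten describes, plus the narrow replacement a detached VLAN actually needs from the router itself. This is an added example, not akhnaten's or DD-WRT's code. find_blanket_accepts reads iptables-save (or iptables -S INPUT) output and flags any INPUT rule that accepts a whole interface with no protocol, port or state match; SAMPLE_SAVE is a constructed dump for the demo, vlan2 is assumed to be the detached VLAN, and the chain name guest_in is my own.

```shell
#!/bin/sh
# Added example, not from the thread: spot blanket per-interface ACCEPTs in
# the INPUT chain and replace them with the minimum a detached VLAN needs
# from the router itself. Assumes vlan2 is the detached VLAN.
GUEST_IF="${GUEST_IF:-vlan2}"

# Constructed iptables-save excerpt: the two lines from the thread sit at the
# top of INPUT, ahead of a rule that was meant to close the web UI on vlan1.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i vlan2 -j ACCEPT
-A INPUT -i vlan1 -j ACCEPT
-A INPUT -i vlan1 -p tcp --dport 80 -j DROP
-A INPUT -i vlan2 -p udp --dport 67 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# find_blanket_accepts: read iptables-save text on stdin and print every INPUT
# rule that accepts an entire interface with no protocol, port or state
# qualifier (loopback excepted). Exit status 1 when any were found.
find_blanket_accepts() {
    awk '
        $1 == "-A" && $2 == "INPUT" && $3 == "-i" && $5 == "-j" && $6 == "ACCEPT" && NF == 6 && $4 != "lo" {
            print; found = 1
        }
        END { exit found ? 1 : 0 }'
}

# ipt: run iptables, or with DRY_RUN=1 print the command instead.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# guest_input_rules: what port 4 may ask of the router itself: a DHCP lease,
# name resolution, and replies to connections the router started. Everything
# else (ssh, telnet, the web UI) is dropped before the default rules run.
guest_input_rules() {
    ipt -N guest_in 2>/dev/null || true
    ipt -F guest_in
    ipt -A guest_in -p udp --dport 67 -j ACCEPT
    ipt -A guest_in -p udp --dport 53 -j ACCEPT
    ipt -A guest_in -p tcp --dport 53 -j ACCEPT
    ipt -A guest_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A guest_in -j DROP
    # Hook the chain once, at the top of INPUT, for the detached VLAN only.
    ipt -D INPUT -i "$GUEST_IF" -j guest_in 2>/dev/null || true
    ipt -I INPUT 1 -i "$GUEST_IF" -j guest_in
}

case "${1:-}" in
    audit) iptables-save | find_blanket_accepts ;;
    demo)  printf '%s\n' "$SAMPLE_SAVE" | find_blanket_accepts ;;
    apply) guest_input_rules ;;
    show)  DRY_RUN=1; guest_input_rules ;;
esac
```

`sh audit_input.sh audit` runs the check against the live firewall over SSH (exit status 1 means a blanket rule exists and the offending lines are printed); `demo` runs it on the constructed dump and reports the vlan1 and vlan2 lines while leaving the port-qualified and loopback rules alone; `show` prints the replacement. Because guest_in is hooked with one -I INPUT 1 and filled with -A, its internal order (DHCP, DNS, established, then DROP) is the order that is evaluated, which a sequence of -I lines typed straight into INPUT would reverse.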
razzul11 (DD-WRT Novice, joined 08 May 2013, 2 posts), posted Wed May 08, 2013 16:57:
My goal was to have each of the 4 ports on their own VLAN and the wireless not sharing any of the VLANs. I wanted to share the config that seemed to work. Each VLAN has its own DHCP server, plus the wireless using the default DHCP server. Curious why vlan5 would not start up on its own; I had to add an rc_startup script.

Hardware: Asus RT-N12B
Firmware: DD-WRT v24-sp2 (12/08/11) mini - build 17990M NEWD-2 K2.6 Eko

VLAN info: (first number is the internal switch port ID)
3 - port 1 - vlan5 - 192.168.5.1
2 - port 2 - vlan4 - 192.168.4.1
1 - port 3 - vlan3 - 192.168.3.1
0 - port 4 - vlan2 - 192.168.2.1
4 = WAN
5 = CPU internal
5* = CPU internal default
Wireless on default network 192.168.1.1

nvram settings:

nvram set vlans=4                  # number of VLANs to bring up beyond vlan0/vlan1 (see note below)

# switch-port membership of each VLAN (5 = CPU port, * = its default VLAN)
nvram set vlan0ports="5*"
nvram set vlan2ports="0 5"
nvram set vlan3ports="1 5"
nvram set vlan4ports="2 5"
nvram set vlan5ports="3 5"

# per-port VLAN membership
nvram set port5vlans="0 1 2 3 4 16"
nvram set port0vlans=1
nvram set port1vlans=5
nvram set port2vlans=4
nvram set port3vlans=3
nvram set port4vlans=2

# bind each new VLAN to the switch driver
nvram set vlan2hwname=et0
nvram set vlan3hwname=et0
nvram set vlan4hwname=et0
nvram set vlan5hwname=et0

# IP settings for each detached VLAN (unbridged, NAT enabled)
nvram set vlan2_bridged=0
nvram set vlan2_ipaddr="192.168.2.1"
nvram set vlan2_mtu=1500
nvram set vlan2_multicast=0
nvram set vlan2_nat=1
nvram set vlan2_netmask="255.255.255.0"
nvram set vlan3_bridged=0
nvram set vlan3_ipaddr="192.168.3.1"
nvram set vlan3_mtu=1500
nvram set vlan3_multicast=0
nvram set vlan3_nat=1
nvram set vlan3_netmask="255.255.255.0"
nvram set vlan4_bridged=0
nvram set vlan4_ipaddr="192.168.4.1"
nvram set vlan4_mtu=1500
nvram set vlan4_multicast=0
nvram set vlan4_nat=1
nvram set vlan4_netmask="255.255.255.0"
nvram set vlan5_bridged=0
nvram set vlan5_ipaddr="192.168.5.1"
nvram set vlan5_mtu=1500
nvram set vlan5_multicast=0
nvram set vlan5_nat=1
nvram set vlan5_netmask="255.255.255.0"

# one DHCP server per VLAN: interface>On>first host>number of leases>lease time in minutes
nvram set mdhcpd_count=4
nvram set mdhcpd="vlan2>On>100>50>1440 vlan3>On>100>50>1440 vlan4>On>100>50>1440 vlan5>On>100>50>1440"

# bring vlan5 up by hand (see note below)
nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
ifconfig vlan5 192.168.5.1 netmask 255.255.255.0
ifconfig vlan5 up
'

# block forwarding between every pair of VLANs
nvram set rc_firewall='
iptables -I FORWARD -i vlan2 -o vlan3 -j DROP
iptables -I FORWARD -i vlan2 -o vlan4 -j DROP
iptables -I FORWARD -i vlan2 -o vlan5 -j DROP
iptables -I FORWARD -i vlan3 -o vlan2 -j DROP
iptables -I FORWARD -i vlan3 -o vlan4 -j DROP
iptables -I FORWARD -i vlan3 -o vlan5 -j DROP
iptables -I FORWARD -i vlan4 -o vlan2 -j DROP
iptables -I FORWARD -i vlan4 -o vlan3 -j DROP
iptables -I FORWARD -i vlan4 -o vlan5 -j DROP
iptables -I FORWARD -i vlan5 -o vlan2 -j DROP
iptables -I FORWARD -i vlan5 -o vlan3 -j DROP
iptables -I FORWARD -i vlan5 -o vlan4 -j DROP
'

nvram commit
reboot


The vlans=4 seems to be a count of the number of VLANs to bring up after the first 2 (vlan0 & vlan1), but it only seems to bring up the VLANs up to vlan4. I had to put in the rc_startup script for vlan5 to start.
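The twelve DROP lines in the post above are the n*(n-1) ordered pairs of four interfaces. The following added example (mine, not razzul11's) generates them for any list of interfaces and verifies from iptables-save output that every pair is actually loaded; the chain name vlan_mesh is my own, and DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not razzul11's script: generate and verify the full set of
# FORWARD drops between any number of detached VLANs. Interface names are
# passed as arguments, e.g. vlan2 vlan3 vlan4 vlan5.

# ipt: run iptables, or with DRY_RUN=1 print the command instead.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# isolate_mesh IF...: one DROP per ordered pair (n*(n-1) rules), kept in
# their own chain so they can be flushed and rebuilt without touching FORWARD.
# Order does not matter here because every rule is a DROP.
isolate_mesh() {
    ipt -N vlan_mesh 2>/dev/null || true
    ipt -F vlan_mesh
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            ipt -A vlan_mesh -i "$src" -o "$dst" -j DROP
        done
    done
    ipt -D FORWARD -j vlan_mesh 2>/dev/null || true
    ipt -I FORWARD 1 -j vlan_mesh
}

# verify_mesh IF...: read iptables-save output on stdin and report every pair
# that has no DROP, to confirm rc_firewall really loaded all of them.
# Exit status 1 if anything is missing.
verify_mesh() {
    rules=$(cat)
    missing=0
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            if ! printf '%s\n' "$rules" | grep -q -- "-i $src -o $dst -j DROP"; then
                echo "missing: $src -> $dst"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

case "${1:-}" in
    apply)  shift; isolate_mesh "$@" ;;
    show)   shift; DRY_RUN=1; isolate_mesh "$@" ;;
    verify) shift; iptables-save | verify_mesh "$@" ;;
esac
```

`sh vlan_mesh.sh show vlan2 vlan3 vlan4 vlan5` prints the twelve rules; `apply` loads them and `verify` checks the running firewall for each pair. Keep in mind that these rules only cover FORWARD, so they say nothing about what each VLAN may ask of the router itself; that is the INPUT chain, which is a separate decision.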