Great Document!! But of course I'm having issues. My normal IP scheme is IP - 10.22.1.1 Sub 255.255.255.0. I have a PC sitting on port 4 but it's still getting an IP from my 10.22.* subnet and I want it to obtain an IP from the 192.168.* subnet. So I'm thinking something is wacked in my iptables or I need to add a Route? I would like Ports 1,2,3 to be able to Access Port 4 but I do not want Port 4 to access back because it's going to be a public FTP server. VPN and Shell access works fine.
Any help Would be much Appreciated!!
Thanks,
-lo
I have the following setup.
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Virtual Local Area Network (VLAN)
1 2 3 - LAN
W 4 - NONE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shell:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"
this works for WRT54GL 1.1 as well. you just have to remember that on the GL ports 0 and 4 are switched.
thanks for the awesome tutorial (think about updating the wiki on this one).
only question I have is how do I prevent people from accessing the router at 192.168.1.x?
_________________
WRT54GL v1.1
DD-WRT v23 SP2 VPN + 1GB SD Card
Posted: Sun Jun 03, 2007 3:38 Post subject: VLAN help
Hi folks, I posted this to the openwrt list but I post here maybe someone know the answer:
I have a WRT54GSv5.1 and I know the wrt series supports 802.11q but I can't make it work. I simply use another lan on 2 ports, which has nothing to do with wireless or the other lan. I don't use the WAN port for anything; the wireless is bridged to the lan as usual.
So I have port 1 2 3 on vlan0, wan port on vlan1 and the other vlan on vlan2 but as you can guess it does not work. All ports are in one vlan whatever I do. I tried to setup on console with nvram by this
Still doesn't work. Any idea what's the problem here? I see the vlan0 interface tx-rx stats increasing but not vlan2. Everything goes on the same lan, and maybe those who wrote on the forum that it works didn't notice that it doesn't.
This is what I'm looking for, and thanks for the tutorial. But by disabling the DHCP server my static IP didn't work anymore, and static IP is important for port forwarding. We can still set the static IP in the OS itself but IMHO it's not the best method, especially for notebook/pda etc.
So, the question is: if I omit steps 4 and 5, how can I set up the router's DHCP server to assign IP addresses to VLAN2 too, and still isolate VLAN2 from the rest of the network?
edit: how about this? iptables -I INPUT -i vlan2 -p udp --dport 67:68 -j ACCEPT
edit2: Problem solved - I didn't turn off the dhcp server and added:
interface=vlan2
dhcp-range=192.168.2.100,192.168.2.200,24h
Posted: Mon Jul 02, 2007 11:05 Post subject: VLAN question
Dear all,
I have a piece of equipment; it can be a DHCP client and can add a VLAN ID.
When I enable the VLAN (e.g. port 4 is VLAN2) on my AP, I find there is no VLAN tag in the DHCP Offer or ACK.
My first question is: how can I make port 4, which has VLAN2 enabled on my router, send all packets to my DHCP client with the VLAN ID set to 2?
My second question is: when a device has the VLAN enabled but receives a response packet without a VLAN tag, should it accept the response message or ignore it?
Posted: Mon Aug 06, 2007 20:22 Post subject: Similar type problem
I am using one of the new Linksys WRT150N Routers. I am trying to get multiple WANs connected to my firewall. We thought using dd-wrt would do the trick. I am having a hard time getting the VLAN info provisioned correctly. Anybody have any advice? I am hoping someone familiar with dd-wrt code may be able to point us in the right direction. Here is a sample config we were given by the provider:
config t
!
ip routing
!
hostname broadband
!
ip name-server 205.152.37.23
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
no snmp trap link-status
rate-limit output 10000000 250000 250000 conform-action transmit exceed-action drop
no shutdown
!
interface FastEthernet0/0.1
encapsulation dot1Q 259
ip address 68.x.y.170 255.255.255.252
no snmp trap link-status
no cdp enable
no shutdown
!
!
interface FastEthernet0/1
ip address 74.x.y.1 255.255.255.128
speed 100
duplex full
no shutdown
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.x.y.169
no ip http server
!
!
no cdp run
Posted: Thu Aug 23, 2007 21:28 Post subject: Stumped ....
Does anybody have this working on one of the current routers available on the market? I have tried this on a Buffalo WHR-G125 and a Linksys WRT54GSv6 and it doesn't work on either. I have gotten it to work on older routers like the Buffalo G54S though. Are the commands not supported on the newer versions? If you have gotten this to work on a newer router can you list the model so I can go buy one? Thanks!
I'm a newbie to VLANs, so forgive me if I'm completely wrong.
This thread is talking about setting up port 4 on another network with DHCP; is that why you need to modify the configuration through command lines?
What I want to achieve is also to have port 4 on its own VLAN, but with a different approach: I don't want to touch those command lines that I don't understand.
What if I have another router attached to port 4, with its own DHCP server enabled and a fixed WAN IP; do I still have to go through the procedure like above?
Let's say I already have DD-WRT on network 10.1.1.0/24 with LAN IP 10.1.1.1, and I have 10.1.1.2 as the fixed WAN IP for the other router I attached to port 4, with LAN IP 192.168.1.1 and its own DHCP server.
So, if I set up port 4 on VLAN 2 and set "Assigned to Bridge" to none, wouldn't that work right away? I mean, all the clients on the second router (192.168.1.0 network) should not be able to ping any clients on VLAN 0 (port 1, 2, 3), am I right? Or do I have to enable the "Tagged" check boxes on each port?
However, my theory doesn't work: I'm still able to ping any client in the 10.1.1.0 network on port 1, 2 & 3, with or without the "Tagged" check boxes enabled. Why is that? Can anyone point me in the right direction?
And another question for VLAN is, do I have to have a VLAN-capable NIC to be able to use VLAN? Thanks!!!
Posted: Mon Aug 27, 2007 18:10 Post subject: Re: Stumped ....
DDassow01 wrote:
Does anybody have this working on one of the current routers available on the market? I have tried this on a Buffalo WHR-G125 and a Linksys WRT54GSv6 and it doesn't work on either. I have gotten it to work on older routers like the Buffalo G54S though. Are the commands not supported on the newer versions? If you have gotten this to work on a newer router can you list the model so I can go buy one? Thanks!
Dave
I think the WHR-G125 is a work in progress. I bought one for a friend who wants to set up a home network like mine, WiFi on a separate VLAN, and I could not get it to work with the 8/15/07 DD-WRT code. Went back to Best Buy and got a WHR-HP-G54 and it works like a champ, like it does on my WHR-G54S.
I suspect the 125 is still new and the bugs are being worked out.
If you wanted the new VLAN to obtain an IP address from a remote DHCP server (DHCP Forwarder), how would you do that? What are the commands to enter, instead of "DHCP-range........"? Is that possible? Thanks
Posted: Wed Aug 29, 2007 2:25 Post subject: seperate VLAN port 4
I will go and pick up a WHR-HP-G54 and try it with that. Glad to hear you got it working. I wish I could find more of the G54S routers. Those were great little routers. Thanks for the help!
Posted: Fri Aug 31, 2007 2:42 Post subject: Re: Stumped ....
da_ticklah wrote:
I think the WHR-G125 is a work in progress. I bought one for a friend who wants to set up a home network like mine, WiFi on a separate VLAN, and I could not get it to work with the 8/15/07 DD-WRT code. Went back to Best Buy and got a WHR-HP-G54 and it works like a champ, like it does on my WHR-G54S.
I suspect the 125 is still new and the bugs are being worked out.
grab the HP model if you can
it appears the processor in the WHR-G125 has the ports numbered differently; it appears port 4 (from nvram's perspective) is the wan port. I was finally able to split out 2 wired ports on my WHR-G125 by moving ports 0 & 1 as opposed to 3 & 4 or just 4 in some of the sample configs.
see nvram get output below; vlan1 is untouched by me
~ # nvram get vlan1ports
4 5
~ # nvram get vlan2ports
0 1 5*
~ # nvram get vlan0ports
2 3 5*
my config is as follows
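Code:
# Assign switch ports to VLANs; 5 is the internal CPU port
nvram set vlan0ports="0 1 5*"
nvram set vlan2ports="2 3 5*"
# Startup script: give vlan2 its own subnet and bring the interface up
nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
ifconfig vlan2 192.168.2.1 netmask 255.255.255.0
ifconfig vlan2 up
'
# Firewall script: accept all traffic from vlan2 to the router itself,
# let vlan2 open new connections out through vlan1 or ppp0 (WAN side),
# and log and drop anything forwarded from br0 (LAN bridge) to vlan2
nvram set rc_firewall='
iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j logdrop'
# Write the settings to flash so they survive a reboot
nvram commit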
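Added example (not part of any post in this thread and not DD-WRT's own code): a small audit that reads rules in `iptables -S` syntax and reports whether a second VLAN such as vlan2 is actually isolated, contrasting a blanket `INPUT -i vlan2 -j ACCEPT` with the DHCP-only rule posted earlier in the thread. The function name, the constructed sample rule sets, and the assumption that the router's iptables build supports `-S` are mine.

```shell
#!/bin/sh
# Usage: iptables -S | audit_guest_vlan GUEST_IF LAN_IF
# Only rules naming the interfaces explicitly are examined; chain policies
# and jumps into user chains are not followed.
# Exit status 0 = no findings, 1 = findings (one per line on stdout).
audit_guest_vlan() {
    awk -v g="$1" -v lan="$2" '
    # Value following option "opt" in this rule, "" if absent or negated.
    function arg(opt,   i) {
        for (i = 2; i < NF; i++)
            if ($i == opt) return (($(i - 1) == "!") ? "" : $(i + 1))
        return ""
    }
    $1 != "-A" { next }
    {
        chain = $2; target = arg("-j"); st = arg("--state")
        # wide = no protocol, address or state match narrows the rule
        wide = (arg("-p") == "" && arg("-s") == "" && arg("-d") == "" && st == "")
    }
    chain == "INPUT" && arg("-i") == g && target == "ACCEPT" && wide {
        print "INPUT: " g " can reach every service on the router"; bad = 1
    }
    chain == "FORWARD" && arg("-i") == g && arg("-o") == lan {
        # First match wins: an ACCEPT for new connections placed before any
        # unconditional drop lets the guest side open sessions into the LAN.
        if (target == "ACCEPT" && !blocked && (st == "" || st ~ /NEW/)) {
            print "FORWARD: new connections " g " -> " lan " are accepted"; bad = 1
        } else if (target ~ /^(DROP|REJECT|logdrop)$/ && wide)
            blocked = 1
    }
    END {
        if (!blocked) { print "FORWARD: no rule drops " g " -> " lan; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: blanket INPUT accept, only LAN -> guest is dropped.
SAMPLE_OPEN='-A INPUT -i vlan2 -j ACCEPT
-A FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j logdrop'
# Constructed sample: DHCP only towards the router, replies only towards LAN.
SAMPLE_TIGHT='-A INPUT -i vlan2 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -i vlan2 -j DROP
-A FORWARD -i vlan2 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan2 -o br0 -j DROP'

printf '%s\n' "$SAMPLE_OPEN"  | audit_guest_vlan vlan2 br0 || echo "=> not isolated"
printf '%s\n' "$SAMPLE_TIGHT" | audit_guest_vlan vlan2 br0 && echo "=> isolated"
```

The second sample still lets LAN hosts on br0 reach vlan2 and receive replies, while vlan2 cannot open new sessions towards br0 or reach anything on the router except DHCP.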
I too have got this setup working on a WRT54GL (v1.1)
However I am having a problem using NoCatSplash (Services > Hotspot)
When I set NoCatSplash up before implementing VLANs everything works ok, however when I have the extra VLAN in place internet access doesn't work on VLAN0 anymore (Ports 1-3) however VLAN2 (Port 4) does work with the correct splash screen from NoCatSplash - Can anyone think why this might be?