Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP

lodogg
DD-WRT Novice


Joined: 29 Mar 2007
Posts: 5

PostPosted: Thu Mar 29, 2007 20:35    Post subject: Reply with quote
Great Document!! But of course I'm having issues. My normal IP scheme is IP - 10.22.1.1 Sub 255.255.255.0. I have a PC sitting on port 4 but it's still getting an IP from my 10.22.* subnet and I want it to obtain an IP from the 192.168.* subnet. So I'm thinking something is wacked in my iptables or I need to add a route? I would like ports 1,2,3 to be able to access port 4 but I do not want port 4 to access back because it's going to be a public FTP server. VPN and shell access works fine.

Any help would be much appreciated!!

Thanks,
-lo

I have the following setup.
Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Virtual Local Area Network (VLAN)

1 2 3 - LAN
W 4   - NONE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shell:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Startup:
ifconfig vlan2 192.168.2.1 netmask 255.255.255.0

openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
-----BEGIN OpenVPN Static key V1-----

key

-----END OpenVPN Static key V1-----" > /tmp/static.key
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --port 666 --proto udp --verb 1 --comp-lzo --daemon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Firewall:
iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I INPUT -i vlan1 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 666 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.2.10 --dport 21 -j ACCEPT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DNSMasq:
interface=vlan2
interface=vlan1
interface=vlan0
interface=eth1
dhcp-range=10.22.1.100,10.22.1.105,1h
dhcp-range=192.168.2.100,192.168.2.105,1h

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
csundar
DD-WRT Novice


Joined: 20 Jan 2007
Posts: 15

PostPosted: Mon Apr 02, 2007 3:12    Post subject: Reply with quote
this works for WRT54GL 1.1 as well. you just have to remember that on the GL ports 0 and 4 are switched.

thanks for the awesome tutorial (think about updating the wiki on this one).

only question I have is how do I prevent people from accessing the router at 192.168.1.x?

_________________
WRT54GL v1.1
DD-WRT v23 SP2 VPN + 1GB SD Card
Luciano
DD-WRT Novice


Joined: 23 Jul 2006
Posts: 26

PostPosted: Mon Apr 02, 2007 6:49    Post subject: Reply with quote
If your router address is 192.168.1.1 then add this rule (it will drop traffic from vlan2 to the specified IP):

iptables -I INPUT -i vlan2 -d 192.168.1.1 -j logdrop
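
One way to get the one-way access asked for in the first post on this page (ports 1-3 may reach port 4, port 4 may not initiate back) and to close the router to the isolated VLAN on every address rather than a single IP. This is an added example, not code from any poster in this thread. It assumes the LAN bridge is `br0`, the port-4 VLAN is `vlan2` and the `logdrop` target used in the posts above is present; `IPT`, `DROP` and the function names are made up for the example.

```shell
#!/bin/sh
# Added example: one-way isolation for a separate port-4 VLAN.
# Assumptions: LAN bridge = br0, isolated VLAN = vlan2, "logdrop" target exists.
IPT="${IPT:-iptables}"      # IPT="echo iptables" gives a dry run that prints rules
DROP="${DROP:-logdrop}"

# "-I" without an index puts each rule at the top of the chain, so the rule
# inserted LAST is evaluated FIRST. Insert the broad drop first, then the
# narrower accepts, so the accepts end up above it.
isolate_forward() {         # $1 = trusted LAN interface, $2 = isolated interface
  lan="$1"; iso="$2"
  $IPT -I FORWARD -i "$iso" -o "$lan" -j "$DROP"
  # Replies to connections the LAN opened are still allowed back.
  $IPT -I FORWARD -i "$iso" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -I FORWARD -i "$lan" -o "$iso" -j ACCEPT
}

# Replaces a blanket "INPUT -i vlan2 -j ACCEPT": the isolated VLAN gets DHCP
# and DNS from the router and nothing else (no web GUI, SSH or telnet).
restrict_router_access() {  # $1 = isolated interface
  iso="$1"
  $IPT -I INPUT -i "$iso" -j "$DROP"
  $IPT -I INPUT -i "$iso" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -I INPUT -i "$iso" -p udp --dport 67 -j ACCEPT
  $IPT -I INPUT -i "$iso" -p udp --dport 53 -j ACCEPT
  $IPT -I INPUT -i "$iso" -p tcp --dport 53 -j ACCEPT
}

# eval_order: read dry-run output on stdin and print one chain in the order
# the kernel will walk it, to confirm no accept is shadowed by the drop.
# Handles plain "-I CHAIN" rules only (no index, no "-A").
eval_order() {              # $1 = chain name
  awk -v c="$1" '$2 == "-I" && $3 == c { r[++n] = $0 }
                 END { for (i = n; i >= 1; i--) print r[i] }'
}
```

On the router, call `isolate_forward br0 vlan2` and `restrict_router_access vlan2` from the firewall script; piping a dry run through `eval_order FORWARD` shows the drop as the last of the three rules.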




Joined: 01 Jan 1970
Posts:

PostPosted: Sun Jun 03, 2007 3:38    Post subject: VLAN help Reply with quote
Hi folks, I posted this to the openwrt list but I'm posting here too, maybe someone knows the answer:

I have a WRT54GSv5.1 and I know the wrt series supports 802.11q but I can't make it work. I simply use other lan on 2 ports which has nothing to do with wireless or the other lan. I don't use the WAN port for anything, the wireless bridged to the lan as usual.

So I have port 1 2 3 on vlan0, wan port on vlan1 and the other vlan on vlan2 but as you can guess it does not work. All ports are in one vlan whatever I do. I tried to setup on console with nvram by this

http://www.geek-pages.com/articles/latest/dd-wrt_-_setting_up_a_separate/isolated_vlan_on_port_4_with_dhcp.html

tutorial.

After that I read http://www.dd-wrt.com/phpBB2/viewtopic.php?t=1160

Still doesn't work. Any idea what's the problem here? I see the vlan0 interface tx-rx stats increasing but not vlan2. Everything goes on the same lan, and maybe those on the forum who wrote that it works didn't notice that it doesn't.
adx
DD-WRT User


Joined: 08 Apr 2007
Posts: 123

PostPosted: Mon Jun 04, 2007 9:11    Post subject: Reply with quote
This is what I'm looking for and thanks for the tutorial. But, by disabling DHCP server my static IP didn't work anymore and static IP is important for port forwarding. We can still set the static IP in the OS itself but IMHO it's not the best method especially for notebook/pda etc.

So, the question is if I omit the step 4 and 5, how can I setup the router DHCP server to assign IP address to VLAN2 too? and still isolate VLAN2 from the rest of the network.

edit: how about this? iptables -I INPUT -i vlan2 -p udp --dport 67:68 -j ACCEPT

edit2: Problem solved - I didn't turn off dhcp server and added:
interface=vlan2
dhcp-range=192.168.2.100,192.168.2.200,24h

Thanks.

_________________
- adx -
Corine
DD-WRT Novice


Joined: 02 Jul 2007
Posts: 1

PostPosted: Mon Jul 02, 2007 11:05    Post subject: VLAN question Reply with quote
Dear all,
I have a piece of equipment that can be a DHCP client and can add a VLAN ID.
When I enable the VLAN (e.g. port 4 is VLAN2) on my AP, I find there is no VLAN tag in the DHCP Offer or ACK.
My first question is: how can I make port 4, which has VLAN2 enabled on my router, send all packets to my DHCP client with the VLAN ID set to 2?
My second question is: when a device has the VLAN enabled but receives a response packet without a VLAN tag, should it accept the response message or ignore it?
albundy
DD-WRT Novice


Joined: 06 Aug 2007
Posts: 1

PostPosted: Mon Aug 06, 2007 20:22    Post subject: Similar type problem Reply with quote
I am using one of the new Linksys WRT150N Routers. I am trying to get multiple WAN's connected to my firewall. We thought using dd-wrt would do the trick. I am having a hard time getting the VLAN info provisioned correctly. Anybody have any advice? I am hoping someone familiar with dd-wrt code may be able to point us in the right direction. Here is a sample config we were given by the provider:

config t
!
ip routing
!
hostname broadband
!
ip name-server 205.152.37.23
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
no snmp trap link-status
rate-limit output 10000000 250000 250000 conform-action transmit exceed-action drop
no shutdown
!
interface FastEthernet0/0.1
encapsulation dot1Q 259
ip address 68.x.y.170 255.255.255.252
no snmp trap link-status
no cdp enable
no shutdown
!
!
interface FastEthernet0/1
ip address 74.x.y.1 255.255.255.128
speed 100
duplex full
no shutdown
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.x.y.169
no ip http server
!
!
no cdp run
DDassow01
DD-WRT Novice


Joined: 24 Jul 2007
Posts: 5

PostPosted: Thu Aug 23, 2007 21:28    Post subject: Stumped .... Reply with quote
Does anybody have this working on one of the current routers available on the market? I have tried this on a Buffalo WHR-G125 and a Linksys WRT54GSv6 and it doesn't work on either. I have gotten it to work on older routers like the Buffalo G54S though. Are the commands not supported on the newer versions? If you have gotten this to work on a newer router can you list the model so I can go buy one? Thanks!

Dave
etherboy
DD-WRT User


Joined: 08 Jun 2007
Posts: 70

PostPosted: Mon Aug 27, 2007 7:07    Post subject: Reply with quote
I'm a newbie to VLAN. So forgive me if I'm completely wrong.

This thread is talking about setting up port 4 on another network with DHCP, is that why you need to modify the configuration through command lines?



What I want to achieve is also have port 4 on its own VLAN, but with different approach, I don't want to touch those command lines that I don't understand.

What if I have another router attached to port 4, and have its own DHCP server enabled and have a fixed WAN IP, do I still have to go through the procedure like above?

Let's say I already have DD-WRT on network 10.1.1.0/24 with LAN IP 10.1.1.1, and I have 10.1.1.2 as the fixed WAN IP for the other router I attached to port 4, with LAN IP 192.168.1.1 and its own DHCP server.

So, If I setup port 4 on VLAN 2 and set "Assigned to Bridge" to none, wouldn't that work right away? I mean, all the clients on second router (192.168.1.0 network) should not be able to ping any clients on VLAN 0 (port 1, 2, 3), am I right? Or do I have to enable "Tagged" check boxes on each port?

However, my theory doesn't work, I'm still able to ping any client in 10.1.1.0 network on port 1,2 &3, with or without "Tagged" check boxes enabled, why is that? Anyone can point me to the right direction?

And another question for VLAN is, do I have to have a VLAN capable NIC to be able to use VLAN? Thanks!!!
da_ticklah
DD-WRT Novice


Joined: 27 Aug 2007
Posts: 11

PostPosted: Mon Aug 27, 2007 18:10    Post subject: Re: Stumped .... Reply with quote
DDassow01 wrote:
Does anybody have this working on one of the current routers available on the market? I have tried this on a Buffalo WHR-G125 and a Linksys WRT54GSv6 and it doesn't work on either. I have gotten it to work on older routers like the Buffalo G54S though. Are the commands not supported on the newer versions? If you have gotten this to work on a newer router can you list the model so I can go buy one? Thanks!

Dave


I think the WHR-G125 is a work in progress. I bought one for a friend who wants to set up a home network like mine, WiFi on separate VLAN, and I could not get it to work with the 8/15/07 DD-WRT code. Went back to Best Buy and got a WHR-HP-G54 and it works like a champ like it does on my WHR-G54S

I suspect 125 is still new and the bugs are being worked out


grab the HP model if you can
cenriq
DD-WRT User


Joined: 17 Oct 2006
Posts: 192

PostPosted: Tue Aug 28, 2007 13:11    Post subject: Reply with quote
Hi all,

If you wanted the new VLAN to obtain an IP address from a remote DHCP server (DHCP Forwarder), how would you do that? What are the commands to enter, instead of "DHCP-range........"? Is that possible? Thanks
DDassow01
DD-WRT Novice


Joined: 24 Jul 2007
Posts: 5

PostPosted: Wed Aug 29, 2007 2:25    Post subject: separate VLAN port 4 Reply with quote
I will go and pick up a WHR-HP-G54 and try it with that. Glad to hear you got it working. I wish I could find more of the G54S routers. Those were great little routers. Thanks for the help!
nicheplayer
DD-WRT Novice


Joined: 20 Aug 2007
Posts: 8

PostPosted: Thu Aug 30, 2007 15:23    Post subject: Reply with quote
csundar wrote:
this works for WRT54GL 1.1 as well. you just have to remember that on the GL ports 0 and 4 are switched.


So, aside from changing Step 2 to this:

Code:
nvram set vlan0ports="3 2 1 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5"


Do you make any other changes to the procedure in the first post here? Does the VLANs setup page change?

Thanks!
da_ticklah
DD-WRT Novice


Joined: 27 Aug 2007
Posts: 11

PostPosted: Fri Aug 31, 2007 2:42    Post subject: Re: Stumped .... Reply with quote
da_ticklah wrote:


I think the WHR-G125 is a work in progress. I bought one for a friend who wants to set up a home network like mine, WiFi on separate VLAN, and I could not get it to work with the 8/15/07 DD-WRT code. Went back to Best Buy and got a WHR-HP-G54 and it works like a champ like it does on my WHR-G54S

I suspect 125 is still new and the bugs are being worked out


grab the HP model if you can



It appears the processor in the WHR-G125 has the ports numbered differently; it appears port 4 (from nvram's perspective) is the WAN port. I was finally able to split out 2 wired ports on my WHR-G125 by moving ports 0 & 1 as opposed to 3 & 4 or just 4 in some of the sample configs.

See nvram get output below; vlan1 is untouched by me.

~ # nvram get vlan1ports
4 5
~ # nvram get vlan2ports
0 1 5*
~ # nvram get vlan0ports
2 3 5*

my config is as follows

Code:

nvram set vlan0ports="0 1 5*"
nvram set vlan2ports="2 3 5*"

nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

ifconfig vlan2 192.168.2.1 netmask 255.255.255.0

ifconfig vlan2 up
'

nvram set rc_firewall='
iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j logdrop'
nvram commit


dnsmasq
interface=vlan2
dhcp-option=3,192.168.2.1
dhcp-range=192.168.2.32,192.168.2.192,1440m
mattbunce
DD-WRT Novice


Joined: 30 Sep 2007
Posts: 9

PostPosted: Wed Oct 03, 2007 14:23    Post subject: Reply with quote
I too have got this setup working on a WRT54GL (v1.1)

However I am having a problem using NoCatSplash (Services > Hotspot)

When I set NoCatSplash up before implementing VLANS everything works ok, however when I have the extra VLAN in place internet access doesn't work on VLAN0 anymore (Ports 1-3) however VLAN2 (Port 4) does work with the correct splash screen from NoCatSplash - Can anyone think why this might be?