Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3, 4  Next
Author Message
buggers
DD-WRT Novice


Joined: 03 Mar 2007
Posts: 13

PostPosted: Sat Oct 13, 2007 19:57    Post subject: no vlan support Reply with quote
Hi,

I have a feeling that not all WRT54G supports vlan. If you put DDWRT on them, and try to set it on different schemes it will give u the same all the time. All port in one lan eventually and u dont need 5 computer to test this. Just setup 2 VLAN and put 2 computer to that port, then switch one to the other vlan, if you still can get a ping then it fucked.
I telling you that vlan option doesnt do difference.
Sponsor
mejor
DD-WRT Novice


Joined: 02 Nov 2007
Posts: 25

PostPosted: Sat Jan 05, 2008 16:59    Post subject: Reply with quote
I GOT IT WORKING ON A WRT54GS V4 FINALLY!!!!!!!!! took me like 3 weeks.

this is what i had to do:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5"

it used to be:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"

port 4 on the back of the router is not port 4 on the board here is the layout for this router:
0 = port 4
1 = port 3
2 = port 2
3 = port 1
4 = WAN
5 = CPU internal
5* = CPU internal default
Darkshadow
DD-WRT Novice


Joined: 24 Aug 2006
Posts: 3

PostPosted: Thu Jan 17, 2008 13:52    Post subject: Firewall - Port forward Reply with quote
If I perform the commands to create 2 VLAN's are they still behind the forewall and do the portforward rules setup in the GUI still work / apply?
blackcell
DD-WRT Novice


Joined: 11 Feb 2008
Posts: 2
Location: Oregon

PostPosted: Mon Feb 11, 2008 4:54    Post subject: Reply with quote
mejor wrote:
I GOT IT WORKING ON A WRT54GS V4 FINALLY!!!!!!!!! took me like 3 weeks.

this is what i had to do:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5"

it used to be:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"

port 4 on the back of the router is not port 4 on the board here is the layout for this router:
0 = port 4
1 = port 3
2 = port 2
3 = port 1
4 = WAN
5 = CPU internal
5* = CPU internal default


Thanks! Took me two days to realize the ports on this WRT54GS V4 are NOT as they appear.
Purpletriangle
DD-WRT Novice


Joined: 19 Feb 2008
Posts: 1

PostPosted: Tue Feb 19, 2008 0:20    Post subject: VLANS more info if anyone knows Reply with quote
Hi, I have found the info most useful and am nearly there with implementing it. My reasoning is that I have some VoIP phones that need to be on a separate LAN as they pick up thier config from a different server remotely. What I need to do is put them on to a VLAN and have DHCP requests forwarded to a different server externally. Also I would want the other PC's on my network to communicate with the Windows 2003 DHCP server rather than the router. So in effect 2 VLANS forwarding DHCP requests to two different DHCP servers. Also on the phones VLAN I need to forward some of the ports. I have seen the DHCP-fwd command and think that it may work, but I dont know how to go about implementing it. Any ideas would be useful.

Thanks a lot
LinuxGnuru
DD-WRT Novice


Joined: 01 Jul 2008
Posts: 1

PostPosted: Tue Jul 01, 2008 23:27    Post subject: Re: Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP Reply with quote
merm wrote:
I just wanted to post this in case someone else is doing exactly what I want to do. I spent several hours reading this morning to get this to work for me. I hope this works for me until BrainSlayer is able to fix the web gui to work for VLAN setup.

Hardware:
WRT54G v 2.2

Software:
DD-WRT v23

What I was looking to do is separate Port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3, or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words I want to see "into" the port 4 VLAN, but don't want them to see out). I've sucessfully got it to work, port 4 cannot ping out, but ports 1-3, and wireless can ping in. I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router ip address) is going to be on 192.168.1.1, and the second VLAN (the new on we create on port 4) is going to be on 192.168.2.1.

Steps:

1. Per this thread you make your VLAN page in your router look like this.

2. Next, per this thread you go to a telnet or SSH prompt and type the following lines individually (I copied and pasted each one) hitting enter after each line.

Quote:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"


3. Now go back into your router and go to the "Administration" tab, then click on "Diagnostics". Per the same thread above you will type the following line into the box on the screen:

Quote:
ifconfig vlan2 192.168.2.1 netmask 255.255.255.0


After you type that in to the box you click on "Save Startup"

*Note that the IP address can be any address that you want the router to be on that second VLAN. The VLAN (port 4) is going to think that the router is 192.168.2.1 in this case.

3. Now, per the same page above, we're going to modify the iptables to properly route everything. Type the following lines into the same box on the "Diagnostics" page.

Quote:
iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I INPUT -i vlan1 -j ACCEPT


This time, click on "Save Firewall"

Now you've just finished the VLAN section, we need to set up DHCP to work properly. If you stop here your DHCP will work on your VLAN 1 (192.168.1.1) but you'll have to use static addresses on the second VLAN on port 4.

Setting up DHCP:

4. Now under the "Administration" tab again on your router, go to the "Management" tab. Find "DNS Masq". Make sure DNS Masq, and Local DNS are both checked. Then, per this thread copy the following lines into the "Additional DNS options box":

Quote:
interface=vlan2
interface=vlan1
interface=vlan0
interface=eth1
dhcp-range=192.168.1.100,192.168.1.200,1h
dhcp-range=192.168.2.100,192.168.2.200,1h


Do you see what's going on here, you're telling DHCP what the two VLANS are, and what addresses to assign them. The "1h" is how long the lease time should be. The first address is the beginning DHCP range, the second is the end of the range for that VLAN. You won't be using your DHCP settings in the GUI on the front page after this, you'll need to edit it here if you want to make changes in the future.

Click on "Save Changes"

5. Lastly, go to the "Setup" tab for your router, and under "basic setup" you're going to turn the DHCP off (this is a different DHCP server that we aren't using any more). Under "DHCP Server" set this to "disable".

6. Now, assuming you've don'e everything correctly, and that I've remembered everything I did. You should be able to reboot your router one final time and have everything work perfectly.

Keep in mind that I'm a complete noob here and don't really know what I'm doing. Just wanted to share what I did to get my ver 2.2 router working perfectly how I wanted it to. Hopefully it will work for you too.

Other resources I found helpful:

DD-WRT Wiki
OpenWRT Documentation


This is a good tutorial but there is one HUGE security risk... the last line in your modded iptables enables access into the router from the wan... so people out on the Internet could potentially logon, and you don't want this.
mejor
DD-WRT Novice


Joined: 02 Nov 2007
Posts: 25

PostPosted: Wed Jul 02, 2008 4:13    Post subject: Re: VLANS more info if anyone knows Reply with quote
Purpletriangle wrote:
Hi, I have found the info most useful and am nearly there with implementing it. My reasoning is that I have some VoIP phones that need to be on a separate LAN as they pick up thier config from a different server remotely. What I need to do is put them on to a VLAN and have DHCP requests forwarded to a different server externally. Also I would want the other PC's on my network to communicate with the Windows 2003 DHCP server rather than the router. So in effect 2 VLANS forwarding DHCP requests to two different DHCP servers. Also on the phones VLAN I need to forward some of the ports. I have seen the DHCP-fwd command and think that it may work, but I dont know how to go about implementing it. Any ideas would be useful.

Thanks a lot


Not really possible... you would need to have the phones looking for a certain IP on the net. DHCP cannot broadcast over the Internet or a VPN tunnel.

I would recommend like what we have setup at my office. We have a port mapped inbound to out trixbox. the phones outside the network are pointed to our global IP.
dreamspy
DD-WRT Novice


Joined: 16 Jun 2007
Posts: 12

PostPosted: Sun Nov 09, 2008 15:14    Post subject: WAN not working Reply with quote
I tried this methood, and my WAN stopped working after this.

My ISP uses DHCP to supply ip addresses, and I simply didn't get one. After a factory reset, everything worked fine again, I got a ip address (WAN ip address) and the internet started working again.

Anyone know what might be causing this? I'm running wrt54gl and dd-wrt v23 sp2 VPN.

regards
Frímann
mejor
DD-WRT Novice


Joined: 02 Nov 2007
Posts: 25

PostPosted: Thu Nov 20, 2008 21:19    Post subject: Reply with quote
The ports are not the same as labeled. Look above and see what I did.
dreamspy
DD-WRT Novice


Joined: 16 Jun 2007
Posts: 12

PostPosted: Sun Nov 23, 2008 18:04    Post subject: Reply with quote
Thanks, that got it working. But now I'm having troubles accessing the internet from Vlan2.

I'we set everything up as in the first post, except switched port 4 and 0.

Vlan2 is on a 192.168.2.* subnet
Vlan0 is on a 192.168.1.* subnet

I can ping both 192.168.2.1 and 192.168.1.1 from vlan2 (the router), but for some reason I can't access the internet.

When I try f.x.:
nslookup yahoo.com 192.168.1.1
or
nslookup yahoo.com 192.168.2.1

I just get a timeout error. Also If I try to ping known internet ipaddresses, I get no reply.

Anyone know what might be the problem?
mejor
DD-WRT Novice


Joined: 02 Nov 2007
Posts: 25

PostPosted: Sun Nov 23, 2008 18:06    Post subject: Reply with quote
make sure your IP tables are correct:

iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I INPUT -i vlan1 -j ACCEPT
dreamspy
DD-WRT Novice


Joined: 16 Jun 2007
Posts: 12

PostPosted: Sun Nov 23, 2008 18:21    Post subject: Reply with quote
A quick reply Smile Yeah that are the exact iptables that I have, can't see what might be wrong.
mejor
DD-WRT Novice


Joined: 02 Nov 2007
Posts: 25

PostPosted: Sun Nov 23, 2008 18:23    Post subject: Reply with quote
but you can get online from VLAN 1
dreamspy
DD-WRT Novice


Joined: 16 Jun 2007
Posts: 12

PostPosted: Sun Nov 23, 2008 18:48    Post subject: Reply with quote
I can get online from VLAN0.

But you ask about VLAN1, isn't VLAN1 the WAN port? At least according to my VLAN page it is. Take a look at the attachment.

Is there any way of checking if the iptables are loading? I tried adding this line to the firewall:

iptables -I INPUT -i vlan0 -d 192.168.1.104 -j logdrop

Then I tried to ping this computer 192.168.1.104 from vlan0. Didn't have any problems with that, so it might seem that the iptables are not loading. I'm no expert in iptables though, so this experiment might be totaly wrong.

Here is a printout from iptables -L when I ssh to the router. I disabled all portforwarding for the moment for clarity. It seems so me that the iptables don't get loaded, although like I said, I'm no expert in these things.


~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
logdrop all -- anywhere baldur
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
logaccept tcp -- anywhere terminal tcp dpt:www
logaccept tcp -- anywhere terminal tcp dpt:ssh
logdrop icmp -- anywhere anywhere
logdrop igmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
logaccept all -- anywhere anywhere state NEW
logdrop all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT gre -- 192.168.1.0/24 anywhere
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:1723
ACCEPT all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
lan2wan all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop tcp -- anywhere vectra tcp spts:13000:13020
logdrop udp -- anywhere vectra udp dpts:13000:13020
TRIGGER all -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
logdrop all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain advgrp_1 (0 references)
target prot opt source destination

Chain advgrp_10 (0 references)
target prot opt source destination

Chain advgrp_2 (0 references)
target prot opt source destination

Chain advgrp_3 (0 references)
target prot opt source destination

Chain advgrp_4 (0 references)
target prot opt source destination

Chain advgrp_5 (0 references)
target prot opt source destination

Chain advgrp_6 (0 references)
target prot opt source destination

Chain advgrp_7 (0 references)
target prot opt source destination

Chain advgrp_8 (0 references)
target prot opt source destination

Chain advgrp_9 (0 references)
target prot opt source destination

Chain grp_1 (0 references)
target prot opt source destination

Chain grp_10 (0 references)
target prot opt source destination

Chain grp_2 (0 references)
target prot opt source destination

Chain grp_3 (0 references)
target prot opt source destination

Chain grp_4 (0 references)
target prot opt source destination

Chain grp_5 (0 references)
target prot opt source destination

Chain grp_6 (0 references)
target prot opt source destination

Chain grp_7 (0 references)
target prot opt source destination

Chain grp_8 (0 references)
target prot opt source destination

Chain grp_9 (0 references)
target prot opt source destination

Chain lan2wan (1 references)
target prot opt source destination

Chain logaccept (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain logdrop (8 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `WEBDROP '
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset

Chain trigger_out (1 references)
target prot opt source destination



vlan.jpg
 Description:
 Filesize:  18.9 KB
 Viewed:  16040 Time(s)

vlan.jpg


d4rt95
DD-WRT Novice


Joined: 07 Sep 2008
Posts: 26

PostPosted: Tue Dec 16, 2008 10:26    Post subject: Reply with quote
I have a netgear router and a dd-wrt Linksys router.

[ADSL]-----[Netgear]-----[Linksys]------[2PC]

The netgear router (directly connected to adsl) restrict access to internet from 01:00am to 07:00 am for some user like my roommate.

I have the ip address 192.168.100.2 and my roommate 192.168.100.7. The netgear router drop any paquet from 192.168.100.7 to internet between 01h00am and 07:00am each day. The problem is that my roommate has changed his ip and took mine. In this way, he have a permanent access to internet. Is your solution with vlan could solve my problem? I think create 2 dhcp, one on 192.168.100.0 and an other on 192.168.101.0. Without vlan, he can change his ip and take mine. Is it possible if we are in 2 differents vlans? I need an anti-spoofing fonctionality in fact...
Goto page Previous  1, 2, 3, 4  Next Display posts from previous:    Page 3 of 4
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum