Posted: Sat Oct 13, 2007 19:57 Post subject: no vlan support
Hi,
I have a feeling that not all WRT54G support VLAN. If you put DD-WRT on them and try to set it to different schemes, it will give you the same result all the time. All ports end up in one LAN eventually, and you don't need 5 computers to test this. Just set up 2 VLANs and put 2 computers to that port, then switch one to the other VLAN; if you can still get a ping then it's fucked.
I'm telling you that the VLAN option doesn't make a difference.
I GOT IT WORKING ON A WRT54GS V4 FINALLY!!!!!!!!! took me like 3 weeks.
this is what i had to do:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5"
it used to be:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"
Port 4 on the back of the router is not port 4 on the board. Here is the layout for this router:
0 = port 4
1 = port 3
2 = port 2
3 = port 1
4 = WAN
5 = CPU internal
5* = CPU internal default
I GOT IT WORKING ON A WRT54GS V4 FINALLY!!!!!!!!! took me like 3 weeks.
this is what i had to do:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5"
it used to be:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"
Port 4 on the back of the router is not port 4 on the board. Here is the layout for this router:
0 = port 4
1 = port 3
2 = port 2
3 = port 1
4 = WAN
5 = CPU internal
5* = CPU internal default
Thanks! Took me two days to realize the ports on this WRT54GS V4 are NOT as they appear.
Posted: Tue Feb 19, 2008 0:20 Post subject: VLANS more info if anyone knows
Hi, I have found the info most useful and am nearly there with implementing it. My reasoning is that I have some VoIP phones that need to be on a separate LAN as they pick up their config from a different server remotely. What I need to do is put them on to a VLAN and have DHCP requests forwarded to a different server externally. Also I would want the other PCs on my network to communicate with the Windows 2003 DHCP server rather than the router. So in effect 2 VLANs forwarding DHCP requests to two different DHCP servers. Also on the phones VLAN I need to forward some of the ports. I have seen the DHCP-fwd command and think that it may work, but I don't know how to go about implementing it. Any ideas would be useful.
Posted: Tue Jul 01, 2008 23:27 Post subject: Re: Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP
merm wrote:
I just wanted to post this in case someone else is doing exactly what I want to do. I spent several hours reading this morning to get this to work for me. I hope this works for me until BrainSlayer is able to fix the web gui to work for VLAN setup.
Hardware:
WRT54G v 2.2
Software:
DD-WRT v23
What I was looking to do is separate Port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3, or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words I want to see "into" the port 4 VLAN, but don't want them to see out). I've successfully got it to work: port 4 cannot ping out, but ports 1-3 and wireless can ping in. I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router IP address) is going to be on 192.168.1.1, and the second VLAN (the new one we create on port 4) is going to be on 192.168.2.1.
Steps:
1. Per this thread you make your VLAN page in your router look like this.
2. Next, per this thread you go to a telnet or SSH prompt and type the following lines individually (I copied and pasted each one) hitting enter after each line.
Quote:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"
3. Now go back into your router and go to the "Administration" tab, then click on "Diagnostics". Per the same thread above you will type the following line into the box on the screen:
Quote:
ifconfig vlan2 192.168.2.1 netmask 255.255.255.0
After you type that in to the box you click on "Save Startup"
*Note that the IP address can be any address that you want the router to be on that second VLAN. The VLAN (port 4) is going to think that the router is 192.168.2.1 in this case.
3. Now, per the same page above, we're going to modify the iptables to properly route everything. Type the following lines into the same box on the "Diagnostics" page.
Now you've just finished the VLAN section, we need to set up DHCP to work properly. If you stop here your DHCP will work on your VLAN 1 (192.168.1.1) but you'll have to use static addresses on the second VLAN on port 4.
Setting up DHCP:
4. Now under the "Administration" tab again on your router, go to the "Management" tab. Find "DNS Masq". Make sure DNS Masq, and Local DNS are both checked. Then, per this thread copy the following lines into the "Additional DNS options box":
Do you see what's going on here? You're telling DHCP what the two VLANs are, and what addresses to assign them. The "1h" is how long the lease time should be. The first address is the beginning of the DHCP range, the second is the end of the range for that VLAN. You won't be using your DHCP settings in the GUI on the front page after this; you'll need to edit it here if you want to make changes in the future.
Click on "Save Changes"
5. Lastly, go to the "Setup" tab for your router, and under "basic setup" you're going to turn the DHCP off (this is a different DHCP server that we aren't using any more). Under "DHCP Server" set this to "disable".
6. Now, assuming you've done everything correctly, and that I've remembered everything I did, you should be able to reboot your router one final time and have everything work perfectly.
Keep in mind that I'm a complete noob here and don't really know what I'm doing. Just wanted to share what I did to get my ver 2.2 router working perfectly how I wanted it to. Hopefully it will work for you too.
This is a good tutorial but there is one HUGE security risk... the last line in your modded iptables enables access into the router from the wan... so people out on the Internet could potentially logon, and you don't want this.
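One way to check a ruleset for the exposure this reply describes, as an added example that is not code from the thread: it reads rules in the `-A INPUT ...` form that `iptables-save` emits and lists the ones that accept new connections arriving on the WAN side. The function name `wan_open_rules`, the interface names (`vlan1` for WAN, `br0` for LAN) and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads rules in "-A INPUT ..." form on
# stdin and prints those that accept NEW connections arriving on the WAN side.
# $1 = WAN interface name; "vlan1" is an assumption, check yours with ifconfig.
wan_open_rules() {
    awk -v wan="${1:-vlan1}" '
    $1 == "-A" && $2 == "INPUT" {
        iface = ""; neg = 0; target = ""; state = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") { iface = $(i + 1); neg = ($(i - 1) == "!") }
            if ($i == "-j") target = $(i + 1)
            if ($i == "--state") state = $(i + 1)
        }
        # Skip rules whose interface match excludes packets from the WAN.
        if (iface != "" && ((iface == wan) == neg)) next
        # Tokens left after "-A INPUT", "-j TARGET" and the interface match.
        extra = NF - 4 - (iface != "" ? 2 : 0) - neg
        if (target == "DROP" || target == "REJECT" || target == "logdrop") {
            if (extra == 0) exit      # catch-all drop: later rules never match
            next
        }
        if (target != "ACCEPT" && target != "logaccept") next
        if (state != "" && state !~ /NEW/) next   # replies only, not exposure
        print
    }'
}

# Constructed sample ruleset (not taken from any router in the thread).
sample_rules() {
    cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i vlan2 -p udp --dport 67 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i vlan1 -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -i vlan1 -p tcp --dport 23 -j ACCEPT
EOF
}

sample_rules | wan_open_rules vlan1
```

On the sample it reports the SSH rule with no interface match and the port 80 rule bound to `vlan1`; the port 23 rule sits behind the catch-all DROP and is never reached. Plain `iptables -L` does not show the interface column, so add `-v` when reading a listing by eye.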
Posted: Wed Jul 02, 2008 4:13 Post subject: Re: VLANS more info if anyone knows
Purpletriangle wrote:
Hi, I have found the info most useful and am nearly there with implementing it. My reasoning is that I have some VoIP phones that need to be on a separate LAN as they pick up their config from a different server remotely. What I need to do is put them on to a VLAN and have DHCP requests forwarded to a different server externally. Also I would want the other PCs on my network to communicate with the Windows 2003 DHCP server rather than the router. So in effect 2 VLANs forwarding DHCP requests to two different DHCP servers. Also on the phones VLAN I need to forward some of the ports. I have seen the DHCP-fwd command and think that it may work, but I don't know how to go about implementing it. Any ideas would be useful.
Thanks a lot
Not really possible... you would need to have the phones looking for a certain IP on the net. DHCP cannot broadcast over the Internet or a VPN tunnel.
I would recommend something like what we have set up at my office. We have a port mapped inbound to our trixbox. The phones outside the network are pointed to our global IP.
Posted: Sun Nov 09, 2008 15:14 Post subject: WAN not working
I tried this method, and my WAN stopped working after this.
My ISP uses DHCP to supply IP addresses, and I simply didn't get one. After a factory reset, everything worked fine again, I got an IP address (WAN IP address) and the internet started working again.
Anyone know what might be causing this? I'm running wrt54gl and dd-wrt v23 sp2 VPN.
Then I tried to ping this computer 192.168.1.104 from vlan0. Didn't have any problems with that, so it might seem that the iptables are not loading. I'm no expert in iptables though, so this experiment might be totally wrong.
Here is a printout from iptables -L when I ssh to the router. I disabled all port forwarding for the moment for clarity. It seems to me that the iptables don't get loaded, although like I said, I'm no expert in these things.
~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
logdrop all -- anywhere baldur
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
logaccept tcp -- anywhere terminal tcp dpt:www
logaccept tcp -- anywhere terminal tcp dpt:ssh
logdrop icmp -- anywhere anywhere
logdrop igmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
logaccept all -- anywhere anywhere state NEW
logdrop all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT gre -- 192.168.1.0/24 anywhere
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:1723
ACCEPT all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
lan2wan all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop tcp -- anywhere vectra tcp spts:13000:13020
logdrop udp -- anywhere vectra udp dpts:13000:13020
TRIGGER all -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
logdrop all -- anywhere anywhere
I have a netgear router and a dd-wrt Linksys router.
[ADSL]-----[Netgear]-----[Linksys]------[2PC]
The Netgear router (directly connected to ADSL) restricts access to the internet from 01:00am to 07:00am for some users like my roommate.
I have the IP address 192.168.100.2 and my roommate 192.168.100.7. The Netgear router drops any packet from 192.168.100.7 to the internet between 01:00am and 07:00am each day. The problem is that my roommate has changed his IP and took mine. In this way, he has permanent access to the internet. Could your solution with VLANs solve my problem? I am thinking of creating 2 DHCPs, one on 192.168.100.0 and another on 192.168.101.0. Without VLANs, he can change his IP and take mine. Is it possible if we are in 2 different VLANs? I need an anti-spoofing functionality, in fact...