[Tutorial] Port Based VLANs (Separated / Internet Only)

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Advanced Networking
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Sun Dec 16, 2012 23:56    Post subject: Re: DIR-825 Reply with quote
StevenDR wrote:
My D-Link DIR-825 does not have the VLAN tab either. Should I follow the X86 instructions as well?

Edit: I would only want to accomplish a second WAN port (not for DUAL WAN, but for attaching my Setup box and getting it to receive an IP from my ISP as well). This worked on my old US Robotics, but I replaced that one for performance sake.

No not really. If you try to add software tagging on a device with an integrated switch then it may or may not work and if it does then it will add tagging for all the physical ports that the switch has put in a vlan.

The right way would be to configure the switch to tag the vlan's but I'm not sure if it's possible with DD-WRT on Atheros hardware. I think it may be possible with the swconfig command but I haven't had the time to explore it at all.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Jonathan
DD-WRT User


Joined: 12 Jan 2007
Posts: 87

PostPosted: Sun Dec 23, 2012 15:35    Post subject: Reply with quote
I read this guide with great interest. But I'm wondering about its applicability to trunked VLANs...

In my network, I have one router configured as an access point (a Buffalo WHR-HP-G54, running build 14929). On the access point, I have set up two SSIDs, one intended as a "main" wireless network and the other intended as a "guest" network (thanks to phuzi0n for his multiple WLAN guide). Each wireless interface is bridged to its own VLAN, which is tagged and sent out through the WAN port.

The next step is a smart, VLAN-aware switch (a D-Link DGS-1100-08), which takes care of ensuring various network resources, such as servers, are only seen by the appropriate VLAN. All of this is tested and working.

The part that I'm working on now is the main network router: it's an ASUS RT-N66U running Fractal's 20363 build with the 64k CFE update. This router is being used solely for its wired capabilities.

What I'm trying to do is have both the main and the guest VLANs enter through a single trunked port, rather than use multiple ports. I'd like to have both VLANs able to access the Internet, but, of course, not bridge the VLANs so they can't talk with each other. And I'd like to have the main router be the sole source for DHCP service.

Should this guide also work with multiple VLANs on a single trunked port, assuming the VLAN GUI page is set up correctly?
Jonathan
DD-WRT User


Joined: 12 Jan 2007
Posts: 87

PostPosted: Mon Dec 24, 2012 2:11    Post subject: Reply with quote
Actually, I've now solved my configuration (described above) with the GUI alone--no separate iptables rules necessary.

- Setup/VLANs: WAN moved to VLAN 15 to get it out of the way
- Setup/VLANs: Port 1 tagged, VLANs 1 and 2 checked; Ports 2-4 VLAN 1
- Setup/Networking/Bridging: Bridge br1 added, with a different subnet than the main subnet
- Setup/Networking/Bridging: VLAN 2 assigned to Bridge br1
- Setup/Networking/Port Setup: WAN Port Assignment set to vlan15 (still using startup nvram mods to get this to stick)
- Setup/Networking/Port Setup: VLAN 2 network configuration set to "unbridged"; Masquerade / NAT enabled
- Setup/Networking/DHCPD: DHCPD 0 added to bridge br1

...and that's it. VLAN 1 and VLAN 2 can both see the WAN/Internet. VLAN 1 receives DHCP service from the main pool, VLAN 2 receives DHCP service from the bridge br1 pool defined on the networking page. And VLAN 1 and VLAN 2 are isolated from each other.

At some point, perhaps I'll try to see whether this will work on port-based (non-trunked) vlans without iptables rules.
StevenDR
DD-WRT Novice


Joined: 07 Dec 2012
Posts: 14

PostPosted: Fri Jan 04, 2013 12:56    Post subject: no VLAN tab Reply with quote
Jonathan wrote:
Actually, I've now solved my configuration (described above) with the GUI alone--no separate iptables rules necessary.

- Setup/VLANs: WAN moved to VLAN 15 to get it out of the way
- Setup/VLANs: Port 1 tagged, VLANs 1 and 2 checked; Ports 2-4 VLAN 1
- Setup/Networking/Bridging: Bridge br1 added, with a different subnet than the main subnet
- Setup/Networking/Bridging: VLAN 2 assigned to Bridge br1
- Setup/Networking/Port Setup: WAN Port Assignment set to vlan15 (still using startup nvram mods to get this to stick)
- Setup/Networking/Port Setup: VLAN 2 network configuration set to "unbridged"; Masquerade / NAT enabled
- Setup/Networking/DHCPD: DHCPD 0 added to bridge br1

...and that's it. VLAN 1 and VLAN 2 can both see the WAN/Internet. VLAN 1 receives DHCP service from the main pool, VLAN 2 receives DHCP service from the bridge br1 pool defined on the networking page. And VLAN 1 and VLAN 2 are isolated from each other.

At some point, perhaps I'll try to see whether this will work on port-based (non-trunked) vlans without iptables rules.


The problem is that I don't have a Setup/VLAN tab ...
pgats
DD-WRT Novice


Joined: 09 Jan 2013
Posts: 6

PostPosted: Fri Jan 11, 2013 21:34    Post subject: NO separation on E1000 with build 16785 v24 sp2 Reply with quote
First time posting, hello all.
Need some guidance. Followed all exactly and also the suggested wiki (which is the same) at:
http://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_%28Separate_Networks_With_Internet%29#New_Instructions, thx for putting it there.

Including some attachments of my E1000 router config settings and commands; the commands are the same as in the wiki or this post, with the exception of changing the appropriate designation to vlan2 where the WAN port resides.

What I have is NO isolation: port 4, which is what I am attempting to isolate, can still see other ports.
I do not want DHCP on port4, just the static assignment i assigned.


Even if I plug into port 4 it DHCP's an addr in the main default LAN range..

Any guidance? Pls refer to attachments for screenshots.
pgats
DD-WRT Novice


Joined: 09 Jan 2013
Posts: 6

PostPosted: Fri Jan 11, 2013 21:37    Post subject: NO separation on E1000 with build 16785 v24 sp2 Reply with quote
forgot last image which shows port assignments:
pgats
DD-WRT Novice


Joined: 09 Jan 2013
Posts: 6

PostPosted: Sun Jan 13, 2013 21:06    Post subject: partially resolved Reply with quote
Well, as there were no responses thus far, I dug into this over the weekend and came up with a partial resolution. (Also the very small image attachments to my original 2 posts are now gone, poof!)

Anywayz, in short,
vlan1 has ports 1,2,3 and designated LAN, also has the bridged br0 for wireless assigned to LAN
(vlan1 is in the 192.168.1.x range, all works well)

vlan2 has the WAN for ISP feed

vlan3 has port 4 (actually physical port 1 on this E1000 v1 unit). vlan3 is in the 192.168.50.x range with NO DHCP (no DHCP desired)

WHAT IS NOW WORKING!! (HOORAY!!! Finally!!)
iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j DROP

SO no access from vlan3 to any of the computers on vlan1, that's what was desired, port based isolation from anything plugged into that port designated as vlan3.
BUT access from any computer in vlan1 to be able to access vlan3 resources. SO that WORKS!! GREAT thus far!


What I still want is for vlan3 computers NOT to be able to bring up the DD-WRT GUI or telnet into the DD-WRT E1Kv1 unit.

Any help??
rocky13
DD-WRT User


Joined: 25 Apr 2008
Posts: 158

PostPosted: Mon Jan 14, 2013 1:07    Post subject: Re: partially resolved Reply with quote
pgats wrote:
Well, as there were no responses thus far, I dug into this over the weekend and came up with a partial resolution. (Also the very small image attachments to my original 2 posts are now gone, poof!)

Anywayz, in short,
vlan1 has ports 1,2,3 and designated LAN, also has the bridged br0 for wireless assigned to LAN
(vlan1 is in the 192.168.1.x range, all works well)

vlan2 has the WAN for ISP feed

vlan3 has port 4 (actually physical port 1 on this E1000 v1 unit). vlan3 is in the 192.168.50.x range with NO DHCP (no DHCP desired)

WHAT IS NOW WORKING!! (HOORAY!!! Finally!!)
iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j DROP

SO no access from vlan3 to any of the computers on vlan1, that's what was desired, port based isolation from anything plugged into that port designated as vlan3.
BUT access from any computer in vlan1 to be able to access vlan3 resources. SO that WORKS!! GREAT thus far!


What I still want is for vlan3 computers NOT to be able to bring up the DD-WRT GUI or telnet into the DD-WRT E1Kv1 unit.

Any help??



You can use the following code:

#Restricts vlan3 from accessing br0 router configurations, telnet, ssh
iptables -I INPUT -i vlan3 -m state --state NEW -j DROP
#Allow vlan3 to access DHCP on the router
iptables -I INPUT -i vlan3 -p udp --dport 67 -j ACCEPT
#Allow vlan3 to access DNS on the router
iptables -I INPUT -i vlan3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i vlan3 -p tcp --dport 53 -j ACCEPT

That should be it.
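The FORWARD rules pgats posted and the INPUT rules rocky13 added only isolate the guest port if the kernel holds them in the right order, and `-I` reverses the order in which they were typed. The following first-match simulator is an added example (not code from either poster or from DD-WRT): it parses those exact lines, installs them as the kernel would, and returns the verdict for a few constructed packets. The chain policy argument and the packet dicts are assumptions; a real DD-WRT chain holds further rules that are not modelled.

```python
"""First-match simulator for the iptables rules posted above (added example).
Replays pgats' FORWARD rules and rocky13's INPUT rules verbatim in kernel order
(`-I` prepends, so the line entered last is checked first); chain policy is assumed."""
import shlex

# Rules copied verbatim from the two posts in this thread.
POSTED_RULES = """
iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -i vlan3 -m state --state NEW -j DROP
iptables -I INPUT -i vlan3 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i vlan3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i vlan3 -p tcp --dport 53 -j ACCEPT
"""

# iptables option -> field name used in the constructed packet dicts
MATCH_KEYS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport", "--state": "state"}

def parse_rule(line):
    """Turn one `iptables -I CHAIN ... -j TARGET` line into a rule dict."""
    argv = shlex.split(line)
    rule = {"chain": None, "target": None, "match": {}}
    for opt, val in zip(argv[1::2], argv[2::2]):  # every option here takes one value
        if opt == "-I":
            rule["chain"] = val
        elif opt == "-j":
            rule["target"] = val
        elif opt in MATCH_KEYS:
            rule["match"][MATCH_KEYS[opt]] = int(val) if opt == "--dport" else val
        elif opt != "-m":  # '-m state' only loads the module; nothing to match on
            raise ValueError(f"unsupported option {opt!r} in: {line}")
    return rule

def build_chains(text):
    """Install the rules in the order typed; -I inserts at the top, as the kernel does."""
    chains = {}
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        chains.setdefault(rule["chain"], []).insert(0, rule)
    return chains

def matches(rule, pkt):
    """Every match in the rule must equal the packet field; state defaults to NEW."""
    fields = dict(pkt, state=pkt.get("state", "NEW"))
    return all(fields.get(key) == want for key, want in rule["match"].items())

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise fall through to the assumed policy."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            return rule["target"]
    return policy

CHAINS = build_chains(POSTED_RULES)

if __name__ == "__main__":
    # A host on the guest port (vlan3) reaching the LAN bridge and the router's web GUI.
    print(verdict(CHAINS, "FORWARD", {"in": "vlan3", "out": "br0"}))               # DROP
    print(verdict(CHAINS, "INPUT", {"in": "vlan3", "proto": "tcp", "dport": 80}))  # DROP
```

Return traffic for connections that vlan1 opened towards vlan3 is not NEW, so it falls through the `--state NEW` DROP, which is why pgats could reach vlan3 from vlan1 while vlan3 could not reach vlan1.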
sobers_2002
DD-WRT Novice


Joined: 08 Feb 2012
Posts: 1

PostPosted: Tue Apr 02, 2013 19:58    Post subject: Reply with quote
Jonathan wrote:
Actually, I've now solved my configuration (described above) with the GUI alone--no separate iptables rules necessary.

- Setup/VLANs: WAN moved to VLAN 15 to get it out of the way
- Setup/VLANs: Port 1 tagged, VLANs 1 and 2 checked; Ports 2-4 VLAN 1
- Setup/Networking/Bridging: Bridge br1 added, with a different subnet than the main subnet
- Setup/Networking/Bridging: VLAN 2 assigned to Bridge br1
- Setup/Networking/Port Setup: WAN Port Assignment set to vlan15 (still using startup nvram mods to get this to stick)
- Setup/Networking/Port Setup: VLAN 2 network configuration set to "unbridged"; Masquerade / NAT enabled
- Setup/Networking/DHCPD: DHCPD 0 added to bridge br1

...and that's it. VLAN 1 and VLAN 2 can both see the WAN/Internet. VLAN 1 receives DHCP service from the main pool, VLAN 2 receives DHCP service from the bridge br1 pool defined on the networking page. And VLAN 1 and VLAN 2 are isolated from each other.

At some point, perhaps I'll try to see whether this will work on port-based (non-trunked) vlans without iptables rules.


Hi Jonathan,

Thanks for the useful addition to the thread! I am trying to do exactly the same as you had done (that's how I see it anyways).

Port 1 of the 4 LAN ports will be on a separate subnet, unable to access the computers on the other ports. Am I right?

There are a couple of other things that I wanted to confirm / clarify:

    1. How does the interface with wifi work? Is the computer on LAN port 1 able to connect to wifi connected machine? Asking as I don't see any specific segregation
    2. What if the WAN port is left in vlan2? Wouldn't the startup nvram mod be unnecessary? Ports 2-4 can be assigned to a separate vlan in such a case


Appreciate your feedback / insight into this!
sheldor
DD-WRT Novice


Joined: 03 May 2013
Posts: 3

PostPosted: Fri May 03, 2013 22:20    Post subject: iptables... Reply with quote
Hello, first of all thanks a lot for the tutorial. Unfortunately I've got some
problems with the firewall and access to the internet in the separated vlan.
My setup: wrt54gl, build 21286

vlan0: lan 2&3&4
vlan1: wan
vlan2: lan 1
br0: eth0(wireless), vlan0
ip subnet for br0: 192.168.0.0/24

vlan2 unbridged, ip address 192.168.2.1
subnet mask same as vlan0
multicast fwd disabled
masquerade/nat enabled
2nd DHCP server vlan2,

With no firewall rules and SPI fw enabled, clients get an IP on vlan2, but
no internet access. If I disable the SPI fw, vlan2 gets internet access.

adding following to the firewall rules
Code:
iptables -I FORWARD -i vlan2 -o vlan0 -j DROP
iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan0 -o vlan1 -j ACCEPT
iptables -I FORWARD -i vlan1 -o vlan0 -j ACCEPT

no internet for vlan2, same with
Code:
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o br0 -m state --state NEW -j DROP

following
http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN#Step_3:_Controlling_Access
i tried several combinations of fw rules, without success. with
Code:
iptables -I FORWARD -i vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i vlan2 -o br0 -m state --state NEW -j DROP

I got internet access but also access to vlan0. Changing the order of the rules didn't help either.

Presumably it's just an easy problem for people who are more into iptables than I am. Any help would be much appreciated!
sheldor
DD-WRT Novice


Joined: 03 May 2013
Posts: 3

PostPosted: Tue May 21, 2013 16:14    Post subject: Reply with quote
push
Darthpenguin42
DD-WRT Novice


Joined: 06 Jul 2015
Posts: 6

PostPosted: Mon Jul 06, 2015 3:14    Post subject: Reply with quote
terran wrote:
Hi there,
First, thanks for the great manual.

I have one problem, i made all steps but i can't get received IP from each VLAN. If i plug in cable on portx i don't received IP. what more steps i need to do?

The pc OS is windows7.

Thanks for help.


phuzi0n wrote:
Make sure you have your Multiple DHCP Server settings correct on the Networking page and that the DHCP Server is enabled in the Basic settings.


I am having the same problem. I have tried to set one port on a separate VLAN on two different router models (Linksys WRT160N V3 and ASUS RT-AC66U). In both cases, after assigning a port to VLAN3, the router reboots and I fail to get an IP address. I move the LAN cable to different ports but none give me an IP. I manually set a static IP on my laptop and still cannot ping the router or get into the web interface. After assigning a port (say port 4 to VLAN3 as an example) the router reboots and I cannot get back in without a factory reset (manually reset with HW button). I have DHCP enabled but still have the problem. Not sure what I am doing wrong.
spacemancw
DD-WRT Novice


Joined: 13 Nov 2008
Posts: 20

PostPosted: Sat Oct 22, 2016 1:58    Post subject: Re: partially resolved Reply with quote
pgats wrote:
Well, as there were no responses thus far, I dug into this over the weekend and came up with a partial resolution. (Also the very small image attachments to my original 2 posts are now gone, poof!)

Anywayz, in short,
vlan1 has ports 1,2,3 and designated LAN, also has the bridged br0 for wireless assigned to LAN
(vlan1 is in the 192.168.1.x range, all works well)

vlan2 has the WAN for ISP feed

vlan3 has port 4 (actually physical port 1 on this E1000 v1 unit). vlan3 is in the 192.168.50.x range with NO DHCP (no DHCP desired)

WHAT IS NOW WORKING!! (HOORAY!!! Finally!!)
iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j DROP

SO no access from vlan3 to any of the computers on vlan1, that's what was desired, port based isolation from anything plugged into that port designated as vlan3.
BUT access from any computer in vlan1 to be able to access vlan3 resources. SO that WORKS!! GREAT thus far!


What I still want is for vlan3 computers NOT to be able to bring up the DD-WRT GUI or telnet into the DD-WRT E1Kv1 unit.

Any help??


Hi, so glad I found this.
I have the exact same setup,
VLAN2 WAN
VLAN1, 1,2,3 -192.168.7.0/24
VLAN3, 4. -192.168.8.0/24

I want to place a vendor device in VLAN3. I don't want that to get to my stuff in VLAN1, but it does need internet access.

With your iptables rules I can get to VLAN3 from my VLAN1 which is great.
I cannot ping devices on VLAN1 from VLAN3 which is great too, but I can ping the VLAN interfaces, which would allow access to the router mgmt via web/telnet/ssh.

So to stop that I ended up with these rules:

iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -s 192.168.8.0/24 -p tcp --destination-port 443 -j DROP
iptables -I INPUT -s 192.168.8.0/24 -p tcp --destination-port 80 -j DROP
iptables -I INPUT -s 192.168.8.0/24 -p tcp --destination-port 23 -j DROP
iptables -I INPUT -s 192.168.8.0/24 -p tcp --destination-port 22 -j DROP
iptables -I INPUT -s 192.168.8.0/24 -p tcp --destination-port 21 -j DROP

All is good, VLAN3 can ping 192.168.x.1, on both VLAN1 and VLAN3 but cannot get in as I've blocked https, http, 23, 22 and 21.

I can get to the vendor device in VLAN3, and that device can get out to the internet.
Everybody's happy.

thanks!
Pdobrien3
DD-WRT User


Joined: 12 Dec 2015
Posts: 150

PostPosted: Thu Feb 09, 2017 11:46    Post subject: Reply with quote
Hello everyone,

I have successfully created two guest networks on vlan14 and vlan15. My setup works great with multiple WAPs that allow roaming throughout my setup. The issue I have is that my switch had a default management vlan1 setup. It took me a long time to work through the issue, but I finally got everything working by moving the default vlan on my RT-AC66Us to vlan10. Problem is, after reboot, the default vlan1 comes back and I have to connect wirelessly to change the settings.

Anyone know a fix to this?

Thanks,
Dan
kikigak
DD-WRT Novice


Joined: 14 May 2017
Posts: 1

PostPosted: Sun May 14, 2017 14:14    Post subject: Reply with quote
Pdobrien3 wrote:
Hello everyone,

I have successfully created two guest networks on vlan14 and vlan15. My setup works great with multiple WAPs that allow roaming throughout my setup. The issue I have is that my switch had a default management vlan1 setup. It took me a long time to work through the issue, but I finally got everything working by moving the default vlan on my RT-AC66Us to vlan10. Problem is, after reboot, the default vlan1 comes back and I have to connect wirelessly to change the settings.

Anyone know a fix to this?

Thanks,
Dan


Dan,

1. Put this in your Commands tab then click "Save Startup" button.

swconfig dev eth0 vlan 1 set ports "0t 2 3 4"
swconfig dev eth0 set enable_vlan 3
swconfig dev eth0 vlan 3 set ports "0t 5"
swconfig dev eth0 set apply
vconfig add eth0 3
ifconfig vlan3 192.168.12.1 netmask 255.255.255.0
ifconfig vlan3 up

2. Under Networking tab Unbridge VLAN 3 then provide 192.168.12.1 and add DHCP Server. Done!

Modify above based on your requirements.
My setup is as follows using WZR-HP-G450H,
VLAN 1 = private, 192.168.11.1, port 2,3,4
VLAN 3 = guest, 192.168.12.1/24, port 5
VLAN 2 = WAN, DHCP, port 1

Ref: http://faq.buffalo.jp/app/answers/detail/a_id/14954