[beasty]

Hi DD-WRT folks. I need your help and advice concerning the VLAN setup I have.

There is Nothing wrong with the way it routes traffic, and all subnets can get the internet. I simply want to stop the the people on VLAN2, VLAN3, and VLAN4 (ports 1,2, and 3 respectively) from being able to access the DD-WRT web management GUI pages. leaving VLAN5 on port4 as a port that can be used to access the GUI interface of the router.
If it helps, To set up the VLANs
I followed [url=https://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_(Separate_Networks_With_Internet)]this set of instructions[/url]

Edit:
I have just noticed that if I am on 192.168.7.1 I can get the ddwrt administration GUI if I type into a browser 192.168.7.1, also on 8.1, 9.1, and 6.1 but also 1.1.
Hoping someone can help as it would help me make a great system perfect.

I have searched for a solution to this but can find very little about it and, what I can find on the subject explains very little about the commands they say to use. I followed one set of instructions and it cut the internet for all the vlans and locked up the GUI interface so I am hoping for answers which also explain what each command or instruction is actually going to achieve

Just to be certain. I am clear. I just want the gui accessible on port 4 VLAN 5 from the address 192.168.9.1 if possible
Thanks very much for any help you can offer

[Per Yngve Berg]

Use a IPTABLES statements in the INPUT chain.

iptables -I INPUT -i VLAN+ -p tcp -dport http -m state --state NEW -j DROP
iptables -I INPUT -i VLAN5 -p tcp -dport http -m state --state NEW -j ACCEPT

[Alozaros]

or use mac address authentication

iptables -I INPUT -i VLAN -p tcp --dport 80 -j REJECT
iptables -I INPUT -i VLAN -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

[beasty]

Thank's for the replies, I will try those...

... Sorry Alozaros that did not work
here is what i put in
iptables -I INPUT -i VLAN -p tcp --dport 80 -j REJECT
iptables -I INPUT -i VLAN -p tcp --dport 80 -m mac --mac-source F4:6D:04:4E:F0:F3 -j ACCEPT

It is exactly the same as if I had not entered that.
There is no difference


Per Yngve Berg
the perfect solution THANK YOU !

[beasty]

Oh wait
it was a glitch
neither of those solutions worked
but my method of inputting the commands was to go to the GUI and enter them in
administration > commands
text box
then saved them to firewall
It must be something to do with my method
is there another way?

[Per Yngve Berg]

Commands->Save as firewall is the correct way.

sorry there was a syntax error in my example.

iptables -I INPUT -i VLAN+ -p tcp --dport http -m state --state NEW -j REJECT
iptables -I INPUT -i VLAN5 -p tcp --dport http -m state --state NEW -j ACCEPT

dport which is a sub option of proto, needs double dash --

[Alozaros]

iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

you can try with bridge instead of VLAN just check your bridge format...

[beasty]

Thanks for the new answers. I really appreciate your help. I will let you know what happens

[beasty]

Something is DEFINITELY wrong with this setup as none of these suggestions work. I must be doing something wrong

When first setting up vlan I put this into the command box
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT
iptables -I FORWARD -i vlan1 -o vlan+ -j ACCEPT

That, I am told, is the instruction to separate the VLANs

Now I want to stop all but VLAN number 5 being able to access the gui
so i now put this in and save it to firewall.

iptables -I INPUT -i VLAN+ -p tcp --dport http -m state --state NEW -j REJECT
iptables -I INPUT -i VLAN5 -p tcp --dport http -m state --state NEW -j ACCEPT


As I understand it.
I must also put the first set of instructions in again at the same time
so what I am putting into the command box and saving to the firewall and then rebooting the router is this

iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT
iptables -I FORWARD -i vlan1 -o vlan+ -j ACCEPT
iptables -I INPUT -i VLAN+ -p tcp --dport http -m state --state NEW -j REJECT
iptables -I INPUT -i VLAN5 -p tcp --dport http -m state --state NEW -j ACCEPT

Is that correct?

[Per Yngve Berg]

Is the interfaces set as "unbridged"?

Does you router have a proper vlan set-up? That depends of the chip-set it contains. Most Broadcom and newer Atheros supports vlan.

[beasty]

Yes it's a broadcom router (Netgear WNR2000v2) but the vlans are unbridged. I will try bridging them

[beasty]

Every time i try to bridge the VLANS I lose all connectivity to the router with no internet and no web GUI. I think I should learn more about DD-WRT myself instead of troubling the forumes. I will do more research and work it out. Thanks for all your help. I deeply appreciate your time spent helping me, but I think what I will do is use a Draytek Vigor with its own firmware to set up the VLAN stuff.

I will use the netgear with DDWRT as wireless interfaces behind the Draytek. I think that would be the quickest way and then it gives me time to experiment with DD-WRT further.

Thank you all

[Per Yngve Berg]

Post the output of "nvram show | grep vlan.*ports"

[beasty]

size: 20682 bytes (12086 left)
vlan0ports=4 3 2 1 5*
vlan1ports=0 5

[Per Yngve Berg]

You only have vlan 0 and 1. There is no vlan 5.
This should configure the vlans:

nvram set vlan2hwname=`nvram get vlan0hwname`
nvram set vlan3hwname=`nvram get vlan0hwname`
nvram set vlan4hwname=`nvram get vlan0hwname`
nvram set vlan5hwname=`nvram get vlan0hwname`
nvram set vlan2ports="1 5"
nvram set vlan3ports="2 5"
nvram set vlan4ports="3 5"
nvram set vlan5ports="4 5"
nvram commit
reboot