[darth_tater]

Hey all. Ill try to keep this as simple as i can.

I have a WHR-HP-54G acting as a gateway.

I need to create two separate VLANS. Both of which *must* be separate and one of which *must* include wifi.


ports 1-3 are VLAN 0

ports WAN are VLAN 1

ports 4 + wifi are VLAN 2


How can i create a bridge for port 4 and WIFI
How can i create a bridge for ports 1-3?

Thanks for your help!

[phuzi0n]

The wiki has lots of guides that explain how.

[darth_tater]

I know. Ive been using the guide on the wiki. I searched around, but the search on these forums is crap.

Ive tried google as well, but i cant find any instructions on how to use the GUI to make bridges.

Every time i try to create a new bridge the changes don't stick through the GUI.

I can try creating one through the command line, but how will i know which ethX devices correspond to which port?

its a 10/100 router, so the ports are going to range from 0-5, but which ones are lan/wan/wifi?

[phuzi0n]

It seems that you don't understand the interfaces which is probably causing the rest of your trouble. By default this router should have the WAN port in vlan1, the 4 LAN ports in vlan0, the wireless is its own interface (run nvram get wl0_ifname to find out the interface name), and a bridge br0 with vlan0 and the wireless interface in it.

Creating bridges works perfectly fine from the GUI if you're using any build from the last year, but you should really need to anyways unless you're trunking to another device. Instead of moving port 4 to vlan2 and bridging it with the wifi, you can just leave it in vlan0 which is already bridged with the wifi. Just move ports 1-3 to vlan2 on the VLAN page, save, and reboot.

[darth_tater]

[darth_tater]

I tried testing out those iptable rules... and i have a question.

I plug my router into port 4 (vlan0) which put it in the 192.168.13.X/24 network.

But why can i also access 192.12.34.1 (the router's *other* ip for vlan2)

Shouldn't my iptables rule drop all packets coming from one interface and attempting to go to the other?

Whats up?

Thanks for sticking with me!

[phuzi0n]

Both IP's are assigned to the router itself and although the IP is associated with a certain interface, the traffic never actually goes out the interface to reach any of the router's own addresses. If you really wanted to deny access to a subnet including the router's own IP for an interface, you would specify a destination (-d) instead of an out interface (-o).

[darth_tater]

That's what i thought.

Thanks for clearing that up.

The reason i ask is because the people i'm setting this up for will want to "check" that theses rules work. I looked up the man page for iptables and verified the two rules; i trust that they will work. But the people i'm setting this up for might not.

If they decide to do the same 'check' i did, i'll need to have an explanation ready.

Thanks so much phuzi0n!

PS: I'm with team CoCo as well