
2 routers, 2 networks

Discussion in 'Tomato Firmware' started by gijs73, Jun 26, 2011.

  1. gijs73

    gijs73 LI Guru Member

    My setup:
    * WRT54GSv4 running Tomato ND 1.28 + speedmod 120, WPA2 + AES
    * Netgear MRT814v2 802.11b router on stock FW, open ("Free Public WiFi")

    Cable modem -> WRT54GS WAN port
    WRT54GS issuing DHCPs to 192.168.1.0/24

    WRT54GS port 4 -> Netgear WAN port, static IP assigned 192.168.1.254
    Netgear issuing DHCPs to 192.168.2.0/24

    Clients connected to the Netgear are thus double-NATted to the internet

    Question: How do I keep the Netgear clients from accessing computers on the WRT54GS network? (192.168.1.1/24) This line in Firewall is not doing the job:

    iptables -A INPUT -s 192.168.1.254 -d 192.168.1.0/24 -j DROP
     
  2. WRobertE

    WRobertE Addicted to LI Member

    It sounds like you need to create a new VLAN on the WRT54GSv4 running Tomato and connect the Netgear MRT814v2 to the port on the WRT54GS you've isolated for use with that VLAN.

    There are numerous posts on this forum and on the dd-wrt web site describing how to do this. Just search for "VLAN".

    For example, here's one from the dd-wrt web site that should get you going:
    http://www.dd-wrt.com/wiki/index.php/Switched_Ports
     
  3. mpegmaster

    mpegmaster Addicted to LI Member

    WRT54GS port 4 -> Netgear WAN port, static IP assigned 192.168.1.254
    Netgear issuing DHCPs to 10.10.10.0/24

    This would be out of range for the Cable modem -> WRT54GS WAN port
    WRT54GS issuing DHCPs to 192.168.1.0/24

    I.E. not drill-able...


    Cheers!
     
  4. gijs73

    gijs73 LI Guru Member

    This does not seem like it would work, because 192.168.1.0/24 and 192.168.2.0/24 should be in different subnets already.

    I will try the vlan solution when I get a chance. I suppose that ports in a vlan are not subject to firewall between one another, which is why I need to create a vlan2 for my extra router... so it will be checked against firewall rules?

    Thanks for the help.
     
  5. WRobertE

    WRobertE Addicted to LI Member

    Sorry...I'm not sure what you're asking here...

    Here's another site that might help:
    http://catsmacsandhacks.blogspot.com/2010/09/how-to-vlan-your-network-with-tomato.html

    A few important points...
    1. You WON'T use the WAN port on the Netgear MRT814v2. Instead, connect one of the LAN ports on the Netgear MRT814v2 to the port on the WRT54GSv4 you're using for the new VLAN. This eliminates the double-NAT situation you have in your current setup.
    2. You'll need to disable DHCP on the Netgear MRT814v2 since it will now be getting IP addresses from the WRT54GSv4. The configuration on the WRT54GSv4 sets up a separate DHCP server for the new VLAN so the Netgear shouldn't be assigning IP addresses.
     
  6. gijs73

    gijs73 LI Guru Member

    Thanks guys. I followed the advice here:
    http://tomatousb.org/tut:two-isolated-separate-lan-subnets

    Everything is working great, except the provided QoS command doesn't work, it throws a syntax error. No big deal: I just used the GUI to classify everything to/from 10.0.0.0/24 to Lowest.

    Whoever Josh is in my neighborhood, I'm sure he now appreciates the "Free Public WiFi" from my house.
     
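As an added illustration of the point this thread turns on (why an INPUT rule could never isolate the Netgear's clients, and what the firewall side of the VLAN approach looks like), here is a fragment of the kind that goes into Tomato's Administration > Scripts > Firewall box. This is not gijs73's rule and not the script from the tomatousb tutorial; it assumes the main LAN is bridge br0 (192.168.1.0/24) and the new VLAN for the Netgear is bridged as br1 (10.0.0.0/24, the subnet gijs73 ended up with). Those interface names are assumptions, so check them with `brctl show` on the router before pasting.

```shell
#!/bin/sh
# Added example, not from the thread or the linked tutorial: a Tomato
# "Administration > Scripts > Firewall" fragment isolating a guest VLAN.
#
# Assumptions (not stated in the thread): main LAN is bridge br0
# (192.168.1.0/24); the Netgear's VLAN is bridged as br1 (10.0.0.0/24)
# with its own DHCP server on the WRT54GS. Adjust if yours differ.
LAN_IF="br0"
GUEST_IF="br1"

# Why the original rule matched nothing useful:
#   iptables -A INPUT -s 192.168.1.254 -d 192.168.1.0/24 -j DROP
# INPUT only sees packets addressed to the router itself. A Netgear client
# talking to a 192.168.1.x host on the same VLAN is switched in hardware and
# never reaches netfilter at all. Once the Netgear is on its own VLAN/bridge,
# guest-to-LAN traffic must be routed, so it traverses FORWARD; that is the
# chain where it can actually be dropped.
guest_isolation_rules() {
    # All rules use -I (insert at position 1) so they land ahead of Tomato's
    # own rules. Because each -I goes on top, the lines emitted LAST are
    # evaluated FIRST: the DROPs are listed before the ACCEPTs on purpose.
    cat <<EOF
iptables -I FORWARD -i $GUEST_IF -o $LAN_IF -m state ! --state ESTABLISHED,RELATED -j DROP
iptables -I INPUT -i $GUEST_IF -j DROP
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
EOF
}

# Guest clients may still reach the router for DHCP (udp/67) and DNS (53),
# but nothing else (no web GUI, no SSH) and cannot open connections into
# the 192.168.1.0/24 LAN; replies to LAN-initiated connections still pass.

apply_rules() {
    # Only meaningful on the router itself; in the Firewall box you simply
    # paste the output of guest_isolation_rules instead.
    guest_isolation_rules | sh -e
}

# Print the rule set when the script is run directly.
guest_isolation_rules
```

Guest-to-internet traffic is not touched by these rules; it is assumed Tomato already forwards br1 to the WAN as it does for the bridges it knows as LAN. If it does not on your build, an `iptables -I FORWARD -i br1 -o $(nvram get wan_iface) -j ACCEPT` line is the missing piece, and the reverse direction is covered by Tomato's existing ESTABLISHED,RELATED rule.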
