1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

GUIDE: How to setup an new WIRED LAN Segment ... and Isolate a specific device

Discussion in 'Tomato Firmware' started by Livin, Feb 13, 2013.

  1. Livin

    Livin Serious Server Member

    I needed to create a new physical LAN segment as to isolate a device and stop it from communicating with another device on my network - and stop that problem device's uPnP & DHCP broadcasts.

    After days of searching and posting, much to my surprise I could find zero info on how to set this up for a WIRED segment - the only info available was for wireless - and there was almost no info on how to isolate a device. I got no real help except for one person, so many thanks go to SteveF who helped me fill the gaps in my understandings and together we go this working.


    Here's how to do it...
    • Basic \ Network:
      • Create a new LAN bridge, br1.
        • Give 'br1' an IP address range that is different from other LANs.
      • Click Save.
    [​IMG]
    ... my example: x.x.2.x range already existed, I added x.x3.x for the new segment

    • Advanced \ VLAN
      • Create a new VLAN for DeviceV
        • Bridge the new VLAN to br1/LAN1.
      • Select a VLAN that owns a port you want to use for your new VLAN
        • uncheck the port
        • Click OK
      • Select the new VLAN
        • check the port you just unchecked from the old VLAN
        • Click OK
      • Click Save - router will reboot
    Original VLAN table...
    [​IMG]

    New VLAN table...
    [​IMG]
    ... my example: VLAN 1 & 2 were the original ones, VLAN3 is what I added new. In order to bind VLAN3 to a physical port I had to figure out what port on the physical router went to what port in the VLANs table... they were not obvious.
    Notice the port I changed was Port 1. You might need to do what I did, pick a port and start plugging in a device that is DHCP enabled to see if it gets added to your new segment -I used a spare laptop to do this.

    • Advanced \ LAN Access
      • setup each IP address and/or range you want TO ALLOW to communicate with each LAN. Must To/From for each LAN, each direction, separately.
    [​IMG]
    ... my example:
    All devices on LAN (the original segment) needs access to all devices on the new LAN1 segment- this is line 1 above
    All devices on LAN1 gets access to all devices on LAN, EXCEPT x.x.x.12 so notice I had to make this two separate lines where Line 2 includes .1 to .11 and Line 3 includes .13 to .254 - thus EXCLUDING .12 and making sure it could not communicate with the any device I put on segment x.x.3.x


    Below is how the Routing looks like. Notice the newly added br1 (LAN1) shows the segment x.x.3.0. This is created automatically if you have done the above correctly...

    [​IMG]
     
  2. SteveF

    SteveF Serious Server Member

    Livin, thanks for mentioning my name. I just wanted to help you because there were others helping me so I just wanted to reciprocate. It is great that your network is working the way you wanted it to work and you are happy.
     

Share This Page