
How to set up a VLAN on Tomato

Discussion in 'Tomato Firmware' started by SteveF, Jan 17, 2013.

  1. SteveF

    SteveF Connected Client Member

    Can someone please help me with setting up a VLAN, STEP-BY-STEP? I tried to google it but there is a lot of confusing information. What I want to do is set up a guest wireless network which is separate from my own network, that is, the clients on one network do not see clients on the other network (security). I have never used CLI and I do not know how to get into it. In addition, I have the feeling that doing it via CLI I have to set up SSH. Is this the case? Again, a step by step instruction would help, especially if you have done this before. If you use acronyms, please do not assume that I may know what they mean, so a little expanding would help.

    I use tomato-ND-1.28.7633.3-Toastman-VLAN-IPT-ND-Std.trx on an Asus WL-520GU router. The router works fine, no known issues.

    Thanks in advance. I do appreciate your help.

    Steve
  2. gfunkdave

    gfunkdave Networkin' Nut Member

    Why do you want to use the command line? Just use the web interface.

    • Under Basic-Network, create a new LAN bridge, br1. Give it an IP address range that is different from your main LAN. If your main LAN is 192.168.1.0/24, you can give it, say, 192.168.50.0/24. Click Save.
    • Under Advanced-Virtual Wireless, add your guest wireless network and click Save.
    • Under Advanced-VLAN, create a new VLAN for guests and bridge it to br1/LAN1.
    • Under Advanced-VLAN, click on the Wireless section to show it. Bridge eth1 (your main wireless) to your main LAN, which is probably br0. Bridge your guest wireless (wl0.1, probably) to your guest LAN. Click Save.
  3. SteveF

    SteveF Connected Client Member

    Thanks for the reply.

    1. No problem with creating a new br1
    2. Under Advanced-Virtual Wireless I can create wl0.1, check enabled, add a unique SSID, Mode should be Access Point - and here is the question: what do I do with under Bridge?
    3. Under Advanced-VLAN I can create a new VLAN (No. 2). What do I do with ports and the check marks for Tagged and Default? Do I give the same check marks as for the main LAN (LAN(br0))? Also I have to have a fourth line (No. 3) to bridge this new LAN for the WAN, right? The new LAN will really have two lines (No. 2 and No. 3)?
    4. Under Advanced-VLAN at the end wl0.1 will be bridged to LAN1(br1), right?

    Last question: how do I make sure that the radio will be connected to the new virtual LAN rather than the old main LAN?

    I hope my questions make sense. Thanks in advance for your response.

    Steve
  4. bmupton

    bmupton Reformed Router Member

    In #1 you created BR1, use that for the bridge in step #2.

    #3, leave them alone, unless you want to re-assign one of the ports on the router to the new VLAN. I've done this to provide an ethernet port access to that bridge, but if your user is wireless you don't need to do anything.

    For your last Q, you'd have to change the password for the main LAN's wifi so he can't just connect to it, or enable wireless client security so only certain MAC addresses can connect to it. (I think... others may have better suggestions)
  6. gfunkdave

    gfunkdave Networkin' Nut Member

    bmupton answered your questions.

    For your last question, I'm not sure I follow. Are you asking how to make wireless connect to the correct VLAN? That's what you're doing when you choose the bridge for the new wireless network.
  7. SteveF

    SteveF Connected Client Member

    gfunkdave and bmupton, thanks for your responses. This weekend, when I can shut down the router and work on it, I will try the new VLAN and will report back after the weekend. Thanks again,

    Steve
  8. gfunkdave

    gfunkdave Networkin' Nut Member

    You shouldn't need to shut anything down. At most, if anything, the router will take 10 seconds to implement the new settings.
  9. alfred

    alfred Reformed Router Member

    Can anyone help for the confirmation:

    I have successfully set up the virtual SSID wl0.1 with RT-N16 @ Toastman 7501.2 VLAN-VPN-NOCAT.
    And it works fine, but after the router reboots, the WAN tab is lost in the bwm-24.asp page.
  10. SteveF

    SteveF Connected Client Member

    gfunkdave, when I said 'shut down' I did not mean literally. Sorry. I meant the router will be mine since the clients will be away or shut down, so I can play with it.

    Thanks for the response.
  11. SteveF

    SteveF Connected Client Member

    What is the bwm-24.asp page? Is it 24 hour bandwidth? How do you get this 'page', or are you referring to the UI display of the Bandwidth-->Last 24 UI display? And is it a big deal that it is lost?

    On the same topic: since you are talking about a 'page', I am assuming that you can save some/all of the Bandwidth and IP Traffic data in case of a hard reboot. Is this the case? If so, how do you do that? Assume that I would like to save all the relevant info on one of my clients attached to the router.

    Thanks for your reply in advance.
  12. SteveF

    SteveF Connected Client Member

    My firmware is: tomato-ND-1.28.7633.3-Toastman-VLAN-IPT-ND-Std.trx

    The setup for LAN(br0) is in the original release (below). One question: should it not have all 4 ports in the LAN(br0) line and the WAN port in the WAN line?

    Line 0 - ports 1,2,3 and WAN: YES, Bridge: LAN(br0)
    Line 1 - port 4: YES, Bridge: WAN

    VLAN
    VID  Port 1  Port 2  Port 3  Port 4  WAN Port  Default  Bridge
    0    Yes     Yes     Yes             Yes       *        LAN(br0)
    1                            Yes                        WAN
    (no Tagged boxes checked on either line)


    Wireless (Click here to hide)
    Bridge eth1 to LAN(br0)
    *********************************************************************

    I plan to set up the LAN1(br1) bridge as follows by adding to the setup a new line as No. 2.

    Line 2 - port: none, Bridge: LAN1(br1)

    VLAN
    VID  Port 1  Port 2  Port 3  Port 4  WAN Port  Default  Bridge
    2                                                       LAN1(br1)
    (no ports and no Tagged boxes checked)

    Wireless (Click here to hide)
    Bridge eth1 to LAN1(br1)

    I plan to leave lines 0 and 1 (in the original setup) unchanged.
    Note that I linked eth1 to LAN1(br1) after the addition of line 2 so this way my wireless will be the new VLAN, separate from the wired LAN, no ports will be associated with the VLAN and there will be only one wireless connection and that is the VLAN. The intent here is that the new VLAN and the original wired LAN will be logically and physically separate, that is, the clients on the different networks will not 'see' each other.
    Am I on the right track?
  13. SteveF

    SteveF Connected Client Member


    Folks I want to tell you that I implemented a VLAN according to the specification above.

    1. Added a new bridge in Basic-->Network: br1, 192.168.2.1, 255.255.255.0, DHCP enable: 192.168.2.52-192.168.2.52 (one address range)

    2. Created new VLAN in Advanced-->VLAN: No. 3, no ports marked, Bridge: LAN1(br1)

    3. In Advanced-->VLAN: Under Wireless (click to hide) - Bridge: bind eth1 to LAN1(br1)

    There are two clients on LAN(br0) wired: 192.168.1.50 and 192.168.1.51

    There are two clients on LAN1(br1) wireless: 192.168.2.52 and 192.168.2.53

    Now here is the clincher:

    1. I can not ping from either of the wired clients to the other wired client - I should be able to do that and I do not know why this is not happening
    2. I can ping from one wired client (192.168.1.50) to one wireless client (192.168.2.52) - I should NOT be able to do this and I do not know why this is happening.

    My original aim was to separate two clients from the other two by having two separate segments. Although I have the two separate segments, they may not be separate and one client on the wireless may 'see' another client on the wired LAN. Might the working ping mean that?

    Any idea for these last two questions above and the 'hiding' two clients on one network from the other two clients on the other network? How do I know that the two networks are separate and clients do not 'cross-see' one another over the two separate networks? If I can ping across the boundaries what does that mean?
  14. SteveF

    SteveF Connected Client Member

  15. SteveF

    SteveF Connected Client Member

    I set up a VLAN (LAN1, wireless only, 192.168.2.0). In addition I have the previously existing LAN (wired only LAN, 192.168.1.0). I have 2 clients on LAN and 2 clients on VLAN. The setup works fine apart from the inability to ping between clients on the wired LAN segment (see my earlier post here, but this is not the issue here).

    Now, I want to make absolutely sure: there could not be any interaction between any of the two clients on VLAN and any of the 2 clients on LAN. In other words, they do not 'see' one another over the LAN segment boundaries. Can someone verify this please?

    Thanks in advance.

    Steve
  16. Bird333

    Bird333 LI Guru Member

    If they are on two different subnets they should not see each other unless you have rules that allow it.
  17. SteveF

    SteveF Connected Client Member

    Bird333, where do I specify those rules you refer to in Tomato? Not that I want access but I want to make sure the access is not there. I have not specified any rules so I assume the two segments are separate. So if you know where to specify those rules, please let me know.

    Thanks in advance for your reply.

    Steve
  18. gfunkdave

    gfunkdave Networkin' Nut Member

    Hi Steve,

    It looks like you have things correctly configured with the new VLAN. I'm not sure what's going on with the WAN and main LAN/br0 config... I don't follow your diagram. If you want wireless to be one VLAN and wired to be a separate one, then uncheck all the boxes on Advanced-VLAN for VLAN 3, assign it to the new bridge (br1, I think you said), and bridge your wireless interface to the br1 vlan.

    Your VLAN that is bridged to the WAN (default VLAN 2) should have only the WAN port checked. Your VLAN that is bridged to br0 should have only each Port 1-4 checked, and no tagged ports.

    You manage cross-network access on Advanced-LAN Access.

    Double-check that you have things set correctly, because it should be working the way you think it should. You might enable DHCP on both networks and make sure that each PC gets an IP in the correct range, thus confirming that it is in fact connected to the VLAN you think it is.
  19. SteveF

    SteveF Connected Client Member

    gfunkdave, thanks for your reply.

    VID=0: In the old LAN(br0) line there are Ports 1,2 and 3 and the WAN port checked and Bridge=LAN(br0) (this line was there in the released version)
    VID=1: Port 4 checked and Bridge=WAN (this line was also there in the released version).
    VID=2: In this new VLAN line I did not check any boxes, Bridge=LAN1(br1); in this line I did not check WAN since it was done in VID=1 line (my thought). What do you think, should I also check the WAN port in this line? The setup seems to be working as is.

    VLAN seems to be working fine. I am using the wireless filter and I use Basic-->Static DHCP/ARP to assign static IPs to the devices. The ranges in my DHCPs in both cases (LAN and LAN1) have only one IP; the rest are assigned by the Static-->DHCP/ARP assignment.

    Thanks again for your fast response.

    Steve
  20. Bird333

    Bird333 LI Guru Member

    You can set up iptables rules that will allow access to different subnets. In the cli run 'iptables -L -nv' to look at most rules. You need to run 'iptables -t nat -L -nv' to look at the PREROUTING and POSTROUTING rules.
  21. gfunkdave

    gfunkdave Networkin' Nut Member

    Are you using some weird dual WAN version of Tomato? If not, the WAN port should only be bridged to the WAN interface.

    You should not need to mess with iptables for this to work. Just make sure there are no active rules for cross-LAN communication in Advanced-LAN Access.
  22. SteveF

    SteveF Connected Client Member

    Thanks Bird333, I do not think I will diddle with these commands. I do not need the cross-access anyway.

    Steve
  23. SteveF

    SteveF Connected Client Member

    No, I have a single WAN. As I said, those first two lines (VIDs 0 and 1) were in the release version of the Toastman firmware I am using. I followed the article on this link:
    http://www.mcbsys.com/techblog/2011/11/set-up-guest-wireless-with-tomato/

    The difference between the setup in that article and mine is that in mine Port 3 is in the line Bridge=WAN and the WAN port is in VID=0 (LAN(br0)). As I said, this is how it came in the original release by Toastman. Should I interchange Port 3 and the WAN port, so the WAN port will show up in the Bridge=WAN line and Port 3 will be in the Bridge=LAN(br0) line?

    And yes I will not use the iptables commands.

    Steve
  24. gfunkdave

    gfunkdave Networkin' Nut Member

    The VLAN table should look exactly like the one in the article you sent. The WAN port should be the only one on the WAN VLAN. Your four LAN ports should be on your LAN/br0. Your wireless should be bridged to LAN1/br1.

    If you plug something into your port 3 as things stand, it may get a public IP and be directly accessible on the Internet. It will not be on your LAN.

    When you're done, reboot the router.
  25. SteveF

    SteveF Connected Client Member

    Thanks gfunkdave, your help greatly appreciated. I will do the change later.
  26. SteveF

    SteveF Connected Client Member

    gfunkdave, I tried to rearrange the ports as they were in the article I sent you, but I had to do it in haste because there are users on it and I did not want to screw around with it too long. Quickly, here is what I think the partial result is: after the change I think I had some problem with it, I could not access the web. I could not even log onto the router, but that is not conclusive. I had to use another client where I could log in. I restored the original configuration and now it is working fine as before, I can access the web. I think I need to consult with Toastman, this is his release, and ask why he put the WAN port into the LAN(br0) line in the release and why he put port 4 (not port 3 as you suggested, maybe incorrectly based on my earlier post) in the WAN line. Maybe it has to do with the internal port numbering for the Asus WL-520GU, although this release is not router specific. So, the bottom line is that I am confused. Over the weekend, when I have the router to myself, I will try to do it again in a more leisurely way rather than being hurried.

    One other thing: I plugged my client into port 4 and it got the right IP address I planned for it and as I said earlier, I can get to the web no problem. Also I can log on to the router as well, so everything seems to be fine.

    One thing sucks with Tomato: when you reboot you lose all your statistics. Not good!

    Thanks for staying with this thread.

    Steve
  27. tvlz

    tvlz Serious Server Member

    It's a display issue; the vlan port numbering was not set up for that specific router, so it is just using the defaults.
    In the system commands box do a nvram show | grep vlanports; it can be fixed.
  28. SteveF

    SteveF Connected Client Member

    tvlz, thanks for the reply. I have not used linux and tomato much so can you:

    1. Tell me how do I get into the system command box
    2. Tell me exactly what command syntax I should be using - This statement is not clear to me: 'nvram show | grep vlanports it can be fixed'

    In addition, do I need to do something else (such as reboot, etc) or just enter the command and it will display it?

    Thank you.
  29. SteveF

    SteveF Connected Client Member

    gfunkdave, you might be interested in this one response regarding the WAN/port 4 issue on the Asus WL-520GU router:

    http://www.linksysinfo.org/index.php?threads/how-to-set-up-a-vlan-on-tomato.65405/#post-219125
  30. gfunkdave

    gfunkdave Networkin' Nut Member

    Steve, note that even if everything is set up correctly you will still be able to ping the router on both its LAN IPs from either VLAN. This is normal. You should not be able to ping clients on a different VLAN, however.
  31. SteveF

    SteveF Connected Client Member

    This is unfortunately not the case. I can NOT ping the other client from my client on the same LAN. But, I can ping a client on LAN1 (VLAN) from my LAN client. I assume this might be because of the WAN/port 4 improper setting. What do you think? I wonder how this problem could be resolved on my Asus WL-520GU router?
  32. gfunkdave

    gfunkdave Networkin' Nut Member

  33. SteveF

    SteveF Connected Client Member

    gfunkdave, that is the setup I had in the first place. Port 4 is in WAN and ports 1-3 and WAN on br0. When I have the modem connected to the port labelled as WAN it works, only the pings do not work properly. After receiving your post, I tried to plug the WAN cable into port 4 and I could not even get to the web. So, here is the question: should I connect the WAN cable to the port labelled as WAN or to the port labelled as port 4?

    Thanks for spending the time on this, I really appreciate it.

    Steve
  34. gfunkdave

    gfunkdave Networkin' Nut Member

    Plug your cable modem into the port labeled WAN on the back of the router. Plug LAN devices into the ports labeled LAN 1-4.

    On the VLAN page, bridge Port 4 and only port 4 to the WAN. Bridge Ports 1-3 and WAN to br0.

    If it's not working after that, post screen shots of your Basic-Network, Advanced-VLAN, Advanced-LAN Access, and Advanced-Virtual Wireless pages.
  35. SteveF

    SteveF Connected Client Member

    gfunkdave, I did as you suggested. Cable modem into port labelled on the back as WAN and 2 wired clients into ports 2 and 3. On the VLAN page I bridged port 4 and only port 4 to the WAN. I bridged ports 1-3 and WAN to br0. On the new LAN (LAN1(br1)) I did not bridge any port. In fact this was the set up at the first time when I said the router worked fine (see earlier posts here). Everything works fine except the pings.

    1. I can not ping from client 1 to client 2 (and vice versa), both on LAN(br0) - I actually should be able to do that
    2. I CAN ping from client 1 on LAN(br0) to client 3 on wireless LAN1(br1) - I should not be able to do that

    Apart from that all 4 clients (2 ON LAN(br0) and 2 on LAN1(br1)) seem to be working properly, the statistics are correctly displayed for all 4 clients, etc.

    Also on this picture:
    http://www.linksysinfo.org/index.php?threads/using-tomato-lan-vlan-on-two-routers.38751/#post-203256

    the WAN port is 'tagged' in both LAN(br0) and LAN1(br1). Do you know why?

    This is the last question: is this ping situation critical due to the ability to ping across the boundaries? Does it mean that the two segments are NOT isolated? This was the main purpose of this exercise in the first place for security reasons. I still think that they are isolated but I am confused about the ping situation.

    I really appreciate your help and time spent on this. Thank you!

    Steve
  36. SteveF

    SteveF Connected Client Member

    gfunkdave, FYI, this is what my VLAN page looks like. I did not know how to copy the VLAN page here so I went via Paint.

    Sorry, the picture did not show up. Can you tell me how I could copy graphics into forum posts?

    Thanks!
  37. SteveF

    SteveF Connected Client Member

    gfunkdave, I just documented here the Asus WL-520GU Toastman Tomato ports assignment for setting up VLAN. Here it is.


    Toastman Tomato port assignments

    WL-520GU Toastman Tomato port assignments are different from the port assignments of Asus. In red are the Toastman Tomato port assignments.

    For router picture see the following link:
    http://www.linksysinfo.org/index.php?threads/using-tomato-lan-vlan-on-two-routers.38751/#post-203506

    By adding a VLAN one should be using the red nomenclature. That is:

    • For WAN use Port 4
    • For Port 4 use WAN
    • For Port 3 use Port 1
    • For Port 2 use Port 2
    • For Port 1 use Port 3

    Once the VLAN is set up use the on-unit designation to connect to the router. That is:

    • Connect the cable modem to WAN
    • Connect the clients to Ports 1-4
  38. SteveF

    SteveF Connected Client Member

    gfunkdave, The bottom line: it seems to be working but I still would like to paste in the Basic-Network, Advanced-VLAN, Advanced-LAN Access, and Advanced-Virtual Wireless pages. However, I tried ordinary copy-and-paste but it did not seem to work. Can you help me please how to insert those pages? The reason why I am doing this is that the pings do not seem to work as expected. So, I want to make sure that everything is right (specifically the segment separation for security reason).

    Thank you very much for your help.

    Steve
  39. tvlz

    tvlz Serious Server Member

    Tools -> System
    Type in
    Code:
    nvram show | grep vlanports
    nvram show | grep board
    click execute
  40. SteveF

    SteveF Connected Client Member

    tvlz, thank you, I fully understand now. However, the port designations have been resolved thanks to gfunkdave. Here is my reply and summary:

    http://www.linksysinfo.org/index.php?threads/how-to-set-up-a-vlan-on-tomato.65405/#post-219276

    So, I implemented the new VLAN according to this 'port-warping' and the router is working fine. The only thing is that I can not ping from client 1 to client 2 on the old VLAN but that is another, most likely some firewall problem. I am looking into it.

    Thanks again for your reply, I will execute these commands just to see.

    Steve
  41. gfunkdave

    gfunkdave Networkin' Nut Member

    I have no idea why this isn't working for you. If it's all set up the way you say, it should be working. If you can ping across VLANs, then they are not isolated from each other. The only possible reasons for why it's not behaving correctly are:

    1. It's not actually configured the way you think it is.
    2. There is a large bug in the VLAN build of Tomato, and you are the first to discover it.
    3. You have made other config changes that you haven't mentioned.

    I suspect #1 is the most likely, which is why I asked for screen captures. To post them on here, you need to upload them to an image host like Imageshack, Flickr, Smugmug, or your own web server and click the little icon in the message composition window here. Paste the url for the image, and it will show up in your message.

    Remember, in that other thread, the WAN port on the VLAN page is actually LAN 4.
  42. SteveF

    SteveF Connected Client Member

    I have to go out now but later this afternoon I will attempt to post the images. I do not have my own server, so I will have to use the other methods as you suggested. Personally, I have gone over this so many times that I dream about it - lol. I believe my configuration is correct, but nothing is 100%. No other configs I made but I will review that as well.

    Thanks!
  43. SteveF

    SteveF Connected Client Member

    OK gfunkdave here are the screenshots:

    Virtual Wireless
    http://imageshack.us/photo/my-images/26/virtualwirelessintf.jpg/

    LAN Access
    http://imageshack.us/photo/my-images/706/lanaccess.jpg/

    VLAN
    http://imageshack.us/photo/my-images/706/vlan.jpg/

    Status-Overview
    http://imageshack.us/photo/my-images/801/statusoverview1.jpg/
    http://imageshack.us/photo/my-images/145/statusoverview2.jpg/

    So, please let me know what you think.

    Thanks for your help.

    Steve
  44. gfunkdave

    gfunkdave Networkin' Nut Member

    It all looks fine. The way it's set up, you SHOULD be able to ping from LAN to LAN1, that is, from a computer that is plugged in to a wireless client. You should not be able to ping from a wireless client to a wired client. To make both VLANs totally separate, just uncheck the On box on the LAN Access page.
  45. SteveF

    SteveF Connected Client Member

    gfunkdave, you are great! What you are saying was partially confirmed by my being able to ping from my wired client to one of the wireless clients. The other way I could not confirm because I have no access to my renter's computer.

    I assume when I uncheck the 'on' box on the LAN Access page I first have to click on the ADD and then on Save. I tried this and indeed the 'on' box will be unchecked and the LAN(br0) turns into just LAN and the LAN1(br1) turns into LAN1. The source will be LAN and the destination will be LAN1 no br0 or br1. The 'on' box will not be checked. There will be a new line below which looks like the first line before the change with the 'on' box checked. Is this the outcome you expected?

    However, after unchecking the 'on' box and adding/saving the set up I tried the ping from my wired client to one of the wireless clients, as before, and the ping was still functioning. I guess this is not what you expected, right? I tried to stick to your instruction to the letter. Comment?

    Thanks,

    Steve
  46. gfunkdave

    gfunkdave Networkin' Nut Member

    No. You're not adding a new rule. You're just disabling the one that is already there. Just click the rule to open it for editing, uncheck the box, click OK, then click Save.
  47. SteveF

    SteveF Connected Client Member

    gfunkdave, clicking on the rule does not do anything. I have the sneaky feeling that this rule is not applied because it is not editable and it does not have a pink background. If this works the same way as other areas, then I would have to add a rule with the right parameters, in this case with the unchecked 'on' box. My experience with Tomato is that the rule can only be edited if it is applied. This rule is not a rule, it is mainly a template to create a rule. Right now this 'rule' can not be clicked on, it does not do anything. My experience with this Tomato is that if a rule is added it has a pink background. Then I can click on it, I can edit the field and the Delete/OK/Cancel action options appear. As I say, when I click on it nothing happens. It tells me that this is not an applied rule but is a sort of a template to add, edit and apply a rule.

    If I say click on Add, then it appears on the pink background and then I can un-check the 'on' box and I can say OK/Save. As I say in that case the new rule remains on pink background and the previous line moves down for further adding new rules. That is how this Tomato has been working in my experience.

    What do you think?

    Steve
  48. gfunkdave

    gfunkdave Networkin' Nut Member

    Sorry, I misread your screen grab. There are no rules defined for cross-VLAN access. What is the exact version of Toastman you are running? You may need to upgrade.

    Go to Tools-System and tell me what the following command returns with:

    Code:
    iptables -L FORWARD -v
  49. SteveF

    SteveF Connected Client Member

    Here is what I got as a return after executing your command:
    http://imageshack.us/photo/my-images/10/commandreturn1.jpg/
  50. SteveF

    SteveF Connected Client Member

    Sorry, I forgot: here is the Tomato version I am running:

    tomato-ND-1.28.7633.3-VLAN-IPT-ND-Std.trx. I thought this was the latest.
  51. gfunkdave

    gfunkdave Networkin' Nut Member

    All connections between br0-br1 and br1-br0 are programmed to be dropped. You should not be able to ping between networks.

    What exactly are you pinging? What is the IP address of the computer you're using that is plugged in? What is the IP of the wireless client you're pinging?
  52. SteveF

    SteveF Connected Client Member

    I am pinging from inside Tomato, using the Tool-->Ping function
    My IP address is: 192.168.1.50 and I am pinging 192.168.2.52 or 53 (both wireless) - the pings go through
    Also when I ping my wife's client at 192.168.1.51 from my client, the ping does NOT go through.
    I can also ping from my wife's or my client the router IPs (192.168.1.1 and 192.168.2.1) and those pings function fine.
  53. SteveF

    SteveF Connected Client Member

    One more thing I forgot to mention: the command execution was still the old way with the 'On' box checked. It was confusing how to uncheck that box, so I left it checked.
  54. gfunkdave

    gfunkdave Networkin' Nut Member

    <facepalm>

    You are pinging from the router to the client. You will always be able to do that.

    Go to a command prompt on your computer and type ping 192.168.2.52. It should say request timed out.

    Does your wife's client run Windows? Windows 7 and 8 (and later service packs of XP, I think) default to ignore pings. To change this (in Windows 7 at least), do this: http://www.sysprobs.com/enable-ping-reply-windows-7. Then, try pinging your wife's computer. You will be able to do so.

    You will also always be able to ping either of the router's interfaces (192.168.1.1 and 192.168.2.1) from either VLAN. This is just how it works. You might want to add the following to Administration-Scripts-Firewall to prevent your renters from being able to access the router via web or telnet.

    Code:
    iptables -I INPUT 7 -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT 8 -i br1 -d 192.168.1.1 -j DROP
    iptables -I INPUT 9 -i br1 -d 192.168.2.1 -j DROP
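
    An added example, not from this thread or from Tomato: a small first-match model (Python) of the FORWARD rules read in post #51 and the three INPUT rules above, showing why the router's Tools-->Ping always reaches a guest while a wired PC's ping is dropped, and why the UDP 53/67 ACCEPT must sit ahead of the two DROPs. It assumes the IPs used in this thread, a FORWARD policy of DROP and INPUT policy of ACCEPT, that Tomato's own INPUT rules 1-6 do not match these packets, and that a LAN Access entry switched 'On' inserts an ACCEPT ahead of the DROPs; it is a simplified model, not iptables.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Router addresses from this thread: 192.168.1.1 on br0 (wired), 192.168.2.1 on br1 (guest wireless).
ROUTER_IPS = {"192.168.1.1", "192.168.2.1"}


@dataclass(frozen=True)
class Rule:
    """One iptables rule; an option left as None was not given and matches anything."""
    target: str                              # ACCEPT or DROP
    in_if: Optional[str] = None              # -i
    out_if: Optional[str] = None             # -o
    proto: Optional[str] = None              # -p
    dports: FrozenSet[int] = frozenset()     # -m multiport --dports
    dst: Optional[str] = None                # -d


@dataclass(frozen=True)
class Packet:
    dst: str
    in_if: Optional[str] = None              # None: generated by the router itself
    out_if: Optional[str] = None
    proto: str = "icmp"
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.out_if is not None and rule.out_if != pkt.out_if:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str) -> str:
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# FORWARD chain as described in post #51: traffic between the two bridges is dropped.
FORWARD = [Rule("DROP", in_if="br0", out_if="br1"),
           Rule("DROP", in_if="br1", out_if="br0")]

# The three firewall-script rules above, in the order "-I INPUT 7/8/9" leaves them.
# Assumption: none of Tomato's own INPUT rules 1-6 matches the packets modelled here.
INPUT_ADDED = [
    Rule("ACCEPT", proto="udp", dports=frozenset({53, 67})),  # DNS and DHCP for every bridge
    Rule("DROP", in_if="br1", dst="192.168.1.1"),             # guests may not reach the br0 address
    Rule("DROP", in_if="br1", dst="192.168.2.1"),             # nor the br1 address (web UI, telnet)
]


def chain_for(pkt: Packet) -> str:
    """Router-originated packets use OUTPUT, packets to the router INPUT, the rest FORWARD."""
    if pkt.in_if is None:
        return "OUTPUT"
    if pkt.dst in ROUTER_IPS:
        return "INPUT"
    return "FORWARD"


def decide(pkt: Packet) -> str:
    chain = chain_for(pkt)
    if chain == "FORWARD":
        return evaluate(FORWARD, pkt, policy="DROP")      # assumed policy; the DROP rules decide anyway
    if chain == "INPUT":
        return evaluate(INPUT_ADDED, pkt, policy="ACCEPT")
    return "ACCEPT"  # OUTPUT: the router may talk to any client, hence Tools-->Ping always succeeds


def wired_pings_guest() -> str:       # 192.168.1.50 -> 192.168.2.52 from a PC -> DROP
    return decide(Packet(dst="192.168.2.52", in_if="br0", out_if="br1"))

def router_pings_guest() -> str:      # same target from the router's Tools-->Ping -> ACCEPT
    return decide(Packet(dst="192.168.2.52"))

def guest_dhcp_request() -> str:      # guest asking the router for a lease -> ACCEPT
    return decide(Packet(dst="192.168.2.1", in_if="br1", proto="udp", dport=67))

def guest_web_to_router() -> str:     # guest opening the admin UI on the br0 address -> DROP
    return decide(Packet(dst="192.168.1.1", in_if="br1", proto="tcp", dport=80))

def wired_web_to_router() -> str:     # owner opening the admin UI -> ACCEPT
    return decide(Packet(dst="192.168.1.1", in_if="br0", proto="tcp", dport=80))

def guest_dhcp_if_drops_came_first() -> str:
    """Same three rules with the ACCEPT last: guests could no longer obtain a lease -> DROP."""
    return evaluate(INPUT_ADDED[1:] + INPUT_ADDED[:1],
                    Packet(dst="192.168.2.1", in_if="br1", proto="udp", dport=67), policy="ACCEPT")

def wired_pings_guest_with_lan_access_rule() -> str:
    """Assumed effect of a LAN Access entry br0 -> br1 switched 'On' -> ACCEPT."""
    return evaluate([Rule("ACCEPT", in_if="br0", out_if="br1")] + FORWARD,
                    Packet(dst="192.168.2.52", in_if="br0", out_if="br1"), policy="DROP")
```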
    
  55. SteveF

    SteveF Connected Client Member

    gfunkdave, now we are cooking. There may be some fault with the Tomato ping. From the command line I could ping my wife but the pings to both wireless clients (192.168.2.52 and 53) time out. It works the way it should. I guess I do not have to remove the check mark from the 'On' box, right?

    You are a great guy and a great adviser. Thank you! Could I answer your other questions tomorrow? I have to go to do some errands. I will add those script commands to the router tomorrow.

    I feel lot better, I think it seems to be working the way it should. Now the next question, what is wrong with the ping function of Tomato? I do not want you to do anything about it, but as an engineer I always want zero defect. Really I do not care much about this at this point in time.

    A big thank-you to you, you were great and you stayed with this problem. I will talk to you tomorrow.

    Steve
  56. SteveF

    SteveF Connected Client Member

    gfunkdave, one correction, I did not do the test right. I can ping myself, my wife can ping herself but from me to my wife and vice versa the ping times out. Also pinging from any of the two wired clients to any of the wireless clients times out. So this is good. Tomorrow I will look into why the ping does not go through between the two wired ones. I will also install those script commands.

    Thanks again for your help.

    Steve
  57. SteveF

    SteveF Connected Client Member

    gfunkdave, as I said yesterday, I did the following - just to recap:

    Both me and my wife use Windows 7

    1. No ping between any wired and wireless clients - this is good this was the original intent
    2. No ping between my client and my wife's client either way (but there is ping from own client, that is for example, from 192.168.1.51 to 192.168.1.51 - I am working on this and have one question: on that enable ping site there is one panel asking about local and remote IPs (I assume the IPs the ping request is coming from). Here I assume that for the local one I should put my wife's IP and the remote one? What? I have the option of all IPs or I have to specify one or a range of IPs or computers such as default gateway, WINS servers, DHCP servers, DNS servers or local subnet. Local subnet is the br0 subnet or br0 and br1 combined? Could I just put in here my wife's IP again? Ore local subnet? If not please advise.
    3. I added the script commands to the router suggested by you yesterday. I rebooted it. Can you explain in layman's terms what those 3 script commands do to the router? Does one need to know the hardware architecture of the router? And, where can I learn more about iptables commands?

    We are very close to finish this issue, thank you for your help.

    Steve
  58. Bird333

    Bird333 LI Guru Member

    Please
    I'm confused. Did you mean to say that a client can ping itself? Of course it can. Please explain step by step what you are trying to accomplish. Who are you trying to keep separate from whom? Use bullet points if necessary. :)
  59. SteveF

    SteveF Connected Client Member

    Here it is:
    * Created LAN1(br1) VLAN in addition to existing LAN(br0).
    * The two VLANs should be separated. br1 is purely wireless and br0 is purely wired. See binding of eth1 to LAN1(br1) in one of the pictures I later refer to.
    * Client1 and client 2 are wired to LAN(br0) and client3 and client4 have wireless connections to LAN1(br1).
    * The idea is that neither of client1/client2 on br0 should be able to ping (or 'see') any of client3/client4 on br1 and vice versa due to security requirements.
    * This has been achieved, the second segment has been created in addition to the already existing LAN(br0) segment and the clients are behaving as expected. Go back in this thread and see several posts explaining the creation of the second and separate VLAN, there are even links to show the various pages of Tomato, like Overview, VLAN, Virtual Wireless and LAN Access under Advanced.

    When I mentioned that the client can ping itself it was only to complete the description of the ping scenario, that is, who can/can not ping whom - it is there purely to show a complete picture.

    Does this answer your question?
  60. Bird333

    Bird333 LI Guru Member

    If I understand you, VLANs aren't even necessary for this. Just remove wireless from br0, create a new br1 with only wireless. Actually you shouldn't have to do a bridge for wireless, but whatever. VLANs are necessary when you want individual, physical (i.e. 1-4) ports on different networks.
  61. SteveF

    SteveF Connected Client Member

    You might be right, but my understanding is that VLAN provides great separation for the segments. So this is what I have and I think this is what I am going with. Just out of curiosity, can you tell me step by step what I could have done?

    Thanks.
  62. Bird333

    Bird333 LI Guru Member

    I have a similar setup except I still have the original wireless in br0. I have a separate wireless in addition. I'll have to look at my setup when I get home.
  63. gfunkdave

    gfunkdave Networkin' Nut Member

    Bird is right - you don't technically need VLANs. But, it's not a big deal either way. It's fine the way it is.

    As I said before, Windows 7 by default ignores incoming pings. Follow the instructions in the article I linked to if you want to enable ping response.

    It's all working fine.
  64. SteveF

    SteveF Connected Client Member

    gfunkdave, I have a few screenshots from my avast firewall to see if one of the renters intruded into one of our clients. Are you up for a little investigative challenge? I could post the screenshots. Personally I think there may be something there. After implementing the 2 VLANs and separating the 2x2 clients the pattern is not there anymore. I sent it to avast but they said our clients were protected - what else would they say? It sounded like a canned message. So, please let me know if I should upload them and send you the link via the forum.

    I know you are probably busy, if you say no, I will understand.

    Thanks in advance either way.

    Steve
  65. gfunkdave

    gfunkdave Networkin' Nut Member

    if you'd like...though I'm not sure what it will accomplish
  66. SteveF

    SteveF Connected Client Member

    If you think it has diminishing return then let's not do it, I do not want to waste your time. I am basically just curious. The decision is up to you.

    One question from the previous issue: what is the consequence if a client can not be pinged. Like in case of Windows 7, ping is disabled by default. So what?
  67. gfunkdave

    gfunkdave Networkin' Nut Member

    It's a security measure. If you can't ping an address, you assume there's nothing there and move on. But if you can ping it, you might investigate further what ports are open and if you can gain access. If your PCs are just always plugged into your home network, it doesn't matter.
  68. SteveF

    SteveF Connected Client Member

    gfunkdave, this answer convinced me that I should not enable ping on our two computers. We always connect them to the home network. Thanks for the clarification. We will live without ping.

    Curiosity is bugging me. Can I upload the four screenshots for your review?

    Thanks!

    Steve
  69. SteveF

    SteveF Connected Client Member

    gfunkdave, the worst got me and I uploaded the images. A few words:

    My/my wife's client IPs: 192.168.1.50 and 192.168.1.51

    The two students' IPs: 192.168.1.52 and 192.168.1.53

    This was before the installation of the new VLAN

    Here are the four screenshots:

    http://imageshack.us/photo/my-images/14/clientaccess1.jpg/
    (53 is accessing 50?)

    http://imageshack.us/photo/my-images/543/clientaccess2.jpg/
    (53 is accessing 51?)

    http://imageshack.us/photo/my-images/706/clientaccess3.jpg/
    (53 is accessing 50?)

    http://imageshack.us/photo/my-images/27/clientaccess4.jpg/
    (52 is accessing 50?)

    These may be perfectly legit activities; I may be paranoid, but better to face the facts, whatever they are.

    Thanks for your help.

    Steve
  70. Bird333

    Bird333 LI Guru Member

    1. Create a new lan on the Basic>Network page (i.e. 'br1'). Enable DHCP. Click 'save' at the bottom of the screen
    2. Go to the Advanced>Virtual Wireless page and reassign your wireless interface from 'br0' to 'br1'. This should remove wireless from 'br0' so that it is separate from your 4 LAN ports. Click 'save'.
    3. Add the following iptables rules to Administation>Scripts>Firewall tab
    Code:
    wanf=`nvram get wan_iface`
    # br1 may only leave via the WAN; note the space after '!', since iptables only
    # treats a lone '!' as negation ("-o !$wanf" is taken as an interface literally named "!vlan1")
    /usr/sbin/iptables -I FORWARD -i br1 -o ! "$wanf" -j DROP
    # no new connections from br1 to the router itself ...
    /usr/sbin/iptables -I INPUT -i br1 -m state --state NEW -j DROP
    # ... except DHCP and DNS; each -I inserts at the top, so these three land above the DROP
    /usr/sbin/iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    /usr/sbin/iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    /usr/sbin/iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
    Click save and then reboot your router.

    The first line is to set a variable that has your WAN interface name.
    Second line is to stop any access from br1 except to the internet.
    Third line is to drop any new packets destined for the router.
    Fourth line is to allow br1 to get DHCP service from the router.
    Fifth and Sixth lines allow br1 to get DNS service from the router.
    (FYI, using the insert '-I' in iptables makes the rules work in reverse, i.e. the bottom gets matched first.)

    That's it. With this setup br1 should be separate from the rest of the network and only be able to access the internet.
  71. gfunkdave

    gfunkdave Networkin' Nut Member

    The rules I suggested do the same thing in just three rules. Your first and second rules are superfluous.

    If your computers are only ever plugged into the LAN, it really doesn't matter if you can ping or not.
  72. SteveF

    SteveF Connected Client Member

    Bird, thanks! I asked about your implementation due to my curiosity regarding your solution. As I said I will keep the VLAN based solution. But I understand what you have done.

    In my solution the VLANs can only access the Internet and not the other VLAN, they are separated. This is my understanding.

    If you do not have the rules, what is the downside? This is a roundabout way of asking so I can understand more about the rules.

    Thanks.

    Steve
  73. SteveF

    SteveF Connected Client Member

    gfunkdave, your three rules do not deal with tcp; Bird's do. Does it matter? It looks like his last three rules are similar to your first one but without tcp. I do not see the equivalent of your last two commands in Bird's implementation. And I assume that Bird's first two rules are superfluous, but I do not know much about iptables so I take your word for it.

    Lastly, I will not have ping enabled on my or my wife's computer. We are always going to be on LAN(br0)

    Thanks!
  74. Bird333

    Bird333 LI Guru Member

    Honestly, I am not sure that you even need the rules if you don't have Advanced>LAN Access active. I haven't tested it. These are rules I had with my DD-WRT setup. You could look at them as a safety net. It won't hurt to have them there. I could combine the two udp rules but it isn't a big deal. The FORWARD rule prevents br1 from accessing br0. br1 is locked down to only get DHCP and DNS service from the router and access to the internet. There is usually more than one way to accomplish something. Given what you were doing I think this is a little more straightforward. Most of the time people only bother with VLANs when they want to separate the physical ports on the router.
  75. SteveF

    SteveF Connected Client Member

    Thanks Bird. My Advanced-->LAN Access is NOT active as far as I can see. Here is its screenshot:
    http://imageshack.us/photo/my-images/706/lanaccess.jpg/

    No rule has been added on Advanced-->LAN Access. If my assumption is wrong, please let me know. So, if this is the case, I would not need your second rule:
    /usr/sbin/iptables -I INPUT -i br1 -m state --state NEW -j DROP

    I am assuming that my VLAN solution is safe, that is br1 in locked down and can not access br0.
    If you see anything to the contrary, please let me know.

    Thanks,

    Steve
  76. gfunkdave

    gfunkdave Networkin' Nut Member

    Couple things.

    1. The INPUT chain governs incoming connections to the router, e.g., for accessing its web based config. The FORWARD chain governs routed connections.

    2. Your FORWARD chain already has the appropriate rules to deny br0-br1 connections.

    3. So, all you need is to disallow attempts to access the router from the wireless network. The rules I posted above do that, as I said. The first one allows DHCP and DNS service, and the second two reject all other incoming router connections.
  77. Bird333

    Bird333 LI Guru Member

    It looks like Lan access is active to me.

    It is checked. You are probably separated by the iptables rules that were provided. If you want to see what this stuff affects, make a backup of your working config and experiment with changes.
  78. SteveF

    SteveF Connected Client Member

    Bird, the way I look at this is that if you want to activate a rule you have to click on Add. Then it becomes a rule on a pink background which you can Accept (OK), Delete or Cancel (the changes you made, if any). The user interface works this way all through the pages. I look at what you see there as a template to add a rule.

    Steve
  79. SteveF

    SteveF Connected Client Member

    gfunkdave, thanks for the explanation, The explanation of the commands is what I was looking for. I am good with this additional comment for three script commands you suggested:

    # DNS and DHCP to the router from any LAN; the fixed positions 7-9 assume Tomato's own INPUT rules occupy 1-6
    iptables -I INPUT 7 -p udp -m multiport --dports 53,67 -j ACCEPT
    # br1 may not reach the router's br0 address ...
    iptables -I INPUT 8 -i br1 -d 192.168.1.1 -j DROP
    # ... nor its own br1 address (the web UI, telnet or SSH on the router)
    iptables -I INPUT 9 -i br1 -d 192.168.2.1 -j DROP

    I do not see the FORWARD chain. Or is it hidden? Am I missing something?

    Steve
  80. gfunkdave

    gfunkdave Networkin' Nut Member

    FORWARD rules are already in your iptables rules. Read the rules printout you sent me earlier.
  81. SteveF

    SteveF Connected Client Member

    Gfunkdave, my bad, I missed it. Thank you, I think this case is closed as far as I am concerned.

    I really appreciate what you did. You have great knowledge of this stuff.

    Just on the side: are you a hotshot IT engineer or just an outstanding natural talent who is interested in this stuff?

    Thanks again.

    Steve
  82. Bird333

    Bird333 LI Guru Member

    You may be right; I haven't tested it, but the address fields say they are optional. I thought this was activated automatically when you set up a new LAN. I don't know if this is true. I didn't really care to investigate it because my rules lock it down.
  83. gfunkdave

    gfunkdave Networkin' Nut Member

    Hah, I suppose more of the latter. I don't officially work in IT since I figure I should be using this fancy MBA I have.
  84. SteveF

    SteveF Connected Client Member

    gfunkdave, good for you, whatever your heart desires. But I maintain that you could be successful in IT as well.

    Steve
  85. SteveF

    SteveF Connected Client Member

    Bird, you are correct about the rules, and I am not saying I am right either. I just extrapolated from other pages of Tomato how they seemed to work. Let's just agree that this is untested but it is not worth to pursue at this point in time.

    Steve
  86. Bird333

    Bird333 LI Guru Member

    I want to clarify something. Your requirements said br0 also shouldn't be able to reach br1. You will need an additional FORWARD rule to block br0 from br1, assuming LAN Access doesn't stop it.
  88. SteveF

    SteveF Connected Client Member

    Bird, talking to gfunkdave, he said that this restriction already exists inside the iptables code.
    He asked me to execute a command and send him the response.

    Command executed:
    iptables -L FORWARD -v
    Response:
    http://imageshack.us/photo/my-images/10/commandreturn1.jpg/

    A text copy as well (the spacing is not right); it may help if the link is not very readable:

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target prot opt in    out   source   destination
    1114K  843M        all  --  any   any   anywhere anywhere  account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
    1810K 1482M        all  --  any   any   anywhere anywhere  account: network/netmask: 192.168.2.0/255.255.255.0 name: lan1
        0     0 ACCEPT all  --  br0   br0   anywhere anywhere
        0     0 ACCEPT all  --  br1   br1   anywhere anywhere
        0     0 DROP   all  --  any   any   anywhere anywhere  state INVALID
    72242 3689K TCPMSS tcp  --  any   any   anywhere anywhere  tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    1669K 1830M L7in   all  --  vlan1 any   anywhere anywhere
    2883K 2323M ACCEPT all  --  any   any   anywhere anywhere  state RELATED,ESTABLISHED
        4   240 DROP   all  --  br0   br1   anywhere anywhere
        0     0 DROP   all  --  br1   br0   anywhere anywhere
        0     0 wanin  all  --  vlan1 any   anywhere anywhere
    41037 2111K wanout all  --  any   vlan1 anywhere anywhere
    20755 1041K ACCEPT all  --  br0   any   anywhere anywhere
    20282 1070K ACCEPT all  --  br1   any   anywhere anywhere
        0     0 upnp   all  --  vlan1 any   anywhere anywhere
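The thread argues about two things that are easy to get wrong by reading rules: in which order a Firewall script's `-I` lines end up in the INPUT chain (Bird333's rules in post 70), and whether the FORWARD chain printed above really drops br0/br1 traffic before the later "ACCEPT br0 any" rules let it through. The following Python script is an added example, not code from the thread, from Tomato or from either poster: it parses the subset of iptables syntax used in this thread, applies `-A`/`-I` to a chain exactly as the kernel would order it, and walks constructed packets through the chain with first-match semantics. It assumes the WAN interface is vlan1 (as in the listing), that the user chains wanin/wanout/upnp hold no port forwards and therefore return without a verdict, and that `$wanf` has already been expanded.

```python
# Added example (not code from the thread, from Tomato or from either poster): a
# small first-match evaluator for iptables-style chains.  It checks what Bird333's
# Firewall script (post 70) does to INPUT, why its '-I' order matters, and which
# FORWARD rule from the listing above a packet hits.  Interface names, ports and
# sample "packets" are constructed; user chains (wanin, wanout, upnp) are assumed
# to return without a verdict, as they do when they hold no port forwards.
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
OPTS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport", "--state": "state"}

# Post 70's rules with $wanf expanded to vlan1 (on the router: nvram get wan_iface).
BIRD_SCRIPT = """
iptables -I FORWARD -i br1 -o ! vlan1 -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
"""

# The FORWARD chain printed above, transcribed as append commands (the TCP-flag
# match of the TCPMSS rule is omitted; account/TCPMSS/L7in never give a verdict).
FORWARD_LISTING = """
-A FORWARD -j account
-A FORWARD -j account
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br1 -o br1 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -j TCPMSS
-A FORWARD -i vlan1 -j L7in
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br1 -j DROP
-A FORWARD -i br1 -o br0 -j DROP
-A FORWARD -i vlan1 -j wanin
-A FORWARD -o vlan1 -j wanout
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i br1 -j ACCEPT
-A FORWARD -i vlan1 -j upnp
"""


def parse(cmdline):
    """Parse the iptables subset used here into (op, chain, pos, rule); both '! -o X' and '-o ! X' work."""
    t = shlex.split(cmdline)
    t = t[1:] if t and t[0].endswith("iptables") else t
    op = chain = target = None
    pos, match, neg, i = 1, {}, False, 0
    while i < len(t):
        if t[i] == "!":
            neg, i = True, i + 1
        elif t[i] in ("-A", "-I"):
            op, chain, i = t[i], t[i + 1], i + 2
            if op == "-I" and i < len(t) and t[i].isdigit():
                pos, i = int(t[i]), i + 1
        elif t[i] == "-j":
            target, i = t[i + 1], i + 2
        elif t[i] == "-m":              # match-extension name; its options follow
            i += 2
        elif t[i] in OPTS:
            key, val, i = OPTS[t[i]], t[i + 1], i + 2
            if val == "!":              # older intrapositioned negation: -o ! vlan1
                val, i, neg = t[i], i + 1, True
            match[key], neg = (val, neg), False
        else:
            raise ValueError("unsupported token %r" % t[i])
    return op, chain, pos, {"match": match, "target": target}


def build(script, chain_name, existing=()):
    """Apply a script's -A/-I lines to one chain and return it in walk order; a bare
    -I inserts at position 1, so later script lines end up above earlier ones."""
    chain = list(existing)
    for line in script.strip().splitlines():
        op, name, pos, rule = parse(line)
        if name == chain_name:
            chain.insert(pos - 1, rule) if op == "-I" else chain.append(rule)
    return chain


def matches(rule, pkt):
    """True when every field the rule specifies agrees with the packet (honouring '!')."""
    for field, (val, negated) in rule["match"].items():
        hit = pkt.get(field) in val.split(",") if field == "state" else str(pkt.get(field)) == val
        if hit == negated:
            return False
    return True


def verdict(chain, pkt, policy="DROP"):
    """First matching terminating rule wins; returns (target, rule number) or (policy, None)."""
    for n, rule in enumerate(chain, 1):
        if rule["target"] in TERMINATING and matches(rule, pkt):
            return rule["target"], n
    return policy, None


def report(op="-I"):
    """Verdicts for constructed packets; op="-A" shows what appending post 70's INPUT
    rules instead of inserting them would do."""
    fwd = build(BIRD_SCRIPT, "FORWARD", build(FORWARD_LISTING, "FORWARD"))
    inp = build(BIRD_SCRIPT.replace("-I INPUT", op + " INPUT"), "INPUT")
    out = {}
    for src, dst in (("br0", "br1"), ("br1", "br0"), ("br1", "vlan1"), ("vlan1", "br0")):
        out[src + "->" + dst] = verdict(fwd, {"in": src, "out": dst, "proto": "tcp", "dport": 445, "state": "NEW"})
    for proto, port in (("udp", 67), ("tcp", 80)):
        out["br1 %s/%d to router" % (proto, port)] = verdict(inp, {"in": "br1", "proto": proto, "dport": port, "state": "NEW"}, "ACCEPT")
    return out
```

Calling report() shows br0->br1 and br1->br0 stopped by the two DROP rules well before the "ACCEPT br0 any"/"ACCEPT br1 any" rules, br1->vlan1 accepted, and an unsolicited vlan1->br0 packet falling through to the chain's DROP policy; on the INPUT side, DHCP from br1 is accepted at rule 3 and a web-UI connection is dropped by the NEW rule. report("-A") shows why Bird333's note about `-I` matters: appended in script order, the NEW DROP would sit first and DHCP from br1 would be dropped too.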
  89. Bird333

    Bird333 LI Guru Member

    Yeah you are blocking traffic both ways.
  90. SteveF

    SteveF Connected Client Member

    Bird, thanks for your looking at it as well. Also a huge thank to gfunkdave, he helped me a lot and he said the same thing. I was already fine with gfunkdave's evaluation but you wanted to see the command response so this is why I sent it to you. Thanks again.
  91. Bird333

    Bird333 LI Guru Member

    I don't remember asking to see your iptables rules but it's all good. :)
  92. SteveF

    SteveF Connected Client Member

    OK, I must rephrase it. You said I needed a FORWARD script command to block the traffic. I said that I thought I had it in the internal code and suggested that I send you the command given to me by gfunkdave and the response of the command. This is what I did. So you are correct, you did not ask for it and it was my initiative to send it to you because it kind of made me concerned, although gfunkdave said it was OK. I am not an expert with iptables script commands. It never hurts to double check things. I am glad that both you and gfunkdave came to the same conclusion. I stand to be corrected. Thanks for your time and effort to double check it.

    Just one more question: where could I learn more about iptables script commands?
  93. Bird333

    Bird333 LI Guru Member

    http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html also the netfilter.org site.
  95. SteveF

    SteveF Connected Client Member

    gfunkdave, have you had a chance to look at this screenshots of the firewall I sent you about client accesses?

    If you can not or do not want to do it, just say so, I need to know.

    Thanks,

    Steve
  96. gfunkdave

    gfunkdave Networkin' Nut Member

    They don't really tell me anything. Could be anything from your tenants trying to probe your computers to random programs discovering the network. Don't worry about it. They can't access anything now anyway.
  97. SteveF

    SteveF Connected Client Member

    Thanks! In addition, I had the avast firewall and avast told me that I should be protected against any inside and outside attack. Case closed.

    Thanks again, no more mention of this topic.

    Steve
  98. SteveF

    SteveF Connected Client Member

    gfunkdave, just one clarification: will the above 3 lines of code stop any access to the router from the outside, or from both the outside and the inside? You mentioned web or telnet, so I assume it is from the outside, but I do not know for sure, so this is why I am asking. I only used the 3 lines, nothing else; you preceded them with the word 'code'. I assumed I did not have to use it. Am I correct?

    Thanks for your reply in advance.

    Steve
  99. Bird333

    Bird333 LI Guru Member

    Those rules don't stop access from the outside. Other rules should do that, and I'm sure your router firewall already has those in place.
  100. SteveF

    SteveF Connected Client Member

    Bird, thanks for the response. Can you give me a set of rules (I assume those are iptables entered at the Firewall command line as well) which would protect my router from outside attacks? Thanks for your response in advance.
