Possible to prevent access between machines on LAN?

Discussion in 'Tomato Firmware' started by Atari, Oct 23, 2007.

  1. Atari

    Atari Guest

    Curious if I can do this with Tomato (or any of the other firmwares here).

    I have a WRT54GS V1, currently running the latest version of Tomato.

    I have the following devices connected to the 4 wired LAN ports:

    computer 1
    computer 2
    computer 3

    Basically, I want to set things up so that all the computers can access the network printer, but CAN NOT ACCESS EACH OTHER.

    My girlfriend is going to put her computer on the network & she's prone to getting viruses, so I want to sandbox her off away from everything else. ;)

    Is this possible?

    Could someone walk me through this?
  2. samov

    samov LI Guru Member

    SANDBOX the girlfriend... I second that :)

    You might be able to set up different subnet masks on each port...
  3. Toxic

    Toxic Administrator Staff Member

    Do you have any shares set up on each PC?
  4. mstombs

    mstombs Network Guru Member

    Some routers have bridge filters that could be used for this at the MAC address level; Tomato doesn't seem to. You may also be able to split the LAN switch into VLANs. I think DD-WRT has a web GUI interface for this; it probably could be done from the command line in Tomato, but it's a lot of effort, and trojan/virus writers may be more adept at finding their way round every block you attempt to impose!

    I recommend some education on safe surfing plus decent antivirus and software firewalls on all machines - forget the sand!
  5. RonWessels

    RonWessels Network Guru Member

    I have to agree with the previous posters: there is no way to do that from the web GUI in Tomato.

    The problem is that the LAN ports are configured as a single VLAN, so it acts as a switch with no software intervention required to forward packets from one LAN port to the other. Hence no way of intercepting those packets. Have a look here for a picture of how the VLANs are set up.

    What you will need to do is move some of the LAN ports to a new vlan2 network, which you can then set up as a secondary "LAN" network. DD-WRT apparently has a web interface to do this. That would be my guess for the easiest way. You could also modify the appropriate nvram variables and firewall settings on most other firmwares to do this. If you're going the command-line route, I'd recommend OpenWRT.

    [ edit: Oops, I just saw your network printer requirement. That makes the VLAN configuration that much more difficult, since you will either have to NAT between vlan0 and vlan2 or set up yet another vlan3 for your network printer. I don't know if the DD-WRT interface is flexible enough to do what you want. You can do it in OpenWRT, but you need to completely understand that diagram and how firewalls are configured to do it. ]

    You do have another alternative. Buy a second router and install it between the first router and any machines you wish to keep "safe". Overall, I'd say this would be simplest.
  6. Rafatk

    Rafatk Network Guru Member

    I used DD-WRT about 6 months ago, and since then I have not followed DD-WRT development much because I started using Tomato.
    But I do remember that the VLAN interface only works with a couple of router models.
    You might check that before going through all this work.
  7. RonWessels

    RonWessels Network Guru Member

    That's probably because not all routers supported by DD-WRT have a switch that can be configured into VLANs. However, I'd be willing to bet that it would be supported for the WRT54GSv1 that the OP has. The only possible gotcha would be that the VLAN setup is different from modern WRT54G* routers, but that's a solved problem that I'll bet DD-WRT already handles.
  8. Rafatk

    Rafatk Network Guru Member

    Yeah, I don't know for sure.
    But anyway, it is possible to do it even with Tomato, or with a router on which the DD-WRT VLAN interface does not work.
    It just needs to be done through SSH or Telnet.
    But it might require a little bit of work and research to set it in the nvram settings.
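
One way to do the firewalling half of RonWessels' vlan2 approach from the command line that Rafatk mentions, as an added example that is not from this thread or from the Tomato project: a script for Tomato's firewall-script hook that lets the sandboxed VLAN reach the printer and the Internet and nothing else, in either direction. The interface names, addresses and printer ports are constructed assumptions, and the VLAN port split itself (the nvram step the posts describe) is assumed to have been done already.

```shell
# Added example, not from the thread. In Tomato these rules belong in
# Administration > Scripts > Firewall, which runs after each firewall rebuild.
# Constructed assumptions:
#   br0   = existing trusted LAN bridge (vlan0), 192.168.1.0/24, with the printer
#   vlan2 = sandbox LAN already split off in nvram as described above,
#           routed (not bridged into br0) at 192.168.2.1/24
#   vlan1 = WAN on this WRT54GS v1 (old layout: vlan0 = LAN, vlan1 = WAN)
SANDBOX_IF="${SANDBOX_IF:-vlan2}"
SANDBOX_NET="${SANDBOX_NET:-192.168.2.0/24}"
TRUSTED_IF="${TRUSTED_IF:-br0}"
WAN_IF="${WAN_IF:-vlan1}"
PRINTER="${PRINTER:-192.168.1.50}"       # constructed printer address
PRINT_PORTS="${PRINT_PORTS:-9100 515}"   # JetDirect raw and LPD

# With DRY_RUN set, print each rule instead of loading it, so the rule set
# can be reviewed off the router.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_sandbox_rules() {
    # Own chain, rebuilt from scratch, so re-running the script is safe.
    ipt -N sandbox 2>/dev/null || true
    ipt -F sandbox
    # Replies to connections permitted below must be allowed back through.
    ipt -A sandbox -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The sandbox may talk to the printer, and only on print ports.
    for port in $PRINT_PORTS; do
        ipt -A sandbox -i "$SANDBOX_IF" -o "$TRUSTED_IF" -d "$PRINTER" \
            -p tcp --dport "$port" -j ACCEPT
    done
    # The sandbox may reach the Internet ...
    ipt -A sandbox -i "$SANDBOX_IF" -o "$WAN_IF" -j ACCEPT
    # ... and nothing else: the trusted PCs are unreachable from it, and
    # they cannot open connections into it either.
    ipt -A sandbox -i "$SANDBOX_IF" -j DROP
    ipt -A sandbox -i "$TRUSTED_IF" -o "$SANDBOX_IF" -j DROP
    # Evaluate the chain ahead of Tomato's own "-i br0 -j ACCEPT" rule.
    ipt -D FORWARD -j sandbox 2>/dev/null || true
    ipt -I FORWARD 1 -j sandbox
    # Sandbox hosts still need NAT to the WAN and DHCP/DNS from the router;
    # Tomato's INPUT policy drops anything else they send to the router
    # itself. (dnsmasq must separately be told to serve vlan2.)
    ipt -t nat -A POSTROUTING -s "$SANDBOX_NET" -o "$WAN_IF" -j MASQUERADE
    ipt -I INPUT 1 -i "$SANDBOX_IF" -p udp --dport 67 -j ACCEPT
    ipt -I INPUT 1 -i "$SANDBOX_IF" -p udp --dport 53 -j ACCEPT
}

# On the router, end the pasted script with:  apply_sandbox_rules
# Off the router, review the rule set with:   DRY_RUN=1; apply_sandbox_rules
```

Note that this only isolates the machine(s) on the vlan2 port(s) from the rest; PCs that stay together in vlan0 still see each other in hardware, as the posts above explain.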