
Second LAN-Subnet only on switch Port 4

Discussion in 'DD-WRT Firmware' started by Honki, Sep 21, 2005.

  1. Honki

    Honki Network Guru Member

    I would like to configure a second subnet on the LAN side. Can I use VLANs to put it only on one switch port? For example:

    Lan Port 1 to 3: 192.168.1.1
    Lan Port 4: 10.0.0.1

    But both subnets should go out to the WAN and use the PPPoE connection.

    Any Ideas?
     
  2. wrt-vogon

    wrt-vogon Network Guru Member

    That's what I'm looking for too :) This way you could use a whole subnet as DMZ and not just one IP address.
    There are older threads in different forums (i.e. sveasoft, search for 'vlan') which discuss this point, but since everyone is focusing on WLAN functionality the LAN side is underestimated. You can separate LAN ports, you can separate WLAN from LAN and you can even break the bridge between WLAN and LAN.
    In any case you have to create new firewall rules with iptables, which will surely not be implemented in the DD-WRT GUI. But this can be done with FW-Builder as far as I know, in case you are not familiar with iptables.
    Since I'm no Linux geek at all, I would highly appreciate a way to implement subnets on LAN ports in DD-WRT via the GUI:
    - creating VLANs and assigning subnets to VLANs
    - working DNS for subnets
    - DHCP (incl. static IPs) for every subnet
    - automatically committing a set of default rules (like: no access from WAN to LAN subnets, no access from subnet to subnet, or whatever rules would make sense as default)

    Maybe brainslayer will implement something like this since a lot of people would find that very useful I think.

    :)
     
  3. wrt-vogon

    wrt-vogon Network Guru Member

    Are there any known plans to implement this into DD-WRT? Seems like Talisman 1.1 has this feature already.

    :)
     
  4. Honki

    Honki Network Guru Member

    Can anybody help us?
     
  5. big_boi

    big_boi Network Guru Member

    To add on to this "feature request", I would like to ask that if we do get this capability we also get the capability to make it a spanning or mirror port. It would be real nice to mirror traffic off to this port and run a snort box on the other end.
     
  6. vincentfox

    vincentfox Network Guru Member

    You can already do what you want from the command-line if you don't want to wait around for it to be in the GUI.

    Just ssh into the box and go for it.

    Between vconfig and brctl you can do this in a few lines. See the Advanced Routing Howto for Linux or the man pages for the commands themselves.
     
  7. big_boi

    big_boi Network Guru Member

    vincentfox, if you're implying I add a rule to iptables directly then you haven't seen my thread asking where exactly the iptables rules are stored. If you have an answer I'd love to hear it :)

    TIA,
    big boi
     
  8. vincentfox

    vincentfox Network Guru Member

    This has nothing to do with iptables.

    Use ssh to login to the WRT. Or telnet if you prefer.

    Either way, then run the commands vconfig or brctl and they will spit back the command list for their operation. Or you can look it up on the internet. Some other day I would spoon-feed you what you need. Today, I feel like going to listen to some music. :rockon:

    I have pointed you in a useful direction, best of luck. :thumb:
     
  9. 4Access

    4Access Network Guru Member

    Hopefully vincentfox is enjoying his music. :roll:

    Instead of trying to use vconfig & brctl I'd suggest you simply set the nvram variables manually. It's probably easier.

    The info on the Configuration page from the OpenWRT wiki is an invaluable reference for what you're trying to accomplish. (You don't need to worry about anything below or including the Robocfg stuff - Section 2.2.2)

    Additionally, I found this document to be really helpful as well since it pretty much spells out how to put one of the LAN ports on its own subnet. There is a lot of unrelated stuff in the doc though, so here are the good parts:

    (Although according to the OpenWRT docs mentioned above it would be best NOT to move port 1 out of vlan0 so I wouldn't recommend cutting and pasting the commands directly.)

    After you've got all that setup you may still need to configure some static routes and/or iptables rules for filtering depending on exactly what you're trying to accomplish.

    Good luck.
     
  10. Honki

    Honki Network Guru Member

    hmm...

    I had done this with Telnet:

    nvram set vlan2hwname=et0
    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan2ports="4 5"
    nvram set sub_ifname=vlan2
    nvram set sub_hwaddr=$(nvram get et0macaddr)
    nvram set sub_proto=static
    nvram set sub_ipaddr=10.0.0.1
    nvram set sub_netmask=255.255.255.0
    nvram set sub_mtu=1500
    nvram set rc_startup="
    ifup sub
    "
    nvram commit
    reboot

    But it will not work... :cry:

    When I do "ifup sub" manually I see this error:

    ifup: /etc/network/interfaces: No such file or directory

    Any Ideas?
     
  11. 4Access

    4Access Network Guru Member

  12. Honki

    Honki Network Guru Member

    I think it is "ifconfig up sub", or?

    But it will not work.

    When I send a ping from the PC (10.0.0.2) in vlan2 on WRT port 4 there is no response... :(

    Any Ideas?
     
  13. vincentfox

    vincentfox Network Guru Member

    The advantage of using the vconfig and brctl commands is you can directly manipulate the setup and see immediate results. No need to commit and reboot. I said it was a path, not the only one. Perhaps I am also cautious and prefer to test out network configs in a way where I can reboot and return to normal. Changing nvram vars, committing, and it being really wrong can leave you with an unusable WRT. Then you must do a factory reset and start over.
     
  14. Honki

    Honki Network Guru Member

    OK, and which is your (config) way to get this solution working?

    I take this too:

    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan1ports="0 5"
    nvram set vlan2ports="4 5"

    nvram set rc_startup="
    vconfig add eth0 2
    ifconfig vlan2 hw ether $(nvram get et0macaddr)
    ifconfig vlan2 10.0.0.1 netmask 255.255.255.0
    ifconfig vlan2 up
    "
    nvram commit

    But this won't work either.. :sad:
     
  15. 4Access

    4Access Network Guru Member

    OK I'm testing it on a WRT54GS v2

    For some reason the following nvram variables don't seem to be affecting anything:

    nvram set sub_ifname=vlan2
    nvram set sub_hwaddr=$(nvram get et0macaddr)
    nvram set sub_proto=static
    nvram set sub_ipaddr=10.0.0.1
    nvram set sub_netmask=255.255.255.0
    nvram set sub_mtu=1500

    they exist but aren't being applied to vlan2...

    To manually bring the interface up use:

    ifconfig vlan2 up

    Then I bet if you check the output of 'ifconfig' you'll see that vlan2 is up but doesn't have an IP address assigned. In that case you can manually do a:

    ifconfig vlan2 10.0.0.1 netmask 255.255.255.0

    I believe you'll also want to assign vlan2 a different MAC address but I can't seem to get that to work right now.
     
  16. Honki

    Honki Network Guru Member

    and now ? - ideas? :eyebrow:
     
  17. vincentfox

    vincentfox Network Guru Member

    I don't have a WRT to play on right now to test everything. So I can't send you a simple "cut and paste this and it will work". Aside from which there are differences in the WRT models I have GS 1.0 units.

    My next post will be a raw copy of the notes file I used when building an OpenWRT unit with some VLAN fun thrown in.

    The post after that I will try to extract out only the stuff that I think might be directly useful.
     
  18. vincentfox

    vincentfox Network Guru Member

    OpenWRT project notes

    In this example I was setting up a unit to act as a ChilliSpot "captive portal" gateway. It was at a remote house.

    The idea was there were GREEN networks on ports 1-3 for household PC's. The VLAN's there were straightforward local traffic and had plain dnsmasq providing DHCP for them.

    Then for the BLUE network on port 4 and the WiFi interface, which were bridged together into VLAN4, you had the chilli daemon managing clients. The only reason for having port 4 on the chilli daemon also was so I had a test point where I could plug in a wired host to make sure chilli was doing its job for testing purposes.

    Here it is:

    OpenWRT

    uploaded openwrt20050202

    telnet 192.168.1.1

    # First we turn off the radio:
    nvram set wl0_radio=0

    # Now we set the WAN properties:
    nvram set wan_ipaddr=192.168.71.65
    nvram set wan_proto=static
    nvram set wan_netmask=255.255.255.0
    nvram set wan_dns=216.27.175.2
    nvram set wan_hostname=alpha
    nvram set wan_gateway=192.168.71.1

    # Next the LAN properties
    nvram set lan_ipaddr=192.168.6.1
    nvram set lan
    # Have to save changes before rebooting!
    nvram commit

    # Create a hosts file
    vi /etc/hosts
    127.0.0.1 localhost
    192.168.71.65 alpha-gw
    192.168.6.1 alpha
    216.27.163.184 troll scribe
    216.27.163.41 state1219

    # Install ssh package
    ipkg update
    ipkg install dropbear

    # Disable telnet
    rm /etc/init.d/S50telnet
    # Disable web
    rm /etc/init.d/S50httpd

    # Have to make a dnsmasq.conf for our locale:
    rm /etc/dnsmasq.conf
    cp /rom/etc/dnsmasq.conf /etc/
    vi /etc/dnsmasq.conf
    # Change LAN range to match lan_ipaddr so it reads as:
    dhcp-range=vlan1,192.168.6.100,192.168.6.199,255.255.255.0,12h
    # And also exclude the port 4 VLAN:
    except-interface=vlan4

    # Create /etc/resolv.conf
    nameserver 127.0.0.1
    nameserver 216.27.175.2
    nameserver 216.231.41.2

    # Install NTP client package
    ipkg install ntpclient

    # Set timezone
    cat >/etc/TZ
    EST5EDT

    # Create script to set clock at boot time
    cat >/etc/init.d/S46ntpclient
    #!/bin/sh
    /usr/sbin/ntpclient -l -h tick.gatech.edu -i 5 -s

    chmod 755 /etc/init.d/S46ntpclient

    # Prep to modify S10boot
    rm /etc/init.d/S10boot
    cp /rom/etc/init.d/S10boot /etc/init.d/S10boot
    # Now edit
    vi /etc/init.d/S10boot
    # Change line to read: syslogd -R scribe

    # Okay, first test!
    reboot


    Okay, here's the tricky bits for breaking the bridge and doing VLANs:
    ---------------------------------------------------------------------

    ipkg install http://www.xs4all.nl/~rop/openwrt/admcfg_0.6996-wrt1_mipsel.ipk

    # Started from vlan.sh example found at same site above:

    #!/bin/sh
    insmod adm.o
    admcfg port0 PVID:0 vlan0
    admcfg port1 PVID:1 vlan1
    admcfg port2 PVID:2 vlan2
    admcfg port3 PVID:3 vlan3
    admcfg port4 PVID:4 vlan4
    vconfig add eth0 0
    vconfig add eth0 1
    vconfig add eth0 2
    vconfig add eth0 3
    vconfig add eth0 4
    ifconfig vlan0 192.168.99.1 netmask 255.255.255.0
    ifconfig vlan1 192.168.1.1 netmask 255.255.255.0
    ifconfig vlan2 192.168.2.1 netmask 255.255.255.0
    ifconfig vlan3 192.168.3.1 netmask 255.255.255.0
    ifconfig vlan4 192.168.4.1 netmask 255.255.255.0

    # Created a simple /etc/init.d/S41vlan

    #!/bin/sh
    /bin/admcfg port4 PVID:4 vlan4
    /sbin/vconfig add eth0 4
    /sbin/ifconfig vlan4 192.168.4.1 netmask 255.255.255.0

    chmod 755 /etc/init.d/S41vlan

    # Cleanup item, need to remove port 4 from vlan0
    nvram set vlan0ports="1 2 3 5*"
    nvram commit

    # Now reboot and test out the VLAN on port 4.
    --------------------------------------------------------------

    # Need tun module for ChilliSpot
    ipkg install kmod-tun
    # Next, we load up ChilliSpot 1.0RC2
    ipkg install http://www.chillispot.org/download/chillispot_1.0RC2-1_mipsel.ipk

    # Now, edit the /etc/chilli.conf file:
    net 192.168.186.0/24
    dns1 216.27.175.2
    dns2 216.231.41.2
    radiusserver1 216.27.163.184
    radiusserver2 216.27.163.184
    dhcpif vlan4
    uamserver https://troll/cgi-bin/hotspotlogin.cgi
    uamsecret XXXXXXX
    uamallowed www.chillispot.org,192.168.186.1,XXX.YYY.ZZZ.AAA
    # Create a ChilliSpot startup script as /etc/init.d/S99chilli
    #!/bin/sh
    insmod tun >/dev/null 2>&1
    [ -d /var/run ] || mkdir -p /var/run
    sleep 5
    /usr/sbin/chilli

    chmod +x /etc/init.d/S99chilli

    # Okay, now reboot and check it out!
    reboot


    -----------------------------------------------------------------------
    # Now let's setup the internal radio and bridge it to vlan4
    -----------------------------------------------------------------------

    nvram set wl0_ssid="http://HomeParkWiFi.net"
    nvram set wl0_channel=6
    nvram set wl0_radio=1
    nvram set txpwr=32
    nvram commit

    nvram set lan_ifname=vlan0

    brctl delif br0 eth1
    brctl addbr br1
    brctl addif br1 vlan4
    brctl addif br1 eth1

    ------------------------------------------------------------------------
    # Next idea, OpenVPN to link them all up together!
    # Can find it using Package Tracker, likely in Nico repository.
    ------------------------------------------------------------------------
     
  19. Honki

    Honki Network Guru Member

  20. vincentfox

    vincentfox Network Guru Member

    I guess the relevant bits would be:

    Perhaps it would help you most if you do an nvram show | grep vlan that will give you info on the current vlan setup.

    If vlan0ports looks like
    vlan0ports=1 2 3 4 5*

    Then the first thing you need to do is remove port 4.

    nvram set vlan0ports="1 2 3 5*"
    nvram commit

    From there I'm not sure how to do the admcfg step to set vlan4 up as bound to port4. I logged into a DD-WRT unit and there is no admcfg command. I believe older models like my GS 1.0 used the ADM chipset for the switch, so this was the utility to manipulate vlans on those models. I was just using vlan4 to keep it obvious. You could just as easily bind vlan2 to port4.

    Anyhow, after vlan4 is setup, then you can create a bridge if you want, and ifconfig it.

    /bin/admcfg port4 PVID:4 vlan4
    /sbin/vconfig add eth0 4
    /sbin/ifconfig vlan4 192.168.4.1 netmask 255.255.255.0
     
  21. vincentfox

    vincentfox Network Guru Member

    I'm sorry if this is a bit of a jumble, it's been a while since I did that project. If I get some time soon to sit down and play with a WRT I will do a better job. I think you can do it with the nvram vars as previous posters said, but I have to test. I suppose I can write a section of the Wiki for this VLAN thing if we get it working....

    I think you should be able to do the VLAN setup part just through the GUI in DD-WRT these days. Just go into Setup->VLANs and deselect port 4. This will ungrey the port 4 checkboxes down the line. Now go down to vlan2 and select port 4. I think leave "Assigned to Bridge" set to none since you want vlan2 off on its own, not part of the LAN.

    Then it's just a matter of plumbing the interface itself. Still thinking about that. Perhaps I have a WRT in my production network whose port 4 is not in use, that I could test on.
     
  22. Honki

    Honki Network Guru Member

    OK, but what about the WRT54GS V1.1 or others with BCM chips???

    Any ideas?
     
  23. 4Access

    4Access Network Guru Member

    Just remembered this myself and came back to mention it but I see that vincentfox beat me to it.

    In summary:
    Forget all the nvram commands related to the vlans. (Update:Due to what seems to be a bug some VLAN related nvram variables must still be manually entered. Necessary commands added in red below.)

    Start by going to the Setup > VLANs page and make it look like this:

    [image: screenshot of the Setup > VLANs page]

    Next enter the following command via telnet or ssh:

    nvram set rc_startup="ifconfig vlan2 10.0.0.1 netmask 255.255.255.0"
    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="4 5"

    nvram set rc_firewall="iptables -I INPUT 2 -i vlan2 -j ACCEPT"
    nvram commit
    reboot

    Finally connect a cable to port 4 and then statically assign your PC an IP address in the 10.0.0.X range. You should now be able to ping the router (or connect to ssh etc) using 10.0.0.1

    Works great here. Takes about 60 seconds to setup.

    :thumb:
     
  24. Honki

    Honki Network Guru Member

    Sorry, but it will not work :(

    I cannot ping the second subnet with this solution. When I use DHCP the router gives me on port 4 the IP address from the first subnet.
    With ifconfig the VLAN2 is up with the IP from the second subnet but it is not pingable...
     
  25. vincentfox

    vincentfox Network Guru Member

    I feel bad about leaving this problem in the middle, but have a long drive ahead of me to the Left Coast. Hope someone else jumps in and y'all get this worked out!
     
  26. u3gyxap

    u3gyxap Network Guru Member

    I am trying to assign the WAN port to the LAN bridge from the VLANs tab, but it doesn't work. Tried Alchemy, DD-WRTv22 r2, DD-WRT v23 latest beta.
    Anyone succeeded on VLANs? Some guidelines?
     
  27. 4Access

    4Access Network Guru Member

    Notice I said statically assign your PC an IP address in the 10.0.0.X range... When you do that I assume you can ping the router at 10.0.0.1? (We'll look into DHCP after we're sure you can get connectivity with static IP addresses.)
     
  28. 4Access

    4Access Network Guru Member

    So if I'm guessing correctly you simply want to make the router a 5 port switch...? You'll probably need to disable the firewall. I'll try to find time to test this later.
     
  29. Honki

    Honki Network Guru Member

    @4Acces:

    I have tested it first with static IP 10.0.0.2; with this it will not work (no ping to the router's VLAN2 address 10.0.0.1). Then I used DHCP and I'm wondering why I got the IP address from the first subnet (192.168.1.10).
     
  30. 4Access

    4Access Network Guru Member

    @Honki,
    I found two reasons it's probably not working for you. One related to what I believe is a bug in the web config for VLANs, and the other more than likely being firewall related. I've updated my post above to reflect the necessary changes so try reading it again.

    You'll still have to configure a static IP address on your PC for the time being. (BTW the DHCP issue you noticed is normal. I know how to fix it but will save that for another post.)

    Let me know how it goes!!
     
  31. 4Access

    4Access Network Guru Member

    HowTo: Use the Internet port as a 5th LAN port

    @u3gyxap

    To use the Internet/WAN port as a 5th LAN port simply:

    1. Configure the Setup > VLANs page as follows:

    [image: screenshot of the Setup > VLANs page]

    2. Enter the following commands: (Note the only reason you have to enter these commands is due to what I feel is a bug in the current firmware... hopefully soon these steps won't be necessary.)

    nvram set vlan0ports="0 1 2 3 4 5*"
    nvram set vlan1ports=5
    nvram commit
    reboot

    3. Enjoy :thumb:

    Oh, and it turned out there is no need to disable the firewall.

    (Tested on a WRT54GS v2)
     
  32. BrainSlayer

    BrainSlayer Network Guru Member

    VLAN setup works correctly only with ADM6996-based chipsets and not with all WRTs. I added some new backend code for supporting the other chipsets, but nothing concrete yet.
     
  33. 4Access

    4Access Network Guru Member

    VLANs are working great on a WRT54GS v2 (BCM5325 chip) for me if the proper nvram variables are set.

    The only problem is you have to manually configure some of the nvram variables as mentioned in my posts above. As best I can tell, all it would take to fix the problem is have the following nvram variables get updated properly when making changes to the Setup > VLANs configuration page:

    vlan0ports
    vlan1ports
    vlan2ports
    vlan3ports
    vlan4ports

    vlan5ports DOES appear to be updated properly... so nothing to fix here.

    vlanXhwname=et0
    is not being properly configured either but VLANs actually appear to work without it...
    (X = 2-15)

    BrainSlayer, could you please fix this? I imagine it should be a fairly quick change.
     
  34. bigjohns

    bigjohns Network Guru Member

    dumb question, but how do we tell which chipset we have?
     
  35. u3gyxap

    u3gyxap Network Guru Member

    Re: HowTo: Use the Internet port as a 5th LAN port

    Thanks dude, it works. I use it on routers that work in client mode (internet coming to the router through the WiFi). Since the WAN port is not used for anything, now it is a port of the switch :rockon:
    What is weird is that I was doing the exact same thing - do it on the web interface, then save, then do the commands through SSH, commit, reboot, and it didn't work.
    Well, I must have done something wrong back then, since now it works :cheering:
    Thanks again. :thumb:

    Tested on a WRT54G v2.0 running dd-wrt v23 and on a WRT54GS v1.0 running dd-wrt v22 r2.
     
  36. bytes2000

    bytes2000 Network Guru Member

  37. Honki

    Honki Network Guru Member

  38. 4Access

    4Access Network Guru Member

    I don't have time to test these rules right now but they should prevent any traffic from passing between vlan2 (port 4) and the other LAN ports:

    iptables -I FORWARD -i vlan2 -o br0 -j DROP
    iptables -I FORWARD -i br0 -o vlan2 -j DROP

    Is that what you wanted??
     
  39. Honki

    Honki Network Guru Member

    Hey, thanks for your fast solution, but sorry, I tried this before I posted the last question and it will not work.

    The Ping goes always from LAN to VLAN2.

    With "iptables -I INPUT -i vlan2 -d 10.0.0.0/24 -j ACCEPT" the Ping from Port4 (VLAN2) it will not go to LAN (192.168.1.1)...
     
  40. 4Access

    4Access Network Guru Member

    I'd have to see your rules to be sure but I bet it's actually the router responding to the pings due to the way some of the default rules are configured. (Try pinging a 192.168.1.X IP address that's not in use from VLAN2 and see if you get a reply.) Basically what I'm trying to say is I still think that your regular LAN ports are safe from all traffic coming from vlan2 (port4) with the rules I suggested above. (You could always try and port scan a computer in the 192.168.1.X LAN from VLAN2 just to be sure.)

    But if you want, instead of the rules I suggested last try these two instead:

    iptables -t nat -I PREROUTING -i vlan2 -d 192.168.1.0/24 -j DROP
    iptables -t nat -I PREROUTING -i br0 -d 10.0.0.0/24 -j DROP

    They also should block all traffic between vlan2 & the other LAN ports, as well as prevent the router from responding to pings sent between the subnets.
     
  41. kerozen

    kerozen Network Guru Member

    Hi, I tried your solution 4Access and it works.

    My LAN 192.168.0.x can ping my Vlan2 10.0.0.x, that sounds good to me.
    My Vlan2 cannot ping LAN and that's good too for me...

    But my Vlan2 could not ping internet addresses at all..

    I use your first iptables rule only:
    nvram set rc_firewall="iptables -I INPUT 2 -i vlan2 -j ACCEPT"

    Maybe I need another one to enable VLAN2 to use the router as a DNS and to access WAN addresses...

    If you can help me...

    Edit:

    In fact, I've just used WallWatcher to see that the router allows LAN to LAN dialog, but answers are not sent to Vlan2....

    Same thing for Vlan2 to WAN addresses, they pass through the router but no answer to Vlan2...

    @peluche
     
  42. Honki

    Honki Network Guru Member

    This Solution work:

    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan1ports="0 5"
    nvram set vlan2ports="4 5"
    nvram set vlan2hwname=et0
    nvram set rc_startup="ifconfig vlan2 10.0.0.1 netmask 255.255.255.0"
    nvram set rc_firewall="
    iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I INPUT -i ppp0 -j ACCEPT
    "
    nvram commit
    reboot

    Thanks to 4Access :thumbup:
     
  43. kerozen

    kerozen Network Guru Member

    OK, thanks, I'll try this now...

    I'll just add
    nvram set rc_firewall="
    iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
    iptables -I INPUT -i ppp0 -j ACCEPT
    "
    as others are already active...
     
  44. kerozen

    kerozen Network Guru Member

    Hum....my vlan2 could not ping the router anymore....nor access the internet...

    What I did is:

    nvram set rc_startup="ifconfig vlan2 10.0.0.254 netmask 255.255.255.0"
    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="4 5"
    nvram set rc_firewall="iptables -I INPUT 2 -i vlan2 -j ACCEPT"

    plus what you say:

    nvram set rc_firewall="
    iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
    iptables -I INPUT -i ppp0 -j ACCEPT
    "
    nvram commit
    reboot

    So, there are little differences with your settings...

    How can I delete what I put in to retry?

    OK, I see with "nvram get rc_firewall" that I forgot to add "iptables -I INPUT -i vlan2 -j ACCEPT", so I re-entered it and now I got:

    iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I INPUT -i ppp0 -j ACCEPT

    I can ping the router but no internet (maybe I need to put the DNS of my ISP in the IP settings of the PC....)

    or that's not ppp0 I need to put in the rules....
     
  45. kerozen

    kerozen Network Guru Member

    Ok, now it's working:

    Here is what I did on my WRT54G v2.2 with DD-WRT build #22:

    nvram set rc_startup="ifconfig vlan2 10.0.0.254 netmask 255.255.255.0"
    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="4 5"
    nvram set rc_firewall="
    iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I INPUT -i vlan1 -j ACCEPT
    "
    nvram commit
    reboot

    I can now ping the internet from LAN and VLAN2, and ping VLAN2 from LAN.

    But I need to manually enter my ISP's DNS IP on VLAN2 to access the internet.

    Do you know a way to get DNS from the router (if I put 10.0.0.254 or 192.168.0.254, which are my LAN and VLAN2 addresses, as DNS, it does not work)?

    Edit:

    I removed
    iptables -I INPUT -i vlan1 -j ACCEPT

    because it opens all my LAN to the internet....
     
  46. 4Access

    4Access Network Guru Member

    1. Go to the 'Administration -> Management' page and add the option: "bind-interfaces" to the DNS Masq - Additional DNS Options text box. (Do NOT include the quotes & make sure "bind-interfaces" is on its own line.) Save.

    2. Add the following command to the end of your rc_firewall nvram variable:

    dnsmasq -z -i vlan2 -I lo -F 10.0.0.100,10.0.0.200,1440m -l /tmp/dnsmasq.wifi.leases

    - 10.0.0.100,10.0.0.200 = DHCP Scope. (Range of addresses that will be given out.) It can be customized.
    - 1440m = How long the lease is good for in minutes. 1440 = 24hrs. (The 'm' can also be replaced with 'h' for hours if you like.)
    - You could try adding the command to rc_startup instead of rc_firewall but I've had problems when running it from rc_startup

    That rule wouldn't expose your LAN to the internet... at worst it would expose the router to the internet. Which isn't really desirable either so it's probably good you got rid of it.

    The following rule on the other hand could potentially expose vlan2 to the internet:

    iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT

    You shouldn't need it at all actually, try deleting it. (The default rules already include something that will allow established internet traffic to pass through the router to vlan2)
     
  47. kerozen

    kerozen Network Guru Member

    Yeah, thanks a lot for solutions, i will try later...

    For the rule:

    iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT

    This is exactly what I need to my mind...

    I need to put a DNS, a web server and a mail server on this vlan2 (a real DMZ)

    Of course, I could configure rules to accept packets only from certain ports to vlan2, I will see to this later, but for now your solution to create a VLAN2 on the router works like a charm for me.

    I'll try later to configure rules under FWBuilder and then put them on the router.

    Thanks again....
     
  48. ghost48

    ghost48 Network Guru Member

    My working setup. I used the information in this thread to develop a working environment.
    Thanks to all users who posted their configuration.

    Hardware:
    WRT54G v3.1

    Firmware:
    dd-wrt v23-beta2 build 2005/12/12 - Standard


    Enabling Switch Port 4 as VLAN2. I put Switch Port4 on VLAN2 using the GUI and did the following using SSH:
    Code:
    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="4 5"
    
    Assigning IP to VLAN2:
    Code:
    nvram set rc_startup='ifconfig vlan2 192.168.200.10 netmask 255.255.255.0'
    Setting Firewall rules.
    This allows access from VLAN0 to VLAN2 but not from VLAN2 to VLAN0 (that is exactly what I need).
    VLAN0 and VLAN2 are both allowed to access the Internet using a PPPoE connection (VLAN1 & ppp0).
    Please note that ppp1, ppp2 is used for every dial-in, if you enable the onboard pptp for inbound VPN connections. You might need more iptables rules for that kind of configuration.
    Code:
    nvram set rc_firewall='iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
    iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I INPUT -i vlan1 -j ACCEPT'
    
    Final steps:
    Code:
    nvram commit
    reboot
    

    If you want to disable access from VLAN0 to VLAN2 as well, you could add these lines to your firewall script (untested code):
    Code:
    iptables -I FORWARD -i vlan0 -o vlan2 -j DROP
    iptables -I FORWARD -i vlan2 -o vlan0 -j DROP
    Please note:
    DHCP will work on VLAN0 but not on VLAN2.
     
  49. Geego

    Geego Network Guru Member

    When I go to the VLAN tab I am getting syntax errors.
    Is there a bug that is causing that?
    I am running the latest vpn 12/21/05 Beta 2 on the wrt54gs V2

    I get a syntax error from line 116.
    I am new to VLAN and I cannot get the help page either.

    Does anyone have any idea what is wrong?
     
  50. kerozen

    kerozen Network Guru Member

    @helloz

    Geego --> your problem did not happen for me, but i do not use the vpn firmware...

    Now, the configuration of rc_firewall is working well for me.

    But now, I need to manage the firewall rules with fwbuilder for example, so:

    Rules set by rc_firewall are not appearing in the firewall rules as they are in the nvram, is that true?

    So if I change the firewall rules with ones from fwbuilder, I will lose all my rules that are actually set by the web interface but not the ones in nvram?

    To my mind, the best way to do it is to create a new set of rules with fwbuilder, to stop using the web interface on the router and to delete the rules in nvram, but of course, I'm not sure.....

    Edit:

    Oh, one more thing:

    Do you know if it is possible to back up the actual firewall rules to insert them into a new fwbuilder template?
    This will be easier than creating my rules from the ones that already exist...
    Thanks...
     
  51. quichedood

    quichedood Network Guru Member

    how to make 2 vlan

    Hi',

    After trying to make these VLANs work I found this very interesting post.
    I read it and it seems that to obtain VLANs that work I need to use telnet and set the vars myself.

    The solution brought by ghost48 looks good for me but I didn't understand some points, here they are:

    - Why when you set vlanXports are there six numbers available?? (I got only 5 ports on my WRT54G :p), what's the 0? the 5?

    - What's et0 in "nvram set vlan2hwname=et0", is it "eth0"?

    - What does the star at the end of this line mean: "nvram set vlan0ports="1 2 3 5*" "?

    Here is what i want to do :
    Ports 1, 2, 3 and wireless on VLAN0
    Port 4 on VLAN1
    Disable all communication between VLAN0 and VLAN1
    Enable access to internet from VLAN0 and VLAN1

    Code:
    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan1hwname=et0
    nvram set vlan1ports="4 5"
    nvram set rc_startup='ifconfig vlan1 192.168.200.1 netmask 255.255.255.0'
    nvram commit
    reboot
    but i don't understand how to enable with 'iptables' how to enable acces to internet.
    Can someone help me / correct me

    Thx a lot
     
  52. dicion

    dicion Network Guru Member

    Hey, on my v4 GS, Stock off the nvram, fresh firmware v23, it's reported like this:

    vlan0ports=3 2 1 0 5*
    vlan0hwname=et0
    vlan1ports=4 5
    vlan1hwname=et0
    lan_ifnames=vlan0 eth1 eth2 eth3
    wan_ifnames=vlan1


    So does that mean that port '0'=1 '1'=2 '2'=3 '3'=4, as those 4 are the 4 'lan' ports in vlan0

    and port '4' would be the WAN port... and 5 is the router's internal port? Might be why it's not working for some peeps... I'll try it with moving port '3' to vlan2... and post my results.

    UPDATE: HAHAA.. you're gonna love this
    port '0' = port 4, as labelled on the router's case
    port '1' = port 3
    port '2' = port 2 (yay!)
    port '3' = port 1
    port '4' = WAN
    port '5' = Router

    At least that's what it's seeming like so far... rofl.. I'll keep this place updated

    Update2: Yep, confirmed.. Port '3' is port 1 on my router... rofl... haha, would explain why it's not working for some peeps. Set vlan2 to use port '3' and plug your cable into port 1 on the router.. see what pops up :) In my case, the pings started working :)
    Also explains why it's in this order in the nvram:
    vlan0ports=3 2 1 0 5*
    -----Label=1 2 3 4 Router
     
  53. quichedood

    quichedood Network Guru Member

    Help

    I tried to do exactly the same schema as ghost48
    So i tested with ping:
    From a station in vlan0 i can ping: vlan2 (the ip specified in rc_startup) and a station in vlan2 (so it's ok)

    From a station in vlan2: i can't ping other stations on vlan0 (ok) but i can't access the Internet!!

    Is there something else to configure in the router? (i put on dd-wrt 2.3-final)

    PS: i define dns manually (like ip and gateway)
    i tried different gateways... what should i put? the ip of the router, no? (the one of vlan0 or vlan2?)
     
  54. quichedood

    quichedood Network Guru Member

    Okay it works !!
    That's my fault (so stupid ... i enter rc_firewall rule on only one entire line so the router doesn't understand it :p)

    Here is what i've entered :
    (1 more vlan (vlan2) on port 4, it has only access on Internet)

    Code:
    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="4 5"
    nvram set rc_startup='ifconfig vlan2 192.168.1.1 netmask 255.255.255.0'
    nvram set rc_firewall='iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT'
    nvram commit
    reboot
    Pay attention not to assign 192.168.1.1 to a station or access point you plug into port 4; use 192.168.1.2 and above.

    Thanks a lot everyone for this thread !!!
     
  55. Wikking

    Wikking Network Guru Member

    Hey, i got a question.
    Is it possible to make port 4 only available to the wlan and not to the wan or any other lan ports, while still having the other lan ports and wan bridged? i definitely need to make the wan port inaccessible to wlan and lan port 4!
    I've tried it but without any success.

    anyone out there who could help?
    Thanks!
     
  56. 251range

    251range Guest

    Unfortunately code below is not working

    Code:
    nvram set wan2_ifname=vlan2
    nvram set wan2_hwaddr=00:0F:66:C5:2C:04
    nvram set wan2_proto=static
    nvram set wan2_ipaddr=192.168.61.1
    nvram set wan2_netmask=255.255.255.252
    nvram set wan2_mtu=1500
    nvram commit
    does anybody know how to set up the vlan2 ipaddr etc through nvram variables??
    and how to change MAC addr of vlan2??
     
  57. darkblue

    darkblue LI Guru Member

    how to separate the LAN from WLAN and then divide the LAN into 2 vlans?
    I could successfully separate the LAN into two vlans like this:

    nvram set vlan0ports="2 3 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="0 1 5"
    nvram set rc_startup="ifconfig vlan2 192.168.99.254 netmask 255.255.255.0"
    nvram commit
    reboot

    br0 ip addr:192.168.0.254/24
    vlan2 ip addr:192.168.99.254/24

    my laptop ip_addr:192.168.0.2/24
    my desktop ip_addr:192.168.99.1/24

    the laptop could ping and access the desktop, and the desktop could ping the vlan2 gateway 192.168.99.254, but, very strangely, it could not ping the laptop. What is wrong with this situation?

    I have another question: after dividing the LAN into 2 vlans, vlan2 could not be natted, but vlan0 just works normally. why? I prefer that vlan2 could only access the Internet through the WAN port, just like vlan0. how to solve this problem?
     
  58. darkblue

    darkblue LI Guru Member

    hello,
    sorry, I got the answer after reading the whole thread.
    Actually, I would like to treat vlan2 as another internal vlan, not a DMZ, so vlan2 should have the ability to access vlan0 and the reverse as well.

    hmm, after adding such iptables rules,

    nvram set rc_firewall="
    iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT
    "
    the vlan2 could access outside through vlan1, but the vlan2 still could not access vlan0, and I tried these rules:

    nvram set rc_firewall="
    iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan0 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I INPUT -i vlan0 -j ACCEPT
    "

    failed too!
    is there anybody who can help me?

    and then, I have another question:
    the wrt54's telnet service seems to hang several minutes after I add "iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT"
     
  59. BigDog_UMG

    BigDog_UMG Network Guru Member

    I have LAN and WAN separated and port 4 separated from ports 1-3 with the following changes:

    From the GUI:

    Setup -> VLAN
    Wireless = NONE

    Administration -> Services
    DNS Masq
    Local DNS = Enabled
    Additional DNS Options:
    ---------------
    listen-address=10.0.0.1
    listen-address=192.168.200.1
    dhcp-range=192.168.200.100,192.168.200.149,1440m
    dhcp-range=10.0.0.100,10.0.0.149,1440m

    Administration -> Diagnostics
    rc_startup:
    -----------------
    ifconfig eth1 10.0.0.1 netmask 255.255.255.0
    wlconf eth1 up
    -----------------
    rc_firewall:
    -----------------
    ifconfig vlan2 192.168.200.1 netmask 255.255.255.0
    iptables -I INPUT 9 -i vlan2 -p udp --dport 67:68 --sport 67:68 -j logaccept
    iptables -I INPUT 9 -i vlan2 -p udp --dport 53 -j logaccept
    iptables -I INPUT 9 -i eth1 -p udp --dport 67:68 --sport 67:68 -j logaccept
    iptables -I INPUT 9 -i eth1 -p udp --dport 53 -j logaccept
    iptables -I INPUT 2 -i vlan1 -p udp --dport 1194 -m state --state NEW -j logaccept
    iptables -I FORWARD 11 -i vlan2 -o vlan1 -m state --state NEW -j logaccept
    iptables -I FORWARD 11 -i eth1 -o vlan1 -m state --state NEW -j logaccept
    iptables -I FORWARD 5 -i vlan2 -o vlan1 -j lan2wan
    ------------------

    Router Setup From The SSH:
    --------------------------
    --for gs v 1-2
    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan2ports="4 5"
    --for gs v 3
    nvram set vlan0ports="3 2 1 5*"
    nvram set vlan2ports="0 5"
    --all
    nvram set vlan2hwname=et0
    nvram commit
     
  60. darkblue

    darkblue LI Guru Member

    sorry for the late reply, I spent the last two weeks on another project :)
    thanks for BigDog_UMG's reply.
    I have tried your configuration, and the dhcp service works fine with these three vlans, but unfortunately, vlan2 still stays outside of vlan0 (LAN) and eth1 (wireless vlan). Even worse, eth1 could not access vlan0 (LAN) and vlan1 (WAN).
    hmm, I think there must be something wrong with the iptables rules, so I telnetted onto the wrt54 and show the result here:

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    logaccept udp -- anywhere anywhere udp dpt:1194 state NEW
    DROP udp -- anywhere anywhere udp dpt:route
    ACCEPT udp -- anywhere anywhere udp dpt:route
    ACCEPT udp -- anywhere anywhere udp dpt:route
    logaccept tcp -- anywhere darkblue_wrt.chinamobile.com tcp dpt:ssh
    DROP icmp -- anywhere anywhere
    DROP igmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state NEW
    logaccept udp -- anywhere anywhere udp dpt:domain
    logaccept udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
    logaccept udp -- anywhere anywhere udp dpt:domain
    logaccept udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
    logaccept all -- anywhere anywhere state NEW
    DROP all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT gre -- 192.168.0.0/24 anywhere
    ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:1723
    ACCEPT all -- anywhere anywhere
    logdrop all -- anywhere anywhere state INVALID
    lan2wan all -- anywhere anywhere
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    lan2wan all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    TRIGGER all -- anywhere anywhere TRIGGER type:in match:0 relate:0
    trigger_out all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state NEW
    logaccept all -- anywhere anywhere state NEW
    logaccept all -- anywhere anywhere state NEW
    DROP all -- anywhere anywhere

    I am very curious about the source and destination columns.
    They should not be anywhere to anywhere.
    take this for example:
    iptables -I FORWARD 11 -i vlan2 -o vlan1 -m state --state NEW -j logaccept
    Doesn't that mean the packet coming from src:vlan2 to dst:vlan1 with new state should go to the logaccept chain (ACCEPT)?
    so in my opinion it should look like this:
    target prot opt src dst
    logaccept all -- vlan2(192.168.x.0/24) vlan1(192.168.y.0/24) state NEW

    can anybody help me?
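The listing in the post above was taken with plain `iptables -L`, which prints the address match (source/destination) but not the interface match, so a rule written with `-i vlan2 -o vlan1` shows up as `anywhere anywhere`; `iptables -L FORWARD -v -n --line-numbers` adds the `in`/`out` columns plus packet counters, and `-n` stops the reverse DNS lookups that turned an address into a hostname in the dump. The following POSIX shell script is an added example, not code from the thread or from DD-WRT: it reads such a `-v` listing (a constructed sample here, not captured from any router) and reports the verdict a new connection between two interfaces would get, so an isolation rule can be checked before it is trusted. `SAMPLE_FORWARD`, `rules_for` and `new_conn_verdict` are names of my own.

```shell
#!/bin/sh
# Added example (not from the thread): read the output of
#   iptables -L FORWARD -v -n --line-numbers
# and give the verdict a NEW connection between two interfaces would get.
# The "in"/"out" columns only exist with -v; plain `iptables -L` shows the
# source/destination address match only, so interface-only rules read
# "anywhere anywhere" there.

# Constructed sample listing (not captured from a real router).
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12  1024 ACCEPT     all  --  vlan2  vlan1   0.0.0.0/0            0.0.0.0/0
2        0     0 DROP       all  --  vlan2  br0     0.0.0.0/0            0.0.0.0/0
3      340 51200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        9   720 logaccept  all  --  br0    vlan1   0.0.0.0/0            0.0.0.0/0            state NEW
5        7   588 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rules_for IN OUT LISTING: every rule whose in/out match covers IN -> OUT,
# in chain order, printed as "num target [extra match]".
rules_for() {
    printf '%s\n' "$3" | awk -v i="$1" -v o="$2" '
        NR <= 2 { next }                          # chain header and column titles
        ($7 != i && $7 != "*") || ($8 != o && $8 != "*") { next }
        {
            extra = ""
            for (k = 11; k <= NF; k++) extra = extra " " $k
            print $1, $4 extra
        }'
}

# new_conn_verdict IN OUT LISTING: target of the first applicable rule that
# can match the first packet of a new connection. Rules limited to
# RELATED,ESTABLISHED are skipped; any other extra match (state NEW,
# protocol, ports) is treated as applying, so this is the most permissive
# reading: a DROP reported here is a definite block.
new_conn_verdict() {
    rules_for "$1" "$2" "$3" | awk '
        /RELATED,ESTABLISHED/ { next }
        { print $2; exit }'
}

# Usage: isolation check for the port-4 subnet discussed in the thread.
# Nonzero pkts/bytes counters in a live listing show which rules traffic
# actually hits, the quickest way to see whether an inserted rule landed
# above or below the final DROP.
new_conn_verdict vlan2 vlan1 "$SAMPLE_FORWARD"   # ACCEPT: vlan2 can reach the WAN side
new_conn_verdict vlan2 br0   "$SAMPLE_FORWARD"   # DROP:   vlan2 cannot open connections into the LAN
new_conn_verdict br0   vlan2 "$SAMPLE_FORWARD"   # DROP:   falls through to rule 5
```

Replies to connections that vlan2 opened still come back through the RELATED,ESTABLISHED rule (rule 3 in the sample), which is why only the new-connection verdict matters for isolation. With `--line-numbers` you can also see exactly where a rule inserted with `-I FORWARD N` landed.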
     
  61. rearden

    rearden Network Guru Member

    I have spent a few hours on this and dramatically increased my understanding of iptables and the dd-wrt implementation to "novice" status.

    For those who use DSL, instead of vlan1 try ppp0.

    When I sent things to vlan1 nothing worked, but when I used ppp0 then I could see traffic being sent to that rule.

    Now things seem to be mostly separated. I haven't tried automatic DNS and DHCP on the newly isolated side. Whenever I try to add the listen-address and dhcp strings to the "additional DNSmasq" parameters window, DNS stops working on the unseparated side of the network. From what I understand from the DNSmasq man page I assume these commands go into a .conf file and the general syntax seems correct, but it breaks things for me.

    Does QoS work or do I need to setup additional stuff?

    rearden
     
  62. MMZ_TimeLord

    MMZ_TimeLord Networkin' Nut Member

    I'd like to thank all the folks that provided the various ways you can configure these devices.

    That said, I was looking for EXACTLY what the OP was looking for. Here is how I was able to achieve exactly that.

    Hardware Info:
    Code:
    System 
    Router Name       DD-WRT
    Router Model      Linksys WRT54G/GL/GS
    Firmware Version  DD-WRT v24-sp2 (01/29/09) std - build 11514
    CPU Model         Broadcom BCM5352 chip rev 0 
    CPU Clock         200 MHz 
    Setup desired:

    VLAN1 = 10.0.0.0 - Ports 1,2,3 and WiFi - DHCP enabled + access to WAN only
    VLAN2 = 10.10.10.0 - Port 4 - DHCP enabled + access to WAN only

    Steps used to achieve desired setup:

    1. Basic working setup with PPPoE for WAN, Wireless with security in place and DHCP running for 10.0.0.0 initially.
    2. Altered Setup>VLAN page so that VLAN0 has ports 1, 2 and 3 checked. VLAN2 has port 4 checked. VLAN1 has WAN checked.
    3. Telnet to device on 10.0.0.1. Enter User Name: root and password. Enter the following commands at the console. (These are the only ones you should have to enter in the console.)

    nvram set vlan0ports="3 2 1 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="0 5"

    Don't forget the following two commands to make the nvram changes permanent.

    nvram commit
    reboot

    NOTE: The port numbers I use are not the same as the physical ports.
    ==========================================================
    vlan.ports numbers reference

    0 = Physical port 4
    1 = Physical port 3
    2 = Physical port 2
    3 = Physical port 1
    4 = WAN
    5 = CPU internal
    5* = CPU internal default

    port.vlans reference

    port5vlan = CPU
    port4vlan = Physical port 4
    port3vlan = Physical port 3
    port2vlan = Physical port 2
    port1vlan = Physical port 1
    port0vlan = WAN port
    ==========================================================

    4. Added the following on the Administration>Commands page.

    Startup (enter the line in the command window and click "Save Startup")

    ifconfig vlan2 10.10.10.1 netmask 255.255.255.0 broadcast 10.10.10.255

    Firewall (enter the lines in the command window and click "Save Firewall")

    iptables -t nat -I PREROUTING -i vlan2 -d 10.0.0.0/24 -j DROP
    iptables -t nat -I PREROUTING -i br0 -d 10.10.10.0/24 -j DROP
    iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT

    5. In the Setup>Networking page, in the Ports section, select "Unbridged" for VLAN2 and supply the following settings: IP Address - 10.10.10.1, Subnet Mask - 255.255.255.0.

    6. In the Setup>Networking page, in the DHCPD section, under Multiple DHCP Server, click Add and select "VLAN2" as the interface. (Once the page refreshes, it should also show the IP address of the interface, i.e. "Interface vlan2: IP 10.10.10.1/255.255.255.0".)

    What this achieves:

    VLAN1 gets its default DHCP assignments and can reach the internet with the firewall in place.
    VLAN2 gets its default DHCP assignments and can reach the internet with the firewall in place.

    VLAN1 and VLAN2 cannot communicate directly, thus isolating the two VLANs from each other while still allowing each to access the WAN.

    Thanks again to all who contributed!
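As an added example, not code from the thread or from DD-WRT, here is a POSIX shell script that turns the `vlanXports` numbering discussed in posts #51, #52, #59 and #62 into physical port labels and checks a layout for the mistakes that cost people in this thread their WAN, their new VLAN or their isolation. The table is the v3/v4 one from posts #52 and #62; GS v1-2 units number the switch ports differently (post #59), so on those read the stock `vlan0ports`/`vlan1ports` values first and adjust the table. `5*` is the CPU-port entry that carries the default (untagged) VLAN, and `et0` in `vlanXhwname` names the Broadcom Ethernet core the switch sits behind, not the Linux interface `eth0`. `PORTMAP`, `label`, `translate` and `check_vlans` are names of my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: translate
# vlanXports entries into physical labels and sanity-check a VLAN layout.
set -f   # "5*" must stay literal, never a filename glob

# Switch-port numbering for WRT54G/GL/GS v3+ and GS v4 as reported in
# posts #52 and #62. GS v1-2 units count the other way (post #59): for
# those, read `nvram get vlan0ports` / `nvram get vlan1ports` from the
# stock config and rewrite this table before trusting any check.
PORTMAP="0=port4 1=port3 2=port2 3=port1 4=WAN 5=CPU"

# label ENTRY: physical label for one vlanXports entry.
# "5*" is the CPU port carrying the default (untagged) VLAN.
label() {
    n=${1%\*}
    for pair in $PORTMAP; do
        if [ "${pair%%=*}" = "$n" ]; then
            printf '%s' "${pair#*=}"
            [ "$1" = "$n" ] || printf '(default)'
            return 0
        fi
    done
    printf 'unknown(%s)' "$1"
    return 1
}

# translate "3 2 1 5*"  ->  "port1 port2 port3 CPU(default)"
translate() {
    out=""
    for e in $1; do
        out="$out $(label "$e" || true)"
    done
    printf '%s\n' "${out# }"
}

# check_vlans WAN_VLAN name=ports [name=ports ...]
# Prints one ERROR line per problem and returns the number found:
#  - the WAN port number inside a LAN VLAN (bridges the WAN into that LAN)
#  - a LAN port inside the WAN VLAN (stock vlan1 is the WAN VLAN, post #52)
#  - a VLAN without port 5, which the router's own CPU cannot reach
#  - a port listed in two VLANs, or not exactly one VLAN carrying 5*
check_vlans() {
    wan_vlan=$1; shift
    problems=0; seen=""; defaults=0
    for spec in "$@"; do
        name=${spec%%=*}; ports=${spec#*=}
        has_cpu=0
        for p in $ports; do
            case $p in
                5\*) has_cpu=1; defaults=$((defaults + 1)); continue ;;
                5)   has_cpu=1; continue ;;
            esac
            lbl=$(label "$p" || true)
            if [ "$name" = "$wan_vlan" ] && [ "$lbl" != WAN ]; then
                echo "ERROR: $name is the WAN VLAN but carries LAN $lbl"
                problems=$((problems + 1))
            elif [ "$name" != "$wan_vlan" ] && [ "$lbl" = WAN ]; then
                echo "ERROR: $name is a LAN VLAN but carries the WAN port"
                problems=$((problems + 1))
            fi
            case " $seen " in
                *" $p "*)
                    echo "ERROR: port $p ($lbl) is listed in two VLANs"
                    problems=$((problems + 1)) ;;
            esac
            seen="$seen $p"
        done
        if [ "$has_cpu" -eq 0 ]; then
            echo "ERROR: $name has no CPU port (5); the router cannot reach it"
            problems=$((problems + 1))
        fi
    done
    if [ "$defaults" -ne 1 ]; then
        echo "ERROR: exactly one VLAN must carry 5*, found $defaults"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: post #62's layout, with vlan1 as the WAN VLAN, passes cleanly.
translate "3 2 1 5*"
check_vlans vlan1 "vlan0=3 2 1 5*" "vlan1=4 5" "vlan2=0 5" && echo "layout OK"
```

Running `check_vlans vlan1 "vlan0=3 2 1 5*" "vlan1=4 5" "vlan2=4 5"` shows the two errors a vlan2 that lists port number 4 produces on this table: that number is the WAN port, so it would be bridged into port 4's subnet, and it is already claimed by vlan1. Run the check against the values you are about to `nvram set`, because a VLAN that loses its `5` entry is exactly the kind of change that is only noticed after `nvram commit` and `reboot`.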
     
  63. mstombs

    mstombs Network Guru Member

    Doesn't that version of dd-wrt have a web gui for creating the vlans, without have to do it manually via console?
     
  64. MMZ_TimeLord

    MMZ_TimeLord Networkin' Nut Member

    Not one that works completely. The nvram set commands still have to be entered via the console, unless I am mistaken.
     