
VLAN Separation

Discussion in 'DD-WRT Firmware' started by CompGuy49, Apr 13, 2006.

  1. CompGuy49

    CompGuy49 LI Guru Member

    I have a motorola WR850GP router.

    I have a vlan0 that has port 3 in it only. I have vlan2 bridged to eth1 (wireless). vlan2 can't access the internet, which is what I want, but it can still access vlan0, which I don't want.

    vlan0 has an ip of 192.168.1.1, subnet mask 255.255.255.0

    br1 (containing vlan2 and eth1) has an ip of 10.0.0.1, subnet mask 255.0.0.0

    I don't want any access (ping, etc.) between vlan0 and br1, but as it stands I can still ping things on different vlans. Can anyone help me with this? I'm sort of new to this stuff, so as much walkthrough as you can provide would be great. Thank you.
     
  2. BigDog_UMG

    BigDog_UMG Network Guru Member

    The following iptables commands should block all traffic between vlan0 and br1.

    # Drop packets arriving on vlan0 that are addressed to the br1 network, and vice versa.
    # br1 is 10.0.0.1 with mask 255.0.0.0, so its network is 10.0.0.0/8 (a /24 would only
    # cover 10.0.0.0-10.0.0.255 and leave the rest of that network unfiltered).
    iptables -t nat -I PREROUTING -i vlan0 -d 10.0.0.0/8 -j DROP
    # vlan0 is 192.168.1.1 with mask 255.255.255.0, i.e. 192.168.1.0/24.
    iptables -t nat -I PREROUTING -i br1 -d 192.168.1.0/24 -j DROP

    The commands can be entered from putty or from the web interface (Administration->Diagnostics). If you want them to survive a reboot, put them in rc_firewall.

    Good luck
     
  3. foq99

    foq99 Network Guru Member

    By the way, you should be able to put those commands in the 'Administration' --> 'Diagnostics' page, then click "Save Firewall" to set this and allow it to survive reboot. Please correct me if I'm wrong.

    On a slightly different topic, shouldn't different VLANs be automatically segregated from each other? For example, if I've got port2 on VLAN2, unless that VLAN is bridged to the LAN, the two should be invisible (unroutable?) to each other, correct?

    Additionally, I think this is how the 'Wireless' setting works below the VLAN setup: It is on a separate VLAN, but the drop menu determines whether it is bridged to the LAN or not.

    Please forgive my ignorance. I'd ask my Network Architect at work, but he knows WAY too much about this stuff and is WAY too busy to dumb it down enough for me to get it.
     
  4. BigDog_UMG

    BigDog_UMG Network Guru Member

    I'm not sure why, but ping traffic gets through even if specifically filtered in the iptables FORWARD chain. I even tried the INPUT chain since both vlans are on the same hardware interface - eth0. The nat PREROUTING chain, which is not normally used for filtering, stops the ping traffic.

    Maybe it has to do with the fact that the same physical router is responding to both addresses (10.0.0.1 and 192.168.1.1).
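    As an added example, not part of this thread: a POSIX sh snippet that derives each network's CIDR from the ip/mask pairs in the question (so br1 comes out as 10.0.0.0/8) and prints isolation rules either as FORWARD drops with a LOG rule in front, or in the nat PREROUTING form used above. Interface names and addresses are those from the question; the 'vlan-xtalk' log prefix is an assumed value.

```sh
#!/bin/sh
# Added example, not from the thread: generate DD-WRT rc_firewall rules that
# isolate two segments, deriving each CIDR from the ip/mask pairs in the question.

# Dotted netmask -> prefix length, e.g. 255.0.0.0 -> 8 (popcount of the mask bits).
mask_to_prefix() {
    bits=0
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$1" "$2" "$3" "$4"; do
        while [ "$octet" -gt 0 ]; do
            bits=$(( $bits + ($octet & 1) ))
            octet=$(( $octet >> 1 ))
        done
    done
    echo "$bits"
}

# ip + netmask -> network/prefix, e.g. 10.0.0.1 255.0.0.0 -> 10.0.0.0/8.
to_cidr() {
    ip=$1; mask=$2
    oldifs=$IFS; IFS=.
    set -- $ip;   a=$1; b=$2; c=$3; d=$4
    set -- $mask; ma=$1; mb=$2; mc=$3; md=$4
    IFS=$oldifs
    echo "$(( $a & $ma )).$(( $b & $mb )).$(( $c & $mc )).$(( $d & $md ))/$(mask_to_prefix "$mask")"
}

# Print rules blocking traffic between if1/net1 and if2/net2 in both directions.
# table=filter uses FORWARD with a LOG rule so cross-segment attempts reach syslog;
# table=nat emits the PREROUTING form used in this thread.
isolation_rules() {
    table=$1; if1=$2; net1=$3; if2=$4; net2=$5
    for pair in "$if1 $net2" "$if2 $net1"; do
        set -- $pair
        case $table in
            nat)    echo "iptables -t nat -I PREROUTING -i $1 -d $2 -j DROP" ;;
            filter) # -I prepends, so emit DROP before LOG to leave LOG above DROP
                    echo "iptables -I FORWARD -i $1 -d $2 -j DROP"
                    echo "iptables -I FORWARD -i $1 -d $2 -j LOG --log-prefix 'vlan-xtalk: '" ;;
        esac
    done
}

# Values from the question: vlan0 = 192.168.1.1/255.255.255.0, br1 = 10.0.0.1/255.0.0.0.
LAN_NET=$(to_cidr 192.168.1.1 255.255.255.0)
GUEST_NET=$(to_cidr 10.0.0.1 255.0.0.0)
isolation_rules filter vlan0 "$LAN_NET" br1 "$GUEST_NET"   # paste the output into rc_firewall
```

    Run it with `nat` instead of `filter` on the last line to get the PREROUTING variant that worked in this thread; the LOG lines in filter mode are what lets you see in syslog whether anything is still crossing between the segments.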
     
  5. BigDog_UMG

    BigDog_UMG Network Guru Member

    As far as 'automatically segregated' VLANs from the WEB GUI, I haven't had much luck. I saw traffic from VLAN0 getting through to VLAN2, but none from VLAN2 to VLAN0. As a result, I use iptables commands to filter the traffic.

    The easiest way to do some quick checking is to use pings. A port scanner will do a more thorough job. There are free scanners on the Internet. Just do a Google search.
     
