How can I subdivide the network? With subnets?

Discussion in 'Tomato Firmware' started by beezageeza, Jan 16, 2008.

  1. beezageeza

    beezageeza LI Guru Member

    Hi all, hope someone can point me in the right direction. I have a wrt54gs v1.1 with Tomato 1.13 on it.

    I have a mix of machines at home:
    1. family PCs which I really want DHCPed
    2. a number of work machines, that I currently have static addresses on

    I don't want the family machines to be able to see/access the work machines. Don't mind the other way around.

    I have tried to separate the two using subnets as follows:
    Router: subnet
    DHCP for family machines: subnet
    Work machines all on 10.1.0.X subnet

    It nearly works - the family machines only see the router.
    But the router can't see the work machines so they don't have internet access.

    As it stands, to make this work, I think I need the router subnet to be so it can see everything. When I do this though the DHCPed machines get the same subnet so they can see everything too.

    I think I need to be able to set the subnet for the router as and subnet for DHCP to, but Tomato doesn't seem to support this, at least not through the GUI.

    Anybody know if this can be done? Or more likely, if there is a different and probably better way of separating the machines?

    In case you hadn't guessed, this is not really my area. I'm OK with configuring parameters through the SSH terminal, but I'm not into compiling kernels etc. and I don't really want to go back to DD-WRT.

    Thanks in advance.

  2. FRiC

    FRiC LI Guru Member

    Do a search for VLAN.
  3. ifican

    ifican Network Guru Member

    2 easy ways to do this: 1) get a more capable router or 2) get another router. I think 2 will be easy for you. Connect router 1 to your internet provider and connect all of the family machines to router 1, connect the WAN port of router 2 to the LAN of router one, keep router 2 in gateway mode and put all of your work machines on router 2. This will keep the family machines out of work but will let work access family and the internet. That I think will be the easiest way for you. Another more complicated option would be to install dd-wrt, which will let you software partition each port to separate VLANs. I don't know how well it works but that is an option. Good luck.
  4. beezageeza

    beezageeza LI Guru Member

    FRiC, VLAN doesn't seem to be an option for me if I want to stick with Tomato (which I very much do). It did however get me to another thread which pointed me in the direction of a second router, also suggested by ifican.

    Thanks therefore to you both as it is now working very well :) (I had my recently replaced BEFSR41 to hand).

    One problem remains at the moment ... PPTP through to my work lan - the second lan in the chain.

    Router 1 now forwards port 1723 to Router 2 which in turn forwards port 1723 to the VPN server.

    Should this work? (it's not at the moment :confused:).

    Thanks to both again for excellent and rapid replies.
  5. humba

    humba Network Guru Member

    Why should he get another router? Even if you have a router that has the "router on a stick" functionality exposed in the GUI - you still have to either use VLANs to put different machines in different subnets, or you physically separate the different subnets (e.g. port 1 on the router is for your net (mask and port 2 is for your subnet (mask

    And thus, you can do it just fine with Tomato. For instance, I have created two subnets behind my router.. machines plugged to port 1 on my router are in one subnet, machines plugged into ports 2-4 are in another.. each has its own DHCP, both have Internet, but machines cannot talk to each other across subnets (if you want that as well, it's just one iptable rule away). For more info, refer to this thread

    As I'm writing this I've just moved another port to the other subnet and I even have vpn access into both separate subnets.. granted the lack of a GUI (I'd really like to see that in the future as it's not bloat.. all the tools needed are already on board.. it's just wrapping the scripting into a GUI) makes this less than obvious and it took me long enough to get it done, but now that the documentation is around, I don't see the point for another router if you're happy with Tomato.
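Added example (not humba's script and not part of the original thread): the one-way access the original poster asked for, where work machines can reach family machines but not the reverse, written as iptables FORWARD rules for the two-subnet layout described above. The interface names `br0` (family) and `br1` (work) are assumptions; the function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Prints (does not apply) iptables rules for one-way isolation between
# two LAN segments. Interface names are assumptions for illustration;
# check the real ones on the router with `ifconfig` or `brctl show`.

# one_way_rules TRUSTED_IF RESTRICTED_IF
# Hosts behind TRUSTED_IF may open connections to RESTRICTED_IF hosts.
# Hosts behind RESTRICTED_IF may only answer connections that already exist.
one_way_rules() {
    trusted="$1"; restricted="$2"
    # Refuse empty, identical or oddly named interfaces, so the printed
    # lines are always safe to hand to a shell.
    case "$trusted" in ""|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1;; esac
    case "$restricted" in ""|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1;; esac
    if [ "$trusted" = "$restricted" ]; then
        echo "interfaces must differ" >&2
        return 1
    fi
    # 1: replies to connections that were started from the trusted side.
    echo "iptables -I FORWARD 1 -i $restricted -o $trusted -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2: every other packet from the restricted side to the trusted side.
    echo "iptables -I FORWARD 2 -i $restricted -o $trusted -j DROP"
    # 3: the trusted side may initiate towards the restricted side.
    echo "iptables -I FORWARD 3 -i $trusted -o $restricted -j ACCEPT"
}

# Work machines on br1 (assumed), family machines on br0 (assumed).
one_way_rules br1 br0
```

Rule order matters: the ESTABLISHED,RELATED accept has to sit above the drop, otherwise replies from family machines to work machines are discarded and the work side cannot actually use anything on the family subnet.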
  6. ifican

    ifican Network Guru Member

    CLI modification is an option indeed but personally not one that I thought beezageeza would be comfortable with. The second router option is an easy one especially for troubleshooting in this case.

    Are you trying to pptp to your "work machines" from outside your network or are you trying to do this the other way around?
  7. beezageeza

    beezageeza LI Guru Member

    I have work colleagues who need to be able to access the work network from across the internet.
  8. humba

    humba Network Guru Member

    You really are trying to do pretty much the same thing as I... I do have roadkill's vpn mod running on four boxes. I have two instances of openvpn running, one bridged to vlan0 (equivalent to your personal network) and one bridged to vlan2 (equivalent to your professional network). I even have two routers connected statically to these VPNs so depending on which port on the client router I plug myself into, I'm connected to either of the nets - and PCs that cannot physically reach a port of one of the client PCs use the openvpn client to connect to one of the two networks.

    I can't say it was easy to get it working but once you understand how things work behind the scenes.