Options to Isolate Device (AT&T 3G Microcell) from Network

Discussion in 'Tomato Firmware' started by chowyungfatso, Apr 10, 2014.

  chowyungfatso

    I would like to put the ATT 3G Microcell in an isolated network from a network that has the rest of my devices, by which I mean I want the ATT 3G Microcell to only be able to access the Internet, but not "see" or access my internal network. I understand a popular option for configuring this on my Asus RT-AC66U running Tomato (Shibby Version: 1.28.0000 MIPSR2-1.23.16 K26AC USB AIO-64K) is using VLAN.

    My understanding is that to use VLAN, I have to "create" a different physical segment, which means I have to give up one of the LAN ports on my router to assign to the VLAN. Undesirable because of the way I have my network set up, which is that the Microcell is connected to a switch to which other devices that do need to be on the internal network are connected, and that switch is connected to my router (LAN port 1), which sits in a completely different part of the house, where LAN ports 2-4 are used to connect a server with multiple Ethernet adapters.

    Am I misunderstanding how VLAN works?

    If not, is there a way to do this by using routing tables? Firewall rules?

    FWIW, these are the only ports that ATT Microcell uses:

    TCP/UDP Ports [NOTE: All ports listed need to be configured for inbound and outbound connections.]

    • 123/UDP: NTP timing (NTP traffic)
    • 443/TCP: Https over TLS/SSL for provisioning and management traffic
    • 4500/UDP: IPSec NAT Traversal (for all signaling, data, voice traffic)
    • 500/UDP: IPSec Phase 1 prior to NAT detection (after NAT detection, 4500/UDP is used)
    • 4500/UDP: After NAT detection, 4500/UDP is used
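As an added example (not code from the thread or from Tomato), the question about firewall rules can be answered this far: a Tomato "Firewall" script (Administration > Scripts > Firewall) can confine one LAN host so that it only reaches the Internet on the ports listed above and cannot talk to other internal hosts through the router. The address, subnet and bridge name below are assumptions. The caveat that matters for this setup is that iptables on the router only sees traffic that crosses the router: the MicroCell and the other devices on the same switch exchange frames directly at layer 2, so these rules cannot stop it from reaching hosts on its own segment. Separating the segment (a dedicated port or VLAN) is what does that.

```shell
#!/bin/sh
# Added example, not from the thread: Tomato firewall script that confines one
# LAN host to the MicroCell's port list. Values below are assumptions.
MC_IP="192.168.1.50"       # assumed: static DHCP lease given to the MicroCell
LAN_NET="192.168.1.0/24"   # assumed: the internal LAN subnet
LAN_IF="br0"               # Tomato's default LAN bridge
IPT="iptables"
# Outbound services the MicroCell needs, as listed in the thread (proto:port).
ALLOW="udp:123 tcp:443 udp:500 udp:4500"

# Emit the rule set as text so it can be reviewed before it touches the router.
gen_rules() {
    # Dedicated chain for everything the MicroCell sends through the router.
    echo "$IPT -N MC_FWD 2>/dev/null || $IPT -F MC_FWD"
    # Never let it reach another internal host via the router.
    echo "$IPT -A MC_FWD -d $LAN_NET -j DROP"
    for spec in $ALLOW; do
        proto=${spec%%:*}
        port=${spec##*:}
        echo "$IPT -A MC_FWD -p $proto --dport $port -j ACCEPT"
    done
    # Anything else it tries to start is logged (rate limited) and dropped.
    echo "$IPT -A MC_FWD -m limit --limit 6/min -j LOG --log-prefix \"MC_DROP \""
    echo "$IPT -A MC_FWD -j DROP"
    # Hook the chain in at the top of FORWARD; delete first so re-runs do not stack jumps.
    echo "$IPT -D FORWARD -s $MC_IP -j MC_FWD 2>/dev/null"
    echo "$IPT -I FORWARD -s $MC_IP -j MC_FWD"
    # Traffic aimed at the router itself: keep DHCP renewals and DNS, drop the rest
    # (admin UI, SSH, ...). Rules are inserted, so the DROP goes in first and ends
    # up below the two ACCEPTs. The initial DHCP DISCOVER comes from 0.0.0.0 and
    # is untouched by these rules.
    echo "$IPT -I INPUT -i $LAN_IF -s $MC_IP -j DROP"
    echo "$IPT -I INPUT -i $LAN_IF -s $MC_IP -p udp --dport 67 -j ACCEPT"
    echo "$IPT -I INPUT -i $LAN_IF -s $MC_IP -p udp --dport 53 -j ACCEPT"
}

# Number of ACCEPT rules produced; a quick sanity check that the allow list
# was expanded (4 forward rules plus DHCP and DNS on INPUT).
accept_count() {
    gen_rules | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    apply) gen_rules | sh -e ;;  # on the router, from the firewall script hook
    *)     gen_rules ;;          # default: just print the rules for review
esac
```

Run it without arguments to print the rules, and with `apply` on the router to load them. The logged `MC_DROP` lines in the router's syslog show anything the MicroCell attempts outside the listed ports, which is a useful check that the port list is complete before tightening further.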
  rs232

    Technically speaking, if the switch understands VLAN you could set up trunking on port 1 of Tomato and the uplink on the external switch.
    Realistically speaking I would keep it simple! Assign a dedicated port to the 3G Microcell.

  chowyungfatso

    I'm beginning to think that VLAN would be "easier", although because the Microcell needs to be next to a window to get GPS signals, I would need to take the Microcell off the switch in the other part of the house and plug it into the router with a dedicated cable.

    If it can be done with iptables, I would like to try it eventually, so let me know so I'm not spinning my wheels.
  rs232

    I'd say if you can plug a longish cable from wherever the microcell is to Tomato and assign that physical port to a dedicated VLAN, that would solve it nicely. If a long cable is not an option, have you ever considered using a second Tomato router? You could set this up as a wireless client of the main Tomato. On the main Tomato you would only need a GWLAN running on a separate VLAN, a piece of cake...
