Options to Isolate Device (AT&T 3G Microcell) from Network

Discussion in 'Tomato Firmware' started by chowyungfatso, Apr 10, 2014.

  1. chowyungfatso

    chowyungfatso Networkin' Nut Member

    I would like to put the ATT 3G Microcell in an isolated network from a network that has the rest of my devices, by which I mean I want the ATT 3G Microcell to only be able to access the Internet, but not "see" or access my internal network. I understand a popular option for configuring this on my Asus RT-AC66U running Tomato (Shibby Version: 1.28.0000 MIPSR2-1.23.16 K26AC USB AIO-64K) is using VLAN.

    My understanding is that to use VLAN, I have to "create" a different physical segment, which means I have to give up one of the LAN ports on my router to assign to the VLAN. Undesirable because of the way I have my network set up, which is that the Microcell is connected to a switch to which other devices that do need to be on the internal network are connected, and that switch is connected to my router (LAN port 1), which sits in a completely different part of the house, where LAN ports 2-4 are used to connect a server with multiple Ethernet adapters.

    Am I misunderstanding how VLAN works?

    If not, is there a way to do this by using routing tables? Firewall rules?

    FWIW, these are the only ports that ATT Microcell uses:

    TCP/UDP Ports [NOTE: All ports listed need to be configured for inbound and outbound connections.]

    • 123/UDP: NTP timing (NTP traffic)
    • 443/TCP: Https over TLS/SSL for provisioning and management traffic
    • 4500/UDP: IPSec NAT Traversal (for all signaling, data, voice traffic)
    • 500/UDP: IPSec Phase 1 prior to NAT detection (after NAT detection, 4500/UDP is used)
    • 4500/UDP: After NAT detection, 4500/UDP is used
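    The "firewall rules" route asked about above, as an added example that is not from the thread or from Tomato itself. It is a Tomato Administration -> Scripts -> Firewall script that lets one LAN host, the Microcell, reach the Internet only on the ports listed and keeps it off the router's own services apart from DHCP and (assumed) DNS from dnsmasq. It assumes the Microcell holds the static DHCP lease 192.168.1.50, that the LAN bridge is br0, and that the WAN interface is vlan2 (check `nvram get wan_ifname`); all three are assumptions, not facts from the post. Return traffic for the listed ports is accepted by Tomato's own ESTABLISHED,RELATED rule, which is what the "inbound" note amounts to for a device behind NAT, so no port forwards are needed. The caveat that matters for the question: iptables only sees traffic the router routes, so these rules cannot stop the Microcell from talking to the other devices on the same switch, or to hosts on the router's other LAN ports, because that traffic is switched at layer 2 and never reaches the router's firewall. Only a separate VLAN (or a dedicated port) gives that isolation.

```shell
#!/bin/sh
# Added example for the Tomato "Firewall" script slot; not code from the thread.
# Restricts one LAN host (the AT&T 3G Microcell) to the WAN ports it documents
# and to DHCP/DNS on the router. Everything else it sends through the router is
# logged (rate-limited) and dropped. L2 traffic on the same switch is NOT covered.

IPT="${IPT:-iptables}"                        # set IPT=echo to dry-run the rules
MICROCELL_IP="${MICROCELL_IP:-192.168.1.50}"   # assumed static DHCP lease (not from the post)
LAN_IF="${LAN_IF:-br0}"                        # Tomato LAN bridge
WAN_IF="${WAN_IF:-vlan2}"                      # assumed; verify with: nvram get wan_ifname

# Emit the rule set, one iptables argument list per line. The two -I lines go
# to position 1 so they run before Tomato's default LAN->WAN and LAN->router
# ACCEPT rules; the dedicated chains keep the policy readable in `iptables -L`.
microcell_rule_list() {
    cat <<EOF
-F MICROCELL
-A MICROCELL -o $WAN_IF -p udp --dport 123 -j ACCEPT
-A MICROCELL -o $WAN_IF -p tcp --dport 443 -j ACCEPT
-A MICROCELL -o $WAN_IF -p udp --dport 500 -j ACCEPT
-A MICROCELL -o $WAN_IF -p udp --dport 4500 -j ACCEPT
-A MICROCELL -m limit --limit 3/min -j LOG --log-prefix MICROCELL-DROP:
-A MICROCELL -j DROP
-F MICROCELL_IN
-A MICROCELL_IN -p udp --dport 67 -j ACCEPT
-A MICROCELL_IN -p udp --dport 53 -j ACCEPT
-A MICROCELL_IN -j DROP
-I FORWARD 1 -i $LAN_IF -s $MICROCELL_IP -j MICROCELL
-I INPUT 1 -i $LAN_IF -s $MICROCELL_IP -j MICROCELL_IN
EOF
}

# Create the chains if missing, remove any earlier jump so a re-run (Tomato
# re-executes this script on every WAN up) does not stack duplicates, then
# feed every line of the rule set to $IPT. Word-splitting $rule is intended.
apply_microcell_rules() {
    for chain in MICROCELL MICROCELL_IN; do
        $IPT -N "$chain" 2>/dev/null || true
    done
    $IPT -D FORWARD -i "$LAN_IF" -s "$MICROCELL_IP" -j MICROCELL 2>/dev/null || true
    $IPT -D INPUT -i "$LAN_IF" -s "$MICROCELL_IP" -j MICROCELL_IN 2>/dev/null || true
    microcell_rule_list | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule || exit 1
    done
}

# "apply" installs the rules on the router; with no argument, print what
# would be run so the rule set can be reviewed first.
if [ "${1:-}" = apply ]; then
    apply_microcell_rules
else
    (IPT=echo; apply_microcell_rules)
fi
```

Verify the policy after applying with `iptables -L MICROCELL -v -n` and watch `logread -f` for MICROCELL-DROP lines while the Microcell boots: a few DNS or unlisted-port attempts there tell you which assumption (DNS via the router, or an extra port) needs adjusting. The DNS rule is an addition to the posted port list; drop it if the Microcell is handed an external resolver.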
  2. rs232

    rs232 Network Guru Member

    Technically speaking, if the switch understands VLAN you could set up trunking on port 1 of Tomato and the uplink on the external switch.
    Realistically speaking I would keep it simple! Assign a dedicated port to the 3G Microcell.

  3. chowyungfatso

    chowyungfatso Networkin' Nut Member

    I'm beginning to think that VLAN would be "easier", although because the Microcell needs to be next to a window to get GPS signals, I would need to take the Microcell off the switch in the other part of the house and plug it into the router with a dedicated cable.

    If it can be done with iptables, I would like to try it eventually, so let me know so I'm not spinning my wheels.
  4. rs232

    rs232 Network Guru Member

    I'd say if you can plug a longish cable from wherever the microcell is to tomato and assign that physical port to a dedicated VLAN you would solve nicely. If a long cable is not an option have you ever considered using a second tomato router? You could set this up as wireless client of the main tomato. On the main tomato you would only need a GWLAN running on a separate VLAN, a piece of cake...