TechNazgul

Sunday, January 22, 2012

DD-WRT: Creating a Network with Separate VLANs and WLANs

After a successful 2-day quest to wrap my mind around the complexities of this DD-WRT configuration, I wanted to document my experience to hopefully save someone time in a similar situation in the future.

Background and Goal:

I'm about to move into a small office where two companies will be sharing a network environment.  Our goal was to set up one router that controlled internet in/out of the office and also create two distinct, firewalled LANs, one for each company's employees.  We also wanted each of the LANs to have a corresponding secured wireless network (WLAN) plus a guest network that was completely isolated from the other two.

The hardware:

I happened to have an unused Linksys (Cisco) WRT310N v1 router in my house and decided to put it to use for this job.  I've installed DD-WRT on several different routers in the past, but hadn't had the occasion to configure VLANs, so this was new (and quite difficult at first) to understand.

Software:

Not surprisingly, DD-WRT; more specifically, SVN revision 15508M NEWD-2 K2.6 Eko mini version.

Background reading (seriously, read these, several times):


DD-WRT Router Architecture - This article is key in understanding which ports are which on your router, which you'll have to know before you begin configuration.

Note that if you have a Gigabit router, focus on the port/vlan names in bold throughout this article.  On my WRT310N, the key names/devices to know were:

  • Port 0: Physical WAN port
  • Ports 1-4:  These map directly to the physical port numbers on the WRT310N.  In other cases, Port 1 internally might map to the physical Port 4 on the router.  You'll need to do a bit of experimenting to determine which is the case with your router.  A good way to determine this is to follow the steps in "Disable LAN ports" on the Switched Ports tutorial. Disable port 1 or port 4 as explained there and take note of whether it maps to the corresponding physical port # or if it is reversed.
  • vlan1: vlan associated with the physical network ports 1-4
  • vlan2: vlan associated with the WAN socket
  • Port 8: Internal port connecting to the internal router (this can be confusing).  What is important to know is that this port must be included in any VLAN whose traffic you want routed outside that VLAN (in almost every scenario you'll be including Port 8 so that the VLAN can be routed).
  • Subnets used in the examples below:
    • My main subnet (vlan2) is 192.168.20.1
    • My secondary subnet (vlan11) is 192.168.21.1

DD-WRT Switched Ports - This shows you how to find the initial VLAN configuration of your router.

Below is the output from my router using the commands explained on this page:

root@DD-WRT:~# nvram show|grep vlan.*ports
vlan2ports=0 8
size: 20295 bytes (12473 left)
vlan1ports=1 2 3 4 8*

root@DD-WRT:~# nvram show|grep port.*vlans
port5vlans=1 2 16
port3vlans=1
port1vlans=1
port4vlans=1
port2vlans=1
size: 20295 bytes (12473 left)
port0vlans=2

root@DD-WRT:~# nvram show|grep vlan.*hwname
vlan2hwname=et0
vlan1hwname=et0

Next, the actual commands required to isolate ports 1 & 2 in one VLAN (vlan1) and ports 3 & 4 in another (vlan11).

#PUTS PORTS 1 & 2 INTO VLAN1 (8* IS THE CPU PORT)
root@DD-WRT:~# nvram set vlan1ports="1 2 8*"

#ASSIGNS NEW VLAN11 WITH PORTS 3 & 4 FROM THE ROUTER (AGAIN INCLUDING CPU PORT 8)
root@DD-WRT:~# nvram set vlan11ports="3 4 8"

#SETS HWNAME OF VLAN11
root@DD-WRT:~# nvram set vlan11hwname=et0

#DEFINES CHECK BOXES FOR GUI FOR PORT 4
root@DD-WRT:~# nvram set port4vlans="11 18 19"
#DEFINES CHECK BOXES FOR GUI FOR PORT 3
root@DD-WRT:~# nvram set port3vlans="11 18 19"

#ASSIGNS VLAN 11 TO THE CPU PORT OF THE ROUTER (NORMALLY 8 IN A GB ROUTER, EXCEPT IN THIS AREA OF THE CONFIG, WHERE IT IS PORT 5)
root@DD-WRT:~# nvram set port5vlans="1 2 11 16"
root@DD-WRT:~# nvram commit

It's worth rebooting at this step as well before continuing.
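Two mistakes are easy to make while typing the nvram assignments above: leaving a physical port in two vlanNports entries (the port is then a member of both VLANs, which quietly undoes the separation the firewall rules later assume) and omitting the CPU port 8 from a VLAN (which then cannot be routed at all). The script below is an added example, not part of the original post; it checks a block of text in the shape that "nvram show | grep vlan.*ports" prints for both properties. The three samples are constructed to match the layout of this post, not captured from a router, and any line that is not a vlanNports= entry (such as the "size:" summary nvram adds) is ignored.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check a set of
# vlanNports assignments before "nvram commit".
# Input is text in the shape "nvram show | grep vlan.*ports" produces.
# Two properties matter for isolation between the VLANs:
#   1. every physical switch port (0-4 on the WRT310N) belongs to exactly
#      one VLAN; a port listed in two VLANs is a member of both, which
#      defeats the separation the firewall rules assume;
#   2. every VLAN includes the CPU port 8 (written 8, 8* or 8t), otherwise
#      the router cannot route traffic into or out of it.

set -f   # disable globbing so the "8*" token is kept literally

# Constructed samples (not captured from a router).
SAMPLE_OK='vlan1ports=1 2 8*
vlan2ports=0 8
size: 20295 bytes (12473 left)
vlan11ports=3 4 8'

# Mistake: port 2 was added to vlan11 but never removed from vlan1.
SAMPLE_OVERLAP='vlan1ports=1 2 8*
vlan2ports=0 8
vlan11ports=2 3 4 8'

# Mistake: the CPU port was left out of vlan11.
SAMPLE_NO_CPU='vlan1ports=1 2 8*
vlan2ports=0 8
vlan11ports=3 4'

# check_vlan_ports CONFIG_TEXT
# Prints one line per problem found. Exit status 0 when clean, 1 otherwise.
check_vlan_ports() {
    config=$1
    status=0
    assigned=""   # space-separated "port=vlan" records seen so far
    while IFS= read -r line; do
        case "$line" in
            vlan*ports=*) ;;          # only vlanNports= lines are of interest
            *) continue ;;
        esac
        vlan=${line%%ports=*}         # e.g. vlan11
        ports=${line#*=}              # e.g. "3 4 8"
        has_cpu=0
        for p in $ports; do
            case "$p" in
                8|8\*|8t) has_cpu=1; continue ;;
            esac
            # Has another VLAN already claimed this physical port?
            for rec in $assigned; do
                if [ "${rec%%=*}" = "$p" ]; then
                    echo "port $p is in both ${rec#*=} and $vlan"
                    status=1
                fi
            done
            assigned="$assigned $p=$vlan"
        done
        if [ "$has_cpu" -eq 0 ]; then
            echo "$vlan does not include CPU port 8 and cannot be routed"
            status=1
        fi
    done <<EOF
$config
EOF
    return $status
}

# Stand-alone run: report on each constructed sample.
for name in SAMPLE_OK SAMPLE_OVERLAP SAMPLE_NO_CPU; do
    eval "sample=\$$name"
    if check_vlan_ports "$sample"; then
        echo "$name: clean"
    else
        echo "$name: problems found"
    fi
done
```

On the router itself the same function can be fed the live values with check_vlan_ports "$(nvram show | grep 'vlan.*ports')" before committing; a clean result is the point at which a reboot is worthwhile.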

The directions immediately below roughly follow this tutorial (VLAN_Detached_Networks), but those steps did not work for me exactly as written, so my version is below.  The linked article is very helpful, so definitely read it as well to help guide you through the process.

At this point, we've defined the two separate VLANs tied to the physical ports.  Next, we have to assign the IP range for the new subnet, and follow steps to create a DHCP IP address pool for each subnet so that any computers connected to the ports receive an IP address in the correct subnet.

This can be done from Setup -> Networking.

Configure the newly created vlan11 to be unbridged.  Provide a new IP address for the vlan11 subnet with a 255.255.255.0 subnet mask.  This configuration did not appear to take effect entirely on its own on my router, so I had to enter it into the DD-WRT startup script as well.

Enter this into the Administration -> Commands -> Startup section.

#!/bin/ash
# Make sure the system directories are on PATH before calling ifconfig
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# Assign the vlan11 subnet address and bring the interface up on every boot
ifconfig vlan11 192.168.21.1 netmask 255.255.255.0
ifconfig vlan11 up

This specifies the IP subnet and brings up the VLAN upon each reboot.

Lastly, in the DD-WRT GUI, configure the DHCP server for this VLAN.

Setup -> Networking -> DHCPD

Click "Add", then add a new pool for vlan11.

"Save" and "Apply" your settings, and at this point you can test by plugging your computer into ports 1 / 2 / 3 / 4 and confirm that you have been assigned an IP address from the right pool.

Finally, you must isolate the networks you have created from each other.  You do so by entering the following firewall rules in Administration -> Commands -> Firewall.  Credit for most of these rules goes to ChristopherKois, as those in the DD-WRT wiki did not work for me (thank you!).

# Accept traffic into vlan11 (every rule here uses -I, so each later rule lands above the earlier ones)
iptables -I INPUT -i vlan11 -j ACCEPT
# Allow new connections to be forwarded from vlan11 to vlan2 (WAN)
iptables -I FORWARD -i vlan11 -o vlan2 -m state --state NEW -j ACCEPT
# Disallow access to the router from vlan11 on the typical management ports (ftp, ssh, telnet, http, https);
# entered after the ACCEPT above so that it sits in front of it and wins
iptables -I INPUT -i vlan11 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
# Disallow anything on .20 (vlan2) from communicating with the other network; traffic routed between
# the two subnets traverses the FORWARD chain, not INPUT, so the isolation rules go there
iptables -I FORWARD -s 192.168.20.0/255.255.255.0 -d 192.168.21.0/255.255.255.0 -j DROP
# Disallow anything on .21 (vlan11) from communicating with the other network
iptables -I FORWARD -s 192.168.21.0/255.255.255.0 -d 192.168.20.0/255.255.255.0 -j DROP

Once the rules are in place, test your configuration by checking whether you can ping computers plugged into vlan11 from vlan2 and vice versa (you should not be able to).
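The rules above are written out by hand for a single detached VLAN. The script below is an added example, not the post's rules or ChristopherKois's, that generates the same pattern for any number of detached VLANs: a per-interface ACCEPT, a management-port DROP placed in front of it, a forward-to-WAN ACCEPT, and a FORWARD DROP for every ordered pair of subnets (including the main LAN) so that neither direction can cross. vlan11, vlan2 and 192.168.20.0/21.0 are the post's names; vlan12 with 192.168.22.0/24 is a hypothetical second detached VLAN used only to show the pairwise rules, and /24 is the same mask the post writes as 255.255.255.0. The script only prints the commands; nothing is applied.

```shell
#!/bin/sh
# Added example (not part of the original post): generate the iptables rules
# that isolate any number of detached VLANs from each other and from the main
# LAN, let each of them reach the WAN, and deny router management from them.
# vlan11 / 192.168.21.0/24 / vlan2 are the post's names; vlan12 /
# 192.168.22.0/24 is a hypothetical second detached VLAN. Nothing is applied:
# the output is meant to be reviewed and then pasted into
# Administration -> Commands -> Firewall.

WAN_IF="vlan2"
LAN_SUBNET="192.168.20.0/24"         # main subnet; keeps router management
MGMT_PORTS="21,22,23,80,443"         # ftp, ssh, telnet, http, https

# gen_isolation_rules "IFACE SUBNET" ["IFACE SUBNET" ...]
# Every rule uses -I (insert at the head of the chain), so a rule emitted
# later ends up above one emitted earlier. The per-interface ACCEPT is
# therefore printed before the management-port DROP, which must win.
gen_isolation_rules() {
    for spec in "$@"; do
        iface=${spec%% *}
        subnet=${spec#* }
        echo "iptables -I INPUT -i $iface -j ACCEPT"
        echo "iptables -I INPUT -i $iface -p tcp -m multiport --dports $MGMT_PORTS -j DROP"
        echo "iptables -I FORWARD -i $iface -o $WAN_IF -m state --state NEW -j ACCEPT"
    done
    # Pairwise isolation in FORWARD (routed traffic between subnets never
    # traverses INPUT). Both directions of every pair are dropped so that
    # no stateful ACCEPT further down the chain can let replies through.
    subnets="$LAN_SUBNET"
    for spec in "$@"; do
        subnets="$subnets ${spec#* }"
    done
    for a in $subnets; do
        for b in $subnets; do
            if [ "$a" = "$b" ]; then
                continue
            fi
            echo "iptables -I FORWARD -s $a -d $b -j DROP"
        done
    done
}

# count_rules "IFACE SUBNET" ... : number of commands the generator emits,
# useful as a quick check that every VLAN and every pair was covered.
count_rules() {
    gen_isolation_rules "$@" | grep -c '^iptables '
}

# Stand-alone run: the post's vlan11 plus the hypothetical vlan12.
gen_isolation_rules "vlan11 192.168.21.0/24" "vlan12 192.168.22.0/24"
```

With n detached VLANs the generator emits 3n per-interface rules plus (n+1)n pairwise drops, so one VLAN yields 5 commands and two yield 12; reviewing that count against the pasted rule set is a cheap way to spot a pair that was forgotten.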

The last steps I followed after this were to create virtual wireless interfaces that correspond to each of the VLANs so that both companies in the office have a functional wireless network that bridges to their wired VLAN.  This was relatively simple compared to the previous process.  I might cover this in a future post, but if you've made it this far, you can likely follow this guide (Multiple WLANs) on your own to complete the process.

22 comments:

  1. A straightforward and excellent description. Thank you.

    I have a similar configuration to implement but your details underscore what I have suspected for some time; the bridging functions of dd-wrt are (inappropriately) tied to layer 3.

    No ebtables in dd-wrt makes this needlessly complex.

  2. I am curious about the use of VLANs to sort out an issue that I have. I have the E2000 Linksys/Cisco router. On my network, besides my wireless clients, I have wired in, a Netgear ReadyNAS nv+. I notice that when I am downloading NZB files, it brings all of the rest of the network to a crawl.
    Would implementing VLANs reduce the problems that I am having? For instance, if I am looking at a movie under XBMC with the shares located on the ReadyNAS nv+, and movie files start downloading (again on the ReadyNAS), would a VLAN allow for no need for buffering while the NZB files are coming down?

  3. Great description. Just bought DD-WRT router and will definitely try this.


  9. Very nice post. I definitely appreciate this site.
    Stick with it!

