TechNazgul

Sunday, January 22, 2012

DD-WRT: Creating a Network with Separate VLANs and WLANs

After a successful 2-day quest to wrap my mind around the complexities of this DD-WRT configuration, I wanted to document my experience to hopefully save someone time in a similar situation in the future.


Background and Goal:

I'm about to move into a small office where two companies will be sharing a network environment.  Our goal was to set up one router that controlled internet in/out of the office and also create two distinct, firewalled LANs, one for each company's employees.  We also wanted each of the LANs to have a corresponding secured wireless network (WLAN) plus a guest network that was completely isolated from the other two.


The hardware:

I happened to have an unused Linksys (Cisco) WRT310N v1 router in my house and decided to put it to use for this job.  I've installed DD-WRT on several different routers in the past, but hadn't had occasion to configure VLANs, so this was new (and quite difficult at first) to understand.



The firmware is, not surprisingly, DD-WRT; more specifically, the SVN revision 15508M NEWD-2 K2.6 Eko mini build.


Background reading (seriously, read these, several times):

DD-WRT Router Architecture - This article is key in understanding which ports are which on your router, which you'll have to know before you begin configuration.




Note that if you have a Gigabit router, focus on the port/vlan names in bold throughout this article.  On my WRT310N, the key names/devices to know were:

  • Port 0: Physical WAN port
  • Ports 1-4:  These map directly to the physical port numbers on the WRT310N.  In other cases, Port 1 internally might map to the physical Port 4 on the router.  You'll need to do a bit of experimenting to determine which is the case with your router.  A good way to determine this is to follow the steps in "Disable LAN ports" on the Switched Ports tutorial. Disable port 1 or port 4 as explained there and take note of whether it maps to the corresponding physical port # or if it is reversed.
  • vlan1: vlan associated with the physical network ports 1-4
  • vlan2: vlan associated with the WAN socket
  • Port 8: Internal port connecting the switch to the router's CPU (this can be confusing). What is important to know is that this port must be included in any VLAN whose traffic you want routed beyond that VLAN (in almost every scenario you'll be including Port 8 so that the VLAN can be routed).
  • Subnets used in the examples below:
    • My main subnet (vlan1, the default LAN) is
    • My secondary subnet (vlan11) is


DD-WRT Switched Ports - this shows you how to find the initial configuration of your router as it pertains to the VLANs.


Below is the output from my router using the commands explained on that page (the "size: ... left" line is nvram's own status chatter, not a variable):

root@DD-WRT:~# nvram show|grep vlan.*ports
vlan2ports=0 8
vlan1ports=1 2 3 4 8*
size: 20295 bytes (12473 left)

root@DD-WRT:~# nvram show|grep port.*vlans
port5vlans=1 2 16
size: 20295 bytes (12473 left)

root@DD-WRT:~# nvram show|grep vlan.*hwname


Next, the actual commands required to isolate ports 1 & 2 to one VLAN (vlan1) and ports 3 & 4 to another (vlan11).  The port lists use the switch numbering from the list above: the trailing * marks the default VLAN, and port 8 (the CPU port) goes into both VLANs so that both can be routed.  vlan11hwname tells the driver which switch chip (et0) the new VLAN lives on, and the portNvlans variables keep the GUI's per-port membership table in step (port5 there is the CPU-facing port; values of 16 and above in those lists are port flags rather than VLAN ids, so carry over whatever your router already shows).

root@DD-WRT:~# nvram set vlan1ports="1 2 8*"
root@DD-WRT:~# nvram set vlan11ports="3 4 8"
root@DD-WRT:~# nvram set vlan11hwname=et0

root@DD-WRT:~# nvram set port4vlans="11 18 19"
root@DD-WRT:~# nvram set port3vlans="11 18 19"
root@DD-WRT:~# nvram set port5vlans="1 2 11 16"

root@DD-WRT:~# nvram commit


It's worth rebooting at this step as well before continuing.
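To check a port layout before (or after) committing it, here is an added shell script that is not part of the original post: it parses the vlanNports variables, reports which VLAN owns each switch port, and confirms that every VLAN carries the CPU port (port 8) and that no LAN socket sits in two VLANs. On the router it reads nvram show; elsewhere it falls back to a constructed sample that mirrors the layout above. The function names, the sample values and the CPU/LAN port constants are my assumptions for the WRT310N as described above, not DD-WRT's own tooling.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check a DD-WRT switch VLAN layout.
# Port numbering follows the WRT310N as described above: 0 = WAN, 1-4 = LAN
# sockets, 8 = the internal port to the router CPU (assumed for this model).
CPU_PORT=8
LAN_PORTS="1 2 3 4"

# On the router, read the live vlanNports variables (the "size:" chatter goes
# to stderr and is dropped); elsewhere use this constructed sample, which is
# the layout the post ends up with.
if command -v nvram >/dev/null 2>&1; then
    NVRAM_DATA=$(nvram show 2>/dev/null | grep '^vlan[0-9]*ports=')
else
    NVRAM_DATA='vlan1ports=1 2 8*
vlan11ports=3 4 8
vlan2ports=0 8'
fi

# vlan_ports: one "vlanNports=<port list>" line per VLAN
vlan_ports() {
    printf '%s\n' "$NVRAM_DATA" | grep '^vlan[0-9]*ports='
}

# vlan_of_port N: print the id of every VLAN whose port list contains switch
# port N.  Trailing markers ("8*" default VLAN, "8t" tagged, "8u" untagged)
# are stripped before comparing.
vlan_of_port() {
    vlan_ports | while IFS='=' read -r name list; do
        for p in $list; do
            [ "${p%[*tu]}" = "$1" ] || continue
            v=${name#vlan}
            echo "${v%ports}"
        done
    done
}

# check_layout: return 0 when every VLAN includes the CPU port (otherwise
# nothing on it can be routed) and each LAN socket belongs to exactly one
# VLAN; otherwise print what is wrong on stderr and return 1.
check_layout() {
    status=0
    for v in $(vlan_ports | sed 's/^vlan\([0-9]*\)ports=.*/\1/'); do
        if ! vlan_of_port "$CPU_PORT" | grep -qx "$v"; then
            echo "vlan$v does not include CPU port $CPU_PORT" >&2
            status=1
        fi
    done
    for p in $LAN_PORTS; do
        n=$(vlan_of_port "$p" | wc -l | tr -d ' ')
        if [ "$n" -ne 1 ]; then
            echo "switch port $p is in $n VLANs, expected exactly 1" >&2
            status=1
        fi
    done
    return $status
}

for p in $LAN_PORTS; do
    echo "port $p -> vlan$(vlan_of_port "$p" | tr '\n' ' ')"
done
check_layout && echo "VLAN layout OK"
```

Run it once before nvram commit and once after the reboot; if a port shows up in two VLANs or a VLAN lacks port 8, the portNvlans and vlanNports variables have drifted apart and the layout will not behave as intended.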


The directions immediately below roughly follow this tutorial (VLAN_Detached_Networks), but those steps did not work for me exactly as written, so my version is below.  The linked article is very helpful, so definitely read it as well to help guide you through the process.


At this point, we've defined the two separate VLANs tied to the physical ports.  Next, we have to assign the IP range for the new subnet, and follow steps to create a DHCP IP address pool for each subnet so that any computers connected to the ports receive an IP address in the correct subnet.


This can be done from Setup -> Networking.


Configure the newly created vlan11 to be unbridged, and give the vlan11 subnet its own IP address and subnet mask.  This GUI configuration did not appear to take effect entirely by itself on my router, so I had to enter it into the DD-WRT startup script as well.


Enter this into the Administration -> Commands -> Startup section.

ifconfig vlan11 netmask
ifconfig vlan11 up


This specifies the IP subnet and brings up the VLAN upon each reboot.


Next, in the DD-WRT GUI, configure the DHCP server for this VLAN.


Setup -> Networking -> DHCPD


Click "Add", then add a new pool for vlan11.


"Save" and "Apply" your settings, and at this point you can test by plugging your computer into ports 1 / 2 / 3 / 4 and confirm that you have been assigned an IP address from the right pool.


Lastly, you must isolate the networks you have created from each other.  You do so by entering the following firewall rules in Administration -> Commands -> Firewall.  Credit for most of these rules goes to ChristopherKois as those in the DD-WRT wiki did not work for me (thank you!)


# Accept traffic from vlan11 addressed to the router itself (DHCP, DNS, and so on)
iptables -I INPUT -i vlan11 -j ACCEPT
# Allow new connections to be forwarded from vlan11 out to vlan2 (WAN)
iptables -I FORWARD -i vlan11 -o vlan2 -m state --state NEW -j ACCEPT
# Disallow access to the router from vlan11 on the usual management ports (ftp, ssh, telnet, http, https).
# Every rule here uses -I (insert at the top), so this one, entered after the ACCEPT above, lands above it and wins.
iptables -I INPUT -i vlan11 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
# Disallow anything on .20 (the main LAN, vlan1) from reaching .21 (vlan11), and vice-versa.
# These belong in FORWARD, not INPUT: INPUT only sees packets addressed to the router itself,
# while traffic the router routes between the two VLANs only traverses FORWARD.
iptables -I FORWARD -s -d -j DROP
iptables -I FORWARD -s -d -j DROP


Once in place, you can test your configuration to see if you can ping computers plugged into vlan11 when on vlan2 and vice-versa.  (You should not be able to)
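As an added example that is not part of the original post, here is the same rule set generalized to any number of networks (the guest network mentioned at the start would simply be a third line). You list each kernel-visible interface, its subnet and whether it may manage the router; the script emits the WAN-forward ACCEPT for every network, the INPUT ACCEPT and management-port DROP for restricted ones, and a FORWARD DROP for every ordered pair of subnets, which is what actually isolates them. The interface names follow the post (vlan2 is the WAN VLAN, vlan11 the unbridged second network, and the main LAN vlan1 is bridged into br0, which is what the kernel sees for it); the subnet addresses, the NETS table format, the names ipt, isolation_rules and inter_vlan_drop_count, and the DRY_RUN switch are my own assumptions.

```shell
#!/bin/sh
# Added example, not the post's own firewall script: generates the isolation
# rules for any number of DD-WRT networks.  Paste into Administration ->
# Commands -> Firewall on the router; on any other box it only prints the rules.
#
# Assumed, not from the post: the subnet addresses below and all names here.
# Interface names follow the post: vlan2 is the WAN VLAN, vlan11 the unbridged
# second network, and the main LAN (vlan1) is bridged into br0, which is the
# interface the kernel sees for it.
WAN_IF=${WAN_IF:-vlan2}
MGMT_PORTS=21,22,23,80,443

# One network per line: "<kernel interface> <subnet> <admin|restricted>".
# "restricted" networks may use the router (DHCP, DNS, WAN) but not manage it.
NETS='br0 192.168.20.0/24 admin
vlan11 192.168.21.0/24 restricted'

# ipt: run iptables, or print the command instead when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# isolation_rules "<net table>": install the rules.  Every rule is inserted
# with -I, so each one lands above those installed before it; the ACCEPTs are
# therefore emitted first and the DROPs last, which is the order that must win.
isolation_rules() {
    table=$1
    # Pass 1: every network may open connections to the WAN; restricted
    # networks may reach the router itself except on the management ports.
    printf '%s\n' "$table" | while read -r ifc net role; do
        [ -n "$ifc" ] || continue
        ipt -I FORWARD -s "$net" -o "$WAN_IF" -m state --state NEW -j ACCEPT
        if [ "$role" = restricted ]; then
            ipt -I INPUT -i "$ifc" -j ACCEPT
            ipt -I INPUT -i "$ifc" -p tcp -m multiport --dports "$MGMT_PORTS" -j DROP
        fi
    done
    # Pass 2: no routing between any two listed networks, in either direction.
    # This belongs in FORWARD: INPUT only sees packets addressed to the router
    # itself, never the traffic it routes between VLANs.
    printf '%s\n' "$table" | while read -r ifc net role; do
        [ -n "$net" ] || continue
        printf '%s\n' "$table" | while read -r ifc2 net2 role2; do
            [ -n "$net2" ] && [ "$net2" != "$net" ] || continue
            ipt -I FORWARD -s "$net" -d "$net2" -j DROP
        done
    done
}

# inter_vlan_drop_count "<net table>": how many pairwise DROP rules the table
# produces (N networks give N*(N-1)); a cheap check before applying a new table.
inter_vlan_drop_count() {
    ( DRY_RUN=1; isolation_rules "$1" ) | grep -c -- '-I FORWARD -s .* -d .* -j DROP'
}

# Apply for real only on the router (root, with DD-WRT's nvram tool present);
# anywhere else print the rules so the ordering can be reviewed first.
{ command -v nvram >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; } || DRY_RUN=1
isolation_rules "$NETS"
```

Because every rule goes in with -I, the kernel evaluates them in the reverse of the order the script emits them, so the pairwise DROPs, emitted last, sit on top; after applying, iptables -L FORWARD -n -v should show them above DD-WRT's own ACCEPT rules, and the ping test across VLANs should fail in both directions.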


The last steps I followed after this were to create virtual wireless interfaces that correspond to each of the VLANs so that both companies in the office have a functional wireless network that bridges to their wired VLAN.  This was relatively simple compared to the previous process.  I might cover this in a future post, but if you've made it this far, you can likely follow this guide (Multiple WLANs) on your own to complete the process.


  1. A straightforward and excellent description. Thank you.

    I have a similar configuration to implement but your details underscore what I have suspected for some time; the bridging functions of dd-wrt are (inappropriately) tied to layer 3.

    No ebtables in dd-wrt makes this needlessly complex.


  2. I am curious about the use of VLANs to sort out an issue that I have. I have the E2000 Linksys/Cisco router. On my network, besides my wireless clients, I have wired in, a Netgear ReadyNAS nv+. I notice that when I am downloading NZB files, it brings all of the rest of the network to a crawl.
    Would implementing a VLANs reduce the problems that I am having. For instance, if I am looking at a movie under XBMC with the shares located on the ReadyNAS nv+, and movie files start downloading (again on the ReadyNAS), would a VLAN allow for no need for buffering while the NZB files are coming down?

  3. Great description. Just bought DD-WRT router and will definitely try this.

  4. Informative article. A virtual private network, or just VPN, helps encrypt and secure your router against data theft, misuse and only fraud. A single DDWRT router VPN can protect internet traffic for all of the networked computers, thus saving you an enormous cost for internet security and privacy. Furthermore, Purevpn will also redress individual IPs of each computer or device on the network, therefore helping you secure identities of computer on the World Wide Web.


  7. You really help me to learn about dd-wrt router configuration with purevpn