TechNazgul

Sunday, January 22, 2012

DD-WRT: Creating a Network with Separate VLANs and WLANs



After a successful 2-day quest to wrap my mind around the complexities of this DD-WRT configuration, I wanted to document my experience to hopefully save someone time in a similar situation in the future.

 

Background and Goal:

I'm about to move into a small office where two companies will be sharing a network environment.  Our goal was to set up one router that controlled internet in/out of the office and also create two distinct, firewalled LANs, one for each company's employees.  We also wanted each of the LANs to have a corresponding secured wireless network (WLAN) plus a guest network that was completely isolated from the other two.

 

The hardware:

I happened to have an unused Linksys (Cisco) WRT310N v1 router in my house and decided to put it to use for this job.  I've installed DD-WRT on several different routers in the past, but hadn't had the occasion to configure VLANs, so this was new (and quite difficult at first) to understand.

 

Software:

Not surprisingly, DD-WRT; more specifically, SVN revision 15508M NEWD-2 K2.6 Eko mini version.

 

Background reading (seriously, read these, several times):


DD-WRT Router Architecture - This article is key in understanding which ports are which on your router, which you'll have to know before you begin configuration.

 


 

Note that if you have a Gigabit router, focus on the port/vlan names in bold throughout this article.  On my WRT310N, the key names/devices to know were:

  • Port 0: Physical WAN port
  • Ports 1-4:  These map directly to the physical port numbers on the WRT310N.  In other cases, Port 1 internally might map to the physical Port 4 on the router.  You'll need to do a bit of experimenting to determine which is the case with your router.  A good way to determine this is to follow the steps in "Disable LAN ports" on the Switched Ports tutorial. Disable port 1 or port 4 as explained there and take note of whether it maps to the corresponding physical port # or if it is reversed.
  • vlan1: vlan associated with the physical network ports 1-4
  • vlan2: vlan associated with the WAN socket
  • Port 8: Internal port connecting to the internal router (this can be confusing) - what is important to know is that this port must be included in any VLAN whose traffic you want routed outside of that specific VLAN (in almost every scenario you'll be including Port 8 so that the VLAN can be routed).
  • Subnets used in the examples below:
    • My main subnet (vlan2) is 192.168.20.1
    • My secondary subnet (vlan11) is 192.168.21.1

 

DD-WRT Switched Ports - this shows you how to find the initial configuration of your router as it pertains to the VLANs.

 

Below is the output from my router using the commands explained on this page:

root@DD-WRT:~# nvram show|grep vlan.*ports
vlan2ports=0 8
size: 20295 bytes (12473 left)
vlan1ports=1 2 3 4 8*

root@DD-WRT:~# nvram show|grep port.*vlans
port5vlans=1 2 16
port3vlans=1
port1vlans=1
port4vlans=1
port2vlans=1
size: 20295 bytes (12473 left)
port0vlans=2

root@DD-WRT:~# nvram show|grep vlan.*hwname
vlan2hwname=et0
vlan1hwname=et0

 

Next, the actual code required to isolate ports 1 & 2 to one VLAN (vlan1) and ports 3 & 4 to another (vlan11).

#PUTS PORTS 1 2 INTO 1 VLAN
root@DD-WRT:~# nvram set vlan1ports="1 2 8*"

#ASSIGNS NEW VLAN11 WITH PORTS 3 & 4 FROM THE ROUTER
root@DD-WRT:~# nvram set vlan11ports="3 4 8"

#SETS HWNAME OF VLAN11
root@DD-WRT:~# nvram set vlan11hwname=et0

#DEFINES CHECK BOXES FOR GUI FOR PORT 4
root@DD-WRT:~# nvram set port4vlans="11 18 19"
#DEFINES CHECK BOXES FOR GUI FOR PORT 3
root@DD-WRT:~# nvram set port3vlans="11 18 19"

#ASSIGNS VLAN 11 TO THE CPU PORT OF THE ROUTER (THE CPU PORT IS NORMALLY 8 ON A GB ROUTER, BUT IN THE portNvlans VARIABLES IT IS PORT 5)
root@DD-WRT:~# nvram set port5vlans="1 2 11 16"
root@DD-WRT:~# nvram commit

 

It's worth rebooting at this step as well before continuing.
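Before committing the nvram changes above it is worth sanity-checking the port layout, because a VLAN that lacks port 8 or a port left in two VLANs is exactly what makes this step "quite difficult" to debug. The following Python script is an added example written for this post (it is not DD-WRT's own tooling and not code from the original post): run it on a workstation against `nvram show | grep vlan.*ports` output copied from the router. The BEFORE and AFTER strings are constructed to mirror the values shown on this page, and the port numbers assumed (CPU port 8, physical ports 0-4) are those of the WRT310N described above.

```python
import re

# Constructed sample inputs in the shape of `nvram show | grep vlan.*ports` as
# captured in the post. BEFORE copies the quirk of that capture: nvram's
# "size: ... bytes" status line (stderr) was fused into the middle of the data.
BEFORE = "vlan2ports=0 8size: 20295 bytes (12473 left)vlan1ports=1 2 3 4 8*\n"
AFTER = "vlan2ports=0 8\nvlan1ports=1 2 8*\nvlan11ports=3 4 8\n"

CPU_PORT = "8"                          # internal port to the router CPU (WRT310N, per the post)
PHYSICAL = {"0", "1", "2", "3", "4"}    # 0 = WAN socket, 1-4 = LAN sockets on this router


def parse_vlan_ports(text):
    """Return {vlan name: [port tokens]} from nvram output.

    Tokens keep their suffixes: '8*' is port 8 carrying the '*' marker (the
    post keeps it on vlan1), '8t' would be a tagged member. The character
    class stops at the first character that is not part of a port token, so
    the fused 'size:' noise in BEFORE is skipped rather than misparsed.
    """
    return {name: ports.split()
            for name, ports in re.findall(r"(vlan\d+)ports=([0-9 *t]+)", text)}


def port_number(token):
    """Strip the '*' / 't' suffixes: '8*' -> '8'."""
    return token.rstrip("*t")


def check_vlan_layout(text):
    """Return a list of layout problems; an empty list means the layout is sane.

    Checks, each motivated by the post's own description of the ports:
      - every VLAN includes the CPU port (otherwise it cannot be routed out),
      - no physical port appears in two VLANs,
      - every physical port belongs to some VLAN,
      - exactly one VLAN carries the '*' marker.
    """
    vlans = parse_vlan_ports(text)
    problems = []
    owner = {}                           # physical port -> vlan that claims it
    for name, tokens in vlans.items():
        ports = {port_number(t) for t in tokens}
        if CPU_PORT not in ports:
            problems.append(f"{name} lacks CPU port {CPU_PORT}; it cannot be routed")
        for p in sorted(ports & PHYSICAL):
            if p in owner:
                problems.append(f"port {p} is in both {owner[p]} and {name}")
            owner[p] = name
    for p in sorted(PHYSICAL - set(owner)):
        problems.append(f"port {p} is in no vlan")
    starred = [n for n, t in vlans.items() if any(x.endswith("*") for x in t)]
    if len(starred) != 1:
        problems.append(f"expected one vlan with the '*' marker, found {starred}")
    return problems


if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        print(label, parse_vlan_ports(dump), check_vlan_layout(dump) or "ok")
```

Both the stock layout and the two-VLAN layout from this post pass every check; feeding it a dump in which port 3 was left in vlan1 and vlan11 was created without port 8 reports both mistakes, which is the state you want to catch before `nvram commit` and the reboot.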

 

The directions immediately below roughly follow this tutorial (VLAN_Detached_Networks), but those steps did not work for me exactly as written, so my version is below.  The linked article is very helpful, so definitely read it as well to help guide you through the process.

 

At this point, we've defined the two separate VLANs tied to the physical ports.  Next, we have to assign the IP range for the new subnet, and follow steps to create a DHCP IP address pool for each subnet so that any computers connected to the ports receive an IP address in the correct subnet.

 

This can be done from Setup -> Networking.

 

Configure the newly created vlan11 to be unbridged.  Provide a new IP address for the vlan11 subnet with a 255.255.255.0 subnet mask.  This configuration does not appear to work entirely by itself in my router, so I had to enter it into the DDWRT startup script as well.

 

Enter this into the Administration -> Commands -> Startup section.

#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# assign the vlan11 subnet address and bring the interface up on every boot
ifconfig vlan11 192.168.21.1 netmask 255.255.255.0
ifconfig vlan11 up

 

This specifies the IP subnet and brings up the VLAN upon each reboot.

 

Lastly, in the DDWRT GUI, configure the DHCP server for this VLAN.

 

Setup -> Networking -> DHCPD

 

Click "Add", then add a new pool for vlan11.

 

"Save" and "Apply" your settings, and at this point you can test by plugging your computer into ports 1 / 2 / 3 / 4 and confirm that you have been assigned an IP address from the right pool.

 

Lastly, you must isolate the networks you have created from each other.  You do so by entering the following firewall rules in Administration -> Commands -> Firewall.  Credit for most of these rules goes to ChristopherKois as those in the DD-WRT wiki did not work for me (thank you!)

 

# Accept traffic into vlan11
iptables -I INPUT -i vlan11 -j ACCEPT
# Allow traffic outbound to forward from vlan11 to vlan2 (WAN)
iptables -I FORWARD -i vlan11 -o vlan2 -m state --state NEW -j ACCEPT
# Disallow access to the router on vlan11 through the typical ports for management (telnet,ftp,ssh,http,https)
# (-I inserts at the top of the chain, so this rule is evaluated before the ACCEPT above)
iptables -I INPUT -i vlan11 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
# Disallow anything on .20 (vlan2) to communicate to the other networks
iptables -I INPUT -s 192.168.20.0/255.255.255.0 -d 192.168.21.0/255.255.255.0 -j DROP
# Disallow anything on .21 (vlan11) to communicate to the other networks
iptables -I INPUT -s 192.168.21.0/255.255.255.0 -d 192.168.20.0/255.255.255.0 -j DROP

 

Once in place, you can test your configuration to see if you can ping computers plugged into vlan11 when on vlan2 and vice-versa.  (You should not be able to)
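Two things about the rules above are easy to get wrong when reasoning about that ping test. Every rule uses `-I`, so iptables evaluates them in the reverse of the order they were typed, and the subnet-to-subnet DROP rules live in the INPUT chain, which only sees packets addressed to the router itself; a packet the router would route from one subnet to the other passes through FORWARD instead. The Python program below is an added example written for this post (not code from the post, from ChristopherKois, or from DD-WRT): it replays the five commands with iptables' first-match semantics and reports the verdict each constructed packet receives. It assumes the main LAN bridge is named br0 as on stock DD-WRT; 192.168.21.50, 192.168.20.10 and 198.51.100.7 are made-up addresses.

```python
import ipaddress
import shlex

# The five rules from the post, with the double dashes restored (the page's
# extraction had turned them into HTML entities).
PAGE_RULES = [
    "iptables -I INPUT -i vlan11 -j ACCEPT",
    "iptables -I FORWARD -i vlan11 -o vlan2 -m state --state NEW -j ACCEPT",
    "iptables -I INPUT -i vlan11 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP",
    "iptables -I INPUT -s 192.168.20.0/255.255.255.0 -d 192.168.21.0/255.255.255.0 -j DROP",
    "iptables -I INPUT -s 192.168.21.0/255.255.255.0 -d 192.168.20.0/255.255.255.0 -j DROP",
]


def parse_rule(line):
    """Parse one iptables command into (chain, insert_at_top, match, target).

    Only the options the post's rules use are understood; anything else raises
    so that a typo is caught instead of silently matching everything.
    """
    toks = shlex.split(line)
    if toks[0] != "iptables":
        raise ValueError(line)
    chain, insert, target, match = None, False, None, {}
    i = 1
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt in ("-I", "-A"):
            chain, insert = arg, opt == "-I"
        elif opt == "-j":
            target = arg
        elif opt in ("-i", "-o", "-p"):
            match[opt] = arg
        elif opt in ("-s", "-d"):
            match[opt] = ipaddress.ip_network(arg, strict=False)   # accepts x.x.x.x/mask
        elif opt == "--dports":
            match[opt] = {int(p) for p in arg.split(",")}
        elif opt == "--state":
            match[opt] = set(arg.split(","))
        elif opt == "-m":
            pass                                 # extension name; its options follow
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
        i += 2
    return chain, insert, match, target


def build_chains(lines):
    """Replay the commands in order. -I puts a rule at the top, so the rule
    entered last is evaluated first; -A would append instead."""
    chains = {}
    for line in lines:
        chain, insert, match, target = parse_rule(line)
        rules = chains.setdefault(chain, [])
        if insert:
            rules.insert(0, (line, match, target))
        else:
            rules.append((line, match, target))
    return chains


def matches(match, pkt):
    """A rule matches only when every criterion it specifies holds."""
    checks = {
        "-i": lambda v: pkt.get("in") == v,
        "-o": lambda v: pkt.get("out") == v,
        "-p": lambda v: pkt.get("proto") == v,
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "--dports": lambda v: pkt.get("dport") in v,
        "--state": lambda v: pkt.get("state") in v,
    }
    return all(checks[opt](val) for opt, val in match.items())


def verdict(chains, pkt):
    """Packets addressed to the router itself traverse INPUT; packets the
    router would route between interfaces traverse FORWARD. Returns the target
    of the first matching rule, or 'POLICY' when none of the page's rules
    matches and the chain's default policy plus DD-WRT's stock rules decide."""
    chain = "FORWARD" if pkt.get("out") else "INPUT"
    for _line, match, target in chains.get(chain, []):
        if matches(match, pkt):
            return target
    return "POLICY"


# Constructed packets: 192.168.21.50 is a host on vlan11, 192.168.20.10 on the main LAN (br0).
SSH_TO_ROUTER = {"in": "vlan11", "proto": "tcp", "dport": 22, "src": "192.168.21.50", "dst": "192.168.21.1"}
DNS_TO_ROUTER = {"in": "vlan11", "proto": "udp", "dport": 53, "src": "192.168.21.50", "dst": "192.168.21.1"}
TO_INTERNET = {"in": "vlan11", "out": "vlan2", "proto": "tcp", "dport": 443,
               "src": "192.168.21.50", "dst": "198.51.100.7", "state": "NEW"}
TO_OTHER_LAN = {"in": "vlan11", "out": "br0", "proto": "tcp", "dport": 445,
                "src": "192.168.21.50", "dst": "192.168.20.10", "state": "NEW"}
MAIN_LAN_TO_VLAN11_IP = {"in": "br0", "proto": "icmp", "src": "192.168.20.10", "dst": "192.168.21.1"}

if __name__ == "__main__":
    chains = build_chains(PAGE_RULES)
    for name, rules in chains.items():
        print(name, "evaluates in this order:")
        for line, _m, _t in rules:
            print("   ", line)
    for name, pkt in [("ssh to router", SSH_TO_ROUTER), ("dns to router", DNS_TO_ROUTER),
                      ("vlan11 -> WAN", TO_INTERNET), ("vlan11 -> main LAN", TO_OTHER_LAN),
                      ("main LAN -> router's vlan11 address", MAIN_LAN_TO_VLAN11_IP)]:
        print(f"{name:38} {verdict(chains, pkt)}")
```

The management-port DROP lands above the blanket ACCEPT for vlan11, so SSH to the router from vlan11 is dropped while DNS to it is accepted, and new connections from vlan11 out to the WAN are accepted. The routed vlan11-to-main-LAN packet reaches POLICY: none of the page's rules decides it, so whether the ping test fails as expected depends on DD-WRT's stock FORWARD rules. When you run the ping test, confirm that with `iptables -vnL FORWARD` on the router and watch the packet counters move on the rule that drops it.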

 

The last steps I followed after this were to create virtual wireless interfaces that correspond to each of the VLANs so that both companies in the office have a functional wireless network that bridges to their wired VLAN.  This was relatively simple compared to the previous process.  I might cover this in a future post, but if you've made it this far, you can likely follow this guide (Multiple WLANs) on your own to complete the process.

3 comments:

  1. A straightforward and excellent description. Thank you.

    I have a similar configuration to implement but your details underscore what I have suspected for some time; the bridging functions of dd-wrt are (inappropriately) tied to layer 3.

    No ebtables in dd-wrt makes this needlessly complex.

  2. I am curious about the use of VLANs to sort out an issue that I have. I have the E2000 Linksys/Cisco router. On my network, besides my wireless clients, I have wired in a Netgear ReadyNAS nv+. I notice that when I am downloading NZB files, it brings all of the rest of the network to a crawl.
    Would implementing VLANs reduce the problems that I am having? For instance, if I am looking at a movie under XBMC with the shares located on the ReadyNAS nv+, and movie files start downloading (again on the ReadyNAS), would a VLAN allow for no need for buffering while the NZB files are coming down?

  3. Great description. Just bought DD-WRT router and will definitely try this.

