Posted: Tue Jul 11, 2006 14:33 Post subject: breaking network bridge for LAN port4 - internet access only
I have a WRT54GS v2 connected to my DSL modem and a second WRT54GS v4 connected to the first router on port 4 (both running DD-WRT v23 SP1).
What I would like to achieve is that anyone connecting to the 2nd router (wired or wireless) only gets access to the internet and cannot see the internal network connected to the first router.
Moreover, anyone connected to the first router shall be able to see everything (both routers and the attached network devices, plus internet access).
I have been searching the web and found how to separate the WLAN from the LAN, but not LAN ports 1-3 from port 4.
So far I have the first router on 192.168.1.1 / 255.255.255.0 and the second on 192.168.0.1 / 255.255.255.0; the only other change is that I have moved the tick for port 4 from VLAN0 to VLAN2, with "assigned to bridge" set to none. Both routers are running DHCP.
I am attempting the exact same thing. I have not found any answers except using VLANs, which don't seem to accomplish what I am trying to do. Maybe I am just not understanding the way the VLANs work here.
Posted: Wed Jul 19, 2006 6:14 Post subject: The Fix
I managed to find the definitive set of configuration changes needed to complete this task. Additionally, it's tested and works.
See below:
1) You need to open the VLAN page of the DD-WRT web panel and move the tick for port 4 to VLAN2.
2) Log in to the router using SSH or telnet and run the commands below:
# Step 1 moved the tick in the GUI; these make the same split explicit in nvram:
# ports 1-3 plus the CPU port (5*) stay in vlan0 (the LAN bridge),
# port 4 plus the CPU port go to vlan2, which gets its own hardware name.
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5"
# vlan2 is not bridged, so it needs its own address (the gateway for port 4).
nvram set rc_startup='ifconfig vlan2 192.168.10.1 netmask 255.255.255.0'
# Firewall script, run after DD-WRT has built its own rules.
nvram set rc_firewall='
# Traffic addressed to the router itself: LAN may talk to it, port 4 may not.
iptables -F INPUT
iptables -A INPUT -i br0 -s 192.168.1.0/24 -d 0/0 -p all -j ACCEPT
iptables -A INPUT -i vlan2 -s 192.168.10.0/24 -d 192.168.1.0/24 -p all -j DROP
iptables -A INPUT -i vlan2 -s 192.168.10.0/24 -d 192.168.10.1/32 -p all -j DROP
# Traffic routed through the router: LAN may go anywhere, replies are allowed,
# port 4 may not reach the LAN; anything else falls through to the chain policy.
iptables -F FORWARD
iptables -A FORWARD -i br0 -s 192.168.1.0/24 -d 0/0 -p all -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i vlan2 -s 192.168.10.0/24 -d 192.168.1.0/24 -p all -j DROP'
nvram commit
reboot
(Note: this was done on a v1.1 WRT54GS router; the port assignments are as labelled on the case. I noticed that with my v4 router the ports were in a different order:
v1.1
  Label on case:        1  2  3  4  WAN
  Firmware assignment:  1  2  3  4  5
v4
  Label on case:        4  3  2  1  WAN
  Firmware assignment:  0  1  2  3  4
)
3) All should be working now; just remember that all equipment on port 4 needs to be assigned a static IP in the 192.168.10.0 / 255.255.255.0 range.
(Note: the firewall rules were written using IP addresses and not interfaces; therefore, if you change IPs you will also need to change the rules accordingly.)
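The procedure above, as an added example that is not part of either post: a POSIX shell script that derives the vlan0ports/vlan2ports strings for the two port numberings given in the note, checks that no LAN port ends up in both VLANs before anything is committed, and prints the full nvram sequence. One check worth doing before copying the posted rc_firewall as-is: "iptables -F INPUT" and "iptables -F FORWARD" also discard every rule DD-WRT built for the WAN side, so after the reboot run "iptables -L INPUT -n -v" and "iptables -L FORWARD -n -v" and confirm that unsolicited WAN traffic still ends at a DROP rather than at an ACCEPT policy. The script below instead inserts its rules at the head of the stock chains and leaves the rest in place. The interface names (br0 for the LAN bridge, vlan1 for the WAN, vlan2 for port 4), the 192.168.10.0/24 subnet, the v4 label-to-port map and CPU port 5 are assumptions taken from the post's own settings and its table, not from the project; verify them on your router with "nvram get vlan0ports", "nvram get vlan1ports" and "nvram get wan_ifname" first.

```shell
#!/bin/sh
# Added example, not the poster's script: generate and sanity-check the DD-WRT
# settings that move one LAN port onto an internet-only VLAN, and emit an
# rc_firewall fragment that inserts its rules ahead of DD-WRT's own rules
# instead of flushing the chains. Assumed (hypothetical) layout: LAN bridge br0
# on 192.168.1.0/24, port-4 VLAN vlan2 on 192.168.10.0/24 with 192.168.10.1 on
# the router, WAN on vlan1, CPU-facing switch port 5. Check the real values with
# `nvram get vlan0ports`, `nvram get vlan1ports` and `nvram get wan_ifname`
# before changing anything.

LAN_IF=br0;     LAN_NET=192.168.1.0/24
GUEST_IF=vlan2; GUEST_NET=192.168.10.0/24; GUEST_IP=192.168.10.1
WAN_IF=vlan1
CPU=5
IPT="${IPT:-iptables}"   # IPT=echo ./guest-vlan.sh apply  -> dry run

# Switch port number for a case label on a given hardware revision. The two
# maps are the ones given in the post (v1.1: label N is port N; v4: labels
# 4 3 2 1 are ports 0 1 2 3).
port_for_label() {  # $1 = v1.1|v4, $2 = case label 1..4
    case "$1" in
        v1.1) echo "$2" ;;
        v4)   echo $((4 - $2)) ;;
        *)    echo "unknown revision: $1" >&2; return 1 ;;
    esac
}

# vlan0ports/vlan2ports with case label $2 moved out of the LAN VLAN.
vlan_lists() {  # $1 = revision, $2 = case label of the port to split off
    lan=""; guest=""
    for label in 1 2 3 4; do
        p=$(port_for_label "$1" "$label") || return 1
        if [ "$label" = "$2" ]; then guest=$p; else lan="$lan$p "; fi
    done
    printf 'vlan0ports="%s%s*"\nvlan2ports="%s %s"\n' "$lan" "$CPU" "$guest" "$CPU"
}

# Reject a port map where a LAN port sits in both VLANs (it would stay on the
# LAN bridge) or the CPU port is missing from either (that VLAN could not reach
# the router at all). Returns 0 when the split is sane.
check_split() {  # $1 = vlan0ports value, $2 = vlan2ports value
    for p in $1; do
        p=${p%\*}
        [ "$p" = "$CPU" ] && continue
        case " $2 " in *" $p "*) return 1 ;; esac
    done
    case " $1 " in *" $CPU* "*) ;; *) return 1 ;; esac
    case " $2 " in *" $CPU "*)  ;; *) return 1 ;; esac
    return 0
}

# Rules for rc_firewall. They are inserted at fixed positions so they are
# evaluated before everything DD-WRT built, and the stock chains, including
# whatever DD-WRT placed at the end of INPUT and FORWARD for unsolicited WAN
# traffic, stay intact. The INPUT rule also blocks DHCP and DNS from the
# router, so port-4 hosts need static addresses and an outside resolver, as in
# the post; put an ACCEPT for udp/53 ahead of it if the router should resolve.
guest_rules() {
    cat <<EOF
-I INPUT 1 -i $GUEST_IF -j DROP
-I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I FORWARD 2 -i $GUEST_IF -o $LAN_IF -j DROP
-I FORWARD 3 -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -j ACCEPT
-I FORWARD 4 -i $LAN_IF -o $GUEST_IF -s $LAN_NET -j ACCEPT
-t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Full command sequence for the router shell, in the same form as the post's.
nvram_commands() {  # $1 = revision, $2 = case label of the port to split off
    vlan_lists "$1" "$2" | sed 's/^/nvram set /'
    echo "nvram set vlan2hwname=et0"
    echo "nvram set rc_startup='ifconfig $GUEST_IF $GUEST_IP netmask 255.255.255.0'"
    printf "nvram set rc_firewall='"
    guest_rules | sed 's/^/iptables /'
    echo "'"
    echo "nvram commit"
}

# Run the rules through $IPT, one per line; stops at the first failure.
apply_rules() {
    guest_rules | while IFS= read -r rule; do
        $IPT $rule || exit 1   # word splitting of $rule is intended
    done
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    nvram_commands "${REV:-v1.1}" "${GUEST_LABEL:-4}"
fi
```

Run it as "REV=v4 GUEST_LABEL=4 sh guest-vlan.sh" (the file name is made up) to print the command sequence for a v4 box, where the port labelled 4 is switch port 0 according to the post's table, and as "IPT=echo sh guest-vlan.sh apply" to see what would be executed without touching the firewall. Because the first INPUT rule drops everything from vlan2 to the router, the hosts on port 4 still need static addresses and an external DNS server, exactly as in step 3.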