Posted: Fri Apr 23, 2021 23:56 Post subject: Separate LAN ports with Internet?
Got a problem. I had an old Watchguard (pile of junk) router die at a location. We have a Netgear R6400 (v1 I believe) there. I want to separate one LAN port for the guest wireless and leave the other three and built-in WiFi alone. This way the three internal network ports work fine with WiFi and the fourth LAN port goes to a switch and then to some Unifi APs.
With that said, I cannot seem to get it going. I read the DD-WRT wiki article about separating LAN ports and only applied it to port 4. That is to say I put port 4 on vlan3 with no bridge set on the "Switch Config" tab. I then went to the "Networking" tab and moved down to the ports section and found vlan3. I set vlan3 to unbridged, set it to the old guest network router IP of 192.168.0.254, subnet to 255.255.255.0, and enabled "Masquerade/NAT" and "Net isolation". Saved, rebooted. Cannot get the guest network online. What should I do? The private LAN ports are on 194.0.0.0/24 so there is NO conflict. I have never done this on DD-WRT before and imagine I am simply missing something. _________________ Cicero: Stab you, stab you, stab you!
Psycho: I think he wants to play xylophone with my spinal cord!
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Sat Apr 24, 2021 7:08 Post subject:
here is a basic explanation of how to do a single vlan using a GUI option ...
I did it for my friend R7000 (broadcom)
1. Set up>Switch Config> create a vlan, click on the box VLAN 3, any port you want to remove from VLAN 1 (there must be 4 ports up on VLAN1) on the very right side (assigned to bridge leave to none) ... save & apply
2. Reboot
3. Set up>networking create a br1 save & apply reboot
4. Set up>networking>assign to bridge br1 vlan3 save & apply
5. Leave Vlan3 at default, find br1, enable NAT, Filter WAN NAT, and Net Isolation and give it an IP; use a /24 mask, as the other masks are not working with the vlan setup yet, at least I tried a few to no avail
6. Create dhcpd for br1 and reboot
7. Add to firewall script:
iptables -t nat -A POSTROUTING -s 192.168.x.x/24 -o $(get_wanface) -j MASQUERADE   # replace 192.168.x.x with yours
iptables -I FORWARD -i br1 -o $(get_wanface) -m state --state NEW -j REJECT   # kill switch for the new vlan
iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT   # to cut off GUI access on this bridge
iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT   # to cut off GUI access on this bridge
iptables -A INPUT -i br1 -p udp --dport 502 -j DROP   # this is a mandatory firewall rule
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT
once again i did it all via GUI, no start up script was used, as i do normally with Atheros..
so, it seems GUI option was working on Broadcom (R7000)
you have to adapt it to your case... IPs, VLAN numbers, etc...
i hope it helps...
Good Luck..!! _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
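The steps above end in a firewall script for one extra VLAN, with the isolation rules written out pair by pair. As an added example (not the poster's script and not DD-WRT's own code), here is the same rule set as shell functions that generalise to any number of isolated bridges: the NAT rule, the GUI cut-off rules and the udp/502 rule from the post, plus pairwise NEW-connection rejection between every bridge given. The bridge-to-subnet mapping, the br2 bridge and the eth0 fallback when DD-WRT's get_wanface helper is absent are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: firewall rules for isolated DD-WRT
# bridges, generalised to any number of bridges. IPT defaults to iptables; set
# IPT=echo to print the rules for review instead of applying them.
IPT="${IPT:-iptables}"
# get_wanface is DD-WRT's helper; fall back to eth0 when run elsewhere (assumption).
WAN="${WAN:-$(get_wanface 2>/dev/null || echo eth0)}"

# Masquerade one bridge's subnet out of the WAN interface.
nat_subnet() {            # nat_subnet <subnet/prefix>
    $IPT -t nat -A POSTROUTING -s "$1" -o "$WAN" -j MASQUERADE
}

# Keep clients on a bridge away from the router's own services: the web GUI
# (80/443) and the udp/502 rule the thread's script carries.
protect_router() {        # protect_router <bridge>
    $IPT -I INPUT -i "$1" -p tcp --dport 80 -j REJECT
    $IPT -I INPUT -i "$1" -p tcp --dport 443 -j REJECT
    $IPT -A INPUT -i "$1" -p udp --dport 502 -j DROP
}

# Reject NEW connections in both directions between every pair of bridges.
# Only NEW is matched, so replies to already-allowed connections still pass.
isolate_bridges() {       # isolate_bridges br0 br1 br2 ...
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            $IPT -I FORWARD -i "$a" -o "$b" -m state --state NEW -j REJECT
        done
    done
}

# Bridges and subnets below are assumptions: the thread names br1 (guest) and
# br2 (legacy) but does not say which subnet sits on which bridge.
setup_firewall() {
    nat_subnet 192.168.0.0/22      # guest network (assumed)
    nat_subnet 192.168.4.0/24      # legacy domain (assumed)
    protect_router br1
    protect_router br2
    isolate_bridges br0 br1 br2
}

# On the router, paste the functions plus a bare "setup_firewall" call into the
# Firewall script box; "sh script.sh dry-run" prints the rules instead.
case "${1:-}" in
    apply)   setup_firewall ;;
    dry-run) IPT=echo setup_firewall ;;
esac
```

Running it with `IPT=echo` first is the cheap check: the printed list should contain exactly one FORWARD rule per ordered pair of bridges and none with the same bridge as both input and output, and the NAT rules should name the WAN interface you expect before anything is applied to the live router.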
I will try this. I assumed I needed a bridge but none of the wiki articles for my use case used a bridge. Should have gone with my gut and tried. I will post the results after I have a chance to try this. Thank you for your help!
Your method worked. I now have the WiFi, LAN1, and LAN2 in the default setting and LAN3 in vlan3, and LAN4 in vlan4. Ports 1 and 2 are the main, private network. The domain controller is in port 1 and port 2 goes to the 96-port switch setup. Port 3 is their guest network. It goes to a PoE switch which drives various Unifi APs. Port 4 is their OLD domain, which includes some Server 2008 systems and a few remaining Windows 7 boxes.
This leaves me with one issue. DHCP. I need DHCP ONLY on the guest WiFi (LAN3/vlan3) since the two Active Directory domains have both DHCP and DNS servers. How can I achieve this? The router literally only routes and firewalls, plus hosts our OpenVPN access. I do not want it to enable DHCP on the main LAN, as this would kill AD.
I know, but this is not my setup. I am debating changing the setup, but not yet. Either way, how can I put DHCP only on vlan3?
I tried to follow those instructions but they assume you have DHCP on somewhere else, which I do not, due to using AD DCs. When I add DHCP to just one bridge the address defaults to 0.0.0.0/24 which does not work. I have DHCP disabled on the main "Setup" tab and assume that this is why it fails to add additional ones.
Also, the guide I used is linked below. Is this incorrect?
I must have screwed up before. When I added a DHCP to vlan3 it was set to 0.0.0.0/24, but this time it is correct. I am using OpenVPN to program the router from home but will try it on-site later this week to ensure that it is indeed working.
One final question. How do I configure QoS in this bridged setup? I have 100Mbps up and down at this site and want to guarantee at least 50Mbps up and down to the primary network (ports one and two, plus WiFi) as well as limiting the guest network to 10Mbps up and down. I did not see a guide on this but ASSUME I need to use "LAN & WLAN" in the settings and setup limiting per vlan or bridge. Is this correct?
The link has nothing to do with DD-WRT. I understand how to use QoS in a basic setup. However, I am using DD-WRT to take advantage of things like vlans and bridges. In this setup the WiFi, LAN1, and LAN2 are in the default setup. LAN3 is an isolated guest network (vlan3 / br1) and LAN4 is isolated for an old network (vlan4 / br2). I need to know how to limit traffic on those two ports and guarantee a minimum bandwidth on 1 and 2.
That said, I could not get DHCP working on the guest network so I factory reset the router and upgraded to the 2021-04-24 firmware. Reset again and set up everything. Now, however, I only have vlan1 and vlan2. I no longer have vlan3 or vlan4 despite setting LAN3 to vlan3 and LAN4 to vlan4 on the switch configuration page.
How do I get vlan3 and 4 back?
Sorry, after using SSH to erase everything and factory reset, the router, now on r46446, works like a charm. DHCP works (typing this while connected to the guest wireless), I cannot get into the main network or old network from guests, and all is good now, except for the QoS.
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o $(get_wanface) -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o $(get_wanface) -j MASQUERADE
iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT
iptables -A INPUT -i br1 -p udp --dport 502 -j DROP
iptables -I INPUT -i br2 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br2 -p tcp --dport 443 -j REJECT
iptables -A INPUT -i br2 -p udp --dport 502 -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
With that said, how do I guarantee 50Mbps up and down to the default setup (WiFi/LAN1/LAN2), limit the guests to 10Mbps up and down (LAN3/vlan3/br1), and limit the old stuff to 20Mbps up and down (LAN4/vlan4/br2)? I have never used vlans or bridging in DD-WRT and cannot find guides specific to this kind of setup.
Alright, I played with it for a few hours now and I think I have it. I also discovered that we have a major issue right now. We're only getting 24Mbps down and 33Mbps up. Not good. Spectrum will be called shortly.
I attached an image of the current settings. When I connect to the internal WiFi I get 20/30, and when connecting to the guest network I get 5/5. I simply need to add one for the old network, AFTER the WAN is fixed. Is this setup correct?
OK, something isn't right, but I have to go. I set up the old network bridge to have 20Mbps up and down, but I am only getting 9-11Mbps, almost like the first bridge is affecting it. The WAN connection has been fixed. It is back to 93-95Mbps up and down. I set QoS to 81920 (80Mbps) both ways. Still, I cannot get vlan4/br2 to cap at 20Mbps. What have I done wrong?
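The last several posts ask for a 50 Mbps guarantee on the main network and hard caps of 10 and 20 Mbps on the guest and legacy bridges, using the 80 Mbps (81920 kbit) link figure set in the GUI. As an added example, not DD-WRT's GUI QoS and not the poster's settings, here is that policy as a hand-written HTB shaping script, which makes the rate/ceil model explicit: "rate" is the guaranteed share, "ceil" the cap, and a class with rate equal to ceil can never borrow from an idle neighbour. It is meant as an alternative to the GUI QoS, not to run alongside it, because both use fwmarks. The bridge names, the fwmark values 20 and 30, and the eth0 fallback when get_wanface is absent are assumptions.

```shell
#!/bin/sh
# Added example, not DD-WRT's GUI QoS and not the poster's settings: hand-written
# HTB shaping for the thread's layout (br0 main, br1 guest, br2 legacy).
# TC/IPT default to tc/iptables; set TC=echo IPT=echo to print the commands.
TC="${TC:-tc}"
IPT="${IPT:-iptables}"
WAN="${WAN:-$(get_wanface 2>/dev/null || echo eth0)}"   # eth0 fallback is an assumption

# Tag packets by the bridge they arrived on. This runs in PREROUTING, before
# NAT rewrites the source address, so the tag survives to the WAN qdisc.
mark_bridge() {           # mark_bridge <bridge> <mark>
    $IPT -t mangle -A PREROUTING -i "$1" -j MARK --set-mark "$2"
}

# Upload: one HTB tree on the WAN. "rate" is the guaranteed share, "ceil" the cap;
# a class may borrow up to its ceil only while other classes leave bandwidth idle.
# Classification is by fwmark rather than source subnet, because by the time a
# packet reaches the WAN qdisc its source address is already the WAN address.
shape_upload() {          # shape_upload <link_kbit>
    link=$1
    $TC qdisc del dev "$WAN" root 2>/dev/null || true
    $TC qdisc add dev "$WAN" root handle 1: htb default 10
    $TC class add dev "$WAN" parent 1: classid 1:1 htb rate "${link}kbit" ceil "${link}kbit"
    # main (and the router's own traffic, via "default 10"): 50 Mbit guaranteed,
    # may borrow up to the whole link
    $TC class add dev "$WAN" parent 1:1 classid 1:10 htb rate 50000kbit ceil "${link}kbit"
    # guest: rate == ceil, so it is pinned at 10 Mbit and never borrows
    $TC class add dev "$WAN" parent 1:1 classid 1:20 htb rate 10000kbit ceil 10000kbit
    # legacy: pinned at 20 Mbit
    $TC class add dev "$WAN" parent 1:1 classid 1:30 htb rate 20000kbit ceil 20000kbit
    mark_bridge br1 20
    mark_bridge br2 30
    $TC filter add dev "$WAN" parent 1: protocol ip prio 1 handle 20 fw flowid 1:20
    $TC filter add dev "$WAN" parent 1: protocol ip prio 1 handle 30 fw flowid 1:30
}

# Download: cap what leaves each isolated bridge toward its clients. A download
# *guarantee* for br0 cannot be enforced this way, since each bridge is shaped
# on its own; that needs shaping of WAN ingress (IFB), which this example omits.
cap_download() {          # cap_download <bridge> <kbit>
    $TC qdisc del dev "$1" root 2>/dev/null || true
    $TC qdisc add dev "$1" root handle 1: htb default 10
    $TC class add dev "$1" parent 1: classid 1:10 htb rate "${2}kbit" ceil "${2}kbit"
}

setup_qos() {
    shape_upload 81920          # the 80 Mbit figure the thread set in the GUI
    cap_download br1 10000
    cap_download br2 20000
}

case "${1:-}" in
    apply)   setup_qos ;;
    dry-run) TC=echo IPT=echo setup_qos ;;
esac
```

Two checks worth doing before trusting the numbers: the child rates (50000 + 10000 + 20000 kbit) must not exceed the parent's rate (81920 kbit) or HTB cannot honour the guarantees, and the `rate == ceil` classes are the only ones that can be relied on as hard caps; a class whose ceil is higher than its rate will climb past its rate whenever the link is otherwise idle.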