Posted: Tue Jul 04, 2006 21:47 Post subject: Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP
I just wanted to post this in case someone else is doing exactly what I want to do. I spent several hours reading this morning to get this to work for me. I hope this works for me until BrainSlayer is able to fix the web gui to work for VLAN setup.
WRT54G v 2.2
What I was looking to do is separate Port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3, or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words I want to see "into" the port 4 VLAN, but don't want them to see out). I've successfully got it to work: port 4 cannot ping out, but ports 1-3 and wireless can ping in. I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router IP address) is going to be on 192.168.1.1, and the second VLAN (the new one we create on port 4) is going to be on 192.168.2.1.
Now that you've just finished the VLAN section, we need to set up DHCP to work properly. If you stop here your DHCP will work on your VLAN 1 (192.168.1.1), but you'll have to use static addresses on the second VLAN on port 4.
Setting up DHCP:
4. Now under the "Administration" tab again on your router, go to the "Management" tab. Find "DNS Masq". Make sure DNS Masq and Local DNS are both checked. Then, per this thread, copy the following lines into the "Additional DNS options" box:
Do you see what's going on here? You're telling DHCP what the two VLANs are, and what addresses to assign them. The "1h" is how long the lease time should be. The first address is the beginning of the DHCP range, the second is the end of the range for that VLAN. You won't be using your DHCP settings in the GUI on the front page after this; you'll need to edit it here if you want to make changes in the future.
Click on "Save Changes"
5. Lastly, go to the "Setup" tab for your router, and under "basic setup" you're going to turn the DHCP off (this is a different DHCP server that we aren't using any more). Under "DHCP Server" set this to "disable".
6. Now, assuming you've done everything correctly, and that I've remembered everything I did, you should be able to reboot your router one final time and have everything work perfectly.
Keep in mind that I'm a complete noob here and don't really know what I'm doing. Just wanted to share what I did to get my ver 2.2 router working perfectly how I wanted it to. Hopefully it will work for you too.
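What goes into that box for the layout this post describes, as an added example (my lines, not the ones from the original post, which are missing from this copy of the thread). The interface names, subnets and pool sizes are assumptions: br0 is DD-WRT's bridge for ports 1-3 plus the WLAN with the router at 192.168.1.1, and vlan2 is the port 4 VLAN with the router at 192.168.2.1.

```conf
# Added example for the "Additional DNS options" box, not the original post's lines.
# Assumes br0 = ports 1-3 + WLAN with the router at 192.168.1.1/24,
# and vlan2 = port 4 with the router at 192.168.2.1/24 (both are assumptions).

# answer DNS and DHCP on the two LAN-side interfaces only, never on the WAN
interface=br0
interface=vlan2

# one pool per VLAN: start address, end address, lease time.
# dnsmasq hands a request to the pool whose subnet contains the address of the
# interface it arrived on, so the ranges select themselves; the router option
# (gateway) and DNS server default to that same interface address.
dhcp-range=192.168.1.100,192.168.1.150,1h
dhcp-range=192.168.2.100,192.168.2.150,1h
```

After "Save Changes" and a reboot, `cat /tmp/dnsmasq.conf` on the router should show both ranges; a client on port 4 should then pull a 192.168.2.x lease with 192.168.2.1 as its gateway. The same pattern covers the unbridged guest SSID asked about at the end of this thread (wl0.1 on 10.10.15.1): `interface=wl0.1` plus a `dhcp-range` inside 10.10.15.0/24, and, when another server already hands out leases on the main LAN, `no-dhcp-interface=br0` so dnsmasq offers leases on the guest side only.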
Joined: 06 Jun 2006 Posts: 731 Location: Erlangen, Germany
Posted: Thu Aug 03, 2006 9:02 Post subject: Re: Howto: VLAN Setup - Port 4 on Separate VLAN with DHCP
What I was looking to do is separate Port 4 of my router into a separate VLAN
that can access the internet, but not access anything on ports 1-3, or the wireless.
However, I want to be able to see everything on port 4 from the other side
Wow -- GREAT! This is almost the same setup I am looking for.
I just started to think about how "the contrary" can be implemented, i.e.,
a particular port (say, #4) must be able to "see" the internet (which is
provided via PPPoE), while neither the other ports nor the WLAN should
be allowed to establish a connection to port 4. (The goal is to make
the computer at port 4 safe against potential "attacks" from the rest of the
I suppose the only difference, as compared with your setup, is the
iptables commands, but I'm really lost in the iptables documentation.
Can you please explain to me how to modify your commands so as to
reach the desired effect? I'd be very, very grateful!
To get the effect you're looking for, drop the "iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT", the very first line. This will stop computers on vlan1 (ports 1-3 + WLAN) from being able to see/mess with the computer on port 4 (vlan2). That's a good idea for a server: keep people on the network from messing with it, but leave it entirely open to the internet to do its thing. Might have to do that myself.
Joined: 06 Jun 2006 Posts: 731 Location: Erlangen, Germany
Posted: Thu Aug 03, 2006 10:17 Post subject:
I have an unused WRT54GL to "play with", but I just noticed that this won't
work on a GL, because its ports are numbered differently, and the VLAN
settings page is known to be broken there. Fortunately, there is a Gv3.1 in
my LAN, so I need to swap the devices before I can start experimenting.
In consequence, I have to apologize that I won't be able to implement your
To get the effect you're looking for, drop the "iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT", the very first line, this will drop computers on vlan1 (ports 1-3+wlan) from being able to see/mess with the computer on port 4 (vlan2)
AFAIK, vlan1 is the WAN, isn't it?
The WLAN and the other ports are vlan0, as far as I understand.
What if I would like the opposite? E.g. VLAN2 should be able to access VLAN0, but VLAN0 can't access VLAN2.
My main purpose is to put a separate network, like a server and some workstations, in VLAN2, which has only wired connections. Then, the public printer and wireless users in VLAN0. VLAN2 devices should be able to access the printer in VLAN0, but none of the devices from VLAN0 can access VLAN2.
What I've tried is to put
iptables -I FORWARD -i vlan2 -o vlan0 -j ACCEPT
but I can't access anything in VLAN0 from VLAN2 anyway. I also tried to move the WLAN from VLAN0 to VLAN2 by creating br1 containing VLAN2 and the WLAN. (I can't disable br0, so I just left br0 with only VLAN0.)
Thanks to all for your description it helped me a lot:
I wanted to have two LANs separated:
- LAN1-on port 1-2-3+WIFI
- LAN2 on port 4
and to be able to use QoS (or other methods) to control/limit download/upload speed in all of LAN 1 and LAN 2.
I think I succeeded in implementing another LAN on port 4, following your description, on my Linksys WRT54GL router with firmware DD-WRT v23 SP3 (12/17/06) std.
This is what I used for step 2:
nvram set vlan0ports="3 2 1 5*"   # switch ports 3,2,1 (sockets 1-3) plus the CPU port 5 stay in vlan0; the * marks vlan0 as the CPU port's default VLAN
nvram set vlan2hwname=et0         # attach the new vlan2 to the switch driver
nvram set vlan2ports="0 5"        # switch port 0 (the socket labelled 4 on the GL) plus the CPU port form vlan2
                                  # (followed by "nvram commit" so the change survives a reboot)
I had to skip steps 4 & 5 because I saw that if I set DHCP on LAN2, QoS no longer works for LAN2, and there is no limit on download/upload on that segment.
I am not sure if firewall rules are enough to filter/stop traffic from LAN2 to LAN1... I saw that from LAN2 I am able to access the router configuration page and... this is not good.
Does anybody know if it is possible (and what/how to set up) to use RFlowCollector in LAN1 (NIC = br0) to see traffic from LAN2 (NIC = vlan2)?
In this configuration it works only for LAN1 (NIC = br0).
I tried to use it in LAN2 but it is still not working.
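The firewall side of the thread, as one added example that is not code from any post here: the original howto (LAN sees into port 4, port 4 sees only the internet), the reverse asked for by the Erlangen poster (a server on port 4 the LAN may not reach), the VLAN2-to-VLAN0 request, and the observation just above that LAN2 could still open the router's configuration page. Two points the posts above do not spell out: a single `-j ACCEPT` in one direction is not enough, because the replies have to be allowed back, and on DD-WRT the switch ports and the WLAN are members of the bridge br0, so forwarded LAN traffic is matched on br0 and `-o vlan0` never matches. The script uses DD-WRT's stock names on a WRT54G (br0 = ports 1-3 + WLAN, vlan2 = the new port 4 VLAN, vlan1 = WAN; the OP's commands use "vlan1" for the LAN side instead); all interface names are assumptions, and it is meant for the "Save Firewall" box under Administration -> Commands.

```sh
#!/bin/sh
# Added example, not code from any post in this thread: a DD-WRT firewall script
# (Administration -> Commands -> "Save Firewall") for one-way visibility between
# two VLANs. Interface names are assumptions for a WRT54G: br0 is the bridge holding
# ports 1-3 plus the WLAN, vlan2 is the VLAN created for port 4, vlan1 is the WAN.

# Print the FORWARD rules for "$1 may open connections to $2, never the reverse",
# one per line, in the order they must end up in the chain.
one_way_rules() {
    trusted="$1"
    isolated="$2"
    # replies to connections opened from the trusted side must get back through;
    # a lone "-j ACCEPT" in one direction is not enough for a TCP handshake to finish
    echo "FORWARD -i $isolated -o $trusted -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "FORWARD -i $trusted -o $isolated -j ACCEPT"
    # everything else from the isolated side toward the trusted side is dropped
    echo "FORWARD -i $isolated -o $trusted -j DROP"
}

# The isolated VLAN still needs a path to the internet. DD-WRT's stock chain only
# forwards br0 to the WAN, so the new VLAN needs its own line. Confirm afterwards with
# "iptables -t nat -L POSTROUTING -v" that the stock MASQUERADE rule on the WAN is not
# limited to br0 addresses; if it is, add one for the new subnet.
wan_rules() {
    echo "FORWARD -i $1 -o $2 -j ACCEPT"
}

# FORWARD rules say nothing about packets addressed to the router itself, so a host
# on the isolated VLAN can still open the web GUI or SSH (the post above saw exactly
# that). Let it talk to the router's DHCP and DNS only; drop everything else.
router_input_rules() {
    echo "INPUT -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "INPUT -i $1 -p udp --dport 67 -j ACCEPT"
    echo "INPUT -i $1 -p udp --dport 53 -j ACCEPT"
    echo "INPUT -i $1 -p tcp --dport 53 -j ACCEPT"
    echo "INPUT -i $1 -j DROP"
}

# Read rules for ONE chain from stdin and insert them at positions 1, 2, 3, ... so
# they keep the printed order and sit ahead of everything DD-WRT generated itself.
insert_rules() {
    pos=1
    while read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        set -- $rule
        chain="$1"
        shift
        "$IPT" -I "$chain" "$pos" "$@"
        pos=$((pos + 1))
    done
}

# On the router this applies the rules; anywhere without iptables it prints them.
IPT="${IPT:-iptables}"
command -v "$IPT" >/dev/null 2>&1 || IPT=echo

# The original howto: ports 1-3 + WLAN see into port 4, port 4 sees only the WAN.
# For the reverse (a server on port 4 the rest of the LAN may not touch), swap the
# arguments: one_way_rules vlan2 br0
{ one_way_rules br0 vlan2; wan_rules vlan2 vlan1; } | insert_rules
router_input_rules vlan2 | insert_rules
```

Run it once with `IPT=echo sh firewall.sh` to see the exact rules before letting the router apply them, then verify with `iptables -L FORWARD -v -n` that the three one-way rules sit at the top of the chain and, from a host on the isolated VLAN, that the web GUI on the router's address no longer answers while DNS and a lease still do.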
Posted: Sat Mar 24, 2007 1:38 Post subject: I need something similar but with another wireless SSID?
I'm trying to figure out how to create a separate wireless SSID, unbridged, with its own DHCP range so it can be a secure guest internet-only network which is only able to get out the gateway to the internet. I'm running DD-WRT version 24 beta. I've set up a virtual SSID and called it "guests", set WPA security on that virtual SSID, set it as unbridged, and once that was done it allowed me to set the virtual SSID's IP and subnet. So now I have a new SSID that I can authenticate to, and in ifconfig I have an interface called wl0.1 showing:
Link encap:Ethernet HWaddr 00:13:XX:XX:XX:XX
inet addr:10.10.15.1 Bcast:10.10.15.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
The problem is that when connecting to that SSID it does not give me an IP address. So now I need to figure out how to run a DHCP server on the DD-WRT router that only listens on this subnet and issues IPs in the 10.10.15.0 range to wireless clients that authenticate with the WPA key. Right now the main DHCP server inside the DD-WRT router is turned off, as we have our own DHCP server on our 192.168.1.0 network, which I do not want giving DHCP leases to this private network.
Any ideas, guys? This will be a cool setup to have a secured wireless network to allow guests to connect to without having access to our private subnet, if I can get it working.