Asus RT-N16 – Vlans - Step by Step How to

DD-WRT Forum Index -> Broadcom SoC based Hardware
80sguitartist
DD-WRT User


Joined: 18 Feb 2010
Posts: 218

PostPosted: Sat Feb 22, 2014 20:46    Post subject: Asus RT-N16 – Vlans - Step by Step How to
Well after struggling over and over again and with the help of the forums and numerous hours of trial and error I was finally able to get VLANs working on an Asus RT-N16 router. I’d like to post exactly what I did to get it working. While there is a lot of information about VLANs there are no precise How-To’s for the Asus RT-N16 that I could find. I found that what is out there (http://www.christopherkois.com/?p=497) does not work on any version of firmware I tested (Build 13309, 18024, 14896, 14929). When looking more deeply at the code on that page, I believe there are a lot of things that are wrong with it.

I am completely open minded with any of the Gurus telling me that something is missing or something does not need to be there. So if you are certain something doesn't look right, please let me know.

Setting up Vlans on an Asus Rt-N16

Here is what will be accomplished:
- The physical Port 1 on the back of router called LAN1 will broadcast an IP address on the 192.168.1.X subnet.
- Physical Port 2 (LAN2) will broadcast an IP address on the 192.168.2.X subnet.
- Physical Port 3 (LAN3) will broadcast an IP address on the 192.168.3.X subnet.
- Physical Port 4 (LAN4) will broadcast an IP address on the 192.168.4.X subnet.
- NO Firewall scripts have been put into place to prevent anyone from talking to each other on other subnets. This is a tutorial on getting VLANs working NOT restricting Access. If everything looks good to those on the board I will update this with Firewall scripts but for now I just want to make sure what I have is correct and there are no major flaws.
- Everyone should be able to get out to the Internet. (Obviously, you need a working Internet connection going into the WAN port.)

1. First and Foremost. I have only tested these instructions on the following builds of DD-WRT. Others could work but your mileage may vary.

DD-WRT v24-18024_NEWD-2_K2.6_mega.bin
DD-WRT v24-14896_NEWD-2_K2.6_mini.bin


2. Freshly install one of the builds above and reset to factory defaults. I have found the easiest way to do this is to log in to the router via telnet command and type in “erase nvram”. Hit the Enter key and then type in “reboot”. The Factory defaults will be restored. After you have reset everything wait a couple of minutes before you proceed. Go take a piss or something.

3. Plug your computer into LAN1 on the back of the router.

4. Open a browser (IE or Firefox, not sure about Chrome) and go to 192.168.1.1.

5. Change the username and password when prompted. I used the typical username “root” and password “admin”.

6. Once you have changed the username and password and you know they work, close Internet Explorer.

7. Open a Command prompt and Telnet into the router 192.168.1.1, log in, and then input these commands below. After each line, hit the Enter key.

nvram set vlan1ports="4 8"
nvram set vlan3ports="2 8"
nvram set vlan4ports="1 8"
nvram set vlan5ports="3 8"
nvram commit
reboot


8. Gonna have to wait a few minutes for it to reboot. Get a cup of coffee or something.

9. Log in to the web interface at 192.168.1.1 and then go to Setup-->Vlans.

Uncheck Port 1 and put a checkmark for VLAN 4 for Port 1.
Uncheck Port 2 and put a checkmark for VLAN 3 for Port 2.
Uncheck Port 3 and put a checkmark for VLAN 5 for Port 3.


10. Click Save

11. Go to the Administration tab and then click Reboot Router. You must do this to get the Vlan 2, 3 and 4 options to show up in the next steps.

12. Yep, you’re waiting a few minutes for it to reboot again. Just think about how happy you’ll be when this works. But make sure to think for a couple minutes.

13. Log back in to the router and go to Setup-->Networking.

14. Go down to Port Setup and for each of the Network Configurations for vlan3, vlan4, and vlan5 click on Unbridged. This will let you enter in the values below (enter those values)

Network Configuration vlan3 = Unbridged
IP address: 192.168.3.1
Subnet Mask: 255.255.255.0

Network Configuration vlan4 = Unbridged
IP address: 192.168.4.1
Subnet Mask: 255.255.255.0

Network Configuration vlan5 = Unbridged
IP address: 192.168.2.1
Subnet Mask: 255.255.255.0

15. After all the above have been entered click on Save.

16. You should still be in the Setup-->Networking Page. Go to the bottom and for the section on DHCPD click on Add under Multiple DHCP Server.

17. Click on the Dropdown where it currently says eth0 and choose vlan3. Then click on Save.

18. Again, click on the Add button in the DHCP section like you just did. This time we want to change the DHCP 1 entry to vlan 4. Then click on Save.

19. One more time, click on the Add button and change it to vlan5. Then click on Save.

20. Now click on Apply Settings.

21. Go to the Administration tab and then click Reboot Router.

22. This should be the last time you have to wait. So get ready for some ultimate VLAN’ing fun. Oh Yeah!

23. Moment of Truth! Here is what your results should be below. VERY IMPORTANT! If you are quickly unplugging and plugging into the various ports on the router you need to release and renew your IP address on your computer. Otherwise, your NIC will cache the old IP address it just got. So, when plugging into different ports, do a release and renew of your IP address. Results should be:

- Plugging into LAN4 (Actual port on the router itself) should give you a 192.168.4.X address.
- Plugging into LAN3 should give you a 192.168.3.X address.
- Plugging into LAN2 should give you a 192.168.2.X address.
- Plugging into LAN1 should give you a 192.168.1.X address.
- Any port should be able to get out to the Internet.

24. Now you’ve got some VLANs but everyone can talk to everyone else. You need to set up firewall scripts to prevent that. Continue on to the Firewall Scripts.

Firewall Scripts


I had a lot of trouble getting my Firewall Scripts working. Initially, what I found on the web for setting up the Asus RT-N16 did not work. I found that every page that referenced the VLAN firewall scripts appeared to use the command INPUT versus the command FORWARD. Once I got this correct, the following results should occur when following the instructions below.

- Routing will work like any common network on the LAN (192.168.1.1)
- Clients on VLAN3 (192.168.3.1), VLAN4 (192.168.4.1), and VLAN5 (192.168.2.1) will not be able to access the router’s IP at 192.168.1.1 via telnet, web, etc. They will be able to ping the IP.
- No VLAN can access another VLAN or the clients that are connected through a different VLAN. For example, clients on VLAN3 cannot access anything but other clients on VLAN3 and the Internet.
- If a client tries to ping anyone on a different VLAN there is no response.

1. Plug your computer into LAN1 on the back of the router.

2. Open a browser (IE or Firefox, not sure about Chrome) and go to 192.168.1.1.

3. Go to Administration-->Commands.

4. Input the commands below into the Command window. You should be able to copy and paste.

# Accept traffic into vlan5
iptables -I INPUT -i vlan5 -j ACCEPT
# Allow traffic outbound to forward from vlan5 to vlan2 (WAN)
iptables -I FORWARD -i vlan5 -o vlan2 -m state --state NEW -j ACCEPT
# Disallow access to the router on vlan5 through the typical ports for management (telnet,ftp,ssh,http,https)
iptables -I INPUT -i vlan5 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
# Disallow anything on 192.168.2.X (vlan5) to communicate to the other networks
iptables -I FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.3.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -j DROP
# Disallow anything on the bridge interface to communicate to vlan5
iptables -I FORWARD -i br0 -o vlan5 -j logdrop

# Accept traffic into vlan3
iptables -I INPUT -i vlan3 -j ACCEPT
# Allow traffic outbound to forward from vlan3 to vlan2 (WAN)
iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT
# Disallow access to the router on vlan3 through the typical ports for management (telnet,ftp,ssh,http,https)
iptables -I INPUT -i vlan3 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I FORWARD -s 192.168.3.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.3.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.3.0/255.255.255.0 -d 192.168.4.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.3.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -j DROP
# Disallow anything on the bridge interface to communicate to vlan3
iptables -I FORWARD -i br0 -o vlan3 -j logdrop

# Accept traffic into vlan4
iptables -I INPUT -i vlan4 -j ACCEPT
# Allow traffic outbound to forward from vlan4 to vlan2 (WAN)
iptables -I FORWARD -i vlan4 -o vlan2 -m state --state NEW -j ACCEPT
# Disallow access to the router on vlan4 through the typical ports for management (telnet,ftp,ssh,http,https)
iptables -I INPUT -i vlan4 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.3.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -j DROP
# Disallow anything on the bridge interface to communicate to vlan4
iptables -I FORWARD -i br0 -o vlan4 -j logdrop

5. Click on Save Firewall.

6. Go to Administration-->Management

7. Click on Reboot Router.

You should now have an Asus RT-N16 with Firewall scripts to prevent VLANs from accessing other VLANs.
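The three near-identical rule blocks above are one instance of a per-VLAN pattern. As an added example (not code from the post), this POSIX shell script generates the same isolation rules from a table of interface/subnet pairs, so a further VLAN is one more table row rather than seven more hand-typed lines. It assumes DD-WRT's iptables with its logdrop chain, and writes subnets in /24 notation where the post spells out the netmask.

```shell
#!/bin/sh
# Added example: generate the per-VLAN isolation rules from a table instead of
# hand-copying one block per VLAN. Assumes DD-WRT's iptables and its logdrop
# chain (present on DD-WRT builds); the pairs below are the ones from the post.

# Constructed table: "interface subnet" pairs as set up in the how-to.
VLANS="vlan3 192.168.3.0/24
vlan4 192.168.4.0/24
vlan5 192.168.2.0/24"
LAN_SUBNET="192.168.1.0/24"   # the br0 / vlan1 side (192.168.1.X)
WAN_IF="vlan2"                # WAN on the RT-N16

# Print the rules for one guest VLAN. Order matters because -I inserts at the
# top of the chain: later lines end up above earlier ones, so the
# management-port DROP lands above the blanket INPUT ACCEPT, as in the post.
vlan_rules() {
    vif=$1
    vnet=$2
    echo "iptables -I INPUT -i $vif -j ACCEPT"
    echo "iptables -I FORWARD -i $vif -o $WAN_IF -m state --state NEW -j ACCEPT"
    echo "iptables -I INPUT -i $vif -p tcp -m multiport --dports 21,22,23,80,443 -j DROP"
    # Block this VLAN toward the LAN and toward every other guest VLAN.
    echo "iptables -I FORWARD -s $vnet -d $LAN_SUBNET -j DROP"
    echo "$VLANS" | while read oif onet; do
        [ "$oif" = "$vif" ] || echo "iptables -I FORWARD -s $vnet -d $onet -j DROP"
    done
    # Nothing from the bridge (LAN side) may be forwarded into this VLAN.
    echo "iptables -I FORWARD -i br0 -o $vif -j logdrop"
}

# Emit the whole ruleset: paste the output into Administration-->Commands and
# click Save Firewall, or pipe it to sh on the router to try it live.
all_rules() {
    echo "$VLANS" | while read vif vnet; do
        echo "# Rules for $vif ($vnet)"
        vlan_rules "$vif" "$vnet"
    done
}

# Self-check: how many generated rules drop traffic from subnet $1 to subnet $2.
count_block() {
    all_rules | grep -c -- "-s $1 -d $2 -j DROP" || true
}

all_rules
```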
WoodmanMN
DD-WRT Novice


Joined: 14 Sep 2012
Posts: 2

PostPosted: Fri Feb 28, 2014 17:50    Post subject: Excellent Write Up!
Thank you for this very helpful write up. I just used it to configure an RT-N16 to split a hotel's network into 4 separate networks, 3 for individual access points for each floor and one for their office.
80sguitartist
DD-WRT User


Joined: 18 Feb 2010
Posts: 218

PostPosted: Sat Mar 01, 2014 23:03
Glad it worked out for you WoodmanMN. Curious if you found any of those other websites out there that had similar instructions. I couldn't get one of them to work.

As for using it for a hotel's access points and LAN that's one of the main reasons why I needed the VLANs. Really helps to keep everything completely separate.
norkle
DD-WRT Novice


Joined: 30 Jan 2014
Posts: 11

PostPosted: Fri Mar 07, 2014 0:23
Nice work, thanks for the summary.
Masterman
DD-WRT Guru


Joined: 24 Aug 2009
Posts: 2070
Location: South Florida

PostPosted: Fri Mar 07, 2014 21:58
Very nice, and great detail too. I gave up on trying to VLAN K26 routers a long time ago.

This should be put in the Wiki, as the current method does not work for all devices.

Thanks again for your contribution, and please add this to the Wiki or I will.
Cool

_________________
Optware, the Right Way
Asus RT-AC68U
Asus RT-N66U
Asus RT-N10
Asus RT-N12
Asus RT-N16 x5
Asus WL520gU
Engenious ECB350
Linksys WRT600Nv1.1
Linksys WRT610Nv1
Linksys E2000
Netgear WNDR3300
SonicWall NSA220W
SonicWall TZ215W
SonicWall TZ205W
SonicWall TZ105W
80sguitartist
DD-WRT User


Joined: 18 Feb 2010
Posts: 218

PostPosted: Mon Mar 10, 2014 18:37
Sorry I missed your post Masterman. Just happened to be digging for something else and came across this. I don't mind at all if you put this in the Wiki "Giving me full credit of course Mr. Spicoli"...hope you got that Fast Times reference.

I'm actually doing a presentation for a professional tech group this week about DD-WRT and I've already gotten some complaints from those attending about the firmware. But to be more precise, I think it's the level of frustration on accurate documentation. There just seems to be more and more misinformation out there on How-To's and such. I think most of the issues stem from testing. I know it's a pain to write up detailed instructions and go back over them again and again to make sure they are spot on. But when you don't do that and there are mistakes it really causes a lot of aggravation for the end user. Certainly not blaming the DD-WRT developers or testing team as usually it's a problem with the documentation.

I'm going to try to post some other How To's I've done that I mainly keep for my records on both the RT-N16 and the RT-N12. Side note: I recently discovered that along with the RT-N16 the Asus RT-N12 can do Port based VLANs. Setup is a little different though. Hard to believe you can pick up a $30 router that does VLANs.

So how does one go about getting a Wiki Login Account? Do I need to pass a test or pay someone a large sum of money? Ha!

Thanks for the kudos!
truehomie35
DD-WRT Novice


Joined: 27 May 2019
Posts: 22

PostPosted: Wed Jun 12, 2019 15:21
I CONFIRM YOUR CONFIGURATION IS APPLICABLE FOR THE RT-N12, but how about tagging VLANs?