Separate LAN ports with Internet?

DD-WRT Forum Index -> Advanced Networking
Sephiroth
DD-WRT User


Joined: 22 Aug 2013
Posts: 154

PostPosted: Fri Apr 23, 2021 23:56    Post subject: Separate LAN ports with Internet?
Got a problem. I had an old Watchguard (pile of junk) router die at a location. We have a Netgear R6400 (v1 I believe) there. I want to separate one LAN port for the guest wireless and leave the other three and built-in WiFi alone. This way the three internal network ports work fine with WiFi and the fourth LAN port goes to a switch and then to some Unifi APs.

With that said, I cannot seem to get it going. I read the DD-WRT wiki article about separating LAN ports and only applied it to port 4. That is to say I put port 4 on vlan3 with no bridge set on the "Switch Config" tab. I then went to the "Networking" tab and moved down to the ports section and found vlan3. I set vlan3 to unbridged, set it to the old guest network router IP of 192.168.0.254, subnet to 255.255.255.0, and enabled "Masquerade/NAT" and "Net isolation". Saved, rebooted. Cannot get the guest network online. What should I do? The private LAN ports are on 194.0.0.0/24 so there is NO conflict. I have never done this on DD-WRT before and imagine I am simply missing something.

_________________
Cicero: Stab you, stab you, stab you!
Psycho: I think he wants to play xylophone with my spinal cord!
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Sat Apr 24, 2021 7:08
Here is a basic explanation of how to do a single VLAN using the GUI option only.
I did it for my friend's R7000 (Broadcom).


1. Setup > Switch Config: create a VLAN by clicking the VLAN 3 box for any port you want to remove from VLAN 1 (there must be 4 ports up on VLAN 1); on the very right side leave "assigned to bridge" as none. Save & apply.
2. Reboot.
3. Setup > Networking: create br1. Save & apply, reboot.
4. Setup > Networking: assign vlan3 to bridge br1. Save & apply.
5. Leave vlan3 at default, find br1, enable NAT, Filter WAN NAT and Net Isolation, and give it an IP. Use a /24 mask, as the other masks are not working with the VLAN setup yet (at least I tried a few to no avail).
6. Create a dhcpd for br1 and reboot.
7. Add to the firewall script:
Code:
# replace 192.168.x.0/24 with your br1 subnet
iptables -t nat -A POSTROUTING -s 192.168.x.0/24 -o $(get_wanface) -j MASQUERADE
# kill switch for the new vlan
iptables -I FORWARD -i br1 -o $(get_wanface) -m state --state NEW -j REJECT
# cut off GUI access on this bridge
iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT
# this is a mandatory firewall rule
iptables -A INPUT -i br1 -p udp --dport 502 -j DROP
# no new connections between br1 and the main LAN (br0), in either direction
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT

Once again, I did it all via the GUI; no startup script was used, as I normally do with Atheros.
So it seems the GUI option is working on Broadcom (R7000).

You have to adapt it to your case: IPs, VLAN numbers, etc.

I hope it helps.
Good luck!

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
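The seven steps above boil down to one firewall script, and the hand-written rule list grows quadratically once a second detached bridge appears (every pair of bridges needs a REJECT in both directions). The script below is an added example, not the poster's script and not DD-WRT's own code: it emits the same kinds of rules as step 7 (MASQUERADE for each new subnet, no router management from the detached bridge, no new flows between any two bridges) for any number of bridges, and guards every rule with `iptables -C` so that the firewall script can run more than once without stacking duplicates. Assumptions: br0 is the main LAN bridge; the WAN device comes from DD-WRT's `get_wanface` helper, with eth0 as a fallback when that helper is absent (for example when checking the output off-router); port 22 is added to the blocked management ports (the post lists only 80 and 443); the `udp --dport 502` rule from the post is not reproduced. Step 7's `FORWARD -i br1 -o $(get_wanface) ... REJECT` line rejects every new flow from the guest bridge to the WAN, which is what makes it a kill switch, so it is also left out here: a guest network that is supposed to reach the Internet does not want it. With `DRY_RUN=1` the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: isolation + NAT rules for N detached DD-WRT bridges.
# Assumptions: br0 = main LAN; get_wanface exists on the router (eth0 fallback
# off-router); iptables supports -C (1.4.11+). DRY_RUN=1 prints instead of runs.

WAN=${WAN:-$(get_wanface 2>/dev/null || echo eth0)}

# add_rule <table> <chain> <rule...>: insert the rule once (skip if present).
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -t $table -I $chain $*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -I "$chain" "$@"
}

# isolate_bridges "<brX>=<subnet> ...": rules for every detached bridge.
isolate_bridges() {
    isolated=""
    for pair in $1; do
        br=${pair%%=*}; net=${pair#*=}
        isolated="$isolated $br"
        # NAT the new subnet out of the WAN, as in step 7 of the post.
        add_rule nat POSTROUTING -s "$net" -o "$WAN" -j MASQUERADE
        # No router management from this bridge. DHCP and DNS served on the
        # bridge keep working: only these TCP ports are rejected.
        for port in 80 443 22; do
            add_rule filter INPUT -i "$br" -p tcp --dport "$port" -j REJECT
        done
    done
    # No NEW flows between any two bridges, in either direction. -I puts the
    # rules ahead of the existing ACCEPTs in FORWARD; replies to established
    # connections (e.g. the guest's own downloads) are not affected.
    for src in br0 $isolated; do
        for dst in br0 $isolated; do
            if [ "$src" != "$dst" ]; then
                add_rule filter FORWARD -i "$src" -o "$dst" \
                    -m state --state NEW -j REJECT
            fi
        done
    done
}

# Usage on the router (Administration > Commands > Save Firewall), subnets
# constructed to match the two-bridge layout later in this thread:
# isolate_bridges "br1=192.168.4.0/24 br2=192.168.0.0/22"
```

With two detached bridges the loop produces the same six FORWARD rules the thread ends up with by hand; with three it produces twelve, which is the part that is easy to get wrong manually. After applying, `iptables -L FORWARD -v -n --line-numbers` should show the REJECT rules above any ACCEPT, and a client on br1 should still get a lease and resolve names while a `ping` to a br0 host fails with "Destination Port Unreachable".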
Sephiroth
PostPosted: Sat Apr 24, 2021 16:12
I will try this. I assumed I needed a bridge, but none of the wiki articles for my use-case used a bridge. Should have gone with my gut and tried. I will post the results after I have a chance to try this. Thank you for your help!
Sephiroth
PostPosted: Sun Apr 25, 2021 14:19
Your method worked. I now have the WiFi, LAN1, and LAN2 in the default setting and LAN3 in vlan3, and LAN4 in vlan4. Ports 1 and 2 are the main, private network. The domain controller is in port 1 and port 2 goes to the 96-port switch setup. Port 3 is their guest network. It goes to a PoE switch which drives various Unifi APs. Port 4 is their OLD domain, which includes some Server 2008 systems and a few remaining Windows 7 boxes.

This leaves me with one issue. DHCP. I need DHCP ONLY on the guest WiFi (LAN3/vlan3) since the two Active Directory domains have both DHCP and DNS servers. How can I achieve this? The router literally only routes and firewalls, plus hosts our OpenVPN access. I do not want it to enable DHCP on the main LAN, as this would kill AD.

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Sun Apr 25, 2021 17:54
194.0.0.0/24 is in the public IP address space.

The private address space is 10.0.0.0/8, 172.16-32.0.0/16 and 192.168.0.0/24
Sephiroth
PostPosted: Tue Apr 27, 2021 19:21
I know, but this is not my setup. I am debating changing the setup, but not yet. Either way, how can I put DHCP only on vlan3?
Alozaros
PostPosted: Wed Apr 28, 2021 8:04
Look at point 6:
6. Create a dhcpd for br1 (or for vlan3) and reboot.

Sephiroth
PostPosted: Wed Apr 28, 2021 14:22
I tried to follow those instructions but they assume you have DHCP on somewhere else, which I do not, due to using AD DCs. When I add DHCP to just one bridge the address defaults to 0.0.0.0/24, which does not work. I have DHCP disabled on the main "Setup" tab and assume that this is why it fails to add additional ones.

Also, the guide I used is linked below. Is this incorrect?
Code:
https://wiki.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_(Separate_Networks_With_Internet)

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Wed Apr 28, 2021 14:44
You do not need a DHCP server but I think the bridge must have an IP address in the subnet it belongs to, it is like a static IP address.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Thu Apr 29, 2021 6:06; edited 1 time in total
Sephiroth
PostPosted: Wed Apr 28, 2021 23:24
I must have screwed up before. When I added a DHCP to vlan3 it was set to 0.0.0.0/24, but this time it is correct. I am using OpenVPN to program the router from home but will try it on-site later this week to ensure that it is indeed working.

One final question. How do I configure QoS in this bridged setup? I have 100Mbps up and down at this site and want to guarantee at least 50Mbps up and down to the primary network (ports one and two, plus WiFi) as well as limiting the guest network to 10Mbps up and down. I did not see a guide on this but ASSUME I need to use "LAN & WLAN" in the settings and set up limiting per vlan or bridge. Is this correct?

atifak
DD-WRT Novice


Joined: 02 Apr 2021
Posts: 14

PostPosted: Thu Apr 29, 2021 5:39
Sephiroth wrote:
I must have screwed up before. When I added a DHCP to vlan3 it was set to 0.0.0.0/24, but this time it is correct. I am using OpenVPN to program the router from home but will try it on-site later this week to ensure that it is indeed working.

One final question. How do I configure QoS in this bridged setup? I have 100Mbps up and down at this site and want to guarantee at least 50Mbps up and down to the primary network (ports one and two, plus WiFi) as well as limiting the guest network to 10Mbps up and down. I did not see a guide on this but ASSUME I need to use "LAN & WLAN" in the settings and set up limiting per vlan or bridge. Is this correct?

Try this link
https://www.laptopmag.com/articles/change-your-routers-quality-of-service-qos-settings-how-to
Sephiroth
PostPosted: Thu Apr 29, 2021 20:17
The link has nothing to do with DD-WRT. I understand how to use QoS in a basic setup. However, I am using DD-WRT to take advantage of things like vlans and bridges. In this setup the WiFi, LAN1, and LAN2 are in the default setup. LAN3 is an isolated guest network (vlan3 / br1) and LAN4 is isolated for an old network (vlan4 / br2). I need to know how to limit traffic on those two ports and guarantee a minimum bandwidth on 1 and 2.

That said, I could not get DHCP working on the guest network so I factory reset the router and upgraded to the 2021-04-24 firmware. Reset again and setup everything. Now however, I only have vlan1 and vlan2. I no longer have vlan3 or vlan4 despite setting LAN3 to vlan3 and LAN4 to vlan4 on the switch configuration page.

How do I get vlan3 and 4 back?

Sephiroth
PostPosted: Thu Apr 29, 2021 20:40
Sorry, after using SSH to erase everything and factory reset, the router, now on r46446, works like a charm. DHCP works (typing this while connected to guests wireless), I cannot get into the main network or old network from guests, and all is good now, except for the QoS.

As far as QoS goes, here is my setup.
Code:

WAN - 100Mbps / 100Mbps / Static Address
WiFi - Default \
LAN1 - Default +- 194.0.0.254/24
LAN2 - Default /
LAN3 - vlan3 / br1 / 192.168.4.254/24
LAN4 - vlan4 / br2 / 192.168.0.254/22

# NAT each detached subnet out of the WAN
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o $(get_wanface) -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o $(get_wanface) -j MASQUERADE
# no router GUI from the guest bridge (br1) or the old-network bridge (br2)
iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT
iptables -A INPUT -i br1 -p udp --dport 502 -j DROP
iptables -I INPUT -i br2 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br2 -p tcp --dport 443 -j REJECT
iptables -A INPUT -i br2 -p udp --dport 502 -j DROP
# no new connections between any two bridges, in either direction
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT

With that said, how do I guarantee 50Mbps up and down to the default setup (WiFi/LAN1/LAN2), limit the guests to 10Mbps up and down (LAN3/vlan3/br1), and limit the old stuff to 20Mbps up and down (LAN4/vlan4/br2)? I have never used vlans or bridging in DD-WRT and cannot find guides specific to this kind of setup.

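The per-bridge bandwidth question above (guarantee br0 at least 50 Mbit/s, cap br1 at 10 and br2 at 20, on an 80 Mbit/s shaped link) maps directly onto one HTB tree per direction. The script below is an added example, not the poster's configuration and not DD-WRT's GUI QoS: it shapes by hand with `tc`. Upload is shaped on the WAN device with one HTB class per source bridge, selected through a firewall mark, so br0's `rate` is a real guarantee and the other bridges' `ceil` is a hard cap. Download is capped on each detached bridge's own egress (what the router sends towards that bridge's clients); that is a cap only, and a true download guarantee for br0 would need IFB on the WAN ingress, which this example does not do. With br1 and br2 capped at 30 Mbit/s of an 80 Mbit/s link, br0 is left the remaining 50 in practice. Assumptions: `tc` with the HTB scheduler and the iptables MARK target are present in the DD-WRT build (an assumption; both are standard kernel features but a given firmware may omit them); the GUI QoS is switched off, because it is assumed to install its own root qdisc on the WAN device and would fight this script; the WAN device comes from `get_wanface` with eth0 as an off-router fallback; the kbit values are constructed from the numbers in this thread. `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: per-bridge HTB shaping on a DD-WRT-style router.
# Assumptions: tc/HTB and iptables MARK available; GUI QoS disabled;
# get_wanface exists on the router (eth0 fallback off-router).
WAN=${WAN:-$(get_wanface 2>/dev/null || echo eth0)}
LINK=80000   # kbit; constructed from the poster's 80 Mbit/s QoS setting

run() {
    # Print instead of executing when DRY_RUN=1, so the plan can be reviewed.
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# htb_rates_fit <link_kbit> <rate_kbit...>: HTB can only honour the
# guaranteed child rates if their sum does not exceed the parent's rate.
htb_rates_fit() {
    link=$1; shift; sum=0
    for r in "$@"; do sum=$((sum + r)); done
    [ "$sum" -le "$link" ]
}

# shape_upload <wan> <link_kbit> "<bridge>:<mark>:<rate_kbit>:<ceil_kbit> ..."
# The first entry becomes the default class, which also carries traffic the
# router originates itself (e.g. its OpenVPN server).
shape_upload() {
    wan=$1; link=$2; spec=$3
    run tc qdisc del dev "$wan" root 2>/dev/null || true
    first=${spec%% *}; default=${first#*:}; default=${default%%:*}
    run tc qdisc add dev "$wan" root handle 1: htb default "$default"
    run tc class add dev "$wan" parent 1: classid 1:1 htb \
        rate "${link}kbit" ceil "${link}kbit"
    for entry in $spec; do
        br=${entry%%:*}; rest=${entry#*:}
        mark=${rest%%:*}; rest=${rest#*:}
        rate=${rest%%:*}; ceil=${rest#*:}
        # classid minors are hex, the fw mark is decimal; the fw filter is
        # what ties mark N to class 1:N, so they need not be equal numbers.
        run tc class add dev "$wan" parent 1:1 classid "1:$mark" htb \
            rate "${rate}kbit" ceil "${ceil}kbit"
        run tc filter add dev "$wan" parent 1: protocol ip \
            handle "$mark" fw flowid "1:$mark"
        # Mark packets as they enter from this bridge; the mark survives
        # routing and NAT and is seen by tc on the WAN egress.
        run iptables -t mangle -D PREROUTING -i "$br" -j MARK --set-mark "$mark" 2>/dev/null || true
        run iptables -t mangle -A PREROUTING -i "$br" -j MARK --set-mark "$mark"
    done
}

# shape_download <bridge> <cap_kbit>: hard cap on what the router sends into
# the bridge (rate == ceil). Caps only; no guarantee without IFB on WAN ingress.
shape_download() {
    br=$1; cap=$2
    run tc qdisc del dev "$br" root 2>/dev/null || true
    run tc qdisc add dev "$br" root handle 1: htb default 1
    run tc class add dev "$br" parent 1: classid 1:1 htb \
        rate "${cap}kbit" ceil "${cap}kbit"
}

# shape_all: the layout from this thread. Upload: br0 guaranteed 50 Mbit/s and
# allowed to burst to the link; br1 capped at 10, br2 at 20 (small guarantees
# so they are never starved). Download: br1 and br2 capped on their egress.
shape_all() {
    htb_rates_fit "$LINK" 50000 2000 4000 \
        || { echo "guaranteed rates exceed the link rate" >&2; return 1; }
    shape_upload "$WAN" "$LINK" \
        "br0:10:50000:$LINK br1:20:2000:10000 br2:30:4000:20000"
    shape_download br1 10000
    shape_download br2 20000
}
```

Run `shape_all` from the startup script (after the bridges exist) and keep the mangle rules in the firewall script; `tc -s class show dev "$WAN"` then shows per-bridge byte counters, which is the quickest way to confirm that guest traffic really lands in class 1:20 rather than the default class. `htb_rates_fit` is the check worth keeping: if the guaranteed rates add up to more than the parent, HTB silently stops guaranteeing anything.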
Sephiroth
PostPosted: Thu Apr 29, 2021 22:10
Alright, I played with it for a few hours now and I think I have it. I also discovered that we have a major issue right now. We're only getting 24Mbps down and 33Mbps up. Not good. Spectrum will be called shortly.

I attached an image of the current settings. When I connect to the internal WiFi I get 20/30, and when connecting to the guest network I get 5/5. I simply need to add one for the old network, AFTER the WAN is fixed. Is this setup correct?

Sephiroth
PostPosted: Thu Apr 29, 2021 22:53
OK, something isn't right, but I have to go. I set up the old network bridge to have 20Mbps up and down, but I am only getting 9-11Mbps, almost like the first bridge is affecting it. The WAN connection has been fixed. It is back to 93-95Mbps up and down. I set QoS to 81920 (80Mbps) both ways. Still, I cannot get vlan4/br2 to cap at 20Mbps. What have I done wrong?
Page 1 of 2. All times are GMT.