VLAN Separation not working

DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
adriandaz
DD-WRT User


Joined: 15 May 2008
Posts: 84

PostPosted: Tue Mar 17, 2009 16:02    Post subject: VLAN Separation not working
Hello, I am trying to create a separate WVLAN on a different SSID which will have internet access but no access to the rest of the LAN. I am using a WRT54GS v1.1 (CGN20) with the latest eko firmware.

My normal network is on the 192.168.1.0 subnet which has access to the internet via an adsl router on 192.1685.1.254

The WRT54GS WAN is to be plugged into a switch on the network and assigned an IP of 192.168.1.253 and the normal LAN/WIFI side of the WRT54GS will be in the 192.168.0.0 subnet, while I want the VLAN/WVLAN to be in the 192.168.2.0 subnet.

I have created a new bridge (br1) with an interface address 192.168.2.253, created a VLAN (vlan2) from port 4 on the WRT54GS and created a second SSID (wl0.1).

I have then added vlan2 and wl0.1 to br1 along with a couple of iptables rules to allow internet access, but it seems it also has access to the rest of the network.

I was using the instructions from the following tutorial, but using the newer features of the latest builds of firmware to assign and create the bridge, VLAN and SSID:

http://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_each_with_Wireless_and_Internet

Any advice greatly appreciated...
(I will add some screen shots)

screenshots:
Quote:

advanced routing page - http://download.adriandaz.co.uk/advrout.jpg
basic config - http://download.adriandaz.co.uk/basic.jpg
firewall rules - http://download.adriandaz.co.uk/firewall.jpg
networking - http://download.adriandaz.co.uk/networking.jpg
vlans - http://download.adriandaz.co.uk/vlan.jpg
wireless - http://download.adriandaz.co.uk/wireless.jpg
also services for dhcp:
http://download.adriandaz.co.uk/services.jpg


Last edited by adriandaz on Wed Mar 18, 2009 2:00; edited 1 time in total
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Tue Mar 17, 2009 23:58    Post subject:
how well does this tutorial fit your requirements?

http://www.pennock.nl/dd-wrt/Multiple_BSSIDs.html
adriandaz
DD-WRT User


Joined: 15 May 2008
Posts: 84

PostPosted: Wed Mar 18, 2009 0:59    Post subject:
Quite well, but produces similar results...
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Wed Mar 18, 2009 3:20    Post subject:
I think what you are looking to do is adjust the current iptables script to also block communication between the subnets and/or interfaces.
H4ttori
DD-WRT Novice


Joined: 16 Mar 2009
Posts: 23

PostPosted: Thu Mar 19, 2009 14:00    Post subject:
I have the same problem. I've upgraded to eko dd-wrt.v24-11296_NEWD_micro.bin and reworked everything; I followed this tutorial http://www.dd-wrt.com/wiki/index.php/V24:_WLAN_separate_from_LAN%2C_with_independent_DHCP
and I had both LAN and WLAN working but no internet on WLAN. Has anyone made it work?
ddeo
DD-WRT Novice


Joined: 24 Sep 2008
Posts: 31

PostPosted: Thu Mar 19, 2009 14:06    Post subject:
Just curious... Are you on DSL? I have never been able to separate VLANs successfully. I am of the opinion that there is a bug of some sort with DD-WRT and DSL/PPPoE with respect to separating vlans (wireless or wired makes no diff)

I tried many diff configs and a few diff hardware with no success.
adriandaz
DD-WRT User


Joined: 15 May 2008
Posts: 84

PostPosted: Thu Mar 19, 2009 14:15    Post subject:
I am using a separate SpeedTouch ADSL router, which takes care of my Internet via PPPoA, not PPPoE, but I only really use the WRT54GS in an AP sort of way.

I've managed to keep my WVLAN separate from the rest of the network and from accessing the DD-WRT config pages, while having the WRT54GS connected to my LAN via one of its LAN ports, which means I can have my normal wifi and LAN devices on the rest of my network and the WVLAN still stays separate.

H4ttori, why are you trying to separate wireless from the LAN? Wouldn't it be easier to have wireless and LAN the same, but a separate WVLAN for the "independent access"?

FWIW, I'm using the latest mega eko build...
H4ttori
DD-WRT Novice


Joined: 16 Mar 2009
Posts: 23

PostPosted: Thu Mar 19, 2009 14:25    Post subject:
Look, I'm using 2 WRT54G2 routers. The 1st feeds internet to my office LAN, the 2nd is for a "hotspot", but I need that 1 PC connects to it and has access to my office LAN, so I need the 2nd WLAN to not access my office LAN. Right now it works fine as separate LANs but no Internet on the "hotspot".
sebek72
DD-WRT Novice


Joined: 21 Jan 2009
Posts: 16

PostPosted: Thu Mar 19, 2009 14:30    Post subject:
Same scenario here (2 WRT54G2's): separate hotspot VLAN working but no internet... or separate VLAN working with internet, but access to my LAN, which I don't want :(
H4ttori
DD-WRT Novice


Joined: 16 Mar 2009
Posts: 23

PostPosted: Thu Mar 19, 2009 14:35    Post subject:
Mine worked fine, no LAN access, with the tutorial posted above. Which version of DD-WRT are you using?
adriandaz
DD-WRT User


Joined: 15 May 2008
Posts: 84

PostPosted: Thu Mar 19, 2009 14:48    Post subject:
Similar to what I have here in a way, I am using a WRT54GS v1.1.

My ADSL router (192.168.1.254) to my 5 port switch...
My WRT54GS (192.168.1.253) connected to the switch via one of its LAN sockets.

Made a bridge (br1) with subnet 192.168.2.253
Made a WVLAN (wl0.1 - AP isolation!) and added it to br1

Added the dnsmasq to serve 192.168.2.0 subnet IPs to the br1 interfaces.

Now LAN ports and normal SSID act as part of the normal network, and the WVLAN separate SSID has no access to the rest of the network but has internet access.

Quote:

iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j ACCEPT

iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

... to stop the WVLAN access to config pages...

So I did not need to mess about adding an extra VLAN in the end...
adriandaz
DD-WRT User


Joined: 15 May 2008
Posts: 84

PostPosted: Thu Mar 19, 2009 15:04    Post subject:
Anyone know the iptables rules which would only allow br1 access to dns and http/https ?

cheers,
H4ttori
DD-WRT Novice


Joined: 16 Mar 2009
Posts: 23

PostPosted: Thu Mar 19, 2009 15:19    Post subject:
What gateway are you receiving via WLAN? I think that may be the problem.

Edit: look at the commands Here
adriandaz
DD-WRT User


Joined: 15 May 2008
Posts: 84

PostPosted: Thu Mar 19, 2009 15:27    Post subject:
Using the wrt54gs as the gateway, on both subnets, so 192.168.1.253 and 192.168.2.253. The wrt's gateway is 192.168.1.254

Tried some of those rules, but I think I need to change them a little...
adriandaz
DD-WRT User


Joined: 15 May 2008
Posts: 84

PostPosted: Thu Mar 19, 2009 16:24    Post subject:
Basically I only want to allow dns, http and https to be used from br1

cheers,
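The ruleset asked for in the last two posts (br1 allowed only DNS, HTTP and HTTPS), as an added example that is not part of this thread or of DD-WRT itself. It keeps the poster's interface names (br0 for the LAN side, br1 for the guest bridge) and 192.168.x.x addressing; the chain names guest_in and guest_fwd and the DRY_RUN preview switch are this example's own choices. The point it adds to the rules quoted earlier in the thread: in this setup the internet gateway 192.168.1.254 is reached through br0, the same bridge the office LAN lives on, so an interface-only rule like "iptables -I FORWARD -i br1 -o br0 -j ACCEPT" necessarily lets guests reach 192.168.1.0/24 as well. Separation therefore has to be done on the destination address, by dropping the private ranges before the port allows, and the router's own admin ports are covered by dropping everything from br1 in INPUT except DHCP and DNS, which replaces the four REJECT lines.

```shell
#!/bin/sh
# Added example (not from the thread or the DD-WRT project): a DD-WRT firewall script
# that lets the guest bridge br1 reach only DHCP and DNS on the router plus
# DNS/HTTP/HTTPS on the internet, and never the private LAN ranges.
# br0/br1 and the 192.168.x.x ranges follow the poster's setup; the chain names
# guest_in/guest_fwd are this example's own choice.
GUEST_IF="${GUEST_IF:-br1}"
# RFC 1918 ranges: covers 192.168.1.0/24 (the office LAN behind br0) and 192.168.0.0/24
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# DRY_RUN=1 prints each iptables command instead of running it, so the ruleset can be
# reviewed on a PC (or tested) before it is pasted into Administration -> Commands.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

guest_rules() {
    # Remove any previous copy of the hooks and chains so re-running the script is safe
    ipt -D INPUT -i "$GUEST_IF" -j guest_in 2>/dev/null
    ipt -D FORWARD -i "$GUEST_IF" -j guest_fwd 2>/dev/null
    for chain in guest_in guest_fwd; do
        ipt -F "$chain" 2>/dev/null
        ipt -X "$chain" 2>/dev/null
        ipt -N "$chain"
    done

    # Traffic from br1 to the router itself: only DHCP and DNS (served by dnsmasq).
    # Everything else, including the telnet/ssh/http/https admin ports, is dropped.
    ipt -A guest_in -p udp --dport 67 -j ACCEPT
    ipt -A guest_in -p udp --dport 53 -j ACCEPT
    ipt -A guest_in -p tcp --dport 53 -j ACCEPT
    ipt -A guest_in -j DROP

    # Traffic from br1 to anywhere else. Private destinations are refused first; an
    # interface-only rule such as "-i br1 -o br0 -j ACCEPT" cannot do this, because the
    # internet gateway sits behind br0 together with the office LAN.
    for net in $PRIVATE_NETS; do
        ipt -A guest_fwd -d "$net" -j DROP
    done
    ipt -A guest_fwd -p udp --dport 53 -j ACCEPT
    ipt -A guest_fwd -p tcp --dport 53 -j ACCEPT
    ipt -A guest_fwd -p tcp --dport 80 -j ACCEPT
    ipt -A guest_fwd -p tcp --dport 443 -j ACCEPT
    ipt -A guest_fwd -j DROP

    # Hook the chains in ahead of the stock DD-WRT rules; replies to guest connections
    # (arriving with -o br1) are let back in by connection tracking.
    ipt -I FORWARD -o "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -I FORWARD -i "$GUEST_IF" -j guest_fwd
    ipt -I INPUT -i "$GUEST_IF" -j guest_in
}

# On the router (root, iptables present) the rules are applied; anywhere else the
# script falls back to printing them so the ruleset can be read first.
if [ "$(id -u)" != "0" ] || ! command -v iptables >/dev/null 2>&1; then
    DRY_RUN=1
fi
guest_rules
```

After saving it as the firewall script, check the result with "iptables -L FORWARD -v -n" and "iptables -L INPUT -v -n" (the guest_in and guest_fwd jumps should be at the top of each chain), then from a client on the guest SSID confirm that a web site loads while 192.168.1.254 and the router's own config page do not. DROP was chosen over the thread's REJECT --reject-with tcp-reset so that the guest side learns nothing about which router ports exist; REJECT gives guest clients a faster failure if that matters more to you.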
All times are GMT