[madburg]

I would like to start with hello to all first as a newbie. I have a wintel background and not in networking , but love learning, and this is a learning curve. Interesting stuff as I am aware of busybox, etc... My first moded router was a buffalo with T0m@to. Now I am:

# Using a WRT600N v1.1 on Firmware Version: DD-WRT v24-sp2 (10/12/10) mega - build 15437
# Note all # are for remarks in this post as comment/questions and my understand of commands.
---------------------------------------------------------------------------------------------
# ***DEFAULTS*** = vlan0 per documentation not used (weird because my understand is all unknown/untagged traffic should be vlan0)
# vlan1 ALL Ports (1-4), vlan2 port 0 (WAN), 8* used to state GB Router Proccssor

# telnet or SSH in

# Clear any ports from vlan0 (they seem to come right back after reboot,
# assuming from what I know VLAN0 always spans all ports? as stated above)
nvram unset vlan0ports (I also tried nvram set vlan0ports="", wondering if nvram set vlan0ports="8*" would be any different)

# Set Ports 2,3,4 to vlan1 (removing port 1 from default setup)
nvram set vlan1ports="2 3 4 8*"

# Set Port 0 to vlan2 (WAN port default)
nvram set vlan2ports="0 8*"

# Set Port 1 to vlan3 (new vlan we are introducing, not sure if this is really creating one,
# as i see there is a vconfig command out there...? maybe I should have a "vconfig add eth0 3" here or "vconfig add et0 3")
nvram set vlan3ports="1 8*"

# clear vlan0 hw name (since we are trying to remove all ports from vlan0,
# it should not have a hwname, right? seems to remove and stick)
nvram unset vlan0hwname

# Set vlan1 hw name (eth0) (confused here read from post set all vlan hwname's to et0 which is Linksys eth0,
# but eth0 is the 2.4Ghz wireless???, what the right thing to do here?)
nvram set vlan1hwname=et0

# Set vlan2 hw name (eth0)
nvram set vlan2hwname=et0

# Set vlan3 hw name (eth0)
nvram set vlan3hwname=et0

# Set lan devs (sets both wireless ports AND vlan1 as LAN devices (hope this is the proper terminology),
# Not sure if it should be set as wl0 or eth0 and wl1 or eth1, but it does stick after reboot)
nvram set landevs="vlan1 wl0 wl1"

# Set lan ifnames (sets both wireless ports AND vlan1 LAN's to default bridge br0, hope this is correct?,
# Not sure if it should be set as eth0 or wl0 and eth1 or wl1, but it does stick after reboot)
nvram set lan_ifnames="vlan1 eth0 eth1"

# Next we insert the following code into the Startup Script (Not sure were this is actually stored?)
nvram set rc_startup='

# I see this following line in many post (but starts with #), is it just a remark? or is it doing something???
#!/bin/ash

# Seems we are adding "/sbin:/usr/sbin:/bin:/usr/bin" to the PATH?
# How do you know if these dir exist? What is JUST the default path?
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Make sure vlan1 is always set to below network
ifconfig vlan1 192.168.0.1 netmask 255.255.255.0

# Make sure vlan3 is always set to below network
ifconfig vlan3 192.168.99.1 netmask 255.255.255.0

# Bridge Control = Add new Bridge as br1
brctl addbr br1

# Configure Bridge br1 network
ifconfig br1 192.168.99.1 netmask 255.255.255.0

# make sure to bring up vlan1
ifconfig vlan1 up

# Bring up vlan3, not sure if command nvram set vlan3ports="1 8*" earlier above actually created vlan3
ifconfig vlan3 up

# Bridge Control = Add vlan3 to Bridge br1
brctl addif br1 vlan3

# Bring up Bridge br1
ifconfig br1 up
'

# Next we insert the following code into the Firewall Script (Not sure were this is actually stored?)
# I am pretty lost here, their are some many post many seem like good ideas, but need to know what to apply to my
# to reach my goal, which is dont allow any device to get to vlan3 but vlan3 must we able to go out to the internet,
# but not allow any vlan3 device anywhere else. My understand is on either side clients will be able to ping the
# gateways 192.168.0.1 (vlan1) and 192.168.99.1 (vlan3) but that is it, no more than than if I do things right.
nvram set rc_firewall='

# Is this following line even needed?
iptables -I INPUT -i br1 -j ACCEPT

# Is this following line even needed? to allow to go out the WAN port?
iptables -I FORWARD -i br1 -o vlan2 -m state --state NEW -j ACCEPT

# Is this following line even needed? to allow to use PPP?
iptables -I FORWARD -i br1 -o ppp0 -m state --state NEW -j ACCEPT

# Here are some line I found that may help me achieve my goal, not sure which is appropriate...

# My understanding here is drop anything coming from Bridge br1 (which vlan3 is on)
# that is trying to go to Default Bridge br0. Does this apply vise versus?
iptables -I FORWARD -i br0 -o br1 -j logdrop

# Did should prevent br1 talking to br0 (vlan1 & WiFi) and prevent br0 talking to br1 (vlan3)
iptables -t nat -I PREROUTING -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j logdrop
iptables -t nat -I PREROUTING -i br0 -d $(nvram get br1_ipaddr)/$(nvram get br1_netmask) -j logdrop

# Or a sping the the above, instead of PREROUTING use FORWARD? I tried this one and it worked. You
# can tell the network is there and getting dropped, versus if there was no route at all.
# But it works !!!
iptables -I FORWARD 1 -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j logdrop
iptables -I FORWARD 2 -i br0 -d $(nvram get br1_ipaddr)/$(nvram get br1_netmask) -j logdrop

'
nvram commit
reboot
---------------------------------------------------------------------------------------------
# DNSMasq (Setup) - I am setting up 1 DHCP address to be assigned to a device on port 1 / vlan3 ONLY.
# Enables DHCP on br1 (Bridge)
interface=br1
# Set the default gateway for Bridge br1 client
dhcp-option=br1,3,192.168.99.1
# Set the DHCP range and default lease time of 24 hours for the Bridge br1 clients (in my case just 1)
dhcp-range=br1,192.168.99.99,192.168.99.99,255.255.255.0,24h

# Works, Client receives the sole IP avaiable on port1/Vlan3

I know the post is long, but I didn't want to just post little questions here and there to learn, I have really read alot (wiki's, post, etc..) and tried many bits of code and worked at it (almost brick at one point, Wifi was the only connection back into the router) before posting this post. And appreciate what light can be shed to my questions above.

///////////////////////////////////////////////
notes from ifconfig
///////////////////////////////////////////////
br0 = [LAN MAC] 00:1E:E5:A6:2B:2F is a Bridge connecting the 4 LAN and the WIFI together
br0.0 = [LAN MAC] 00:1E:E5:A6:2B:2F (inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0)
br1 = [LAN MAC] 00:1E:E5:A6:2B:2F created this for VLAN3
eth0 = [Wl MAC1] 00:1E:E5:A6:2B:31 (wl0 [2.4Ghz] SSID1)
eth1 = [Wl MAC2] 00:1E:E5:A7:03:93 (wl1 [5 Ghz ] SSID2)
eth2 = [LAN MAC] 00:1E:E5:A6:2B:2F
lo = Loopback net addr:127.0.0.1 Mask:255.0.0.0
vlan1 = [LAN MAC] 00:1E:E5:A6:2B:2F
vlan2 = [WAN MAC] XX:XX:XX:XX:XX:XX is the WAN port (ppp0 is the WAN interface when PPPoE is used, I am not but keeping in my notes)
vlan3 = [LAN MAC] 00:1E:E5:A6:2B:2F

[phuzi0n]

If there's a question somewhere in there I can't find it.

[madburg]

All my questions end with a "?", read the post. If you scrolled through then the questions are not apparent. Hard to believe no one can help with at least a few of the questions.

If I was wrong to post one large thread and should break it into parts, please let me know and I will do so. I appreciate someone taking the time out to read and anwser what they know the anwsers to. Many thanks in advanced.

[phuzi0n]

Those are dozens of nitpicking doubts about the configuration... Do you have an actual problem with it or are you just second guessing everything you do?

Many of the answers you've probably already read but forgot/overlooked but here's a few answers:

Don't worry about vlan0 on gigabit hardware, the firmware automatically creates these variables even though they're not used and will recreate them every reboot.

et0 is correct and not the same as eth0.

You do not need to do anything with the PATH and you could echo it to see that you're adding the same directories that are there by default.


Your configuration looks alright with only some minor insignificant excess commands but most of what you're doing can be done in the GUI as explained well in this somewhat unrelated guide (just leave out the VAP portion if you want).

http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs