Seperate Lan and WLan

From DD-WRT Wiki

Revision as of 03:47, 22 May 2005 by Sveasoft (Talk | contribs)




THIS WIKI IS A WORK IN PROGRESS. PLEASE HELP

Introduction

While Linksys never intended their WRT54G/GS router to allow multiple local networks, it is possible to separate the WLan network from the Lan network and allow both to independently access the internet. Since this was not supported by the original Linksys firmware, and all custom firmwares are derived from it, performing this setup will yield unexpected results when configuring certain options from the Web Interface. Users wishing to perform this setup should be very familiar with the command line interface, as the Web Interface settings broken by this setup can still be set from the command line.

Users wishing to configure their routers this way might choose to install the OpenWRT firmware instead as it does not offer a web interface that can get screwed up.

Keep in mind that Brainslayer is currently in the process of merging DD-WRT with OpenWRT. While it was already true that things said for OpenWRT were likely the same or similar for DD-WRT since they both share the same Linksys firmware roots, this statement is even more true now and will eventually read: Things said for OpenWRT can be said for DD-WRT. We are not there yet.

Hardware

Physically, the WRT54G is a 2 port router and a 6 port switch. 1 port of the switch is connected to the router. 1 port of the switch is the WAN port. The other 4 ports of the switch are the 4 LAN ports seen on the back of the router. The remaining port on the router is connected to the WLAN adapter.

By default, inside the switch exist 2 Virtual LANs (VLans), vlan0 and vlan1. vlan0 contains ports 1-4 (Lan ports) and port 6 (router). vlan1 contains port 0 (WAN) and port 6 (router). IPTables are then implemented on the router such that NAT'd routing is possible between the VLans.

By default, inside the router there is a bridge (br0) bridging eth1 (WLAN) and eth0 (switch port 0). This is what allows the WLAN and LAN to share the same IP address range. When the router needs to send information to client machines, it is broadcast out br0 (sending it to eth1 and vlan0). When the router needs to send information to the WAN port, it is sent directly to vlan1.

Please read OpenWRT: OpenWRT DOCS/Configuration as it is short and quite in depth.

Configuration Overview

There are two methods for running separate IP ranges on each of the interfaces, which yield two rather dissimilar results.

iptables method

Rather than splitting up br0, some may find it adequate to use the iptables command to allow routing between two subnets on the LAN/WLAN side. Since br0 is not being split up, there are no/fewer problems caused in the web interface. The major drawback to this is that if wireless users statically assign an IP in the LAN IP address range, the bridge will allow them access. A trick might be to set the WLAN IP range to the default (192.168.1.x) and the LAN IP range to something odd (10.15.25.x, or 192.168.152.x or something) to prevent WLAN users from guessing the IP range.

You can use any private IP ranges you would like, but for this example I will use 192.168.1.x for the LAN ports and 192.168.2.x for the WLAN port.

Basic Steps:

Enable a static route for 192.168.1.x to vlan0
Enable a static route for 192.168.2.x to eth1
Enable DHCP for 192.168.1.x for vlan0
Enable DHCP for 192.168.2.x for eth1

Bypass the bridge method

In this method we will bypass br0, disconnecting the Lan and the WLan ports and ensuring that everything is processed inside the router. The downside is that more web interface options that depend on br0's existence will be broken. Currently it would appear this includes web interface configuration of WEP/WDS.

Basic Steps: These steps need only be done once. After this stage, br0 is not created using the contents of lan_ifnames as would normally be the case, and the wlan_* variables have been created for use with ifup.

Set the lan_ifname nvram variable to vlan0
Set wlan_ifname to eth1
Set wlan_proto to static
Set wlan_ipaddr to the IP you want your WLan adapter on
Set wlan_netmask to your WLan netmask (probably 255.255.255.0)
commit to nvram 
reboot

The following commands will need to be run on every boot (rc_firewall perhaps?)

Enable a static route for <lan_adapter_network> to/from vlan0 and wan
Enable a static route for <wireless_network> to/from eth1 and wan
Enable DHCP for <lan_adapter_network> for vlan0
Enable DHCP for <wireless_network> for eth1

To match the above example, replace <lan_adapter_network> with 192.168.1.x and <wireless_network> with 192.168.2.x
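
The one-time nvram steps and the per-boot routing steps above, as an added shell example that is not DD-WRT's or this wiki's own code: it prints the commands for review rather than running them, and refuses a WLAN address that falls inside the LAN subnet. Assumptions: the function names are hypothetical, the variable is spelled `wlan_ifname` after the `lan_ifname` pattern, the iptables rules are one reading of the routing steps (forward each side to the WAN on vlan1, drop eth1/vlan0 traffic in both directions), and DHCP is left out because the page names no DHCP daemon.

```shell
#!/bin/sh
# Added example (not DD-WRT code): prints the commands, it does not run them.
# Interface names and nvram variables are the ones this page lists.

# valid_ipv4 ADDR: succeeds for a dotted quad with octets 0-255, no leading zeros
valid_ipv4() {
    oct='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($oct\.){3}$oct\$"
}

# ip_to_int ADDR: prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP_A IP_B MASK: succeeds when both addresses share a network
same_subnet() {
    mask=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$2") & $mask )) ]
}

# nvram_once LAN_IP WLAN_IP MASK: one-time settings from the steps above
nvram_once() {
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    if same_subnet "$1" "$2" "$3"; then
        echo "WLAN address is inside the LAN subnet" >&2; return 1
    fi
    printf 'nvram set %s\n' lan_ifname=vlan0 wlan_ifname=eth1 \
        wlan_proto=static "wlan_ipaddr=$2" "wlan_netmask=$3"
    printf '%s\n' 'nvram commit' 'reboot'
}

# per_boot_rules: assumed reading of the per-boot routing steps: each side may
# reach the WAN (vlan1), nothing is forwarded between eth1 and vlan0
per_boot_rules() {
    for lan in vlan0 eth1; do
        echo "iptables -I FORWARD -i $lan -o vlan1 -j ACCEPT"
    done
    echo "iptables -I FORWARD -i eth1 -o vlan0 -j DROP"
    echo "iptables -I FORWARD -i vlan0 -o eth1 -j DROP"
}

# Constructed sample values matching the page's example ranges
nvram_once 192.168.1.1 192.168.2.1 255.255.255.0
per_boot_rules
```

The overlap check matters here because a WLAN address inside the LAN range would put both interfaces on one network and leave nothing for the forwarding rules to separate.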

Vlan Web Interface method

Someone experimenting in the forums discovered that by not assigning the WLAN interface to any vlan he could separate the wireless and lan into separate networks. He was unable to configure WEP/WDS on the wireless link, however. I don't intend to explore this option further in the wiki, as I can find no other documentation describing this type of method for other firmwares. If you don't care about WEP/WDS, this might be easier than the bypass method described above.

Basic Steps (as I understand them)

Change "Wireless" to "None" under VLAN in the Web Interface
Add "wlconf eth1 up" to rc_startup to bring the Wlan back up.
Enable a static route for <lan_adapter_network> to/from vlan0 and wan
Enable a static route for <wireless_network> to/from eth1 and wan
Enable DHCP for <lan_adapter_network> for vlan0
Enable DHCP for <wireless_network> for eth1

To match the above example, replace <lan_adapter_network> with 192.168.1.x and <wireless_network> with 192.168.2.x

Config Implementation

Here we will describe the actual commands needed to accomplish the basic steps outlined above.

Using iptables

needs to be written

Bypassing the Bridge

needs to be written
Looks like this will require a /etc/network/interfaces file, which isn't in the DD-WRT firmware. OpenWRT has it, and I think we could save it to /jffs/ or /tmp and use the -c tag of ifup. The OpenWRT file can be found here: http://openwrt.org/CentralNvramMaps/SbinIfup?highlight=%28ifup%29

External Resources

A DD-WRT Forum Thread on the topic
OpenWRT FAQ: 13. Using OpenWRT as a router, instead of a bridge?
OpenWRT FAQ: what is BR0
OpenWRT Mini howto: 3.1. Individual control of all network devices
OpenWRT: How to VLans
OpenWRT: The Ethernet Switch

