OpenWrt Forum Archive

Topic: how to configure dmz with additional vlan

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

How should I configure a single port to work as a DMZ? I want to connect a WLAN AP to port LAN4 and isolate it from my own LAN.
I have an ASUS WL500gx. I added an additional VLAN and configured the interface, but it doesn't work.

#### VLAN configuration
config switch eth0
        option vlan0    "1 2 3 5*"
        option vlan1    "0 5"
        option vlan2    "4 5"

#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0

#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   '192.168.1.1'
        option netmask  255.255.255.0

#### WAN configuration
config interface        wan
        option ifname   "eth0.1"
        option proto    'pppoe'
        option username 'xxx'
        option password 'xxx'

#### LAN2 configuration
config interface        dmz
        option ifname   "eth0.2"
        option proto    static
        option ipaddr   '192.168.0.1'
        option netmask  255.255.255.0

What's wrong? I don't know what I should do, so please help me.

Thanks,
Michael

More info?!

From a client in subnet 192.168.1.x I can ping the interface 192.168.0.1, but I can't ping the AP behind this interface. I can connect a wireless client to the additional AP; the client gets an IP from the subnet 192.168.1.x and has access to the subnet 192.168.1.x and the internet.

Have you checked the firewall?

alexsamad wrote:

Have you checked the firewall?

I think so, but I can't see any firewall logs. How can I enable the firewall logs?

Try dmesg or logread.

Also try

iptables -nvL

Or you could turn it off (/etc/init.d/firewall stop), just for testing though.


First I would try a tcpdump -pni <interface>, and trace the packet on the inbound and then on the outbound interface.

Thanks a lot for your help, but it was my fault. My router (ASUS WL500gx) has a strange port allocation.

Back-panel label (ASUS)    WAN      LAN1     LAN2     LAN3     LAN4
Internal port number       PORT0    PORT4    PORT3    PORT2    PORT1

(Last edited by heinb on 14 Sep 2007, 07:43)

And here is my result for separating one VLAN from another and giving it access to the internet:

/etc/config/network

#### VLAN configuration
config switch eth0
        option vlan0    "1 2 3 5*"
        option vlan1    "0 5"
        option vlan2    "4 5"


#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   '192.168.1.1'
        option netmask  255.255.255.0


#### WAN configuration
config interface        wan
        option ifname   "eth0.1"
        option proto    'pppoe'
        option username 'xxx'
        option password 'xxx'

#### LAN2 configuration
config interface        dmz
        option ifname   "eth0.2"
        option proto    static
        option ipaddr   '192.168.0.1'
        option netmask  255.255.255.0

/etc/config/dhcp

config dhcp
        option interface        lan
        option start    100
        option limit    150
        option leasetime        12h

config dhcp
        option interface        wan
        option ignore   1

config dhcp
        option interface        dmz
        option start    100
        option limit    150
        option leasetime        12h

Add to /etc/init.d/firewall:

config_get DMZ dmz ifname

and change

# allow
        iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
        [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

to

# allow
        iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
        [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
        [ -z "$DMZ" ] || iptables -A FORWARD -i $DMZ -o $WAN -j ACCEPT

That's all!

But I have one more question: how is it possible to get access from vlan0 to the DMZ, to manage the AP in vlan2, without any access from vlan2 to vlan0? I can only ping vlan2 directly from the router, not from a client in vlan0.

After I set up a DMZ VLAN, I added this to /etc/firewall.user rather than editing /etc/init.d/firewall. This allows the DMZ to connect to the WAN, and the LAN to connect to the DMZ. This doesn't restrict WAN or DMZ connections to the router itself, though. That could be done either by using new chains instead of ACCEPT, or the software on the router can be secure enough that it doesn't matter.

# Get DMZ interface
[ -z "$DMZ" ] && config_get DMZ dmz ifname

# Allow DMZ->WAN
[ -n "$DMZ" -a -n "$WAN" ] &&
    iptables -A forwarding_rule -i $DMZ -o $WAN -j ACCEPT

# Allow LAN->DMZ
[ -n "$LAN" -a -n "$DMZ" ] &&
    iptables -A forwarding_rule -i $LAN -o $DMZ -j ACCEPT

I worked through this thread and now a client in my DMZ can ping 192.168.0.1, and a client in the LAN can ping 192.168.1.1.
But from the DMZ the DNS server on my WL500GP doesn't work; from the LAN everything is fine. I tried setting the IP in the LAN2 configuration to the same IP as in the LAN configuration, but that seems to be wrong.

Is it possible for the DMZ and LAN to have the same subnet (but with no traffic between them, of course)?

And is it possible to add a printer to the switch so that I can print from both LAN and DMZ?

A simple yes will give me the power to work on; some help will make me happy! :)
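The following is an added example and not code posted by anyone in this thread. It carries the /etc/firewall.user approach from the earlier post one step further, so that it also covers the open point raised there (connections from the DMZ to the router itself) and the question just above (which router services a DMZ client needs, such as DNS). It assumes the stock OpenWrt firewall script of that era: default policy DROP, RELATED,ESTABLISHED accepted in INPUT and FORWARD before the hook chains, and the input_rule and forwarding_rule chains existing and being consulted before the script's own allow rules. The interface names eth0.0 and eth0.2 are taken from the configs above; ppp0 as the PPPoE session interface is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: DMZ isolation for the legacy
# OpenWrt firewall hook chains. Assumes the stock script already set
# "-P DROP", accepted RELATED,ESTABLISHED in INPUT and FORWARD, and
# created input_rule / forwarding_rule. Interface names below are
# assumptions matching the thread's config (ppp0 is a guess for pppoe).
LAN=${LAN:-eth0.0}
WAN=${WAN:-ppp0}
DMZ=${DMZ:-eth0.2}
# IPT=echo prints the rules instead of loading them (dry run).
IPT=${IPT:-iptables}

# Traffic routed *through* the router.
dmz_forward_rules() {
    # DMZ may reach the internet.
    $IPT -A forwarding_rule -i "$DMZ" -o "$WAN" -j ACCEPT
    # LAN may open connections into the DMZ (manage the AP from a LAN
    # client). Replies come back as ESTABLISHED and are accepted by the
    # stock base rule, so no DMZ->LAN allow is needed for that.
    $IPT -A forwarding_rule -i "$LAN" -o "$DMZ" -j ACCEPT
    # DMZ may never *start* a connection into the LAN. The default policy
    # drops it anyway; the explicit rule keeps it dropped even if a
    # broader allow is added further down the FORWARD chain later.
    $IPT -A forwarding_rule -i "$DMZ" -o "$LAN" -m state --state NEW -j DROP
}

# Traffic addressed *to the router itself* from the DMZ. The stock script
# accepts everything that does not arrive on $WAN, so without this the DMZ
# could reach ssh/http on the router. input_rule is consulted before that
# accept, so only the listed services stay reachable from the DMZ.
dmz_input_rules() {
    $IPT -A input_rule -i "$DMZ" -p udp --dport 67 -j ACCEPT   # DHCP
    $IPT -A input_rule -i "$DMZ" -p udp --dport 53 -j ACCEPT   # DNS
    $IPT -A input_rule -i "$DMZ" -p tcp --dport 53 -j ACCEPT   # DNS over TCP
    $IPT -A input_rule -i "$DMZ" -p icmp -j ACCEPT             # ping
    $IPT -A input_rule -i "$DMZ" -j REJECT
}

dmz_apply() {
    # Refuse to run with an empty interface name rather than emit a
    # rule whose -i/-o argument is missing.
    for v in LAN WAN DMZ; do
        eval "val=\$$v"
        [ -n "$val" ] || { echo "dmz: $v is not set" >&2; return 1; }
    done
    dmz_forward_rules && dmz_input_rules
}

# Load the rules only when run as "sh dmz-firewall.sh apply"; sourcing
# the file just defines the functions, so a caller (for example
# /etc/firewall.user) can invoke dmz_apply itself.
[ "${1:-}" = "apply" ] && dmz_apply
```

Run `IPT=echo sh dmz-firewall.sh apply` first to review the exact rules, then without IPT on the router. Order matters in both chains: the DMZ-to-LAN DROP and the final REJECT must come after the accepts, and `iptables -nvL forwarding_rule` / `iptables -nvL input_rule` is the check that they landed where intended.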

The discussion might have continued from here.