OpenWrt Forum Archive

Topic: isolating ports/networks, creating multiple vlans

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi everybody, I've been reading the forums and howtos, but I can't find details on how to accomplish what I want to do (if it's possible):

I have a wrt54g v2 running kamikaze 7.09, and want to isolate the ports

ex:
port 1 & 2 and wireless on    subnet 192.168.1.x
port 3 one computer as DMZ subnet 192.168.2.x
port 4 connect a second switch that will have open wifi and wired guests subnet 192.168.3.x

I want to make sure all computer(s) on each subnet are not able to see each other, but able to access the internet

so basically:
1 subnet would be a private network
2nd subnet would have non-NATed asterisk server
3rd subnet would be for guests wired & wireless

If someone can post detailed instructions for configurations files /network , firewall.user etc. or point me in the right direction, it would be much appreciated.

thank you in advance.

slypix wrote:

port 4 connect a second switch that will have open wifi and wired guests subnet 192.168.3.x

Do you mean you will have another access point plugged into the switch that is attached to port 4?

I hope this points you in the right direction :)

Have a look at the "setting up the switch" section of this document.  It tells you how to put the different ports into different VLANs.

The LAN network will, by default, contain vlan0 (ports 1 to 4) and the Wifi, so you should be able to remove ports 3 and 4 from vlan0 for the 192.168.1.x network.  (Note, the port numbers on the back of the router are not necessarily the same as the port numbers in the configuration.)

Leave vlan1 as the WAN port.

Create a new vlan2 with port 3 in it (again, the number you need to use might not be 3.)
Create a new vlan3 with port 4 in it (ditto.)

Hey Wodin thanks for the help,

Port 4 will have an old 802.11b router, set up as a switch only (DHCP turned off), so guests can log on wired/wirelessly to the net without having access to the other 2 vlans.

while reading up on the link you posted, I managed to find a tutorial on setting up DMZ, I figured I can start there, and then add another vlan, once I got the first step working.

I'm glad I got the first step working, but still having trouble getting 3 vlans working.

here is what I have so far:

/etc/config/network

#### VLAN configuration
config switch eth0
        option vlan0    "2 3 5*"        # private lan
        option vlan1    "0 5"           # wan
        option vlan2    "4 5"           # DMZ
        option vlan3    "1 5"           # public lan

#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface        lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0

#### WAN configuration DHCP
config interface        wan
        option ifname   "eth0.1"
        option proto    "dhcp"
        option hostname "kamikaze"

### DMZ configuration
config interface        dmz
        option ifname   "eth0.2"
        option  proto   static
        option  ipaddr  192.168.2.1
        option netmask  255.255.255.0

### Public lan configuration
config interface        pub
        option ifname   "eth0.3"
        option proto    static
        option ipaddr   192.168.3.1
        option netmas   255.255.255.0

/etc/config/dhcp

config dhcp
        option interface        lan
        option start    100
        option limit    150
        option leasetime        12h

config dhcp
        option interface        wan
        option ignore   1

config dhcp
        option interface        dmz
        option start    100
        option limit    150
        option leasetime        12H

config dhcp
        option interface        pub
        option start    100
        option limit    150
        option leasetime        12H

/etc/firewall.user

#!/bin/sh
# Copyright (C) 2006 OpenWrt.org

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

# Get DMZ interface
[ -z "$DMZ" ] && config_get DMZ dmz ifname

# Allow DMZ->WAN
[ -n "$DMZ" -a -n "$WAN" ] &&
iptables -A forwarding_rule -i $DMZ -o $WAN -j ACCEPT

# Allow LAN->DMZ
[ -n "$LAN" -a -n "$DMZ" ] &&
iptables -A forwarding_rule -i $LAN -o $DMZ -j ACCEPT

# Get Public interface
[ -z "$PUB" ] && config_get PUB pub ifname

# Allow PUB->WAN
[ -n "$PUB" -a -n "$WAN" ] &&
iptables -A forwarding_rule -i $PUB -o $WAN -j ACCEPT


So with the above configuration, when connected to port 2 or 3, I'm able to get a 192.168.1.x address through DHCP, and when connected to port 4, I get a 192.168.2.1 address... perfect!!

1. I can access the net from both vlans.
2. I can ping from 192.168.1.x => 192.168.2.x so from private to public
3. I can't ping from 192.168.2.x => 192.168.1.x ... great the public network can't access my private subnet.

The trouble now is my last vlan 192.168.3.1 doesn't work (port 1); I don't get a 192.168.3.x IP assigned automatically, and even when I set it manually, I can't ping anything.

any ideas?

thanks again.
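An added sanity check for a multi-VLAN config like the one posted above (example code written for this archive page, not part of the original thread and not OpenWrt's own tooling). It lints a Kamikaze-style /etc/config/network for the two things that most often leave one VLAN dead while the others work: an option key that is misspelled (so the line is silently ignored by the interface setup), and a switch stanza where a port is listed in two VLANs, a port is in no VLAN, a VLAN lacks the CPU port, or more than one VLAN carries the "*" default marker. The sample configs are constructed from the stanzas in this post; the assumption that the CPU port is 5 and the external ports are 0 to 4 follows the WRT54G v2 layout used there, and would need changing for another board.

```shell
#!/bin/sh
# Lint a Kamikaze-era /etc/config/network (plain "config switch" stanzas with
# "option vlanN" port lists) for misspelled interface options and
# inconsistent VLAN port membership. Constructed example, not OpenWrt code.

# Constructed sample modelled on the stanzas in the post above; it keeps the
# "netmas" typo on purpose so the linter has something to report.
SAMPLE_CONFIG='
config switch eth0
        option vlan0    "2 3 5*"
        option vlan1    "0 5"
        option vlan2    "4 5"
        option vlan3    "1 5"

config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0

config interface pub
        option ifname   "eth0.3"
        option proto    static
        option ipaddr   192.168.3.1
        option netmas   255.255.255.0
'

# Second constructed sample: port 3 in two VLANs and vlan3 without the CPU port.
BAD_SWITCH='
config switch eth0
        option vlan0    "2 3 5*"
        option vlan1    "0 5"
        option vlan2    "3 4 5"
        option vlan3    "1"
'

# Option keys accepted in a "config interface" stanza (assumed list for this
# example; extend it for protocols that take more keys).
KNOWN_IFACE_OPTS="type ifname proto ipaddr netmask gateway dns hostname"

# lint_interface_options CONFIG_TEXT -> one line per unknown option key
lint_interface_options() {
    printf '%s\n' "$1" | awk -v known="$KNOWN_IFACE_OPTS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 == "config" { section = $2; name = $3; next }
        $1 == "option" && section == "interface" && !($2 in ok) {
            printf "unknown option \"%s\" in interface %s\n", $2, name
        }'
}

# lint_switch_vlans CONFIG_TEXT -> one line per VLAN membership problem.
# Assumes CPU port 5 and external ports 0..4 (WRT54G v2 layout in the thread).
lint_switch_vlans() {
    printf '%s\n' "$1" | awk -v cpu=5 -v nports=5 '
        $1 == "config" { section = $2; next }
        $1 == "option" && section == "switch" && $2 ~ /^vlan[0-9]+$/ {
            vlan = $2
            line = $0
            gsub(/"/, "", line)                                   # drop the quotes
            sub(/^[ \t]*option[ \t]+vlan[0-9]+[ \t]+/, "", line)  # keep the port list
            hascpu = 0
            n = split(line, p, " ")
            for (i = 1; i <= n; i++) {
                port = p[i]
                if (sub(/\*$/, "", port)) star++   # "*" marks the default VLAN
                if (port == cpu) { hascpu = 1; continue }
                seen[port]++
                owner[port] = owner[port] " " vlan
            }
            if (!hascpu) printf "%s has no CPU port %d\n", vlan, cpu
        }
        END {
            for (port = 0; port < nports; port++) {
                if (seen[port] == 0) printf "port %d is in no VLAN\n", port
                else if (seen[port] > 1) printf "port %d is in several VLANs:%s\n", port, owner[port]
            }
            if (star != 1) printf "expected exactly one \"*\" default VLAN, found %d\n", star + 0
        }'
}

# Usage: lint_network "$(cat /etc/config/network)"
lint_network() {
    lint_interface_options "$1"
    lint_switch_vlans "$1"
}

lint_network "$SAMPLE_CONFIG"
lint_network "$BAD_SWITCH"
```

Run against the posted config the only finding is the unknown key in the pub interface, which is the kind of silent failure that leaves a VLAN up but unreachable; the switch stanza itself passes, so the port check is there for the next edit rather than this one.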

I want the exact same set up, except that I want each port on a separate VLAN, and I have a WRTSL54GS. The interfaces are not the same as the WRT54G, so I won't post my switch config because it might cause some confusion.

I have gotten all ports on their own specific IP range, but can ping freely to all the interfaces. I think that can be rendered with some firewall rules. My real problem is that the only port that can get out to the WAN is physical port one. What do the default gateways/dns servers need to be set to for each of the other VLANs in order to reach the Internet?

slypix wrote:

### Public lan configuration
config interface        pub
        option ifname   "eth0.3"
        option proto    static
        option ipaddr   192.168.3.1
        option netmas   255.255.255.0

There appears to be a typo in: option netmask

The discussion might have continued from here.