OpenWrt Forum Archive

Topic: Separate VLAN for office/VPN use

The content of this topic has been archived on 7 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, I have a WRT54GL running whiterussian 0.9 (and x-wrt) and would like to have my laptop (wired), which I use for vpn'ing into work, completely separated from my own personal lan, i.e. different vlan, different ip range/subnet etc; and no traffic is allowed between the two; but both must still be able to route out to the internet (and firewalled/natted from the internet).

so basically 192.168.0.x is my wired and wireless lan (192.168.0.1 is openwrt), I'd like the laptop to be 10.0.0.2 or something on a specific physical switch port.

any tips/documentation as to how I do that? do I need specific firewall rules and static routes, not just vlan config?

Set up the vlan2 on port 4 of the router by changing (or creating) the following NVRAM variables.

vlan0ports="1 2 3 5*"
vlan2hwname=et0
vlan2ports="4 5*"
work_ifname=vlan2
work_proto=static
work_ipaddr=10.0.0.10
work_netmask=255.0.0.0
work_gateway=10.0.0.1
work_dns=10.0.0.1

Add the following line after ifup wifi in /etc/init.d/S40network.

ifup work

Add the following rules to the '/etc/firewall.user' file to allow vlan2 access to the internet.

iptables -A forwarding_rule -i vlan2 -o $WAN -j ACCEPT

Note: All the added rules have to be placed after the iptables flush lines (Ex: iptables -t nat -F prerouting_rule) or they will be deleted by the flush lines.

Add the following rules to the '/etc/firewall.user' file to cut vlan2 from the lan.

iptables -A forwarding_rule -i vlan2 -o $LAN -j DROP
iptables -A forwarding_rule -i $LAN -o vlan2 -j DROP

Add the following rules to the '/etc/firewall.user' file to cut vlan2 from the router (except for the dns request).

iptables -A input_rule  -i vlan2 -p udp --dport 53 -j ACCEPT
iptables -A input_rule  -i vlan2 -p tcp --dport 53 -j ACCEPT
iptables -A input_rule  -i vlan2 -j DROP
iptables -A output_rule -o vlan2 -j DROP

Rules for allowing the dns replies into vlan2 are not necessary, because the firewall lets all packets go unhindered once the connection starts.

Now rebooooot...  ;)

(Last edited by dominiquefortin on 19 Jun 2008, 05:46)

wow thanks a lot for that, wasn't quite expecting an exact howto!

so basically it's a few lines in an init script to create an interface, and then just firewall rules?

dominiquefortin wrote:

iptables -A input_rule  -i vlan2 -p udp --dport 53 -j ACCEPT
iptables -A input_rule  -i vlan2 -p tcp --dport 53 -j ACCEPT
iptables -A input_rule  -i vlan2 -j DROP
iptables -A output_rule -o vlan2 -j DROP

Rules for allowing the dns replies into vlan2 are not necessary, because the firewall lets all packets go unhindered once the connection starts.

so are you saying that the dns lines there are not needed? I'd have thought the usual way to allow dns replies is the state machine:

iptables -A INPUT -i vlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT

otherwise it won't get any replies for any protocol will it?

what about if I have the router itself be the dns server - which is my usual setup using dnsmasq - I guess it would automagically allow traffic from the router?

(Last edited by sej7278 on 19 Jun 2008, 08:53)

sej7278 wrote:
dominiquefortin wrote:

...
Rules for allowing the dns replies into vlan2 are not necessary, because the firewall lets all packets go unhindered once the connection starts.

so are you saying that the dns lines there are not needed?
iptables -A INPUT -i vlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
otherwise it won't get any replies for any protocol will it?

No, what I meant was that because the line 'iptables -A <chain-here> -m state --state RELATED,ESTABLISHED -j ACCEPT' is already in the INPUT, OUTPUT and FORWARD chain (look in the second or third line of the three chains), you don't need any other rules (for example in the output_rule chain) to get the DNS request to work.

You only need to get the ball rolling and that's what these rules are for:

dominiquefortin wrote:

iptables -A input_rule  -i vlan2 -p udp --dport 53 -j ACCEPT
iptables -A input_rule  -i vlan2 -p tcp --dport 53 -j ACCEPT

sej7278 wrote:

what about if I have the router itself be the dns server - which is my usual setup using dnsmasq - I guess it would automagically allow traffic from the router?

The two rules above are for just that.
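To check what the rules posted earlier in this thread actually permit, and why the RELATED,ESTABLISHED rule makes extra reply rules unnecessary, here is an added policy model (it is not code from the thread or from OpenWrt). It replays the input_rule, output_rule and forwarding_rule entries with iptables' first-match semantics, behind the state rule that the stock WhiteRussian firewall already places near the top of INPUT, OUTPUT and FORWARD. The interface names for $WAN (vlan1) and $LAN (br0), the packets in policy_table(), and the assumption that the stock rules following the user chains would accept the traffic are all constructed for the example.

```python
"""Policy model of the iptables rules posted in this thread (added example).

Replays the input_rule/output_rule/forwarding_rule entries with first-match
semantics, behind the RELATED,ESTABLISHED rule the stock WhiteRussian chains
already carry, to show which packets are accepted and which are dropped.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

WAN = "vlan1"  # assumed value of $WAN on the WRT54GL
LAN = "br0"    # assumed value of $LAN (the lan bridge)


@dataclass(frozen=True)
class Packet:
    in_if: Optional[str] = None    # None for locally generated packets (OUTPUT)
    out_if: Optional[str] = None   # None for locally delivered packets (INPUT)
    proto: str = "udp"
    dport: int = 0
    established: bool = False      # conntrack state RELATED or ESTABLISHED


Rule = Tuple[Callable[[Packet], bool], str]


def rule(in_if=None, out_if=None, proto=None, dport=None,
         established=None, target="ACCEPT") -> Rule:
    """One iptables rule: every given match must hold; None means 'any'."""
    def matches(p: Packet) -> bool:
        return ((in_if is None or p.in_if == in_if)
                and (out_if is None or p.out_if == out_if)
                and (proto is None or p.proto == proto)
                and (dport is None or p.dport == dport)
                and (established is None or p.established == established))
    return matches, target


# '-m state --state RELATED,ESTABLISHED -j ACCEPT' from the stock chains.
ESTABLISHED = rule(established=True)

# Each stock chain: the conntrack shortcut first, then the user chain that
# /etc/firewall.user appends to (the posted rules, in the posted order).
INPUT: List[Rule] = [
    ESTABLISHED,
    rule(in_if="vlan2", proto="udp", dport=53),
    rule(in_if="vlan2", proto="tcp", dport=53),
    rule(in_if="vlan2", target="DROP"),
]
OUTPUT: List[Rule] = [
    ESTABLISHED,
    rule(out_if="vlan2", target="DROP"),
]
FORWARD: List[Rule] = [
    ESTABLISHED,
    rule(in_if="vlan2", out_if=WAN),
    rule(in_if="vlan2", out_if=LAN, target="DROP"),
    rule(in_if=LAN, out_if="vlan2", target="DROP"),
]


def evaluate(chain: List[Rule], packet: Packet, tail: str = "ACCEPT") -> str:
    """First matching rule wins. `tail` stands in for the stock rules that
    follow the user chain; ACCEPT is assumed here, which is exactly why the
    posted '-i vlan2 -j DROP' in input_rule is needed."""
    for matches, target in chain:
        if matches(packet):
            return target
    return tail


def policy_table() -> Dict[str, str]:
    """Constructed packets covering each direction the thread discusses."""
    cases = {
        "vlan2 -> internet (new)":    (FORWARD, Packet("vlan2", WAN, "tcp", 443)),
        "vlan2 -> lan (new)":         (FORWARD, Packet("vlan2", LAN, "tcp", 445)),
        "lan -> vlan2 (new)":         (FORWARD, Packet(LAN, "vlan2", "tcp", 22)),
        "vlan2 -> router dns (new)":  (INPUT, Packet("vlan2", None, "udp", 53)),
        "vlan2 -> router http (new)": (INPUT, Packet("vlan2", None, "tcp", 80)),
        "router -> vlan2 dns reply":  (OUTPUT, Packet(None, "vlan2", "udp", 1024, True)),
        "router -> vlan2 (new)":      (OUTPUT, Packet(None, "vlan2", "tcp", 22)),
    }
    return {name: evaluate(chain, pkt) for name, (chain, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in policy_table().items():
        print(f"{name:30} {verdict}")
```

The model makes the point in the reply concrete: the DNS reply from dnsmasq leaves through OUTPUT as an ESTABLISHED packet and is accepted by the stock state rule before the posted '-o vlan2 -j DROP' is reached, so the two port-53 lines in input_rule are the only thing needed to open that conversation. The same mechanism means the lan/vlan2 DROP rules are only as good as the absence of an opening packet: since both directions drop NEW traffic, no conntrack entry can ever be confirmed and the shortcut never applies between those two interfaces.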

The discussion might have continued from here.