OpenWrt Forum Archive

Topic: iptables/routing problem with separated vLan

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

hi everyone,

sorry if this becomes a repost but i couldn't find the answer to my problem.

i am running Kamikaze bleeding edge r11339. i had stock 7.09 and dd-wrt but they had their issues.

i set up a separated vlan port on my WRT54GL pretty much as described here: http://forum.openwrt.org/viewtopic.php?id=12509

everything seems to work but i can not connect to the internet from the separated port. i can access the router though (web/ssh).

originally(stock 7.09) i had the following rule in /etc/firewall.user (and it worked)
iptables -A forwarding_rule -i eth0.2 -d ! 192.168.1.0/24 -j ACCEPT

now i also tried
###Get LAN2 interface
[ -z "$LAN2" ] && config_get LAN2 lan2 ifname

###Isolated Host
## -- This allows outgoing traffic for (V)lan2 (Port 4) of the router
[ -n "$LAN2" -a -n "$WAN" ] && iptables -A forwarding_rule -i $LAN2 -o $WAN -j ACCEPT


i just don't get out from the isolated port. is there something broken in the bleeding edge? is there also something like cutting edge maybe? or have i done something wrong?

thx for your help!

Did you also add a MASQUERADE rule for LAN2?  By default only the LAN network gets NAT'ed-

if [ $NAT_LAN -ne 0 ]
then
    [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
fi

Hope this helps,
Charlie

hi,

thx for your advice. i found the above code in /etc/init.d/firewall . but i don't see how to change/apply this for LAN2. could you please give exact instructions. best would be a rule to add to /etc/firewall.user .

thx a lot!

Hi,
I have exactly the same problem (See http://forum.openwrt.org/viewtopic.php?id=13636 ). As you say, I can't get "out" from the vlan2. I can ping the vlan gateway 192.168.3.1 but nothing outside, i.e. another vlan or the internet.

Tex

but i don't see how to change/apply this for LAN2. could you please give exact instructions. best would be a rule to add to /etc/firewall.user .

Here you go-

iptables -t nat -A postrouting_wan -i $LAN2 -o $WAN -j MASQUERADE

Hope this helps,
Charlie

still not working. can i post some logs or anything to provide debugging info?

ciscostu wrote:

Here you go-

iptables -t nat -A postrouting_wan -i $LAN2 -o $WAN -j MASQUERADE

Hope this helps,
Charlie

in my case this gives me the following error:

root@ap:~# export WAN=eth0.1 && export LAN2=br-lan_public
root@ap:~# iptables -t nat -A postrouting_wan -i $LAN2 -o $WAN -j MASQUERADE
iptables: No chain/target/match by that name

(Last edited by Tex-Twil on 1 Jul 2008, 06:49)

D'oh!  Sorry that was supposed to be postrouting_rule (not postrouting_wan)-

iptables -t nat -A postrouting_rule -i $LAN2 -o $WAN -j MASQUERADE

Hope this helps,
Charlie

ciscostu wrote:

D'oh!  Sorry that was supposed to be postrouting_rule (not postrouting_wan)-
iptables -t nat -A postrouting_rule -i $LAN2 -o $WAN -j MASQUERADE
Hope this helps,
Charlie

Hmm it doesn't seem to work. I still cannot ping anything outside of my vlan2. :(

This is the rule I added :

# eth0.1 -> $WAN
# br-lan_public -> $LAN2 associated to my vlan2 
iptables -t nat -A postrouting_rule -i br-lan_public -o eth0.1 -j MASQUERADE

Thanks for your help,
tex

(Last edited by Tex-Twil on 1 Jul 2008, 06:48)

Well, it looks like I finally made it. I wanted my LAN2 (192.168.3.1/24) to have access to the internet. So I needed these 3 rules:

WAN=eth0.1
LAN2=br-lan_public
LAN_NET2=192.168.3.0
LAN_MASK2=255.255.255.0

# this is the same rule as in /etc/init.d/firewall but for lan2
root@ap:~# iptables -t nat -A POSTROUTING --src $LAN_NET2/$LAN_MASK2 -o $WAN -j MASQUERADE
root@ap:~# iptables -t nat -A postrouting_rule -i $LAN2 -o $WAN -j MASQUERADE
root@ap:~# iptables -A forwarding_rule -i $LAN2 -o $WAN -j ACCEPT

So now I have to add it to /etc/firewall.user with the correct config_get ..
Tex

(Last edited by Tex-Twil on 1 Jul 2008, 07:26)
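The rule set Tex-Twil ended up with, assembled into one /etc/firewall.user fragment, as an added example that is not code from the thread or from OpenWrt. It uses the interface and subnet names posted above (eth0.1, br-lan_public, 192.168.3.0/24, 192.168.1.0/24) as defaults, adds an explicit reject of LAN2 -> main-LAN traffic so the "isolated" port stays isolated regardless of the FORWARD default policy, and assumes the stock RELATED,ESTABLISHED rule in /etc/init.d/firewall lets reply traffic back in.

```shell
#!/bin/sh
# /etc/firewall.user fragment for an isolated LAN2 (vlan2) on Kamikaze.
# Added example, not from the thread. On the router the interface name
# would normally come from "config_get LAN2 lan2 ifname" as in the first
# post; here the values are plain variables with the posted defaults.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0.1}"                    # WAN interface (Tex-Twil's eth0.1)
LAN2="${LAN2:-br-lan_public}"           # isolated VLAN bridge
LAN2_NET="${LAN2_NET:-192.168.3.0/24}"  # isolated subnet
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # main LAN that LAN2 must not reach

run() {
    # Print the rule instead of applying it when DRY_RUN=1 is set, or when
    # iptables is not on this machine (reviewing the file off the router).
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v "$IPT" >/dev/null 2>&1; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

lan2_rules() {
    # 1. Isolation first: forwarding_rule is evaluated top to bottom, so the
    #    reject of LAN2 -> main LAN must precede any ACCEPT. Traffic to the
    #    router itself (web/ssh) goes through INPUT, so it is unaffected.
    run -A forwarding_rule -i "$LAN2" -d "$LAN_NET" -j REJECT
    # 2. Let LAN2 reach the Internet, but only out of the WAN interface.
    run -A forwarding_rule -i "$LAN2" -o "$WAN" -j ACCEPT
    # 3. NAT LAN2 by source subnet. MASQUERADE runs in POSTROUTING, where
    #    iptables refuses -i on the built-in chain, so match the source
    #    address as the --src rule in Tex-Twil's final set does.
    run -t nat -A postrouting_rule -s "$LAN2_NET" -o "$WAN" -j MASQUERADE
}

lan2_rules
```

Run it with DRY_RUN=1 first and compare the printed rules against `iptables -L forwarding_rule -v -n` after applying, so that the reject line really sits above the accept.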

The discussion might have continued from here.