OpenWrt Forum Archive

Topic: DMZ VLAN

The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

For years I have been running a regular PC with 3 interfaces and Shorewall for my firewall. I had a dedicated DMZ interface and I figured I would replace this box with one of my WRT54G boxes. I wanted to keep a dedicated DMZ that would consist of 2 devices so what I did was peel off port 4 on the WRT and created a vlan2 containing only port 4 and assigned it the DMZ address that my old firewall used. I have a switch plugged in to port 4 and the DMZ devices plugged into that switch.

Now using the stock firewall script on the WRT I can ping all my LAN devices from the DMZ and I can ping the LAN and WAN interfaces on the WRT from the DMZ. I can not ping anything out on the Internet from the DMZ. I can ping the DMZ devices from the LAN and can ping out to the internet from the LAN. I can not get any traffic from the DMZ to the Internet using either the stock firewall script or the Shorewall configuration copied from my old firewall. If I run a "tcpdump -i vlan1" (WAN interface) and try to ping something out on the Internet from the DMZ I can see echo requests but no echo replies.

Setup:

WRT54G v2 + OpenWRT WR RC2 (latest squashfs binary)

DMZ vars:
dmz_enable=1
dmz_hwaddr=00:0C:41:D3:4F:BE
dmz_ifname=vlan2
dmz_ifnames=vlan2
dmz_ipaddr=172.16.214.1
dmz_netmask=255.255.255.0
dmz_proto=static

LAN vars:
lan_domain=
lan_hwaddr=00:0C:41:D3:4F:BC
lan_hwnames=
lan_ifname=br0
lan_ifnames=vlan0 eth1 eth2 eth3
lan_ipaddr=192.168.0.1
lan_lease=86400
lan_netmask=255.255.255.0
lan_proto=static
lan_stp=0
lan_wins=

WAN vars:
wan_hwaddr=00:0C:41:D3:4F:BD
wan_hwname=
wan_ifname=vlan1
wan_ifnames=vlan1
wan_mtu=1500
wan_proto=dhcp

VLAN vars:
vlan0hwname=et0
vlan0ports=1 2 3 5*
vlan1hwname=et0
vlan1ports=0 5
vlan2hwname=et0
vlan2ports=4 5

Any pointers would be greatly appreciated.

Thanks!

ifup dmz?

Nope, the interface is already up. Like I said I can get traffic to and from devices connected to the LAN ports from devices connected to the DMZ port. I just can't get traffic to and from the Internet from devices connected to the DMZ port (port 4 which I have put on its own VLAN).

how about

iptables -A FORWARD -i vlan2 -o vlan1 -j ACCEPT

?
I'm not too familiar with the dmz setup, so maybe this routing is accomplished somewhere else that I'm not realizing.

It  would seem that if you tcpdump on the wan interface, and you don't see your icmp replies returning, it's not your fault.

I also wonder where the :BE mac address you chose for the dmz came from? IIRC if your LAN is :BC then your WAN is :BD and your wifi is :BE.  I could have wan and wifi mixed up, though.  And, given my weak knowledge of setting up a dmz on the wrts, maybe this is obvious too, and this message should just be deleted ;)

(Last edited by mrmoj on 26 Aug 2005, 19:56)

Thanks, I'll check on that this evening. I'm thinking it almost has to be some sort of iptables issue. I also noticed that when using my Shorewall configuration I could ssh into a machine in my DMZ from a selected machine out on the internet which is something I have configured in shorewall. I just expected to be able to use the same rules from my old firewall and just have everything work the same. It was late last night when I decided to do all this so tired eyes may also have something to do with it. Hopefully I'll spot a problem right away this evening. Will report back with more information if I can't get it to work. Thanks!

Ok, it's definitely an iptables oversight on my part because I added the forward rule for vlan2 as you suggested and I can now ping out. I realize after looking at the included firewall script that there is no statement for the interface I created (duh, should have figured that). The MAC address does not conflict with any other interface in the list:

br0       Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
eth0      Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
eth1      Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
vlan0     Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
vlan1     Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BD
vlan2     Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BE

Ahhhhh, I found the problem. I got my interface names mixed up in /etc/shorewall/masq. Just as I thought, tired eyes. Thanks guys!

Now that I have everything straight and my firewall with dedicated DMZ port working perfectly it brings up another question. How would I do the same thing on a v1.x WRT54G? I also have a v1.0 and v1.1 router. The v2 router uses the nvram vlan?ports variables. The documentation doesn't really cover what to do with v1.x routers other than it says they do not have these variables set:

http://wiki.openwrt.org/OpenWrtDocs/Con … 1864c6aa39

Is it just a matter of setting the variables? On an earlier version of WRT I use the adm.o kernel module and admcfg utility to do something similar, even though I never could get it working properly. Any light on this would be most appreciated!

Hi Void Man,

Does the DMZ setup like you describe here apply to the WRT54GS v2.0? Or do I need to specify the variables differently? And what is special about port number 4?

Thank you.

I meant Void Main, not Void Man. Sorry (-:))

According to this chart your GS should have the same interface configuration as my G:
http://wiki.openwrt.org/OpenWrtDocs/Con … 23a7b6acab

There is nothing special about port 4 other than that is the one I happened to pick from the 4 LAN ports to create another VLAN out of. I could have picked any of the 4, or more than one of the 4. I have another switch plugged into port 4 so I can have multiple machines in the DMZ.

So with the WAN port connected to the NET, I can consider the 4 LAN ports as 4 different NICs and if I setup correctly, I can have 4 different local subnets, right? That's amazing.

Thanks.

Yes, as you can see in the illustration it's just a smart VLAN capable/configurable 6 port switch. By default 4 of the ports are tied together in a VLAN and bridged together with the wireless interface to make the logical LAN interface. 1 of the ports is in its own VLAN for the WAN interface and the last port is not exposed but internally connected to the physical/actual ethernet eth0 interface. All I did was take one of the 4 ports out of the LAN and created a new VLAN to become my new logical DMZ interface. It works great on my WRT54G v2.0 and is very easy to do. I just wish I could do the same thing on my v1.1 router, the hardware is different in it and the configuration and drivers are completely different. I haven't actually been successful in making it work on the 1.1 box.

Oh and yes, it is amazing! :)
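As an added example (not part of the thread, and not an OpenWrt tool), here is a small POSIX shell checker for the vlan?ports layout described in the posts above. It takes the three values from the first post and checks the properties a "peeled off" port layout should have: every physical port 0-4 lives in exactly one VLAN, the CPU port 5 appears in every VLAN, and exactly one VLAN carries the `5*` marker (the posted config puts it on the LAN VLAN only). Those three invariants, the `peel_port` helper and the constructed broken layout are assumptions of this example, not documentation from the wiki links in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the vlan?ports NVRAM
# layout on a WRT54G v2 after peeling one LAN port off into a DMZ VLAN.
# The three invariants below are this example's assumptions about a sane layout.

# NVRAM values from the first post (vlan0 = LAN ports, vlan1 = WAN, vlan2 = DMZ).
POSTED_VLANS='vlan0ports=1 2 3 5*
vlan1ports=0 5
vlan2ports=4 5'

# Constructed bad layout: port 4 was put into vlan2 but never removed from vlan0.
BAD_VLANS='vlan0ports=1 2 3 4 5*
vlan1ports=0 5
vlan2ports=4 5'

# Remove one physical port from a ports string, e.g. peel_port 4 "1 2 3 4 5*"
# prints "1 2 3 5*". Globbing is disabled so the "5*" token stays literal.
peel_port() {
    port=$1; ports=$2; out=""
    set -f
    for p in $ports; do
        [ "$p" = "$port" ] && continue
        out="${out:+$out }$p"
    done
    set +f
    printf '%s\n' "$out"
}

# Validate a set of "vlanNports=..." lines passed as one newline-separated
# string. Prints each problem found and returns 1 if there were any.
check_vlan_ports() {
    cfg=$1; errors=0; stars=0
    seen_0=0; seen_1=0; seen_2=0; seen_3=0; seen_4=0   # VLANs containing port N
    set -f
    old_ifs=$IFS
    IFS='
'
    for line in $cfg; do
        IFS=$old_ifs                    # split the port list on spaces again
        name=${line%%=*}; ports=${line#*=}
        has_cpu=0
        for p in $ports; do
            case $p in
                5\*)   has_cpu=1; stars=$((stars + 1)) ;;
                5)     has_cpu=1 ;;
                [0-4]) eval "seen_$p=\$((seen_$p + 1))" ;;
                *)     echo "$name: unexpected token '$p'"; errors=$((errors + 1)) ;;
            esac
        done
        [ "$has_cpu" -eq 1 ] || { echo "$name: CPU port 5 missing"; errors=$((errors + 1)); }
    done
    IFS=$old_ifs
    set +f
    for p in 0 1 2 3 4; do
        eval "c=\$seen_$p"
        [ "$c" -eq 1 ] || { echo "port $p appears in $c VLANs (expected 1)"; errors=$((errors + 1)); }
    done
    [ "$stars" -eq 1 ] || { echo "expected exactly one '5*' marker, found $stars"; errors=$((errors + 1)); }
    [ "$errors" -eq 0 ]
}

echo "posted layout:"; check_vlan_ports "$POSTED_VLANS" && echo "  ok"
echo "broken layout:"; check_vlan_ports "$BAD_VLANS" || echo "  rejected"
```

The failure this catches is the easy one to make at midnight: adding `vlan2ports=4 5` without also taking port 4 out of `vlan0ports`, which leaves the port claimed by two VLANs. Running the checker against the output of `nvram show | grep ports` before `nvram commit` is cheaper than finding out after a reboot.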

-----
br0       Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
eth0      Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
eth1      Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
vlan0     Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
vlan1     Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BD
vlan2     Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BE
-----

Hi Void Main,

I would like to setup DMZ like you did. Mine is WRT54GS v2.1. I wonder why you can have 3 different MAC addresses whereas I have only 2? 'ifconfig' after flashing with RC3 shows

br0/eth0/eth1/vlan0      Link encap:Ethernet  HWaddr 00:13:10:EE:82:C2

and
vlan1                           Link encap:Ethernet  HWaddr 00:13:10:EE:82:C3
--

Or did you fake one for vlan2?

Also assume that I can setup DMZ on port 4. If I have only one computer in DMZ, can I use a normal cable to connect that PC to port 4? With a normal PC I need to use cross-over but I guess for this I do not need it.

Thank you.

MLu wrote:

-----
br0       Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
eth0      Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
eth1      Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
vlan0     Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BC
vlan1     Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BD
vlan2     Link encap:Ethernet  HWaddr 00:0C:41:D3:4F:BE
-----

Hi Void Main,

I would like to setup DMZ like you did. Mine is WRT54GS v2.1. I wonder why you can have 3 different MAC addresses whereas I have only 2? 'ifconfig' after flashing with RC3 shows

br0/eth0/eth1/vlan0      Link encap:Ethernet  HWaddr 00:13:10:EE:82:C2

and
vlan1                           Link encap:Ethernet  HWaddr 00:13:10:EE:82:C3
--

Or did you fake one for vlan2?

Yes, there is an NVRAM variable to set the MAC address. In my case I set it like this:
dmz_hwaddr=00:0C:41:D3:5F:BE

I just picked the next higher address than was already assigned to other interfaces.

Also assume that I can setup DMZ on port 4. If I have only one computer in DMZ, can I use a normal cable to connect that PC to port 4? With a normal PC I need to use cross-over but I guess for this I do not need it.

Yes, I think you should be able to do it just like I did. I think the interface layout is the same on yours. No, you do not need a crossover cable because you are going from PC->switch. If you were going PC->PC or switch->switch then you would need a crossover cable (unless one of your switchports is a crossover port).

Void Main wrote:

No, you do not need a crossover cable because you are going from PC->switch. If you were going PC->PC or switch->switch then you would need a crossover cable (unless one of your switchports is a crossover port).

My wrt54g's seem to be autodetect on the ports. Maybe it's only the new hw v's? Mine are all v3 or v3.1.

- dl

dl wrote:
Void Main wrote:

No, you do not need a crossover cable because you are going from PC->switch. If you were going PC->PC or switch->switch then you would need a crossover cable (unless one of your switchports is a crossover port).

My wrt54g's seem to be autodetect on the ports. Maybe it's only the new hw v's? Mine are all v3 or v3.1.

- dl

Wow, that would be cool, I'll check my v1.x and v2.x tonight to see if it's also the case on the earlier ones. And to think, I might have just wasted 15 minutes the other night making 3 crossover cables (I'm slow). :) I need to get with the times.
