15 December, 2013

Create a VLAN with DD-WRT Based Routers



If you’ve never heard of DD-WRT by now, you should go to that link quickly: http://www.dd-wrt.com/site/index. DD-WRT is a Linux-based firmware for wireless routers and wireless access points. Basically, it’s a firmware compatible with a number of cheap consumer wireless routers. Once you load that firmware on your router, you get lots of networking features that you would normally only find in enterprise products costing a lot of $$$. Some of the cool features of DD-WRT are WDS, VLANs, multiple SSIDs, QoS, different wireless modes (Access Point, Bridge, Repeater, etc.), and the list goes on.
It’s free to download and use. Please use it at your own risk, because during the process of flashing your router you can also “brick” it, although I’ve never experienced this personally. Not every router is compatible with DD-WRT, so please check the “compatibility” page before trying anything.
In this article I’ll not cover how to flash your router or how to set it up for the first time, as there are plenty of articles explaining these “how tos”.

DD-WRT documentation
http://www.dd-wrt.com/site/support/documentation

CREATING A SEPARATE VLAN WITH DHCP


  • Make a TELNET connection to your router. I’m using “PuTTY” for that.
  • Enter the following commands to show all existing VLANs and their port assignments (the patterns are quoted so the shell does not try to expand them as file globs):
    nvram show | grep 'vlan.*ports'
    nvram show | grep 'port.*vlans'

Use these commands to configure vlan2 on port 4 (port 5 is the switch’s CPU port; the trailing * marks it as tagged so the router can see both VLANs on it):
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2ports="4 5*"
nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# give the router an address on the new VLAN and bring the interface up
ifconfig vlan2 10.0.0.1 netmask 255.255.255.0
ifconfig vlan2 up
'
nvram set rc_firewall='
# let vlan2 clients reach the router itself (DHCP, DNS)
iptables -I INPUT -i vlan2 -j ACCEPT
# let vlan2 open connections to the WAN (vlan1 on an Ethernet WAN, ppp0 on PPPoE)
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
# log and drop anything coming from the main LAN bridge into vlan2
iptables -I FORWARD -i br0 -o vlan2 -j logdrop
'
nvram commit
  • Now go back to the router’s web management interface to assign the port to vlan2. To do that, go to the “VLAN” tab under “Setup”, deselect port 4 from its current VLAN and select it on vlan2, as shown in the following screenshot;

  • Apply your settings.
It’s all done. Your port #4 is now assigned to a different VLAN, and it should also be able to reach your WAN port. If you want the router to provide DHCP on the new VLAN as well, follow the steps below. This part is optional: if you are in a LAB environment and would like to use your own DHCP server, you can assign an IP address manually to the host on that VLAN port and use your own servers instead.
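Before running nvram commit it is worth checking the vlanNports values for the slips that quietly merge the new VLAN back into the LAN: a port left in two VLANs, a port that ended up in no VLAN, or a VLAN without the CPU port. The following script is an added example and not part of the original post; it runs on the admin machine against the output of nvram show | grep 'vlan.*ports' pasted from the router. The sample nvram lines are constructed (the vlan1ports line is assumed, as on a typical Broadcom router, and the CPU port number and the set of physical ports are assumptions you should match to your own switch).

```python
"""Sanity-check DD-WRT vlanNports assignments before 'nvram commit'.

Added example, not from the original post. Paste the output of
`nvram show | grep 'vlan.*ports'` into check_vlan_ports() and read the
returned list of problems; an empty list means the layout is consistent.
"""
import re

# Constructed sample: the assignment the post ends with (port 4 moved to vlan2).
# The vlan1ports line is an assumption (WAN VLAN on a typical Broadcom router).
SAMPLE_GOOD = """\
vlan0ports=1 2 3 5*
vlan1ports=0 5
vlan2ports=4 5*
"""

# Constructed sample: port 4 left in vlan0 as well as vlan2, a common slip
# that bridges the "isolated" VLAN straight back into the LAN.
SAMPLE_OVERLAP = """\
vlan0ports=1 2 3 4 5*
vlan1ports=0 5
vlan2ports=4 5*
"""

# Constructed sample: vlan2 without the CPU port, so the router never sees it.
SAMPLE_NO_CPU = """\
vlan0ports=1 2 3 5*
vlan1ports=0 5
vlan2ports=4
"""

CPU_PORT = "5"                             # assumption: CPU port number on this switch
SWITCH_PORTS = {"0", "1", "2", "3", "4"}   # assumption: the physical ports on this switch


def parse_vlan_ports(nvram_text):
    """Return {vlan_name: [port tokens]} from lines like 'vlan2ports=4 5*'."""
    vlans = {}
    for line in nvram_text.splitlines():
        m = re.match(r"^(vlan\d+)ports=(.*)$", line.strip())
        if m:
            vlans[m.group(1)] = m.group(2).split()
    return vlans


def check_vlan_ports(nvram_text, cpu_port=CPU_PORT, switch_ports=SWITCH_PORTS):
    """Return a list of human-readable problems; [] means the layout is consistent."""
    vlans = parse_vlan_ports(nvram_text)
    problems = []
    seen = {}            # physical port -> VLAN that already claims it
    untagged_cpu = []    # VLANs carrying the CPU port without the '*' tag
    for vlan, tokens in vlans.items():
        numbers = [t.rstrip("*") for t in tokens]
        physical = [n for n in numbers if n != cpu_port]
        if not physical:
            problems.append(f"{vlan} has no physical port")
        if cpu_port not in numbers:
            problems.append(f"{vlan} does not include CPU port {cpu_port}")
        if cpu_port in tokens:               # present and untagged
            untagged_cpu.append(vlan)
        for p in physical:
            if p in seen:
                problems.append(f"port {p} is in both {seen[p]} and {vlan}")
            seen[p] = vlan
    # the CPU port has a single native VLAN; every other VLAN must carry it tagged
    if len(untagged_cpu) > 1:
        problems.append("CPU port is untagged in more than one VLAN: " + ", ".join(untagged_cpu))
    for p in sorted(set(switch_ports) - set(seen)):
        problems.append(f"port {p} is not in any VLAN")
    return problems


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("overlap", SAMPLE_OVERLAP), ("no-cpu", SAMPLE_NO_CPU)):
        print(name, "->", check_vlan_ports(text) or "OK")
```

The overlap case is the one to watch for: the web interface lets you tick port 4 on vlan2 without unticking it on vlan0, and the switch then forwards between the two VLANs as if they were one.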

To activate the DHCP on the VLAN2

  • Go to the management interface again, open the “Services” tab under “Services”, find the “DNSMasq” section and enter your DHCP options like this (a pool of 10.0.0.100 to 10.0.0.200 on vlan2 with a 24-hour lease);
    interface=vlan2
    dhcp-range=10.0.0.100,10.0.0.200,255.255.255.0,1440m

  • Under the “Setup”, “Networking” tab, in the “Port Setup” configuration section, make sure that “Network Configuration vlan2” is set to “Unbridged” mode and that “Masquerade / NAT” is enabled. Then enter the router’s IP address on your VLAN. In my case it’s 10.0.0.1 with a subnet mask of 255.255.255.0, as shown on the following screenshot.
  • Make sure that “Use DNSMasq for DHCP” and “Use DNSMasq for DNS” are both checked under the “Setup”, “Basic Setup” tab, in the “Network Address Server Settings (DHCP)” section, as shown on the following screenshot.
  • Finally, if you are not happy with your configuration or would like to start over, you can reset the "nvram" from TELNET with the following commands (this wipes all settings and reboots the router);
erase nvram
reboot
Here is a list of all the blogs I've visited during my research; these are great articles that give you a better understanding of how VLANs work with DD-WRT.

http://www.dd-wrt.ca/wiki/index.php/VLAN_Detached_Networks_(Separate_Networks_With_Internet)

http://www.geek-pages.com/articles-for-geeks-mainmenu-2/1-latest/27-dd-wrt-setting-up-a-separate--isolated-vlan-on-port-4-with-dhcp

Enjoy!
