Inflatablepig

I just wanted to post this in case someone else is doing exactly what I want to do. I spent several hours reading this morning to get this to work for me. I hope this works for me until BrainSlayer is able to fix the web gui to work for VLAN setup.

Hardware: WRT54G v 2.2

Software: DD-WRT v23

What I was looking to do is separate Port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3, or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words I want to see "into" the port 4 VLAN, but don't want them to see out). I've successfully got it to work: port 4 cannot ping out, but ports 1-3 and wireless can ping in. I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router IP address) is going to be on 192.168.1.1, and the second VLAN (the new one we create on port 4) is going to be on 192.168.2.1.

Steps:

1. Per this thread you make your VLAN page in your router look like this.

2. Next, per this thread you go to a telnet or SSH prompt and type the following lines individually (I copied and pasted each one) hitting enter after each line.

Quote:

    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="4 5"

3. Now go back into your router and go to the "Administration" tab, then click on "Diagnostics". Per the same thread above you will type the following line into the box on the screen:

Quote:

    ifconfig vlan2 192.168.2.1 netmask 255.255.255.0

After you type that into the box, click on "Save Startup".


 * Note that the IP address can be any address that you want the router to be on that second VLAN. The VLAN (port 4) is going to think that the router is 192.168.2.1 in this case.

3. Now, per the same page above, we're going to modify the iptables to properly route everything. Type the following lines into the same box on the "Diagnostics" page.

Quote:

    iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
    iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I INPUT -i vlan1 -j ACCEPT

This time, click on "Save Firewall".

Now you've just finished the VLAN section; next we need to set up DHCP to work properly. If you stop here your DHCP will work on your VLAN 1 (192.168.1.1) but you'll have to use static addresses on the second VLAN on port 4.

Setting up DHCP:

4. Now under the "Administration" tab again on your router, go to the "Management" tab. Find "DNS Masq". Make sure DNS Masq and Local DNS are both checked. Then, per this thread, copy the following lines into the "Additional DNS options" box:

Quote:

    interface=vlan2
    interface=vlan1
    interface=vlan0
    interface=eth1
    dhcp-range=192.168.1.100,192.168.1.200,1h
    dhcp-range=192.168.2.100,192.168.2.200,1h

Do you see what's going on here? You're telling DHCP what the two VLANs are, and what addresses to assign them. The "1h" is how long the lease time should be. The first address is the beginning of the DHCP range, the second is the end of the range for that VLAN. You won't be using your DHCP settings in the GUI on the front page after this; you'll need to edit it here if you want to make changes in the future.

Click on "Save Changes"

5. Lastly, go to the "Setup" tab for your router, and under "basic setup" you're going to turn the DHCP off (this is a different DHCP server that we aren't using any more). Under "DHCP Server" set this to "disable".

6. Now, assuming you've done everything correctly, and that I've remembered everything I did, you should be able to reboot your router one final time and have everything work perfectly.

Keep in mind that I'm a complete noob here and don't really know what I'm doing. Just wanted to share what I did to get my ver 2.2 router working perfectly how I wanted it to. Hopefully it will work for you too.

Other resources I found helpful:

 * DD-WRT Wiki
 * OpenWRT Documentation
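
An added example (not part of the original post): a Python check of the step 4 dnsmasq options. dnsmasq picks the pool by the address of the interface a request arrives on, so each dhcp-range must sit inside exactly one segment's subnet for port 4 clients to get 192.168.2.x leases. The /24 mask on 192.168.1.1 and the label `lan` are assumptions; all other values are copied from the post.

```python
import ipaddress

# "Additional DNS options" lines from step 4 of the post.
DNSMASQ_OPTS = """\
interface=vlan2
interface=vlan1
interface=vlan0
interface=eth1
dhcp-range=192.168.1.100,192.168.1.200,1h
dhcp-range=192.168.2.100,192.168.2.200,1h
"""

# Router address on each segment. vlan2 comes from the ifconfig line in the
# post; the /24 mask on 192.168.1.1 and the label "lan" are assumptions.
ROUTER_ADDRS = {
    "lan": ipaddress.ip_interface("192.168.1.1/24"),
    "vlan2": ipaddress.ip_interface("192.168.2.1/255.255.255.0"),
}

def parse_ranges(text):
    """Return [(start, end, lease)] for each dhcp-range=start,end,lease line."""
    ranges = []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "dhcp-range":
            parts = value.split(",")
            start, end = (ipaddress.ip_address(p) for p in parts[:2])
            ranges.append((start, end, parts[-1]))
    return ranges

def check(text, addrs):
    """Map each segment to its pool and list any problems found."""
    pools, problems = {}, []
    for start, end, lease in parse_ranges(text):
        span = f"{start}-{end}"
        owners = [n for n, a in addrs.items() if start in a.network and end in a.network]
        if start > end:
            problems.append(f"{span}: start is above end")
        if len(owners) != 1:
            problems.append(f"{span}: matches {len(owners)} segments")
            continue
        name = owners[0]
        if name in pools:
            problems.append(f"{name}: more than one pool")
        if start <= addrs[name].ip <= end:
            problems.append(f"{name}: pool contains the router address")
        pools[name] = (str(start), str(end), lease)
    problems += [f"{n}: no pool, clients need static addresses" for n in addrs if n not in pools]
    return pools, problems
```

Calling `check(DNSMASQ_OPTS, ROUTER_ADDRS)` returns the pool for each segment and an empty problem list for the configuration in the post.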