Creating VLANs in DD-WRT (Part 2)

In the first part of this post I created some VLANs on my NetGear WNR3500L router that I’ve flashed with DD-WRT firmware. In this second part of the post I will be assigning IP address ranges to those VLANs and configuring the router’s firewall.

I want the VLANs that I set up previously to use separate IP address ranges. To do this, it's back into the telnet session to enter the following command:

nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
ifconfig vlan6 192.168.6.254 netmask 255.255.255.0
ifconfig vlan7 192.168.7.254 netmask 255.255.255.0
ifconfig vlan8 192.168.8.254 netmask 255.255.255.0
ifconfig vlan9 192.168.9.254 netmask 255.255.255.0
ifconfig vlan10 192.168.10.254 netmask 255.255.255.0
ifconfig vlan11 192.168.11.254 netmask 255.255.255.0
ifconfig vlan12 192.168.12.254 netmask 255.255.255.0
ifconfig vlan13 192.168.13.254 netmask 255.255.255.0
ifconfig vlan14 192.168.14.254 netmask 255.255.255.0
ifconfig vlan15 192.168.15.254 netmask 255.255.255.0

ifconfig vlan6 up
ifconfig vlan7 up
ifconfig vlan8 up
ifconfig vlan9 up
ifconfig vlan10 up
ifconfig vlan11 up
ifconfig vlan12 up
ifconfig vlan13 up
ifconfig vlan14 up
ifconfig vlan15 up
'

(There is actually a way to do this step through the router’s GUI too.)

Reboot the router again for the changes to take effect.

The final configuration that needs to be made is to the internal firewall of the router. With all of these new interfaces created, we need to define some rules to permit (or deny) traffic between them.

Now I could have just turned the firewall off but that wouldn’t be a very good idea. Instead I modified the rules. For a single VLAN (VLAN 6 for example) the following commands were required:

iptables -I INPUT -i vlan6 -j ACCEPT
iptables -I FORWARD -i vlan6 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o ppp0 -m state --state NEW -j ACCEPT

The first line allows traffic from VLAN6 to talk to the router. The second line allows VLAN6 to talk to the default LAN network (VLAN1). The final line allows VLAN6 to access the WAN interface (internet).

There are two ways of applying these rules. The first is by executing the following on the router’s telnet interface:

nvram set rc_firewall='
iptables -I INPUT -i vlan6 -j ACCEPT
iptables -I FORWARD -i vlan6 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o ppp0 -m state --state NEW -j ACCEPT'

The other method is to use the GUI. Under Administration >> Commands there is a text area to enter the commands. Then all you need to do is click the "Save Firewall" button to have the commands take effect at the next reboot of the router. Additionally, you can click the "Run Commands" button to execute them immediately. (Bear in mind though that commands run immediately are not persistent across a reboot.)

I thought that would sort everything out, so I made the same changes for all of the VLANs. However, when it came to using those VLANs I discovered that although they could "talk" to the internet and to wireless clients, they could not "talk" to each other. This meant a revision to the firewall rules that I set out above was required.

Whilst working out what I needed, I discovered that a wildcard character (the trailing "+") exists for interface names, and that what I wanted to achieve could be done in just four lines:

iptables -I INPUT -i vlan+ -j ACCEPT
iptables -I FORWARD -i vlan+ -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan+ -o vlan+ -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan+ -o ppp0 -m state --state NEW -j ACCEPT

Line 1 accepts input from any of the VLAN interfaces into the router.

Line 2 allows any traffic coming from the VLAN interfaces to access the bridge (this is connected to the RJ45 ports and the wireless).

Line 3 allows traffic to come from any VLAN and go to any VLAN (this was the rule I was missing the first time around).

Line 4 allows traffic coming from any of the VLANs to go to the internet.

However, a quick word on the internet (WAN) interface, ppp0, and security in general. The WNR3500L router does not have an ADSL modem in it (I have a separate one of those, a Draytek Vigor 120). Configuration of the WAN for my environment is therefore completed using the PPPoE protocol, and hence the WAN interface gets called ppp0. If you use this router with cable broadband (e.g. Virgin Media) you may end up with a different WAN interface name. Not only will you have to adjust the rules above accordingly, you also need to make sure that you don't inadvertently open up a gaping security hole!

That is why it might be best to put the following rules into the router instead of the ones above:

iptables -I INPUT -i vlan6 -j ACCEPT
iptables -I FORWARD -i vlan6 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan7 -j ACCEPT
iptables -I FORWARD -i vlan7 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan7 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan8 -j ACCEPT
iptables -I FORWARD -i vlan8 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan8 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan9 -j ACCEPT
iptables -I FORWARD -i vlan9 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan9 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan10 -j ACCEPT
iptables -I FORWARD -i vlan10 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan10 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan11 -j ACCEPT
iptables -I FORWARD -i vlan11 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan11 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan12 -j ACCEPT
iptables -I FORWARD -i vlan12 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan12 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan13 -j ACCEPT
iptables -I FORWARD -i vlan13 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan13 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan14 -j ACCEPT
iptables -I FORWARD -i vlan14 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan14 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan15 -j ACCEPT
iptables -I FORWARD -i vlan15 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan15 -o vlan+ -m state --state NEW -j ACCEPT

Whilst it's not as elegant a solution as the one with the wildcards, it is more specific and hence more secure. I'm not an iptables expert, so I'm going for the safer option. Also note that in the above example I've only given VLAN6 access to the ppp0 (internet / WAN) interface.
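The address-assignment script and the explicit per-VLAN rule list above both repeat the same three or four lines once per VLAN, which is where typos creep in. The script below is an added example, not code from the original post: it generates both the rc_startup lines and the explicit rc_firewall rules from one list of VLAN ids and prints them for review, applying nothing. It assumes, as the post does, that the LAN bridge is br0, that the WAN interface is ppp0, and that VLAN n gets 192.168.n.254/24; the nvram variable name wan_iface used to look up the real WAN interface on the router is an assumption, and the functions and the WAN_VLANS list are mine.

```shell
#!/bin/sh
# Added example, not from the original post: build the rc_startup address
# lines and the explicit per-VLAN firewall rules from one list of VLAN ids,
# so that adding or removing a VLAN is a one-word change rather than three
# hand-typed lines. Nothing here calls iptables or ifconfig; it only prints
# the commands for review.
#
# Assumptions (from the post, or labelled here): the LAN bridge is br0, the
# WAN interface is ppp0 (PPPoE), each VLAN n gets 192.168.n.254/24, and the
# DD-WRT nvram variable holding the WAN interface name is 'wan_iface'.

LAN_BR="${LAN_BR:-br0}"
WAN_IF="${WAN_IF:-ppp0}"
WAN_VLANS="${WAN_VLANS:-6}"   # VLANs allowed out to the internet; default: VLAN 6 only

# Resolve the WAN interface name. On the router itself prefer what nvram
# says, so a cable/DHCP WAN that is not ppp0 cannot be left open by a rule
# that names the wrong interface; elsewhere fall back to $WAN_IF.
wan_interface() {
    if command -v nvram >/dev/null 2>&1; then
        iface=$(nvram get wan_iface 2>/dev/null || true)
        if [ -n "$iface" ]; then
            echo "$iface"
            return 0
        fi
    fi
    echo "$WAN_IF"
}

# rc_startup content: address and bring up vlan<id> for every id given.
vlan_startup_lines() {
    for id in "$@"; do
        printf 'ifconfig vlan%s 192.168.%s.254 netmask 255.255.255.0\n' "$id" "$id"
        printf 'ifconfig vlan%s up\n' "$id"
    done
}

# True when $1 appears in the space-separated list $2.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# rc_firewall content: for each VLAN, allow traffic to the router, to the
# bridge and to the other VLANs; add the WAN rule only for ids in WAN_VLANS.
vlan_firewall_lines() {
    wan=$(wan_interface)
    for id in "$@"; do
        printf 'iptables -I INPUT -i vlan%s -j ACCEPT\n' "$id"
        printf 'iptables -I FORWARD -i vlan%s -o %s -m state --state NEW -j ACCEPT\n' "$id" "$LAN_BR"
        printf 'iptables -I FORWARD -i vlan%s -o vlan+ -m state --state NEW -j ACCEPT\n' "$id"
        if in_list "$id" "$WAN_VLANS"; then
            printf 'iptables -I FORWARD -i vlan%s -o %s -m state --state NEW -j ACCEPT\n' "$id" "$wan"
        fi
    done
}

# Sanity check before saving: how many generated rules reach the WAN?
# It should equal the number of entries in WAN_VLANS, nothing more.
count_wan_rules() {
    vlan_firewall_lines "$@" | grep -c -- "-o $(wan_interface) " || true
}

# Run directly: print both scripts. Paste them into Administration >> Commands
# (Save Startup / Save Firewall) or into nvram set rc_startup='...' and
# nvram set rc_firewall='...' as shown in the post.
VLAN_IDS="${VLAN_IDS:-6 7 8 9 10 11 12 13 14 15}"
echo "# rc_startup"
vlan_startup_lines $VLAN_IDS
echo
echo "# rc_firewall ($(count_wan_rules $VLAN_IDS) rule(s) reach $(wan_interface))"
vlan_firewall_lines $VLAN_IDS
```

Run it as `VLAN_IDS="6 7 8" WAN_VLANS="6" sh vlan-rules.sh` and check the printed WAN rule count before saving anything: if it is larger than the number of VLANs you intended to give internet access, a rule is naming the wrong interface. Because every generated rule uses `-I`, each is inserted at the top of its chain and the running order ends up reversed; that does not matter here, since all of them are ACCEPT rules with disjoint interface matches, but it is why the count, not the order, is the thing worth checking.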

Those are just the simple firewall changes that can be made. More complex setups can be achieved, but you need to know what you're doing. There's an introduction to iptables that can be found on the DD-WRT site.

That’s it for the router’s configuration. In the third and final part of the post I describe how the VLANs are defined on the Cisco SLM2008 switches that I have connected to the router.

Michael is a Senior Consultant for Xtravirt. If it's got buttons or flashy lights on it then it'll probably be on his radar. When not "mending computers" (it's sometimes easier than explaining "cloud" to relatives), Michael provides essential education, entertainment and trampoline services to his two children.

Comments

  1.

    Hi Michael. These posts are very inspiring. I am a newbie with DD-WRT, and am trying to set up a NETGEAR WNDR3300 running DD-WRT v24-sp2 (10/10/09) std – build 13064 such that I have 2 separate VLANs that share the router and WAN connection. One VLAN needs DHCP, the other VLAN does not. I followed part 1 of these posts, and wondered why VLANs were not isolated until I got to this here Part 2. But I find it a tad overwhelming, since I only care about having 2 VLANs. I now see this
    — snip —
    root@DD-WRT:~# nvram show | grep vlan.*ports
    vlan0ports=1 2 3 5*
    vlan3ports=4 5
    vlan1ports=0 5
    size: 25285 bytes (7483 left)
    root@DD-WRT:~# nvram show | grep port.*vlans
    port5vlans=0 1 3 16
    port3vlans=0
    port1vlans=0
    port4vlans=3 18 19
    port2vlans=0
    size: 25285 bytes (7483 left)
    port0vlans=1
    root@DD-WRT:~# nvram show | grep vlan.*hwname
    vlan3hwname=et0
    vlan1hwname=et0
    size: 25285 bytes (7483 left)
    vlan0hwname=et0
    — /snip —
    I guess I need some iptables stuff now, right? And I am not sure how I can set DHCP to work on one VLAN only.
