DD-WRT - Setting up a separate / isolated VLAN on Port 4 with DHCP
Thursday, 20 November 2008
Written by Kevan   



7)   Select the Administration tab and then the Management sub-tab.

8)   Scroll down until you find the DNSMasq section of the Management tab.

9)   In the Additional DNSMasq Options box paste the following:

 ------------------- Copy starting below this line. -------------------         
interface=vlan2
dhcp-range=192.168.2.100,192.168.2.149,255.255.255.0,1440m

--------------- Stop here when selecting text to copy --------------------------


[Screenshot: DNSMASQ Configuration]

10)  Click the Save Settings button at the bottom of the page.

11)  Go back to the telnet window. At the prompt, type reboot and press <enter>.

You should now have a WRT54G/S/L running DD-WRT with port 4 on its own VLAN and IP network: it can reach the internet, but not the LAN bridge (br0) that carries ports 1-3 and the wireless interface.

If you have any questions or issues please leave a comment and we will see if we can help.

Comments
The iptables rules
Written by confusion on 2006-08-06 14:15:45
I'm no expert in iptables, but if I'm not entirely wrong the iptables rules in fact do not isolate the VLANs from each other?
Written by Kevan on 2006-08-06 21:00:06
DD-WRT's default ruleset protects Br0 from VLAN2. I will admit that there were a few issues with the iptables rules and I have since updated them.  
 
Kevan
The iptables rules
Written by confusion on 2006-08-07 00:03:38
Hmm, I see. Could you provide comments on each of the iptables rules you have applied, that is, what they do? Oh, and what are ppp0 and br0 in this context?
iptables rules
Written by confusion on 2006-08-07 05:02:30
In fact, the assumption as I understand it is that the last port should only get access to the internet. The port and the internet port are defined as vlan2.

iptables -I INPUT -i vlan2 -j ACCEPT
#Accept data destined for vlan2.
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
#Accept data destined to vlan1 from vlan2. Shouldn't there be an ",ESTABLISHED" in there? And what is vlan1? I only saw vlan0 and vlan2 in the setup.

Assuming vlan1 is vlan0, it would mean that it is fine for that single port (-i vlan2) to access vlan0??

iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT

I'm not sure what ppp0 is, but I'm assuming it is the WAN interface. Again, should there not be a --state NEW,ESTABLISHED in there?

iptables -I FORWARD -i br0 -o vlan2 -j logdrop
This one: br0 is a bridge between wireless and vlan0, and here anything coming from this bridge is not allowed to access that isolated port?

Somehow it looks like that single vlan2 port should have access to everything, while the rest of the ports are supposed to be isolated?

Or am I mistaken?
Written by Kevan on 2006-08-07 10:01:41
Let me cover this as best I can... 
 
Br0 is the bridge device for vlan0 and eth1 (Port 1, 2, 3 and wireless). 
 
VLAN1 is the "WAN"/Internet 
 
VLAN2 is the separate VLAN assigned to port 4. 
 
PPP0 is the hardware device that comes into play when using PPPOE. 
 
# Accept data inbound from vlan2 
iptables -I INPUT -i vlan2 -j ACCEPT 
 
# Forward traffic from VLAN2 to VLAN1 (Port 4 to the internet/WAN) 
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT 
 
# Forward traffic from VLAN2 to ppp0 (Port 4 to the PPPOE interface) 
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT 
 
#Drop traffic destined from Br0 to VLAN2.
iptables -I FORWARD -i br0 -o vlan2 -j logdrop

The default rules that exist in DD-WRT do not allow traffic from VLAN2 to Br0. They do however allow traffic from Br0 to VLAN2. This is why the "iptables -I FORWARD -i br0 -o vlan2 -j logdrop" statement is used.

The NEW, ESTABLISHED debate could go on for a while. Again, the default rules in DD-WRT are allowing the "established" connections to come back in via the WAN interface. You could add the ESTABLISHED state for good measure but it does not appear to matter.
 
Kevan 
 
 
 
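As an added example (it is not code from the article, from Kevan or from any commenter), the script below gathers the dnsmasq step of the article and the four rules Kevan explains above into one re-runnable firewall script for DD-WRT. It keeps the article's interface names (br0 for ports 1-3 plus wireless, vlan1 for the WAN, ppp0 for PPPoE, vlan2 for port 4); the 192.168.2.0/24 subnet, the chain names GUEST_IN and GUEST_FWD, the dnsmasq tag name "guest", and the decision to let port 4 reach the router itself only for DHCP, DNS and ping are this example's own assumptions. It tightens two things a reader of this thread would want tightened: Kevan's "-I INPUT -i vlan2 -j ACCEPT" also lets port 4 reach the router's admin pages and telnet, and the vlan2 -> br0 direction is dropped explicitly rather than left to DD-WRT's default rules. It also pins the guest gateway and DNS server per dnsmasq tag, which is the gateway problem vali reports further down.

```shell
#!/bin/sh
# Added example, not the article's or Kevan's code: one script for a
# DD-WRT router that puts port 4 (vlan2) on its own network, lets it reach
# the WAN only, and keeps it off the LAN bridge (br0) in both directions.
# Subnet, chain names and the "guest" tag are this example's assumptions.

GUEST_IF="${GUEST_IF:-vlan2}"            # isolated VLAN (port 4)
GUEST_NET="${GUEST_NET:-192.168.2.0/24}" # its subnet; the router takes .1
LAN_IF="${LAN_IF:-br0}"                  # LAN bridge to protect
WAN_IFS="${WAN_IFS:-vlan1 ppp0}"         # vlan1: static/DHCP WAN, ppp0: PPPoE
IPT="${IPT:-iptables}"                   # IPT=echo prints rules instead of applying

guest_router_ip() {                      # 192.168.2.0/24 -> 192.168.2.1
    net="${GUEST_NET%/*}"
    echo "${net%.*}.1"
}

# Text for the "Additional DNSMasq Options" box.  Giving the range and the
# options the same tag keeps the guest gateway and DNS server (options 3
# and 6) apart from what dnsmasq hands out on br0.  Older dnsmasq builds
# (DD-WRT v23 era) take the same name without the "set:"/"tag:" prefixes.
dnsmasq_options() {
    gw=$(guest_router_ip)
    echo "interface=$GUEST_IF"
    echo "dhcp-range=set:guest,${gw%.*}.100,${gw%.*}.149,255.255.255.0,1440m"
    echo "dhcp-option=tag:guest,3,$gw"
    echo "dhcp-option=tag:guest,6,$gw"
}

build_rules() {
    gw=$(guest_router_ip)
    # DD-WRT ships a "logdrop" chain (LOG, then DROP); fall back to DROP.
    if $IPT -n -L logdrop >/dev/null 2>&1; then drop=logdrop; else drop=DROP; fi
    for c in GUEST_IN GUEST_FWD; do            # private chains: flush on re-run
        $IPT -N "$c" 2>/dev/null || $IPT -F "$c"
    done

    # To the router itself: only what a DHCP client needs.  A plain
    # "-I INPUT -i vlan2 -j ACCEPT" would also expose the admin pages.
    $IPT -A GUEST_IN -p udp --dport 67 -j ACCEPT                 # DHCP (broadcast)
    $IPT -A GUEST_IN -d "$gw" -p udp --dport 53 -j ACCEPT        # DNS via dnsmasq
    $IPT -A GUEST_IN -d "$gw" -p tcp --dport 53 -j ACCEPT
    $IPT -A GUEST_IN -d "$gw" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A GUEST_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A GUEST_IN -j "$drop"

    # Through the router: replies first, then explicit isolation in both
    # directions, then new guest connections to the WAN interfaces only.
    # "-s GUEST_NET" stops a host on port 4 from sourcing another subnet.
    $IPT -A GUEST_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A GUEST_FWD -i "$GUEST_IF" -o "$LAN_IF" -j "$drop"
    $IPT -A GUEST_FWD -i "$LAN_IF" -o "$GUEST_IF" -j "$drop"
    for w in $WAN_IFS; do
        $IPT -A GUEST_FWD -i "$GUEST_IF" -s "$GUEST_NET" -o "$w" \
             -m state --state NEW -j ACCEPT
    done
    $IPT -A GUEST_FWD -i "$GUEST_IF" -j "$drop"   # anything else from the guest

    # Hook in at position 1 so guest traffic never meets DD-WRT's own
    # accept rules first; remove a hook left behind by a previous run.
    $IPT -D INPUT -i "$GUEST_IF" -j GUEST_IN 2>/dev/null || true
    $IPT -I INPUT -i "$GUEST_IF" -j GUEST_IN
    $IPT -D FORWARD -j GUEST_FWD 2>/dev/null || true
    $IPT -I FORWARD -j GUEST_FWD
}

case "${1:-dry-run}" in
    apply)   build_rules ;;
    dry-run) dnsmasq_options; echo; ( IPT=echo; build_rules ) ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the dnsmasq text and the iptables commands without touching the router; run it with "apply" (for example from DD-WRT's firewall script, so it is re-applied at boot) to install the rules. NAT is not added: like the article's setup, it relies on DD-WRT's own MASQUERADE rule on the WAN interface, and the "state" match is what the kernels of that era provide.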
Interesting
Written by mango on 2006-08-27 13:11:00
Hi, Firstly thanks for the in-depth info. 
 
I would like to create an isolated port similar to a DMZ port on some firewall/routers. This would be to host a machine running a website on. 
Could I use this information to achieve this? I would not need DHCP, so if I omit the DNSMasq part, would things still function correctly? I would of course use a static IP and route port 80 to it.
I would like your input if possible to the security aspect of doing this, ie: would my VLAN on the other 3 ports be secure from port 4 and possible attackers would only have access to the new VLAN setup? 
 
Thanks!
Written by pwhalley on 2006-10-20 20:40:30
Hi all, 
 
Thanks to all contributors for all the great work and info that allows us to wring so much value out of the humble WRT. 
 
I have a couple of questions about this process - no doubt because I am a complete NOOB. Please bear with me.

In attempting to find answers before posting, I found this http://www.sns.ias.edu/~jns/wp/2006/03/24/iptables-on-a-linksys-cisco-wrt54gl-broadband-router-howto/#more-135 .
Section 4 refers to problems with changes to the firewall. Is this applicable to DD-WRT v23 sp2?

I am using DD-WRT v23 sp2 on 3 WRT54GS models: 1 v1, 1 v1.1, and 1 v4. My intended config is a v1 router connected to the web and my home net. Initially, all connections to this router will be wired. One of the ports will connect to another of the v1 routers configured for WDS, connecting to the v4 which will have one or more wired PCs connected. Everything coming in to the second WRT over the radio needs to be isolated from my home net. There may eventually be several WRTs connecting to the 'middle' WRT - all equally restricted. I also would like to restrict access to only 'known' PCs - by MAC address I assume - this part can be dealt with later if needed.
 
In the instructions I find " iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT " 
 
This line refers to PPP0. Is this the same as the PPPoE Wan port? If I am using Static IP connection, what should I substitute here? The IP addr.? correct format? 
 
If I want to use DHCP for all connected to the WDS would I be correct to turn it on in the 'middle' WRT? 
 
Ultimately, I will want to see/log stats for each computer so static IP addresses for all might be best. Would it be a bad idea to try to do some kind of static assignment via DHCP? Can I assign an IP addr to a specific MAC address and let DHCP handle gateway and DNS parameters? Is there a better way? I have a SUSE 10.1 server on my private net that I would like to put all the log info on automatically and then be able to access easily with some pgm compatible with both Linux and Windoze. 
 
Please be kind. 
 
Thanks again to all. 
 
Peter
DHCP gateway / route setting
Written by vali on 2006-10-28 08:54:26
For my FON VLAN I used a different network range than my internal network uses. With the settings for the dhcp-range you find in this tutorial, the FON router will not accept the gateway setting the DHCP server sends.

This is, indeed, the correct behavior. I use 10.0.0.0/24 as my internal net, 10.0.2.0/24 for my vlan2. In the standard setting the DHCP server sends in the vlan2 the gateway address 10.0.0.1, which is not in the netmask 255.255.255.0. Unfortunately some clients (e.g. Windows) accept it - and it's working because routing to 10.0.0.1 is allowed from vlan2.

But standards-conforming clients will drop this setting. You need to send the gateway / default route address 10.0.2.1.

To do this, add the following below the dhcp-range= setting:
dhcp-option=3,10.0.2.1
(where 10.0.2.1 is the IP of your router in vlan2)
 
 
I also would hereby confirm that this tutorial also works with the ASUS wl500g Premium (wl500gP). 
 
cheers, 
vali
Written by pwhalley on 2006-11-12 21:01:27
I am losing hope. I have continued my search for answers to my previous post here with no success. Perhaps I should restate my question.

This example references ppp0. Later comments clarify that this is specifically for PPPoE connections to the internet. As a shot in the dark, I replaced "ppp0" with "wan". This seems to work for me. Should it work for an internet connection type of static? Is there a better reference to use?

regards,

Peter

The other thing I would like to do is extend this example to permit access to the admin pages of the WRT providing wireless access and other WRTs over the wireless link also. It would be great if I could put in a line or two that would permit a range of 16 or so IP addresses using wildcards, so I could get to any WRT in my private/protected network (192.168.1.x) in the range of, say, 192.168.1.17 to 32, while making them relatively hard to see on the public/unprotected net on 192.168.2.x.
 
 
Written by supern0va on 2006-11-14 21:13:57
There's an issue with clients on vlan2. Some websites don't work (timeout). Any idea?

Reference thread:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=5977
Written by hcb on 2006-12-09 13:04:20
Hello, 
 
I have to separate 3 VLANs (2 ports for me (flat and garage), one for my neighbours, and a separate one for an external WiFi AP). None of them should have access to the others, of course, and a separate switch will be connected to each port.

Because iptables is not my native language (nor is English :-), I like to make my firewall rules - Provider One like - with fwbuilder.

Is there any way to do this with dd-wrt?

(It is up and running with openwrt and iptables - a friend did the "tables" for me - but I'm not able to build new ones, and I really need to do so :-) and I'd like to use the other advantages of dd-wrt.)

It would be very great if you would give another example... :-)))
 
Thank you!