1 Vogor

Wan Port Assignment Vlan 2

At FlashRouters, our primary goal is to inform users of what they can do if they decide to take control back of their network and learn more about what their router does. From VPN (Virtual Private Network) integration to QoS (Quality of Service) to DNSMasq & Bandwidth Monitoring/Access controls, DD-WRT is a feature laden firmware alternative ready to maximize your router capabilities and performance.

In this post, we will explore a very popular feature most commonly found in alternative firmwares like DD-WRT called VLAN or VLAN tagging.

What is VLAN (Virutal LAN)?

According to Wikipedia,”In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN… More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs…”

Basically a VLAN is a method of created separate networks on the same router for security and segmentation purposes. VLAN setup is a useful procedure if you have some devices on your network that you want to isolate from other devices like multiple guest networks for family friends or office visitors. Provide Internet access with a VLAN without giving them access to your entire network. The settings can easily be changed and adapted to however you want the network to be setup.

VLAN Benefits

A VLAN has the same attributes as a physical local area network (LAN), but it allows for devices to be grouped together more easily even if they are not on the same network switch. Most enterprise-level networks today use the virtual LANs.

Without VLAN functionality, this setup would require a separate, a collection of network cables and equipment separate from the primary network that would be costly and create the need for wiring an entire home or office again. Unlike physically separate networks, VLANs share bandwidth, so VLAN trunks may require aggregated links and/or quality of service prioritization for maximizing the capability.

For many users, VLAN alone is a enough of a reason to switch to third-party alternative firmware, but you can read the Intro to DD-WRT for more.

How to Setup VLAN in DD-WRT

Netgear R7000 AC1900 Nighthawk DD-WRT

Now on to the fun!

In this DD-WRT tutorial, we will setup VLANs for each Ethernet port. This will create a network on each port that is isolated from all the other ports. An Asus RT-AC66U has been used for this tutorial but this same interface is pretty constant throughout any popular DD-WRT enhanced router like the Netgear Nighthawk R7000 AC1900.

VLAN Configuration of Ports 1-4

Go to https://192.168.1.1/ (or your router management IP address) in your web browser.

Select Setup -> VLANs.

Uncheck ports 1, 2, 3, and 4. Place port 1 into VLAN1, port 2 into VLAN2, and port 3 into VLAN3, port 4 into VLAN4. Set the WAN port to VLAN0.

When this is done, the VLAN configuration page should look like this.

 

 

Click Save, then Apply Settings.

VLAN Configuration on Each Port

  1. Next, plug an Ethernet cable into port 1 on the router from your computer.
  2. Unplug the router power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
  3. Go to Setup -> Networking.

In this tutorial, we will create a subnet for each VLAN.

VLAN1 will have the subnet 192.168.1.0. VLAN2 will have the subnet 192.168.2.0. VLAN3 will have the subnet 192.168.3.0. VLAN4 will have the subnet 192.168.4.0.

That means devices on VLAN1 will be assigned addresses such as 192.168.1.15 and for VLAN2 192.168.2.50

Under Port Setup set VLAN1 to Unbridged.

Set the IP Address to 192.168.1.1. Set the Subnet Mask to 255.255.255.0

Change VLAN2 to Unbridged.

Set the IP Address to 192.168.2.1. Set the Subnet Mask to 255.255.255.0

Change VLAN3 to Unbridged.

Set the IP Address to 192.168.3.1. Set the Subnet Mask to 255.255.255.0

Change set VLAN4 to Unbridged.

Set the IP Address to 192.168.4.1. Set the Subnet Mask to 255.255.255.0

Save your changes by clicking Save. When the interface responds, the Port Setup section should look like this.

Below the Port Setup area you will see a section titled DHCPD.

What this area does is allow you to create multiple automatic assignment addresses for IP addresses in a network. So whenever someone authenticates into this section, this VLAN will assign it a user address in your network. This is create 4 sets of automatic assignments within the 4 new segments of your network to be handled by the router automatically in the future.

Under DHCPD click Add. Set DHCP 0 to vlan0 with a Leasetime of 1440 (24 hours). Click Save.

Click Add again. Set DHCP 1 to vlan1 with a Leasetime of 1440 (24 hours). Click Save.

Under DHCPD Click Add. Set DHCP 2 to vlan2 with a Leasetime of 1440 (24 hours). Click Save.

Once again, Once again,Set DHCP 3 to vlan3 with a Leasetime of 1440 (24 hours). Click Save.

And a final time, click Add. Set DHCP 4 to vlan4 with a Leasetime of 1440 (24 hours).

Click Save. Let it save. Then, click Apply Settings.

Once completed, the DHCPD -> Mutliple DHCP Server section should look like this:

Plug your Ethernet cable into any port on the router aside from port 4 or the WAN port. Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.

 Adding Firewall Rules to Isolate the VLANs.

Now we have created 4 network segments but we need to use a firewall to fully isolate them from each other. These commands block all VLANs from communication with each other.

Browse to Administration -> Commands.

Copy and paste the following commands into the Commands text box:

iptables -I  FORWARD -s 192.168.1.0/255.255.255.0 -j DROP
iptables -I  FORWARD -s 192.168.2.0/255.255.255.0 -j DROP
iptables -I  FORWARD -s 192.168.3.0/255.255.255.0 -j DROP
iptables -I  FORWARD -s 192.168.4.0/255.255.255.0 -j DROP

Click “Save Firewall”.

Your DD-WRT VLAN basic configuration is now complete.

Testing the VLAN DD-WRT Setup

To test each VLAN, connect to that wireless network and port. Take note of your IP address and seeing if your local IP address changes in your network. If it changes you have correctly setup VLANs, great job!

Looking for some VLAN ready routers? Check our our full selection of DD-WRT pre-installed routers.

Updated: Nov 14, 2016

Tags:

, DD-WRT Advanced Features, Segment Wireless Network, Separate Subnets in Router, Virtual SSID DD-WRT, VLAN Configuration, VLAN DD-WRT, VLAN Routing, VLAN Tagging, VLAN Tutorial, vpn, What is a Virtual LAN

02 April 2014 Karim Elatov

DD-WRT 3Trunk Port 2


I was running an ESXi host in my home network and I wanted to dedicate on NIC of the ESXi for VM traffic. Since I was planning on having different networks, I decide to plug this NIC into a trunk port of the dd-wrt router. This way, I can just assign the VM to an appropriate virtual network and it will have access to it’s corresponding network.

Add another VLAN to dd-wrt

So I decided to allow vlans 1 and 3 to go through port 4 of the dd-wrt router. First let’s add vlan 3 to the dd-wrt configuration and assign a 10.0.0.0/24 network range to this vlan. This is done in the management UI. Point your browser to the dd-wrt router, after you login you should see the following:

Now let’s add vlan3 to port 4:

  1. Go to Setup -> VLANs.
  2. Uncheck port 4.
  3. Place port 4 into VLAN3.
  4. Click Save, then Apply Settings.

Next let’s configure vlan 3’s network:

  1. Go to Setup -> Networking -> Port Setup
  2. Set Vlan3 to unbridged
  3. Set the IP address to 10.0.0.1
  4. Set the Subnet Mask to 255.255.255.0
  5. Save the configuration

Let’s also enable DHCP for VLAN3:

  1. Go to Setup -> Networking -> DHCPD
  2. Set DHCP 0 to vlan3 with a Leasetime of 3600.
  3. Click Save and Apply Settings

Now let’s bring up the vlan3 interface on boot. To do this:

  1. Go to Administration -> Commands
  2. Enter the following in the commands text field

    PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" ifconfig vlan3 10.0.0.1 netmask 255.255.255.0 ifconfig vlan3 up
  3. Click Save Startup

After it’s done you should see the following under the Start up section:

If you have SSH enabled on the router you can run the following to assign vlan3 to port 4:

Since I was enabling DHCP and defining the network range, I just did that in the UI.

Enabling Trunk VLANs on port 4

These commands have to be run from the command line. To enable SSH on the dd-wrt, follow the instruction laid out here. Before making any changes, I checked out my vlan configuration and here is what I saw:

The ports are described here. From that page:

0 = WAN 1 = port 1 2 = port 2 3 = port 3 4 = port 4

Gigabit routers

[0-4] = Can be forward or reverse like above 8 = CPU internal 8* = CPU internal default

Here are the other numbers mean:

16 = Tagged is checked 17 = Auto-Negotiate is unchecked 18 = 100 Mbit is unchecked or greyed because Auto-Negotiate is checked 19 = Full-Duplex is unchecked or greyed because Auto-Negotiate is checked 20 = Enabled is unchecked.

So from the above we can see port 4 allows vlan3, which is perfect. Now let’s set up vlan1 and vlan3 to come in tagged on port 4 and then enable both VLANS on that port. This can be accomplished with the following:

Then apply the change and reboot the router:

Allow Vlan3 to talk to the internet

The following commands will allow access to the WAN for vlan3:

I was using fwbuilder, so I had to add the vlan3 interface to the configuration and allow access to and from it.

Now I can configure two Virtual PortGroups on my Virtual Switch and tag vlans 1 and 3 on them. Then I can put any VM on any of those networks just by assigning their nics to the appropriate port group.


blog comments powered by

Leave a Comment

(0 Comments)

Your email address will not be published. Required fields are marked *