Difference between revisions of "WRT54GL Linksys Routers"

From HeadBackup
Jump to navigationJump to search
 
(26 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
== Introduction ==
 
== Introduction ==
 +
Note that most of the below information is out of date, as the vlan trunking configuration can now be done completely via the web interface.  Custom DHCP settings and iptables firewall rules can also be entered via the web interface now, so startup scripts are no longer needed.
 +
 
Things I have done with a WRT54GL router running ddwrt custom firmware:
 
Things I have done with a WRT54GL router running ddwrt custom firmware:
  
Line 10: Line 12:
  
 
* Multiple wireless networks on the same router with different SSIDs and different vlan tags
 
* Multiple wireless networks on the same router with different SSIDs and different vlan tags
 +
 +
== WRT54GL port diagram ==
 +
[[Image:WRT54_sw2_internal_architecture.png|640px]]
 +
 +
== Useful Links ==
 +
 +
=== WRT54GL ports in a table ===
 +
http://nuwiki.openwrt.org/toh/linksys/wrt54gl#switch.ports.for.vlans
 +
 +
=== VLAN Detached Networks (Separate Networks With Internet) ===
 +
http://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_(Separate_Networks_With_Internet)
 +
 +
=== 802.1q trunking instructions (old method) ===
 +
http://www.geek-pages.com/articles/latest/802.1q_trunking_on_the_linksys_wrt54g/s/l_with_dd-wrt.html
 +
 +
=== Additional DNSmasq notes (for setting default gateway, etc) ===
 +
http://www.dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server<br>
 +
http://osdir.com/ml/network.dns.dnsmasq.general/2005-08/msg00046.html
  
 
== Details ==
 
== Details ==
 +
 +
=== Custom IPTables Rules ===
 +
To be pasted into Administration -> Commands
 +
 +
==== IPTables Rule to reject traffic from vlan3 to br0 ====
 +
The following rule will block traffic from vlan3 to the default bridge:
 +
<pre>
 +
iptables -I FORWARD -i vlan3 -o br0 -j REJECT
 +
</pre>
 +
 +
==== IPTables Rules to isolate vlans (doesn't address bridging though) ====
 +
<pre>
 +
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
 +
iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT
 +
iptables -I FORWARD -i vlan1 -o vlan+ -j ACCEPT
 +
</pre>
 +
 +
=== Configuring multiple DHCP ranges ===
 +
The instructions linked above suggest adding only the second range under services>Additional DNSMasq Options, however we ran into trouble when the number of connected clients got too large.  The primary range as configured under setup>network setup uses the maximum number of clients to define the end of the range.  This is a problem because your total maximum clients may be much larger when you combine multiple ranges or use subnets larger than /24.  In order to work around this issue we did the following:
 +
 +
# Disable DHCP under setup>network
 +
# Add statements to services>Additional DNSMasq Options to configure all of the DHCP ranges, including the primary one and the maximum number of clients.
 +
<pre>
 +
dhcp-leasefile=/tmp/dnsmasq.leases
 +
dhcp-lease-max=301
 +
dhcp-option=3,192.168.1.1
 +
dhcp-authoritative
 +
dhcp-range=192.168.1.101,192.168.1.200,255.255.255.0,1440m
 +
interface=vlan3
 +
dhcp-range=wifi,192.168.2.50,192.168.2.250,255.255.255.0,60m
 +
dhcp-option=wifi,3,192.168.2.1
 +
</pre>
 +
 +
You can check your work by viewing the config file on the router via ssh at /tmp/dnsmasq.conf before and after making the change.
 +
 +
One side effect of doing this is that you lose the ability to view DHCP status via the web interface.  As a workaround you can view the leases at /tmp/dnsmasq.leases via ssh.
 +
 +
=== Configure an AP running DDWRT to do trunking ===
 +
These steps assume you want to split out the wireless and the wired ports.  Wired will be on vlan2 and wireless will be on vlan3 with both vlans trunked via the WAN port to a vlan aware switch.  This router already has DHCP disabled and is not acting as a firewall, only an AP.
 +
<pre>
 +
nvram set vlan0ports=
 +
nvram set vlan2ports="0 1 2 3 4t"
 +
nvram set vlan3ports="4t 5t"
 +
nvram set vlan3hwname=et0
 +
nvram commit
 +
reboot
 +
</pre>
 +
The last step is to configure your vlans in the web interface as follows:<br>
 +
<br>
 +
[[Image:ddwrt_ap_vlans.jpg]]
 +
<br>
 +
The end result is that you can use the same router to connect wired and wireless devices while keeping them on separate vlans.
  
 
=== Adding a third vlan and network ===
 
=== Adding a third vlan and network ===
These steps assume you already have two other vlans configured.
+
These steps assume you already have two other vlans configured and you only want to trunk the new vlan up to another switch.  Also, there are additional steps required if you wanted to enable DHCP service on the new network.
  
 
==== Add ports to the new vlan ====
 
==== Add ports to the new vlan ====
Line 21: Line 93:
 
nvram commit
 
nvram commit
 
</pre>
 
</pre>
==== Create a startup script to load firewall rules and configure the interface ===
+
==== Create a startup script to load firewall rules and configure the interface ====
 
<pre>
 
<pre>
 
echo '
 
echo '
Line 30: Line 102:
 
iptables -I FORWARD -i vlan4 -o vlan1 -j ACCEPT  
 
iptables -I FORWARD -i vlan4 -o vlan1 -j ACCEPT  
 
iptables -I INPUT -i vlan4 -j ACCEPT   
 
iptables -I INPUT -i vlan4 -j ACCEPT   
ip addr add 10.7.1.7/24 brd + dev vlan4  
+
ip addr add x.x.x.x/yy brd + dev vlan4  
 
ifconfig vlan4 up
 
ifconfig vlan4 up
 
' > /jffs/etc/config/vlan4.startup   
 
' > /jffs/etc/config/vlan4.startup   
 
chmod 750 /jffs/etc/config/vlan4.startup  
 
chmod 750 /jffs/etc/config/vlan4.startup  
 
</pre>
 
</pre>
 +
x.x.x.x/yy is the IP and mask you want to assign to the router on the new vlan.
 +
 +
==== Add the new vlan to the trunk port ====
 +
In the web based DDWRT GUI add the additional vlan to your trunk port.

Latest revision as of 16:09, 15 December 2015

Introduction

Note that most of the below information is out of date, as the vlan trunking configuration can now be done completely via the web interface. Custom DHCP settings and iptables firewall rules can also be entered via the web interface now, so startup scripts are no longer needed.

Things I have done with a WRT54GL router running ddwrt custom firmware:

  • Single router with 2 subnets each with seperate vlan, IP block, DHCP server, and firewall rules.
  • VLAN trunking
  • QoS traffic prioritization based on IP address
  • WPA encrypted wireless point to multipoint bridging

Things I may implement in the future:

  • Multiple wireless networks on the same router with different SSIDs and different vlan tags

WRT54GL port diagram

WRT54 sw2 internal architecture.png

Useful Links

WRT54GL ports in a table

http://nuwiki.openwrt.org/toh/linksys/wrt54gl#switch.ports.for.vlans

VLAN Detached Networks (Separate Networks With Internet)

http://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_(Separate_Networks_With_Internet)

802.1q trunking instructions (old method)

http://www.geek-pages.com/articles/latest/802.1q_trunking_on_the_linksys_wrt54g/s/l_with_dd-wrt.html

Additional DNSmasq notes (for setting default gateway, etc)

http://www.dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server
http://osdir.com/ml/network.dns.dnsmasq.general/2005-08/msg00046.html

Details

Custom IPTables Rules

To be pasted into Administration -> Commands

IPTables Rule to reject traffic from vlan3 to br0

The following rule will block traffic from vlan3 to the default bridge:

iptables -I FORWARD -i vlan3 -o br0 -j REJECT

IPTables Rules to isolate vlans (doesn't address bridging though)

iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT
iptables -I FORWARD -i vlan1 -o vlan+ -j ACCEPT

Configuring multiple DHCP ranges

The instructions linked above suggest adding only the second range under services>Additional DNSMasq Options, however we ran into trouble when the number of connected clients got too large. The primary range as configured under setup>network setup uses the maximum number of clients to define the end of the range. This is a problem because your total maximum clients may be much larger when you combine multiple ranges or use subnets larger than /24. In order to work around this issue we did the following:

  1. Disable DHCP under setup>network
  2. Add statements to services>Additional DNSMasq Options to configure all of the DHCP ranges, including the primary one and the maximum number of clients.
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-lease-max=301
dhcp-option=3,192.168.1.1
dhcp-authoritative
dhcp-range=192.168.1.101,192.168.1.200,255.255.255.0,1440m
interface=vlan3
dhcp-range=wifi,192.168.2.50,192.168.2.250,255.255.255.0,60m
dhcp-option=wifi,3,192.168.2.1

You can check your work by viewing the config file on the router via ssh at /tmp/dnsmasq.conf before and after making the change.

One side effect of doing this is that you lose the ability to view DHCP status via the web interface. As a workaround you can view the leases at /tmp/dnsmasq.leases via ssh.

Configure an AP running DDWRT to do trunking

These steps assume you want to split out the wireless and the wired ports. Wired will be on vlan2 and wireless will be on vlan3 with both vlans trunked via the WAN port to a vlan aware switch. This router already has DHCP disabled and is not acting as a firewall, only an AP.

nvram set vlan0ports=
nvram set vlan2ports="0 1 2 3 4t"
nvram set vlan3ports="4t 5t"
nvram set vlan3hwname=et0
nvram commit
reboot

The last step is to configure your vlans in the web interface as follows:

Ddwrt ap vlans.jpg
The end result is that you can use the same router to connect wired and wireless devices while keeping them on separate vlans.

Adding a third vlan and network

These steps assume you already have two other vlans configured and you only want to trunk the new vlan up to another switch. Also, there are additional steps required if you wanted to enable DHCP service on the new network.

Add ports to the new vlan

nvram set vlan4ports="0t 5t"
nvram commit

Create a startup script to load firewall rules and configure the interface

echo '
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
iptables -I FORWARD -i br0 -o vlan4 -j ACCEPT
iptables -I FORWARD -i vlan4 -o br0 -j ACCEPT
iptables -I FORWARD -i vlan4 -o vlan1 -j ACCEPT 
iptables -I INPUT -i vlan4 -j ACCEPT  
ip addr add x.x.x.x/yy brd + dev vlan4 
ifconfig vlan4 up
' > /jffs/etc/config/vlan4.startup  
chmod 750 /jffs/etc/config/vlan4.startup 

x.x.x.x/yy is the IP and mask you want to assign to the router on the new vlan.

Add the new vlan to the trunk port

In the web based DDWRT GUI add the additional vlan to your trunk port.