Internet Access Only Router: Separate Each Ethernet Port Using DD-WRT

Summary

The goal is to use a secondary router to connect computers to the Internet while ensuring that they do not see any other computers on the LAN. DD-WRT must be installed on the secondary router. Client Mode wireless is used to wirelessly connect the secondary router to the primary router for the purpose of providing an Internet connection to all computers plugged into the secondary router. Each physical port on the back of the router is then placed into its own VLAN (Virtual Local Area Network). Finally, firewall rules are added to the router to prevent communication between VLANs and the rest of the LAN.

The following instructions were written specifically for DD-WRT v24 preSP2 running on the WRT54GS 1.0, but they should work fine on any router that supports VLANs.

IMPORTANT NOTE if you are using the WAN port instead of Client Mode wireless:

  1. On the Setup -> Basic Setup page, do not check “Assign WAN Port to Switch”.
  2. On the Setup -> Networking page, do not set VLAN1 to Unbridged nor give it a DHCP server.

Instructions

  1. Reset router to Factory Default settings
    • Reset either by using the web interface or by doing a 30-30-30 Hard Reset.
    • Go to 192.168.1.1 in your web browser and set the Username and Password.
  2. Client Mode Wireless Setup (for Internet Access)
    • Go to Wireless -> Wireless Security.
      • Configure all settings to match your primary router’s wireless settings.
      • Click Save.
    • Go to Wireless -> Basic Settings.
      • Change “Wireless Mode” to Client.
      • Change “Wireless Network Name (SSID)” to your primary router’s SSID. Capitalization and spelling are important.
      • Click Save.
    • Go to Setup -> Basic Setup.
      • (OPTIONAL) Set the “Router Name” to whatever you desire.
      • Under Network Setup -> Router IP change “Local IP Address” to 192.168.2.1.
      • Check “Assign WAN Port to Switch”.
      • Set the “Time Settings” appropriately.
      • Click Save, then Apply Settings.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
  3. VLAN configuration of ports WAN, 1, 2, and 3.
    • Go to 192.168.2.1 in your web browser.
    • Go to Setup -> VLANs.
      • Uncheck ports 1, 2, and 3. Place port 1 into VLAN2, port 2 into VLAN3, and port 3 into VLAN4.
      • Make sure VLAN1 is not assigned to any bridge.
      • Click Save, then Apply Settings.
    • Plug your Ethernet cable into port 4 on the router if it is not already there.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
    • Go to Setup -> Networking.
      • Under “Port Setup” set VLAN1 to Unbridged.
        • Set the IP Address to 192.168.3.1
        • Set the Subnet Mask to 255.255.255.0
      • Under “Port Setup” set VLAN2 to Unbridged.
        • Set the IP Address to 192.168.4.1
        • Set the Subnet Mask to 255.255.255.0
      • Under “Port Setup” set VLAN3 to Unbridged.
        • Set the IP Address to 192.168.5.1
        • Set the Subnet Mask to 255.255.255.0
      • Under “Port Setup” set VLAN4 to Unbridged.
        • Set the IP Address to 192.168.6.1
        • Set the Subnet Mask to 255.255.255.0
      • Click Save.
      • Under DHCPD click Add.
        • Set DHCP 0 to vlan1 with a Leasetime of 1440 (24 hours).
        • Click Save.
      • Under DHCPD click Add.
        • Set DHCP 1 to vlan2 with a Leasetime of 1440 (24 hours).
        • Click Save.
      • Under DHCPD click Add.
        • Set DHCP 2 to vlan3 with a Leasetime of 1440 (24 hours).
        • Click Save.
      • Under DHCPD click Add.
        • Set DHCP 3 to vlan4 with a Leasetime of 1440 (24 hours).
        • Click Save.
      • Click Apply Settings.
    • Plug your Ethernet cable into any port on the router aside from port 4.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
  4. VLAN configuration of port 4.
    • Go to 192.168.2.1 in your web browser.
    • Go to Setup -> VLANs.
    • Uncheck port 4 and place it into VLAN5.
    • Click Save, then Apply Settings.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
    • Go to Setup -> Networking.
      • Under “Port Setup” set VLAN5 to Unbridged.
        • Set the IP Address to 192.168.7.1
        • Set the Subnet Mask to 255.255.255.0
      • Click Save.
      • Under DHCPD click Add.
        • Set DHCP 4 to vlan5 with a Leasetime of 1440 (24 hours).
        • Click Save, then Apply Settings.
  5. Add Firewall rules to isolate the VLANs.
    • Go to Administration -> Commands.
    • Copy and paste the following commands into the textbox:
        iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
        iptables -I FORWARD -s 192.168.1.0/255.255.255.0 -j DROP
    • Click “Save Firewall”.
    • Command 1 Notes
      • This command blocks communication between all VLANs. If you are using the WAN port to provide Internet access instead of Client Mode wireless, do not unbridge VLAN1 or give it a DHCP server, and add the following commands underneath the first in order to allow communication with VLAN1 (the VLAN that contains the WAN port). Because -I inserts each rule at the top of the FORWARD chain, commands placed lower in the textbox end up higher in the chain, so these ACCEPT rules are evaluated before the DROP. Please note that these commands may not do the trick as they have not been tested:
          iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT
          iptables -I FORWARD -i vlan1 -o vlan+ -j ACCEPT
    • Command 2 Notes
      • This command blocks all communications with the 192.168.1.x subnet. This subnet is likely the only subnet in use on your primary router. Feel free to change it or replicate it to block all of the subnets used on your primary router.
  6. Finalize Settings
    • Go to Setup -> Basic Setup.
    • Click Save, then Apply Settings.
    • Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
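
To confirm that the rules from the “Add Firewall rules to isolate the VLANs” step are in effect after the final reboot, the FORWARD chain can be audited for rule order. The script below is an added example, not part of the original instructions; the function names are hypothetical, the two listings are constructed samples of `iptables -L FORWARD -n -v` output, and it assumes the Client Mode setup, where no ACCEPT between VLANs is intended.

```shell
#!/bin/sh
# Added example: audit `iptables -L FORWARD -n -v` output. First match wins, so
# the vlan+ -> vlan+ DROP must sit above any ACCEPT covering the same traffic.

# Verdict for the listing on stdin: isolated | shadowed | missing
check_isolation() {
  awk '
    function is_vlan(n)   { return n == "*" || n ~ /^vlan/ }
    function all_vlans(n) { return n == "*" || n == "vlan+" }
    NR <= 2 || NF < 9 { next }     # chain line, column header, blank lines
    NF > 9 { next }                # extra matches (e.g. state): conditional, skipped
    $8 != "0.0.0.0/0" || $9 != "0.0.0.0/0" { next }   # address-specific rule
    $3 == "DROP" && all_vlans($6) && all_vlans($7) { print "isolated"; seen = 1; exit }
    $3 == "ACCEPT" && is_vlan($6) && is_vlan($7)   { print "shadowed"; seen = 1; exit }
    END { if (!seen) print "missing" }
  '
}

# Succeeds if a DROP rule names subnet $1 as its source or destination.
lan_blocked() {
  awk -v net="$1" 'NR > 2 && $3 == "DROP" && ($8 == net || $9 == net) { hit = 1 }
                   END { exit !hit }'
}

# Constructed listing: both rules added with -I, as in the instructions.
sample_inserted() {
  cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 DROP       all  --  vlan+  vlan+   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vlan+  *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed listing: the DROP was appended with -A and lands below an ACCEPT.
sample_appended() {
  cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vlan+  *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vlan+  vlan+   0.0.0.0/0            0.0.0.0/0
EOF
}

echo "rules inserted with -I: $(sample_inserted | check_isolation)"
echo "DROP appended with -A:  $(sample_appended | check_isolation)"
```

On the router, pipe the live chain into the same function from a Telnet or SSH session: `iptables -L FORWARD -n -v | check_isolation`.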

Rabins Sharma Lamichhane
