Isolated VLAN with 2 routers running DD-WRT

vdub12

I'm sure this is easy for many of you guys, but for those that have a hard time with it I have a good tip.

I wanted an isolated VLAN that I could use on my bench to keep infected computers away from my network. To do this I used a second WRT54G router, thinking that by giving it a different subnet it would isolate the network. Well, I was wrong. It isolated the bench from my main network but did not isolate my main network from the bench. I already had a switch on my bench and my workstation had to stay on the main VLAN, so I just up-linked the new router to the switch on my bench, making the gateway in the new router my main network. Because of this I could ping my entire network from my bench. Kind of defeated the purpose of the new VLAN.

I found an easy fix.

Both routers are running DD-WRT, but only the new router required tweaking. Go to Administration and click on the Commands tab. In the text box enter these two lines and click the Save Firewall button.

iptables -I FORWARD -s 192.168.0.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.0.1 -j ACCEPT

Make sure you modify the addresses to match your main network. What this does is first block all access to the main network and second allow access to the gateway. If you don't add the second line you will not have Internet access.

I then added a second network card to my bench computer (running Linux, so I am not worried about it) and added it to the second VLAN. I need access to my bench computer for saving images and other file server stuff.

I am sure there's a better way to do it, but this worked.

I found tons of how-tos online and they were all super complicated, and I found this to be a much quicker and easier fix.
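As an added illustration (not from the original post and not DD-WRT's own code), here is a small Python model of how the FORWARD chain evaluates those two commands. It shows two things a practitioner should check: first, that `iptables -I` with no rule number inserts at the head of the chain, so the ACCEPT typed second ends up ahead of the DROP; second, that because both rules match on the source address (`-s`), they drop the replies coming back from main-network hosts rather than the bench's own outbound packets, so a destination-based (`-d`) variant is modelled alongside for comparison. The bench subnet 192.168.1.0/24, the main-LAN host 192.168.0.50 and the Internet address 203.0.113.7 are constructed sample values; the model looks at addresses only and ignores interfaces, NAT and connection-tracking state.

```python
"""Toy model of an iptables FORWARD chain, used to see what the two bench-router
rules from the post actually match. Added example; it simulates address matching
only (no interfaces, NAT or conntrack state), so treat it as a teaching aid."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str                                   # "ACCEPT" or "DROP"
    src: Optional[ipaddress.IPv4Network] = None   # iptables -s
    dst: Optional[ipaddress.IPv4Network] = None   # iptables -d

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (self.src is None or s in self.src) and (self.dst is None or d in self.dst)


@dataclass
class Chain:
    policy: str = "ACCEPT"                        # assumed chain policy for this model
    rules: list = field(default_factory=list)

    def insert(self, rule: Rule) -> None:
        """iptables -I with no rule number: insert at position 1 (the head)."""
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:
        """iptables -A: append at the tail."""
        self.rules.append(rule)

    def verdict(self, src_ip: str, dst_ip: str) -> str:
        """First matching rule wins; fall through to the chain policy."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                return rule.target
        return self.policy


def net(spec: str) -> ipaddress.IPv4Network:
    # Accepts "192.168.0.0/255.255.255.0" (netmask form, as in the post) or a bare host address.
    return ipaddress.ip_network(spec, strict=False)


def build_posted_chain() -> Chain:
    """The two commands from the post, issued in the order they were typed."""
    fwd = Chain()
    fwd.insert(Rule("DROP", src=net("192.168.0.0/255.255.255.0")))
    fwd.insert(Rule("ACCEPT", src=net("192.168.0.1")))   # -I puts this ahead of the DROP
    return fwd


def build_destination_chain() -> Chain:
    """Variant that also matches on destination, so the bench's own outbound
    packets toward the main LAN are dropped, not just the replies."""
    fwd = Chain()
    fwd.append(Rule("ACCEPT", dst=net("192.168.0.1")))   # gateway stays reachable
    fwd.append(Rule("ACCEPT", src=net("192.168.0.1")))
    fwd.append(Rule("DROP", dst=net("192.168.0.0/24")))
    fwd.append(Rule("DROP", src=net("192.168.0.0/24")))
    return fwd


# Constructed sample flows: bench host 192.168.1.10, main-LAN host 192.168.0.50,
# main-LAN gateway 192.168.0.1, and a documentation-range Internet address.
SAMPLE_FLOWS = {
    "bench -> main host": ("192.168.1.10", "192.168.0.50"),
    "main host -> bench": ("192.168.0.50", "192.168.1.10"),
    "bench -> gateway":   ("192.168.1.10", "192.168.0.1"),
    "gateway -> bench":   ("192.168.0.1", "192.168.1.10"),
    "bench -> internet":  ("192.168.1.10", "203.0.113.7"),
}


def evaluate(chain: Chain) -> dict:
    """Verdict for every sample flow under the given chain."""
    return {name: chain.verdict(s, d) for name, (s, d) in SAMPLE_FLOWS.items()}


def rule_order(chain: Chain) -> list:
    """Targets in the order the kernel would walk them."""
    return [r.target for r in chain.rules]


if __name__ == "__main__":
    for label, chain in (("posted rules", build_posted_chain()),
                         ("destination variant", build_destination_chain())):
        print(label, rule_order(chain))
        for name, v in evaluate(chain).items():
            print(f"  {name:20} {v}")
```

Running it shows the posted rules drop "main host -> bench" but let "bench -> main host" through to the chain policy, which is why the poster could no longer complete connections to the main LAN (replies never come back) while one-way UDP packets would still reach it; the destination variant drops both directions while keeping the gateway and the Internet reachable. On a real router you would also want a connection-tracking rule so that replies to bench-initiated Internet traffic are accepted explicitly rather than by chain policy.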
 
I have a separate VLAN for the bench but did it with a network switch (Netgear GS108T for those curious). Just configure the VLANs and port memberships and you're done.

-Randy
 
This can also be done with just one DD-WRT router.

I have one router with two VLANs and two wireless SSIDs. There's plenty of info about it out there, and as long as you have a good DD-WRT capable router, you can do some pretty useful things.
 

I know you can do a lot of hacking with some of the earlier models, but this I never heard of. Thanks for the tip; going to look into it.
 

If you try it, make sure you have a router with enough RAM. I originally tried to get that configuration to work on a WRT54G v6 and it didn't work. The router basically crapped out after a minute or two and I had to reset it. Too much for it to handle because it didn't have enough RAM, only 4 MB I think.

I ended up getting a WRT54GL and it works fine; it has 8 MB of RAM. I actually added an 80mm fan and heatsinks inside the router so that it wouldn't die on me in a few months. I'd probably recommend an even better router if you want to get too crazy with it.
 
The problem with running dual access points is you need to get a router that can support dual MAC addresses, and there is no way of telling which ones do or don't by version number; you just need to take a chance. Linksys used different WiFi chips in the same version router.

For my situation I have one system on my bench that had to be part of the main VLAN and I didn't want to run another cable, so doing it with 2 routers was the best choice. BTW, both of my WRT54G routers do not support dual MAC addresses. Since the router uses MAC addresses for port identification, there is no way to successfully run a virtual access point without a second unique MAC.
 

Very simple solution! It does exactly what I need and in about 2 seconds.
 