How to vlan your network with Tomato.
Since my last post, I have been working to get my home network up on two VLANs, with two working wireless access points. I was surprised at how hard this was, as it seems like a relatively simple setup to me. Let's recap the requirements:
• A private LAN for me to access share drives, media centers, etc. I used 192.168.0.0/24
• A guest LAN with wifi for guest access, and no access to share drives, etc. I used 192.168.10.0/24
• A caching DNS server with internal dns (so I can type r to get to my router, for instance).
How I did it:
I used a total of 3 routers and the Comcast gateway. Here are the details:
Router 1: Cisco/Linksys WRT54GL running Tomato. Used as the gateway for both VLANs/networks, as well as the DNS server and DHCP server. Wireless is off.
Router 2: Netgear WNDR3700 running OEM firmware. Used solely as a wireless G and N access point for my private network.
Router 3: Buffalo WHR-HP-G54 running Tomato. Used as the guest AP for the public network.
Diagram:
I originally thought that by simply double NATing the Buffalo and connecting its WAN port to my Linksys' LAN port, I would have two independent networks. This was not the case. Because the Buffalo was connected through its WAN port, it NATed guest traffic toward the Linksys, and the Linksys routed it to the destination exactly as it would for any internet address, so a guest could still reach 192.168.0.x hosts. As a solution, I found instructions on how to configure Tomato to create a VLAN on a LAN port, then I connected that port (port 4 on router 1) to a LAN port of router 3, and it worked the way I wanted. In discovering the solution, I realized I didn't need a third router, since I could have used the wireless on the existing router as the VLAN, but having separate routers seemed like the "right" solution.
Here's how to set up a separate vlan in tomato:
Do not attempt this unless you are comfortable with the commands, and are willing to void your warranty. This worked for me, but it might cause your router to burst into flames or something. I am not responsible for that. :)
Telnet to the device (yeah, there's no way to do this in the GUI):
Example uses port 4 as the new vlan (vlan2):
nvram set vlan0ports="3 2 1 5*"   # private LAN keeps physical ports 1-3 plus the CPU
nvram set vlan2hwname=et0          # bind the new VLAN to the switch driver
nvram set vlan2ports="0 5*"        # guest VLAN: physical port 4 plus the CPU
nvram commit                       # persist, then reboot; the switch is repartitioned at boot
*Note: Port 5 is the CPU and must be tagged (the *) into every VLAN. Port 0 is a switch port, physical LAN port 4, which is the one being moved into vlan2; it is not the wireless radio. On the WRT54GL the WAN jack is switch port 4 and stays in vlan1, so vlan1ports is left alone. You can carve the ports up differently. Here's the map of physical ports to their logical (CLI) assignment:
Physical port : Logical port.
1 : 3
2 : 2
3 : 1
4 : 0
After the reboot, add a line to Administration > Scripts > Init in the Tomato GUI so the new interface gets an address every boot:
sleep 10; ifconfig vlan2 192.168.XX.1 netmask 255.255.255.0 up;   # wait for the switch/VLAN interfaces to appear, then address the guest side
*XX = whatever subnet you choose (192.168.10 in my setup)
Now we have a VLAN, but we don't have firewall rules for it. To set these up, add the following to Administration > Scripts > Firewall in the Tomato GUI:
iptables -I INPUT -i vlan2 -j ACCEPT;                                   # guests may talk to the router itself (DHCP, DNS)
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;   # guests may open connections to the WAN (vlan1 = DHCP/static WAN)
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;    # same, for a PPPoE WAN
iptables -I FORWARD -i br0 -o vlan2 -j DROP;                            # private LAN may not reach guests
Taken together, these give port 4 (vlan2) access to the WAN and nothing else. The INPUT rule lets guest clients reach services on the router, which DHCP needs; note that it accepts every port, so the router's web admin and telnet/SSH are reachable from the guest side too, and you should at least protect them with a strong password. The two FORWARD ACCEPTs let guests start new connections toward the WAN only, and the br0 -> vlan2 DROP stops private hosts from reaching guests. There is no ACCEPT for vlan2 -> br0, so guest-to-private traffic falls through to Tomato's default DROP policy on the FORWARD chain rather than an explicit rule; it is blocked, but only as long as nothing else in the chain accepts it first.
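As an added example, not from the original post, here is a tighter version of the same firewall step for the Administration > Scripts > Firewall box. It keeps the post's intent (guests get the WAN and nothing else) but drops guest and private traffic in both directions explicitly, keeps the rules in dedicated chains so they read top-down instead of in the reversed order that repeated -I produces, and only opens DHCP and DNS on the router itself. The interface names and addresses are assumptions taken from the post: vlan2 is the guest port, br0 the private bridge, vlan1 the WAN (use ppp0 for PPPoE) and 192.168.10.0/24 the guest subnet.

```shell
#!/bin/sh
# Added example (not the post's own rules): a tighter guest-VLAN firewall for
# Tomato's Administration > Scripts > Firewall box.
# Assumed names: vlan2 = guest port, br0 = private LAN bridge, vlan1 = WAN
# (ppp0 for PPPoE), 192.168.10.0/24 = guest subnet, 192.168.10.1 = its gateway.
IPT="${IPT:-iptables}"              # IPT=echo prints the rules instead of loading them
GUEST_IF="${GUEST_IF:-vlan2}"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan1}"
GUEST_NET="${GUEST_NET:-192.168.10.0/24}"
GUEST_GW="${GUEST_GW:-192.168.10.1}"

guest_firewall() {
    # Dedicated chains filled with -A, so the policy reads top to bottom.
    $IPT -N guest_in  2>/dev/null
    $IPT -N guest_fwd 2>/dev/null
    $IPT -F guest_in
    $IPT -F guest_fwd

    # Packets addressed to the router itself (INPUT). DHCP discovers arrive as
    # broadcasts from 0.0.0.0, so that rule has no source filter. DNS and ping
    # are accepted only on the guest gateway address, never on the router's
    # private IP. Everything else (web admin, telnet/ssh) is dropped.
    $IPT -A guest_in -p udp --dport 67 -j ACCEPT
    $IPT -A guest_in -s "$GUEST_NET" -d "$GUEST_GW" -p udp --dport 53 -j ACCEPT
    $IPT -A guest_in -s "$GUEST_NET" -d "$GUEST_GW" -p tcp --dport 53 -j ACCEPT
    $IPT -A guest_in -s "$GUEST_NET" -d "$GUEST_GW" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A guest_in -j DROP

    # Forwarded packets entering or leaving the guest port (FORWARD). Replies to
    # guest->WAN connections pass first; guest<->private is dropped before any
    # NEW rule can match; guests may only open connections toward the WAN.
    $IPT -A guest_fwd -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A guest_fwd -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    $IPT -A guest_fwd -i "$LAN_IF" -o "$GUEST_IF" -j DROP
    $IPT -A guest_fwd -i "$GUEST_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    $IPT -A guest_fwd -j DROP

    # Hook the chains in at the head of INPUT/FORWARD so Tomato's own
    # "-i br0 -j ACCEPT" cannot let private hosts reach the guest port first.
    $IPT -I INPUT   -i "$GUEST_IF" -j guest_in
    $IPT -I FORWARD -i "$GUEST_IF" -j guest_fwd
    $IPT -I FORWARD -o "$GUEST_IF" -j guest_fwd
}

# "sh guest-fw.sh show" prints the rules; "sh guest-fw.sh apply" loads them.
# In the Tomato firewall box, paste the file and end it with a line: guest_firewall
case "${1:-}" in
    show)  IPT=echo; guest_firewall ;;
    apply) guest_firewall ;;
esac
```

The DNS rules only matter if you hand guests the router as their resolver (DHCP option 6 set to the guest gateway); with 8.8.8.8 as in the post, guests never query the router and those two lines simply never match. Dropping everything else to the router closes the admin interface and any other listening service on the guest side, which the plain `-I INPUT -i vlan2 -j ACCEPT` leaves open.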
Now we need to set up DHCP on vlan2. Add these lines to the Dnsmasq custom configuration box under Advanced > DHCP/DNS:
interface=vlan2                                                        # make dnsmasq listen on the guest interface as well
dhcp-range=net:vlan2,192.168.XX.200,192.168.XX.249,255.255.255.0,1440m   # pool .200-.249 for requests arriving on vlan2, 24-hour leases
dhcp-option=vlan2,3,192.168.XX.1                                       # option 3: default gateway = the vlan2 address set in the init script
dhcp-option=vlan2,6,8.8.8.8                                            # option 6: DNS server handed to guests
Here you'll want to substitute your subnet for the "XX" values, as well as possibly adjust the DHCP address pool to your needs. In my example it begins at .200 and ends at .249. You can also change the "8.8.8.8" value in the final line to whatever DNS server you prefer; pointing it at 192.168.XX.1 instead would run guests through the router's caching resolver, which is why the INPUT rule above has to allow traffic to the router.
Once that is done, all that is left is to verify that the VLANs cannot reach each other, and to give the guest network a Low QoS priority. Both are easy from the Tomato UI. For the first, connect a client to the guest port and try the private gateway address (192.168.0.1), a share on the private LAN and the router's admin page; then from a private host, ping a guest client. Only the internet should work from the guest side. For the second, visit the QoS area and make a rule that sets 192.168.XX.0/24 (or whatever you chose) to the priority you want.
There you have it! A separate guest subnet which gives you some isolation, and prioritization. This is also good for sharing your home internet connection with a neighbor, if your ISP allows.
Comments
http://woot.com (Linksys Wireless-G 4 Port Broadband Router with SpeedBooster).
Tomato is pretty and stable.
Are the port assignments the same on the Buffalo when setting nvram up?
First a question for you: Why do you want separate VLANs? The purpose of a VLAN, and the reason I set one up, was to segment my networks, and prevent communication from one to the other. If you're not looking for that, a VLAN might not be what you want. Depending on your goals, you might want to explore subnetting instead.
If you have a more complicated setup, there is a solution. The VLAN is a layer 2 concept (at the MAC address level), so if you add a layer 3 switch or router (IP level), you'll be able to allow and intelligently control (via a firewall) access between your VLANs.
More general info is here: https://en.wikipedia.org/wiki/Virtual_LAN. I hope this is helpful.