Creating a separate Guest Network with Tomato
A neighbour recently asked me whether he could use my wireless network for internet access (paying me a few Euro per month for it). The problem with my setup at the time was that giving him access to the wireless would have meant giving him access to my whole network, including all my machines' SMB shares and so on. So I needed a way to put the neighbour's PCs into a separate network that can only reach the internet, not my LAN. In the following I explain how I did this with a Linksys WRT54GL router running the latest version of the Tomato firmware.
Prerequisites
First, let's see what we need:
- basic knowledge of networks, routers, firewalls and WLAN
- a WRT54GL router running Tomato (version 1.25 at the time of this writing; other routers capable of running Tomato may or may not work, since the internal switch port numbering differs between models)
- a separate wireless access point for the guest WLAN
- some time to configure and set it all up
Configuring the Router
The first step is to set up the router as usual for your internal network. I won't show how this is done here, since there are plenty of guides around the net. Make sure to enable telnet or SSH on the router so you have access to the CLI (prefer SSH; telnet sends your password in the clear). Also give the router a strong password, or your neighbour will be able to mess with your router's settings.
Next we set up a separate network on the router. The easiest way to do this is a separate VLAN. Since Tomato has no GUI for VLAN management, this has to be done from the CLI. Once logged in, run the following commands to move the router's LAN port 4 into its own VLAN:
nvram set vlan0ports="3 2 1 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5*"
nvram commit
Port 4 is now separated from the rest of the switch. Port 5 is the switch's internal link to the router CPU and has to stay in every VLAN; the WAN port (internal number 4) lives in vlan1 together with it. You can also put more than one port into the second VLAN: just move the corresponding port numbers from vlan0ports to vlan2ports, and make sure you don't list a port in both. On the WRT54GL the ports are numbered internally like this:
External port   | WAN | 1 | 2 | 3 | 4
Internal number |  4  | 3 | 2 | 1 | 0
That's all for the VLAN setup. We can now leave the CLI and configure IPs, DHCP and the firewall through the GUI.
First let's give our new VLAN an IP. This is done with the startup scripts, which can be edited in the web GUI. Go to Administration → Scripts → Init and put the following into the text field:
sleep 10
ifconfig vlan2 192.168.11.1 netmask 255.255.255.0 up
Adjust the IP and netmask to your needs, and make sure the address is not in the same subnet as your internal LAN (e.g. if your internal LAN uses the default 192.168.1.x range, put the guest network on anything other than 192.168.1.x). Don't forget to hit Save afterwards.
Next let's set up some firewall rules that allow internet access but block access to the internal LAN. Go to Firewall in the Administration → Scripts section and put the following code there:
# -I inserts each rule at the top of its chain, so the last line here is checked first
iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
# block everything from the guest VLAN into the internal LAN bridge
iptables -I FORWARD -i vlan2 -o br0 -j DROP
With this, VLAN 2 has access to the internet but not to the internal LAN. vlan1 is the WAN interface; ppp0 is the WAN interface if you connect via PPPoE, so only the line matching your setup is actually needed (the other one is harmless). Note that the INPUT rule lets guest machines talk to the router itself, which they need for DHCP, but it also exposes the router's web interface and SSH/telnet to them; this is why the strong admin password matters. Again hit Save when done.
The last thing to do is to set up dnsmasq to hand out IPs for the guest network. Go to Advanced → DHCP / DNS and put the following into the Custom Configuration field:
interface=vlan2
dhcp-range=net:vlan2,192.168.11.200,192.168.11.249,255.255.255.0,1440m
dhcp-option=vlan2,3,192.168.11.1
dhcp-option=vlan2,6,208.67.222.222
This hands out IPs in the range 192.168.11.200 - 192.168.11.249 with a lease time of 24 hours. It also sets the default gateway announced via DHCP to 192.168.11.1 (the router) and the DNS server to 208.67.222.222 (an OpenDNS server). Again, change the IPs so they match the address you gave vlan2 earlier. Hit Save again and finally reboot the router.
After the reboot, connect a PC to the router's port 4 (or whichever port your separate VLAN is on) and check that it gets an IP from the range you configured in DHCP. Also test that you can reach the internet but not your local network: ping a machine on the LAN and try to open an SMB share or the router's LAN IP, both of which must fail. If it works as expected, the configuration of the router is finished.
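The complete router-side firewall script, as an added example that is not part of the original post or of Tomato itself. The interface names vlan2, br0, vlan1 and ppp0 are the ones used in this tutorial and are assumptions for other routers. Compared with the one-liner above it tightens the INPUT rule so that guests can only reach the router for DHCP, DNS and ping (not its web UI or SSH/telnet), and it makes explicit a subtlety the short version hides: because iptables -I inserts at the top of the chain, the rules have to be issued in reverse of the order in which you want them evaluated.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Tomato project.
# It generates the content of Administration -> Scripts -> Firewall for an
# isolated guest VLAN. Interface names follow the tutorial and are assumptions
# for other routers: vlan2 = guest VLAN, br0 = LAN bridge, vlan1 = WAN
# (ppp0 when the WAN is PPPoE). Set IPT=echo to print the rules instead of
# loading them.
GUEST_IF=${GUEST_IF:-vlan2}
LAN_IF=${LAN_IF:-br0}
WAN_IFS=${WAN_IFS:-"vlan1 ppp0"}
IPT=${IPT:-iptables}

# Rules in the order the kernel should EVALUATE them (first match wins).
guest_rules() {
    # Traffic to the router itself: guests get DHCP, DNS and ping, nothing
    # else. A plain "-i vlan2 -j ACCEPT" would also expose the web UI and
    # SSH/telnet to them.
    printf '%s\n' \
        "INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT" \
        "INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT" \
        "INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT" \
        "INPUT -i $GUEST_IF -p icmp --icmp-type echo-request -j ACCEPT" \
        "INPUT -i $GUEST_IF -j DROP" \
        "FORWARD -i $GUEST_IF -o $LAN_IF -j DROP"
    # Forwarded traffic: guests may open new connections towards each WAN
    # interface only; replies are accepted by Tomato's own ESTABLISHED,RELATED
    # rule, which sits below everything this script inserts.
    for wan in $WAN_IFS; do
        printf '%s\n' "FORWARD -i $GUEST_IF -o $wan -m state --state NEW -j ACCEPT"
    done
}

# "iptables -I" puts each rule at the TOP of its chain, so the script has to
# issue the rules in reverse evaluation order: the last command run ends up
# as the first rule matched. Issuing them in evaluation order instead would
# let the INPUT DROP shadow the DHCP ACCEPT and leave guests without addresses.
render_guest_firewall() {
    guest_rules | awk -v ipt="$IPT" \
        '{ r[NR] = $0 } END { for (i = NR; i > 0; i--) print ipt " -I " r[i] }'
}

# Number of rules the script loads; compare against
# "iptables -L INPUT -n --line-numbers" after a reboot.
rule_count() {
    guest_rules | wc -l | tr -d ' '
}

# Load the rules; this is what the Firewall script field ends up running.
apply_guest_firewall() {
    render_guest_firewall | while IFS= read -r cmd; do
        eval "$cmd"
    done
}
```

Running the functions with IPT=echo prints the eight iptables commands in the order they must appear in the Firewall script field; paste that output there, or paste the functions followed by a call to apply_guest_firewall. After a reboot, "iptables -L FORWARD -n -v --line-numbers" should list the vlan2 → br0 DROP above the two NEW accepts, and "iptables -L INPUT -n --line-numbers" should show the four accepts above the vlan2 DROP.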
Configuring the Wireless Access Point
Next we configure the separate access point. The most important setting here is the IP of the access point: it has to be in the same subnet as the vlan2 IP set on the router. In my example you can use anything from 192.168.11.x, for example 192.168.11.2. The even easier method is to set it to use DHCP, so it automatically gets an IP from the router's configured range. Disable the access point's own DHCP server, so that only dnsmasq on the router answers requests on the guest network. The other settings like SSID, encryption and so on depend on your access point and on how you want your WLAN configured; use WPA2 with a passphrase that differs from your own WLAN's, not WEP, which is broken. When you are done configuring the AP, connect it to the router's port 4 and start it up. If you connect to this WLAN now, you should be able to access the internet but not the LAN.
Advanced Stuff: QoS and Access Restriction
If you want some control over what is done with your bandwidth, you can set up QoS rules or block access to specific services or sites with Tomato's QoS and Access Restriction settings. I won't go into detail here; just use 192.168.11.0/24 as the source address for the rules. For QoS, make sure to put the rule restricting the guest network first, since the first matching rule is used (if, for example, you have a rule prioritising HTTP traffic before the guest rule, Tomato will also prioritise HTTP traffic from the guest network).
That's it. I hope this works as well for you as it did for me. If you have questions or suggestions, leave a note below.
Comments
Yes, that's what the steps up to there do. They set up a separate network on the chosen port (port 4 in my example) that only has access to the internet but is blocked from the network on the other ports and the router's WLAN. The "safe" network has no access to the one on port 4, and the net on port 4 has no access to the rest. So it should work well for your case.
Good article! I think this is a great way to have a true DMZ for servers with Tomato. Use the following firewall code (untested, should work):
iptables -I INPUT -i vlan2 -j ACCEPT;
# forward traffic between DMZ and LAN
iptables -I FORWARD -i br0 -o vlan2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i vlan2 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward traffic between DMZ and WAN
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i vlan1 -o vlan2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Thank you for your reply.
My setup is a bit different, but not fully thinking about the implementation I went ahead and did it anyway.
I have a WRT54GL downstairs that acts as a router and connects through PPPoE to the internet. A single cable (have no way of dragging another…there's no place) goes upstairs into my second WRT54GL that acts as an AP/switch:
WAN --- WRT54GL router ---------------- WRT54GL AP/switch -------- my PC
                                               |
                         I want one of the ports here to be in the 2nd VLAN
Both are running Tomato.
The reason I'm saying I didn't think it through is since I did exactly what you posted (apart from changing my vlan2 IP to 192.168.2.1….vlan0 is 192.168.1.1) on my upstairs AP/switch.
Now I'm still able to access the internet, the rest of the LAN from ports 3 2 1 (vlan0), but have no internet access on port 0 (I get the 192.168.2.x IP from DHCP, gateway, DNS that was configured by following your tutorial).
Since this was meant to be done on a router, not a switch is it still possible to do what I want, and how? Should my router be configured differently (made “aware” of the VLANs), please keep in mind that wireless doesn't reach upstairs and I have no way of getting two cables up as well.
Any assistance would be greatly appreciated.
If I understand correctly, the second router works as a switch/AP only? Meaning you only have your 192.168.1.x for vlan1 and also for the router, and vlan2 with the 192.168.2.x? For this to work you will have to modify the iptables rules on the switch/AP.
If that is the setup, you will have to make a rule that allows traffic to/from your router IP in and out of the VLAN. So you have to insert a rule before the last "DROP" one in my example that allows all traffic coming from the router's IP into the second VLAN. It should be something like this:
iptables -I FORWARD -i br0 -o vlan2 -s <router IP> -j ACCEPT;
(can't test this since I don't have your setup)
Yes, the WRT54GL upstairs only acts as an AP/switch and has an IP of 192.168.1.2, the router downstairs has an IP of 192.168.1.1 All the configuration I've done has been performed on the AP (the router downstairs was untouched).
The nvram show | grep vlan.ports command outputs my switch configuration:
vlan0ports=3 2 1 0 5*
vlan1ports=4 5
vlan2ports=0 5*
ipconfig/all on a client hooked up to port 4 (vlan2) shows:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1F-53-24-29-72
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::592b:ec7:bc62:73d3%8(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.216(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 29. september 2009 15:31:03
Lease Expires . . . . . . . . . . : 30. september 2009 15:31:03
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 201333795
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-69-A1-2C-00-1C-23-2C-29-72
DNS Servers . . . . . . . . . . . : 193.189.160.13
NetBIOS over Tcpip. . . . . . . . : Enabled
route print on a client hooked up to port 4 (vlan2) shows:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1  192.168.2.216      20
        127.0.0.0        255.0.0.0         On-link       127.0.0.1     306
        127.0.0.1  255.255.255.255         On-link       127.0.0.1     306
  127.255.255.255  255.255.255.255         On-link       127.0.0.1     306
      192.168.2.0    255.255.255.0         On-link   192.168.2.216     276
    192.168.2.216  255.255.255.255         On-link   192.168.2.216     276
    192.168.2.255  255.255.255.255         On-link   192.168.2.216     276
        224.0.0.0        240.0.0.0         On-link       127.0.0.1     306
        224.0.0.0        240.0.0.0         On-link   192.168.2.216     276
  255.255.255.255  255.255.255.255         On-link       127.0.0.1     306
  255.255.255.255  255.255.255.255         On-link   192.168.2.216     276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination           Gateway
  1    306 ::1/128                       On-link
  8    276 fe80::/64                     On-link
  8    276 fe80::592b:ec7:bc62:73d3/128  On-link
  1    306 ff00::/8                      On-link
  8    276 ff00::/8                      On-link
===========================================================================
Persistent Routes:
  None
I'm unable to ping anything on the LAN (other vlan) or internet be it by IP or host.
Windows diagnostics came up with this: http://www.shrani.si/f/1w/c9/10p8LrQQ/fw.png
Here are additional screenshots as to how the AP/switch is configured:
http://www.shrani.si/f/1g/fP/2k6T0eem/basicnetwork.png
http://www.shrani.si/f/3N/Qw/1VjGOYpa/advanceddhcp.png
http://www.shrani.si/f/20/10C/2OZmpnvn/scriptsinit.png
http://www.shrani.si/f/1V/DD/Q1DG00o/scriptsfirewall.png
Please let me know if my config, anything else would benefit you in assisting me.
Ok, can you ping the primary router 192.168.1.1 from vlan2? Also you will have to change the line
dhcp-option=vlan2,3,192.168.2.1
in advanced dhcp options to
dhcp-option=vlan2,3,192.168.1.1
This is because router 2 is not really a router and therefore can't be a gateway for the internet. If you can't ping the primary router from vlan2, there is still something wrong with the iptables rules.
I've made the correction in advanced DHCP and still can't ping my router from vlan2.
ipconfig /all output is now (I'm only pasting the relevant part):
IPv4 Address. . . . . . . . . . . : 192.168.2.216(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1 DHCP Server . . . . . . . . . . . : 192.168.2.1
Since the default gateway is now in 192.168.1.x and the IP I get from DHCP is 192.168.2.x, is that OK? I don't have the slightest idea what to change in the iptables rules, but I am more than willing to follow any advice you have to offer.
Seiichiro, can you offer any suggestions as to what to try next, I'd really like to have this working, but am lacking the knowledge.
It doesn't work for me after those commands. Port 0 is always in VLAN 0 when I reboot, even though I commit the NVRAM. I don't know why. I have a WRT54GL with Tomato 1.25.
vlan0hwname=et0
vlan0ports=3 2 1 0 5
vlan1hwname=et0
vlan1ports=4 5
vlan2hwname=et0
vlan2ports=0 5*
wan_iface=vlan1
wan_ifname=vlan1
wan_ifnameX=vlan1
wan_ifnames=vlan1
Could you help me ?
Well, I just checked how this is on my own router, and actually the "0" port is also listed in vlan0ports after reboot. But the setup is working fine regardless of that...
Sorry for the delay, but I switched internet providers at home and also my laptop broke... Well, I just read through our conversation again and somehow I think my last advice wasn't right. So you should set the dhcp-option back to dhcp-option=vlan2,3,192.168.2.1 . Also, after this correction, can you try to ping the 192.168.1.1 router from the PC in VLAN2? Furthermore, can you post the output of the command "route" on the router (the one with the vlan2) itself?
Seiichiro, many thanks for your tutorial. That was exactly what I was looking for. It works perfectly.
BR Miki
Good stuff, exactly what I needed. Thanks!
While this does work on an older model (WRT54G version 1-4 in my case), the ports have different names internally; the slightly more logical 1 2 3 4 instead of 3 2 1 0. Keep this in mind while performing the first step.
Hopefully this will help somebody else with older routers.
(According to Wikipedia the numbering scheme changed with the WRT54GL)
Thanks again for the guide :)
Not a problem, just don't give up on me
I've changed it back to dhcp-option=vlan2,3,192.168.2.1 and am unable to ping the router (192.168.1.1).
Here's the output of route on the AP:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 vlan2
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
Ok, the routing looks about right, so it seems to be some iptables problem. You could try to add the following rule to the iptables:
iptables -I FORWARD -i vlan2 -o br0 -d 192.168.1.1 -j ACCEPT;
EDIT: typo corrected!
I now have these iptables:
iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -s 192.168.1.1 -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i vlan0 -o br0 -d 192.168.1.1 -j ACCEPT;
and am still unable to ping the 192.168.1.1 router and naturally connect to any website.
try changing the order like this, and also correct my typo, it should have been vlan2:
iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -s 192.168.1.1 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o br0 -d 192.168.1.1 -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -j DROP
Seiichiro, thank you so much for trying to assist me, unfortunately I'm still unable to ping my 192.168.1.1 router even after the last change.
…please don't give up on me, I'll continue to test whatever you throw at me.
“vlan0ports=3 2 1 0 5* vlan1ports=4 5 vlan2ports=0 5* ”
Is that correct? You have port 0 assigned to both vlan0 and vlan2. Could that be your problem?
I'm trying to do the same thing. It'd be nice to see your setup working.
Oops. Just read the comment below. I guess port 0 being in both vlan def isn't the problem.
I was thinking you have to set the route between the .2.1 vlan IP to the WAN port on the 1st router (the one connected to the internet). And maybe pinging .1.1 isn't working because ping is disabled on the 1st router?
Simon, I wish that was the case, but I'm able to ping the router from all other machines. Also I have no internet connectivity when on the 192.168.2.x VLAN.
Seiichiro, would you be so kind to provide the easiest way to get my AP back to the default settings…it appears this won't happen.
Many thanks for all your effort.
Thank you so much for these instructions.
It's working for me on my Asus WL-520gu. I just used 4 instead of 0 for my port numbers.
Now tomato does everything I need it to so I don't have to get it from dd-wrt.
It's great that even the bandwidth and qos tools continue to work with this change.
Perhaps some comments on each of the iptables entries would be useful.
I'm not really sure what the output interface ppp0 is for. Is it for PPPoE?
I'm using a DHCP address from my ISP so do I still need this entry?
# nvram show | grep ifname
lan_ifname=br0
lan_ifnames=vlan0 eth1 eth2 eth3
pppoe_ifname=
wan_ifname=vlan1
wan_ifnameX=vlan1
wan_ifnames=vlan1
wl0_ifname=eth1
wl_ifname=eth1
Sorry it didn't work for you. Normally pressing the reset button at the back of the router should be enough to reset it to the standard settings.
That's right, the ppp0 interface is for PPPoE. Since you seem to have vlan1 as your internet interface and no PPP, it should work without the ppp0 line. Also, the other way round, it should work without the "vlan1" line for people on PPPoE.
What about separating the built-in wifi and the lan? Any easy way to do this?
Thanks so much for this post, it has been very helpful and works flawlessly. I do have one question though - what would be the steps to REMOVE a vlan in Tomato?
By following your guide I was able to set up a second subnet 10.0.0.0/24. I am using an Asus RT-N16. I have named the VLAN vlan3, because vlan1 and vlan2 are already used by default. The setup is working well, and there are no issues with connectivity. But I noticed that the QoS rules that I had assigned from the Tomato GUI QoS page don't work. Can this be solved?
Hi,
I have set this up and it seems to be working OK.
But people on vlan2 are reporting problems.
One example is that I cannot access free.fr on vlan2.
ping free.fr does work though, but the website doesn't display.
Any ideas?
So, on vlan1, everything works cool.
On vlan2, I have to manually set the MTU to 1492 on the clients in order for everything to work OK.
On vlan1, everything works OK with the clients on manual; how can I make this the same on vlan2?
fixed this problem.
reference here:
https://ftp.dd-wrt.com/phpBB2/viewtopic.php?t=69491
For the firewall scripts, instead of:
iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -j DROP;
it should be this:
iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -j DROP;
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu;
oops.
instead of:
iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -j DROP;
try this:
iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -j DROP;
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu;
well i can't make it look like code, but you get the idea.
Great Tutorial! Instead of completely isolating the guest network I would like to offer the guest network access to two networked printers on the first vlan. I have removed all the firewalls but still cannot seem to ping accross the two networks. Once I figure this I was going to re-write the firewall rules to block all access from vlan2 (new) to vlan1 (old) except the specific IP's of the two printers.
How would I do this? Any help is appreciated.
Sorry for my ignorance. I have a question. The connection from router 1 to the second router should be: port 4 to WAN?
thanks.
So I have this setup now.
Some machines on one VLAN can see machines on the other VLAN in the 'SHARED' list that comes up in the sidebar in Finder in Mac OS 10.5 or 10.6.
This is not good, no?
I wanted to do the same thing, I tried the following and it seemed to work:
In Tools → System, paste the following:
nvram set vlan0ports="3 2 1 0 5*"
nvram unset vlan2hwname
nvram unset vlan2ports
nvram commit
Click Execute.
Remove the scripts that were added to Administration → Scripts → Firewall and Administration → Scripts → Init, and remove the text added to Advanced → DHCP / DNS.
Reboot the router.
A bit late for the poster, but others may find handy.
Hello,
Great tutorial ! My WRT54GL DMZ is running!
But after a reboot, any time I
# nvram show | grep vlan.ports
vlan0ports=3 2 1 0 5*
vlan1ports=4 5
vlan2ports=0 5
I see port 0 both in vlan0 and vlan2. I nvram set vlan0ports="3 2 1 5*" and nvram commit, but after reboot the result is the same. Any idea why port 0 is split like this?
Thx, Lau
Hello!
Thanks for this tutorial! But I have a different problem: I didn't want to separate a LAN port through a VLAN, I want to separate the WLAN. I'm sharing my internet connection with my neighbour and he is connected via WLAN. I don't need WLAN myself, so I want to put him in his own subnet.
I already tried this with DD-WRT and it works, but is there any way to do this with Tomato? I still want to use Tomato, because I love the great QoS and the traffic monitor.
Thanks for help!
Best regards
Thanks for the tutorial. I set up QoS on vlan2 and see in the QoS Details view that Source and Destination are reversed. Also the Destination shows only my external IP instead of the client on vlan2.
Proto  Source          S Port  Destination   D Port  Class
TCP    63.245.209.115  443     24.85.xx.xx   2016    Class C
TCP    67.195.9.75     80      24.85.xx.xx   2007    Class C
Anyone else experience that? Any explanation?
After a long time of trying I found the solution to separate the WLAN from the LAN using the Tomato firmware. In case anybody needs the same, I attach the answer for you.
Have a nice day!
Hi!
Has anyone tried the guide provided by muffin/Tweek (comment #43)?
Seems simple enough but just wanted to confirm it wasn't some kind of exploit that would open my firewall to everyone on the Internet ;)
Thanks
the last line of the iptables entry: iptables -I FORWARD -i br0 -o vlan2 -j DROP;
should be: iptables -I FORWARD -i vlan2 -o br0 -j DROP;
for our goal to work.
@dcbanaynal: actually both do work, since with my version we block responses from br0 to vlan2. But the better approach is indeed to block traffic from entering the "normal" LAN, like your version does. I updated the page accordingly.
FWIW, I have implemented muffin/Tweek (comment #43) and it appears to work well for what I want: simply to have the one existing guest WiFi subnet separate from the wired subnet (no need for a second private WiFi network or AP). I can also confirm that devices connected to the guest WiFi subnet appear in Tomato's device list, and that the ability to schedule the WiFi to turn on/off through Tomato's UI still works. If anyone knows of any security issues with this approach, I'd like to know; otherwise it works for me. Also, would anyone know if Tomato's QoS settings still manage the guest WiFi devices using these mods? Thanks!
Re: my comment #47 above (using the muffin/Tweek mod): turning WiFi on/off via the Tomato UI doesn't work. It turns back on using the SSID that is in the UI (not the SSID in the script) and is all confused... sigh.
Thanks, I was just looking for this. New routers have this kind of functionality on board, but I want to use my WRT54GL Tomato firmware router as long as possible. The limited WAN bandwidth (30 Mbps) isn't an issue for me so far.
With this setup the guests are able to access the router's web page from within the new network. In my example (normal router address 192.168.39.1, 2nd router address 192.168.139.1) I want to block this page from the 192.168.139.x side. Tomato's normal access restriction page doesn't work with IP addresses. Any suggestions how to add this to the firewall rules with iptables?
@Jodur:
a rule like this as first iptables rule (above iptables -I INPUT -i vlan2 -j ACCEPT;) should do the trick:
iptables -I INPUT -i vlan2 -d 192.168.139.1 -p tcp --dport 80 -j DROP;
you may need a second rule if you also have https-access enabled (same as above but with 443 for dport). If you have changed the ports for the web interface you will have to adjust the port numbers for dport according to your setup.
(This isn't tested since I don't have the setup running anymore)
[…] Creating a separate guest network […]
Hi,
I would like to use this setup to connect my LAN to my neighbour's LAN. Same setup as in the tutorial, but switch port 4 should not access the internet but my internal LAN. So I have a 192.168.1.0 LAN on my side and a 10.10.10.0 LAN on port 4, with full access from port 4 to my internal LAN. My only problem is that I have no idea of iptables, so could someone help me out?
Thanks, Sven
The longer I look at comment no. 3, I think that would be what I want, except that I should add the state NEW to the third line:
iptables -I INPUT -i vlan2 -j ACCEPT;
# forward traffic between DMZ and LAN
iptables -I FORWARD -i br0 -o vlan2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i vlan2 -o br0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Anyone can confirm this?
Ok folks, just wanted to let you know it works.
Created the vlan2 just like stated above, added port 4.
Added IP to vlan2
Firewall, accept all Traffic between the 2 LANs.
iptables -I INPUT -i vlan2 -j ACCEPT;
# forward traffic between LAN 1 and LAN 2
iptables -I FORWARD -i br0 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o br0 -m state --state NEW -j ACCEPT
Skipped the DHCP part, as this is my neighbour's job. Seems to work fine.
Thanks!
Seiichiro/Anyone,
Could you better explain how to set up the wireless access point that connects to port 4?
I set port 4 to 192.168.2.1 on the Tomato router. I set the AP to 192.168.2.2 and turned off DHCP, as I assume port 4 is handling this. I then connected from a LAN port on the AP to port 4. If I connect a PC to another LAN port on the AP, everything works. I have internet access but cannot connect to the LAN of the first router. However, if I try to connect to the wireless, it takes a few minutes and then says "Limited or no connectivity" and I have no internet access. At first I set the wireless channels of the two routers to 10 and 11, but seeing the limited connectivity I changed this to channels 1 and 11. I have no idea why it is not working.
Please help, I can't connect wirelessly to my Guest Account.
Thanks.
This is Bob, ignore my previous post #55.
Sorry, everything works, even wireless. I tried using WEP security for an easier password and I guess I don't know how to use it. I switched to WPA2 with a longer password and the wireless works: I can access the internet but not the LAN.
Thanks for the tutorial!
[…] following guide […]
[…] David asks…Max transmit power for Linksys WRT54GL wireless-G router running Tomato firmware?I have Tomato 1.28 firmware installed on my Linksys WRT54GL router. The transmit power is set to its default: 42mW, but I want a better range for signal strength and want to increase it. What is the best mW […]
I would turn it up bit by bit until you're happy with the signal strength. Just setting it to max could end in reflections; it would be like shouting very loudly in a small room: it would be very loud, but that doesn't mean you can hear everything just fine.
Now Tomato does have a GUI for setting up guest wireless networks:
http://code.google.com/p/tomato-sdhc-vlan/wiki/MultiSSIDHOWTOForWRT54GL
Have fun!
[…] Creating a separate Guest Network with Tomato [Seiichiros HP] […]
"so to all my machines smb-shares"
Just because I allow someone to connect... I'm forced to give them access to all my machines' shares?
Awesome write up and works like a champ for me.
Could you please confirm that following the steps up to the “Configuring the Wireless Access Point” heading will separate just a single port into a different VLAN so I end up with a configuration where I can hook up infected machines to the internet without worrying the malware will spread to the rest of my network.