DD-WRT is really amazing in all that it can do. I have grown much more fond of it over time. Recently, I decided that I wanted to completely segment my home network. I wanted to have multiple networks (some trusted, others completely untrusted) that could be configured through a single device. At first, one would assume that this would take multiple firewalls, each blocking incoming traffic from the others. DD-WRT can do it in one device, segmented by port.
Since I decided it was time to give my home network an overhaul, I decided that it was time to upgrade to gigabit ethernet as well. I started looking for a device that would do all of this and could handle all the rules and traffic that I could possibly throw at it. I came across the ASUS RT-N16: Wireless N Router with a 4 port gigabit switch, 32 MB ROM, 128 MB RAM, and… installing DD-WRT is a breeze (instructions). NOTE: This howto uses DD-WRT v24-sp2 mini
Now, it took me a couple of tries to get the segmentation working right. I wanted to switch the WAN to vlan0, but every time I tried doing that, something went wrong, so I ended up keeping it on vlan2 (which is where it was by default). Also, I decided to keep the trusted network on vlan1 and the rest of the networks on vlan12, vlan13, and vlan14 respectively. The wireless adapter is eth1. Now, you need to discover which port numbers in DD-WRT correspond to which “physical” port numbers on the router itself. Here is the mapping:
DD-WRT = Physical Port
0 = WAN
1 = 4
2 = 3
3 = 2
4 = 1
This actually corresponds to the order that you see the ports if looking at the back of the router and reading the ports from left to right.
Anyway, now that you have this mapping, you are ready to begin setting up your VLANs.
1.) Connect your computer to Physical LAN port 1 on the router. Log into the router via telnet and run these commands:
# Port assignment, using DD-WRT port numbers (see the mapping above) and the VLAN IDs chosen for this design:
# vlan1 = trusted LAN (physical port 1), vlan2 = WAN, vlan12/13/14 = physical ports 2/3/4. Port 8 is the CPU.
nvram set vlan2ports="0 8"
nvram set vlan1ports="4 8*"
nvram set vlan12ports="3 8*"
nvram set vlan13ports="2 8*"
nvram set vlan14ports="1 8*"
nvram set rc_startup='
# Give each isolated VLAN interface its own /24; vlan1 (br0, 192.168.11.1) and vlan2 (WAN) are left to DD-WRT
ifconfig vlan12 192.168.12.1 netmask 255.255.255.0
ifconfig vlan13 192.168.13.1 netmask 255.255.255.0
ifconfig vlan14 192.168.14.1 netmask 255.255.255.0
ifconfig vlan12 up
ifconfig vlan13 up
ifconfig vlan14 up
'
nvram set rc_firewall='
# ---- vlan12 (192.168.12.0/24) ----
# Accept traffic into vlan12
iptables -I INPUT -i vlan12 -j ACCEPT
# Allow new connections to be forwarded from vlan12 to vlan2 (WAN)
iptables -I FORWARD -i vlan12 -o vlan2 -m state --state NEW -j ACCEPT
# Disallow access to the router from vlan12 on the typical management ports (ftp, ssh, telnet, http, https)
iptables -I INPUT -i vlan12 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
# Disallow anything on .12 (vlan12) from communicating with the other networks.
# Traffic routed between VLANs passes through FORWARD; INPUT only sees packets addressed to the router
# itself, so the isolation rules have to live in FORWARD. 192.168.15.0/24 is the wireless bridge br1 set up below.
iptables -I FORWARD -s 192.168.12.0/255.255.255.0 -d 192.168.11.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.12.0/255.255.255.0 -d 192.168.13.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.12.0/255.255.255.0 -d 192.168.14.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.12.0/255.255.255.0 -d 192.168.15.0/255.255.255.0 -j DROP
# Disallow anything on the bridge interface (trusted LAN) from communicating with vlan12
iptables -I FORWARD -i br0 -o vlan12 -j logdrop
# ---- vlan13 (192.168.13.0/24): same pattern ----
iptables -I INPUT -i vlan13 -j ACCEPT
iptables -I FORWARD -i vlan13 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan13 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I FORWARD -s 192.168.13.0/255.255.255.0 -d 192.168.11.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.13.0/255.255.255.0 -d 192.168.12.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.13.0/255.255.255.0 -d 192.168.14.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.13.0/255.255.255.0 -d 192.168.15.0/255.255.255.0 -j DROP
iptables -I FORWARD -i br0 -o vlan13 -j logdrop
# ---- vlan14 (192.168.14.0/24): same pattern ----
iptables -I INPUT -i vlan14 -j ACCEPT
iptables -I FORWARD -i vlan14 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan14 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I FORWARD -s 192.168.14.0/255.255.255.0 -d 192.168.11.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.14.0/255.255.255.0 -d 192.168.12.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.14.0/255.255.255.0 -d 192.168.13.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.14.0/255.255.255.0 -d 192.168.15.0/255.255.255.0 -j DROP
iptables -I FORWARD -i br0 -o vlan14 -j logdrop
'
# Write the settings to flash so they survive a reboot
nvram commit
2.) Log in to the web interface for DD-WRT. Go to Setup –> VLANs. Set up the ports in this manner:
VLAN 1 = 1 checked, LAN
VLAN 2 = W checked, None
VLAN 12 = 2 checked, None
VLAN 13 = 3 checked, None
VLAN 14 = 4 checked, None
3.) Go to Setup –> Networking. Verify that the WAN port is set to vlan2.
4.) Go to Services –> Services. Copy the following into “Additional DNSMasq Options”:
5.) Go to Setup –> Basic Setup
Change Local IP Address to 192.168.11.1
Click Save. Apply the Settings (this should reboot the router).
How To Set Up Unbridged Wireless
This was a bit tricky. I followed several HOWTOs until I found one that actually worked. Here’s what I did:
1.) In the Web Interface, go to Wireless –> Basic Settings. Make sure Network Configuration is set to Bridged.
2.) Go to Setup –> VLANs. Make sure Wireless is set to LAN.
3.) Set up a new bridge for wireless. Go to Setup –> Networking. Add a bridge called br1. IP Address: 192.168.15.1, Subnet Mask: 255.255.255.0.
Click Save and Apply Settings.
Assign the new bridge br1 to interface eth1. Apply Settings.
4.) Go to Services –> Services.
Add the following under DNSMasq to set up DHCP:
Save and Apply Settings.
5.) Now you need to set up the iptables rules that prevent the wireless network from talking to the other networks.
# Add these to the rc_firewall script from step 1.
# Disallow access to the router from the wireless bridge on the management ports
iptables -I INPUT -i br1 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
# Disallow anything on .15 (br1) from communicating with the other networks.
# INPUT only sees packets addressed to the router itself; traffic routed between networks passes through FORWARD.
iptables -I FORWARD -s 192.168.15.0/255.255.255.0 -d 192.168.11.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.15.0/255.255.255.0 -d 192.168.12.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.15.0/255.255.255.0 -d 192.168.13.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.15.0/255.255.255.0 -d 192.168.14.0/255.255.255.0 -j DROP
Now you have a router that segments each port (and WIFI) into its own network. Enjoy!
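A way to check what a ruleset like this actually does before committing it to the router, as an added example that is not part of the original post: a small Python model of iptables first-match evaluation, run on a workstation against a constructed excerpt of the vlan12 rules. It assumes a DROP policy on both chains (pass the real one from iptables -L) and that packets addressed to the router's own IPs go to INPUT while everything else is routed through FORWARD.

```python
import ipaddress

# Constructed excerpt of the rc_firewall rules in this post (the vlan12 section).
RULES = """
iptables -I INPUT -i vlan12 -j ACCEPT
iptables -I FORWARD -i vlan12 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan12 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I FORWARD -s 192.168.12.0/255.255.255.0 -d 192.168.11.0/255.255.255.0 -j DROP
iptables -I FORWARD -i br0 -o vlan12 -j logdrop
"""
# Addresses the router itself owns: only packets sent TO these traverse INPUT.
ROUTER_IPS = {"192.168.11.1", "192.168.12.1"}

def parse_rule(line):
    """Parse one 'iptables -I CHAIN ...' line; every flag takes one argument, -m/--state are ignored."""
    toks = line.split()
    rule = {"chain": toks[2]}
    for flag, arg in zip(toks[3::2], toks[4::2]):
        if flag in ("-s", "-d"):
            rule[flag] = ipaddress.ip_network(arg, strict=False)
        elif flag == "--dports":
            rule[flag] = {int(p) for p in arg.split(",")}
        elif flag in ("-i", "-o", "-p", "-j"):
            rule[flag] = arg
    return rule

def load(script):
    """-I inserts at the head of the chain, so later lines are checked first."""
    chains = {"INPUT": [], "FORWARD": []}
    for rule in map(parse_rule, script.strip().splitlines()):
        chains[rule["chain"]].insert(0, rule)
    return chains

def matches(rule, pkt):
    for key in ("-i", "-o", "-p"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("-s", "-d"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    return "--dports" not in rule or pkt.get("dport") in rule["--dports"]

def verdict(chains, pkt, policy="DROP"):
    """Return (chain, target). logdrop is DD-WRT's log-then-DROP chain; the policy is an assumption."""
    chain = "INPUT" if pkt["-d"] in ROUTER_IPS else "FORWARD"
    for rule in chains[chain]:
        if matches(rule, pkt):
            return chain, "DROP" if rule["-j"] == "logdrop" else rule["-j"]
    return chain, policy
```

Feeding it a subnet rule written against INPUT shows why that placement does not isolate anything: a forwarded packet never enters INPUT, so the verdict falls through to the chain policy.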
NOTES: I used A LOT of resources to construct this HOWTO, most of which were on DD-WRT’s Wiki (which is just an absolutely awesome site with almost anything you could want to know about DD-WRT). However, A LOT of this was still trial by fire.
1.) V24: WLAN separate from LAN, with independent DHCP
2.) Multiple WLANs
3.) VLAN Detached Networks (Separate Networks With Internet)
4.) Iptables command – Deny access to a specific Subnet
5.) Preventing Brute Force Attacks
6.) DD-WRT – Setting up a separate / isolated VLAN on Port 4 with DHCP
7.) Routers that will and won’t support VLAN
8 thoughts on “Segmenting your network on an ASUS RT-N16 using DD-WRT”
Amazing! I was just about to order one of these units for a business with about 20 computers. They wanted to separate the computers up front onto their own network, but not allow them to touch the computers in the back office. They also wanted to setup the QoS so that the front computers don’t hog all the bandwidth. This is the EXACT tutorial I was looking for!!!
Thanks for the help!
This doesn’t work on recent models. The router comes up but can be accessed. IP address is assigned to the computer of 169.254.48.43. No idea what it’s doing. BTW, haven’t even touched the wireless stuff yet.
Looks like I’m going to have to reset it and try something else.
First, thank you Christopher K. for this blog!
Secondly, I wonder if remo, above, hit the same wall as me. All of Christopher’s steps worked well on my new ASUS RT-N16 router today, Dec 11, 2012, until I attempted to implement the “How to setup unbridged wireless” portion. Had to reset (30 secs press of Reset with power on…seems like I had to disconnect from the WAN router first or was it that I had to power off/on the WAN router, not certain which but there was some trick I pulled to get back to square one).
To setup wireless portion just follow instructions at http://www.dd-wrt.com/wiki/index.php/Separate_Lan_and_WLan
Some tips for the newbies:
1) Do an Administration | Backup often. Particularly before you start playing around! You’ll appreciate having these after a reset if you have to do one.
2) You can copy/paste the commands from these pages into Telnet on a Windows system. The iptables commands use 2 dashes prior to the “state” and “dports” options, which did not copy well and had to be fixed manually in Telnet before execution.
Been meaning to come back to this blog and update. I did run into some other issues. Can’t recall what. However, there are now nice HowTos at the dd-wrt wiki (and noted in the Resources links above) which show you how to segment both wired and wireless (as in an additional virtual wireless Vlan) via the GUI in v24 and above.
This is a great how to but I’m having the same issue with pulling a 169.XX.XX.XX IP address from the VLAN ports. My thought is that it has to do with the build of DD-WRT you used. What is the exact build? I know you used DD-WRT v24-sp2 mini but I’d like to know the Build number (i.e. 18024, 14929, etc.) I think if we used the same exact build as you did it may work. Thanks!
I can’t remember the exact build. I actually don’t even have this router anymore. I sold it awhile back. Sorry.