DD-WRT is really amazing in all that it can do. I have grown much more fond of it over time. Recently, I decided that I wanted to completely segment my home network: multiple networks (some trusted, others completely untrusted), all configured through a single device. At first, one might assume this would take multiple firewalls, each blocking the traffic coming in from the others. DD-WRT can do it in one device, segmented by port.
Since I decided it was time to give my home network an overhaul, I decided it was time to upgrade to gigabit ethernet as well. I started looking for a device that would do all of this and could handle all the rules and traffic I could possibly throw at it. I came across the ASUS RT-N16: a Wireless N router with a 4-port gigabit switch, 32 MB ROM, 128 MB RAM, and… installing DD-WRT is a breeze (instructions). NOTE: This howto uses DD-WRT v24-sp2 mini.
Now, it took me a couple of tries to get the segmentation working right. I wanted to switch the WAN to vlan0, but every time I tried, something went wrong, so I ended up keeping it on vlan2 (where it was by default). I also decided to keep the trusted network on vlan1 and put the remaining networks on vlan12, vlan13, and vlan14 respectively. The wireless adapter is eth1. Next, you need to discover which port numbers in DD-WRT correspond to which “physical” port numbers on the router itself. Here is the mapping:
DD-WRT = Physical Port
0 = WAN
1 = 4
2 = 3
3 = 2
4 = 1
This is simply the order of the ports as seen from the back of the router, reading left to right.
Anyway, now that you have this mapping, you are ready to begin setting up your VLANs.
1.) Connect your computer to Physical LAN port 1 on the router. Log into the router via telnet and run these commands:
nvram set vlan0ports="0 8"
nvram set vlan1ports="4 8*"
nvram set vlan2ports="3 8*"
nvram set vlan3ports="2 8*"
nvram set vlan4ports="1 8*"
nvram set rc_startup='
# Give each isolated VLAN interface its own address. vlan2 stays the WAN,
# so the isolated interfaces are vlan12-14, matching the VLAN IDs assigned in step 2
ifconfig vlan12 192.168.12.1 netmask 255.255.255.0
ifconfig vlan13 192.168.13.1 netmask 255.255.255.0
ifconfig vlan14 192.168.14.1 netmask 255.255.255.0
ifconfig vlan12 up
ifconfig vlan13 up
ifconfig vlan14 up
'
nvram set rc_firewall='
# Note: -I inserts at the top of the chain, so each rule below lands above the one
# before it; at run time the DROPs are therefore checked before the ACCEPTs.
# Accept traffic from vlan12 to the router itself (DHCP, DNS)
iptables -I INPUT -i vlan12 -j ACCEPT
# Allow new outbound connections to be forwarded from vlan12 to vlan2 (WAN)
iptables -I FORWARD -i vlan12 -o vlan2 -m state --state NEW -j ACCEPT
# Disallow access to the router on vlan12 through the typical ports for management (telnet,ftp,ssh,http,https)
iptables -I INPUT -i vlan12 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
# Disallow anything on .12 (vlan12) from reaching the other networks
# (traffic routed between subnets passes through FORWARD, not INPUT)
iptables -I FORWARD -s 192.168.12.0/255.255.255.0 -d 192.168.11.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.12.0/255.255.255.0 -d 192.168.13.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.12.0/255.255.255.0 -d 192.168.14.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.12.0/255.255.255.0 -d 192.168.15.0/255.255.255.0 -j DROP
# Disallow anything on the bridge interface (trusted LAN) from reaching vlan12
iptables -I FORWARD -i br0 -o vlan12 -j logdrop
# vlan13: same policy
iptables -I INPUT -i vlan13 -j ACCEPT
iptables -I FORWARD -i vlan13 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan13 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I FORWARD -s 192.168.13.0/255.255.255.0 -d 192.168.11.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.13.0/255.255.255.0 -d 192.168.12.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.13.0/255.255.255.0 -d 192.168.14.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.13.0/255.255.255.0 -d 192.168.15.0/255.255.255.0 -j DROP
iptables -I FORWARD -i br0 -o vlan13 -j logdrop
# vlan14: same policy
iptables -I INPUT -i vlan14 -j ACCEPT
iptables -I FORWARD -i vlan14 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan14 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I FORWARD -s 192.168.14.0/255.255.255.0 -d 192.168.11.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.14.0/255.255.255.0 -d 192.168.12.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.14.0/255.255.255.0 -d 192.168.13.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.14.0/255.255.255.0 -d 192.168.15.0/255.255.255.0 -j DROP
iptables -I FORWARD -i br0 -o vlan14 -j logdrop
'
# Write the settings to flash so they survive a reboot
nvram commit
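The rule set above is the same eight-rule policy repeated per network, which is where copy-paste slips creep in. The script below is an added example (not from the original post) that generates the policy from a list of guest networks; it assumes, as in the post, WAN on vlan2, the trusted LAN on br0 (192.168.11.0/24), and guests vlan12-14 plus the wireless bridge br1 on 192.168.12-15.0/24.

```shell
#!/bin/sh
# Added example: generate the per-network isolation rules of the HOWTO from a list
# of guest networks so every guest gets the same policy and no subnet pair is missed.
# Assumptions (as in the post): WAN=vlan2, trusted LAN=br0, guests below.
WAN=vlan2
TRUSTED=br0
GUESTS="vlan12:192.168.12.0/24 vlan13:192.168.13.0/24 vlan14:192.168.14.0/24 br1:192.168.15.0/24"
LANS="192.168.11.0/24 192.168.12.0/24 192.168.13.0/24 192.168.14.0/24 192.168.15.0/24"

# guest_rules IFACE SUBNET -> prints the iptables commands for one guest network.
# Like the post, the commands use -I (insert at the top), so each one lands above
# the previous: ACCEPTs are printed first and DROPs last, which makes the DROPs
# match first at run time. Keep that order if you edit the template.
guest_rules() {
  ifc=$1; net=$2
  echo "# --- $ifc ($net): router services and Internet only ---"
  echo "iptables -I INPUT -i $ifc -j ACCEPT"
  echo "iptables -I FORWARD -i $ifc -o $WAN -m state --state NEW -j ACCEPT"
  echo "iptables -I INPUT -i $ifc -p tcp -m multiport --dports 21,22,23,80,443 -j DROP"
  for other in $LANS; do
    [ "$other" = "$net" ] && continue   # a network may of course talk to itself
    echo "iptables -I FORWARD -s $net -d $other -j DROP"
  done
  echo "iptables -I FORWARD -i $TRUSTED -o $ifc -j logdrop"
}

# all_guest_rules -> the complete rc_firewall body for every entry in GUESTS
all_guest_rules() {
  for g in $GUESTS; do
    guest_rules "${g%%:*}" "${g#*:}"
  done
}

# Stand-alone use: print the rules, review them, then store them on the router with
#   nvram set rc_firewall="$(sh thisscript.sh)" && nvram commit
all_guest_rules
```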
2.) Log in to the web interface for DD-WRT. Go to Setup -> VLANs. Set up the ports in this manner:
VLAN 1 = 1 checked, LAN
VLAN 2 = W checked, None
VLAN 12 = 2 checked, None
VLAN 13 = 3 checked, None
VLAN 14 = 4 checked, None
3.) Go to Setup -> Networking. Verify that the WAN port is set to vlan2.
4.) Go to Services -> Services. Copy the following into “Additional DNSMasq Options”:
5.) Go to Setup -> Basic Setup.
Change Local IP Address to 192.168.11.1
Click Save. Apply the Settings (this should reboot the router).
How To Set Up Unbridged Wireless
This was a bit tricky. I followed several HOWTOs until I found one that actually worked. Here’s what I did:
1.) In the web interface, go to Wireless -> Basic Settings. Make sure Network Configuration is set to Bridged.
2.) Go to Setup -> VLANs. Make sure Wireless is set to LAN.
3.) Set up a new bridge for wireless. Go to Setup -> Networking. Add a bridge called br1. IP Address: 192.168.15.1, Subnet Mask: 255.255.255.0.
Click Save and Apply Settings.
Assign the new bridge br1 to interface eth1. Apply Settings.
4.) Go to Services -> Services.
Add the following under DNSMasq to set up DHCP:
Save and Apply Settings.
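Both DNSMasq steps (step 4 of the VLAN section for vlan12-14, and step 4 here for br1) need one DHCP scope per isolated interface. The script below is an added example, not from the original post, that prints those lines for the “Additional DNSMasq Options” box; it assumes DD-WRT is using DNSMasq for DHCP, a pool of .100-.150 with a 24h lease, and a dnsmasq new enough for the set:/tag: keywords (older releases accepted the net: prefix instead).

```shell
#!/bin/sh
# Added example: emit the dnsmasq DHCP stanza for one isolated interface. The pool
# (.100-.150, 24h) is an assumption; the router's own address on that interface is
# handed out as gateway (option 3) and DNS server (option 6).
dhcp_stanza() {
  ifc=$1; net=$2            # e.g. vlan12 192.168.12
  # DD-WRT already lists interface=br0; this adds the isolated interface to it
  echo "interface=$ifc"
  # dnsmasq picks the range by the interface's own subnet; set: tags its leases
  echo "dhcp-range=set:$ifc,$net.100,$net.150,255.255.255.0,24h"
  echo "dhcp-option=tag:$ifc,3,$net.1"   # default gateway for that tag
  echo "dhcp-option=tag:$ifc,6,$net.1"   # DNS server for that tag
}

# all_dhcp_options -> the complete box contents for the four networks in the post
all_dhcp_options() {
  dhcp_stanza vlan12 192.168.12
  dhcp_stanza vlan13 192.168.13
  dhcp_stanza vlan14 192.168.14
  dhcp_stanza br1    192.168.15
}

all_dhcp_options
```

Hosts on an isolated network still need the router's INPUT chain to accept their DHCP and DNS requests, which is what the per-interface INPUT ACCEPT rule in rc_firewall provides.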
5.) Now set up the iptables rules that keep the wireless network (br1) from talking to the other networks:
# Add these to rc_firewall alongside the VLAN rules above
iptables -I INPUT -i br1 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
# Traffic routed between subnets passes through FORWARD, not INPUT
iptables -I FORWARD -s 192.168.15.0/255.255.255.0 -d 192.168.11.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.15.0/255.255.255.0 -d 192.168.12.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.15.0/255.255.255.0 -d 192.168.13.0/255.255.255.0 -j DROP
iptables -I FORWARD -s 192.168.15.0/255.255.255.0 -d 192.168.14.0/255.255.255.0 -j DROP
# Keep the trusted LAN from reaching the wireless network, as for the VLANs above
iptables -I FORWARD -i br0 -o br1 -j logdrop
Now you have a router that segments each port (and WiFi) into its own network. Enjoy!
NOTES: I used A LOT of resources to construct this HOWTO, most of which were on DD-WRT’s Wiki (which is just an absolutely awesome site with almost anything you could want to know about DD-WRT). However, A LOT of this was still trial by fire.
1.) V24: WLAN separate from LAN, with independent DHCP
2.) Multiple WLANs
3.) VLAN Detached Networks (Separate Networks With Internet)
4.) Iptables command – Deny access to a specific Subnet
5.) Preventing Brute Force Attacks
6.) DD-WRT – Setting up a separate / isolated VLAN on Port 4 with DHCP
7.) Routers that will and won’t support VLAN