Creating VLANs in DD-WRT (Part 2)

In the first part of this post I created some VLANs on my NetGear WNR3500L router that I've flashed with DD-WRT firmware. In this second part of the post I will be assigning IP address ranges to those VLANs and configuring the router's firewall.

I want the VLANs that I set up previously to use separate IP address ranges. To do this it's back into the telnet session to enter the following command:

[text]nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
ifconfig vlan6 192.168.6.254 netmask 255.255.255.0
ifconfig vlan7 192.168.7.254 netmask 255.255.255.0
ifconfig vlan8 192.168.8.254 netmask 255.255.255.0
ifconfig vlan9 192.168.9.254 netmask 255.255.255.0
ifconfig vlan10 192.168.10.254 netmask 255.255.255.0
ifconfig vlan11 192.168.11.254 netmask 255.255.255.0
ifconfig vlan12 192.168.12.254 netmask 255.255.255.0
ifconfig vlan13 192.168.13.254 netmask 255.255.255.0
ifconfig vlan14 192.168.14.254 netmask 255.255.255.0
ifconfig vlan15 192.168.15.254 netmask 255.255.255.0

ifconfig vlan6 up
ifconfig vlan7 up
ifconfig vlan8 up
ifconfig vlan9 up
ifconfig vlan10 up
ifconfig vlan11 up
ifconfig vlan12 up
ifconfig vlan13 up
ifconfig vlan14 up
ifconfig vlan15 up
'
nvram commit[/text]

(There is actually a way to do this step through the router’s GUI too.)

Run nvram commit so that the variable is written to flash (an nvram set on its own only changes the copy in RAM and is lost at the next reboot), then reboot the router again for the changes to take effect.

The final configuration that needs to be made is to the internal firewall of the router. With all of these new interfaces created, we need to define some rules to permit (or deny) traffic between them.

Now I could have just turned the firewall off but that wouldn’t be a very good idea. Instead I modified the rules. For a single VLAN (VLAN 6 for example) the following commands were required:

[text]iptables -I INPUT -i vlan6 -j ACCEPT
iptables -I FORWARD -i vlan6 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o ppp0 -m state --state NEW -j ACCEPT[/text]

The first line allows all traffic from VLAN6 to the router itself (DHCP and DNS, but also the router's web, SSH and telnet administration interfaces, so it trusts everything on that VLAN). The second line allows VLAN6 to open connections to the default LAN network (VLAN1, which is bridged as br0). The final line allows VLAN6 to open connections out of the WAN interface (internet). Only NEW connections need accepting because DD-WRT's default firewall already accepts the ESTABLISHED,RELATED return traffic, and -I inserts each rule at the top of its chain so it takes precedence over the default rules.

There are two ways of applying these rules. The first is by executing the following on the router’s telnet interface:

[text]nvram set rc_firewall='
iptables -I INPUT -i vlan6 -j ACCEPT
iptables -I FORWARD -i vlan6 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o ppp0 -m state --state NEW -j ACCEPT'
nvram commit[/text]

The other method is to use the GUI. Under Administration >> Commands there is a text area to enter the commands. Click the "Save Firewall" button to have the commands saved and run at every boot of the router. Additionally you can click the "Run Commands" button to execute them immediately. (Bear in mind though that commands run immediately are not persistent across a reboot.)

I thought that would sort everything out so I made the same changes for all of the VLANs. However, when it came to using those VLANs I discovered that although they could "talk" to the internet and to wireless clients, they could not "talk" to each other. This meant a revision to the firewall rules that I set out above was required.

Whilst working out what I needed, I discovered that iptables treats a trailing + in an interface name as a wildcard (vlan+ matches every interface whose name starts with "vlan"), so what I wanted to achieve could be done in just 4 lines:

[text]iptables -I INPUT -i vlan+ -j ACCEPT
iptables -I FORWARD -i vlan+ -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan+ -o vlan+ -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan+ -o ppp0 -m state --state NEW -j ACCEPT[/text]

Line 1 accepts input from any of the VLAN interfaces into the router.

Line 2 allows any traffic coming from the VLAN interfaces to access the bridge (this is connected to the RJ45 ports and the wireless)

Line 3 allows traffic to come from any VLAN and go to any VLAN (this was the rule I was missing the first time around)

Line 4 allows traffic coming from any of the VLANs to go to the internet.

However, a quick word on the internet (WAN) interface, ppp0, and security in general. The WNR3500L router does not have an ADSL modem in it; I have a separate one of those (a Draytek Vigor 120). The WAN for my environment is therefore configured using PPPoE, and hence the WAN interface gets called ppp0. Because the PPPoE session is carried over the physical WAN VLAN, no IP traffic from the internet ever arrives on a vlan interface, which is why the vlan+ wildcard above was safe for me. If you use this router with cable broadband (e.g. Virgin Media) the WAN will usually be a plain DHCP interface, and on DD-WRT builds for Broadcom routers such as this one that interface is normally vlan2, which vlan+ matches. Not only will you have to adjust the rules above accordingly, you need to make sure that you don't inadvertently open up a gaping security hole: with a vlan2 WAN, line 1 would accept every packet from the internet into the router itself (administration interfaces included) and line 3 would forward new connections between the WAN and every VLAN in both directions.

This is why it might be best to put the following rules into the router instead of the ones above:

[text]iptables -I INPUT -i vlan6 -j ACCEPT
iptables -I FORWARD -i vlan6 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan7 -j ACCEPT
iptables -I FORWARD -i vlan7 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan7 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan8 -j ACCEPT
iptables -I FORWARD -i vlan8 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan8 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan9 -j ACCEPT
iptables -I FORWARD -i vlan9 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan9 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan10 -j ACCEPT
iptables -I FORWARD -i vlan10 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan10 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan11 -j ACCEPT
iptables -I FORWARD -i vlan11 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan11 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan12 -j ACCEPT
iptables -I FORWARD -i vlan12 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan12 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan13 -j ACCEPT
iptables -I FORWARD -i vlan13 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan13 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan14 -j ACCEPT
iptables -I FORWARD -i vlan14 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan14 -o vlan+ -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan15 -j ACCEPT
iptables -I FORWARD -i vlan15 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan15 -o vlan+ -m state --state NEW -j ACCEPT[/text]

Whilst it's not as elegant a solution as the one with the wildcards, it is more specific and hence more secure, and as I'm not an iptables expert I'm going for the safer option. Note that in the above example I've only given VLAN6 access to the ppp0 (internet / WAN) interface. One wildcard remains, the -o vlan+ in the inter-VLAN rules: if your WAN interface is itself a vlan interface (vlan2 in the cable case), those rules would also let every VLAN out to the internet, so in that situation write them out per destination (-o vlan7, -o vlan8, and so on) instead.
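Typing out three rules per VLAN by hand is where mistakes creep in, so here is an added example (my own script, not part of the original post or of DD-WRT) that generates the startup and firewall commands from a list of VLAN IDs. It writes no interface wildcards at all, so a WAN that happens to be called vlan2 can never be matched by accident, it only gives internet access to the VLANs named in WAN_ALLOWED, and VLANs outside MGMT_ALLOWED get DHCP, DNS and ping from the router rather than full access to its administration interfaces. The variable names VLANS, LAN_BR, WAN_IF, WAN_ALLOWED and MGMT_ALLOWED and the function names are assumptions made for this example; it runs on any POSIX shell and prints commands rather than executing iptables, so it can be run on a PC before anything touches the router.

```shell
#!/bin/sh
# Added example, not from the original post: generate the per-VLAN startup
# and firewall commands from a list instead of typing them out by hand.
# The variable names below are this example's own assumptions:
#   VLANS        VLAN IDs created in part 1 (interface vlanN, subnet 192.168.N.0/24)
#   LAN_BR       the default LAN bridge (br0 on the author's router)
#   WAN_IF       the WAN interface: ppp0 for PPPoE, often vlan2 for a cable/DHCP WAN
#   WAN_ALLOWED  VLANs permitted to open connections to the internet
#   MGMT_ALLOWED VLANs permitted to reach every service on the router itself
VLANS="6 7 8 9 10 11 12 13 14 15"
LAN_BR="br0"
WAN_IF="ppp0"
WAN_ALLOWED="6"
MGMT_ALLOWED="6"

# in_list WORD LIST: succeed if WORD is one of the space-separated words in LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# wildcard_rules_safe IFACE: succeed only if a rule written with "vlan+" can
# never match IFACE. Check this before saving the 4-line wildcard rule set.
wildcard_rules_safe() {
    case "$1" in
        vlan*) return 1 ;;
    esac
    return 0
}

# gen_startup: the rc_startup body, one ifconfig per VLAN (vlanN -> 192.168.N.254).
gen_startup() {
    for v in $VLANS; do
        echo "ifconfig vlan$v 192.168.$v.254 netmask 255.255.255.0 up"
    done
}

# gen_firewall: the rc_firewall body. No interface wildcards are used, so a
# WAN called vlan2 is never matched; inter-VLAN forwarding is written out
# pair by pair and WAN access is only granted to the VLANs in WAN_ALLOWED.
gen_firewall() {
    for v in $VLANS; do
        if in_list "$v" "$MGMT_ALLOWED"; then
            echo "iptables -I INPUT -i vlan$v -j ACCEPT"
        else
            # Untrusted VLANs only get DHCP, DNS and ping from the router;
            # the web/SSH/telnet admin ports stay behind the default policy.
            echo "iptables -I INPUT -i vlan$v -p udp --dport 67 -j ACCEPT"
            echo "iptables -I INPUT -i vlan$v -p udp --dport 53 -j ACCEPT"
            echo "iptables -I INPUT -i vlan$v -p tcp --dport 53 -j ACCEPT"
            echo "iptables -I INPUT -i vlan$v -p icmp -j ACCEPT"
        fi
        echo "iptables -I FORWARD -i vlan$v -o $LAN_BR -m state --state NEW -j ACCEPT"
        for d in $VLANS; do
            [ "$d" = "$v" ] && continue
            echo "iptables -I FORWARD -i vlan$v -o vlan$d -m state --state NEW -j ACCEPT"
        done
        if in_list "$v" "$WAN_ALLOWED"; then
            echo "iptables -I FORWARD -i vlan$v -o $WAN_IF -m state --state NEW -j ACCEPT"
        fi
    done
}

# Usage on the router (telnet/SSH) after pasting the script in:
#   nvram set rc_startup="$(gen_startup)"; nvram set rc_firewall="$(gen_firewall)"; nvram commit
# or run it on a PC and paste the output into Administration >> Commands.
gen_firewall
```

The inter-VLAN section is deliberately verbose (90 rules for ten VLANs) because every rule names both interfaces explicitly; that is the price of not relying on vlan+ when the WAN might be a vlan interface. To isolate a VLAN completely, drop it from WAN_ALLOWED and MGMT_ALLOWED and remove it from the inner loop's destinations.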

That’s just the simple firewall changes that can be made. More complex setups can be achieved but you need to know what you’re doing. There’s an introduction to IPTABLES that can be found on the DD-WRT site.

That’s it for the router's configuration. In the third and final part of the post I describe how the VLANs are defined on the Cisco SLM2008 switches that I have connected to the router.