DD-WRT leading two separate networks (Asus RT-N16)

Shows how you can use a $75 consumer class router and dd-wrt to support 2 networks. It will create a secondary network for guests and visitors. Besides the usual primary network, it will create a secondary network supporting both wireless and wired connections. The secondary network could be used to provide internet access to customers or visitors.

The router is assumed to be flashed with open source DD-Wrt firmware. This firmware adds some business class features to your router. The router will be configured by taking advantage of two features that allow network traffic to be separated:

• VLANs, allows wired LAN ports to be grouped and each group to be treated differently.
• multiple SSIDs, allows multiple wireless network names (SSID) and security settings. The traffic over each SSID can be treated differently.

Before we start

The router is assumed to be running open source DD-Wrt firmware and configured for a single wired and wireless network. The router should also be configured for shell access (ssh) or telnet. Further, the reader should have a basic understanding of

• the web based user interface (WebGUI)
• networking concepts such as IP addresses, sub nets, routing, bridging and network interfaces. Some of the more specific terminology used in this article is:
  • A broadcast domain, is a network segment, in which all nodes can communicate directly by layer-2 broadcasts. Examples are a wired GigE network, or a wireless network.
  • A switch, handles frames at the data link layer (layer 2).
  • A router, handles packets at the network layer (layer 3). A router forms a boundary between broadcast domains.
  • A bridge, connects two or more network segments into a single broadcast domain (layer 2).
  • A virtual LAN (VLAN), creates distinct broadcast domains within one ore more physical networks. A VLAN is a switched network that is logically segmented by functions, project teams, or applications without regard to the physical location of users.

The configuration presented here has been tested on an Asus RT-N16 router running DD-Wrt mega build 15943. The approach outlined might also apply to other routers or builds, albeit with minor changes.

Inside the router

To create a secondary network, we need to separate the four LAN ports and create an virtual wireless network. The following section builds a basic understanding of the default data paths in the router. The following section describes how the software configuration

Hardware block diagram

Many consumer class routers are based on a chipset consisting of a IP switch and System-on-Chip. For example, the Asus RT-N16 router that is build around:

• System-on-Chip BCM4718, provides the CPU, WiFi and USB.
• Switch Fabric BCM53115, provides the WAN and four LAN ports

Other GigE routers such as the Cisco/Linksys E2000 or E3000 are very similar. I you have an Asus RT-AC68, refer to my updated post.

The block diagram above shows the data paths within the router. Note:

• the LAN port numbers on the case do not correspond to the port numbers on the switch;
• the WAN port connects to a special interface on the switch and can’t be reassigned;
• port 8 connects the VLAN trunk from the switch to interface eth0 on the CPU.

The switch tags incoming frames with a VLAN identifier. Frames arriving on the WAN port are tagged as VLAN2, while frames from the LAN ports are tagged as VLAN1. The frames destined for the CPU are sent on port 8.

The CPU receives the frames over port eth0. Frames with a VLAN2 tag are treated as WAN traffic. Frames with a VLAN1 tag are combined (bridged) with frames from the wireless module (eth1) and treated as LAN traffic.

Firmware mapping

The configuration for the DD-Wrt is stored in nonvolatile memory (nvram). The configuration can be shown as described in the DD-Wrt document Switched Ports. An excerpt:

The tagging configuration is stored in vlan#ports variables where ‘*’ symbolizes the default path. Note that the vlan0ports variable appears to be unused on GigE routers. For the switch to move frames outside of any vlan, it needs to include port 8. This allows the SoC to route the packet. The vlan with the default is used for packets that do not have a vlan tag (see here).

nvram show | grep vlan.*ports | sort
vlan0ports="1 2 3 4 5*"
vlan1ports="4 3 2 1 8*"
vlan2ports="0 8

An other important variable is port5vlans. It identifies every active VLAN plus the number 16 that indicates that tagging is enabled. The other variables appear only for the WebGUI.

nvram show | grep port.*vlan | sort
port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 16

Every active VLAN needs to have its name set to et0.

nvram show | grep vlan.*hwname | sort
vlan0hwname=et0
vlan1hwname=et0
vlan2hwname=et0

Creating to separate networks

To create a second network, we need to introduce an additional VLAN and an additional SSID for the wireless. The two can then be bridged together and given an unique subnet address. Before you start, I highly recommend making a backup of your current configuration.

Create a virtual wireless network (wl0.1)

Using a web browser, connect to the router and bring up the WebGUI.

1. Wireless > Virtual Interfaces > Add. Specify the basic wireless settings. For the network configuration, choose bridged. Click Save.
2. Wireless > Wireless Security > Virtual Interface wl0.1. Specify the security settings. Click Apply Settings, to save and apply the changes.

Create a virtual local area network (vlan3)

We will use the shell (ssh) interface to configure the VLANs (because the GUI on Broadcom based routers have some related bugs). Login using ssh, and run the following commands:

nvram set vlan3hwname=et0       # VLAN3 is enabled
nvram set vlan1ports="3 4 8*"   # assign LAN1/LAN2 to VLAN1
nvram set vlan3ports="1 2 8*"   # assign LAN3/LAN4 to VLAN3
nvram set port4vlans="1 18 19"  # LAN1 is part of VLAN1 (GUI only)
nvram set port3vlans="1 18 19"  # LAN2 is part of VLAN1 (GUI only)
nvram set port2vlans="3 18 19"  # LAN3 is part of VLAN3 (GUI only)
nvram set port1vlans="3 18 19"  # LAN4 is part of VLAN3 (GUI only)
nvram commit
reboot

Bridge vlan3 and wl0.1 (br1)

To make the new wired and wireless network to behave as one, we logically combine interfaces vlan3 and wl0.1 using a new bridge interface br1:

1. Bridge the vlan3 and wl0.1 interfaces together as br1
   • Setup > Networking > Bridging > Create Bridge > Add. Enter br1 in the first field and click Apply Settings.
   • Setup > Networking > Bridging > Create Bridge > For br1 enter a private IP address and subnet mask. E.g. 10.0.4.1 and 255.255.255.0. Click Apply Settings.
   • Setup > Networking > Assign to bridge > Add. Select br1, interface vlan3 (LAN3 and LAN4) and click Apply Settings.
   • Setup > Networking > Assign to bridge > Add. Select br1, interface wl0.1 (the virtual wireless interface) and click Apply Settings.
2. Configure the DHCP server for br1
   • Setup > Networking > DHCPD > Multiple DHCP Server > Add. Select br1 and fill in the first m maximum number of DHCP addresses and lease time in minutes. E.g. 200, 50 and 1440. Click Apply Settings.

Separate the networks

Now that we have the two networks up and running, it is time to separate them. The firewall rules listed below added to Administration > Commands > Save Firewall. If you use an USB memory stick, the rules can also be stored in an executable /jffs/etc/config/*.wanup script. Such a script runs automatically each time the WAN link and firewall are up (see Script Execution).

To restrict br1 from accessing br0 and visa versa,

iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

Optionally, to restrict br1 from accessing the management interface of the router.

iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

Test

To test the interfaces, configure a space computer interface for DHCP and connect it to each of the LAN ports. Then verify that the assigned IP address matches the subnet of the network. Do the same with the wireless networks.