DD-WRT leading two separate networks (Asus RT-AC68)

This post shows how a $180 consumer class router can support two different networks. Besides the usual primary network, it will create a secondary network supporting both wireless and wired connections. The secondary network could be used to provide internet access to customers or visitors. The secondary network consists of a 2.4G and 5G radios and two LAN ports. If you only need one radio, you should read Ric’s article instead.seperate-networks2

The router is assumed to be flashed with open source DD-Wrt firmware. This firmware adds some business class features to your router. The configuration will take advantage of two features that allow network traffic to be separated:

  • VLANs, allows wired LAN ports to be grouped and each group to be treated differently.
  • multiple SSIDs, allows multiple wireless network names (SSID) and security settings. The traffic over each SSID can be treated differently.

Before we start

The router is assumed to be running open source DD-Wrt firmware and configured for a single wired and wireless network. The router should also be configured for shell access (ssh) or telnet. Further, the reader should have a basic understanding of

  • the web based user interface (WebGUI)
  • networking concepts such as IP addresses, sub nets, routing, bridging and network interfaces. Some of the more specific terminology used in this article is:
    • A broadcast domain, is a network segment, in which all nodes can communicate directly by layer-2 broadcasts. Examples are a wired GigE network, or a wireless network.
    • A switch, handles frames at the data link layer (layer 2).
    • A router, handles packets at the network layer (layer 3). A router forms a boundary between broadcast domains.
    • A bridge, connects two or more network segments into a single broadcast domain (layer 2).
    • A virtual LAN (VLAN), creates distinct broadcast domains within one ore more physical networks. A VLAN is a switched network that is logically segmented by functions, project teams, or applications without regard to the physical location of users.

The configuration presented here has been tested on an Asus RT-AC68U router running DD-Wrt kongac build 23770M . For the Asus RT-N16 refer to my older article. The approach outlined might also apply to other routers or builds, albeit with minor changes.

Inside the router

To create a secondary network, we need to separate the four LAN ports and create an virtual wireless network. The following section builds a basic understanding of the default data paths in the router. The following section describes how the software configuration

Hardware block diagram

The Asus RT-AC68U router that is build around:

  • System-on-Chip BCM4708, provides the CPU, USB, WAN port and four LAN ports
  • Wireless NIC BCM4360, provides the radio transceiver

This GigE routers has the port number assigned as illustrated below.

RT-AC68-block-before
RT-AC58 block before

The block diagram above shows the data paths within the router. Note:

  • the LAN port numbers on the case may not correspond to the port numbers on the switch;
  • the WAN port connects to a special interface on the switch and can’t be reassigned;
  • port 5 connects the VLAN trunk from the switch to interface eth0 on the CPU.

The switch tags incoming frames with a VLAN identifier. Frames arriving on the WAN port are tagged as VLAN2, while frames from the LAN ports are tagged as VLAN1. The frames destined for the CPU are sent on CPU internal port 5.

The CPU receives the frames over port eth0. Frames with a VLAN2 tag are treated as WAN traffic. Frames with a VLAN1 tag are combined (bridged) with frames from the wireless module (eth1) and treated as LAN traffic.

Firmware mapping

The configuration for the DD-Wrt is stored in nonvolatile memory (nvram). The configuration can be shown as described in the DD-Wrt document Switched Ports. An excerpt:

The tagging configuration is stored in vlan#ports variables where ‘*’ symbolizes the default path. Note that the vlan0ports variable is unused on GigE routers. For the switch to move frames outside of any vlan, it needs to include port 5. This allows the SoC to route the packet. The vlan with the default is used for packets that do not have a vlan tag (see here). SSH/Telnet into the router and: nvram show | grep vlan.*ports | sort vlan1ports=1 2 3 4 5* vlan2ports=0 5

An other important variable is port5vlans. It identifies every active VLAN plus the number 16 that indicates that tagging is enabled. The other variables appear only for the WebGUI. nvram show | grep port.*vlan | sort port0vlans=2 port1vlans=1 port2vlans=1 port3vlans=1 port4vlans=1 port5vlans=1 2 16

Every active VLAN needs to have its name set to et0. nvram show | grep vlan.*hwname | sort vlan1hwname=et0 vlan2hwname=et0

Creating to separate networks

To create a second network, we need to introduce an additional VLAN and an additional SSID for the wireless. The two can then be bridged together and given an unique subnet address. Before you start, I highly recommend making a backup of your current configuration.

RT-AC68-block-after
RT-AC68 block after

Create a virtual wireless network (wl0.1, wl1.1)

Using a web browser, connect to the router and bring up the WebGUI.

  1. Create the WiFi virtual interfaces
    • Wireless » wl0 » Virtual Interfaces
      • Click Add
        • Specify the basic wireless settings.
        • For the network configuration, choose bridged.
        • Do not select Network Isolation
        • Click Save.
    • Wireless » wl1 » Virtual Interfaces
      • Click Add
        • Specify the basic wireless settings.
        • For the network configuration, choose bridged.
        • Do not select Network Isolation
        • Click Save.
  2. Set the WiFi security for the virtual interfaces
    • Wireless » Wireless Security » Virtual Interface wl0.1
      • Specify the security settings
      • Click Apply Settings.
    • Wireless » Wireless Security » Virtual Interface wl1.1
      • Specify the security settings
      • Click Apply Settings.

Create a virtual local area network (vlan3)

We will use the shell (ssh) interface to configure the VLANs (because the GUI on Broadcom based routers have some related bugs). Login using SSH/Telnet, and run the following commands: nvram set vlan3hwname=et0 # enable VLAN3 nvram set vlan1ports=’1 2 5*’ # assign LAN1/LAN2 to VLAN1 nvram set vlan2ports=’0 5u’ # assign WAN to VLAN2 nvram set vlan3ports=’3 4 5*’ # assign LAN3/LAN4 to VLAN3 nvram set port0vlans=2 # WAN is part of VLAN2 nvram set port1vlans=1 # LAN1 is part of VLAN1 (for GUI only) nvram set port2vlans=1 # LAN2 is part of VLAN1 (for GUI only) nvram set port3vlans=3 # LAN3 is part of VLAN3 (for GUI only) nvram set port4vlans=3 # LAN4 is part of VLAN3 (for GUI only) nvram set port5vlans=’1 2 3 16′ # CPU receives tagged VLAN1/VLAN2/VLAN3 nvram commit reboot

Bridge vlan3 and wl0.1 (br1)

To make the new wired and wireless network to behave as one, we logically combine interfaces vlan3 and wl0.1 using a new bridge interface br1:

  1. Bridge the vlan3, wl0.1 and wl1.1 interfaces together as br1
    • Setup » Networking » Bridging » Create Bridge
      • Click Add
        • enter br1 in the first field (optionally disable MSTP)
        • apply settings.
      • For br1 enter a
        • private IP address (e.g. 10.1.1.1), and
        • subnet mask (e.g. 255.255.255.0)
        • apply settings.
    • Setup » Networking » Bridging » Assign to bridge
      • Click Add twice. You should now have 3 assignment entries.
        • br1, interface vlan3 (LAN3 and LAN4)
        • br1, interface wl0.1 (the virtual 2.4G WiFi i/f)
        • br1, interface wl1.1 (the virtual 5G WiFi i/f)
      • Click Apply Settings
  2. Verify that vlan3, wl0.1 and wl1.1 are set to default (we’ll enable NAT later on the bridge)
    • Setup » Networking » Port Setup
      • Network Configuration vlan3 = Default
      • Network Configuration wl0.1 = Default
      • Network Configuration wl1.1 = Default
  3. Enable DHCP server for bridge br1
    • Setup » Networking » DHCPD » Multiple DHCP Server
      • Click Add
        • Select br1 and fill in the first address, maximum number of DHCP addresses and lease time in minutes. E.g. 200, 50 and 1440.
      • Click Apply Settings.

Separate the networks

Now that we have the two networks up and running, it is time to separate them. The firewall rules listed below added to Administration > Commands > Save Firewall. If you use an USB memory stick, the rules can also be stored in an executable /jffs/etc/config/*.wanup script. Such a script runs automatically each time the WAN link and firewall are up (see Script Execution).

Enable NAT for br1 (use “iptables -nvL -t nat” to verify) iptables -t nat -I POSTROUTING -o `get_wanface` \ –src `nvram get br1_ipaddr`/`nvram get br1_netmask` -j SNAT \ –to `nvram get wan_ipaddr`

To restrict br1 from accessing br0 and visa versa, iptables -I FORWARD -i br0 -o br1 -m state –state NEW -j DROP iptables -I FORWARD -i br1 -o br0 -m state –state NEW -j DROP

Optionally, restrict br1 from accessing the management interface of the router. iptables -I INPUT -i br1 -m state –state NEW -j DROP iptables -I INPUT -i br1 -p udp –dport 67 -j ACCEPT iptables -I INPUT -i br1 -p udp –dport 53 -j ACCEPT iptables -I INPUT -i br1 -p tcp –dport 53 -j ACCEPT

Test

To test the interfaces, configure a space computer interface for DHCP and connect it to each of the LAN ports. Then verify that the assigned IP address matches the subnet of the network. Do the same with the wireless networks.