.

DD-WRT leading two separate networks (Asus RT-AC68)

This article shows how a $180 consumer class router can support two different networks.  Besides the usual primary network, it will create a secondary network supporting both wireless and wired connections.  The secondary network could  be used to provide internet access to customers or visitors.  The secondary network consists of a 2.4G and 5G radios and two LAN ports.  If you only need one radio, you should read Ric’s article instead.seperate-networks2

The router is assumed to be flashed with open source DD-Wrt firmware.  This firmware adds some business class features to your router.  The configuration will take advantage of two features that allow network traffic to be separated:

  • VLANs, allows wired LAN ports to be grouped and each group to be treated differently.
  • multiple SSIDs, allows multiple wireless network names (SSID) and security settings.  The traffic over each SSID can be treated differently.

Before we start

The router is assumed to be running open source DD-Wrt firmware and configured for a single wired and wireless network.  The router should also be configured for shell access (ssh) or telnet.  Further, the reader should have a basic understanding of

  • the web based user interface (WebGUI)
  • networking concepts such as IP addresses, sub nets, routing, bridging and network interfaces.  Some of the more specific terminology used in this article is:
    • A broadcast domain, is a network segment, in which all nodes can communicate directly by layer-2 broadcasts.  Examples are a wired GigE network, or a wireless network.
    • A switch, handles frames at the data link layer (layer 2).
    • A router, handles packets at the network layer (layer 3).  A router forms a boundary between broadcast domains.
    • A bridge, connects two or more network segments into a single broadcast domain (layer 2).
    • A virtual LAN (VLAN), creates distinct broadcast domains within one ore more physical networks.  A VLAN is a switched network that is logically segmented by functions, project teams, or applications without regard to the physical location of users.

The configuration presented here has been tested on an Asus RT-AC68U router running DD-Wrt kongac build 23770M .  For the Asus RT-N16 refer to my older article.  The approach outlined might also apply to other routers or builds, albeit with minor changes.

Inside the router

To create a secondary network, we need to separate the four LAN ports and create an virtual wireless network.  The following section builds a basic understanding of the default data paths in the router.  The following section describes how the software configuration

Hardware block diagram

The Asus RT-AC68U router that is build around:

  • System-on-Chip BCM4708, provides the CPU, USB, WAN port and four LAN ports
  • Wireless NIC  BCM4360, provides the radio transceiver

This GigE routers has the port number assigned as illustrated below.

RT-AC68-block-before

The block diagram above shows the data paths within the router.  Note:

  • the LAN port numbers on the case may not correspond to the port numbers on the switch;
  • the WAN port connects to a special interface on the switch and can’t be reassigned;
  • port 5 connects the VLAN trunk from the switch to interface eth0 on the CPU.

The switch tags incoming frames with a VLAN identifier.  Frames arriving on the WAN port are tagged as VLAN2, while frames from the LAN ports are tagged as VLAN1.  The frames destined for the CPU are sent on CPU internal port 5.

The CPU receives the frames over port eth0.  Frames with a VLAN2 tag are treated as WAN traffic.  Frames with a VLAN1 tag are combined (bridged) with frames from the wireless module (eth1) and treated as LAN traffic.

Firmware mapping

The configuration for the DD-Wrt is stored in nonvolatile memory (nvram).  The configuration can be shown as described in the DD-Wrt document Switched Ports.  An excerpt:

The tagging configuration is stored in vlan#ports variables where ‘*’ symbolizes the default path.  Note that the vlan0ports variable is unused on GigE routers.  For the switch to move frames outside of any vlan, it needs to include port 5.  This allows the SoC to route the packet.  The vlan with the default is used for packets that do not have a vlan tag (see here).  SSH/Telnet into the router and:

nvram show | grep vlan.*ports | sort
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u

An other important variable is port5vlans.  It identifies every active VLAN plus the number 16 that indicates that tagging is enabled.  The other variables appear only for the WebGUI.

nvram show | grep port.*vlan | sort
port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 16

Every active VLAN needs to have its name set to et0.

nvram show | grep vlan.*hwname | sort
vlan1hwname=et0
vlan2hwname=et0

Creating to separate networks

To create a second network, we need to introduce an additional VLAN and an additional SSID for the wireless.  The two can then be bridged together and given an unique subnet address.  Before you start, I highly recommend making a backup of your current configuration.

 

RT-AC68-block-after

Create a virtual wireless network (wl0.1, wl1.1)

Using a web browser, connect to the router and bring up the WebGUI.

  1. Create the WiFi virtual interfaces
    • Wireless » wl0 » Virtual Interfaces
      • Click Add
        • Specify the basic wireless settings.
        • For the network configuration, choose bridged.
        • Do not select Network Isolation
        • Click Save.
    • Wireless » wl1 » Virtual Interfaces
      • Click Add
        • Specify the basic wireless settings.
        • For the network configuration, choose bridged.
        • Do not select Network Isolation
        • Click Save.
  2. Set the WiFi security for the virtual interfaces
    • Wireless » Wireless Security » Virtual Interface wl0.1
      • Specify the security settings
      • Click Apply Settings.
    • Wireless » Wireless Security » Virtual Interface wl1.1
      • Specify the security settings
      • Click Apply Settings.

Create a virtual local area network (vlan3)

We will use the shell (ssh) interface to configure the VLANs (because the GUI on Broadcom based routers  have some related bugs).  Login using SSH/Telnet, and run the following commands:

nvram set vlan3hwname=et0       # enable VLAN3

nvram set vlan1ports="1 2 5*"   # assign LAN1/LAN2 to VLAN1
nvram set vlan2ports="0 5u"     # assign WAN to VLAN2
nvram set vlan3ports="3 4 5*"   # assign LAN3/LAN4 to VLAN3

nvram set port0vlans="2"        # WAN is part of VLAN2
nvram set port1vlans="1"        # LAN1 is part of VLAN1 (for GUI only)
nvram set port2vlans="1"        # LAN2 is part of VLAN1 (for GUI only)
nvram set port3vlans="3"        # LAN3 is part of VLAN3 (for GUI only)
nvram set port4vlans="3"        # LAN4 is part of VLAN3 (for GUI only)
nvram set port5vlans="1 2 3 16" # CPU receives tagged VLAN1/VLAN2/VLAN3

nvram commit reboot

Bridge vlan3 and wl0.1 (br1)

To make the new wired and wireless network to behave as one, we logically combine interfaces vlan3 and wl0.1 using a new bridge interface br1:

  1. Bridge the vlan3, wl0.1 and wl1.1 interfaces together as br1
    • Setup » Networking » Bridging » Create Bridge
      • Click Add
        • enter br1 in the first field (optionally disable MSTP)
        • apply settings.
      • For br1 enter a
        • private IP address (e.g. 10.1.1.1), and
        • subnet mask (e.g. 255.255.255.0)
        • apply settings.
    • Setup » Networking » Bridging » Assign to bridge
      • Click Add twice.  You should now have 3 assignment entries.
        • br1, interface vlan3 (LAN3 and LAN4)
        • br1, interface wl0.1 (the virtual 2.4G  WiFi i/f)
        • br1, interface wl1.1 (the virtual 5G  WiFi i/f)
      • Click Apply Settings
  2. Verify that vlan3, wl0.1 and wl1.1 are set to default (we’ll enable NAT later on the bridge)
    • Setup » Networking » Port Setup
      • Network Configuration vlan3 = Default
      • Network Configuration wl0.1 = Default
      • Network Configuration wl1.1 = Default
  3. Enable DHCP server for bridge br1
    • Setup » Networking » DHCPD » Multiple DHCP Server
      • Click Add
        • Select br1 and fill in the first address, maximum number of DHCP addresses and lease time in minutes.  E.g. 200, 50 and 1440.
      • Click Apply Settings.

Separate the networks

Now that we have the two networks up and running, it is time to separate them.  The firewall rules listed below added to Administration > Commands > Save Firewall.  If you use an USB memory stick, the rules can also be stored in an executable /jffs/etc/config/*.wanup script.  Such a script runs automatically each time the WAN link and firewall are up (see Script Execution).

Enable NAT for br1 (use “iptables -nvL -t nat” to verify)

iptables -t nat -I POSTROUTING -o `get_wanface` \
--src `nvram get br1_ipaddr`/`nvram get br1_netmask` -j SNAT \
--to `nvram get wan_ipaddr`

To restrict br1 from accessing br0 and visa versa,

iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

Optionally, restrict br1 from accessing the management interface of the router.

iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

Test

To test the interfaces, configure a space computer interface for DHCP and connect it to each of the LAN ports.  Then verify that the assigned IP address matches the subnet of the network.  Do the same with the wireless networks.

Coert Vonk

Coert Vonk

Independent Firmware Engineer at Los Altos, CA
Welcome to the things that I couldn’t find.This blog shares some of the notes that I took while deep diving into various fields.Many such endeavors were triggered by curious inquiries from students. Even though the notes often cover a broader area, the key goal is to help the them adopt, flourish and inspire them to invent new technology.
Coert Vonk

Latest posts by Coert Vonk (see all)

4 comments to DD-WRT leading two separate networks (Asus RT-AC68)

  • Arun Gupta

    In Netgear WNDR3800 flashed with DD-WRT, there is no option to assign br1 to any VLAN. Maybe the Broadcom chips work differently from Atheros.

  • Ulli

    Great article. I learned a lot. But it doesn’t solve my “Problem”. Maybe you have a suggestion.

    In my case there is an VLAN6 which is tagged by an external switch and should be bridged on a seperate WLAN. No matter which port, all VLAN6 related stuff should be brougt to wl1.1. How to do that?

  • Rob C

    Would it be possible to create two separate networks on the LAN side of the router:
    ports 1 & 2 in VLAN 11 and ports 3 & 4 in VLAN 12
    Then have VLAN 11 & 12 use WAN 0 as their gateway

  • Andrew

    Thank you very much Mr Vonk for this guide. It was all very helpful.

    In my scenario, the DD-WRT device is an AP with virtualized radios to provide wireless access to internal networks with different layers of trust. The LAN ports of the DD-WRT device terminate to a switch that tag each to their respective VLANs on the network up to a firewall.

    VLAN1 (using your example) has its own network services (routing, DNS, DHCP) external to the DD-WRT device. VLAN 3 has its own router (not the DD-WRT device) as well but DD-WRT should act as a DHCP Server and point clients to the network router and an external DNS.

    Using dnsmasq (DHCPd disabled) as a DHCP server for just VLAN3 was a bit of a bumpy road. DDWRT appends its own dnsmasq configurations to the file in /tmp/ which for br1/vlan3 specify the AP address for default gateway and DNS. When you add the DHCP options to the dnsmasq additional parameters box in DD-WRT (Kong v3) it appends those entries to the configuration file after what DD-WRT auto-populates. This did eventually work for DNS but not for default gateway.

    For the time being I have a static default route for br1 to the VLAN3 network router, and that is working. But it’s a suboptimal design – I’d rather them hit my network router directly over Layer2 than hopping through the DD-WRT device.

    That all said – IT WORKS! Thank you. This helped me consolidate wireless services for my internal home networks. (IoT and kids’ Chromebooks are NOT allowed on my trusted network :) )

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  

  

  

Protected with IP Blacklist CloudIP Blacklist Cloud