VLAN configuration in a Linksys router.

Hi all,
Today I am turning a simple Linksys router (running Tomato firmware) into a device that would be proud to be called a Cisco: I've created a new VLAN and disabled NAT for that interface.

Why? First, to separate the WLAN and the LAN interfaces of the router; second, to use VLAN 2 as a DMZ port with Internet-routable IPs.
So let's start.

Upgrading to Tomato is simple and free; the latest version can be found HERE, and instructions on the process are in the FAQ section there.
First we enable SSH / Telnet access to the Linksys. Log in to the device via the GUI, navigate to "Administration" and then to "Admin Access".
I enabled SSH only (Telnet sends the password in the clear); if remote (WAN-side) access is enabled, move it to a less obvious port.

Note that SSH logs you in as the user "root" with the same password as the GUI, so that one password protects the whole router.

From the CLI we first shrink the existing LAN VLAN (vlan0) so that it keeps only one switch port. The numbers used in the vlanXports variables are internal switch ports, not the numbers printed on the case; on this router they map as follows (the mapping differs between Linksys models and hardware revisions, so check the current values with nvram get vlan0ports and nvram get vlan1ports before changing anything):
0 is the WLAN
1 is port 3
2 is port 2
3 is port 1
4 is port 0
5 is the router itself (the CPU port), so it must be a member of every VLAN

#nvram set vlan0ports="0 5*"

now add the new VLAN
#nvram set vlan2hwname=et0
#nvram set vlan2ports="3 2 1 5*"
#nvram commit

This will only take effect after a reboot, but before rebooting we'll make a few more changes.

Adding an IP to the new VLAN:

From the GUI, navigate to "Administration" and then "Scripts".
In the "Init" script add the following (X.X.X.X is the IP we wish to add; the netmask has to be given explicitly, 255.255.255.0 here to match the /24 used in the firewall rules below):
sleep 10; ifconfig vlan2 X.X.X.X netmask 255.255.255.0 up;
The sleep gives the switch driver time to create the vlan2 interface at boot; the command then assigns the address and brings the interface up on every startup.

Now the firewall rules.
I had a routable IP pool and a firewall on each server, so I wanted to allow all access and disable NAT.
To accomplish this we add the following to the "Firewall" script in the "Scripts" section (or run it from the CLI):

#iptables -I INPUT -i vlan2 -j ACCEPT

Be aware that this accepts everything from the DMZ to the router itself, including SSH and the web GUI; if the DMZ hosts are not fully trusted, restrict it to the services they actually need from the router (DHCP, DNS, ping).

If we want traffic between the VLANs (if not, just change the ACCEPT to DROP):

#iptables -I FORWARD -i vlan2 -o br0 -j ACCEPT

Note the direction: this lets DMZ hosts open connections into the LAN. For a conventional DMZ the rule should go the other way round, LAN hosts may reach the DMZ while DMZ hosts may only send replies to established connections.

To disable NAT for the pool, two things are needed. First, make sure the routable range is forwarded in both directions (x.x.x.x is the network address of the pool):

#iptables -I FORWARD 1 -d x.x.x.x/24 -j ACCEPT

#iptables -I FORWARD 1 -s x.x.x.x/24 -j ACCEPT

Second, and this is the part that actually switches NAT off: masquerading is done in the nat table, so the pool has to be exempted there. An ACCEPT inserted at the top of POSTROUTING ends traversal of that chain before the MASQUERADE rule is reached:

#iptables -t nat -I POSTROUTING 1 -s x.x.x.x/24 -j ACCEPT

Without this last rule the two FORWARD rules only permit the traffic; packets from the pool would still leave the router masqueraded with the WAN address.
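The firewall section above, as an added example that is not the original post's script: a complete Tomato "Firewall"-slot script that keeps the DMZ rules in their own chains, limits what the DMZ can reach on the router itself, allows LAN-to-DMZ but not DMZ-to-LAN connections, blocks spoofed source addresses, and exempts the routable pool from masquerading. The interface names vlan2 and br0 follow the post; the pool 203.0.113.0/24 (a documentation range), the chain names and the IPT variable are assumptions.

```shell
#!/bin/sh
# Added example for the Tomato "Firewall" script slot; it is not the script from
# the original post. Interface names, the address pool (203.0.113.0/24, a
# documentation range) and the open ports are assumptions: adjust them.
DMZ_IF=${DMZ_IF:-vlan2}              # the VLAN created with nvram above
LAN_IF=${LAN_IF:-br0}                # Tomato's LAN bridge (wired ports + wireless)
DMZ_NET=${DMZ_NET:-203.0.113.0/24}   # routable pool assigned to the DMZ (assumed)
IPT=${IPT:-iptables}                 # IPT=echo prints the rules instead of applying them

dmz_firewall() {
    # Own chains so the order is explicit (-A) and re-running the script is safe.
    $IPT -N dmz-in  2>/dev/null
    $IPT -F dmz-in
    $IPT -N dmz-fwd 2>/dev/null
    $IPT -F dmz-fwd

    # Traffic from the DMZ to the router itself: DHCP, DNS and ping only, so the
    # web GUI and SSH are not reachable from the exposed hosts.
    $IPT -A dmz-in -p udp --dport 67 -j ACCEPT
    $IPT -A dmz-in -p udp --dport 53 -j ACCEPT
    $IPT -A dmz-in -p tcp --dport 53 -j ACCEPT
    $IPT -A dmz-in -p icmp -j ACCEPT
    $IPT -A dmz-in -j DROP

    # Forwarding policy for anything entering or leaving the DMZ interface.
    $IPT -A dmz-fwd -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies, either direction
    $IPT -A dmz-fwd -i "$LAN_IF" -o "$DMZ_IF" -j ACCEPT              # LAN may open connections into the DMZ
    $IPT -A dmz-fwd -i "$DMZ_IF" -o "$LAN_IF" -j DROP                # DMZ may not open connections into the LAN
    $IPT -A dmz-fwd -i "$DMZ_IF" ! -s "$DMZ_NET" -j DROP             # anti-spoofing: DMZ hosts use pool addresses only
    $IPT -A dmz-fwd -i "$DMZ_IF" -s "$DMZ_NET" -j ACCEPT             # DMZ -> Internet
    $IPT -A dmz-fwd -o "$DMZ_IF" -d "$DMZ_NET" -j ACCEPT             # Internet -> DMZ (hosts run their own firewalls)

    # Hook the chains ahead of Tomato's own rules.
    $IPT -I INPUT 1 -i "$DMZ_IF" -j dmz-in
    $IPT -I FORWARD 1 -i "$DMZ_IF" -j dmz-fwd
    $IPT -I FORWARD 1 -o "$DMZ_IF" -j dmz-fwd

    # Disable NAT for the pool: an ACCEPT in nat/POSTROUTING ends traversal of that
    # chain, so the MASQUERADE rule Tomato adds further down never sees these packets.
    $IPT -t nat -I POSTROUTING 1 -s "$DMZ_NET" -j ACCEPT
}

# In the Firewall script slot, finish with a bare "dmz_firewall" line.
# For a dry run on a workstation:  IPT=echo sh dmz-firewall.sh
if [ "$IPT" = echo ]; then
    dmz_firewall
fi
```

After the reboot, iptables -t nat -L POSTROUTING -n should list the ACCEPT for the pool above the MASQUERADE rule, and iptables -L FORWARD -n should show the two dmz-fwd jumps at the top; if the pool ACCEPT is missing, the script ran before the nat table was rebuilt and belongs in the Firewall slot rather than Init.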

And if needed, add DHCP:
from the GUI, navigate to "Advanced" then "DHCP / DNS"
and under "Custom configuration" add a dnsmasq fragment like the following

interface=vlan2
dhcp-range=vlan2,x.x.x.y,x.x.x.z,255.255.255.0,24h
dhcp-option=vlan2,3,x.x.x.x

(x.x.x.x = gateway's IP, i.e. the address given to vlan2 in the Init script; x.x.x.y = start IP; x.x.x.z = end IP. The first field of the dhcp-range and dhcp-option lines is the interface the range is bound to, so the LAN keeps its own pool; option 3 is the default gateway handed to the clients and 24h is the lease time.)

Now just reboot the device and we're all done.

I hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR
