At FlashRouters, our primary goal is to inform users of what they can do if they decide to take back control of their network and learn more about what their router does. From VPN (Virtual Private Network) integration to QoS (Quality of Service) to DNSMasq and bandwidth monitoring/access controls, DD-WRT is a feature-laden firmware alternative ready to maximize your router's capabilities and performance.
In this post, we will explore a very popular feature most commonly found in alternative firmwares like DD-WRT called VLAN or VLAN tagging.
What is VLAN (Virtual LAN)?
According to Wikipedia, "In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN… More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs…"
Basically, a VLAN is a method of creating separate networks on the same router for security and segmentation purposes. Setting up VLANs is useful if you have devices on your network that you want to isolate from other devices, for example multiple guest networks for family, friends or office visitors. A VLAN lets you provide them with Internet access without giving them access to your entire network. The settings can easily be changed and adapted to however you want the network to be set up.
A VLAN has the same attributes as a physical local area network (LAN), but it allows devices to be grouped together more easily even if they are not on the same network switch. Most enterprise-level networks today use virtual LANs.
Without VLAN functionality, this setup would require a separate collection of network cables and equipment, distinct from the primary network, which would be costly and mean rewiring an entire home or office. Unlike physically separate networks, VLANs share bandwidth, so VLAN trunks may require aggregated links and/or quality of service prioritization to get the most out of them.
For many users, VLAN support alone is enough of a reason to switch to third-party alternative firmware, but you can read the Intro to DD-WRT for more.
How to Setup VLAN in DD-WRT
Now on to the fun!
In this DD-WRT tutorial, we will set up a VLAN for each Ethernet port. This creates a network on each port that is isolated from all the other ports. An Asus RT-AC66U was used for this tutorial, but the interface is fairly consistent across any popular DD-WRT enhanced router, such as the Netgear Nighthawk R7000 AC1900.
VLAN Configuration of Ports 1-4
Go to http://192.168.1.1/ (or your router management IP address) in your web browser.
Select Setup -> VLANs.
Uncheck ports 1, 2, 3, and 4. Place port 1 into VLAN1, port 2 into VLAN2, port 3 into VLAN3, and port 4 into VLAN4. Set the WAN port to VLAN0.
When this is done, the VLAN configuration page should look like this.
Click Save, then Apply Settings.
VLAN Configuration on Each Port
- Next, plug an Ethernet cable into port 1 on the router from your computer.
- Unplug the router power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
- Go to Setup -> Networking.
In this tutorial, we will create a subnet for each VLAN.
VLAN1 will have the subnet 192.168.1.0. VLAN2 will have the subnet 192.168.2.0. VLAN3 will have the subnet 192.168.3.0. VLAN4 will have the subnet 192.168.4.0.
That means devices on VLAN1 will be assigned addresses such as 192.168.1.15, and devices on VLAN2 addresses such as 192.168.2.50.
Under Port Setup set VLAN1 to Unbridged.
Set the IP Address to 192.168.1.1 and the Subnet Mask to 255.255.255.0.
Change VLAN2 to Unbridged.
Set the IP Address to 192.168.2.1 and the Subnet Mask to 255.255.255.0.
Change VLAN3 to Unbridged.
Set the IP Address to 192.168.3.1 and the Subnet Mask to 255.255.255.0.
Change VLAN4 to Unbridged.
Set the IP Address to 192.168.4.1 and the Subnet Mask to 255.255.255.0.
Save your changes by clicking Save. When the interface responds, the Port Setup section should look like this.
Below the Port Setup area you will see a section titled DHCPD.
This section lets you run a separate DHCP server on each network segment, so that whenever a client connects to a given VLAN, the router automatically assigns it an address from that VLAN's subnet. The entries below create one such address pool for each of the 4 new segments of your network, to be handled by the router automatically from then on.
Under DHCPD, click Add. Set DHCP 0 to vlan0 with a Leasetime of 1440 (24 hours). Click Save.
Click Add again. Set DHCP 1 to vlan1 with a Leasetime of 1440 (24 hours). Click Save.
Click Add again. Set DHCP 2 to vlan2 with a Leasetime of 1440 (24 hours). Click Save.
Once again, click Add. Set DHCP 3 to vlan3 with a Leasetime of 1440 (24 hours). Click Save.
And a final time, click Add. Set DHCP 4 to vlan4 with a Leasetime of 1440 (24 hours).
Click Save, wait for the save to complete, then click Apply Settings.
Once completed, the DHCPD -> Multiple DHCP Server section should look like this:
Plug your Ethernet cable into any port on the router aside from port 4 or the WAN port. Unplug the power for 30 seconds and then plug it back in. Wait for the lights to return to normal.
Adding Firewall Rules to Isolate the VLANs
Now we have created 4 network segments, but we need firewall rules to fully isolate them from each other. The commands below block each VLAN from communicating with the others while still letting each one reach the Internet.
Browse to Administration -> Commands.
Copy and paste the following commands into the Commands text box. Each rule drops forwarded traffic from one VLAN's subnet unless it is leaving through the WAN interface (DD-WRT stores that interface name in the wan_iface NVRAM variable). A bare "-s <subnet> -j DROP" rule with no output-interface qualifier would also drop the VLAN's Internet-bound traffic, because that traffic passes through the FORWARD chain too.
# WAN interface name as reported by the firmware (for example eth0, or ppp0 on PPPoE)
WAN_IF=$(nvram get wan_iface)
# Drop anything forwarded from a VLAN that is not heading out to the Internet
iptables -I FORWARD -s 192.168.1.0/255.255.255.0 ! -o $WAN_IF -j DROP
iptables -I FORWARD -s 192.168.2.0/255.255.255.0 ! -o $WAN_IF -j DROP
iptables -I FORWARD -s 192.168.3.0/255.255.255.0 ! -o $WAN_IF -j DROP
iptables -I FORWARD -s 192.168.4.0/255.255.255.0 ! -o $WAN_IF -j DROP
Click “Save Firewall”.
Your DD-WRT VLAN basic configuration is now complete.
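As an added check written for this post (example code, not part of the original tutorial or of DD-WRT itself), the following Python script models first-match evaluation of the FORWARD chain and shows why the output-interface qualifier on the isolation rules matters: a bare "-s <subnet> -j DROP" rule drops every packet the router forwards from that VLAN, Internet-bound ones included, while "-s <subnet> ! -o <wan> -j DROP" blocks only VLAN-to-VLAN traffic. The subnets are the ones assigned in the tutorial; the interface names (vlan1 to vlan4, eth0 for the WAN), the default ACCEPT policy and the sample host addresses are assumptions of the model.

```python
"""Model of how netfilter's FORWARD chain evaluates the VLAN isolation rules.

Added example, not DD-WRT or FlashRouters code. It simulates first-match
evaluation of a FORWARD chain (default policy ACCEPT is an assumption) so the
effect of a rule set can be checked before it is pasted into
Administration -> Commands. Interface names vlan1..vlan4 and eth0 for the WAN
are assumptions; the subnets are the ones the tutorial assigns.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Subnets the tutorial assigns to each VLAN (gateway .1 in each)
VLAN_SUBNETS = {
    "vlan1": IPv4Network("192.168.1.0/24"),
    "vlan2": IPv4Network("192.168.2.0/24"),
    "vlan3": IPv4Network("192.168.3.0/24"),
    "vlan4": IPv4Network("192.168.4.0/24"),
}
WAN_IFACE = "eth0"  # assumption; the real router reports it via `nvram get wan_iface`


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule: match on source subnet, optional destination subnet,
    optional output interface (negated, i.e. "! -o", when out_iface_negate is True)."""
    src: IPv4Network
    target: str                       # "DROP" or "ACCEPT"
    dst: Optional[IPv4Network] = None
    out_iface: Optional[str] = None
    out_iface_negate: bool = False

    def matches(self, src_ip, dst_ip, out_iface):
        if src_ip not in self.src:
            return False
        if self.dst is not None and dst_ip not in self.dst:
            return False
        if self.out_iface is not None:
            same = out_iface == self.out_iface
            if same == self.out_iface_negate:   # "-o X" needs same, "! -o X" needs different
                return False
        return True


def egress_iface(dst_ip):
    """Simplified route lookup: a destination inside one of the VLAN subnets
    leaves on that VLAN's interface; anything else takes the default route
    out of the WAN."""
    for iface, net in VLAN_SUBNETS.items():
        if dst_ip in net:
            return iface
    return WAN_IFACE


def forward_verdict(chain, src_ip, dst_ip):
    """The first matching rule decides; with no match the packet falls
    through to the chain's default policy (ACCEPT in this model)."""
    src_ip, dst_ip = IPv4Address(src_ip), IPv4Address(dst_ip)
    out_iface = egress_iface(dst_ip)
    for rule in chain:
        if rule.matches(src_ip, dst_ip, out_iface):
            return rule.target
    return "ACCEPT"


# Rule set A: a bare "-s <subnet> -j DROP" per VLAN with no destination or
# interface qualifier. Everything forwarded from the VLAN is dropped,
# including packets routed out to the Internet.
BARE_DROP = [Rule(src=net, target="DROP") for net in VLAN_SUBNETS.values()]

# Rule set B: "-s <subnet> ! -o <wan> -j DROP" per VLAN. Only forwarded
# traffic that is NOT leaving through the WAN interface is dropped, so
# VLAN-to-VLAN packets are blocked while Internet-bound packets pass.
ISOLATE_KEEP_WAN = [
    Rule(src=net, target="DROP", out_iface=WAN_IFACE, out_iface_negate=True)
    for net in VLAN_SUBNETS.values()
]


def isolation_report(chain):
    """Return (inter_vlan_blocked, internet_allowed) for a rule set, checking
    every ordered pair of VLANs plus one Internet-bound flow per VLAN.
    Constructed sample hosts: .15 in each subnet; 198.51.100.10 is a TEST-NET
    address standing in for a public server."""
    hosts = {name: str(net.network_address + 15) for name, net in VLAN_SUBNETS.items()}
    inter_vlan_blocked = all(
        forward_verdict(chain, hosts[a], hosts[b]) == "DROP"
        for a in VLAN_SUBNETS for b in VLAN_SUBNETS if a != b
    )
    internet_allowed = all(
        forward_verdict(chain, host, "198.51.100.10") == "ACCEPT"
        for host in hosts.values()
    )
    return inter_vlan_blocked, internet_allowed


if __name__ == "__main__":
    for label, chain in (("bare -s DROP", BARE_DROP), ("-s ! -o wan DROP", ISOLATE_KEEP_WAN)):
        blocked, internet = isolation_report(chain)
        print(f"{label:18s} inter-VLAN blocked={blocked}  internet allowed={internet}")
```

Running it shows the bare rules isolating the VLANs but cutting off their Internet access, and the "! -o" variant doing both jobs. The model ignores connection tracking and traffic addressed to the router itself (that goes through INPUT, not FORWARD, which is why the VLAN clients can still reach the router's management page).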
Testing the VLAN DD-WRT Setup
To test each VLAN, connect to that port or its wireless network and take note of your IP address, then move to another port and check whether your local IP address changes. If it changes, you have set up the VLANs correctly. Great job!