I’ve been wanting to build a more secure and robust home network for a while, and this past weekend I took my first step toward that. A few months ago I replaced my WRT300N with a Linksys E4200. My reasons for upgrading were that I wanted something faster and with 5GHz spectrum support; for some reason there is often interference throughout the 2.4GHz range in my area. I haven’t moved any of my devices to 5GHz yet, but that will hopefully come soon.
So my 300N has been sitting around collecting dust, and I wanted to repurpose it with DD-WRT. I love the expanded capabilities and the open-source nature of the software. My chief reasons for flashing DD-WRT instead of keeping the stock firmware were: 1) to see if I could do it 🙂, 2) a more secure system, and 3) VLAN support. I did a little investigating and some of the recommended reading before starting the process. It wasn’t clear whether the 300N actually supported VLANs, and I found no confirmations either way. But for me, having an additional router to add another layer to my network was worth it regardless. So here is how I got DD-WRT working on my 300N, along with successfully setting up a restricted VLAN.
The initial flashing process was as easy as the manual describes. I used the web GUI method. I’m not sure how important the 30-30-30 reset is (I didn’t read the lengthy explanation), but it’s 90 seconds out of my life, done twice. It’s not a big deal and well worth the time to avoid bricking the router, so that’s what I did.
After flashing I set a strong admin password and dove into figuring out how to set up my restricted VLAN. To do that:
After the router boots back up (it may take around 30 seconds or so), log back into the web GUI. Under the “Setup” menu you’ll now see an additional tab for “VLAN.” The two tabs we’ll be using are VLAN and Networking.
The configuration of the port assignments and the separate networks is now done. All that is left is to create the restriction. The one I opted for, using my example subnets above, is to let the 192.168 network reach the 10.200 network but not the other way around. Before you commit any iptables or other rule changes to the router permanently (by setting them to auto-execute in a startup script), I suggest passing them over a telnet connection first to test them. Rules entered that way live only in memory, so if you create one that locks you out of the router, all you have to do is reboot (or reset) it and the uncommitted configuration is gone. Once you know the rules you want, put them in a startup script so that you don’t have to enter them again after each reboot!
My restriction requires one rule, stored in the rc_firewall startup variable (straight quotes, not the curly ones a blog editor likes to substitute):
nvram set rc_firewall="iptables -I FORWARD -i br2 -o br0 -j logdrop"
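Putting the test-then-persist workflow from the two paragraphs above into one place, here is an added example as a small DD-WRT shell script; it is not code from the original post. It assumes what the rule on this page implies, namely that br0 is the bridge for the main 192.168 LAN and br2 the bridge for the restricted 10.200 VLAN, and that DD-WRT’s own firewall has already created the logdrop chain. It also adds one check a practitioner would want: the single rule is stateless and -I puts it at the very top of FORWARD, so an explicit ESTABLISHED,RELATED accept is inserted in front of it to guarantee that replies to connections opened from the main LAN are allowed back, while new connections from the restricted VLAN are still logged and dropped.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for testing and then
# persisting the inter-VLAN restriction on a DD-WRT router.
# Assumptions (the post shows only the single logdrop rule): br0 is the
# bridge for the main 192.168 LAN, br2 is the bridge for the restricted
# 10.200 VLAN, and DD-WRT's firewall has already created the logdrop chain.
MAIN_BR="${MAIN_BR:-br0}"
RESTRICTED_BR="${RESTRICTED_BR:-br2}"

# The rules, in the order they are run. Both use -I, which inserts at the
# top of FORWARD, so the rule run LAST ends up FIRST in the chain: the
# stateful ACCEPT lands above the logdrop. New connections from the
# restricted VLAN toward the main LAN are logged and dropped, while replies
# to connections opened from the main LAN are still allowed back.
vlan_rules() {
    printf '%s\n' \
        "iptables -I FORWARD -i $RESTRICTED_BR -o $MAIN_BR -j logdrop" \
        "iptables -I FORWARD -i $RESTRICTED_BR -o $MAIN_BR -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Step 1: run the rules live from a telnet/SSH session. Nothing is written
# to flash, so a rule that locks you out is undone by a reboot.
apply_live() {
    vlan_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# The value to store in rc_firewall: the rules joined with ';' so they run
# as one shell snippet each time DD-WRT (re)starts its firewall.
rc_firewall_value() {
    vlan_rules | tr '\n' ';' | sed 's/;$//'
}

# Step 2: persist once verified. nvram set alone changes the value in RAM;
# nvram commit writes it to flash so it survives a reboot.
persist() {
    nvram set rc_firewall="$(rc_firewall_value)"
    nvram commit
}

# Step 3: inspect FORWARD. The ACCEPT line for br2 -> br0 should carry a
# lower rule number than the logdrop line, and the logdrop counters should
# climb when a restricted-VLAN host tries to reach the main LAN.
verify() {
    iptables -L FORWARD -v -n --line-numbers | grep -E " $RESTRICTED_BR +$MAIN_BR "
}

# Usage: sh vlan-restrict.sh live | verify | persist | show
case "${1:-}" in
    live)    apply_live ;;
    verify)  verify ;;
    persist) persist ;;
    show)    rc_firewall_value ;;
esac
```

Run it with `live` from your telnet session (or, preferably, SSH, which DD-WRT also offers; telnet sends the router password in the clear even on a home LAN), confirm the ordering with `verify`, and only then run `persist`. If your bridge names differ, override MAIN_BR and RESTRICTED_BR from the environment rather than editing the rules.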
And that was it. I just did a simple ping test to verify. I could ping from one VLAN to the other, but not the other way. This is far from the final configuration of my router, but this was the main goal. I’ll also be looking into setting up pfSense on an old machine. If you’re wondering why I want two consumer routers in addition to an x86 box, the routers will eventually act more like switches, extending wireless range (both in coverage and in number of access points) and providing additional hardware ports. The whole thing is an experiment, chiefly for hands-on learning, with a more secure home network as the byproduct.
References and Resources (without which my efforts might have been fruitless or taken much longer):
Here are the pages I used to assist me (in addition to the manual linked above):
Basic information on the family of chips in the WRT300N
Here’s another link to an article with an extensive write-up on separating your WLAN from your LAN. I haven’t read it, though.