12 January 2012

I’ve been wanting to develop a more secure and robust home network for a while and this past weekend I took my first step towards that.  A few months ago I replaced my WRT300N with a Linksys E4200.  My reasons for upgrading were I wanted something faster and had the 5GHz spectrum support.  For some reason in my area there is often interference throughout the 2.4 range.  I haven’t implemented the 5GHz for any of my devices but that will hopefully come soon.

So, my 300N has been sitting around collecting dust and I wanted to re-purpose it with dd-wrt.  I love the expanded capabilities and the open source nature of the software.  My chief reasons for choosing to flash dd-wrt instead of retaining the stock firmware were:  1) To see if I could do it 🙂  2)  A more secure system,  and 3)  VLAN support.  I did a little investigating and some of the recommended reading before starting the process.  It wasn’t clear as to whether the 300N actually supported VLANs and there were no confirmations.  But for me, having an additional router to add another layer in my network was worth it anyway.  So here is how I got it working with my 300N, along with successfully setting up a restricted VLAN.

The initial flashing process was as easy as it is described in the manual.  I used the Web-GUI method.  I’m not sure how important it is to go through the 30-30-30 reset method (I didn’t read the lengthy explanation) but it’s 90 seconds out of my life, done twice.  It’s not a big deal and well worth taking the time to avoid bricking the router.  So that’s what I did.

After flashing I set my secure password and dove in to figuring out how to setup my restricted VLAN.  To do that:

  1. I chose to use telnet, so I connected to the router’s default gateway IP and logged in (when using telnet, the username is root and the password is the secure password you set when logging in)
  2. I then passed the command:  nvram set boardflags=”0x0110″
    1. The default value is 0x0010.  To know why I set it to what I did, see the links at the bottom of the post.
  3. I then passed the command:  nvram commit   (this commits any changes you just made)
  4. I then passed the command:  reboot

After the router boots back up (it might take around 30 seconds or so) it’s time to log back into the web gui.  Now, under the “Setup” option you’ll see an additonal tab for “VLAN.”  The two tabs we’ll be using are VLAN and Networking.

  1. Go to the VLANS tab and check the box under which port number you want to be under which vlan.  I left “W” on vlan0, the default vlan.
    1. The ports numbers in the GUI are backwards to what is labeled on the back of the router.  Port 1 in the GUI actually corresponds to the port labeled 4 on the back of the router.  2 in the GUI to port 3 on the router, etc.  If this bothers you, in the telnet session see what the order of the ports are by passing:  nvram show | grep vlan1ports    What you then want to do is pass the same value back into that setting but in reversed order.  So if it was vlan1ports=0 1 2 3 5* then you want to pass:  nvram set vlan1ports=”3 2 1 0 5*”   Note the use of quotes when setting the variable value.  Also note I left 5* at the end.  Port 5 isn’t a physically accessible port, it’s used internally so leave it at the end.
  2. Next I went to the Networking tab and created a second bridge, br2.  I created another bridge because I’m controlling my restrictions that way.  I have more than one vlan I want to restrict, and if I add more in the future I just tell it to use bridge 2 and then I don’t have to setup the restrictions all over again for the new vlan.
  3. To create the separation I assigned it a different subnet from the rest of my network.
    1. For example, if my “main” network is under the 192.168 subnet, I would set my restricted to the 10.200.1.0 and give it the 255.255.255.0 subnet mask
  4. I created another DHCP server for that second subnet (otherwise connected devices wouldn’t get an IP!).  That is at the bottom of the Networking page.  Give it the same subnet and mask as you set for the bridge.
  5. Last, I created new bridge connection for the vlan’s I want to be on the second bridge.  I added eth2 to this network, which is the wireless controller.  So, I have one physical port and all wireless connections going through bridge 2.
    1. If you plan on offering open wifi or making it available to guests, this is probably a good idea

The configuration of the port assignments and the separate is now done.  All that is left is create the restriction.  The one I opted for is, using my example subnets above, to have the 192.168 be able to access the 10.200 but not the other way around.  Before you commit any iptables or other rule changes to the router permanently (setting them to auto execute in a startup script) I suggest just passing them via a telnet connection to test them.  If you end up creating a rule that blocks you out of the router all you have to do is reset it and the configuration is gone.  One you know the rules you want, you’ll want to set them to a startup script so that you don’t have to set them again after each router reboot!

My restriction requires one rule, set to the rc_firewall startup script:  nvram set rc_firewall=”iptables -I FORWARD -i br2 -o br0 -j logdrop”

And that was it.  I just did a simple ping test to verify.  I could ping from one vlan to the other, but not the other way.  This is far from the final configuration of my router but this was the main goal.  I’ll also be looking into setting up PFSense on an old machine.  If you’re wondering why I want two manufactured routers in addition to an x86, the routers will eventually be more like switches, enabling a broader wireless range (in coverage and number of) and providing additional hardware ports.  The whole thing is an experiment chiefly for hands on learning.  The byproduct being a more secure home network in the end.

References and Resources (without whom my efforts may have been fruitless or taken much longer):

Here are the pages I used to assit me (in addition to the manual linked above):
Basic information for the family of chip in the WRT300N
IPTables configuration

Here’s another link to an article with an extensive write-up on separating your WLAN from your LAN.  I haven’t read it, though.


2 Responses to “Setting Up DD-WRT on a Linksys WRT300N v1.0”

  • kris
    July 3rd, 2012 at 2:10 pm     

    I followed your instruction with my wrt300n v1, but as soon as I enable VLAN support, I lose my ethernet ports. I can connect wirelessly, but I can’t get an IP address from the ethernet ports. Did you experience this?

  • thegeek
    July 4th, 2012 at 7:35 am     

    I didn’t, no. But I didn’t try to connect until after I had the whole thing configured. Are the ports assigned to a bridge? I think by default they should all be assigned to the same bridge but if not they don’t have a subnet. But without being able to see the configuration I can’t tell what the problem might be. Did you do the whole configuration? Can you still telnet in? If not, you may need to do the 30-30-30 and try again.

You must be logged in to post a comment.