First of all: I am not responsible if you brick your router by using this documentation. If you fear that could happen, stop HERE!
The following NVRAM settings need to be made:
```sh
#!/bin/sh
# Port 0 into WAN, port 5 is the router itself
nvram set vlan1hwname=et0
nvram set vlan1ports="0 5"
# Ports 2, 3 and 4 into LAN, port 5 is the router itself
nvram set vlan0hwname=et0
nvram set vlan0ports="2 3 4 5*"
# Port 1 into DMZ, port 5 is the router itself
nvram set vlan2hwname=et0
nvram set vlan2ports="1 5*"
# Static IP address for the DMZ interface
nvram set dmz_ifname=vlan2
nvram set dmz_proto=static
nvram set dmz_ipaddr=172.18.20.5
nvram set dmz_netmask=255.255.255.0
# save all the stuff
nvram commit
```
To bring up the DMZ interface automatically, you need to add "ifup dmz" after "ifup lan" in /etc/init.d/S40network. Run as root (write to a temporary file first; redirecting straight back into the file you are reading would truncate it):
```sh
sed "s/ifup lan/ifup lan@ifup dmz/" /etc/init.d/S40network | tr '@' '\n' > /tmp/S40network.new
cp /tmp/S40network.new /etc/init.d/S40network
```
To allow traffic to be forwarded over the new interface, you may add, for example, the following to "/etc/firewall.users":
```sh
#!/bin/sh
DMZ=$(nvram get dmz_ifname)
# $WAN and $LAN are normally provided by the firewall init script;
# fall back to the NVRAM values if this file is run on its own
WAN=${WAN:-$(nvram get wan_ifname)}
LAN=${LAN:-$(nvram get lan_ifname)}
# Allow forwarding from DMZ into WAN
iptables -A FORWARD -i $DMZ -o $WAN -j ACCEPT
# Allow forwarding from DMZ into LAN
iptables -A FORWARD -i $DMZ -o $LAN -j ACCEPT
# Allow forwarding from LAN into DMZ
iptables -A FORWARD -i $LAN -o $DMZ -j ACCEPT
```
But it would be better to specify exactly which services are allowed from and into the DMZ!
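As an added example (not part of the original post or of OpenWrt itself), the script below does two things a practitioner would want before committing the settings above: it checks that every physical switch port 0-4 lands in exactly one of the vlanNports lists, and it emits a stateful, service-specific FORWARD rule set instead of the three blanket ACCEPTs. The VLAN port strings are the post's own; the interface names br0/vlan1 used as fallbacks, and the service port lists, are assumptions made for the example. With the default IPTABLES=echo it only prints the rules, so it can be reviewed on any machine; on the router, IPTABLES=iptables applies them.

```shell
#!/bin/sh
# Added example, not from the original post: validate the VLAN port map and
# build a DMZ rule set that names the permitted services explicitly.
# IPTABLES=echo (default) prints the rules; IPTABLES=iptables applies them.

VLAN1_PORTS="0 5"      # WAN  (value from the post)
VLAN0_PORTS="2 3 4 5*" # LAN  (value from the post)
VLAN2_PORTS="1 5*"     # DMZ  (value from the post)
IPTABLES="${IPTABLES:-echo}"

# vlan_check: each physical port 0-4 must appear in exactly one VLAN.
# Port 5 is the CPU port and belongs to every VLAN, so it is not counted.
# Returns 0 if the map is consistent, 1 otherwise (problems go to stderr).
vlan_check() {
    rc=0
    for port in 0 1 2 3 4; do
        n=0
        for list in "$VLAN1_PORTS" "$VLAN0_PORTS" "$VLAN2_PORTS"; do
            for p in $list; do
                # strip a trailing '*' (default-VLAN marker) before comparing
                if [ "${p%\*}" = "$port" ]; then n=$((n + 1)); fi
            done
        done
        if [ "$n" -ne 1 ]; then
            echo "port $port is assigned $n times" >&2
            rc=1
        fi
    done
    return $rc
}

# dmz_rules: stateful FORWARD rules that only open the listed services.
# On the router DMZ/LAN/WAN come from the firewall script or nvram; the
# fallbacks (vlan2, br0, vlan1) and the port lists are assumptions.
dmz_rules() {
    DMZ="${DMZ:-vlan2}"
    LAN="${LAN:-br0}"
    WAN="${WAN:-vlan1}"
    DMZ_WAN_TCP="80 443"   # what DMZ hosts may reach on the internet (constructed)
    LAN_DMZ_TCP="22 80"    # what LAN clients may reach on DMZ hosts (constructed)

    # replies to already permitted connections, in every direction
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DMZ -> WAN: only the listed TCP services plus DNS
    for p in $DMZ_WAN_TCP; do
        $IPTABLES -A FORWARD -i "$DMZ" -o "$WAN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A FORWARD -i "$DMZ" -o "$WAN" -p udp --dport 53 -j ACCEPT
    # LAN -> DMZ: only the listed TCP services
    for p in $LAN_DMZ_TCP; do
        $IPTABLES -A FORWARD -i "$LAN" -o "$DMZ" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # a compromised DMZ host must not open connections into the LAN
    $IPTABLES -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
}

# stand-alone use: refuse to emit rules if the port map is inconsistent
vlan_check && dmz_rules
```

The DROP for DMZ-to-LAN is the rule that actually makes the DMZ a DMZ: with the blanket ACCEPTs from the post, a host compromised on port 1 can reach every LAN client on ports 2-4.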

The Break the Switch into separated ethernet ports / VLANs by Cyconet Blog, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Terms and conditions beyond the scope of this license may be available at blog.waja.info.
