Posted: Fri Feb 05, 2016 5:23 Post subject: Connect multiple network to a single NIC (VLAN?)
Hi everyone, I'm opening this topic because I would say I am kind of stuck with a certain problem on my hands. So here it is:
We have a computer with multiple network connections (4 of them) and we only have 3 cards. So to simplify networking and settings (because we have to plug and unplug each time we try to access a device and change IP parameters) I came up with the idea to use a router with DD-WRT (since I have known its capabilities and its features for a long time).
As of now the two networks are connected to LAN ports of our WRT54GL and one of the NICs into the WAN port (assigned to switch) of the latter.
Now my problem is that it connects the two LANs together, which is really not good. So I tried to set up VLAN rules and firewall (iptables) rules so that each LAN port can connect to the WAN port (it's a LAN now, but to differentiate it shall be easier) but still isolated from one another.
Just to add insult to injury, I also have to make sure that the LAN port will be accessible from the WLAN side (just as the computer on the WAN side).
Now as for DHCP or Internet connections, as you figured out, none of them are required and they are deactivated; the router is really there to act as a switch box but without merging the multiple LANs together, just passing them to Tower A (host) or WLAN Laptop B (host).
I've been breaking my teeth on this for quite some time now and I think it's time that I ask the community for help.
Many many thanks in advance and hopefully we will come up with some kind of solution!
Have a good night!
Edit (you will see in the diagram that I will need to connect the laptop via wire to LAN port 4 so it has to act as the WAN one) plus through the WLAN when not around our desk.
Pictures of my setup parameters will follow.
Edit 2: here are the two iptables setups I've tried without great success:
# -A appends, so these apply in the order written; with -I each line was
# inserted above the previous one, so the final catch-all DROP ended up first
# and shadowed every ACCEPT. They also only affect traffic the router routes
# between interfaces, not frames switched within one VLAN or bridge.
iptables -A FORWARD -i vlan1 -o vlan2 -j ACCEPT
iptables -A FORWARD -i vlan1 -o vlan3 -j ACCEPT
iptables -A FORWARD -i vlan1 -o vlan4 -j ACCEPT
iptables -A FORWARD -i vlan+ -o vlan1 -j ACCEPT
iptables -A FORWARD -i wl0 -o vlan+ -j ACCEPT
iptables -A FORWARD -i vlan+ -o wl0 -j ACCEPT
iptables -A FORWARD -i vlan+ -o vlan+ -j DROP
and then:
iptables -I FORWARD -i vlan2 -o vlan3 -j DROP
iptables -I FORWARD -i vlan2 -o vlan4 -j DROP
iptables -I FORWARD -i vlan3 -o vlan2 -j DROP
iptables -I FORWARD -i vlan3 -o vlan4 -j DROP
iptables -I FORWARD -i vlan4 -o vlan2 -j DROP
iptables -I FORWARD -i vlan4 -o vlan3 -j DROP
I told myself that if I were to cancel directly any connection between them my problem would be solved, but I can still ping between the networks.
Okay so to clarify, the two hosts' NICs are set with multiple IP addresses, so I'll go on only with the tower host since I use this one the most
(IP: 192.168.1.25, 10.0.5.254, 200.200.200.254 and they have 192.168.1.1 and 200.200.200.1 as gateways).
The point is, we want the computers to be able to connect to any of the three given networks, but one of my three networks is a controller link network, so I want to make sure at the switch level that packets can't go from LAN 1 to LAN 2, LAN 1 to LAN 3, LAN 2 to LAN 1, LAN 2 to LAN 3, LAN 3 to LAN 1, LAN 3 to LAN 2,
to make sure that unwanted packets are not going on the wrong network and causing some packet loss.
In principle, what I'm trying to achieve is a bit like AP isolation (a bit like) but at the wired level, so that whatever host I have can access any of the 3 networks but packets emitted from any network won't go through the router to any other network.
Many thanks
Edit: when I wrote this, I was at home; now, back at work, I drew a little diagram in 5 minutes of spare time to idealise a little bit what I mean. Black lines are bidirectional, while red is where I mean I don't want to have any or minimal traffic leak.
Edit 2: I will say again, the WAN port is now part of the switch box within the router (assign port to switch function).
I've just been reading Routing 101, 102, 103 and the more I read the more I came to realise that the fear of lost packets and packet annihilation is really over the top.
Then again I might need confirmation by (as Sir Griffin would say) Top Men, but since my three different networks are: 1 (router and switch based), 2 (smart switch and switch based), 3 (router and switch based). So! The router I added to my NIC basically stops ''wandering packets'' from the networks so ''noise'' won't go from LAN 1 to LAN 2 or 3 and vice versa?
Data is still able to roam example from lan 1 to lan 2 if required but broadcasted data should not . . . (in simpler words)
if in this I am right, then it is a start. I would still like to get them isolated from one another but it is a start
So to you my internet friends I shout Cheers!
Many thanks again!
P.S. It's not over yet; the whole point of this exercise is to transform a one-port NIC into a 4-port NIC with multiple networks but isolated from one another. As of now, I don't have packet problems but I want to make sure this doesn't happen in the future.
P.P.S. This is kinda required because of the architecture here (one mega network of computers and servers and VPN) (one network of PLCs) (one network of IPCs and PCs, which the company who sold them to us requires to be noise free).
So again, cheers! Much love from Quebec, Canada.
And I'm looking forward to some help; then I'd make a tutorial on my whole project.
Alrighty, so here is what it gives me after all the exchange of knowledge.
I made 3 bridges with their IP being the network IP (ending in 0). I tried to assign the VLAN to a bridge but I'm not able to; is it because I have a bad build... I don't know... only br0 shows up, and now the router keeps bugging me, asking me for the password 10000 times... so more on that later... BTW on the VLAN page, the only bridge I can assign is LAN (I don't know if this is supposed to be that way either).
Edit: I just saw I had build 13064... which I swapped for 14929 since I guess 13064 was one of the reasons It Was So Buggy God Damn It.
Edit 2: So to complete, I tried again in the assign-to-bridge thingy to assign my interfaces (vlan11, vlan12, vlan13) to the 3 bridges I made, but the only one that shows up is br0, so I'd like to know which step I am missing, or do I have to assign it by tftp because the interface doesn't allow me to?
Edit: I hope I'm not too harsh on you guys, but in the end I don't know if I'll make a PDF or just a Word document, but this DIY should be nice (since I have a lot of detailed info).
Joined: 13 Aug 2013 Posts: 6870 Location: Romerike, Norway
Posted: Sun Feb 07, 2016 11:01 Post subject:
1) You don't set static routes for subnets connected to the router, only for subnets behind remote routers.
2) It's unclear where you want your wifi interfaces: bridged to a VLAN or as a separate subnet?
3) For the VLANs you have two choices.
3a) Bridge it with a brX and with other interfaces like wifi. The IP address is set on the bridge. The interface is set to "Default" on the Networking page.
3b) Unbridge the VLAN on the Networking page and give it an IP address.
I'm not working until Monday night, but I can still answer, can't I? So WLAN has to be with the WAN port (which is assigned to switch) and LAN port number 4.
And when I showed the assign-to-brX picture... When I try to assign to a bridge it only lets me assign to bridge br0. Oddly, either I bridge none or br0... But if you look a bit lower, br0 has three interfaces (vlan0, eth1, vlan1), which are (nothing, WLAN, WAN port and LAN port #4).
And as for unbridging ---> assigning an IP to the bridge:
I need to set an IP within the network IP range? I.e. for the red network I can have any IP between (230-245) (they are free) and then assign it to the bridge for the red network?
And I just have to use one method or the other? So Monday night I'll try again, because where my assignments are I can choose from a wide list of interfaces (all active VLANs plus a couple of other interfaces), but on the bridge button I only have access to none or br0... Is there any way to change that, let's say by tftp?
On that good night!
So back at work, I just changed back a couple of settings, kept all parameters under port setup at defaults, and gave an IP address (that's free) to my interfaces, but here is my problem.
I do not know if it's because the networking page has some refreshing problem, but I cannot assign an interface to a bridge as shown in the next picture.
BTW I have DD-WRT v2.4-sp2 build 14929.
So this is why I'm asking if there's not a way to set the assignment via TFTP.
Here's a picture symbolising a bit what I really want to do physically, in case I'm a bit unclear.
Since English is not my mother tongue, I do not doubt it could happen! Thx again.
All oranges have to be on the same LAN (so that any of these connections can connect to the three networks) and on the right are the 3 networks connected to my router; since the beginning I have kept the same colour for my three networks.
Now all the networks (RED, GREEN, BLUE) cannot talk to each other, but they can all talk with orange, and orange can talk to whomever it wants.
Edit: I now master a little PuTTY, enough to be able to have this VLAN setup:
vlan12ports=2
vlan0ports=0 5*
vlan13ports=1
vlan11ports=3
vlan1ports=4 5
Still my problem is, even though I make bridges on the interface, I can't seem to assign the bridges to any VLAN, and I tried to look at how to create and assign a bridge over SSH but nothing is to be found yet (and I've looked all over DD-WRT and elsewhere on the net, even though what I need is DD-WRT nomenclature).
Here are a couple of developments: I read EIBGRAD's post like 10 times to make sure I understood what he meant and changed a few parameters in consequence, so joining my rally of 10,000 pictures here are 2 more, and since I wasn't sure if routes were both ways I made 6 routes; now I should only have to ipconfig up some laws.
Edit: I tried with this setup and I cannot connect to my red network, so since the night is going away, I reverted vlan11 to 13 back to assigned to LAN so it works while I'm gone, but I think my bridges don't work; if my setup of bridges rings a bell, feel free to share.
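The iptables attempt earlier in the thread and the bridge-assignment problem, modelled in Python as an added example (not code from the thread or from DD-WRT): the bridge layouts, the br+ rules and the ACCEPT default policy are assumptions.

```python
"""Model of the FORWARD chain and bridge layout discussed in this thread. Shows
(1) why the first rule set failed: `iptables -I` prepends, so the catch-all DROP
typed last lands on top and shadows every ACCEPT; (2) why no FORWARD rule can
isolate ports in one VLAN or bridge: frames are switched at layer 2 and never
enter the chain (assuming br_netfilter is not hooking bridged traffic)."""
import re

def build_chain(commands):
    """Apply 'iptables -I|-A FORWARD -i X -o Y -j VERDICT' lines in order."""
    chain = []
    for cmd in commands:
        m = re.match(r"iptables -([IA]) FORWARD -i (\S+) -o (\S+) -j (ACCEPT|DROP)$", cmd)
        if not m:
            raise ValueError("unsupported rule: " + cmd)
        rule = (m.group(2), m.group(3), m.group(4))
        chain.insert(0, rule) if m.group(1) == "I" else chain.append(rule)
    return chain

def verdict(chain, in_if, out_if, policy="ACCEPT"):
    """First match wins; a trailing '+' in a rule is a prefix wildcard. Unmatched
    traffic gets the chain policy (ACCEPT assumed, as on stock DD-WRT)."""
    hit = lambda pat, ifc: ifc.startswith(pat[:-1]) if pat.endswith("+") else ifc == pat
    for i, o, v in chain:
        if hit(i, in_if) and hit(o, out_if):
            return v
    return policy

def can_forward(bridges, chain, src_if, dst_if):
    """Members of one bridge always reach each other at layer 2; across bridges
    the FORWARD chain decides, on the bridge names the kernel routes between."""
    owner = {i: b for b, ifs in bridges.items() for i in ifs}
    src, dst = owner.get(src_if, src_if), owner.get(dst_if, dst_if)
    return src == dst or verdict(chain, src, dst) == "ACCEPT"

def leaks(bridges, chain, nets):
    """Every ordered pair of networks that can still reach each other."""
    return sorted((a, b) for a in nets for b in nets
                  if a != b and can_forward(bridges, chain, a, b))

# Three rules of the thread's first attempt, verbatim, and the same intent with -A.
ATTEMPT_1 = ["iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT",
             "iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT",
             "iptables -I FORWARD -i vlan+ -o vlan+ -j DROP"]
FIXED = [c.replace(" -I ", " -A ") for c in ATTEMPT_1]
# Assumed layouts: everything in br0 (all the GUI offered) versus one bridge per
# network as in reply 3a, with the isolation rules written against the bridges.
ALL_IN_BR0 = {"br0": ["vlan1", "eth1", "vlan11", "vlan12", "vlan13"]}
SPLIT = {"br0": ["vlan1", "eth1"], "br1": ["vlan11"], "br2": ["vlan12"], "br3": ["vlan13"]}
BRIDGE_RULES = ["iptables -A FORWARD -i br+ -o br0 -j ACCEPT", "iptables -A FORWARD -i br0 -o br+ -j ACCEPT",
                "iptables -A FORWARD -i br+ -o br+ -j DROP"]
```

With every VLAN in br0, `leaks(ALL_IN_BR0, ...)` reports all six pairs regardless of rules; with one bridge per network plus `BRIDGE_RULES` it reports none while orange (br0) still reaches each.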