www.rodneybeede.com "I would love to change the world, but they won't give me the source code" - unknown

Multiple VLAN NOT sharing Internet with DD-WRT - Last Modified 2011-07-15 16:29 UTC - Created 2011-07-15 16:29 UTC

I have a WRT54G (ver 2.0) with DD-WRT installed (VPN edition). Below are the steps to set up multiple VLANs where some of the VLANs do NOT share Internet NAT access:
  1. Install the VPN version of DD-WRT for your router. This method uses DD-WRT version v24 preSP2.
  2. Setup tab
  3. VLAN sub-tab
  4. Move any ports out of the default VLAN0 to whichever VLANs you want
  5. Make sure each VLAN is set for Unbridged mode (not LAN)
  6. Networking sub-tab
  7. Change the VLANs you want separated from "Default" to "Unbridged"
  8. Give each VLAN an IP and netmask
  9. Leave "Masquerade / NAT" set to "Disabled"
    • (This setting does not actually block NAT Internet access for the VLAN; it is only for the special case where loopback support is needed on the VLAN.)
  10. Optionally add multiple DHCP servers on this screen for each VLAN
  11. Administration tab
  12. Commands sub-tab
  13. Enter the following into the "Commands" text box:
    • iptables -I FORWARD -i br0 -o vlanX -j DROP
      • Stops VLAN-to-VLAN communication (from the default LAN bridge br0 to vlanX)
      • Change vlanX to whatever VLAN number you are isolating
      • Repeat for each VLAN
    • iptables -I FORWARD -i vlanX -o vlanW -j DROP
      • Stops VLAN-to-WAN (NAT/Internet) communication
      • Change vlanX to whatever VLAN number you are isolating
      • Change vlanW to whatever VLAN number the WAN is on
      • Repeat for each VLAN
  14. Click on Save Firewall
  15. Management sub-tab
  16. Reboot Router
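The "repeat for each VLAN" part of step 13 is easy to get wrong by hand, so here is an added POSIX sh helper (example code, not from the original post) that generates the whole block of iptables rules for any number of isolated VLANs. The interface names passed to it are assumptions (on a WRT54G the WAN is usually vlan1, but confirm it on the Setup > VLAN sub-tab); it also goes one step beyond the post by blocking each isolated VLAN from every other isolated VLAN, since the br0 rule only covers the default bridged LAN.

```shell
#!/bin/sh
# Added example (not from the original post): build the step-13 firewall
# block for a set of isolated VLANs. Interface names are assumptions; check
# the WAN VLAN on the Setup > VLAN sub-tab before pasting into "Commands".

# Print one DROP rule for the (in, out) interface pair. "-I" inserts at the
# head of FORWARD, so the DROP runs before DD-WRT's default ACCEPT rules.
drop_rule() {
    echo "iptables -I FORWARD -i $1 -o $2 -j DROP"
}

# gen_isolation_rules <wan_if> <vlan_if>...
# Emits the two rules from the post for each isolated VLAN (default LAN
# bridge br0 -> VLAN, and VLAN -> WAN), plus a VLAN -> other-isolated-VLAN
# rule, which the post does not include but follows the same pattern.
gen_isolation_rules() {
    wan="$1"; shift
    for v in "$@"; do
        drop_rule br0 "$v"     # stop default LAN -> this VLAN
        drop_rule "$v" "$wan"  # stop this VLAN -> WAN (no NAT Internet)
        for w in "$@"; do
            [ "$v" = "$w" ] || drop_rule "$v" "$w"  # stop VLAN -> other VLAN
        done
    done
}

# count_isolation_rules <wan_if> <vlan_if>... : number of rules emitted.
# After the reboot, compare against the top of
#   iptables -L FORWARD -n -v --line-numbers
# where the DROP lines should appear first, one per generated rule.
count_isolation_rules() {
    gen_isolation_rules "$@" | wc -l | tr -d ' '
}

# Run directly to get the text to paste into the "Commands" box, e.g.
#   sh vlan_rules.sh vlan1 vlan2 vlan3
if [ $# -gt 0 ]; then
    gen_isolation_rules "$@"
fi
```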

Misc Notes