I have a WRT54G (ver 2.0) with DD-WRT installed (VPN edition). Below are the steps to set up multiple VLANs where some of the VLANs do NOT share Internet NAT access:
- Install the VPN version of DD-WRT for your router. This method uses DD-WRT version v24 preSP2
- Setup tab
- VLAN sub-tab
- Move any ports out of the default VLAN0 to whichever VLANs you want
- Make sure each VLAN is set for Unbridged mode (not LAN)
- Networking sub-tab
- Change the VLANs you want separated from "Default" to "Unbridged"
- Give each VLAN an IP and netmask
- Leave "Masquerade / NAT" set to "Disabled"
- (this setting does not block NAT Internet access for the VLAN; it is only needed in the special case where NAT loopback support is wanted on that VLAN. The actual blocking is done with the iptables rules below)
- Optionally add multiple DHCP servers on this screen for each VLAN
- Administration tab
- Commands sub-tab
- Enter the following into the "Commands" text box:
iptables -I FORWARD -i br0 -o vlanX -j DROP
- Stops communication between the default LAN bridge (br0) and the VLAN
- Change vlanX to whatever vlan number
- Repeat for each vlan
- Note: this rule only matches packets leaving br0 towards vlanX. Because -I puts it at the top of FORWARD, ahead of the ESTABLISHED/RELATED accept, replies to connections started from vlanX are dropped too, but a mirrored rule with -i vlanX -o br0 is needed to stop vlanX from sending anything into the LAN at all, and two unbridged VLANs can still reach each other unless you also add rules between them
iptables -I FORWARD -i vlanX -o vlanW -j DROP
- Stops communication from the VLAN to the WAN (NAT/Internet)
- Change vlanX to whatever vlan number
- Change vlanW to whatever vlan number the WAN is on (vlan1 on a stock WRT54G; if the WAN uses PPPoE the outgoing interface is ppp0 instead)
- Repeat for each vlan
- Click on Save Firewall
- Management sub-tab
- Reboot Router
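A complete script for the "Commands" text box that generates the rules for several isolated VLANs at once, added here as an example and not part of the original post. It assumes the WRT54G defaults: br0 is the default LAN bridge, vlan1 is the WAN port (set WAN_IF=ppp0 for PPPoE), and vlan2 and vlan3 are the unbridged VLANs to cut off; change ISOLATED and WAN_IF to match your router. It goes beyond the two rules above by also blocking the VLANs from each other and by adding the mirrored vlanX-to-br0 rule.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: br0 = default LAN
# bridge, vlan1 = WAN on a WRT54G (ppp0 when using PPPoE), vlan2/vlan3 = VLANs
# that must not reach the LAN, each other, or the Internet.
WAN_IF="${WAN_IF:-vlan1}"
ISOLATED="${ISOLATED:-vlan2 vlan3}"
# Set APPLY=1 (e.g. as the first line in the DD-WRT Commands box) to run the
# rules; otherwise the script only prints them so they can be reviewed first.
APPLY="${APPLY:-0}"

# Print one iptables command per line for the given WAN interface and VLANs.
# -I inserts at the top of FORWARD, ahead of DD-WRT's own accept rules, so
# these drops win regardless of what the firmware adds later in the chain.
isolation_rules() {
    wan="$1"; shift
    for v in "$@"; do
        # VLAN -> Internet: nothing from vlanX may be forwarded out of the WAN
        # interface, so DD-WRT's WAN SNAT rule never sees its packets.
        echo "iptables -I FORWARD -i $v -o $wan -j DROP"
        # VLAN <-> default LAN, both directions, so neither side can start
        # a connection to the other (the page's rule covers br0 -> vlanX only).
        echo "iptables -I FORWARD -i br0 -o $v -j DROP"
        echo "iptables -I FORWARD -i $v -o br0 -j DROP"
        # VLAN <-> other isolated VLANs: unbridged VLANs are still routed by
        # the router, so block each ordered pair as well.
        for w in "$@"; do
            if [ "$w" != "$v" ]; then
                echo "iptables -I FORWARD -i $v -o $w -j DROP"
            fi
        done
    done
}

# Number of rules produced: 3 per VLAN plus n*(n-1) cross-VLAN rules.
rule_count() {
    isolation_rules "$@" | wc -l | tr -d ' '
}

# shellcheck disable=SC2086
if [ "$APPLY" = "1" ]; then
    isolation_rules "$WAN_IF" $ISOLATED | sh
else
    isolation_rules "$WAN_IF" $ISOLATED
fi
```

Run it once without APPLY to read the rule list, then paste it with `APPLY=1` as the first line into Administration > Commands and click Save Firewall. After a reboot, `iptables -L FORWARD -v -n` should show the DROP rules at the top of the chain with their packet counters increasing when an isolated host tries to reach the LAN or the Internet.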
Misc Notes
- DD-WRT's firewall adds its WAN SNAT (MASQUERADE to the WAN public IP) rule for any source network, so every VLAN that can be forwarded to the WAN interface gets NATed to the Internet by default; that is why the extra iptables rules in the FORWARD chain are needed to keep a VLAN off the Internet