Hi all,
Today I am turning a simple Linksys router (running Tomato firmware) into a device proud to be called a Cisco: I've created a new VLAN and disabled NAT for that interface.
Why? First, to separate the WLAN and LAN interfaces of the router; second, to use VLAN 2 as a DMZ port with internet-routable IPs.
So let's start.
Upgrading to Tomato is simple and free; the latest version can be found HERE
Instructions on the process can be found in the FAQ section.
First we enable SSH / Telnet access to the Linksys. This is done by logging in to the device via the GUI and
navigating to "Administration" then to "Admin Access".
I enabled SSH; I suggest changing the port to something less obvious if it is reachable remotely.
Note that SSH access is via the user "root", with the same password as the GUI.
From the CLI, we reconfigure the ports used by VLAN 1 (the vlan0ports variable). The switch port numbers map as follows:
0 is the WLAN
1 is port 3
2 is port 2
3 is port 1
4 is port 0
5 is the router itself, so it is important to add it to all VLANs
#nvram set vlan0ports="0 5*"
Now add the new VLAN:
#nvram set vlan2hwname=et0
#nvram set vlan2ports="3 2 1 5*"
#nvram commit
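Before committing the vlanNports values it is worth checking the two things the port map above relies on: port 5 (the router itself) is present in every VLAN, and no switch port ends up in two VLANs at once. The following is an added example, not part of the original post; the port strings are the ones shown above and are passed in as name=ports pairs, so it runs without nvram (on the router they would come from `nvram get vlan0ports` and `nvram get vlan2ports`).

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check vlanNports
# values before "nvram commit". Port strings like "3 2 1 5*" contain '*',
# so globbing is switched off to keep word splitting literal.
set -f

# has_port PORTS N: returns 0 if switch port N is in the space-separated
# list PORTS. A trailing '*' (default VLAN) or 't' (tagged) is ignored.
has_port() {
    for p in $1; do
        [ "${p%[*t]}" = "$2" ] && return 0
    done
    return 1
}

# check_vlans "vlan0=0 5*" "vlan2=3 2 1 5*" ...
# Prints one line per problem found and returns 1 if there was any:
#   - a VLAN without the router's own port 5
#   - a physical port assigned to more than one VLAN
check_vlans() {
    rc=0
    seen=""
    for spec in "$@"; do
        name=${spec%%=*}
        ports=${spec#*=}
        has_port "$ports" 5 || { echo "$name: missing router port 5"; rc=1; }
        for p in $ports; do
            p=${p%[*t]}
            [ "$p" = 5 ] && continue
            case " $seen " in
                *" $p "*) echo "$name: port $p is already in another VLAN"; rc=1 ;;
            esac
            seen="$seen $p"
        done
    done
    return $rc
}

# The map from the post: WLAN stays on vlan0, three LAN ports go to vlan2.
if check_vlans "vlan0=0 5*" "vlan2=3 2 1 5*"; then
    echo "VLAN port map OK"
fi
# A broken map (constructed): port 1 in both VLANs, vlan2 without port 5.
check_vlans "vlan0=0 1 5*" "vlan2=3 2 1" || echo "VLAN port map rejected"
```

Run it on the workstation with the strings you intend to set, and only then paste the nvram commands into the router; a VLAN committed without port 5 cannot be reached by the router itself, which is awkward to recover over SSH.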
This will only take effect after a reboot, but before we reboot we'll make a few more changes,
adding an IP to the new VLAN:
from the GUI, navigate to "Administration" then "Scripts",
and in the "Init" script add the following (X.X.X.X is the IP we wish to add):
sleep 10; ifconfig vlan2 X.X.X.X netmask 255.255.255.0 up;
This adds the IP and brings the interface up on each startup.
Now the firewall rules.
I had a routable IP pool and a firewall on the servers, so I wanted to allow all access and disable NAT.
To accomplish this we add the following to the "Firewall" section in "Scripts" (or run it from the CLI):
#iptables -I INPUT -i vlan2 -j ACCEPT
If we want traffic between the VLANs (if not, just change ACCEPT to DROP):
#iptables -I FORWARD -i vlan2 -o br0 -j ACCEPT
To disable NAT for this network, add (x.x.x.x is the network address):
#iptables -I FORWARD 1 -d x.x.x.x/24 -j ACCEPT
#iptables -I FORWARD 1 -s x.x.x.x/24 -j ACCEPT
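The rules above as one parameterised "Firewall" script, added here as an example and not taken from the original post. With IPT left at its default of "echo iptables" it only prints the rules, so the result can be reviewed offline; on the router set IPT=iptables before calling it. The prefix 203.0.113.0/24 is a constructed documentation subnet standing in for x.x.x.x/24. One rule goes beyond the post: Tomato's masquerading lives in the nat table's POSTROUTING chain, so the script also exempts the routable subnet there; the FORWARD rules on their own permit forwarding but do not stop the WAN-side MASQUERADE.

```shell
#!/bin/sh
# Added example (not from the original post): DMZ VLAN firewall rules as a
# function. IPT defaults to a dry-run that prints the commands.
IPT="${IPT:-echo iptables}"

# dmz_rules IFACE SUBNET LAN_BRIDGE INTER_VLAN
#   IFACE      the DMZ VLAN interface (vlan2 in the post)
#   SUBNET     the routable prefix on that VLAN, e.g. 203.0.113.0/24
#   LAN_BRIDGE the LAN bridge (br0)
#   INTER_VLAN ACCEPT to allow DMZ -> LAN traffic, DROP to block it
dmz_rules() {
    iface=$1; subnet=$2; lan=$3; inter=$4
    case $inter in
        ACCEPT|DROP) ;;
        *) echo "INTER_VLAN must be ACCEPT or DROP, got '$inter'" >&2; return 1 ;;
    esac

    # Let the router itself accept traffic arriving on the DMZ VLAN.
    $IPT -I INPUT -i "$iface" -j ACCEPT
    # DMZ -> LAN bridge: allowed or blocked according to INTER_VLAN.
    $IPT -I FORWARD -i "$iface" -o "$lan" -j "$inter"
    # Forward the routable subnet in both directions ahead of Tomato's
    # own FORWARD rules (the two rules from the post).
    $IPT -I FORWARD 1 -d "$subnet" -j ACCEPT
    $IPT -I FORWARD 1 -s "$subnet" -j ACCEPT
    # Addition not in the post: Tomato masquerades outbound traffic in
    # nat/POSTROUTING, so the routable subnet is exempted there as well.
    # ACCEPT in the nat table ends chain traversal before MASQUERADE.
    $IPT -t nat -I POSTROUTING 1 -s "$subnet" -j ACCEPT
}

# Dry run with the post's choices: inter-VLAN traffic allowed.
dmz_rules vlan2 203.0.113.0/24 br0 ACCEPT
```

Keeping INTER_VLAN as an explicit argument makes the DMZ-to-LAN decision visible in the script rather than buried in a jump target; DROP is the safer default when the DMZ hosts are reachable from the internet and the LAN should not trust them.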
And if DHCP is needed:
from the GUI, navigate to "Advanced" then "DHCP / DNS",
and under "Custom configuration" add the following:
interface=vlan2
dhcp-range=net:vlan2,x.x.x.y,x.x.x.z,255.255.255.0,1440m
dhcp-option=vlan2,3,x.x.x.x
dhcp-option=vlan2,6,8.8.8.8
(x.x.x.x = gateway IP, x.x.x.y = start IP, x.x.x.z = end IP)
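The "Custom configuration" box accepts any text, and a lease range outside the VLAN's /24, reversed, or overlapping the gateway only shows up later as clients failing to get addresses. The following added example (not from the original post) builds the four dnsmasq lines above from the gateway, range and DNS server after checking those conditions; the netmask is fixed at 255.255.255.0 as in the post, and the 203.0.113.x addresses are constructed placeholders for x.x.x.x, x.x.x.y and x.x.x.z.

```shell
#!/bin/sh
# Added example (not from the original post): generate and validate the
# dnsmasq fragment for the DMZ VLAN before pasting it into the GUI.

# ip2int A.B.C.D: print the address as one integer for range comparisons.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# valid_ip A.B.C.D: four numeric octets, each 0-255.
valid_ip() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# dmz_dhcp_conf IFACE GATEWAY START END DNS
# Prints the dnsmasq fragment, or an error on stderr and a non-zero status.
dmz_dhcp_conf() {
    iface=$1; gw=$2; start=$3; end=$4; dns=$5
    for ip in "$gw" "$start" "$end" "$dns"; do
        valid_ip "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    # With a /24 netmask the range must share the gateway's first three octets.
    net=${gw%.*}
    [ "${start%.*}" = "$net" ] && [ "${end%.*}" = "$net" ] || {
        echo "range $start-$end is not in $net.0/24" >&2; return 1; }
    [ "$(ip2int "$start")" -le "$(ip2int "$end")" ] || {
        echo "range start $start is after end $end" >&2; return 1; }
    # The gateway address must not be handed out as a lease.
    gwi=$(ip2int "$gw")
    if [ "$gwi" -ge "$(ip2int "$start")" ] && [ "$gwi" -le "$(ip2int "$end")" ]; then
        echo "gateway $gw lies inside the lease range" >&2; return 1
    fi
    # net:IFACE matches the tag dnsmasq sets from the receiving interface,
    # so only requests arriving on the DMZ VLAN get this range and options.
    cat <<EOF
interface=$iface
dhcp-range=net:$iface,$start,$end,255.255.255.0,1440m
dhcp-option=$iface,3,$gw
dhcp-option=$iface,6,$dns
EOF
}

# Constructed values: gateway .1, leases .10-.100, Google DNS as in the post.
dmz_dhcp_conf vlan2 203.0.113.1 203.0.113.10 203.0.113.100 8.8.8.8
```

The output is what goes into the "Custom configuration" box; running the function with a deliberately wrong range first is a quick way to confirm the checks fire before anything touches the router.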
Now just reboot the device and we're all done.
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR