Use LAN port 4 as private network

sinshiva

Very Senior Member
/jffs/scripts/nat-start

Code:
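#!/bin/sh
#
# lan ports 1-3 assigned to vlan1
robocfg vlan 1 ports "1 2 3 8t"
# port 4 to vlan4
robocfg vlan 4 ports "4 8t"
# create the vlan4 interface on top of eth0
vconfig add eth0 4
# gateway address of the private network
ifconfig vlan4 192.168.85.1 netmask 255.255.255.0 up
# -I inserts at the top of the chain, so the rules below are matched in reverse order
# allow new connections coming from vlan4
iptables -I FORWARD -i vlan4 -m state --state NEW -j ACCEPT
# drop new connections between vlan4 and the main LAN (br0), in both directions
iptables -I FORWARD -i vlan4 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP
# let vlan4 clients reach the router itself
iptables -I INPUT -i vlan4 -j ACCEPT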

/jffs/configs/dnsmasq.conf.add

Code:
interface=vlan4
dhcp-range=vlan4,192.168.85.100,192.168.85.200,255.255.255.0,86400s
dhcp-option=vlan4,3,192.168.85.1
dhcp-option=vlan4,6,192.168.85.1,0.0.0.0

chmod a+rx /jffs/scripts/*
 

sinshiva

Very Senior Member
bumpage :)

finally fixed it. it was so simple, too. just needed to add the INPUT chain rule you see above. the above all works now, perfectly. private guest vlan on port 4.

f*ck yea.
 

sinshiva

Very Senior Member
at least 50 views since i fixed this, any brave souls out there? lol
 

Symbiot

Regular Contributor
This is for setting up standard Vlans?

I'm just now looking into setting up a vlan for my synology so I can share folders from my synology with friends via vpn without them having access to the rest of my network..

any grand thoughts on how to do that?
 

sinshiva

Very Senior Member
maybe something like;

Code:
iptables -I FORWARD -i vlan4 -o br0 -d ! synIP -j DROP
iptables -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP

replace the above lines with the matching ones in the example, replace synIP with the ip of the nas
 

Symbiot

Regular Contributor
maybe something like;

Code:
iptables -I FORWARD -i vlan4 -o br0 -d ! synIP -j DROP
iptables -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP

replace the above lines with the matching ones in the example, replace synIP with the ip of the nas

Ok, I should've mentioned that I'm dumb.. Where do I do this? I mean is it some conf file?
 

Symbiot

Regular Contributor
and apparently blind as well..

so after actually reading t h e w o r d s that you wrote.. I logged in via ssh and went to jffs folder..
which is empty..

shall I assume that I need to create the folder /scripts

and create the file nat-start

is this nat-start.sh or just nat-start ?

and how does the ac66u know that it should be using the script?
 

sinshiva

Very Senior Member
sorry, you have to use chmod a+rx /jffs/scripts/* after you create it; and no extension, just nat-start
 

Symbiot

Regular Contributor
/jffs/scripts/nat-start

Code:
#!/bin/sh
#
# lan ports 1-3 assigned to vlan1
robocfg vlan 1 ports "1 2 3 8t"
# port 4 to vlan4
robocfg vlan 4 ports "4 8t"
#
vconfig add eth0 4
#
ifconfig vlan4 192.168.85.1 netmask 255.255.255.0 up
#
iptables -I FORWARD -i vlan4 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan4 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP
iptables -I INPUT -i vlan4 -j ACCEPT

/jffs/configs/dnsmasq.conf.add

Code:
interface=vlan4
dhcp-range=vlan4,192.168.85.100,192.168.85.200,255.255.255.0,86400s
dhcp-option=vlan4,3,192.168.85.1
dhcp-option=vlan4,6,192.168.85.1,0.0.0.0

chmod a+rx /jffs/scripts/*

What's the difference between what you're doing here and what I asked about ?
 

L&LD

Part of the Furniture
I would love to do this, but don't know where to start.

So, with handholding baby steps...

How would the above be actually implemented on an RMerlin firmware equipped router?

Thanks in advance.
 

sinshiva

Very Senior Member
What's the difference between what you're doing here and what I asked about ?

this sets LAN port 4 to act as a separate gateway, on a separate vlan.

I would love to do this, but don't know where to start.

So, with handholding baby steps...

How would the above be actually implemented on an RMerlin firmware equipped router?

Thanks in advance.

well, for starters, i'm using 85.1 in the example as the separate network. the router needs to have jffs enabled; formatted the first time you enable it. then the nat-start script is added to /jffs/scripts/ and the dnsmasq.conf.add is added to /jffs/configs/

after that's done, use chmod a+rx /jffs/scripts/* to make the script executable and simply reboot the router. it will be preconfigured to be a new gateway and NAT'd network, with dns/dhcp on the separate vlan on the 4th LAN port, with a network of 192.168.85.0. with this configuration, the router webui is accessible via 192.168.85.1. if this bothers you, you could probably do something like drop requests to port 80 on the guest gateway IP via the INPUT chain in iptables
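
The web UI restriction suggested in the post above, as an added example that is not part of the original post: instead of the blanket `iptables -I INPUT -i vlan4 -j ACCEPT`, guest clients are allowed only DHCP and DNS on the router and everything else addressed to the router is dropped. This goes beyond the post's port-80 suggestion by denying by default; the `IPT` dry-run variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): limit what the guest VLAN may reach
# on the router itself, replacing the blanket INPUT ACCEPT for vlan4.
# Assumption: guest clients need only DHCP and DNS from the router.

# Dry run by default: commands are printed, not executed.
# On the router, run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Issue the INPUT rules for one guest interface.
# Every rule uses -I (insert at top), so the LAST command issued is matched
# FIRST. The catch-all DROP is issued first and therefore ends up at the bottom.
guest_input_rules() {
    ifc="$1"
    $IPT -I INPUT -i "$ifc" -j DROP                       # everything else
    $IPT -I INPUT -i "$ifc" -p tcp --dport 53 -j ACCEPT   # DNS over TCP
    $IPT -I INPUT -i "$ifc" -p udp --dport 53 -j ACCEPT   # DNS
    $IPT -I INPUT -i "$ifc" -p udp --dport 67 -j ACCEPT   # DHCP requests
}

# Print the rules in the order the kernel will evaluate them, which is the
# reverse of the order they were issued in (each -I pushes earlier rules down).
evaluation_order() {
    ( IPT="echo iptables"; guest_input_rules "$1" ) |
        awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }'
}

guest_input_rules vlan4
```

Because the rules match on the incoming interface rather than on a destination address, they apply to every address the router owns when it is reached from vlan4, not only 192.168.85.1.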
 

JRusso

Occasional Visitor
Would you be able to tag an interface (for example guest network wl0.1) to a separate VLAN?

Thanks.
 

sinshiva

Very Senior Member
Would you be able to tag an interface (for example guest network wl0.1) to a separate VLAN?

Thanks.

i intend to play with it more after i get another router, sorry
 

Symbiot

Regular Contributor
maybe something like;

Code:
iptables -I FORWARD -i vlan4 -o br0 -d ! synIP -j DROP
iptables -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP

replace the above lines with the matching ones in the example, replace synIP with the ip of the nas

So.. if I do this.. would I still have access to syno webIF? How are the vlans separated by doing this?

I'm considering your original guide and using a specific lan port to do this.. but still considering which option is the best..
 

bgsmith

Occasional Visitor
private subnet and access point

Thank you for sharing information on this thread. I am looking at using this information to create a private network for a tenant to use. If I add a wireless access point on this private network would it be possible to connect to the access point from the primary network? I would like to update and manage the access point configuration without having to physically connect to the same subnet.

Thanks

Brad
 

Iceberg

Occasional Visitor
I'm trying to use the scripts in this thread to use LAN port 4 as private network with a wi-fi powerline, it's a TP-Link 4220 kit.

I copy and pasted the scripts, then put them in the correct jffs folders, made them executable but I cannot have it working properly.

I tried to execute manually in WinSCP nat-start but I get error 126.

My "best" result at the moment was to have clients unable to connect to the powerline and even powerline utilities were no more able to reach the powerline.

I'm for sure missing some steps. :confused:

Which parts of the scripts need to be edited?

Do I also need to modify something on the RT-N66U?

I know that maybe these are stupid questions but a practical example could help me really a lot and I think that could be useful also for others that have little knowledge of scripts.

Thank you in advance.
 

cdikland

Regular Contributor
I'm for sure missing some steps. :confused:

Which parts of the scripts need to be edited?

The scripts worked the very first time I tried them. If I were a betting man I'd bet the line giving you grief is "vconfig add eth0 4". Under the WAN tab, what's your WAN Connection Type?
 
