Use LAN port 4 as private network

sinshiva

Very Senior Member
/jffs/scripts/nat-start

Code:
#!/bin/sh
#
# lan ports 1-3 assigned to vlan1
robocfg vlan 1 ports "1 2 3 8t"
# port 4 to vlan4
robocfg vlan 4 ports "4 8t"
#
vconfig add eth0 4
#
ifconfig vlan4 192.168.85.1 netmask 255.255.255.0 up
#
iptables -I FORWARD -i vlan4 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan4 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP
iptables -I INPUT -i vlan4 -j ACCEPT

/jffs/configs/dnsmasq.conf.add

Code:
interface=vlan4
dhcp-range=vlan4,192.168.85.100,192.168.85.200,255.255.255.0,86400s
dhcp-option=vlan4,3,192.168.85.1
dhcp-option=vlan4,6,192.168.85.1,0.0.0.0

chmod a+rx /jffs/scripts/*
 
bumpage :)

finally fixed it. it was so simple, too. just needed to add the INPUT chain rule you see above. the above all works now, perfectly. private guest vlan on port 4.

f*ck yea.
 
at least 50 views since i fixed this, any brave souls out there? lol
 
This is for setting up standard Vlans?

I'm just now looking into setting up a vlan for my synology so I can share folders from my synology with friends via vpn without them having access to the rest of my network..

any grand thoughts on how to do that?
 
maybe something like;

Code:
iptables -I FORWARD -i vlan4 -o br0 -d ! synIP -j DROP
iptables -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP

replace the above lines with the matching ones in the example, replace synIP with the ip of the nas
 
Ok, i should've mentioned that I'm dumb.. Where do I do this? I mean is it some conf file?
 
and apparently blind as well..

so after actually reading t h e w o r d s that you wrote.. I logged in via ssh and went to jffs folder..
which is empty..

shall I assume that I need to create the folder /scripts

and create the file nat-start

is this nat-start.sh or just nat-start ?

and how does the ac66u know that it should be using the script?
 
sorry, you have to use chmod a+rx /jffs/scripts/* after you create it; and no extension, just nat-start
 
What's the difference between what you're doing here and what I asked about ?
 
I would love to do this, but don't know where to start.

So, with handholding baby steps...

How would the above be actually implemented on an RMerlin firmware equipped router?

Thanks in advance.
 
What's the difference between what you're doing here and what I asked about ?

this sets LAN port 4 to act as a separate gateway, on a separate vlan.

I would love to do this, but don't know where to start.

So, with handholding baby steps...

How would the above be actually implemented on an RMerlin firmware equipped router?

Thanks in advance.

well, for starters, i'm using 85.1 in the example as the separate network. the router needs to have jffs enabled; formatted the first time you enable it. then the nat-start script is added to /jffs/scripts/ and the dnsmasq.conf.add is added to /jffs/configs/

after that's done, use chmod a+rx /jffs/scripts/* to make the script executable and simply reboot the router. it will be preconfigured to be a new gateway and NAT'd network, with dns/dhcp on the separate vlan on the 4th LAN port, with a network of 192.168.85.0. with this configuration, the router webui is accessible via 192.168.85.1. if this bothers you, you could probably do something like drop requests to port 80 on the guest gateway IP via the INPUT chain in iptables
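
The INPUT-chain restriction suggested above, worked out as an added example that is not part of the original posts. It goes a step further than blocking port 80: guests on vlan4 can reach only DHCP and DNS on the router, and everything else aimed at the router itself is dropped. GUEST_IN is a hypothetical chain name, and the IPT override exists only so the rule list can be dry-run without touching the firewall.

```sh
#!/bin/sh
# Added example (not from the thread): limit what vlan4 guests can reach on
# the router itself. Use it instead of: iptables -I INPUT -i vlan4 -j ACCEPT
# GUEST_IN is a hypothetical chain name; vlan4 is the interface from the thread.

IPT="${IPT:-iptables}"          # overridable so the rules can be dry-run
GUEST_IF="${GUEST_IF:-vlan4}"
CHAIN="GUEST_IN"

guest_input_rules() {
    # nat-start can run more than once, so start from an empty chain
    # and remove any earlier jump before adding a new one.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    $IPT -D INPUT -i "$GUEST_IF" -j "$CHAIN" 2>/dev/null || true

    # Replies to connections the router itself opened toward a guest.
    $IPT -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP requests to dnsmasq.
    $IPT -A "$CHAIN" -p udp --dport 67 -j ACCEPT
    # DNS to dnsmasq (dhcp-option 6 hands out 192.168.85.1 as resolver).
    $IPT -A "$CHAIN" -p udp --dport 53 -j ACCEPT
    $IPT -A "$CHAIN" -p tcp --dport 53 -j ACCEPT
    # Everything else aimed at the router (web UI, SSH, ...) is dropped.
    $IPT -A "$CHAIN" -j DROP

    # The jump goes at the head of INPUT, as the thread's -I rule did.
    $IPT -I INPUT -i "$GUEST_IF" -j "$CHAIN"
}

# Run "sh this-file apply" as root, or call guest_input_rules from nat-start.
if [ "${1:-}" = "apply" ]; then
    guest_input_rules
fi
```

Because the rules are appended to their own chain, their order is the order written here, unlike the FORWARD rules in the thread, where each -I puts the newest rule first.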
 
Would you be able to tag an interface (for example guest network wl0.1) to a separate VLAN?

Thanks.
 
i intend to play with it more after i get another router, sorry
 
maybe something like;

Code:
iptables -I FORWARD -i vlan4 -o br0 -d ! synIP -j DROP
iptables -I FORWARD -i br0 -o vlan4 -m state --state NEW -j DROP

replace the above lines with the matching ones in the example, replace synIP with the ip of the nas

So.. if I do this.. would I still have access to syno webIF ? how are the vlans separated by doing this?

I'm considering your original guide and using a specific lan port to do this.. but still considering which option is the best..
 
private subnet and access point

Thank you for sharing information on this thread. I am looking at using this information to create a private network for a tenant to use. If I add a wireless access point on this private network would it be possible to connect to the access point from the primary network? I would like to update and manage the access point configuration without having to physically connect to the same subnet.

Thanks

Brad
 
I'm trying to use the scripts in this thread to use LAN port 4 as private network with a wi-fi powerline, it's a TP-Link 4220 kit.

I copied and pasted the scripts, then put them in the correct jffs folders, made them executable but I cannot get it working properly.

I tried to execute manually in WinSCP nat-start but I get error 126.

My "best" result at the moment was to have clients unable to connect to the powerline and even powerline utilities were no longer able to reach the powerline.

I'm for sure missing some steps. :confused:

Which parts of the scripts need to be edited?

Do I also need to modify something on the RT-N66U?

I know that maybe these are stupid questions but a practical example could help me really a lot and I think that could be useful also for others that have little knowledge of scripts.

Thank you in advance.
 
The scripts worked the very first time I tried them. If I were a betting man I'd bet the line giving you grief is "vconfig add eth0 4". Under the WAN tab, what's your WAN Connection Type?
 
