Sunday, December 12, 2010

How to Isolate a port in Linksys WRT54G/GL/GS

Introduction

Linksys routers can be enhanced with third-party firmwares that unlock a never-ending list of interesting features, so what are you waiting for? Go and upgrade your Linksys box.
There is plenty of documentation on how to do that. This brief tutorial is based on the dd-wrt firmware, but I am sure you can achieve similar results with others as well.
What I will explain next is how to isolate one port of the Linksys device, so that a computer plugged into that port can reach the Internet but cannot see the machines on the rest of the ports (or on the wifi).

Useful commands

nvram show #show all config
nvram get <variable> #gets variable content
nvram set <variable>=<value> #sets variable content
nvram set <variable>= #blanks a variable
nvram unset <variable> #erases the variable completely
nvram commit #saves the changes to nvram so they survive a reboot; until you run it, set/unset only live in RAM

The architecture

Here you can see how this type of Linksys device looks internally:
[image: WRT54_sw2_internal_architecture.png]
What we see is that the case labels (the port numbers printed on the rear of the Linksys device) do not match the port numbers that the dd-wrt firmware uses internally for them: external port 4 corresponds to internal port 0.
  • port 5 (internal) leads to the CPU running dd-wrt.
  • port 4 (internal) is the WAN port (vlan1) and connects to the Internet.
  • port 0 (internal) is where we will create the new VLAN (vlan2); it will be isolated from the rest of the user ports (1-3) and from the wifi.
  • port 0 (internal) does need to see port 5, so that the CPU can route its packets to the Internet through port 4.

Don't trust me! Save your current config

Before changing any configuration by following this tutorial, I will be nice to you and strongly recommend backing up your config. I believe all firmwares (the original Linksys one included) have a facility to back up the current configuration,
so do it!!!

The configuration

The first step assumes that you already have dd-wrt installed in your Linksys (or other) router.
Bearing all of the above in mind, we log into the router via telnet or ssh and do the following:
nvram set vlan0ports="3 2 1 5*"
nvram set vlan2ports="0 5"
With this our isolated port 0 now belongs to a new VLAN called vlan2, and the LAN VLAN (vlan0) keeps the other three user ports. Port 5 appears in both lists because the CPU has to be a member of every VLAN it routes for.
The asterisk (*) marks the default VLAN of port 5: if the switch receives an untagged packet on port 5 it is put into the VLAN whose port list carries the *.
Now it is time to assign an IP address to that VLAN, so that any computer connecting to that port can use 192.168.2.1 as its default gateway and reach the Internet. (Check nvram show | grep hwname first: on builds where vlan0 and vlan1 have a vlanNhwname entry, vlan2 needs one with the same value too, or the vlan2 interface is never created at boot.)
nvram set rc_startup='
ifconfig vlan2 192.168.2.1 netmask 255.255.255.0
ifconfig vlan2 up
'
Other tutorials similar to this one tell you to log into the HTTP configuration menu and configure the ports like this. I think it is not required, but do it as well, just in case the configuration does not work:
[image: ddwrtsepvlan.gif]

Securing/Allowing things a bit

The separate VLAN already keeps the two networks apart at the switch level, but the CPU still has to forward the isolated port's packets to the WAN. To allow that (vlan1 is the WAN interface on this box) we define the following rule in the internal firewall:
nvram set rc_firewall='
/usr/sbin/iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
'
The next step is committing the changes (otherwise the reboot throws them away), rebooting the device and crossing your fingers:
nvram commit
reboot
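Putting the whole procedure together, here is an added helper script (mine, not from the original post or the dd-wrt project) that derives the nvram commands from the case label you want to isolate and the vlan0ports string currently on the box, prints them as a plan, and only executes them when called with apply on the router itself. Assumptions: the case labels other than 4 follow the same reversed order (1 -> 3, 2 -> 2, 3 -> 1), which is what the "3 2 1" left in vlan0ports suggests; the stock vlan0ports value is "3 2 1 0 5*"; the address 192.168.2.1/24 is the one from this post; and the two DROP rules between vlan2 and br0 are extra hardening I added, not something the post configures.

```shell
#!/bin/sh
# Added example, not from the original post: build (and optionally apply) the
# nvram settings that move one front-panel port of a WRT54G-class dd-wrt box
# into its own isolated VLAN.  On the router:  sh isolate.sh apply 4
# With no arguments it only prints the plan for case label 4.

# Case label -> internal switch port.  The post states only 4 -> 0; the other
# labels are ASSUMED to follow the same reversed order.
internal_port() {
    case "$1" in
        1) echo 3 ;;
        2) echo 2 ;;
        3) echo 1 ;;
        4) echo 0 ;;
        *) echo "internal_port: unknown case label '$1'" >&2; return 1 ;;
    esac
}

# Remove one port from a vlanNports string, keeping the order and the "5*"
# entry intact.  Refuses to remove the CPU port: a VLAN without port 5 can
# never be routed.  Globbing is switched off so "5*" is not matched against
# files in the current directory.
drop_port() {
    ports=$1; victim=$2; out=""
    if [ "$victim" = "5" ] || [ "$victim" = "5*" ]; then
        echo "drop_port: refusing to remove CPU port 5" >&2
        return 1
    fi
    set -f
    for p in $ports; do
        [ "$p" = "$victim" ] || out="$out $p"
    done
    set +f
    printf '%s\n' "${out# }"
}

# Print the nvram commands for isolating case label $1, given the current
# vlan0ports string $2.  Everything is printed, nothing is executed here.
isolation_plan() {
    port=$(internal_port "$1") || return 1
    lan=$(drop_port "$2" "$port") || return 1
    printf 'nvram set vlan0ports="%s"\n' "$lan"
    printf 'nvram set vlan2ports="%s 5"\n' "$port"
    # Same addressing as the post; change it if 192.168.2.0/24 is already used.
    printf "nvram set rc_startup='ifconfig vlan2 192.168.2.1 netmask 255.255.255.0 up'\n"
    # The ACCEPT is the post's rule (vlan1 is the WAN).  The two DROPs are
    # added hardening: the router will not forward between the isolated VLAN
    # and the LAN bridge (br0) even if some other rule would allow it.
    printf "nvram set rc_firewall='%s'\n" \
"iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
iptables -I FORWARD -i vlan2 -o br0 -j DROP
iptables -I FORWARD -i br0 -o vlan2 -j DROP"
    # Without the commit the settings live only in RAM and die on reboot.
    printf 'nvram commit\n'
}

label=${2:-4}
if [ "${1:-}" = "apply" ]; then
    # On the router: read the live vlan0ports, run the plan, then reboot.
    isolation_plan "$label" "$(nvram get vlan0ports)" | sh && reboot
else
    isolation_plan "$label" "3 2 1 0 5*"
fi
```

Run it without arguments first and read the plan; only when it looks right run it with apply on the router, where it picks up the real vlan0ports value instead of the assumed default. Two checks worth doing before the reboot: nvram show | grep hwname (if vlan0hwname/vlan1hwname exist, give vlan2 the same hwname or the interface will not come up) and iptables -t nat -L POSTROUTING -n -v (the NAT rule on vlan1 must not be restricted to the LAN subnet, or 192.168.2.0/24 gets out unmasqueraded).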

Roll back changes/fucking device!!

If you get desperate and feel you have broken/bricked the router, just do the following, which resets the nvram to the default settings (this is the moment the backup you made earlier pays off):
Locate the small reset button on the rear of the router and hold it pressed with a pen or something similar for at least 10 seconds.

Next steps

If you wanted, you could also give the new port/net its own DHCP server, but that was not my need.

Troubleshooting

During some of the tests I lost connectivity with the web interface: when accessing it with a browser the page looked like it was not loading. The solution is the following:
  • Access the router by means of telnet or ssh.
  • Restart the http daemon
ps | grep httpd  #look for the pid of the httpd process in order to kill it
kill -9 <httpd_pid>
httpd -h /www  #start the process again
  • Try to access now through your browser
