Create VLAN on TP-Link WDR4300 wireless router with isolation

Broadband, Computer, Fedora, Information, Internet, Linux, Network, Risk, Security, Ubuntu, Windows 3 Minutes

The TP-Link WDR4300 wireless router has an Atheros Chip. Due to this, it is not easy to set up VLANs (Virtual Local Area Networks) on it. Below explains how this can be done with the kind of problem that was overcome.

Problem:
I had a guest computer on my home wireless network that kept sending probes to other computers on my home network every 10 minutes or so.

The guest computer was also visible on other computers in the home network. Therefore, I decided to do something about this.

Our TP-Link router has an IP address of 192.168.1.3. The ADSL router is on 192.168.1.1. It is the gateway to the internet too.

We want to set up a VLAN with an IP address 192.169.1.1. The 192.168.1.x network will remain as is, however, 192.169.1.1 must connect to the internet through the same ADSL router.

TP-Link Router hardware
The TP-Link router has 4 ethernet ports at the back and 1 ethernet port for Internet. The ethernet ports are labelled as follows:
Port 1, Port 2, Port 3, Port 4 and Internet.

DD-WRT firmware
If you do not have DD-WRT firmware on the TP-Link WDR4300 router, install it. You can get directions from here.

In the DD-WRT firmware installed on the router, Port 1, 2, 3 and 4 are all in one network. The Internet port is on VLAN2.

We want to use Port 4 for VLAN3. Any computer connected to Port 4 would be isolated and only restricted to access whatever is permitted using VLAN3.

The Setup
In our home network, there are about 17 devices that connect to the wireless router. These devices run a plethora of operating systems like Windows, Android, Linux and more. They are all on the same network and can see each other. Some of them even exchange files with each other. The wireless router in turn is connected to an ADSL device supplied by the ISP.

The wireless router runs DD-WRT firmware. Thanks to this post http://www.dd-wrt.com/phpBB2/viewtopic.php?t=173131&view=previous&sid=81ca233413486a25daec23602aca7c91
it became real easy to set up an isolated VLAN on Port 4 for the guest computer. The VLAN uses the same internet gateway to connect to web sites. Now, any packets from the guest computer do not reach other computers in the network.

Once you have understood what is to be done, use the below steps to set up VLAN3 and isolate it from the other parts of the network.

1 Login to the TP-Link Router http://192.168.1.3 using your web browser.
2 Go to page at Admin->Command and enter the following lines (colored in Red) in the Script box.

swconfig dev eth0 vlan 1 set ports "0t 2 3 4"
swconfig dev eth0 set enable_vlan 3
swconfig dev eth0 vlan 3 set ports "0t 5"
swconfig dev eth0 set apply
vconfig add eth0 3
ifconfig vlan3 192.168.12.1 netmask 255.255.255.0
ifconfig vlan3 up

Save as StartUp Script.
Reboot.
3 After reboot, login again to the router at http://192.168.1.3
Go to the menu under Networking. Check the Port Setup section and you will find a vlan3 in it.
Set the vlan3 to Unbridged and enter the IP address
192.169.1.1 and mask as 255.255.255.0
Save and Reboot the router
4 After reboot, login again to the router at http://192.168.1.3
Go to the menu under Networking.
Under DHCP server add select vlan3
Save and Reboot the router
5 After reboot, login again to the router at http://192.168.1.3
Go to page Admin->Command and in the Firewall box, enter the following:

iptables -I FORWARD -i vlan3 -o vlan+ -j DROP
iptables -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan+ -j ACCEPT

Click on the button to save the Firewall Script.Ports 1-3 uses 192.168.1.x and Port4 uses 192.169.1.x. Both VLANs have access to internet via the same interface. The internet is at VLAN2.

Now there are 2 virtual LANs on the TP-Link WDR4300 router that are isolated from each othe

Published by Geetu R. Vaswani

Published