sdc-dd-wrt

Set up VLANs on the ASUS RT-AC68U router with DD-WRT v24-sp2

This is a guide to setting up 2 additional VLANs on ports 1 and 4 of the RT-AC68U router using DD-WRT v24-sp2 (09/13/14) kongac.
This configuration is for my home SmartDataCenter Admin and External networks, with the RT-AC68U WAN connected behind NAT on another router.
SDC setup with ASUS router


The RT-AC68U is a dual-core ARMv7 800MHz home router that can be configured with advanced networking features using the dd-wrt firmware. It is robust and hard to brick, thanks to built-in ASUS recovery tools that allow firmware flashes even after things go bad. This is my 5th dd-wrt enabled router; each time I configure a new one I figure out something new about dd-wrt and networking. Generally speaking, it is a PITA to configure any dd-wrt router owing to the mix of Web UI and command line steps, but this particular router works much better than previous ones I have used. Under dd-wrt, the router has 96 Mb of jffs filespace for local writable storage, which is plenty for this config.

In this guide:
  • external LAN port 1 of the router is set to a new untagged vlan3 with no DHCP support.
    • SDC Admin Network, with local DNS from the router, additional hostnames in the router's jffs-enabled filesystem at /jffs/etc/hosts.home, and the made-up local domain name blueprint.home
  • external LAN port 4 is set to a new untagged vlan4 with no DHCP support.
    • SDC External Network, with local DNS from the router, additional hostnames in the same /jffs/etc/hosts.home file, and the same local domain name blueprint.home
  • external LAN ports 2,3 and WiFi are left on the DD-WRT Web Interface configured vlan1(br0)/vlan2 with DHCP support.

The IP ranges are as follows:
vlan3: 10.0.1.1 netmask 255.255.255.0, DHCP OFF, firewalled, routed, with Local DNS
vlan4: 10.0.10.1 netmask 255.255.255.0, DHCP OFF, routed, with Local DNS
vlan1: 10.0.11.1 netmask 255.255.255.0, DHCP ON, firewalled, routed, with Local DNS


Flashing the Router with dd-wrt

Flashing is a 2 step process.

First, flash dd-wrt from the stock ASUS firmware Web UI (http://192.168.1.1),
on the Administration | Firmware Upgrade page,
with this BrainSlayer dd-wrt build:
ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2014/06-23-2014-r24461/asus-rt-ac68u/asus_rt-ac68u-firmware.trx

Reboot the router.
Second, flash again from the above dd-wrt firmware Web UI (http://192.168.1.1),
on the Administration | Firmware Upgrade page, with:
dd-wrt.v24-K3_AC_ARM_STD.bin
This is a Kong build [DD-WRT v24-sp2 (09/13/14) kongac], originally at: http://www.desipro.de/ddwrt-ren/K3-AC-Arm/25015M/dd-wrt.v24-K3_AC_ARM_STD.bin
More recent builds are listed at http://www.desipro.de/ddwrt-ren/K3-AC-Arm/

Note: The RT-AC68U firmware recovery mode can be entered by booting with the reset button down and holding it until a very slow power button flash happens. Firmware can be uploaded from a Windows machine (via the CD-ROM firmware update utility) or from the web browser version at 192.168.1.1 while in recovery mode (very slow power blink).

(Adapted from instructions here: http://elatov.github.io/2014/11/dd-wrt-on-asus-rt-ac68u-router/)


Passwords, Wireless Security, and Initial Router Setup

Connect via cable to LAN port 2, Power Up,  Login via browser to http://192.168.1.1
Set initial page Username [root] and Password [************]
dd-wrt default login screenshot

Wireless | Basic Settings tab, Edit Both Sections!
Wireless Physical Interface wl0 [2.4 GHz TurboQAM]
  1. Wireless Network Name (SSID) [asus-dd-wrt]
Wireless Physical Interface wl1 [5GHz/802.11ac]
  2. Wireless Network Name (SSID) [asus-dd-wrt]
  3. Click Save.
dd-wrt wireless basic setup page

Wireless | Wireless Security tab, Edit Both Sections!
Wireless Security wl0
  1. Security Mode [WPA2 Personal]
  2. WPA Shared Key [**********]
Wireless Security wl1
  3. Security Mode [WPA2 Personal]
  4. WPA Shared Key [**********]
  5. Click Save, then Apply Settings.
dd-wrt wireless security page

Setup | Basic Setup tab, Edit:
  1. Router Name [ASUS-DD-WRT]
  2. Hostname [sdc]
  3. Domain Name [blueprint.home]  (I use this as a local domain name - as its WAN is connected to another NAT router)
  4. Local IP  [10.0.11.1]
  5. Subnet [255.255.255.0]
  6. Gateway - leave set to 0.0.0.0 (for DNSMasq to work)
  7. Local DNS - leave set to 0.0.0.0 (for DNSMasq to work)
  8. Static DNS 1 [10.0.11.1]  (Router itself, for DNSMasq Local DNS)
  9. Static DNS 2 [8.8.8.8]  (Google DNS)
  10. Static DNS 3 [8.8.4.4]
  11. Use DNSMasq for DHCP [checked]
  12. Use DNSMasq for DNS [checked]
  13. DHCP-Authoritative [checked]
  14. Time Zone Location Pull down to your location
  15. Click Save, Check Over Your Local IP Again -  then Apply Settings
  16. Change your computer's IP address from 192.168.1.x to 10.0.11.x, either with a fixed IP (e.g. 10.0.11.5) or via a DHCP off/on cycle, then connect with the browser pointing to http://10.0.11.1


Set up SSH Key

Services | Services tab, Secure Shell Section, Edit:
  1. SSHd: Enable
  2. SSH TCP Forwarding: Enable
  3. Password Login: Enable
  4. Authorized Keys: [provide your ~/.ssh/id_rsa.pub pasted in box]
  5. Telnet: Disable
  6. Click Save, then Apply Settings.

Disallow Remote Access to the Router (through the WAN)

Administration | Management tab, Remote Access Section, Edit:
  1. Web GUI Management: Disable
  2. SSH Management: Disable
  3. Telnet Management: Disable
  4. Allow any Remote IP: Enable
  5. Click Save, then Apply Settings.
dd-wrt remote access


Turn on the router's jffs filesystem and format it:

Administration | Management tab, JFFS2 Support section, Edit:
  1. JFFS2: Enable.
  2. Click Save at the bottom. Wait a few seconds.
  3. Once the screen refreshes, click Apply at the bottom and wait again.
  4. Find the same JFFS2 Support section again, click the Clean JFFS2 Enable Button (this is temporary)
  5. Click Apply to format the available space.
  6. Find the same JFFS2 Support section again, click the Clean JFFS2 Disable Button (done formatting).
  7. Click Save at page bottom.
  8. Now you can SSH into the router and find a writable filesystem under /jffs/
  9. For DNS, make a /jffs/etc directory:

cd /jffs
mkdir etc

When you are done, issue a reboot command from ssh or the Web Interface.
(JFFS configuration adapted from: http://unfinishedbitness.info/2013/02/24/enabling-jffs-on-dd-wrt/)
dd-wrt jffs config page



Configure VLANS
Make sure you are connected to router physical port 3 or 2 (the middle ports) throughout the process, so that you stay on vlan1 while configuring.

Using the DD-WRT Web Interface, add vlan4 to port 4, vlan3 to port 1

Setup | VLAN tab - Edit:

  1. Uncheck port 4.
  2. Place port 4 into VLAN4.
  3. Uncheck port 1
  4. Place port 1 into VLAN3.
  5. Click Save, then Apply Settings.
dd-wrt VLAN page

Configure vlan3 and vlan4 network

Setup | Networking tab, Port Setup section - Edit:

  1. Set Vlan3 to unbridged
  2. Set the IP address to 10.0.1.1
  3. Set the Subnet Mask to 255.255.255.0
  4. Set Vlan4 to unbridged
  5. Set the IP address to 10.0.10.1
  6. Set the Subnet Mask to 255.255.255.0
  7. Click Save, then Apply Settings
dd-wrt networking page - top part
dd-wrt networking page - bottom part

Add script to bring up the vlan3 & vlan4 interfaces on boot

Administration | Commands tab

  1. Enter the following in the commands text box:

#!/bin/ash
# Startup script: assign the two new VLAN interfaces their addresses and bring them up at boot.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
ifconfig vlan3 10.0.1.1 netmask 255.255.255.0    # SDC Admin network (LAN port 1)
ifconfig vlan4 10.0.10.1 netmask 255.255.255.0   # SDC External network (LAN port 4)
ifconfig vlan3 up
ifconfig vlan4 up


  2. Click Save Startup
dd-wrt Administration Commands page part 1
dd-wrt Administration Commands page part 2

Use an SSH session into the router to enter these additional commands:

nvram set vlan3hwname="et0"
nvram set vlan4hwname="et0"
nvram set vlan1ports="3 2 5*"
nvram set vlan3ports="1 5"
nvram set vlan4ports="4 5"
nvram commit
reboot
ssh session

(adapted from: http://virtuallyhyper.com/2014/04/tag-multiple-vlans-on-trunk-port-on-dd-wrt-router/ )

Reconnect to the Router Web UI, then set up the firewall rules for vlan3 and vlan4

Administration | Commands tab

  1. Enter the following in the commands text box:

iptables -I FORWARD -i vlan2 -o vlan+ -j ACCEPT
iptables -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan+ -j ACCEPT
iptables -I FORWARD -i vlan+ -o br0 -j ACCEPT
iptables -I INPUT -i vlan+ -j ACCEPT


Note: this allows connections between br0 (WiFi, LAN ports 2,3) and the vlan3 and vlan4 machines in both directions;
it is a minimal, permissive firewall state. You may want to firewall off vlan3 (the Admin Network).
The SDC system attached to vlan3 and vlan4 is behind NAT, so the main thing keeping
people out is the WiFi security settings. If you want to allow guests access to the SDC External Network via
a WiFi connection or LAN ports 2 & 3, then you should firewall off vlan3.

  2. Click on Save Firewall - the router will reset its firewall, give it a moment.

dd-wrt Administration Commands Firewall
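The note above says you may want to firewall off vlan3. The script below is one way to do that with the same iptables the guide already uses; it is an added example, not part of the original README or of DD-WRT. It assumes the interface roles used throughout this guide (br0 = WiFi and LAN ports 2,3; vlan2 = WAN; vlan3 = SDC Admin; vlan4 = SDC External), the chain names sdc_fwd and sdc_in are my own, and the file path /jffs/etc/vlan_fw.sh is just a suggestion.

```shell
#!/bin/sh
# Hardened replacement for the permissive rules in this guide (added example,
# not from the original README or from DD-WRT). Interface roles are assumed
# from the guide: br0 = WiFi + LAN ports 2,3; vlan2 = WAN; vlan3 = SDC Admin;
# vlan4 = SDC External. Chain names sdc_fwd / sdc_in are made up here.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

apply_vlan_firewall() {
  # Custom chains are (re)created empty and jumped to once, so the rules are
  # evaluated top to bottom and re-running the script does not duplicate them.
  for chain in sdc_fwd sdc_in; do
    $IPT -N "$chain" 2>/dev/null || true
    $IPT -F "$chain"
  done
  $IPT -D FORWARD -j sdc_fwd 2>/dev/null || true
  $IPT -D INPUT -j sdc_in 2>/dev/null || true
  $IPT -I FORWARD -j sdc_fwd
  $IPT -I INPUT -j sdc_in

  # Routed traffic between networks. Replies to already-allowed connections:
  $IPT -A sdc_fwd -m state --state RELATED,ESTABLISHED -j ACCEPT
  # The Admin network may open connections to anything (WAN, home LAN, External)...
  $IPT -A sdc_fwd -i vlan3 -j ACCEPT
  # ...but no other network may open connections into the Admin network.
  $IPT -A sdc_fwd -o vlan3 -j DROP
  # External network reaches the WAN; home LAN (WiFi, ports 2,3) reaches External.
  $IPT -A sdc_fwd -i vlan4 -o vlan2 -j ACCEPT
  $IPT -A sdc_fwd -i br0 -o vlan4 -j ACCEPT
  # External-network hosts may not open connections into the home LAN.
  $IPT -A sdc_fwd -i vlan4 -o br0 -j DROP
  # Anything else falls through to DD-WRT's own FORWARD rules.

  # Traffic addressed to the router itself. Admin gets SSH, Web UI, DNS, etc.:
  $IPT -A sdc_in -i vlan3 -j ACCEPT
  # External only gets DNS and ping from the router (DHCP is off on vlan3/vlan4
  # in this guide, so ports 67/68 are not opened). The rest hits DD-WRT's DROP.
  $IPT -A sdc_in -i vlan4 -p udp --dport 53 -j ACCEPT
  $IPT -A sdc_in -i vlan4 -p tcp --dport 53 -j ACCEPT
  $IPT -A sdc_in -i vlan4 -p icmp -j ACCEPT
}

# On the router: sh /jffs/etc/vlan_fw.sh apply   (preview: IPT=echo sh /jffs/etc/vlan_fw.sh apply)
if [ "${1:-}" = "apply" ]; then
  apply_vlan_firewall
fi
```

Save it under /jffs (which survives an NVRAM reset, as noted later in this guide) and put `sh /jffs/etc/vlan_fw.sh apply` in the Commands box with Save Firewall, so it runs every time DD-WRT rebuilds its rules.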


Enable Local DNS with DNSMasq

Services | Services tab, Services Management section - Edit:
Under the DHCP Server heading:
  1. Use JFFS2 for client lease DB: [checked]
  2. Used Domain: [LAN & WLAN]
  3. LAN Domain: [blueprint.home]
Under the DNSMasq heading:
  4. DNSMasq: [Enable]
  5. Local DNS: [Enable]
  6. No DNS Rebind: [Enable]
  7. Additional DNSMasq Options: [Paste the following into the box]

interface=vlan4
dhcp-option=net:vlan4,3,10.0.10.1
dhcp-option=net:vlan4,6,10.0.10.1,8.8.8.8,8.8.4.4
interface=vlan3
dhcp-option=net:vlan3,3,10.0.1.1
dhcp-option=net:vlan3,6,10.0.1.1,8.8.8.8,8.8.4.4
local=/blueprint.home/
expand-hosts
domain-needed
addn-hosts=/jffs/etc/hosts.home
strict-order

dd-wrt DNSMasq local DNS

  8. Click Save, then Apply Settings, then reboot the router.

You can test local DNS by using an SSH connection to the router and vi to create the additional hosts file, for example:

/jffs/etc/hosts.home
10.0.10.5    ubuntubox.blueprint.home ubuntubox

When you make changes to this file, use the DD-WRT Web UI Setup | Basic Setup - Apply Settings button so that DNSMasq re-reads the hosts file and picks up the new entries.

(adapted from: http://unfinishedbitness.info/2013/03/26/using-dd-wrt-for-local-dns-and-dhcp/)

DONE


Troubleshooting

PING TO WINDOWS?
If you are testing across vlans with PING - and using a Windows machine, note that Windows Firewall blocks ping by default.
Follow these instructions to enable Windows ICMPv4 PING echo: http://www.sysprobs.com/enable-ping-reply-windows-7

APPLY Button, Rebooting the Router and RECONNECTING
Often a browser will leave you at http://10.0.11.1/apply.cgi (I'm looking at you, Safari) and show only 10.0.11.1 in the URL bar. Click on it and delete the /apply.cgi (or whatever follows the address) to get back to http://10.0.11.1, and the dd-wrt UI should reappear. If you still don't reconnect, wait a bit longer (the router may still be rebooting) or turn your network connection off and on again to refresh your computer's IP address via DHCP. If you still can't reconnect, you may need to reset the router's NVRAM:

Resetting Router NVRAM
To reset the RT-AC68U NVRAM externally: power off, hold down the WPS button (on the side of the router), and power on while holding the button until the power light flashes rapidly. This resets to the factory DD-WRT installation settings, and the IP address is reset to 192.168.1.1. NOTE: This procedure does not affect the /jffs filesystem, which persists through the reset.


To inspect the stock VLAN settings before making changes (on the RT-AC68U the default LAN is vlan1 and the WAN is vlan2):
root@sdc:~# nvram show | grep vlan.hwname
vlan2hwname=et0
vlan1hwname=et0
root@sdc:~# nvram show | grep vlan.ports
size: 34245 bytes (31291 left)
vlan2ports=0 5u
vlan1ports=1 2 3 4 5*
root@sdc:~# nvram show | grep port.vlan
port5vlans=1 2 16
port3vlans=1
port1vlans=1
port4vlans=1
port2vlans=1
port0vlans=2


FINAL router CONFIG after following the above procedure:

root@sdc:~# nvram show | grep vlan.hwname
vlan3hwname=et0
size: 35498 bytes (30038 left)
vlan2hwname=et0
vlan1hwname=et0
vlan4hwname=et0
root@sdc:~# nvram show | grep vlan.ports
size: 35485 bytes (30051 left)
vlan4ports=4 5
vlan2ports=0 5u
vlan3ports=1 5
vlan1ports=3 2 5*
root@sdc:~# nvram show | grep port.vlan
size: 35485 bytes (30051 left)
port5vlans=1 2 3 4 16
port3vlans=1 18 19 21
port1vlans=3 18 19 21
port4vlans=4 18 19 21
port2vlans=1 18 19 21
port0vlans=2 18 19 21
root@sdc:~# nvram show | grep vlan3
vlan3_netmask=255.255.255.0
size: 35485 bytes (30051 left)
vlan3hwname=et0
vlan3_txq=0
vlan3_ipaddr=10.0.1.1
vlan3_mtu=1500
vlan3ports=1 5
vlan3_multicast=0
ifconfig vlan3 10.0.1.1 netmask 255.255.255.0
ifconfig vlan3 up
interface=vlan3
dhcp-option=net:vlan3,3,10.0.1.1
dhcp-option=net:vlan3,6,10.0.1.1,8.8.8.8,8.8.4.4
vlan3_nat=1
vlan3_bridged=0
root@sdc:~# nvram show | grep vlan4
size: 35485 bytes (30051 left)
vlan4ports=4 5
vlan4_bridged=0
vlan4_netmask=255.255.255.0
vlan4_nat=1
vlan4_ipaddr=10.0.10.1
vlan4_txq=0
ifconfig vlan4 10.0.10.1 netmask 255.255.255.0
ifconfig vlan4 up
vlan4hwname=et0
dnsmasq_options=interface=vlan4
dhcp-option=net:vlan4,3,10.0.10.1
dhcp-option=net:vlan4,6,10.0.10.1,8.8.8.8,8.8.4.4
vlan4_mtu=1500
vlan4_multicast=0
root@sdc:~#

root@sdc:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
  456 53640 ACCEPT     0    --  vlan+  *       0.0.0.0/0            0.0.0.0/0          
19241 1222K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 DROP       udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
 1354  143K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 DROP       icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0          
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0          
    4   296 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     0    --  vlan3  *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     0    --  vlan4  *       0.0.0.0/0            0.0.0.0/0          
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 2918  468K ACCEPT     0    --  vlan+  br0     0.0.0.0/0            0.0.0.0/0          
 3635 1878K ACCEPT     0    --  br0    vlan+   0.0.0.0/0            0.0.0.0/0          
  471 69622 ACCEPT     0    --  vlan+  vlan2   0.0.0.0/0            0.0.0.0/0          
  610  443K ACCEPT     0    --  vlan2  vlan+   0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      vlan2   10.0.11.0/24         0.0.0.0/0          
    0     0 ACCEPT     tcp  --  *      vlan2   10.0.11.0/24         0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  vlan3  *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     0    --  vlan4  *       0.0.0.0/0            0.0.0.0/0          
    0     0 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     0    --  br0    vlan2   0.0.0.0/0            0.0.0.0/0          
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 332 packets, 25633 bytes)
 pkts bytes target     prot opt in     out     source               destination        
19659 4244K ACCEPT     0    --  *      br0     0.0.0.0/0            0.0.0.0/0   