RT-N66 - Script for separate VLANS and Subnets with DHCP and wireless

C Nee

New Around Here
Before I implement the following script and have a router that has a nuclear meltdown, I wanted to run this by the community after viewing several other threads and creating a melting pot of my own. This is my first post here and I apologize in advance, but I believe this is posted in the right place.

Current Hardware: RT-N66u
FW Version: 380.57_0
Current Network Setup: 4 port LAN with WIFI and a Guest WIFI, all set up via GUI
Current Scripts: None besides 'profile.add'
Goal: To have 4 separate VLANs, each on its own subnet with its own DHCP server, 3 of them with their own WIFI; none of the VLANs are to communicate with each other. I want a "Home Net"; "Guest"; "Games"; "Expansion (No-WIFI)". The "Home" is to be the only one with GUI and SSH access.
Future Plans: To do without the DHCP servers, with the exception of the Guest network; all others will be static. Not worried about this at the moment...
Retrieved hardware info via CLI (MACs and IPs were changed to protect the innocent) :D
# nvram show | grep vlan1
lan_ifnames=vlan1 eth1 eth2 wl0.1 wl1.1
vlan1hwname=et0
vlan1ports=1 2 3 4 8*
size: 49735 bytes (15801 left)
landevs=vlan1 wl0 wl1

# nvram show | grep vlan2
vlan2ports=0 8u
vlan2hwname=et0

# robocfg show
Switch: enabled gigabit
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 100FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8u

# brctl show
bridge name bridge id STP enabled interfaces
br0 0000.000000000000 yes vlan1
eth1
eth2
wl0.1
wl1.1
-----------------------------------------------MY PAGE BREAK---------------------------------------------------------

Ok, so after I create the additional WIFI networks via GUI in the Guest Network area, here is my proposed script, which I believe will be "services-start":

## services-start script

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

## create vlans and separate lan ports
robocfg vlan 1 ports "1 8t"
robocfg vlan 2 ports "2 8t"
robocfg vlan 3 ports "3 8t"
robocfg vlan 4 ports "4 8t"

## give vlans wan access
vconfig add et0 2
vconfig add et0 3
vconfig add et0 4

## activate vlans
ifconfig vlan2 up
ifconfig vlan3 up
ifconfig vlan4 up

## bring down bridges(if up from before), delete(if existing from before), and recreate bridges
ifconfig br2 down
brctl delbr br2
brctl addbr br2

ifconfig br30 down
brctl delbr br3
brctl addbr br3

ifconfig br4 down
brctl delbr br4
brctl addbr br4

## remove non 'home' wireless networks from lan and into bridged vlans
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br2 wl0.1
brctl addif br2 wl1.1
brctl addif br2 vlan2

brctl delif br0 wl0.2
brctl delif br0 wl1.2
brctl addif br3 wl0.2
brctl addif br3 wl1.2
brctl addif br3 vlan3

## assign ip addresses to bridges and activate them
ifconfig br2 192.168.20.1 netmask 255.255.255.0
ifconfig br2 up

ifconfig br3 192.168.30.1 netmask 255.255.255.0
ifconfig br3 up

brctl addif br40 vlan40
ifconfig br4 192.168.40.1 netmask 255.255.255.0
ifconfig br4 up

## set interface groups/names into nvram
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan2_ifnames="vlan2 wl0.1 wl1.1"
nvram set lan2_ifname="br2"

nvram set lan3_ifnames="vlan3 wl0.2 wl1.2"
nvram set lan3_ifname="br3"

nvram set lan4_ifnames="vlan4"
nvram set lan4_ifname="br4"

nvram commit
killall eapd
eapd

And here is the proposed "dnsmasq.conf.add":

## dnsmasq.conf.add

# dnsmasq options appended to the generated dnsmasq.conf (a config fragment, not a shell script)

interface=br2
dhcp-range=br2,192.168.20.100,192.168.20.110,255.255.255.0,86400s
dhcp-option=br2,3,192.168.10.1

#interface=br3
#dhcp-range=br3,192.168.30.100,192.168.30.110,255.255.255.0,86400s
#dhcp-option=br3,3,192.168.10.1

#interface=br4
#dhcp-range=br4,192.168.40.100,192.168.40.110,255.255.255.0,86400s
#dhcp-option=br4,3,192.168.10.1

And I assume that ensuring there is no communication between the VLANs, and enabling/disabling GUI/SSH access, will be done with a "firewall-start" script, which I will work on next.

I guess my question is: do my scripts look complete or incomplete, messy and disorganized? Should I group them differently? Do they look like they will work?
I mainly wanted to run this by you guys and get an opinion, given most of my research was done here. Thank you in advance for reading, helping out, and/or sharing your opinion. I don't mind constructive criticism and I have thick skin, so no worries. Hopefully this helps out others in the future, and I will be sure to post any completed/changed work or new findings.

cheers
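The isolation and admin-access rules the post defers to a "firewall-start" script, as an added example (not the poster's code): it assumes the bridge names from the post (br0 = home, br2/br3/br4 = guest/games/expansion), eth0 as the WAN interface, and that the stock firewall chains only accept traffic from br0, so the new bridges need their own allows for internet access and router-served DHCP/DNS.

```shell
#!/bin/sh
# Added example, not from the original post: a firewall-start for the four-VLAN
# layout above. Assumed names: br0 = home LAN (the only network allowed to reach
# the router's GUI/SSH), br2/br3/br4 = guest/games/expansion, eth0 = WAN interface.
# DRY_RUN=1 prints the rules instead of applying them, so they can be reviewed.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

HOME_BR="br0"
ISOLATED="br2 br3 br4"
WAN_IF="eth0"   # assumption: check with "nvram get wan0_ifname" on the router

# Run one iptables command, or just print it when DRY_RUN=1.
rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # 1. No forwarding between any two bridges: every VLAN is an island.
    for src in $HOME_BR $ISOLATED; do
        for dst in $HOME_BR $ISOLATED; do
            [ "$src" = "$dst" ] || rule -I FORWARD -i "$src" -o "$dst" -j DROP
        done
    done
    # 2. The stock chains are written for br0 only, so each new bridge needs its
    #    own allow for internet access and for DHCP/DNS served by the router.
    #    "-I" inserts at the top of the chain, so the blanket DROP goes in first
    #    and the narrower ACCEPTs inserted afterwards end up above it.
    for br in $ISOLATED; do
        rule -I INPUT -i "$br" -j DROP          # no GUI, SSH or anything else to the router
        rule -I INPUT -i "$br" -p udp -m multiport --dports 53,67 -j ACCEPT
        rule -I INPUT -i "$br" -p tcp --dport 53 -j ACCEPT
        rule -I FORWARD -i "$br" -o "$WAN_IF" -j ACCEPT
    done
}

# Only apply when installed as the hook itself; sourcing or testing the file
# under another name runs nothing.
case "$0" in
    *firewall-start) firewall_rules ;;
esac
```

Review the output of `DRY_RUN=1 /jffs/scripts/firewall-start` before relying on it, and confirm with `iptables -L FORWARD -v` that the inter-bridge DROP rules sit above the firmware's own ACCEPT rules.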
 
Actually, I am having a little confusion with my 'dnsmasq.conf.add'. Do I need to add all the different options for each interface, such as 'bogus-priv', 'expand_hosts', 'domain=', etc.? Also, are the specified interfaces named correctly after 'dhcp-range=' and 'dhcp-option='? I'm a little confused whether, in my case, they should be 'dhcp-range=lan2...' versus the way I currently have them as 'dhcp-range=br2...'.
 
In the section '## bring down bridges', 'ifconfig br30 down' is maybe just a mistake in this post or in the code itself.
 
I'm not an expert, and am planning a similar scheme after reading many discussions on the subject at SNB, but here are a few remarks:
  • Be careful with vlan2, since by default it contains the WAN port (see your initial "robocfg show" results). You redefine it as containing ports 2 and 8 (router CPU?), but you have no VLAN with the WAN port (0).
  • In the "## give vlans wan access" section, shouldn't it be "vconfig add eth0 2", etc., instead of et0?
  • By "brctl addif br40 vlan40" you surely meant "brctl addif br4 vlan4".
 