Separate network for public web server on home network


cranberryporcupine

New Around Here
I have a web server on my network that is available to the public.
I want to put this web server in the DMZ to separate it from the rest of my devices on my LAN.

I have been reading that I can do this with VLAN using Merlin on my DSL-AC68u.

I am trying to understand my current modem configuration to know what I need to change.
I found this diagram, which is what I think my hardware is (BCM470x).


Code:
brctl show
bridge name     bridge id               STP enabled     interfaces
br101           8000.000000000000       no
br0             8000.ac9e176b1b99       yes             vlan1
                                                        eth1
                                                        eth2



Code:
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 5t
   2: vlan2: 0 5t
   4: vlan4: 4 5t
  56: vlan56: 0t 1 4t
  57: vlan57: 2t 3t 4t 5t 7t 8t
  58: vlan58: 0 3 5
  59: vlan59: 0 1t 2t 3t 8t
  60: vlan60: 0 1t 2 7 8t
  61: vlan61: 0 1 3t 5 7t 8t
  62: vlan62: 0t 4t 7 8t

I know br0 is my main bridge and the interfaces are as follows:
  • vlan1 (Ethernet ports 1, 2 and 3)
  • eth1 - 2.4GHz wireless
  • eth2 - 5GHz wireless
I have no idea what br101 is. Should I delete it?

vlan1 is my LAN
vlan2 would be the DSL, but it is not in use
vlan4 is connected to my WAN.

What is vlan56 to vlan62? Should I delete these?

Code:
#!/bin/sh

# force LAN port 3 to another VLAN
robocfg vlan 1 ports "1 2 5t"
robocfg vlan 10 ports "3 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10

brctl addbr br1
brctl addif br1 vlan10
ifconfig br1 192.168.10.1 netmask 255.255.255.0
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan10"
nvram set lan1_ifname="br1"

killall eapd
eapd

This is what I have so far.
Is this correct?
 
Why are you adding vlan10 to *both* br1 and br0?? Shouldn't it be just br1?

Remember, you'll want to NAT br1 (192.168.10.0/24) over the WAN as well.
 
Thanks for the reply. Still learning about networks.

I want to create 2 subnets to isolate the web servers from the LAN.
  • 192.168.1.x
  • 192.168.10.x
But I will still want to manage web servers on the 192.168.10.x from machines on 192.168.1.x.
For example, I will want to be able to SSH to the web server 192.168.10.5 on port 22 from my PC on 192.168.1.9.

From what I understand, a VLAN is a way to group physical ports on a switch, even across multiple pieces of hardware that support VLAN tagging.
A bridge is a way to create a network segment.
Then I can assign physical interfaces and VLANs to a bridge.

The next thing I need to do is use iptables to create NAT rules which allows everything to talk to one another. I haven't researched this yet.

So I shouldn't need to include VLAN10 in br0 because I will use iptables to route traffic between the bridges?
 
VLANs and VLAN tagging are separate issues. You can have the former w/o necessarily the latter.

The pre-defined, default vlan is usually vlan1. It has all the LAN ports assigned by default. And that VLAN along w/ the wireless network adapters (eth1 and eth2) are assigned to the default bridge (br0).

If you want to create a *new* VLAN, then you create vlan10, rearrange the ports so vlan10 has at least one from vlan1, create a *new* bridge (br1), and assign the new VLAN to the new bridge. And if you want for br1 to have a DHCP server, define that as well in DNSMasq. And if you want to manage access between br1 and br0, use iptables and the FORWARD chain. And if you want br1 to have internet access, use iptables to NAT its network over the WAN. Etc. etc.

What you had indicated so far seemed like it was on the right track UNTIL you ended up assigning vlan10 to *both* br0 and br1, which makes no sense.
 
P.S. Technically, the use of a new bridge (br1) in your case isn't strictly necessary. You could work w/ just the new network interface (vlan10) as it is, since it's the only other network interface at play. But imo it's still good practice to use a new bridge even when you only have the one network interface to assign to it. It makes it that much easier to add another network interface later (e.g., one of the physical wireless adapters, or even a VAP) w/o having to change its DHCP server, firewall rules, etc.
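The pieces listed in the reply above, put together as an added example (not the poster's script or anything from the forum): the first post's script with vlan10 placed only in br1, plus the dnsmasq DHCP range, the FORWARD rules that allow only the admin PC's SSH into the web server, and the NAT over the WAN. It assumes Asuswrt-Merlin tooling (robocfg, vconfig, brctl, iptables, dnsmasq reading /jffs/configs/dnsmasq.conf.add) and takes vlan4 as the WAN interface from the robocfg output; the DHCP range is a constructed value. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the poster's or the forum's code.  Assumes Asuswrt-Merlin
# tools (robocfg, vconfig, brctl, iptables, dnsmasq + /jffs/configs/dnsmasq.conf.add).
# DRY_RUN=1 echoes each command instead of running it (for review or testing).
LAN_BR=br0;  LAN_NET=192.168.1.0/24
DMZ_BR=br1;  DMZ_IF=vlan10; DMZ_IP=192.168.10.1; DMZ_NET=192.168.10.0/24
WEB_SRV=192.168.10.5; ADMIN_PC=192.168.1.9   # hosts named in the thread
WAN_IF=vlan4                                  # WAN VLAN from the robocfg output

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_vlan_bridge() {
  run robocfg vlan 1 ports "1 2 5t"         # ports 1 and 2 stay in the LAN VLAN
  run robocfg vlan 10 ports "3 5t"          # port 3 becomes the DMZ VLAN
  run vconfig add eth0 10
  run ifconfig "$DMZ_IF" up
  run brctl addbr "$DMZ_BR"
  run brctl addif "$DMZ_BR" "$DMZ_IF"       # vlan10 joins br1 only, never br0
  run ifconfig "$DMZ_BR" "$DMZ_IP" netmask 255.255.255.0 up
  run nvram set lan1_ifnames="$DMZ_IF"
  run nvram set lan1_ifname="$DMZ_BR"
}

dmz_dnsmasq_conf() {   # DHCP range for br1 (constructed values); append to dnsmasq.conf.add
  printf 'interface=%s\ndhcp-range=%s,192.168.10.50,192.168.10.150,255.255.255.0,24h\n' \
      "$DMZ_BR" "$DMZ_BR"
}

firewall_rules() {
  # replies to already-permitted flows, placed first in the chain
  run iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  # DMZ gets internet access, NATed over the WAN like br0 is
  run iptables -A FORWARD -i "$DMZ_BR" -o "$WAN_IF" -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$DMZ_NET" -o "$WAN_IF" -j MASQUERADE
  # only the admin PC may open SSH into the web server; every other flow between
  # the bridges is dropped, so a compromised server cannot reach the LAN
  run iptables -A FORWARD -i "$LAN_BR" -o "$DMZ_BR" -s "$ADMIN_PC" -d "$WEB_SRV" \
      -p tcp --dport 22 -j ACCEPT
  run iptables -A FORWARD -i "$DMZ_BR" -o "$LAN_BR" -j DROP
  run iptables -A FORWARD -i "$LAN_BR" -o "$DMZ_BR" -j DROP
}

if [ "${1:-}" = apply ]; then   # ./dmz.sh apply   (or DRY_RUN=1 ./dmz.sh apply)
  setup_vlan_bridge
  dmz_dnsmasq_conf >> /jffs/configs/dnsmasq.conf.add && run service restart_dnsmasq
  firewall_rules
fi
```

The router's stock FORWARD chain already carries its own rules, so check the final ordering with `iptables -L FORWARD -v` after applying.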
 
Also, you might find the following helpful.


My tutorial is much broader in scope, but it at least demonstrates the pieces needed to bring it all together, from the definition of the VLANs, bridges, DHCP server, firewall rules, etc. And it's basically the same router as yours, just no DSL modem.
 
