Tag Multiple VLANs with Trunk Port on DD-WRT Router
I was running an ESXi host in my home network and I wanted to dedicate on NIC of the ESXi for VM traffic. Since I was planning on having different networks, I decide to plug this NIC into a trunk port of the dd-wrt router. This way, I can just assign the VM to an appropriate virtual network and it will have access to it’s corresponding network.
Add another VLAN to dd-wrt
So I decided to allow vlans 1 and 3 to go through port 4 of the dd-wrt router. First let’s add vlan 3 to the dd-wrt configuration and assign a 10.0.0.0/24 network range to this vlan. This is done in the management UI. Point your browser to the dd-wrt router, after you login you should see the following:
Now let’s add vlan3 to port 4:
- Go to Setup -> VLANs.
- Uncheck port 4.
- Place port 4 into VLAN3.
- Click Save, then Apply Settings.
Next let’s configure vlan 3’s network:
- Go to Setup -> Networking -> Port Setup
- Set Vlan3 to unbridged
- Set the IP address to 10.0.0.1
- Set the Subnet Mask to 255.255.255.0
- Save the configuration
Let’s also enable DHCP for VLAN3:
- Go to Setup -> Networking -> DHCPD
- Set DHCP 0 to vlan3 with a Leasetime of 3600.
- Click Save and Apply Settings
Now let’s bring up the vlan3 interface on boot. To do this:
- Go to Administration -> Commands
-
Enter the following in the commands text field
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" ifconfig vlan3 10.0.0.1 netmask 255.255.255.0 ifconfig vlan3 up - Click Save Startup
After it’s done you should see the following under the Start up section:
If you have SSH enabled on the router you can run the following to assign vlan3 to port 4:
nvram set vlan1ports="3 2 1 8*"
nvram set vlan3ports="4 8"
nvram set vlan3hwname="et0"
Since I was enabling DHCP and defining the network range, I just did that in the UI.
Enabling Trunk VLANs on port 4
These commands have to be run from the command line. To enable SSH on the dd-wrt, follow the instruction laid out here. Before making any changes, I checked out my vlan configuration and here is what I saw:
root@DD-WRT:~# nvram show | grep "vlan.ports"
vlan2ports=0 8
vlan3ports=4 8
vlan1ports=3 2 1 8*
root@DD-WRT:~# nvram show | grep "port.vlans"
port5vlans=1 2 3 16
port3vlans=1 18 19
port1vlans=1 18 19
port4vlans=3 18 19
port2vlans=1 18 19
port0vlans=2 18 19
The ports are described here. From that page:
0 = WAN 1 = port 1 2 = port 2 3 = port 3 4 = port 4
Gigabit routers
[0-4] = Can be forward or reverse like above 8 = CPU internal 8* = CPU internal default
Here are the other numbers mean:
16 = Tagged is checked 17 = Auto-Negotiate is unchecked 18 = 100 Mbit is unchecked or greyed because Auto-Negotiate is checked 19 = Full-Duplex is unchecked or greyed because Auto-Negotiate is checked 20 = Enabled is unchecked.
So from the above we can see port 4 allows vlan3, which is perfect. Now let’s set up vlan1 and vlan3 to come in tagged on port 4 and then enable both VLANS on that port. This can be accomplished with the following:
nvram set vlan1ports="4t 3 2 1 8*"
nvram set vlan3ports="4t 8"
nvram set port4vlans="1 3 18 19"
Then apply the change and reboot the router:
nvram commit
reboot
Allow Vlan3 to talk to the internet
The following commands will allow access to the WAN for vlan3:
iptables -I FORWARD -i vlan2 -o vlan3 -j ACCEPT
iptables -I FORWARD -i vlan3 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan3 -j ACCEPT
iptables -I FORWARD -i vlan3 -o br00 -j ACCEPT
iptables -I INPUT -i vlan3 -j ACCEPT
I was using fwbuilder, so I had to add the vlan3 interface to the configuration and allow access to and from it.
Now I can configure two Virtual PortGroups on my Virtual Switch and tag vlans 1 and 3 on them. Then I can put any VM on any of those networks just by assigning their nics to the appropriate port group.