Somebody help me before I hang myself!
Here is what I am trying to accomplish. There are two existing wired networks, Network1 and Network2, as well as my own network, which we'll call… Network3.
Network1 is configured as 172.24.24.0/24
Network2 is configured as 172.24.201.0/24
Network3 is configured as 10.255.254.0/24
There are several other networks available via Network1's gateway (172.24.24.254) as well…
You get the idea… Anyhow, let's continue.
Network2 has internet access
Currently I have a Windows RRAS box that serves as my router which allows me to access all of the machines on Network1 and Network2, as well as the internet via Network2's connection. I allow a very specific set of ports in from Network1 to 1 host on Network3; but we can get into that later. I want to get rid of the RRAS box and replace it with a WRT54GL running Tomato, which from everything I've read should be possible… Just not possible for ME to pull off apparently.
WAN Port: Connected to Network2
Switch Port 1: Connected to Network1
Switch Ports 2-4: Available for Network3 devices
I began by plugging the WAN port into Network2, and my laptop into switch port 1.
I then flashed my WRT54GL v1.1 with tomato-WRT54G_WRT54GL_1.28.0025Teaman-VLAN-PPTPD-VPN.bin
Of course I was then off and running with full access to Network2 out the gate. Thinking it surely won't be difficult to assign port 4 to a different VLAN and create a few routing rules, I set to work. And so begins my madness…
Of course I began my work with the GUI on the Network page (Basic->Network), and added a new Bridge (br1) and defined an IP address of 172.24.24.242 and a mask of 255.255.255.0; I left DHCP disabled as Network1 already provides those services [188.8.131.52 and higher are not part of the DHCP scope for Network1]. Heck yes, this seems easy as pie so far!
Next I accessed the VLAN page (Advanced->VLAN) and unchecked Port 1 from vlan0 (LAN) and created a new VLAN (vlan2) with VID 2 and checked the box for Port 1. I assigned the Bridge for vlan2 as my newly created bridge: br1. This step did not work properly. After rebooting the router the VLAN page indicated that Port 1 was in both vlan0 and vlan2. I ended up solving this by setting manual_boot_nv to 1 via nvram commands.
nvram set vlan0ports="2 1 0 5*"    <- to remove port "3" (physical port 1) from vlan0 so it would only be in vlan2
nvram set manual_boot_nv=1
nvram commit
After rebooting, now the GUI shows Port 1 as only being a part of vlan2. Hooray!
At this point I connected physical port 1 of the router to Network1 and verified connectivity by pinging a host on Network1 from the router, success! I also added some routing rules (Advanced->Routing) to specify which other subnets were available via Network1 and verified connectivity to them by pinging various hosts from the router. Great success!
Now, fire up a command prompt on my laptop and see if I can ping a Network1 host and… not a chance. OK, no big deal, right? We just need to give br0 access to br1, right? So I head to the LAN Access page (Advanced->Lan Access) and create a rule to allow br0 to access br1 (no src/dst addresses specified); still nothing. Hrm… I muck with this screen for a while creating rules for specific hosts, or from br1 to br0 instead, all to no avail. Well, crap. I can only assume that what the GUI is actually applying to the router is incorrect (much like the VLAN port allocation).
At this point I've reset the router and only done the most basic configuration, and I'm hoping that someone here who is much smarter than I can come to my rescue! All I have done is set up br1 and vlan2 just as I described above. I have not added the static routes for the other subnets available for Network1, nor have I configured the LAN Access page. I figure if we can get routing working between br0 and br1 I can revisit the other subnets once that is done.
The router itself is able to currently access Network1 (just the 172.24.24.0/24 subnet) as well as Network2 and the internet without issue.
For any help they may offer, here are the current iptables.
iptables -L -v
Chain INPUT (policy DROP 98 packets, 6346 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  br0    any     anywhere             wan-ip
    0     0 DROP       all  --  br1    any     anywhere             wan-ip
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
  262 34665 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    1    73 ACCEPT     all  --  lo     any     anywhere             anywhere
  167 12041 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  br1    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
    0     0 ACCEPT     all  --  br1    br1     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
   22  1136 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 1141  364K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       all  --  br0    br1     anywhere             anywhere
    0     0 DROP       all  --  br1    br0     anywhere             anywhere
    0     0 wanin      all  --  vlan1  any     anywhere             anywhere
   54  8230 wanout     all  --  any    vlan1   anywhere             anywhere
   54  8230 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  br1    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 475 packets, 392K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination
iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 424 packets, 30364 bytes)
 pkts bytes target         prot opt in     out     source               destination
    0     0 DROP           all  --  vlan1  any     anywhere             10.255.254.0/24
    0     0 DROP           all  --  vlan1  any     anywhere             172.24.24.0/24
   62  3318 WANPREROUTING  all  --  any    any     anywhere             wan-ip

Chain POSTROUTING (policy ACCEPT 4 packets, 522 bytes)
 pkts bytes target         prot opt in     out     source               destination
   77  8824 MASQUERADE     all  --  any    vlan1   anywhere             anywhere

Chain OUTPUT (policy ACCEPT 24 packets, 1921 bytes)
 pkts bytes target         prot opt in     out     source               destination

Chain WANPREROUTING (1 references)
 pkts bytes target         prot opt in     out     source               destination
    0     0 DNAT           icmp --  any    any     anywhere             anywhere            to:10.255.254.1
If there is any other information that might be useful, let me know and I'll post it.
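Added example (not part of the original post, and not Tomato's own code): iptables walks a chain top to bottom and stops at the first rule whose target is a terminating verdict, so an ACCEPT rule placed below a matching DROP never sees the traffic. The script below parses the FORWARD chain exactly as quoted above, simulates the verdict a NEW connection between each pair of interfaces would receive, and, where an explicit DROP rule is the cause, prints the `iptables -I FORWARD <rulenum> ...` command that would place an ACCEPT above it. It models only interface, protocol and conntrack-state matches, treats TCPMSS/LOG/MARK as fall-through targets, and assumes that jumps to user chains (wanin/wanout, which are empty in the quoted output) return without a verdict; the sample chain text is transcribed from the post.

```python
"""Audit an `iptables -L -v` FORWARD chain for traffic that is dropped
before a later ACCEPT can see it (iptables matches first-to-last)."""
import re

# Constructed sample: the FORWARD chain from the post's `iptables -L -v` output.
FORWARD_CHAIN = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in    out   source   destination
    0     0 ACCEPT all  --  br0   br0   anywhere anywhere
    0     0 ACCEPT all  --  br1   br1   anywhere anywhere
    0     0 DROP   all  --  any   any   anywhere anywhere state INVALID
   22  1136 TCPMSS tcp  --  any   any   anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 1141  364K ACCEPT all  --  any   any   anywhere anywhere state RELATED,ESTABLISHED
    0     0 DROP   all  --  br0   br1   anywhere anywhere
    0     0 DROP   all  --  br1   br0   anywhere anywhere
    0     0 wanin  all  --  vlan1 any   anywhere anywhere
   54  8230 wanout all  --  any   vlan1 anywhere anywhere
   54  8230 ACCEPT all  --  br0   any   anywhere anywhere
    0     0 ACCEPT all  --  br1   any   anywhere anywhere
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end chain traversal


def parse_chain(text):
    """Parse one chain of `iptables -L -v` into (name, policy, rules).
    Each rule keeps its 1-based number so it can be fed back to `iptables -I`."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", lines[0])
    name, policy = head.group(1), head.group(2)
    rules = []
    for num, line in enumerate(lines[2:], start=1):  # lines[1] is the column header
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [matches]
        rules.append({
            "num": num, "target": f[2], "proto": f[3],
            "in": f[5], "out": f[6], "src": f[7], "dst": f[8],
            "match": f[9] if len(f) > 9 else "",
        })
    return name, policy, rules


def rule_matches(rule, in_if, out_if, proto, state):
    """Would this rule match a packet with the given interfaces, protocol and
    conntrack state? Only the fields this audit models are considered."""
    if rule["in"] not in ("any", in_if) or rule["out"] not in ("any", out_if):
        return False
    if rule["proto"] not in ("all", proto):
        return False
    m = re.search(r"state (\S+)", rule["match"])
    if m and state not in m.group(1).split(","):
        return False
    return True


def evaluate(rules, policy, in_if, out_if, proto="tcp", state="NEW"):
    """Walk the chain top to bottom as the kernel does and return the first
    terminating verdict as {'rule': n, 'target': ...}, or the chain policy.
    Assumption: user-chain jumps (wanin/wanout) return without a verdict, and
    TCPMSS/LOG/MARK-style targets fall through to the next rule."""
    for r in rules:
        if not rule_matches(r, in_if, out_if, proto, state):
            continue
        if r["target"] in TERMINATING:
            return {"rule": r["num"], "target": r["target"]}
    return {"rule": None, "target": policy}


def suggest_fix(rules, policy, in_if, out_if):
    """If a NEW connection in_if -> out_if is dropped by an explicit rule,
    return the iptables command that inserts an ACCEPT just above it."""
    v = evaluate(rules, policy, in_if, out_if)
    if v["target"] == "DROP" and v["rule"] is not None:
        return f"iptables -I FORWARD {v['rule']} -i {in_if} -o {out_if} -j ACCEPT"
    return None


def audit(text=FORWARD_CHAIN, ifaces=("br0", "br1", "vlan1")):
    """Verdict for a NEW connection between every ordered pair of interfaces."""
    _, policy, rules = parse_chain(text)
    return {(a, b): evaluate(rules, policy, a, b)
            for a in ifaces for b in ifaces if a != b}


if __name__ == "__main__":
    for (a, b), v in audit().items():
        where = f"rule {v['rule']}" if v["rule"] else "chain policy"
        print(f"{a:>5} -> {b:<5}: {v['target']} ({where})")
    _, policy, rules = parse_chain(FORWARD_CHAIN)
    print(suggest_fix(rules, policy, "br0", "br1"))
```

Run against the quoted chain, the audit reports br0 -> br1 dropped at rule 6 and br1 -> br0 at rule 7, while br0 -> vlan1 is accepted at rule 10, which is consistent with the router reaching the internet but the laptop not reaching Network1. The fix command is only printed, never executed; the rule number it names is valid only for the chain as captured, so re-run the audit after any GUI change that rewrites the firewall.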