xyzzytest

join:2004-08-06
Collegeville, PA

MI424WR rev E Port Based VLAN Configuration

I would like to isolate one port on my MI424WR to connect to a "public" network that would provide a connection to the Internet but be totally isolated from my network connected to the remaining ports on the router. My intent is to connect a secondary router configured as a WAP on this port to provide isolated wired and wireless connectivity to the Internet.

I don't have any VLAN compatible switches, so I'm assuming I would be wanting strictly a port isolated with no VLAN tagging enabled. I have tried this, setting port 1 to VLAN 1 and all the other ports to VLAN 2, but it seems to have no effect; all the ports still had full connectivity.

Is there any way to accomplish this with my existing equipment?



More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
kudos:30

There are two ways to do this:

Method 1
-----------
Use a LAN-to-WAN connection from the Actiontec to your second router. Configure the second router to use a separate subnet, i.e., the Actiontec subnet is 192.168.1.1; the second router's subnet is 192.168.2.x.
PCs on the second router will have internet access, but will not see devices on the Actiontec subnet.

ONT---Actiontec+---PC1
               +---PC2
               +-----2nd router+---PC3
                               +---PC4
 
PCs on the second router will be double NAT'ed, meaning that if you need to open any ports for port forwarding, you will need to open those ports on both routers.

Method 2
-----------
Obtain a business account with static IPs and assign a static IP to each router.

ONT---switch+---Actiontec (WAN IP1)
            +---2nd router (WAN IP2)
 

xyzzytest

join:2004-08-06
Collegeville, PA
reply to xyzzytest

Actually, option one doesn't work.

While the other PCs indeed can't see anything on the secondary router, the secondary router does have access to the machines on the primary router.

Try it, I've already been there.

Option two isn't really an option, I clearly don't want to pay for a business class account.

I'm looking for realistic options that don't involve large sums of monthly account fees, for what should be obvious reasons.


JohnA
Premium
join:2003-09-16
Pittsburgh, PA


Use 2 routers behind the AT, 1 for each isolated LAN


xyzzytest

join:2004-08-06
Collegeville, PA

Actually, for a time, I did use two routers behind the MI424WR. There are issues with that approach. First off, only one of the routers can be enabled to do port forwarding, since the only practical way is to put one router's WAN address in the DMZ of the MI424WR; the other just connects normally.

Second, now I have three routers running, not just one.

If I could get the VLAN option working, I should be able to put a simple switch on the second VLAN and connect one or more computers there that would be totally isolated. Since the capability already exists in the MI424WR, I'd obviously like to get that working.



More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
kudos:30
reply to xyzzytest

In order to do what you are trying to do, you need to assign an IP address to the VLAN. You have two choices:

1) Assign the VLAN a LAN IP address, which would accomplish nothing. Even if you were to assign the VLAN to a separate subnet, you would still need to bridge the new subnet to your WAN IP since you have a single WAN IP address.

2) Assign the VLAN a WAN IP address, which would require a static IP address, which you have already indicated is not a viable solution.


xyzzytest

join:2004-08-06
Collegeville, PA

1 edit

So basically, the VLAN accomplishes nothing it would seem.

I know that some routers have the capability of isolating one port from the LAN while still connecting to the WAN; I was hoping that I could accomplish this with the VLAN capability of the MI424WR.

I didn't actually see a way to link an IP address to a VLAN, probably buried in that cryptic interface somewhere.

I could do this with DD-WRT and a compatible router, but since I have the FiOS TV, I need the MI424WR in the picture.

I guess my option is to use the MI424WR for my isolated connection(s) and put a secondary router in the DMZ of the MI424WR and use it for the secure network connections. I was trying to avoid having to have two routers, since I usually just want isolated connections on my workbench for unknown machines that may have infections of various kinds.



More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
kudos:30

You can configure your DD-WRT router as primary and place the Actiontec behind the DD-WRT router to handle only the STBs.

See the options in this FAQ:
»Verizon Online FiOS FAQ »What are the tradeoffs between the various router configurations


xyzzytest

join:2004-08-06
Collegeville, PA

I did know about that option, I'm trying to avoid two routers, but maybe that's not going to happen.

If I go with two routers, I can just stick any router in the secondary location and put it in the DMZ for the MI424WR. That may be the way I end up going.


bbtech6650
Premium
join:2004-10-28
Pittsburgh, PA
Reviews:
·Verizon FiOS

I'm trying to do a similar thing with my new setup at my fire company. I want to use one Actiontec for company ops, and the other for public use.

I'll let you know what I find out how to get it to work. I was going to do it earlier today, but forgot my laptop at my house.


xyzzytest

join:2004-08-06
Collegeville, PA

I'll look forward to the results of your efforts.


bbtech6650
Premium
join:2004-10-28
Pittsburgh, PA
Reviews:
·Verizon FiOS

After racking my brain all day... I finally sent an email to tech support. Their features are not completely documented or documented well.

The response to this issue is below:
=================================================================
Not sure I understand, are you trying to create a VLAN having the wireless systems in a different subnet?
It's a SOHO-class router; you can't write routing rules in its programming.
You can create a virtual network or VLAN though and I'll include those instructions.
Creating a VLAN using the BHR (4.0.16.1.15.2.9)

1. Creating a VLAN
a. Select Network Connections/Advanced Connection/VLAN Interface
b. Make the Underlying Device the LAN Bridge
c. The VLAN ID can be any number from 1-4094, this will be the VLAN PVID
2. Changing the IP Subnet
a. Select the VLAN/Settings/Internet Protocol/Use the Following IP Address
b. An example would be: 10.0.0.1 / 255.255.255.0
c. Under DNS Server enter the Primary and Secondary servers
d. From IP Address Distribution select DHCP Server
e. The range would be 10.0.0.2-254 / 255.255.255.0
3. Configuring the VLAN on the Switch
a. Select Network Connections/Advanced/LAN Hardware Ethernet Switch/Settings
b. From 4 Port Ethernet Switch select Show
c. Assign the VLAN PVID number to the port desired (0-3)
i. Select Action for Port 0
ii. From Ingress select Tagged (Add VLAN Header)
iii. Leave the Egress set to Untagged
d. Be sure to connect the Ethernet cable to the port assigned the VLAN PVID
e. Your NIC should get an appropriate IP, like 10.0.0.2
f. Test by PINGing other addresses connected to the BHR
4. Advanced Filtering (Blocking the VLAN from the LAN)
a. Select Security/Advanced Filtering
b. Under Incoming Packets find the VLAN
c. Make a New Entry, Under Matching select Source IP Address as ANY
d. For the Destination Address select Specify Address and click Add
e. Name the rule and click New Entry
f. Select IP Subnet to define the subnet you want to block
i. This will be (the LAN), 192.168.1.0 / 255.255.255.0
g. Repeat for the Outgoing Packets
5. Test
a. You should no longer be able to PING between the 2 networks
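
As an added illustration (not part of the thread or of the tech-support reply), here is a small Python model of the Advanced Filtering step and the step-5 test above. It assumes the "incoming" rule drops any packet from the VLAN port destined for 192.168.1.0/24 and that the repeated "outgoing" rule drops LAN-sourced packets destined for 10.0.0.0/24 (that interpretation of step 4g is an assumption); it also shows what is left open when step 4g is skipped.

```python
"""Model of the two Advanced Filtering rules from the tech-support reply.
Added example; rule semantics are an assumption for illustration only."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # existing home LAN (from the thread)
VLAN = ip_network("10.0.0.0/24")     # isolated VLAN subnet (from the thread)

# Each rule: (direction, source subnet or None for ANY, destination subnet to drop).
# "incoming" = packet entering the BHR from the VLAN port,
# "outgoing" = packet leaving the BHR towards the VLAN port.
RULES_FULL = [
    ("incoming", None, LAN),   # steps 4c-4f: VLAN -> LAN dropped
    ("outgoing", LAN, VLAN),   # step 4g (assumed form): LAN -> VLAN dropped
]
RULES_INCOMPLETE = RULES_FULL[:1]   # step 4g skipped

def direction(src, dst):
    """Classify a packet relative to the VLAN interface, or None if it
    never crosses that interface (so the VLAN filter does not apply)."""
    if src in VLAN:
        return "incoming"
    if dst in VLAN:
        return "outgoing"
    return None

def allowed(src, dst, rules):
    """True if a packet src -> dst passes the VLAN interface's filter."""
    src, dst = ip_address(src), ip_address(dst)
    d = direction(src, dst)
    if d is None:
        return True
    for rule_dir, src_net, dst_net in rules:
        if rule_dir != d:
            continue
        if (src_net is None or src in src_net) and dst in dst_net:
            return False
    return True

def isolation_report(rules):
    """The four flows a step-5 ping test would exercise (hosts constructed)."""
    internet = "198.51.100.7"   # constructed: any non-RFC1918 address
    return {
        "vlan_to_lan": allowed("10.0.0.2", "192.168.1.10", rules),
        "lan_to_vlan": allowed("192.168.1.10", "10.0.0.2", rules),
        "vlan_to_internet": allowed("10.0.0.2", internet, rules),
        "lan_to_internet": allowed("192.168.1.10", internet, rules),
    }
```

With both rules, only the two Internet flows pass; with the outgoing rule missing, the LAN can still reach hosts on the VLAN, which is the case to look for when a ping test "half works".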


zerog

join:2002-02-10
Carrollton, TX
kudos:1
reply to xyzzytest

Not that I've done this before, but what about putting each net in its own VLAN the way you wanted, and then putting a black hole route to each of the other networks, so that traffic cannot be routed between them?


xyzzytest

join:2004-08-06
Collegeville, PA

I'm going to give that a try when I get a chance, that looks like it might have the chance of working. I got as far as the VLAN, but didn't do some of the other stuff, which is obviously required.


xyzzytest

join:2004-08-06
Collegeville, PA
reply to xyzzytest

Well, I started down the path of that configuration, but my MI424WR apparently is quite different.

Firmware Version: 20.8.0
Model Name: MI424WR-GEN2
Hardware Version: E



floepie

join:2005-12-01

2 edits
reply to xyzzytest

I have my own DD-WRT router's WAN connected to a VLAN ethernet port and have set up the AT to bridge the WAN with the specific LAN port in order to pass through a second public IP address to my router. So, I have two public IPs, one to each router. Is this not possible on the Rev E? FWIW, I am running firmware 4.0.16.1.56.0.10.11.6. Note, I'm quite sure this only works if you grab a public IP with PPPoE, but I haven't tried it if you are a DHCP customer.

This allows me to run OpenVPN on the DD-WRT router without needing to forward any ports on the AT.


xyzzytest

join:2004-08-06
Collegeville, PA

This is not an option with FiOS, you are stuck with the single public IP address. In addition, my router also handles the TV On Demand and Program Guides, so I can't totally replace it. Of course, I can add a router, and accomplish the privacy I'm looking for, I just figured I could do it with the router I have. I'm sure you only get one public IP address with FiOS, if not I could just put a switch in front of the router and connect the "public" LAN to that port.

I'm about to give up on the single router solution and add the secondary router.



floepie

join:2005-12-01

@xyzzytest, Sure you can.

Each of my routers receives a unique public IP using PPPoE. I simply established a new broadband connection bridge (no IP and no firewall), which needs to bridge the ethernet broadband connection and a VLAN, which exists in the Home Network. Once you do that, you simply change the VLAN from the Home Network to a Broadband Connection to complete the WAN bridge. The last step is the key, or your router will balk that more than one WAN connection is bridged.


xyzzytest

join:2004-08-06
Collegeville, PA
reply to xyzzytest

Well, I guess I have no idea exactly how you are configuring or what equipment you're using.



More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
kudos:30
reply to floepie

said by floepie:

    @xyzzytest, Sure you can.

    Each of my routers receives a unique public IP using PPPoE.

No, he can't if he is on DHCP (as most FIOS users are).

DHCP binds the MAC address to the WAN IP address so that it is not possible to pull more than one DHCP address.

bbtech6650
Premium
join:2004-10-28
Pittsburgh, PA
reply to xyzzytest

I also just received a Gen2, and got the above to work.

Also, they told me that routing/ACL support is limited because it's a SOHO box.

I'm used to playing with enterprise grade stuff all day, and it's all highly configurable.


xyzzytest

join:2004-08-06
Collegeville, PA
reply to xyzzytest

I have no PPPoE option, and I have tried to obtain a second IP address using a switch and two routers. As predicted, and I had no reason to doubt it, only the first router connected could obtain an IP address.

IMO, this is not possible with any FiOS account that I'm aware of.


xyzzytest

join:2004-08-06
Collegeville, PA
reply to xyzzytest

bbtech6650, please explain exactly HOW you got it to work, because the instructions don't work for me.