Setting up DMZ with static public Sub-Net using DD-WRT

This article borrows heavily from the procedure written by Oded Arbel at:

http://geek.co.il/wp/2007/06/11/setting-up-dmz-with-multiple-static-ips-on-an-office-lan-using-dd-wrt

The assumption for this follow-up is that you already know how to flash your WRT54G* with DD-WRT. I began the procedure with the WRT54G loaded with dd-wrt.v24_mega_generic.bin.

The starting pieces:

1.1.1.1 WAN – dynamic or static IP, tested both ways
5.5.5.5/28 routed over WAN to bridge

WRT54G-TM Linksys/T-mobile router

Desired configuration on completion

            1.1.1.1
               |
               V
      ******************
      *                *
      *  WRT54G DD-WRT *
      *                *
      * DMZ ****** LAN *
         |          |
         V          V
    5.5.5.0/28   192.168.1.0/24

This particular configuration has a static or dynamic IP address on the WAN side that is not in the same range as the routed subnet. This is a common provision in the US for AT&T and Sonic.net (probably others as well). Other providers may use similar methods of delivering service using PPPoE.

Hardware Description before we begin

The labeling of ports on various flavors of WRT54G is different, however the physical position of the ports remains the same. In this document I will refer to the PHYSICAL ports as seen by the operating system.

See: http://voidmain.is-a-geek.net/i/WRT54_sw1_internal_architecture.png
and: http://voidmain.is-a-geek.net/i/WRT54_sw2_internal_architecture.png

and note that the case labeling is different on the two variants; however, the internal structure and labeling of the ports remains the same. Likewise, the LEDs may be numbered the reverse of what you expect.
Some clarification: ports are numbered internally as 0 – 5, with port 0 being the one next to the power connection. This is the port that is used by default for connection using TFTP. This port MUST remain on vlan0.
Make sure to get the port numbering scheme straight, ideally labeling the ports so you don’t screw up. If port 0 somehow gets disconnected from vlan0 and you then BRICK YOUR ROUTER, you will be unable to re-flash it.

Setting up VLAN for DMZ

Start by checking out your current VLAN configuration – telnet to the router, which should have the IP address of 192.168.1.1 (if you haven’t changed it) – type ‘root’ as the username and whatever you put in the web interface as the password. Then type at the command prompt:

nvram show | grep vlan.ports

You should get a response something like this:

vlan0ports=0 1 2 3 5*
vlan1ports=4 5

or

vlan0ports=3 2 1 0 5*
vlan1ports=4 5

Before attempting to change the VLAN setup I recommend that you disable port 2 as follows and use that information to confirm where each port is physically on your device and which LED corresponds to each port. Then LABEL everything.

nvram set vlan0ports="0 1 2 5*"
nvram commit
reboot

Use a single cable and ping the LAN side interface to determine which of the ports is no longer operational. This will be physical device number 2 and will also allow you to identify which LEDs correspond to each physical port.

Now to create our new vlan – we will split the switch ports, taking physical ports 2 and 3 (the right-most two ports looking at the front of the router, i.e. the ones closest to the WAN port on the back of the router) and making them into our DMZ VLAN. Execute the following commands:

nvram set vlan0ports="1 0 5*"
nvram set vlan2ports="3 2 5"
nvram set vlan2hwname=et0
nvram commit
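Because a wrong port string here can cost you the TFTP recovery port, the following added example (my own, not part of the original article) checks a proposed vlan0ports / vlan2ports pair before you run nvram commit. It assumes the nvram port syntax shown above ("1 0 5*", "3 2 5") and that port 0 must stay on vlan0; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a proposed
# vlan0ports / vlan2ports layout BEFORE running "nvram commit", so that
# physical port 0 (the TFTP recovery port) can never drop out of vlan0 by a
# typo. Port strings use the nvram syntax shown above ("1 0 5*", "3 2 5").
# Function names are mine. Globbing is turned off so a literal 5* is never
# expanded against file names.
set -f

# has_port PORTS PORT -> 0 if PORT (with or without a trailing '*') is listed
has_port() {
    for q in $1; do
        [ "${q%\*}" = "$2" ] && return 0
    done
    return 1
}

# check_vlan_ports VLAN0PORTS VLAN2PORTS -> 0 if the layout is safe, 1 if not
check_vlan_ports() {
    v0=$1; v2=$2
    # 1. the recovery port must stay on vlan0
    has_port "$v0" 0 || { echo "port 0 is missing from vlan0"; return 1; }
    # 2. the CPU port (5) must be a member of both VLANs, with the '*'
    #    marker kept on vlan0's entry as in the router's existing layout
    has_port "$v0" 5 || { echo "port 5 is missing from vlan0"; return 1; }
    has_port "$v2" 5 || { echo "port 5 is missing from vlan2"; return 1; }
    case " $v0 " in *" 5* "*) ;; *) echo "vlan0 should list 5*"; return 1 ;; esac
    # 3. no switch port (0-4) may be a member of both VLANs
    for p in $v2; do
        p=${p%\*}
        [ "$p" = 5 ] && continue
        has_port "$v0" "$p" && { echo "port $p is in both vlan0 and vlan2"; return 1; }
    done
    return 0
}

# The layout this article ends up with (port 4 is unused on this model):
check_vlan_ports "1 0 5*" "3 2 5" && echo "layout OK, safe to nvram commit"
```

Run it with the two strings you are about to set; if it prints a complaint, fix the strings before nvram commit.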

With this complete, we must tell the DD-WRT software about the change. Open the web interface to the router.

Sigh... note that the numbering in this section is again out of whack.

• Physical port 5 = WAN (W)
• Physical port 4 = not used
• Physical port 3 = 4 on menu
• Physical port 2 = 3 on menu
• Physical port 1 = 2 on menu
• Physical port 0 = 1 on menu

• Click SETUP — on the sub-menu
• Click VLANs
• VLAN 0 – assign labeled ports 1, 2 to LAN
• VLAN 1 – assign labeled port (W) to None
• VLAN 2 – assign labeled ports 3, 4 to LAN
• Auto-Negotiate – all checked
• Enabled – all checked
• Wireless LAN
• Link Aggregation on Ports 3 & 4 – No

Save this configuration.

Notes on IPTABLES

The default operating mode for DD-WRT is for the router to act as a GATEWAY. In this mode, the OS inserts a number of default rules into IPTABLES. The difference between GATEWAY and ROUTER modes really boils down to the NAT rules applied to the LAN ports. Telnet to the router and execute the following command to view the IPTABLES rule-set.

iptables -nvL | less
and for the NAT rules
iptables -t nat -nvL

Go to the SETUP web page and Click – Advanced Routing. Select – Router mode and then save the selection. This will eliminate most of the unneeded rules in iptables. You can add back in those that are needed for your specific installation.

Setting up the DMZ and NAT for LAN

The first step is to set up an INIT script to apply an IP address for the DMZ vlan. Go to the web interface and:

• Click – Administration
• On the sub-menu Click – Commands

Paste this script (altered for your static sub-net address) into the Command Shell box.

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
ifconfig br0:1 5.5.5.1 netmask 255.255.255.240 up

• Click – Save Startup

The above example sets up the first host IP (after the network address) of a 16-IP block, and its netmask. As a reminder, the IP block assigned to us is 5.5.5.0 to 5.5.5.7, with 5.5.5.0 as the network address and 5.5.5.7 as the broadcast address, with the valid host addresses between them – this results in a netmask of 255.255.255.240 (or 28 network bits). If you get a different number of IP addresses, you’d have to compute your netmask yourself. The GNU command line utility ipcalc is very useful, but if you don’t have a Linux computer handy then there are lots of web based tools to address the problem.
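If you have neither ipcalc nor a web tool handy, the added example below (mine, not from the original article) does the same arithmetic in plain POSIX shell, so it also runs on the router's own busybox shell; it works for any prefix, not just /28, and the function names are mine. It assumes a shell with 64-bit arithmetic.

```shell
#!/bin/sh
# Added example (not from the original article): an ipcalc-style helper in
# plain POSIX shell, so the netmask, first host and broadcast for the DMZ
# startup script can be worked out on the router itself (busybox ash) or any
# sh. Function names are mine; 64-bit shell arithmetic is assumed.

# ip_to_int A.B.C.D -> unsigned 32-bit value
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask BITS -> dotted netmask, e.g. 28 -> 255.255.255.240
prefix_to_mask() {
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_info ADDR/BITS -> "network first-host broadcast netmask usable-hosts"
# Any address inside the block may be given; it is masked down to the network.
cidr_info() {
    bits=${1#*/}
    [ "$bits" -ge 8 ] && [ "$bits" -le 30 ] || { echo "bad prefix: $bits" >&2; return 1; }
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    net=$(( $(ip_to_int "${1%/*}") & mask ))
    bcast=$(( net | (mask ^ 4294967295) ))
    echo "$(int_to_ip $net) $(int_to_ip $((net + 1))) $(int_to_ip $bcast) $(int_to_ip $mask) $((bcast - net - 1))"
}

# dmz_startup_line ADDR/BITS -> the ifconfig line for the startup script,
# putting the block's first host on br0:1 exactly as the article does
dmz_startup_line() {
    info=$(cidr_info "$1") || return 1
    set -- $info
    echo "ifconfig br0:1 $2 netmask $4 up"
}

# Worked for the block used in this article:
cidr_info 5.5.5.0/28        # 5.5.5.0 5.5.5.1 5.5.5.15 255.255.255.240 14
dmz_startup_line 5.5.5.0/28 # ifconfig br0:1 5.5.5.1 netmask 255.255.255.240 up
```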

Now we must fix the firewall. Paste this script (altered for your static sub-net address) into the Command Shell box.

#!/bin/sh

# allow established traffic
iptables -A INPUT -s 5.5.5.0/28 -m state --state ESTABLISHED,RELATED -j ACCEPT

# drop DMZ access to LAN
iptables -A INPUT -s 5.5.5.0/28 -d 192.168.1.0/24 -j DROP

# allow bridge access from bastion host (OPTIONAL)
# iptables -A INPUT -s 5.5.5.2 -j ACCEPT

# allow ping and icmp
iptables -A INPUT -p icmp -j ACCEPT
# drop all other access to bridge from everywhere
iptables -A INPUT -d 5.5.5.1 -j DROP
# allow packets from the network, destined to the DMZ
iptables -A INPUT -d 5.5.5.0/28 -m state --state NEW -j ACCEPT

# allow access from everywhere else to DMZ
iptables -I FORWARD 4 -d 5.5.5.0/28 -j ACCEPT

# nat for LAN (to DMZ interface address)
# first rule NATs to DMZ interface; if the rule is commented out,
# then third rule NATs to WAN interface
iptables -t nat -A POSTROUTING -o vlan1 -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o br0 -m pkttype --pkt-type broadcast -j RETURN
iptables -t nat -A POSTROUTING -o br0 -s 192.168.1.0/24 -j MASQUERADE

• Click – Save Firewall

The first section allows established traffic to the DMZ from anywhere. The second section drops attempts by the DMZ to reach the LAN side of the router. The third section allows OPTIONAL access to the bridge (web interface, etc.) from the bastion host in the DMZ. This is not recommended but can be useful (note that it is commented out). The fourth section allows only ICMP traffic from anywhere to the router’s DMZ interface and passes NEW connections to the DMZ sub-net. The fifth section forwards traffic from anywhere to the DMZ. The sixth and last section NATs the LAN range to the router DMZ interface.
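Since the INPUT rules above only give the intended result in that order (the DMZ-to-LAN drop and the bridge drop must come before the accept for NEW connections to the DMZ), the following added example (mine, not from the original article) checks that order from an iptables-save style dump, e.g. after a reboot. The two dumps inside it are constructed to mirror the rules above; on the router you would feed it the real output of iptables-save, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the DMZ rules in
# the INPUT chain are in the order the firewall script relies on, reading
# iptables-save style text. Both dumps below are constructed samples.

SAMPLE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 5.5.5.0/28 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 5.5.5.0/28 -d 192.168.1.0/24 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -d 5.5.5.1/32 -j DROP
-A INPUT -d 5.5.5.0/28 -m state --state NEW -j ACCEPT
COMMIT'

# Same rules, but with the DMZ->LAN drop appended after the NEW accept: a new
# connection from the DMZ to the LAN would be accepted before it is dropped.
BAD_SAMPLE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 5.5.5.0/28 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -d 5.5.5.1/32 -j DROP
-A INPUT -d 5.5.5.0/28 -m state --state NEW -j ACCEPT
-A INPUT -s 5.5.5.0/28 -d 192.168.1.0/24 -j DROP
COMMIT'

# rule_pos DUMP PATTERN -> line number of the first INPUT rule containing PATTERN
rule_pos() {
    printf '%s\n' "$1" | grep -n -- '^-A INPUT ' | grep -F -- "$2" | head -n 1 | cut -d: -f1
}

# check_dmz_order DUMP -> 0 when every rule that must precede the
# "NEW to DMZ" accept is present and really comes before it, 1 otherwise
check_dmz_order() {
    new=$(rule_pos "$1" '-d 5.5.5.0/28 -m state --state NEW -j ACCEPT')
    [ -n "$new" ] || { echo "missing: NEW-to-DMZ accept"; return 1; }
    for must in '-s 5.5.5.0/28 -d 192.168.1.0/24 -j DROP' \
                '-d 5.5.5.1/32 -j DROP'; do
        pos=$(rule_pos "$1" "$must")
        [ -n "$pos" ] || { echo "missing: $must"; return 1; }
        [ "$pos" -lt "$new" ] || { echo "out of order: $must"; return 1; }
    done
    return 0
}

check_dmz_order "$SAMPLE" && echo "DMZ INPUT rules are in the expected order"
```

On the router, run `check_dmz_order "$(iptables-save)"` after boot to confirm the Save Firewall script was applied in the intended order.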