Creating VLANs in DD-WRT (Part 1)

I’m breaking this post up into 3 parts because it does go on a bit.

  • Part 1 – An overview of what I’m trying to do and creating VLANs on the router
  • Part 2 – Configuring IP ranges and the router’s firewall
  • Part 3 – Configuring VLANs on the SLM2008 switches

Recently I have flashed my home router (a NetGear WNR3500L) with DD-WRT firmware and performed some basic and intermediate configuration to connect it to the internet and direct DNS queries for my lab domain to the correct DNS server.

Now though I want to setup some VLANs. I want to be able to make use of some of the more advanced networking features in vSphere in my lab and this was one of the primary drivers for me selecting the router that I did.

I already have two Cisco SLM2008 smart switches in my lab. They are 8-port network switches that provide a number of useful features for the price. Simon Seagrave has a good description and review of the switches on his site, SLM2008 review. Upgrading and configuring my router to make better use of those features is what this post is about.

The standard DD-WRT interface allows you to assign single VLANs to individual ports but I want to go a step further than that and create 802.1q trunk ports. DD-WRT is capable of doing this but the configuration isn’t a point-and-click affair in the present build (so I understand).

Firstly, it might help to show the network topology that I’m aiming for here:

The rear of the NetGear router then looks like this:

The goal here is to create a small number of VLANs on the router and enable the two ports connected to the SLM2008 switches to carry 802.1q tagged packets. To do this we have to access the router via a telnet connection.

Enabling telnet on the router is fairly straightforward. On the Administration >> Management page, under Remote Access, it is simply a matter of enabling Telnet Management.

With that done you can use your favourite command line or terminal program to telnet to the router:

It’s worth noting that you have to login as “root” regardless of what you set the router’s username to be. The password will be whatever you set it to though.

The remainder of this article is based on the Switched Ports WIKI page on the DD-WRT site.

The first step is to examine the default VLAN configuration settings that are stored in NVRAM before we change them.

[text]nvram show | grep vlan.*ports[/text]

On the model of router that I’m using (WNR3500L in case you’d forgotten) you should get the following back:

[text]vlan2ports=0 8
vlan1ports=4 3 2 1 8*[/text]

(The results that you get back might vary if you have a different router.)

What this shows is that there are two VLANs in use by default. VLAN2 is assigned to the WAN port (port 0) and the internal CPU port (port 8). VLAN1 is assigned to all four LAN ports and the internal CPU port. The asterisk denotes that this is the default VLAN.

You’ll also want to run this command:

[text]nvram show | grep port.*vlans[/text]

That will return the following default settings:

[text]port5vlans=1 2 16

This shows that the LAN ports (1-4) are joined to VLAN1, the WAN port (0) is joined to VLAN2 and the internal CPU port (5 now and not 8 for some bizarre reason) is joined to VLANs 1 and 2 and is also Tagged (that’s what the 16 means).

And also this one:

[text]nvram show | grep vlan.*hwname[/text]



Some of these settings might need some further explaining. The switched ports page on the DD-WRT WIKI explains them fairly well.

In order to configure / change these settings though we need to “set” them and not just “show” them.

[text]nvram set vlan6ports="2t 1t 8"
nvram set vlan7ports="2t 1t 8"
nvram set vlan8ports="2t 1t 8"
nvram set vlan9ports="2t 1t 8"
nvram set vlan10ports="2t 1t 8"
nvram set vlan11ports="2t 1t 8"
nvram set vlan12ports="2t 1t 8"
nvram set vlan13ports="2t 1t 8"
nvram set vlan14ports="2t 1t 8"
nvram set vlan15ports="2t 1t 8"[/text]

These lines associate the VLANs 6 to 15 with ports 1 and 2 (as well as the internal CPU port) and, more importantly, adds the VLAN tags to packets on these ports.

[text]nvram set port1vlans="1 6 7 8 9 10 11 12 13 14 15 16"
nvram set port2vlans="1 6 7 8 9 10 11 12 13 14 15 16"
nvram set port5vlans="1 2 6 7 8 9 10 11 12 13 14 15 16"[/text]

These lines associate all of the VLANs (except VLAN2 – the WAN) with ports 1 and 2. All VLANS (including the WAN) are associated with the internal CPU port. All three ports are tagged.

[text]nvram set vlan6hwname=et0
nvram set vlan7hwname=et0
nvram set vlan8hwname=et0
nvram set vlan9hwname=et0
nvram set vlan10hwname=et0
nvram set vlan11hwname=et0
nvram set vlan12hwname=et0
nvram set vlan13hwname=et0
nvram set vlan14hwname=et0
nvram set vlan15hwname=et0[/text]

These lines simply associate the VLANs with the right hardware.

[text]nvram commit

Finally the changes are committed and the router rebooted.

(Note that unless specifically overwritten, the original settings that we saw earlier will remain in force. So ports 3 and 4 remain unchanged from their original configuration.)

In summary, what the commands above did is:

  • Created VLANs 6 to 15 inclusive
  • Tagged VLANs 1 and 6 to 15 on ports 1, 2 and 8 (the internal CPU port)

(I expected at that point to lose contact with my lab servers but it didn’t happen. It seems that DD-WRT enumerates the port numbers in reverse order to how they are labelled on the router. So the commands that I entered actually ran on ports 3 and 4! This I verified by re-patching my cables and losing connectivity.)

In the second part of this post I’m going to assign address ranges to my VLANs and configure the router’s firewall.

  1. After i tried to disable vlan2 in the webinterface, i have just tried to disable vlan2 from the console with the unest command. But no chance to disable vlan2. Is there a possibility to disable this vlan ?

    Greets from germany 🙂

    • Sascha,

      It seems to depend on the version of DD-WRT you’re using but I experienced some inconsistencies with the GUI when I ran through my configuration. I’d suggest using the command line for the most part.
      I’m curious to know why you’d want to disable VLAN2 as it’s the WAN interface. It’s even possible that you may not be able to. As an alternative, could you use iptables to disable access to it instead of disabling it?

  2. As stated on the Switched Port page, the following does not work on my DD-WRT (Dlink DIR-825)

    nvram set vlan0ports=”1 2 3 5*”
    nvram set vlan1ports=”0 4 5″
    nvram commit

    When grepping port.*vlans it appears that port 4 still has vlan0. Why is that?

  3. Pingback: router wifi 3G

Add Comment

Required fields are marked *. Your email address will not be published.