I’d like to isolate the single physical port (port 4) on my router to WAN access only while leaving ports 1-3 and wireless so they can communicate together. If possible I’d also like to limit the 4th port to 2Mbps . I’ve tried getting help on google but it’s mostly targeted for an older version of dd-wrt while I’m running DD-WRT v3.0-r32170 (06/01/17) on a Linksys WRT 1900AC*
I’ve tried messing with this a bit myself for a while but I’m a bit scared to break something and not be able to access the router control panel. I’m also confused by some of the terms used: Under port setup i have eth1, eth0, ath0 and ath1. I’m fairly certain ath0 and ath1 are the 2 wireless bands and from looking at the settings eth1 seems to be the wan port which leaves only eth0… for 4 ports…? can I separate them?
Could someone help me in the right direction on what I should do here? My end goal here is to have an old secondary router running as an access point for guests to use without hindering my own tasks or priority. Additionally, I have a TP-Link Managed Switch that supports VLAN tagging if there’s any way we could work that into a solution instead. Any help is greatly appreciated!
*Eventually I plan on replacing this router with a pfsense box which should be better or maybe even a Ubiquiti USG but I don’t currently have the money for that. My other idea is just running pfsense in either hyperV or ESXi since it would be basically free with my current hardware but I’m not sure about it just yet… so if you have input on if this would be a bad idea or not…
Nope. You can sort of think of that eth0 as a connection to a fifth internal port on what is effectively a 5-port unmanaged switch integrated into your device.
On a side note I found out that my switch actually has bandwidth control which solved that problem and I’m not sure if this is a joke or not but with this tp-link managed switch (TL-SG1024DE)… when i set the ingress and egress rate to 2000Kbps… it seems to save it as “1984”… same with 2001 and 1999… I’m wondering if this is some sort of joke from the tp-link devs hinting at our Orwellian future… o_o lol…
Anyways… I didn’t really want to do this but after much fiddling with dd-wrt with mac addresses, ip-addresses and some QOS tinkering I couldn’t get it to filter/cripple any of the methods as if that configuration screen is just for looks…
Instead I turned what I wanted to be just an AP into another full blown router making my main one it’s host (which i don’t like doing… but oh well) and all the things connected to it are now on a completely different subnet. (For some reason it defaulted into the 10.6.x.x space rather than the usual 192.168.x.x which i find interesting… i guess it’s because it was given a 192.168 address to the internet)
While this disables automatic detection of network devices… anyone with an IP address can still get into my private network
I’m currently looking into vlan tagging the port from the managed switch and trying to see if I can isolate it in dd-wrt from that… so far no luck.
If your second router has a firewall feature, it would be easiest to use that to block connections to the other subnet.
I can’t really tell if this is what you’re trying to do, but for completeness, you’re not going to be able to control any traffic that goes in one switch port and out another switch port. You can only control traffic that goes in one of the interfaces (eth0, eth1, etc.) and out another.
I would expect the only interface that you’ll be able to handle VLAN tags with is the standalone eth1 port. Assuming you also need to use this port for your internet connection, and want to have only a single router, here’s a way to do it, but it’s a little strange.
You need to handle three different networks (let’s call them home, guest, internet), so you will need to create three different VLAN interfaces on the eth1 port (for example, 10, 20, 30, respectively). Each one will have a different subnet, with home and guest having static IPs, and internet presumably getting DHCP. On your managed switch you will need to trunk all three of these VLANs to a port where you plug in the WRT1900. Then, on your managed switch, you’ll need a port set to VLAN 30 untagged to plug in your modem. Put your guest router in bridge mode and then connect one of its switch ports to a port set to VLAN 20 untagged on your managed switch. Then add the VLAN 10 interface on eth1 to the bridge with eth0, ath0, and ath1. Configure the other ports on your managed switch to access VLAN 10 or 20 as desired.
This all should be within the capabilities of DD-WRT, but I’m not an expert on it so I can’t really give instructions on how to do it in the GUI. I have a WRT3200ACM with DD-WRT, but I’m just using it as a dumb AP, and I do all of the more complex stuff on a separate OPNsense box. Just looking at the options in DD-WRT, I’m not really sure where to start, and this kind of setup is not something that I would really want to do on this platform if I had a choice.