一个路由划分多网段同时上网(vlan with dhcp)

scutlxb

想法：
      一个公司几个部门，想每个部门(行政、销售、技术、财务等)都不同的IP段，路由有4个lan口，可以分4个段，一起上网。
      一个路由器+几台交换机  就ok了。省了不少购买路由器的钱，呵呵，这可不是偷工减料哦。

规划：
行政部lan1 ： 192.168.1.0
销售部lan2 ： 192.168.2.0
技术部lan3 ： 192.168.3.0
财务部lan4 ： 192.168.4.0
路由器IP    ： 192.168.1.1

各部门之间相互独立，不能互访。
注：正在思考某些部门互访或者设立公共区域的事。大家有更好的想法可以提。

示意图：

                                                          Internet
                                                              |
                                                           DDWRT
      ________________________________|___________________________________
     |                               |                                             |                                       |                                 
行政                            销售                                        技术                                   财务
192.168.1.0              192.168.2.0                             192.168.3.0                        192.168.4.0

实现(Linux真是强大啊...)：      
路由               Wrt54g v2.2 (能刷ddwrt的路由器)
fireware：       DDwrt v-24 rc-4 std (其他ddwrt的版本应该也可以)
原理：            利用ddwrt里面的 dnsmasq和vlan功能 (提示：Dnsmasq a lightweight, caching DNS proxy with integrated DHCP server.)

[不明白本论坛搜索vlan之后得到的结果中，都是指划分vlan需要交换芯片支持。而且都指switch是adm6996l 的才行，bcm5325不行。
其实不是很清楚是不是只有adm6996l支持vlan，bcm5325就不支持？谁回答一下 ？
怎么我看到的BCM5325的datasheet说支持port-based vlan的。
wrt54g v2.2 的switch是bcm5325的，也可以按端口实现vlan啊，是ddwrt的功能强大，还是switch本身支持vlan？]

1.参考http://www.geek-pages.com/articl ... rt_4_with_dhcp.html

2.telnet 路由器IP ，然后修改和增加 vlan0ports,    vlan2ports,    vlan3ports,    vlan4ports
#nvram set vlan0ports="1 5*"
#nvram set vlan2ports="2 5*"
#nvram set vlan3ports="3 5*"
#nvram set vlan4ports="4 5*"
#nvram commit

注意：这里不是很明白，麻烦懂得朋友解析一下 “ 5* ” 是什么意思。
        虽然不明白，不过这样设置暂时未发现问题。     

3.web界面设置a. Services------------DNSMasq-----------------
   DNSMasq    启用
   本地DNS     启用
  附加的DNSMasq选项   
interface=vlan2
dhcp-range=192.168.2.2,192.168.2.254,255.255.255.0,8760h
interface=vlan3
dhcp-range=192.168.3.2,192.168.3.254,255.255.255.0,8760h
interface=vlan4
dhcp-range=192.168.4.2,192.168.4.254,255.255.255.0,8760h
   在框里输入上面的内容后“应用”。
  注意，8760h是时间一年，自己可以修改为几小时(h)，或分钟(m)。


b.管理-------------诊断
把下面的内容保存启动命令
ifconfig vlan2 192.168.2.1 netmask 255.255.255.0;
ifconfig vlan2 up;
ifconfig vlan3 192.168.3.1 netmask 255.255.255.0;
ifconfig vlan3 up;
ifconfig vlan4 192.168.4.1 netmask 255.255.255.0;
ifconfig vlan4 up

把下面的内容保存防火墙命令
iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT;
iptables -I INPUT -i vlan3 -j ACCEPT;
iptables -I FORWARD -i vlan3 -o vlan1 -j ACCEPT;
iptables -I INPUT -i vlan4 -j ACCEPT;
iptables -I FORWARD -i vlan4 -o vlan1 -j ACCEPT


c.设置-----------VLANs  
   下图仅供参考

d.设置----------基本设置--------------网络地址服务器设置 (DHCP)
  下图仅供参考

4.修改完毕之后重启，reboot或者重新上电。

5.这样几个网段的IP都可以同时上网了。

[ 本帖最后由 scutlxb 于 2007-11-9 16:08 编辑 ]

scutlxb

保留

[ 本帖最后由 scutlxb 于 2007-11-7 21:18 编辑 ]

lion2002

“5”  是 不是指 WAN 口？

scutlxb

不知道有无人懂  各vlan互访  应该怎样设置..............

Wy2

5可能是设置端口为自适应方式，各Vlan互访还要增加Vlan间路由

scutlxb

参考连接http://www.dd-wrt.com/wiki/index.php/Switched_Ports 中指名了5和5*代表的意思。

A little extra explanation regarding port 5: the switch that is built in to the router is a 6 port switch. The sixth port (numbered 5) is the only port not connected to an outside connector. Instead, it is directly connected to the et0 interface on the motherboard. Port 5 must be included on any VLAN that must be visible to the CPU. The asterisk (*) signifies that the VLAN it is attached to is the default VLAN: if the switch receives a packet on port 5 that is not tagged it is put into the VLAN where the * is configured. Always make sure this is vlan0.

The WLAN interface does not support VLANs. It is, however, usually bridged to vlan0.

更多请看下面：
Switched Ports ，The Port Numbering Explained
The numbers mean the following:

WRT54G v4 & WRT54GS v3
0  = port 4
1  = port 3
2  = port 2
3  = port 1
4  = WAN
5  = CPU internal
5* = CPU internal default
WRT54G v2/v3 & WRT54GS v1/v2
0  = WAN
1  = port 1
2  = port 2
3  = port 3
4  = port 4
5  = CPU internal
5* = CPU internal default
WRT54GL v1.1
0  = port 4
1  = port 3
2  = port 2
3  = port 1
4  = WAN
5  = CPU internal
5* = CPU internal default

看了上面的解析和ifconfig命令之后的结果，得到自己的wrt54g v2.2各端口默认的意思。
The variable vlan0ports equals to the natted LAN side. Correspondently vlan1ports refers to the WAN side, outside the router's internal NAT addressing scheme.

vlan1ports 对应着 wan
vlan0ports 对应着 lan
运行下面的命令就知道
#nvram show | grep vlan0
回车之后，就看到vlan0ports=。。。。。那些端口就是lan 。
#nvram show|grep vlan1   
（wan 端口）

[ 本帖最后由 scutlxb 于 2007-11-9 13:35 编辑 ]

kasimir

这篇很不错 实用啊

scutlxb

上传一个附件，内容就是上面讲的差不多。

《DD-WRT - Detached Networks by Ethernet Ports》 通过网口分离网络。

DD-WRT - Detached Networks by Ethernet Ports:
This will separate the ports on the back of your router and allow you to create individual networks that can’t see each other but that can still browse the internet.
Note: Anything with < > around it needs supplemental information…
Note: Anything with “ “ around it needs to be typed exactly as stated, except items in < >…
Assumptions:
1.        You have DD-WRT v23 SP2 installed and working to your liking.
2.        You know the Login & Password for web administration.
3.        Your running a Microsoft based operating system.
How will this work?
1.        First it separates the ports from each other.
2.        It activates a DHCP server for each.
3.        We tell the DD-WRT that we have changed the VLANs.
Procedure:
1.        Open the “Command Prompt” and type “telnet <ip address of router>”
a.        Login =  “root” / Password = “<web admin password>”
2.        Copy the following script and paste on the command line
a.        Note: To paste in the command prompt… Right click on the Command Prompt background and go to “Paste”.
b.        Note: You don’t have to separate all of the ports, remove the sections that don’t apply to your needs and make sure to add that port in to the very first line of text to copy. Example: if you don’t want port 2 to be on its own network and would like to share that port with port 1 then the first line would read: “nvram set vlan0ports=”1 2 5*”, and just delete the sections that apply to vlan2.
c.        Text to copy:
nvram set vlan0ports="1 5*"
nvram set vlan2ports="2 5*"
nvram set vlan3ports="3 5*"
nvram set vlan4ports="4 5*"

nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin{PATH}"

ifconfig vlan2 <router address on vlan> netmask 255.255.255.0
ifconfig vlan3 <router address on vlan> netmask 255.255.255.0
ifconfig vlan4 <router address on vlan> netmask 255.255.255.0

ifconfig vlan2 up
ifconfig vlan3 up
ifconfig vlan4 up

'
nvram set rc_firewall='

iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j logdrop

iptables -I INPUT -i vlan3 -j ACCEPT
iptables -I FORWARD -i vlan3 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan3 -j logdrop

iptables -I INPUT -i vlan4 -j ACCEPT
iptables -I FORWARD -i vlan4 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan4 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan4 -j logdrop
'
nvram commit
3.        Open the Web Administration of the router by going to its IP address then:
a.        Administration Tab &#61664; Services Tab &#61664; Under DNSMasq paste the following:
interface=vlan2
dhcp-range=<start ip>,<end ip>,<net mask>,<lease time>
interface=vlan3
dhcp-range=<start ip>,<end ip>,<net mask>,<lease time>
interface=vlan4
dhcp-range=<start ip>,<end ip>,<net mask>,<lease time>
b.        Click on “Save Settings”
c.        Setup Tab &#61664; VLANs
i.        Set “Port 2” to “VLAN 2”
ii.        Set “Port 3” to “VLAN 3”
iii.        Set “Port 4” to “VLAN 4”
d.        Click on “Save Settings”
4.        Go Back to the “Command Prompt”
(Note: it may have lost connection, if so just log back in as described above)
a.        Type “reboot”
5.        Now test your networks…

Here is an example setup:
Telneting:
nvram set vlan0ports="1 5*"
nvram set vlan2ports="2 5*"
nvram set vlan3ports="3 5*"
nvram set vlan4ports="4 5*"

nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin{PATH}"

ifconfig vlan2 10.0.2.1 netmask 255.255.255.0
ifconfig vlan3 10.0.3.1 netmask 255.255.255.0
ifconfig vlan4 10.0.4.1 netmask 255.255.255.0

ifconfig vlan2 up
ifconfig vlan3 up
ifconfig vlan4 up

'
nvram set rc_firewall='

iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j logdrop

iptables -I INPUT -i vlan3 -j ACCEPT
iptables -I FORWARD -i vlan3 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan3 -j logdrop

iptables -I INPUT -i vlan4 -j ACCEPT
iptables -I FORWARD -i vlan4 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan4 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan4 -j logdrop
'
nvram commit
DNSMasq Box:
interface=vlan2
dhcp-range=10.0.2.51,10.0.2.254,255.255.255.0,1440m
interface=vlan3
dhcp-range=10.0.3.51,10.0.3.254,255.255.255.0,1440m
interface=vlan4
dhcp-range=10.0.4.51,10.0.4.254,255.255.255.0,1440m

fatxing

好高深，暂时看不明～谢谢LZ分享

server789

好东西,看了就要顶.

89crd2

不支持Vlan的交换机型片也可以实现以上功能？

marcolin

原帖由 89crd2 于 2008-1-10 13:24 发表
不支持Vlan的交换机型片也可以实现以上功能？

bcm5325这些芯片是不可能实现的

boy516

我就用5325芯片做的vlan  结合advance routing 并成功 看来5325是支持VLAN的

如果想VLAN访问开启RIP试试

hsyah

那個確定ok....我也成功的運作中 , vlan + dhcp


但linksys wrt54g 的trunk (802.1q)無法成功 , 我使用port 3 4 (trunk)再接cisco 3750 (trunk 802.1q) , 3750 上有vlan 1 vlan 2 vlan 3 vlan 4 , 但都無法正常取得dhcp

我使用cisco 1841 trunk +multi dhcp   配合3750 trunk (vlan1 -4 ) , 都可以正常使用vlan 及dhcp 取得各vlan 的dhcp ip


使用linksys  wrt54g v2  的trunk 功能
我參考  以下 , 成功
http://www.geek-pages.com/articl ... /l_with_dd-wrt.html

相關設定
https://www.right.com.cn/forum/v ... 6597&highlight=

[ 本帖最后由 hsyah 于 2008-12-4 19:42 编辑 ]