Guest VLAN w/ Linksys E3000 & TomatoUSB

I decided to upgrade my router to dual-band N, mainly so my backups could be done quicker. I settled on the E3000, and loaded TomatoUSB on it. It was a mostly seamless transition, with only a couple of caveats:

  • It consumes considerably more power than the WRT54G-TM it replaced, so much so that I could no longer back it up with my Cyberpower Phonesaver (a kind of mini-UPS that only outputs DC, designed for cordless phones). I’ve since settled on a standard, albeit small, UPS.
  • It runs a bit warm, so I placed standoffs underneath it to improve ventilation.

So, the WRT54G-TM sat unused for a few months, until the ridiculous requirement came about that, for a particular Nintendo DS game (Animal Crossing Wild World), I had to set up a WEP access point! Therefore, a secure and isolated guest network was necessary. A similar setup exists at my parents’ house to support the same game.

I used the following guide, along with this one; the following changes are required to support the E3000:

  • vlan2 is used as the WAN, so this guest network has to be created on vlan3
  • The port assignments start with the WAN as port 0 (backwards from the WRT54G); therefore the port furthest from the WAN port, which will carry the guest network on vlan3, is port 4
  • The CPU on the E3000 is port 8, not port 5 as it is on the WRT54G
  • The init script needs to refer to vlan3, not vlan2
  • The firewall script needs to refer to vlan3, not vlan2, and on the second line, where vlan1 is mentioned, it needs to read vlan2 (the E3000’s WAN)
  • The DHCP configuration needs to refer to vlan3
  • The first QoS rule is that anything from the vlan3 subnet is classified as the lowest priority
  • Assign a static DHCP address on the main router for the guest router’s WAN address
  • Forward an arbitrary range (I’m trying a mere 10) of UDP ports to the guest router so the game works.
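The list above is the whole procedure in words; here is the same set of E3000 changes in script form, as an added example that is neither the linked guide’s script nor the author’s. It assumes the E3000 defaults of LAN on vlan1 bridged as br0, WAN on vlan2, switch ports 1–3 staying on the LAN after port 4 moves to the guest VLAN, CPU on port 8, and a constructed guest subnet of 192.168.3.0/24. With DRY_RUN=1 it prints the commands instead of running them, so the rules can be reviewed on a desktop before being pasted into the router.

```shell
#!/bin/sh
# Added example: TomatoUSB guest VLAN on a Linksys E3000 in script form.
# Not the linked guide's script nor the post author's. Assumptions (not on the page):
#   - LAN is vlan1 bridged as br0, WAN is vlan2, CPU is switch port 8
#   - LAN keeps switch ports 1-3 once port 4 is moved to the guest VLAN
#   - guest subnet 192.168.3.0/24 (constructed value)
# DRY_RUN=1 prints the commands instead of executing them, for off-router review.

GUEST_IF=vlan3
WAN_IF=vlan2
LAN_IF=br0
GUEST_IP=192.168.3.1
GUEST_NET=192.168.3.0/24

# run: execute a command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# current: read an nvram variable (empty under DRY_RUN, there is no nvram off-router)
current() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    nvram get "$1"
}

# Init script: put switch port 4 on vlan3 (tagged to the CPU on port 8) and take it
# out of the LAN VLAN. The port map is read at boot, so commit once and reboot after
# the first run; on later boots the nvram writes are skipped.
guest_init() {
    if [ "$(current vlan3ports)" != "4 8" ]; then
        run nvram set vlan3hwname=et0
        run nvram set vlan3ports="4 8"
        run nvram set vlan1ports="1 2 3 8*"
        run nvram commit
    fi
    run ifconfig "$GUEST_IF" "$GUEST_IP" netmask 255.255.255.0 up
}

# Firewall script: guests may talk to the router itself only for DHCP and DNS, may be
# forwarded only to the WAN (vlan2 on the E3000, where the guide had vlan1), and never
# to the LAN bridge in either direction. iptables -I prepends, so the DROP rules go in
# first and the ACCEPT exceptions land above them. The UDP port forwards for the game
# are done in the Port Forwarding page as the post describes, not here.
guest_firewall() {
    run iptables -I INPUT -i "$GUEST_IF" -j DROP
    run iptables -I INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    run iptables -I INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    run iptables -I INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT

    run iptables -I FORWARD -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -I FORWARD -i "$WAN_IF" -o "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -I FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    run iptables -I FORWARD -i "$LAN_IF" -o "$GUEST_IF" -j DROP
    run iptables -t nat -I POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

# Dnsmasq custom configuration: a DHCP pool on vlan3 with the router as gateway.
# The guest router's WAN gets its static lease from the main router's UI as the post
# describes. The bare-interface tag form is what Tomato's dnsmasq accepts (assumed).
guest_dnsmasq_conf() {
    cat <<EOF
interface=$GUEST_IF
dhcp-range=$GUEST_IF,192.168.3.2,192.168.3.50,255.255.255.0,24h
dhcp-option=$GUEST_IF,3,$GUEST_IP
EOF
}

# Usage: paste guest_init into Administration > Scripts > Init, guest_firewall into
# Firewall, and the guest_dnsmasq_conf output into Dnsmasq custom configuration.
# Off the router: DRY_RUN=1 sh guest-vlan.sh init|firewall|dnsmasq
case "${1:-}" in
    init)     guest_init ;;
    firewall) guest_firewall ;;
    dnsmasq)  guest_dnsmasq_conf ;;
esac
```

The one design point worth noting is the INPUT chain: the guest VLAN is dropped from reaching the router first, and only DHCP and DNS are re-opened, so the web admin, SSH and telnet on the main router are unreachable from the guest side regardless of what the guest router behind port 4 does.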

The guest router is set up relatively close to the main router, but they are separated by a couple of meters in an effort to reduce interference. I used the following settings:

  • Low TX power (10mW, may be reduced further)
  • Ch11 (my main is channel 1, so there shouldn’t be any interference)
  • It is also set to be B only (no G, no mixed)
  • Basic Rate of 1-2Mbps
  • Transmission Rate of 1Mbps
  • No telnet, SSH, or wireless web admin access
  • Remote admin access with HTTPS enabled
  • MAC filtering to only allow the Nintendo 3DS in question
  • Static DHCP address assigned to 3DS
  • 3DS’ IP address is set up as the DMZ

You will note that several settings on the guest router (in addition to the QoS on the main) are specifically there to reduce available bandwidth. This particular game consumes very little, and the limitations serve to discourage anyone who took the small amount of trouble of hacking WEP & MAC filters from sticking around to leech bandwidth. These days it could be cracked in under a minute. The reduced bandwidth may also allow the TX power level to be reduced even further, since the smaller the footprint one broadcasts, the less likely you’ll be seen to begin with. In the same spirit of reduced footprint, the router is off most of the time, and only turned on for the game via those convenient remote power outlets that run on 433.92MHz.

With the NAT rules presently on the main router, the guest router can only be reconfigured with some SSH port forwarding via the main router or by physically plugging a laptop into the guest LAN.

This “animal crossing” router can easily become a more generic “guest” router by disabling the MAC filtering, boosting the TX power, removing the bandwidth limitations, and changing the security to anything-but-WEP, since 26-character hex strings are extremely unpopular.