Standard User danielowenuk
(fountain of knowledge) Wed 28-May-14 11:31:48

Tomato Firmware VLAN question


I have two wireless SSIDs that use separate VLANs: one for adults that uses the ISP's DNS, one for kids that uses OpenDNS.

All works fine for the kids iPads etc.

Problem is they both have XBMC in their bedrooms and control these via their iPads; the XBMCs are on the adult VLAN.

How can I link one VLAN to the other?

Bridge  STP       IP Address    Netmask        DHCP     IP Range (first/last)  Lease Time (mins)
br0     Disabled  192.168.1.1   255.255.255.0  Enabled  192.168.1.2 - 51       1440
br1     Disabled  192.168.2.1   255.255.255.0  Enabled  192.168.2.2 - 254      1440
Standard User prlzx
(experienced) Wed 28-May-14 13:53:41

Re: Tomato Firmware VLAN question


[re: danielowenuk]
 
(link the VLANs together) in the literal sense of allowing any traffic to pass between them, then this ends up as not really 2 separate networks at all.

However, if you just want the iPads (or other IP remotes) to be able to control XBMC, you have a couple of other choices.

(a) move the XBMCs that are in their bedrooms into the kids' VLAN
(this sounds like the logical option given how you divided the networks and will apply the OpenDNS filtering to the media centres' internet access)

(b) look at the TCP/UDP ports needed to control XBMC (depending what iPad apps are being used)
and add firewall rules to allow from the kids' VLAN to the XBMC IPs with those destination ports.

For example on XBMC Gotham you could start with 3 TCP ports - 80 (http), 8080 (http) and 9090 (json-rpc-api).
You can test by browsing to the XBMC web server address (as per settings) and check you see the remote control interface.
For Android users, Yatse would be a good remote and would show if you have the right settings.

This should work for just remote control, but if it is for streaming or DLNA that is more likely to work with option (a), as that can use dynamically assigned UDP ports.



prompt $P - Invalid drive specification - Abort, Retry, Fail? $G
prlzx on iDNET: ADSL2+ / 21CN at ~4Mbps / 700kbps with IP4/6

Edited by prlzx (Wed 28-May-14 13:54:41)

Standard User danielowenuk
(fountain of knowledge) Wed 28-May-14 21:47:50

Re: Tomato Firmware VLAN question


[re: prlzx]
 
Option (a) isn't possible: I have a NAS on the adult VLAN that provides content, so even if I did move them to the kids' VLAN I would need to get the XBMCs to talk across VLANs anyway.

Option (b), however, I think will solve it. I tested port forwarding earlier with a source of 192.168.2.2 (child A's iPad), forwarding port 80 to 192.168.1.2 (child A's XBMC); all worked fine.

This will mean having custom control ports per XBMC and setting reservations in DHCP, but that's not too much drama.

Thanks for the advice.



Standard User prlzx
(experienced) Thu 29-May-14 03:03:46

Re: Tomato Firmware VLAN question


[re: danielowenuk]
 
Shouldn't need "port forwarding" as you aren't doing NAT between the two VLANs, only between the VLANs and the internet (WAN to LAN would be a port forward also known as a DNAT).

In other words, you should not need to use different ports for each XBMC. That is for when you only have 1 WAN IP and need to forward the internet to more than one device.

You just need to allow (a pass rule) the children's LAN IPs to reach the destination ports (80 etc) on XBMC LAN IPs, which are firewall rules but not NAT.

I've not looked at Tomato firmware to see what it calls this. Smoothwall used to talk about pinholes.

But yes absolutely DHCP reservations are the way to go for devices providing services to the network (NAS too).




Edited by prlzx (Thu 29-May-14 03:08:11)

Standard User danielowenuk
(fountain of knowledge) Thu 29-May-14 23:39:08

Re: Tomato Firmware VLAN question


[re: prlzx]
 
I was under the impression that this would be required as this was one network to another, but happy to be wrong.

I have had a quick read up on firewall rules and set

iptables -I FORWARD -i br1 -p tcp --dport 80 -s 192.168.2.3 -d 192.168.1.3 -j ACCEPT

which I think should allow traffic from br1 (kids' VLAN), where the protocol is TCP, the port is 80, the source is the kids' iPad and the destination is the kids' XBMC, to be accepted.

It doesn't work, but it looks fancy.

I will have another read when I have had more sleep and can figure it out, but thanks for steering me in the right direction; it's helping me google the right things.
Standard User danielowenuk
(fountain of knowledge) Fri 30-May-14 14:19:41

Re: Tomato Firmware VLAN question


[re: danielowenuk]
 
Hmm, now it's fully confusing me. The iptables look like the below; I can connect from the kids' VLAN to 192.168.1.2 but not 192.168.1.3 etc. I can't see a logical reason why .2 works but nothing else does!

Chain INPUT (policy DROP 19 packets, 2433 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   401 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 1495  372K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    40 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  219 14981 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
   10   560 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br1    br1     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 1205 72164 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 107K   46M monitor    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
 246K  203M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  br0    br1     0.0.0.0/0            0.0.0.0/0
    0     0 wanin      all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 1829  161K wanout     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
 1438  136K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
  480 30840 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0

Edited by danielowenuk (Fri 30-May-14 14:58:31)

Standard User danielowenuk
(fountain of knowledge) Wed 11-Jun-14 17:34:49

Re: Tomato Firmware VLAN question


[re: danielowenuk]
 
Not that this will affect many people but I did eventually find the solution.

Whilst the router iptables were allowing the connection, the XBMC's iptables only allowed incoming connections from the same subnet; adding a rule on those to allow 192.168.2.x fixed the problem, and it's all working fantastically now.
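As an added illustration (not code from the thread, from Tomato, or from XBMC), a small first-match evaluator run over the router's FORWARD chain posted above, chained with a constructed model of the XBMC host's INPUT chain before and after the pass rule from the final post. It shows why the router was never the blocker (its last rule already accepts everything arriving on br1) and that the per-source pass rule prlzx describes belongs on the host in this setup; the host chain contents and the treatment of Tomato's user chains as fall-through are my assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str = "*"
    out_if: str = "*"
    state: str = "NEW"
    dport: int = 80

def _match(rule, pkt):
    """Does one iptables rule (a dict of match fields) match this packet?"""
    return (rule.get("in", "*") in ("*", pkt.in_if)
            and rule.get("out", "*") in ("*", pkt.out_if)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.get("src", "0.0.0.0/0"))
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.get("dst", "0.0.0.0/0"))
            and (rule.get("state") is None or pkt.state in rule["state"])
            and (rule.get("dport") is None or rule["dport"] == pkt.dport))

def verdict(chain, policy, pkt):
    """First terminating match wins, otherwise the chain policy applies.
    Assumption: TCPMSS (non-terminating) and the Tomato user chains monitor,
    wanin and wanout fall through; for LAN-to-LAN packets that is accurate
    because those chains are only entered for ppp0 traffic."""
    for rule in chain:
        if _match(rule, pkt) and rule["target"] in ("ACCEPT", "DROP"):
            return rule["target"]
    return policy

# The router's FORWARD chain, transcribed from the iptables -L -v output in the thread.
ROUTER_FORWARD = [
    {"target": "ACCEPT", "in": "br0", "out": "br0"},
    {"target": "ACCEPT", "in": "br1", "out": "br1"},
    {"target": "DROP", "state": {"INVALID"}},
    {"target": "TCPMSS"},
    {"target": "monitor", "out": "ppp0"},
    {"target": "ACCEPT", "state": {"RELATED", "ESTABLISHED"}},
    {"target": "DROP", "in": "br0", "out": "br1"},
    {"target": "wanin", "in": "ppp0"},
    {"target": "wanout", "out": "ppp0"},
    {"target": "ACCEPT", "in": "br0"},
    {"target": "ACCEPT", "in": "br1"},
]
# Constructed model of the XBMC box's INPUT chain: same subnet only (before the fix)...
XBMC_INPUT_BEFORE = [{"target": "ACCEPT", "src": "192.168.1.0/24"}]
# ...and after adding the pass rule for the kids' VLAN (192.168.2.x).
XBMC_INPUT_AFTER = XBMC_INPUT_BEFORE + [{"target": "ACCEPT", "src": "192.168.2.0/24"}]

def end_to_end(pkt, host_chain):
    """Verdict at the router (FORWARD), then at the XBMC host (INPUT)."""
    router = verdict(ROUTER_FORWARD, "DROP", pkt)
    host = verdict(host_chain, "DROP", pkt) if router == "ACCEPT" else "not reached"
    return router, host
```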