Hi, I am looking to configure an AR-150 as a wired-only router, using just the LAN and WAN ports. There is no need for Wi-Fi in this application.
One network port would connect to a private local area network (gateway is 192.168.1.254) for internet access and management of the AR-150, while the second port passes internet traffic only (must be isolated from the private network) on a separate subnet (e.g. 10.20.30.x) with DHCP. In this way, the isolated port may be connected to a remotely-sited switch for ‘guest’ wired and Wi-Fi AP distribution.
Any pointers to achieve this would be much appreciated. Thank you.
Question: you said you don’t need Wi-Fi, only two LAN ports. But as your two LAN ports are connecting to two different networks, how do you use the devices then? It seems you still need to use wireless in order to let the router work.
This can be done using VLANs. You can make two VLANs, with each VLAN bound to one port.
Thank you for your reply. Hopefully I can explain what I am trying to achieve. The AR-150 is being used to create an isolated barrier between two LANs. The private LAN (subnet 192.168.1.xxx) must not be accessible by the public LAN (subnet 10.20.30.xxx). Only internet traffic provided by the private gateway (192.168.1.254) can pass through the router (HTTP, HTTPS, email, selected ports, etc.). All other traffic must be blocked. The public LAN will include a DHCP server, offering, for example, an address range of 10.20.30.100 to 10.20.30.200.
There is no need to enable the internal Wi-Fi, as this isn’t going to be used. Wi-Fi and cabled connectivity will be provided separately on the public LAN side via an 8-port switch. In this application, it doesn’t matter which Ethernet port is assigned to which duty, as long as the functionality is achieved. To manage the AR-150 via SSH or the LuCI web interface, it would be more secure to have this access available via the private LAN side.
I will investigate the use of VLAN to achieve this. This will be defined in the interfaces section, I presume. I will also need to configure the firewall. Should I be using bridging or NAT?
This is possible. If you want to isolate the guest network, you need to set a firewall rule in the AR150 to drop all the packets to 192.168.1.x addresses except for the gateway. This can be done using iptables.
I don’t know if there are any other easy solutions.
After a long delay in getting back to this project, I tried your WAN/LAN connection and iptables suggestion. However, it didn’t block the 192.168.1.xxx subnet. I can still access the Private LAN servers from the Guest LAN side.
To make the iptables persistent, I placed the following at the top of /etc/firewall.user:
iptables -A OUTPUT -p all -d 192.168.1.0/24 -j DROP
also tried:
iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
Following a reboot:
root@GL-AR150:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
delegate_input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
delegate_forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
delegate_output all -- anywhere anywhere
DROP all -- anywhere 192.168.1.0/24
Chain MINIUPNPD (1 references)
target prot opt source destination
Chain delegate_forward (1 references)
target prot opt source destination
forwarding_rule all -- anywhere anywhere /* user chain for forwarding */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
reject all -- anywhere anywhere
etc…
While I cannot browse the private LAN, I can, for example, access a private server directly by typing ‘\\192.168.1.12’ (in Windows Explorer) and gain full access.
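The listing above shows why the posted rule has no effect: it sits in the OUTPUT chain, which only sees packets the router itself originates, while guest traffic crossing from one port to the other traverses FORWARD, where delegate_forward consults the user chain forwarding_rule first. The script below is an added example, not code from the thread or from GL.iNet; it assumes (my assumptions, not stated in the thread) that the guest side is the OpenWrt "lan" zone on 10.20.30.0/24, the private side is the "wan" zone on 192.168.1.0/24, and 192.168.1.254 is the only private host guests are allowed to reach. It emits the lines for /etc/firewall.user, can apply them when run as root on the router with the argument "apply", and includes a check that can be run against the text of "iptables -S forwarding_rule" so the rule placement can be verified after a reboot.

```shell
#!/bin/sh
# Added example (not from the thread or GL.iNet): isolate the guest subnet on
# an OpenWrt-based AR150 by filtering FORWARDED traffic, not router OUTPUT.
# Assumed addressing (override via environment if yours differs):
GUEST_NET="${GUEST_NET:-10.20.30.0/24}"     # guest side, OpenWrt "lan" zone
PRIVATE_NET="${PRIVATE_NET:-192.168.1.0/24}" # private side, OpenWrt "wan" zone
PRIVATE_GW="${PRIVATE_GW:-192.168.1.254}"    # only private host guests may reach

# Emit the rules destined for /etc/firewall.user. They are appended to the
# user chain "forwarding_rule", which delegate_forward evaluates before its
# RELATED,ESTABLISHED accept and before the zone chains, so a guest packet
# aimed at the private subnet is dropped before any zone policy accepts it.
# Order matters with -A: the gateway exception must come before the DROP.
guest_isolation_rules() {
    cat <<EOF
# allow the private gateway itself (e.g. if it also serves DNS); drop this line if not wanted
iptables -A forwarding_rule -s $GUEST_NET -d $PRIVATE_GW -j ACCEPT
# everything else from the guest subnet into the private subnet is dropped
iptables -A forwarding_rule -s $GUEST_NET -d $PRIVATE_NET -j DROP
EOF
}

# Verify placement: $1 is the text of "iptables -S forwarding_rule" (passed
# in as a string so this can be checked offline or in a test). Returns 0 only
# when the DROP for the private subnet lives in forwarding_rule and the
# gateway ACCEPT precedes it; a rule parked in OUTPUT does not count.
check_isolation() {
    rules="$1"
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-A forwarding_rule -s $GUEST_NET -d $PRIVATE_NET -j DROP" | head -n1 | cut -d: -f1)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-A forwarding_rule -s $GUEST_NET -d $PRIVATE_GW -j ACCEPT" | head -n1 | cut -d: -f1)
    [ -n "$drop_line" ] || return 1
    [ -n "$accept_line" ] || return 1
    [ "$accept_line" -lt "$drop_line" ]
}

# Only touch the live firewall when explicitly asked and iptables exists
# (i.e. when run on the router as root): sh ignores the comment lines.
if [ "$1" = "apply" ] && command -v iptables >/dev/null 2>&1; then
    guest_isolation_rules | sh
fi
```

Running "sh isolate.sh" just prints the two rule lines to paste into /etc/firewall.user; "sh isolate.sh apply" installs them immediately. After a reboot, "iptables -S forwarding_rule" should show the ACCEPT followed by the DROP, and a guest host should still reach the internet while an attempt to open \\192.168.1.12 times out. The same effect can be expressed in /etc/config/firewall as two "config rule" entries with src lan, dest wan, dest_ip set to the gateway and the subnet respectively, and target ACCEPT and DROP, which survives firmware updates better than firewall.user. Note that this only filters the guest-to-private direction; connections from the private side into 10.20.30.x are already prevented by the NAT on the WAN port, and because OpenWrt's default wan zone rejects inbound connections to the router, managing it over SSH or LuCI from the private side needs explicit input rules for those ports on the wan zone.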