View the full version : 3 wan for 1 lan, 1 dmz and 1 wifi

18-05-2008, 20:59
I'm trying to have this kind of network :

[ASCII network diagram, garbled in extraction: a public side labelled "W-Public" feeding the boxes for the interfaces described below]

That is :
- 3 virtual WAN interfaces (my ISP gives me 4 public IP via dhcp)

- the first one (aka wan_1) is bridged on DMZ directly, without firewall or dhcp server (there's only ONE computer in DMZ, and this one should have wan_1 IP directly.)

- the second one (aka wan_2) is bridged on LOCAL directly, without any firewall or dhcp (there will be a server just behind it, which will provide DNS, dhcp and other services for my LAN)

- the third one (aka wan_3) is linked on wifi. wifi interface will have a dhcp, QoS and so on as it's a public access (and therefor NO link between this interface and dmz/lan will be provided)

The MONIT interface should be the only one to provide direct access through SSH on the asus... but it's a "bonus", if only LOCAL can access it, that's nice too :->

I tried to find docs, howtos, forum threads, but no luck. After having flashed my asus-wl500gp 5 times and lost it, I think I can maybe ask for help :)

So if anyone among you has an idea on how to do this.... or a doc link...

Thanks in advance !

19-05-2008, 23:12
Well, you are talking about several virtual wan interfaces, but nothing about what they look like - e.g. one line or 4 lines.
According to your drawing, I'm assuming you have 3 ethernet lines (wan), maybe to a switch, and 1 line to your provider. You told us nothing about your kind of connection - dial in, bridge or something else.....

-wan1: is just nothing, connect your device/pc directly to wan1, using dhcp
-wan2: is just behind a nat (network address translation), usually your server should handle this (Local 192.168.x.y), if not possible use a simple router and connect to wan2 (dhcp)
-wan3: is just a simple asus router or any other wireless device (dhcp)
-MONIT: doesn't make any sense to me - access to what? Your network or any device or asus, what do you wanna do with ssh?

hint: flashing firmware doesn't mean you get a full configuration for a network. But reading something should solve any problem shortly.
Have fun....

20-05-2008, 08:33
hi again!
sorry, my schema wasn't really clear....

I have only one wlan physical interface -> wan_1 wan_2 and wan_3 will be virtual interfaces.

In fact, lan->wan is ok, I have a connection on it.
I tried to put a dmz, but no luck: no internet on it.

Here's what I have :

#### VLAN configuration
config switch eth0
#option vlan0 "1 2 3 4 5*"
#option vlan1 "0 5"
option vlan0 "1 2 3 5*"
option vlan1 "0 5"
option vlan2 "4 5"

#### Loopback configuration
config interface loopback
option ifname "lo"
option proto static
option ipaddr
option netmask

#### LAN configuration
config interface lan
option type bridge
option ifname "eth0.0"
option proto static
option ipaddr
option netmask

#### WAN configuration
config interface wan
option type bridge
option ifname "eth0.1"
option proto dhcp

#### DMZ configuration
config interface dmz
option type bridge
option ifname "eth0.2"
option proto static
option ipaddr
option netmask

config dhcp
option interface lan
option start 100
option limit 150
option leasetime 12h

config dhcp
option interface dmz
option start 10
option limit 15
option leasetime 12h

config dhcp
option interface wan
option ignore 1

My computer in dmz has an ip, in correct range.

(final aim is that computers connected to my asus will have ISP IPs.)

MONIT interface is to access the asus, as I want it to be transparent and to be accessed only by this port. It's a physical ethernet port. But for now, it's a bonus, I want the rest to work first ^^'

20-05-2008, 22:38
Anyway your network config is not a usual one and maybe a very dangerous config.
Use a switch and connect everything as written above.
Consider, that you can get up to 4 ips from your isp, hence it means you should have up to 4 devices requesting dhcp (clients).
SSH on Asus is simple: use dropbear and any tutorial on how to install everything.
Further, consider at any time that such an "open" config is a party for any hacker. And you must install firewalls, nats and more for each network or device. Why do you wanna have everything separated? Use portforwarding instead of an "open" network.
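An added check, not from the thread and not part of OpenWrt: a small linter for the kind of /etc/config sections posted above that reports the two things the last reply warns about, a switch port assigned to more than one VLAN, and an interface (here the dmz) bridged straight onto the ISP-facing VLAN without NAT or firewall, possibly with a DHCP server answering on it. The switch port roles (port 0 toward the ISP, port 5 as the CPU port) are an assumption taken from the stock vlan1 "0 5" line, and the sample configs are constructed from the posted sections.

```python
import re
# Constructed sample in the shape of the /etc/config sections posted above (blank values
# omitted). Port roles are an assumption: port 0 faces the ISP, port 5 is the CPU port.
WAN_PORT, CPU_PORT = "0", "5"
POSTED = """
config switch eth0
option vlan0 "1 2 3 5*"
option vlan1 "0 5"
option vlan2 "4 5"
config interface wan
option ifname "eth0.1"
config interface dmz
option ifname "eth0.2"
config dhcp
option interface dmz
config dhcp
option interface wan
option ignore 1
"""
# The first post's goal: switch port 4 moved into the WAN VLAN and dmz bridged onto it.
BRIDGED = POSTED.replace('"0 5"', '"0 4 5"').replace('option vlan2 "4 5"\n', '').replace('"eth0.2"', '"eth0.1"')

def parse_uci(text):
    """Split 'config <type> [name]' / 'option <key> <value>' lines into sections."""
    sections = []
    for line in text.splitlines():
        if m := re.match(r'\s*config\s+(\S+)\s*(\S*)', line):
            sections.append({"type": m[1], "name": m[2], "opt": {}})
        elif (m := re.match(r'\s*option\s+(\S+)\s*(.*)', line)) and sections:
            sections[-1]["opt"][m[1]] = m[2].strip().strip('"')
    return sections

def audit(text):
    """Report switch-port overlap and interfaces bridged onto the ISP-facing VLAN."""
    sections, findings, owners = parse_uci(text), [], {}
    vlans = {k[4:]: v.split() for s in sections if s["type"] == "switch"
             for k, v in s["opt"].items() if k.startswith("vlan")}
    for vid, ports in vlans.items():  # an untagged non-CPU port belongs to one VLAN only
        for p in [p for p in ports if not p.endswith("*") and p != CPU_PORT]:
            owners.setdefault(p, []).append(vid)
    findings += [f"port {p} in several VLANs {v}" for p, v in owners.items() if len(v) > 1]
    served = {s["opt"].get("interface") for s in sections
              if s["type"] == "dhcp" and s["opt"].get("ignore") != "1"}
    for s in sections:
        if s["type"] == "interface" and s["name"] != "wan":
            vid = s["opt"].get("ifname", "").rpartition(".")[2]
            if WAN_PORT in [p.rstrip("*") for p in vlans.get(vid, [])]:
                findings.append(f"{s['name']} is on the WAN VLAN, unfiltered")  # no NAT/firewall
                if s["name"] in served:  # the router would hand out leases toward the ISP
                    findings.append(f"{s['name']} DHCP server answers on the WAN VLAN")
    return findings
```

Running `audit(POSTED)` returns no findings, while `audit(BRIDGED)` flags the dmz as exposed and its DHCP server as answering on the ISP side.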