April 10th, 2007


I win over the Linksys

So, we have a number of public IPs, 8 of them in fact, but they are still on a /24. We have a network internally that is just switched into the ADSL port, and all machines in there have public IPs. (Printers and Airports and so on have private IPs, and the machines that needed access are multihomed.)

I wanted a way to see our outbound and inbound network streams, so I started looking around for a smart switch that could give me the data using SNMP (I wasn't at all hoping for NetFlow). I couldn't find one for less than a few hundred bucks, which didn't seem worth it; however, I recalled that Brian Aker (krow) had raved about the DD-WRT Linksys WRT54GL, so since I had one for the public net, I figured I might try. From the UI it wasn't possible, but with some Linux work and a few hours I could get it to do so. I do agree that it would be nice to get this kind of flexibility on something with more than 5 switch ports.

I bridged a port to be the same as the WAN port, I routed it through the CPU, I enabled rflow (NetFlow), and I did some shenanigans as seen below to make it work.

# 0 = port 4
# 1 = port 3
# 2 = port 2
# 3 = port 1
# 4 = WAN port
# 5 = CPU port (* means it is sending all traffic there, I think)
# this configures the switch so that tagged stuff
nvram set vlan0ports='0 1 2 5*'
nvram set vlan1ports='4 5'
# note the * is needed here because the CPU needs to see the traffic (I think)
nvram set vlan2ports='3 5*'

# vlan1 is going to map to the WAN port
# vlan2 is going to map to switch port 1

# set the startup script
nvram set rc_startup='
# you need to remove the IP from the public port
ip a del dev vlan1

# create a new bridge and add vlan1 and vlan2 to it
brctl addbr public
brctl addif public vlan1
brctl addif public vlan2

# add the public address to the bridge
ip a add dev public
# in our case we have an Airport Express management network that I want to route as well
ip a add dev public

# turn them up
ip link set vlan2 up
ip link set vlan2 multicast on
ip link set public up
# tell the machine about our default gateway
# this is for the NATted people on vlan0 and wifi (bridged together as br0)
ip r add default via
'

nvram set rc_firewall='
# delete the standard DD-WRT NAT rule
iptables -v -v -t nat -D POSTROUTING 1
# set up a NAT rule for the source IPs that you want to NAT
# ignoring where they came from
# in our case one is from the open wifi
# and the other is the Airport management network
iptables -t nat -I POSTROUTING 1 -j SNAT -s --to-source=
iptables -t nat -I POSTROUTING 1 -j SNAT -s --to-source=
'

# write the settings to flash so they survive a reboot
nvram commit

And now it works: all traffic passes through the box and the CPU (no load problems that I can see), which means the rflow collector works and reports on all our network traffic that is leaving the building (or transiting between the machines). Since it turns out the Linksys is a smart switch plus a CPU, you can get the monitoring I wanted from a $50 device instead of a $500 device! (Thanks again for the inspiration, krow)
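On the collector side, here is an added example (not code from the post) of decoding what the router sends once rflow is on: it assumes rflow exports plain NetFlow v5 datagrams over UDP, and it builds a constructed two-flow sample inline so it runs without a router.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = \
        struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    # A truncated or padded datagram is a sign of a broken exporter or a spoofed packet.
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "bytes": octets, "in_if": in_if,
                      "out_if": out_if, "tcp_flags": tcp_flags, "seq": seq})
    return flows


def top_talkers(flows: list) -> dict:
    """Bytes per source address: the 'who is sending out of the building' view."""
    totals = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"]
    return totals


def build_sample_datagram() -> bytes:
    """Constructed sample (not real traffic): one HTTP flow and one DNS flow."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1176163200, 0, 42, 0, 0, 0)

    def rec(src, dst, sport, dport, proto, pkts, octets):
        return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                           b"\0\0\0\0", 1, 2, pkts, octets, 1000, 2000,
                           sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 0, 0)

    return (header + rec("192.0.2.10", "198.51.100.80", 51234, 80, 6, 12, 4800)
            + rec("192.0.2.11", "198.51.100.53", 40000, 53, 17, 1, 70))
```

Feed the same function the payload of each UDP datagram arriving on the rflow collector port to get the per-flow view the post describes.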