Monday, March 24, 2014

Isolating that evil computer in your home from your home LAN - Tagged VLAN DD-WRT in a WRT54GL

You might come to a situation where you must have a computer you cannot trust in your home network. It might be a computer with an evil proprietary OS, a work computer with proprietary software (read: spyware) or just your teenage daughter's computer...

There are several solutions: VLAN, WLAN, double gateways... all well covered by a quick Google search.

What if you want it to be cabled (not Wi-Fi) and you have one cable from your router to the location of the evil computer? Well, that is just VLAN (take a WRT54GL or compatible, flash dd-wrt, and separate the physical port of that cable from your LAN). That was easy!

But what if you have more computers that you trust and want in your LAN at the same location as the evil computer, and you still only have one cable? The solution (or at least the only solution I know) is tagged VLAN.

OK, but tagged VLAN is definitely not rocket science. Why dedicate a post to it? Well, what about out-of-the-box, from-the-GUI tagged VLAN using dd-wrt on a Linksys WRT54GL router? What about a second WRT54GL router at the other end to separate these VIDs? If you surf the net you will see that a lot of attempts at this end in failure. These are my two cents back to the community on this topic!!

The firmware

The first thing you have to know is that you cannot grab the latest recommended build from the dd-wrt homepage and expect tagged VLANs to work properly. They simply won't!!

A short caution note here: you cannot flash a dd-wrt ROM directly over the stock ROM. Follow the instructions for installing a dd-wrt ROM for the first time. Once you have a dd-wrt ROM on the device you can upgrade to another dd-wrt ROM without problems.

The image I have found to work in a WRT54GL is a contributed brainslayer rom - DD-WRT v24-sp2 (03/08/12) vpn (build 18687) - from the dd-wrt FTP.

Double-check that whatever you flash is compatible with your device. If you brick it, do not blame me.

So after the flashing, you should see this router information:



I recommend starting the configuration with a Factory reset. It may seem stupid, but the ways of the nvram are difficult to track. Do not say I did not warn you.

The tagged VLAN concept in dd-wrt

You can go and ask uncle Google what a tagged VLAN is, and it is probably good to do so. However, the first thing you need to know is that in dd-wrt the VID (the 802.1Q VLAN ID carried in the tag) is automatically set to the VLAN "number": VLAN3 gets VID=3, VLAN4 gets VID=4.

Main router

Look at the screenshot. My VLAN-tagged cable is on physical port 3. This cable goes to the location of the evil computer (and of the other trustworthy computers). This cable is "virtually two cables", each of which is "virtually connected" in the router to VID=3 and VID=4. VID=4 (VLAN4) is "virtually connected" to the LAN (see "assigned to bridge LAN"). VID=3 (VLAN3) is not connected to the LAN.



This VID is not the "tag number" that would appear in the "Tagging" section. There is no need to touch that for this tutorial.


"br0" is the LAN bridge (your LAN) and connects VID=4 to your trusted network (you will have to reboot your router so that the configuration takes effect. Do reboot before surfing the net for a solution to your weird problem). In my case it is 192.168.10.1 (as configured in the "Basic setup").

"br1" is the non-trusted bridge (you connect the all-evil to this bridge). We assign a separate IP address to it.

We also run a separate DHCP server for evil "br1" under "Services"->"Services".


So "all the evil" will get addresses in the 192.168.11.X range and "all the good" will get addresses in the 192.168.10.X range.

Firewall of main router

Well, we have to make sure good and evil get separated by firewalls, and also grant the evil access to the internet... Under "Administration"->"Commands", enter this configuration and "Save Firewall":

# Every rule is inserted (-I) at the TOP of its chain, so each line below is checked BEFORE the lines above it.
# vlan1 is the WAN interface (the one we SNAT to), br0 is the trusted LAN bridge, br1 the untrusted bridge holding vlan3.
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP     # no forwarding between VLAN interfaces by default...
iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT   # ...except towards the WAN...
iptables -I FORWARD -i vlan1 -o vlan+ -j ACCEPT   # ...and back from the WAN
iptables -I FORWARD -i br1 -o vlan1 -j ACCEPT     # the evil bridge may reach the internet
iptables -I FORWARD -i vlan1 -o br1 -j ACCEPT
iptables -I FORWARD -i vlan3 -o br0 -j DROP       # evil <-> trusted: never, in either direction
iptables -I FORWARD -i br0 -o vlan3 -j DROP
iptables -I FORWARD -i br1 -o br0 -j DROP
iptables -I FORWARD -i br0 -o br1 -j DROP
iptables -I INPUT -i vlan3 -j ACCEPT              # the evil side may talk to the router itself (needed for DHCP/DNS;
iptables -I INPUT -i br1 -j ACCEPT                #  note this also exposes the router's own admin services to br1)
iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -o vlan1 -j SNAT --to-source $(nvram get wan_ipaddr)   # NAT the evil subnet out of the WAN address

It might be a little bit overdone, but it works for me. Do you see a mistake? Is my fortress not as secure as I think? Tell me in the comments!!
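Because every rule above is entered with -I, the live chain is evaluated in the reverse of the typed order, which is easy to get wrong when you add a rule later. As an added example (not from the original post), here is a small POSIX sh checker that replays a constructed `iptables -S FORWARD` listing of the chain above and reports which rule wins for a given interface pair; the isolation_ok checklist is my reading of the post's intent, and the same check applies to the secondary router's rules further down.

```shell
# Added example (not from the post). Rules entered with -I are prepended, so the live chain
# runs in the REVERSE of the typed order. Constructed `iptables -S FORWARD` after the lines above:
GOOD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -i br0 -o br1 -j DROP
-A FORWARD -i br1 -o br0 -j DROP
-A FORWARD -i br0 -o vlan3 -j DROP
-A FORWARD -i vlan3 -o br0 -j DROP
-A FORWARD -i vlan1 -o br1 -j ACCEPT
-A FORWARD -i br1 -o vlan1 -j ACCEPT
-A FORWARD -i vlan1 -o vlan+ -j ACCEPT
-A FORWARD -i vlan+ -o vlan1 -j ACCEPT
-A FORWARD -i vlan+ -o vlan+ -j DROP'

# if_match PATTERN NAME: iptables interface match ("+" = trailing prefix wildcard, empty = any)
if_match() {
  [ -z "$1" ] && return 0
  case "$1" in *+) case "$2" in "${1%+}"*) return 0 ;; esac; return 1 ;; esac
  [ "$1" = "$2" ]
}

# forward_verdict IN_IF OUT_IF CHAIN: target of the first matching -A rule, else the -P policy
forward_verdict() {
  in_if=$1 out_if=$2 chain=$3 policy=ACCEPT
  while read -r line; do
    set -- $line; rule_in= rule_out= target=
    while [ $# -gt 0 ]; do
      case "$1" in
        -P) policy=$3; shift 2 ;;
        -i) rule_in=$2; shift ;;
        -o) rule_out=$2; shift ;;
        -j) target=$2; shift ;;
      esac
      shift
    done
    if [ -n "$target" ] && if_match "$rule_in" "$in_if" && if_match "$rule_out" "$out_if"; then
      printf '%s\n' "$target"; return 0
    fi
  done <<EOF
$chain
EOF
  printf '%s\n' "$policy"
}

# isolation_ok CHAIN: the post's intent as a checklist: good and evil never meet, evil still reaches the WAN
isolation_ok() {
  [ "$(forward_verdict br0 br1 "$1")" = DROP ] && [ "$(forward_verdict br1 br0 "$1")" = DROP ] &&
  [ "$(forward_verdict vlan3 br0 "$1")" = DROP ] && [ "$(forward_verdict br0 vlan3 "$1")" = DROP ] &&
  [ "$(forward_verdict br1 vlan1 "$1")" = ACCEPT ] && [ "$(forward_verdict vlan1 br1 "$1")" = ACCEPT ]
}
```

On the router itself you would feed it the real listing, e.g. `isolation_ok "$(iptables -S FORWARD)"`, after every firewall change.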

Secondary router

Here you could use any switch that supports tagged VLANs. I simply love the WRT54GL and I have several spare ones (I will never be grateful enough to Linksys for making this open source).

I have chosen to make this router run its own LAN on 192.168.9.X that is not connected to any of the physical ports (only to the WLAN, which is usually off and only used for administration of the router). I basically needed all the physical ports for evil and good computers.

I run exactly the same firmware as the main router.

The configuration is as follows:

Setup->Basic Setup:
WAN Connection type: Disabled
Router name: Enter your name
Local IP Address: 192.168.9.1
Subnet Mask: 255.255.255.0
Gateway: 0.0.0.0
Local DNS: 0.0.0.0

Assign WAN to switch: checked

DHCP server enabled.

"Setup"-> VLANs

VLAN0 "no physical port" Assigned to LAN
VLAN1 "no physical port" Assigned to LAN
VLAN3 "physical port 3 and 4" NONE
VLAN4 "physical ports W,1,2,3" NONE

Of course physical port 3 is "tagged" (otherwise you cannot assign it to both VLAN3 and VLAN4).

So, let's interpret it. The shared cable enters physical port 3 and connects the "virtual cables" to VID=3 and VID=4. Port 4 is connected to VLAN3 (evil network), and ports W, 1 and 2 are connected to VLAN4 (trusted network).

The magic is done. The DHCP servers of the main router 192.168.10.x and 192.168.11.x will give addresses to the physical ports connected to VLAN4 and VLAN3 respectively in the secondary router.

Secondary router's Firewall

Put this firewall in the second router to separate good and evil:

# As on the main router: -I inserts at the top, so the later lines are checked first.
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP   # no forwarding between VLAN interfaces
iptables -I FORWARD -i vlan3 -o br0 -j DROP     # the evil VLAN never reaches this router's own LAN (192.168.9.X)
iptables -I FORWARD -i br0 -o vlan3 -j DROP


It should all be running now. In my example I run the evil computer on physical port 4. The other ports (W, 1 and 2) are connected to my trusted LAN.

Of course you could leave a physical port in VLAN0 and use that port for configuration on 192.168.9.X..., or put more ports in VLAN3 for evil computers and fewer in VLAN4.

Bonus question: Why the VPN version? Yes, I also have VPN connections running, but that is a separate topic. This version just works very well for me.

I hope it works for you. Much luck!!