Making a Router out of the WRT54G Switch

This page describes how to turn the WRT54G from a switch into a router.

The description is not complete and still under construction. Since I am not an expert in the field, I ask anybody who can to help me complete this project. Mail to [marco][dot][website][at][debooy][dot][eu].

Defining the result

The WRT54G has 6 ports: 1 port is the WAN port and is connected to the modem, 1 port is wireless and the other 4 are wired. The IP address of the WAN port depends on the modem. The addresses of the other ports are defined by the network administrator; I propose the values in the table below. On each sub-net the WRT54G itself gets the x.x.x.1 address. The following table shows an example:

Name   Description          Sub Net        IF name
WAN    Internet             10.0.0.x       vlan0
DMZ    Demilitarized Zone   192.168.10.x   vlan1
LAN    Local network        192.168.20.x   vlan2
VoIP   Voice over IP        192.168.30.x   vlan3
FREE   Local network        192.168.40.x   vlan4
WiFi   Wireless network     192.168.50.x   vlan5

In the DMZ there is a server for DNS, DHCP and syslog. The WRT54G must be configured to use this server instead of the ones available in the OpenWRT package.

That is the easiest part. The more difficult part is the definition of the firewall. The rules of the firewall are:

  • The LAN sub-net can contact the internet through a proxy server in the DMZ;
  • The LAN sub-net can contact the DMZ only on the ports it really needs;
  • The DMZ sub-net can contact the internet only on the ports it really needs;
  • The VoIP sub-net can contact the internet only on the ports it really needs;
  • At this moment nothing is connected to the FREE sub-net. It can be used for testing the security and as a way back in, in case you lock yourself out;
  • The WiFi sub-net gets very strict access, both towards the LAN and towards the DMZ. This sub-net is very vulnerable to intruders and should also be secured with passwords and encryption.

The 'ports it really needs' should only be opened when keeping them closed blocks 'normal behaviour'. Check the IANA site for the ports and their usage.

Defining the sub-nets

The following script defines the variables needed to create the separate sub-nets.

The first part defines 5 vlans.

# vlanNports: switch port N plus port 5, the CPU port that every vlan shares
nvram set vlan0hwname=et0
nvram set vlan0ports="0 5"
nvram set vlan1hwname=et0
nvram set vlan1ports="1 5"
nvram set vlan2hwname=et0
nvram set vlan2ports="2 5"
nvram set vlan3hwname=et0
nvram set vlan3ports="3 5"
nvram set vlan4hwname=et0
nvram set vlan4ports="4 5"

The second part maps these vlans to interfaces. Each interface becomes a sub-net.

nvram set wan_device=eth0
nvram set wan_proto=dhcp

nvram set lan_ifname=vlan1
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.10.1
nvram set lan_netmask=255.255.255.0

nvram set dmz_ifname=vlan2
nvram set dmz_proto=static
nvram set dmz_ipaddr=192.168.20.1
nvram set dmz_netmask=255.255.255.0

nvram set voip_ifname=vlan3
nvram set voip_proto=static
nvram set voip_ipaddr=192.168.30.1
nvram set voip_netmask=255.255.255.0

nvram set free_ifname=vlan4
nvram set free_proto=static
nvram set free_ipaddr=192.168.40.1
nvram set free_netmask=255.255.255.0

The third part sets the variable that is used in /etc/init.d/S40network to bring up the interfaces.

nvram set ifup_interfaces="wan lan dmz voip free"

The fourth part sets the variables for the LAN.

nvram set lan_dns=192.168.20.10
nvram set lan_gateway=10.0.0.10
nvram set lan_ifnames="vlan0 eth1 eth2"
nvram set log_ipaddr=192.168.20.10

Defining the firewall

The firewall must block access from one sub-net to another. The most basic definition is that only the DMZ can access the internet. All other connections should be blocked or redirected to a server in the DMZ. There are no direct connections between sub-nets.

The script can be found here.
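As an added example (not the firewall script the page links to, and not from the OpenWRT project), the following shell script builds an iptables rule set for the policy in the list near the top of the page and in this section. Interface names and the DMZ server address follow the nvram script on this page (lan on vlan1, dmz on vlan2, voip on vlan3, free on vlan4, wan_device=eth0, server 192.168.20.10); note that the table near the top attaches DMZ and LAN to vlan1 and vlan2 the other way round, so set the variables to whichever assignment you actually use. The proxy port 3128, the DMZ and VoIP port lists, and the management rules on INPUT are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not the page's own firewall script: an iptables policy for
# the sub-nets on this page. Interface names and the DMZ server follow the
# nvram script (lan=vlan1, dmz=vlan2, voip=vlan3, free=vlan4, wan_device=eth0,
# lan_dns/log_ipaddr=192.168.20.10). Values marked "assumed" are not on the page.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-vlan1}
DMZ_IF=${DMZ_IF:-vlan2}
VOIP_IF=${VOIP_IF:-vlan3}
FREE_IF=${FREE_IF:-vlan4}
DMZ_SERVER=${DMZ_SERVER:-192.168.20.10}   # DNS, DHCP and syslog server in the DMZ
PROXY_PORT=${PROXY_PORT:-3128}            # assumed: TCP port of the proxy in the DMZ
IPT=${IPT:-iptables}                      # set IPT="echo iptables" to print instead of apply

# Emit one rule per line (iptables arguments only), so the whole set can be
# reviewed before it touches the router.
rule() { printf '%s\n' "$*"; }

fw_rules() {
    rule -F
    rule -t nat -F
    # Default deny for traffic to and through the router; the router may talk out.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # Loopback and replies to connections that were allowed below.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Management (assumed): ssh from the LAN, and everything from FREE, which
    # the page keeps as the way back in after a lock-out.
    rule -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    rule -A INPUT -i "$FREE_IF" -j ACCEPT

    # DMZ -> internet on the ports its services need (assumed set; extend from IANA).
    for p in 53/udp 80/tcp 443/tcp 123/udp; do
        rule -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -p "${p#*/}" --dport "${p%/*}" -j ACCEPT
    done

    # LAN -> the DMZ server only: proxy, DNS and syslog. There is deliberately
    # no LAN -> WAN rule, so the LAN reaches the internet through the proxy alone.
    rule -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_SERVER" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_SERVER" -p udp --dport 53 -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_SERVER" -p udp --dport 514 -j ACCEPT

    # VoIP -> internet: SIP signalling and an RTP media range (assumed values),
    # plus DNS from the DMZ server.
    rule -A FORWARD -i "$VOIP_IF" -o "$WAN_IF" -p udp --dport 5060 -j ACCEPT
    rule -A FORWARD -i "$VOIP_IF" -o "$WAN_IF" -p udp --dport 10000:20000 -j ACCEPT
    rule -A FORWARD -i "$VOIP_IF" -o "$DMZ_IF" -d "$DMZ_SERVER" -p udp --dport 53 -j ACCEPT

    # Anything else crossing the router is logged (rate limited) and then
    # dropped by the policy; with log_ipaddr set the lines reach the DMZ syslog.
    rule -A FORWARD -m limit --limit 10/min -j LOG --log-prefix FW-DROP:

    # All private sub-nets share the WAN address towards the modem.
    rule -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Apply the list; each line is split into separate iptables arguments on purpose.
apply_firewall() {
    fw_rules | while read -r line; do
        # shellcheck disable=SC2086
        $IPT $line || exit 1
    done
}

# DHCP requests are link-local broadcasts and are not routed, so clients on
# the other sub-nets only reach the DMZ DHCP server via a DHCP relay on the router.

if [ "${1:-}" = "apply" ]; then apply_firewall; fi
```

Run it as `sh firewall.sh apply` on the router; with `IPT="echo iptables"` exported first, the commands are only printed, which is a sensible first pass on a box where the FREE sub-net is the only way back in. The LAN can reach the internet solely because the proxy in the DMZ has a DMZ -> internet rule; if you remove the proxy you must consciously add a LAN -> WAN rule rather than discovering the gap by accident.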

Check the configuration

The configuration can be checked with ifconfig, route, and nvram show.
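As an added example (not from the page or the OpenWRT project), the following POSIX shell script automates part of that check. It reads an nvram dump, either saved from `nvram show` or the constructed sample embedded below, which mirrors the script in 'Defining the sub-nets', and reports static interfaces in ifup_interfaces that lack an ifname, ipaddr or netmask, two interfaces on the same /24, and a switch port that appears in more than one vlan. Port 5 is treated as the CPU port that every vlan shares, which is how the vlanNports values on this page read.

```shell
#!/bin/sh
# Added example, not from the page: sanity checks over an `nvram show` dump,
# to run before rebooting into a configuration that might lock you out.
# Usage on the router:  nvram show > /tmp/nv.txt; sh check_nvram.sh /tmp/nv.txt
# Without an argument it checks SAMPLE_DUMP, a constructed dump (not captured
# from a router) that mirrors the nvram script on this page.

SAMPLE_DUMP='vlan0ports=0 5
vlan1ports=1 5
vlan2ports=2 5
vlan3ports=3 5
vlan4ports=4 5
ifup_interfaces=wan lan dmz voip free
wan_device=eth0
wan_proto=dhcp
lan_ifname=vlan1
lan_proto=static
lan_ipaddr=192.168.10.1
lan_netmask=255.255.255.0
dmz_ifname=vlan2
dmz_proto=static
dmz_ipaddr=192.168.20.1
dmz_netmask=255.255.255.0
voip_ifname=vlan3
voip_proto=static
voip_ipaddr=192.168.30.1
voip_netmask=255.255.255.0
free_ifname=vlan4
free_proto=static
free_ipaddr=192.168.40.1
free_netmask=255.255.255.0'

# nv_get DUMP NAME: value of NAME in DUMP (first match), empty if absent.
nv_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# check_nvram DUMP: prints one line per problem found, returns 1 if there were any.
check_nvram() {
    dump=$1
    rc=0

    # 1. Every static interface in ifup_interfaces needs ifname, ipaddr and netmask,
    #    otherwise S40network cannot bring it up. WAN (dhcp) uses wan_device instead.
    for i in $(nv_get "$dump" ifup_interfaces); do
        if [ "$(nv_get "$dump" "${i}_proto")" = "dhcp" ]; then continue; fi
        for k in ifname ipaddr netmask; do
            if [ -z "$(nv_get "$dump" "${i}_$k")" ]; then
                echo "missing ${i}_$k"
                rc=1
            fi
        done
    done

    # 2. Two interfaces on the same /24 (all netmasks here are 255.255.255.0)
    #    would leave the kernel with two routes for one network.
    nets=$(for i in $(nv_get "$dump" ifup_interfaces); do
               ip=$(nv_get "$dump" "${i}_ipaddr")
               if [ -n "$ip" ]; then echo "${ip%.*}"; fi
           done)
    dup=$(printf '%s\n' "$nets" | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "sub-net used by more than one interface: $dup"
        rc=1
    fi

    # 3. A switch port claimed by two vlans is a misconfiguration. Port 5 is the
    #    CPU port, shared by every vlan, and is skipped.
    ports=$(for v in 0 1 2 3 4; do
                for p in $(nv_get "$dump" "vlan${v}ports"); do
                    case $p in 5|5\*) ;; *) echo "$p" ;; esac
                done
            done)
    dup=$(printf '%s\n' "$ports" | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "switch port in more than one vlan: $dup"
        rc=1
    fi
    return $rc
}

# Check the dump file given as argument, otherwise the constructed sample.
if [ -n "${1:-}" ]; then
    check_nvram "$(cat "$1")"
else
    check_nvram "$SAMPLE_DUMP"
fi
```

A clean run prints nothing and exits 0, so it can sit in front of a reboot in the same script that applies the nvram changes. The checks are deliberately about the handful of mistakes that leave the router unreachable (an interface S40network cannot bring up, two interfaces claiming one network, a physical port silently moved into the wrong vlan); ifconfig and route still show what the kernel actually did with the values.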

NTP

The default script for NTP does not seem to work. I changed the script /etc/init.d/S60ntp and replaced the line that executes ntpclient with:

/usr/sbin/ntpclient -l -h $NTP_SERVER -c 1 -s

Mounting

Since the WRT54G has no USB port there is no way to connect an external drive. The best alternative is to mount a directory from another server; the simplest way is to use shfs. Use it like:

insmod shfs
shfsmount user@host:/remote/dir /some/local/mountpoint

To Do

  • Complete the firewall.
  • Add WiFi as another subnet.
  • Run NTP as a service.

Info

To get this working I used the OpenWRT Forum.