Posted: Mon Apr 04, 2016 17:23 Post subject: VLAN setup using the GUI
I am trying to find information on setting up and separating VLANs using build 29218 in a RT-AC66U. For one I am trying to find some kind of help menu for what all the setting fields under the VLANs tab and the NETWORK tab mean. Currently the help menu for both those tabs is blank. Perhaps if I knew some detail on each item it might make all the difference.
If not that, how to create VLANs that are separated and bridge them to WANs or WLANs using the GUI. Currently if I create them they can all talk to each other. I don't know how to break this connection. Anything I try crashes the router and I cannot log back in or pull up the webpage without resetting the router to factory defaults.
I found some older how-tos on this but they all involve scripts and using Telnet. From what I understand, after build 26000 something you don't want to do that any more and only use the GUI to do this.
Lastly, if no other knowledge is available, if anyone knows a page elsewhere on the web that might give me an idea on how to set up VLANs, that would be great.
I have done and tried the www.coertvonk.com walkthrough but I am still having problems.
Can someone please help walk me through this using the GUI only. I have been instructed NOT to use telnet commands with my build of 29218 and that is true for any build after 26000 and something. I follow many of these walkthroughs and they explain it in a script ("nvram set something something") but then follow it with "this can also be done in the GUI", but no one that I have seen has screen caps showing what the GUI should look like so I can follow it, as the GUI has more settings than are described in the instructions, which I think is causing me problems.
Anyway, after completing the walkthrough from the www.coertvonk.com link my nvram show looks like this...
nvram show | grep vlan.*hwname | sort
vlan1hwname=et0
vlan2hwname=et0
vlan3hwname=et0
I had also created the wl0.1 interface and created br1 with a DHCP as described. My firewall script is as follows:
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
I can connect to ports 3 or 4 and I get internet, an IP, and can ping the router at 192.168.1.1. If I connect to ports 1 or 2 I do not get a DHCP assignment. If I set the IP manually, I cannot ping the router, and of course this means I have no internet.
The problem has gotten worse. As I could not get the VLANs to work I used the GUI interface to reset to factory defaults, then rebooted. I no longer have ports 1 or 2, as you can see from the Telnet log.
How do I get ports 1 and 2 back now? How can I reset everything back to square one so I don't have something lingering in the router that might mess with me later?
The factory reset did not reset my VLAN ports, so this has me concerned that it might not reset my DHCP assignments, or any other configuration I mistakenly typed in. If I get myself locked out too badly, such as by turning off all the ports, the factory reset would no longer let me in. I am thinking that if this was all done in the GUI it would reset with a restore to defaults.
Well, I am somewhat closer to my goal. I apologize as this will be long, but I want to give you all the information available.
What I am trying to do is create 3 different LANs:
Main LAN = main network with security cameras, NAS, computer, etc.
Shared LAN = shared devices, i.e. printers and media devices
Guest LAN = network for guests and visitors
The goal is to allow both the main and guest network to talk to the shared network
All three networks to access the internet
Block all comms from guest getting to main LAN
Was planning on VLAN 1 = main LAN
VLAN 3 = shared LAN
VLAN 6 = guest LAN
If it makes sense to switch shared LAN to 1 and main LAN to 3 for some reason, please let me know.
Using the GUI
In Setup/VLANs I have Port W on VLAN 2
I have port 1 on VLAN 6
I have port 2 on VLAN 3
I have port 3 on VLAN 1
I have port 4 on VLAN 1
Under Assigned to Bridge I have VLAN 1 assigned to LAN and the rest to none
In Setup/Networking i currently have br0 assigned to vlan1 eth1 eth2 (this was default)
DHCPD Configuration
DHCP 0= vlan6 start 100 max 50 lease 3600
DHCP 1= vlan3 start 100 max 50 lease 3600
In Setup/Basic Setup
Router IP Address= 192.168.1.1
Subnet Mask= 255.255.255.0
Network Address Server Settings
DHCP Server
Enable
Start Address= 192.168.1.100
Maximum= 50
Lease= 3600
If I plug into ports 1, 2 I get an IP of 192.168.1.x and internet access
If I plug into port 3 I get an IP of 192.168.3.x and internet access
If I plug into port 4 I get an IP of 192.168.6.x and internet access
However, from any network I can successfully ping a device on any other network.
In Administration/Commands/Firewall I have tried both
At some point I also want wl0 and wl1 on VLAN 1 with wl0.1 on VLAN 3 and wl0.2 on VLAN 6
Can someone please help me with my bridge setups and firewall tables to achieve what I said I was trying for in the beginning?
Maybe once I see what the settings are supposed to be it will all make sense and I won't ask questions any more.
Lastly, can someone explain why I have eth0, eth1 and eth2 instead of just eth0 like all the examples I see.
Where 2 represents the rule # after ESTABLISHED,RELATED. New connections from br0 & br1 are permitted and subsequent packets + replies fall under ESTABLISHED,RELATED; otherwise replies from shared will be dropped.
Additionally, you would want to limit br1/2 connectivity to the router. Accept DHCP/DNS, drop the rest.
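One way to write out the rule set this reply describes, as an added example that is not the poster's or the thread's own code: it assumes br0 = main, br1 = shared, br2 = guest (the bridge-to-VLAN assignment the original poster mentions) and vlan2 as the WAN interface; the chain names vlan_fwd and vlan_in are made up here.

```sh
#!/bin/sh
# Added example, not from the thread: DD-WRT firewall rules for the three-bridge layout
# the poster describes. Assumed mapping (from the thread): br0 = main (vlan1),
# br1 = shared (vlan3), br2 = guest (vlan6); WAN interface vlan2 (Port W is on VLAN 2).
# Paste into Administration > Commands > Firewall.
IPT="${IPT:-iptables}"
WAN="${WAN:-vlan2}"

# (Re)create a user chain so the rule set stays readable and is safe to re-apply.
fresh_chain() {
    $IPT -N "$1" 2>/dev/null
    $IPT -F "$1"
}

apply_rules() {
    fresh_chain vlan_fwd
    fresh_chain vlan_in

    # Between segments: replies ride on ESTABLISHED,RELATED, so a shared->main
    # reply passes even though the NEW-only DROP below stops shared from calling main.
    $IPT -A vlan_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A vlan_fwd -i br2 -o br0 -j DROP   # guest never reaches main
    $IPT -A vlan_fwd -i br0 -o br2 -j DROP   # main kept off guest as well
    $IPT -A vlan_fwd -i br1 -o br0 -m state --state NEW -j DROP   # shared answers main, never calls it
    $IPT -A vlan_fwd -i br1 -o br2 -m state --state NEW -j DROP   # same toward guest (a design choice)
    $IPT -A vlan_fwd -i br0 -o br1 -j ACCEPT   # main  -> shared
    $IPT -A vlan_fwd -i br2 -o br1 -j ACCEPT   # guest -> shared
    $IPT -A vlan_fwd -i br1 -o "$WAN" -j ACCEPT   # shared -> internet
    $IPT -A vlan_fwd -i br2 -o "$WAN" -j ACCEPT   # guest  -> internet

    # To the router itself: shared and guest get DHCP and DNS only, nothing else (no GUI/SSH).
    $IPT -A vlan_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    for br in br1 br2; do
        $IPT -A vlan_in -i "$br" -p udp --dport 67 -j ACCEPT
        $IPT -A vlan_in -i "$br" -p udp --dport 53 -j ACCEPT
        $IPT -A vlan_in -i "$br" -p tcp --dport 53 -j ACCEPT
        $IPT -A vlan_in -i "$br" -j DROP
    done

    # Hook both chains in ahead of the stock rules; delete first so reruns don't stack jumps.
    $IPT -D FORWARD -j vlan_fwd 2>/dev/null
    $IPT -I FORWARD 1 -j vlan_fwd
    $IPT -D INPUT -j vlan_in 2>/dev/null
    $IPT -I INPUT 1 -j vlan_in
}

# Apply only where an iptables binary exists (the firewall tab on the router).
command -v "$IPT" >/dev/null 2>&1 && apply_rules
```

Setting IPT=echo before calling apply_rules prints the rules instead of loading them, which is a convenient way to review the ordering before pasting the script into the router.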
I followed both your advices and it looked like I was making progress. But as soon as I assign br1 to vlan3 and br2 to vlan6 I lose the ability to obtain an IP address from DHCP. If I remove one or the other or both assignments I get that ability back. Hopefully you can look at it and see what I missed. If I set a static IP on the network manually with 8.8.8.8 as my DNS I am able to then get internet from that VLAN, however I cannot ping 192.168.1.1 or 192.168.3.1 or 192.168.6.1. If I set back to DHCP and plug into vlan 1 I do get an address, internet and the ability to ping all three. To simplify things I did not create wl0.1 or wl0.2 yet, and only used the wired ports to test the VLANs. I have attached some screen shots below so you can see my settings.
I have tried it both with and without these scripts, along with variants script-wise and GUI-wise, to no avail.