Bridging VAP and VLAN

DD-WRT Forum Index -> Advanced Networking
dimaj
DD-WRT Novice


Joined: 10 Feb 2008
Posts: 17

Posted: Thu Jul 12, 2018 9:41    Post subject: Bridging VAP and VLAN
Hello,

I'm sorry if this has been answered before. I've been doing a lot of googling, but still can't get this to work.

What I am trying to accomplish is this: to have 3 networks.
* Primary network (wl0)
* Guest network (Internet only access; no access to my primary network) (wl0.2)
* Private network (No internet access; access to a single host on primary network) (wl0.1)

After following several guides, I think I have finished my setup, but it is not working quite well.

I am not going to talk about primary network as I think it is obvious.

My guest network is setup as per Kong's tutorial here: http://tips.desipro.de/2013/12/06/guest-wifi-setup-dd-wrt/ and it seems to be working well.

I have followed the same guest network setup instructions for the private network. Then I went to Setup -> VLANs and switched port 2 to be VLAN15. After applying my changes, I went to Setup -> Networking, created a new bridge br1 and added 2 bridge associations:
* br1 -> vlan15
* br1 -> wl0.1
As a result, I have configured 3 interfaces under Networking tab with the same set of information: 192.168.2.1/24
Finally, I've added 2 DHCP servers. One is for the guest network (wl0.2) and another for the private network (br1).


To accommodate my private network requirements, I've added the following firewall commands:
Code:

iptables -I FORWARD -i br0 -o wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o br0 -d 192.168.1.78 -m state --state NEW -j ACCEPT


The good news is that when I plug in a wired device into port 2, I am on my private network and everything is working the way I want it to. The bad news is that I cannot connect to my private network wirelessly.

Did I miss something in my setup?

Oh, almost forgot. My router is a Netgear R7000 and my firmware is DD-WRT v3.0-r34015M kongac (12/09/17).

Thank you very much for your help

[edit] I forgot to mention that Wireless Security is WPA2-Personal+AES
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 4325
Location: Akershus, Norway

Posted: Thu Jul 12, 2018 16:15    Post subject:
Did you set the address 192.168.2.1/24 on br1?

All interfaces that are bridged must be set to "Default/bridged", and the option to set an IP on the interface disappears.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

Posted: Thu Jul 12, 2018 16:21    Post subject:
Let's step back a second and instead of adding the complexity of the VLAN, just add the second VAP, configure it just like the first VAP, and then tell me if things work correctly (i.e., wirelessly).

IOW, simplify the config, esp. by eliminating what is often problematic w/ dd-wrt; setting up VLANs. It only makes sense that if all you're doing w/ the second VAP is exactly what you did w/ the first VAP, it should work. Just so long as each VAP is using its own unique, non-overlapping local IP network, which I wasn't so sure was the case given the following statement.

"As a result, I have configured 3 interfaces under Networking tab with the same set of information: 192.168.2.1/24"

Again, the more you simplify the config, the easier it is to find the culprit. Be methodical. Start w/ the first VAP, then test it. Add the second VAP and test it. Add a bridge (br1) and add only the second VAP, then test it. Finally, add the VLAN to the bridge and test again. If anything fails to work properly along the way, STOP and correct it. I wouldn't even mess w/ network isolation initially either. The primary concern initially is routing, NOT the firewall. Only concern yourself w/ network isolation (firewall) once everything is otherwise working.
dimaj
DD-WRT Novice


Joined: 10 Feb 2008
Posts: 17

Posted: Thu Jul 12, 2018 19:54    Post subject:
Thanks for your replies, guys.

I'll try your suggestions out when I get home tonight and will post back with my findings / questions :)
dimaj
DD-WRT Novice


Joined: 10 Feb 2008
Posts: 17

Posted: Fri Jul 13, 2018 7:21    Post subject:
Quote:

All interfaces that are bridged, must be set to "Default/bridged" and the option to set an IP on the interface disappear.


I tried that and it didn't work.

Quote:
Let's step back a second and instead of adding the complexity of the VLAN, just add the second VAP, configure it just like the first VAP, and then tell me if things work correctly (i.e., wirelessly).

So, I've decided to have a clean-ish start...
* deleted both VAPs
* commented out my firewall rules (by adding '#' in front of lines)
* deleted all my bridges
* I left my VLAN configuration intact as I thought it would not be a hindrance if I am not going to use it.

Then I've added 2 VAPs and configured them as per Kong's instructions: made them unbridged, assigned an IP and created a DHCPD config for each VAP.
Result: Cannot connect to either one of them, even when I had only 1 VAP.

What are the odds that my nvram is corrupt someplace and I need to do a factory reset? I'd like to avoid that as I've made tons of configs and I would hate to restore it by hand all over again. I mean it's not the end of the world, but it would suck up a good couple of hours and will piss off my wife something awful :)

Quote:

Just so long as each VAP is using its own unique, non-overlapping local IP network, which I wasn't so sure was the case given the following statement.

"As a result, I have configured 3 interfaces under Networking tab with the same set of information: 192.168.2.1/24"

They were overlapping as I was joining them into a single interface via a bridge (or so I thought). At least that's what I've been reading in various places that describe how to join VLAN and VAP. The gist was:
Create a VAP and assign IP (192.168.2.1/24)
Create a VLAN and assign IP (192.168.2.1/24)
Create a bridge and associate VLAN and VAP with it

That being said, VAPs were NOT overlapping.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 3899
Location: Texas

Posted: Fri Jul 13, 2018 11:57    Post subject:
dimaj wrote:
They were overlapping as I was joining them into a single interface via a bridge (or so I thought). At least that's what I've been reading in various places that describe how to join VLAN and VAP. The gist was:
Create a VAP and assign IP (192.168.2.1/24)
Create a VLAN and assign IP (192.168.2.1/24)
Create a bridge and associate VLAN and VAP with it

That being said, VAPs were NOT overlapping.
To join a VAP with a VLAN (same network) you must leave them as bridged. Create br1, then set its (only the br1) network on the 'Networking' page. Then you would assign VLAN?? & wl0.1 to the br1.
Any firewall rules you may need would have br1 included, not the vlan or VAP.
dimaj
DD-WRT Novice


Joined: 10 Feb 2008
Posts: 17

Posted: Sat Jul 14, 2018 7:37    Post subject:
Alright... Got some news...

I was finally able to configure my wireless networks!!! As it turns out, a soft reboot is not enough for settings to take effect. I had to power down my router after every major change.

I did what @eibgrad suggested and performed a test after every change: create a new VAP, test; create a second VAP, test; bridge them together and test.

My final setup is as follows:
2 Guest VAPs (2.4 GHz and 5GHz) in bridge mode and they are joined by a new br1
I took a port on the router and moved it to VLAN 15; I then joined my private network VAP with that VLAN port via br2.
Assigned IPs to br1 and br2 and configured DHCP for both of them.

Result - I am able to connect to all of my VAPs and everything is working the way it should, with the exception of my firewall rule... For some reason, when I am on the private network, I am still able to connect to the internet and I would like to prevent that behavior. Any guidance on how I should change my firewall rules?

Thanks again for the help!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

Posted: Sat Jul 14, 2018 16:37    Post subject:
dimaj wrote:
For some reason, when I am on a private network, I am still able to connect to the internet and I would like to prevent that behavior.


Code:
iptables -I FORWARD -i wl0.1 -j DROP
iptables -I FORWARD -i wl0.1 -d 192.168.1.78 -m state --state NEW -j ACCEPT
dimaj
DD-WRT Novice


Joined: 10 Feb 2008
Posts: 17

Posted: Sat Jul 14, 2018 18:26    Post subject:
Quote:

iptables -I FORWARD -i wl0.1 -j DROP
iptables -I FORWARD -i wl0.1 -d 192.168.1.78 -m state --state NEW -j ACCEPT


Thanks for this!

If I understand it correctly, those commands do the following:
* prevent all connections from VAP 1 from going through
* Allow connection from VAP 1 to 192.168.1.78

While I am no longer able to access the internet, I am also not able to access the whitelisted host. I've altered your commands a little bit by changing wl0.1 to br2, as this is my new bridge interface for both wl0.1 and the physical port on the router.

Also, is it safe to assume that if I were to restrict access to a certain port (say 8080) on that host, I'll need to issue:
Code:

iptables -I FORWARD -i br2 -d 192.168.1.78 --dport 8080 -m state --state NEW -j ACCEPT
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

Posted: Sat Jul 14, 2018 18:41    Post subject:
Whenever you specify a port in iptables, you also need to specify the protocol (tcp, udp, etc.)

Code:
iptables -I FORWARD -i br2 -d 192.168.1.78 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
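The two rule sets exchanged above (the interface-wide DROP plus the NEW-to-192.168.1.78 ACCEPT, and the later `--dport 8080` variant) depend on chain order: every `iptables -I FORWARD ...` without an index lands at position 1, so the last command issued is evaluated first, and a DROP on the whole ingress interface sits above whatever stock rule accepts the follow-up packets of an already-accepted connection. The model below is an added example written for this thread, not DD-WRT's own firewall script or anything eibgrad or dimaj posted. It parses the thread's commands, evaluates constructed packets against the resulting chain, and shows which packets are accepted or dropped; the `baseline()` chain (a RELATED,ESTABLISHED accept with an ACCEPT policy), the addresses 203.0.113.10 and 192.168.2.50, and all function names are assumptions made for the example.

```python
"""Toy model of an iptables FORWARD chain, used to check how the rules in
this thread evaluate for a client on br2. Added example, not DD-WRT code;
the baseline chain content is an assumption."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    in_if: str                 # ingress interface (matched by -i)
    dst: str                   # destination address (matched by -d)
    state: str                 # conntrack state: NEW, ESTABLISHED or RELATED
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: frozenset = field(default_factory=frozenset)

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or self.in_if == p.in_if)
                and (self.dst is None or self.dst == p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (not self.states or p.state in self.states))


def parse(cmd: str) -> Tuple[str, Rule]:
    """Parse 'iptables -I|-A FORWARD <matches> -j <target>' into (mode, Rule).
    Only the options used in the thread are understood."""
    argv = shlex.split(cmd)
    if argv[:1] != ["iptables"] or argv[2] != "FORWARD":
        raise ValueError("expected 'iptables -I|-A FORWARD ...'")
    mode, opts, i = argv[1], {}, 3
    while i + 1 < len(argv):
        flag, val = argv[i], argv[i + 1]
        if flag != "-m":           # '-m state' only loads the match module
            opts[flag] = val
        i += 2
    if "--dport" in opts and opts.get("-p") not in ("tcp", "udp"):
        # real iptables rejects --dport unless a tcp/udp protocol is given
        raise ValueError("--dport requires -p tcp or -p udp")
    states = frozenset(s for s in opts.get("--state", "").split(",") if s)
    return mode, Rule(target=opts["-j"], in_if=opts.get("-i"),
                      dst=opts.get("-d"), proto=opts.get("-p"),
                      dport=int(opts["--dport"]) if "--dport" in opts else None,
                      states=states)


class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.rules, self.policy = [], policy

    def apply(self, cmd: str) -> None:
        mode, rule = parse(cmd)
        if mode == "-I":
            self.rules.insert(0, rule)   # -I without an index means position 1
        else:
            self.rules.append(rule)      # -A appends to the end

    def verdict(self, p: Packet) -> str:
        for r in self.rules:            # first matching rule decides
            if r.matches(p):
                return r.target
        return self.policy


def baseline() -> Chain:
    # Assumption: the stock chain accepts return traffic of known connections
    # and otherwise forwards (the private VAP reached the internet before any
    # custom rules were added).
    ch = Chain(policy="ACCEPT")
    ch.apply("iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT")
    return ch


# Constructed traffic: 203.0.113.10 stands in for an internet host and
# 192.168.2.50 for a client on the private network.
PACKETS = {
    "new_to_internet": Packet("br2", "203.0.113.10", "NEW"),
    "new_to_host": Packet("br2", "192.168.1.78", "NEW"),
    "established_to_host": Packet("br2", "192.168.1.78", "ESTABLISHED"),
    "reply_from_host": Packet("br0", "192.168.2.50", "ESTABLISHED"),
}


def verdicts(ch: Chain) -> Dict[str, str]:
    return {name: ch.verdict(p) for name, p in PACKETS.items()}


def as_posted() -> Dict[str, str]:
    """The two rules from the thread, in the order given, with wl0.1 -> br2."""
    ch = baseline()
    ch.apply("iptables -I FORWARD -i br2 -j DROP")
    ch.apply("iptables -I FORWARD -i br2 -d 192.168.1.78 -m state --state NEW -j ACCEPT")
    return verdicts(ch)


def with_return_traffic() -> Dict[str, str]:
    """Same rules plus an accept for follow-up packets of allowed connections,
    inserted last so it sits above the interface-wide DROP."""
    ch = baseline()
    ch.apply("iptables -I FORWARD -i br2 -j DROP")
    ch.apply("iptables -I FORWARD -i br2 -d 192.168.1.78 -m state --state NEW -j ACCEPT")
    ch.apply("iptables -I FORWARD -i br2 -m state --state ESTABLISHED,RELATED -j ACCEPT")
    return verdicts(ch)


def port_rule_needs_protocol() -> bool:
    """True if --dport is rejected without -p and parsed correctly with -p tcp."""
    try:
        parse("iptables -I FORWARD -i br2 -d 192.168.1.78 --dport 8080 -m state --state NEW -j ACCEPT")
        return False
    except ValueError:
        pass
    _, rule = parse("iptables -I FORWARD -i br2 -d 192.168.1.78 -p tcp --dport 8080 -m state --state NEW -j ACCEPT")
    return rule.proto == "tcp" and rule.dport == 8080


if __name__ == "__main__":
    print("as posted:", as_posted())
    print("with return traffic:", with_return_traffic())
    print("--dport needs -p:", port_rule_needs_protocol())
```

Running the block shows `established_to_host` dropped in the `as_posted` chain (the second and later packets of the whitelisted connection no longer match the NEW-only ACCEPT and fall through to the DROP on br2), and accepted once a `--state ESTABLISHED,RELATED` accept for br2 is inserted above the DROP, while `new_to_internet` stays dropped in both. The same model rejects the `--dport 8080` command without `-p tcp`, as iptables itself does.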
dimaj
DD-WRT Novice


Joined: 10 Feb 2008
Posts: 17

Posted: Sun Jul 15, 2018 3:57    Post subject:
Excellent!

Thank you very much for your help! Really appreciate it!
All times are GMT