Posted: Thu Jul 12, 2018 9:41 Post subject: [SOLVED]Bridging VAP and VLAN
Hello,
I'm sorry if this has been answered before. I've been doing a lot of googling, but still can't get this to work.
What I am trying to accomplish is this to have 3 networks.
* Primary network (wl0)
* Guest network (Internet only access; no access to my primary network) (wl0.2)
* Private network (No internet access; access to a single host on primary network) (wl0.1)
After following several guides, I think I have finished my setup, but it is not working quite well.
I am not going to talk about primary network as I think it is obvious.
I have followed the same guest network setup instructions for the private network. Then I went to Setup-> VLANs and switched port 2 to be VLAN15. After applying my changes, I went to Setup -> Networking and have created a new bridge br1 and I've added 2 bridge associations:
* br1 -> vlan15
* br1 -> wl0.1
As a result, I have configured 3 interfaces under Networking tab with the same set of information: 192.168.2.1/24
Finally, I've added a 2 DHCP servers. One is for guest network (wl0.2) and another for private network (br1).
To accommodate my private network requirements, I've added the following firewall commands:
Code:
iptables -I FORWARD -i br0 -o wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o br0 -d 192.168.1.78 -m state --state NEW -j ACCEPT
The good news is that when I plug in a wired device into port 2, I am on my private network and everything is working the way I want it to. The bad news is that I cannot connect to my private network wirelessly.
Did I miss something in my setup?
Oh, almost forgot. my router is Netgear R7000 and my firmware is: DD-WRT v3.0-r34015M kongac (12/09/17)
Thank you very much for your help
[edit] I forgot to mention that Wireless Security is WPA2-Personal+AES
All interfaces that are bridged, must be set to "Default/bridged" and the option to set an IP on the interface disappear.
I tried that and it didn't work.
Quote:
Let's step back a second and instead of adding the complexity of the VLAN, just add the second VAP, configure it just like the first VAP, and then tell me if things work correctly (i.e., wirelessly).
So, I've decided to have a clean-ish start...
* deleted both VAPs
* commented out my firewall rules (by adding '#' in front of lines)
* deleted all my bridges
* I left my VLAN configuration intact as I thought it will not be a hindrance if I am not going to use it.
Then I've added 2 VAPs and configured them as per Kong's instructions. Make them unbridged; assign IP and create a DHCPD config for each VAP.
Result: Cannot connect to either one of them, even when I had only 1 VAP.
What are the odds that my nvram is corrupt someplace and I need to do a factory reset? I'd like to avoid that as I've made tons of configs and I would hate to restore it by hand all over again. I mean it's not the end of the world, but it would suck up good couple of hours and will piss off my wife something awful
Quote:
Just so long as each VAP is using its own unique, non-overlapping local IP network, which I wasn't so sure was the case given the following statement.
"As a result, I have configured 3 interfaces under Networking tab with the same set of information: 192.168.2.1/24"
They were overlapping as I was joining them into a single interface via a bridge (or so I thought). At least that's what I've been reading in various places that describe how to join VLAN and VAP. The gist was:
Create a VAP and assign IP (192.168.2.1/24)
Create a VLAN and assign IP (192.168.2.1/24)
Create a bridge and associate VLAN and VAP with it
They were overlapping as I was joining them into a single interface via a bridge (or so I thought). At least that's what I've been reading in various places that describe how to join VLAN and VAP. The gist was:
Create a VAP and assign IP (192.168.2.1/24)
Create a VLAN and assign IP (192.168.2.1/24)
Create a bridge and associate VLAN and VAP with it
That being said, VAPs were NOT overlapping.
To join a VAP with a VLAN (same network) you must leave as bridged. Create br1 then set it's (only the br1) network on the 'Networking' page. Then you would assign VLAN?? & wl0.1 to the br1.
Any firewall rules you may need would have br1 included, not the vlan or VAP.
I was finally able to configure my wireless networks!!! As it turns out, a soft reboot is not enough for settings to take effect. I had to power down my router after every major change.
I did what @eibgrad suggested and performed a test after every change. Create a new VAP test; create second VAP test; bridge them together and test.
My final setup is as follows:
2 Guest VAPs (2.4 GHz and 5GHz) in bridge mode and they are joined by a new br1
I took a port on a router and moved it to a VLAN 15; I then have joined my private network VAP with that VLAN port via br2.
Assigned IPs to br1 and br2 and configured DHCP for both of them.
Result - I am able to connect to all of my VAPs and everything is working the way it should with an exception of my firewall rule... For some reason, when I am on a private network, I am still able to connect to the internet and I would like to prevent that behavior. Any guidance on how I should change my firewall rules?
iptables -I FORWARD -i wl0.1 -j DROP
iptables -I FORWARD -i wl0.1 -d 192.168.1.78 -m state --state NEW -j ACCEPT
Thanks for this!
If I understand it correctly, those commands do the following:
* prevent all connections from VAP 1 from going through
* Allow connection from VAP 1 to 192.168.1.78
While I am not able to access the internet anymore, I am not able to access the whitelisted host. I've altered your commands a little bit by changing the wl0.1 to br2 as this is my new bridge interface for both wl0.1 and physical port on the router.
also, safe to assume that if I were to restrict access to a certain port (say 8080) on that host, I'll need to issue:
Code:
iptables -I FORWARD -i br2 -d 192.168.1.78 --dport 8080 -m state --state NEW -j ACCEPT
Posted: Tue Jan 28, 2020 11:56 Post subject: Bridging VAP fails to connect
Hi all
This thread has been quiet for some 18 months however thought to reply here rather than start a new post because I would like to know dimaj how you went about assigning a VAP to your br1 – it’s given me nothing but problems trying to recreate a similar network to you.
My first post so hope I include enough detail.
Currently I use an Asus RT-AC68U C1 with the below setup:
• Firmware: DD-WRT v3.0-r42054 std (01/21/20)
• Linux 4.4.210 #736 SMP Mon Jan 20 10:27:54 +04 2020 armv7l
• The AC68U is in gateway mode, WAN interface has static 192.168.4.2 IP, DHCP 192.168.200.0/24 (the .1 is GUI management) and gateway 192.168.4.1 linking to my DrayTek via Ethernet that has a PPoE connection. DrayTek VLAN 192.168.4.0/24 configured for NAT
• telnet to AC68U and running “nvram get wl0_corerev” = 42
To give some context why I prefer bridging to work, it will allow me to halve the number of DHCP scopes I have, at present I have two DHCP scopes (Eth, WIFI) for each IOT, VPN & Trusted networks.
Note: I have other active wireless interfaces in addition to what I’m configuring below (see above comment) however my testing below should not be impacted from my current network. No other bridges are configured/used aside from the default br0 (eth1, eth2, vlan1). No firewall rules, SPI is OFF till I get things working and all WIFI SSID’s and the local network 192.168.200.* function fine within their IP ranges with working internet.
I skimmed over the peacock post, came upon this page https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs which I followed amongst viewing other posts, youtube vids to no avail. I have taken onboard eibgrad’s suggestion testing each step and this is what I have so far.
1- Create new VAP network, call it Guest-AP using wl1.1 (5Ghz radio) and place it in un-bridge mode 192.168.80.1/255.255.255.0
2- Apply AES + CCMP128 security
3- Configure DHCPD for the VAP wl1.1 also set net isolation OFF, NOT forcing DNS, multicast fwd OFF, Masquerade NAT ON with L2Mesh unticked and default br0
4- Connect a client to the Guest-AP the internet functions – tick, moving on to bridging
5- With a successful test now, I remove the DHCPD for the Guest-AP
6- I create a bridge called br5, STP ON with rest on default values
7- I assign wl1.1 (the Guest-AP) to br5
8- I create a DHCP for br5, I re-used the 192.168.80.1/255.255.255.0
9- Connecting a client to the Guest-AP = “can’t connect to this network” in Win10, my phone tries for 30s before failing without error. I was expecting a connection with a .80.* address and yes I’ve rebooted the router from the power switch.
I also tested the above bridging but using VLAN5 (configured as the 2nd eth port on the 68U) rather than the wl1.1 I can successfully connect via ethernet and receive a 192.168.80.* address and browse the internet fine so I’m assuming my bridging technique is ok?
So why do the above steps work fine for ethernet but not wireless? I don’t believe (but could be wrong) that I need to apply some commands for DHCP per the above wiki? And firewall rules? However the wiki did state I should be able to connect to the newly configured wireless AP and get an address before going further and applying code.
I also tried setting the WIFI adapter with a static IP such as 192.168.80.5 and connecting but this too failed.
Any help is much appreciated because I have wasted numerous hours (although learnt a lot) on this and I’m concerned the router will stop rebooting! God only knows how many times I hit the power button.
For anyone coming by this post in future, to save you significant time (I have lost many many hours) and frustration this is what I have found.
Originally (prior to my above post), I used DD-wrt v3.0 R31980M Kongac 5-11-17 and updated to R42174 figuring I would re-create the setup with some tweaks such as the bridging and this is where I encountered issues with bridging.
Giving up on R42174, I updated to R42054 only to have exactly the same issues. Before throwing the towel in and giving up altogether I thought why not try the original R31980M that I have successfully used for the last two years – it worked!
So employing the ‘same’ process to configure a bridge on R31980M does not work on R42174 nor R42054. Why? No idea and I no longer care having lost too many hours resetting, re-powering, flashing..
“if she ain’t broke, don’t upgrade” – I would like to think upgrades bring benefits but in my most recent experience it just burnt hours of effort.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Tue Feb 11, 2020 12:04 Post subject:
From approximately mid 2018 VAP's on Broadcom units are problematic, you cannot connect or do not get an IP address. There are workarounds:
1) When VAP is not working at boot; workaround startup command Administration/Commands, Save as Startup:
sleep 10; stopservice nas; stopservice wlconf; startservice wlconf; startservice nas;
2) Alternative way to get VAP working: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317181
3) An other user reports the following workaround (save as startup):
sleep 4; stopservice cron; stopservice wlconf; wlconf eth1 up; wlconf eth2 up; startservice cron;
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319412
4)This one is from @Redhawk (guaranteed to work ):
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas; logger "VAP workaround executed"; _________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
4)This one is from @Redhawk (guaranteed to work ):
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas; logger "VAP workaround executed";
After much (much) research to create vlans, VAPs and bridge them, and accounting for editing nvram (Netgear R7000) [1], switched ports [2], GUI settings [3] and firewall changes [4], the above quote finally stitched everything together and helped me hit my latest use case goal; 2.4Ghz and 5Ghz for guests with one subnet (used a vlan - I don't recall seeing another method).
By the time I found the 4 workarounds outlined by egc, I went straight to #4 since it said "guaranteed to work." At that point, I was tired of experimenting and didn't try any other workaround.
I hope this pays it forward for the next person who's attempting to do the same thing on a Netgear R7000.
None of that applies anymore on current releases. Bridged VAPs have been fixed for a long time on Broadcom. You are obviously using an old, outdated, and no longer supported release. _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
That's good to know. I knew I was using an older version, DD-WRT v3.0-r44715 std (11/03/20), but was also having difficulty getting vlans+VAPs to work with 12-14-2022-r51024.
I guess you are referring to the workaround that is now obsolete. My journey to this point gives me confidence that I could upgrade and get it working with relative ease.
Would you recommend easyddup or just reconfigure everything from scratch when doing that upgrade?
Reset after any large build jump this being over two years. If upgrading from webUI ignore the dropdown option.
After successful upgrade: webUI administration to factory defaults or nvram erase && reboot from Telnet as root.
