Everything looks correct. Does the pfsense have a configuration that matches?
I managed to track it down to nginx on the pfsense box. I set up WPAD on the two LAN segments, but it only passed "DIRECT" as a proxy. Even though the VLAN DHCP wasn't configured to use WPAD, it was throwing up an authorization error. Once I added all the VLAN segments to the nginx conf, it fired up.
I got it working with the following config. For some reason, it didn't like having the vlan3 config on vlan1.
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "0t 1 5"
swconfig dev switch0 set enable_vlan 2
swconfig dev switch0 vlan 2 set ports "0t 1t"
swconfig dev switch0 set enable_vlan 3
swconfig dev switch0 vlan 3 set ports "0t 1t 2 3 4"
swconfig dev switch0 vlan 3 set vid "27"
swconfig dev switch0 port 2 set vlan_prio "4"
swconfig dev switch0 port 3 set vlan_prio "4"
swconfig dev switch0 port 4 set vlan_prio "4"
swconfig dev switch0 port 5 set vlan_prio "4"
LAN and VLAN are both working with dnsmasq relaying DHCP from pfsense, so port 5 and ports 2-4 all obtain a correct IP and can browse the internet, etc.
I have one remaining issue before I start on the wifi.
The DD-WRT host does not see the DNS, so the box doesn't receive NTP and can't do lookups from the console.
I tried adding the settings to dnsmasq for vlan2, but it is not used.
The issue seems to be that the resolv.conf nameserver is pointing to itself rather than to the pfsense box, which I need.
I hope this helps someone else; it took me ages to get this working.
I have the 4 switch ports on a separate VLAN, and created two WAPs for home and guests.
The unit acts as a WAP/switch connected to pfsense, which supplies routing/DNS/DHCP/firewall.
Startup Script
Code:
# enable vlan support
swconfig dev switch0 set enable_vlan 1
# set 802.1Q port priorities for video streaming
swconfig dev switch0 port 2 set vlan_prio "4"
swconfig dev switch0 port 3 set vlan_prio "4"
swconfig dev switch0 port 4 set vlan_prio "4"
swconfig dev switch0 port 5 set vlan_prio "4"
# assign switch ports to VLAN27
swconfig dev switch0 vlan 1 set ports "0t 1t 2 3 4 5"
swconfig dev switch0 vlan 1 set vid "27"
# retain specific ports on LAN
swconfig dev switch0 vlan 2 set ports "0t 1"
swconfig dev switch0 vlan 2 set vid "1"
# create VLAN41 WLAN
swconfig dev switch0 vlan 4 set ports "0t 1t"
swconfig dev switch0 vlan 4 set vid "41"
# create VLAN51 WLAN-GUEST
swconfig dev switch0 vlan 5 set ports "0t 1t"
swconfig dev switch0 vlan 5 set vid "51"
swconfig dev switch0 set apply
Firewall Script
Code:
# Restrict VLANs from accessing br0's subnet but pass traffic through br0 to the internet
iptables -I FORWARD -i vlan1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# Pass VLAN27 (switch ports) to WAN Port
iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
Local IP (address of dd-wrt device)
Gateway/DNS (address of pfsense)
WAN Port - assign WAN port to switch
DHCP Server - disabled
Use DNSMasq for DNS
Forced DNS Redirection
Time Server - pfsense device
Advanced Routing
operating mode - Router
Switch Config
** don't touch anything **
Networking
VLAN Tagging
VLAN 0 eth0 Tag Number 51 ** my guest wifi vlan
VLAN 1 eth0 Tag Number 41 ** my home wifi vlan
Create Bridge
br0 STP off IGMP Off
br1 STP off IGMP On
br2 STP off IGMP On
** you need to create, save and apply (a couple of times to create and save the config)
** save and apply the bridge assignments - as above, sometimes a couple of times is needed.
Reboot to get eth0.41 and eth0.51 visible.
Port Setup
WAN Port - Vlan2
eth0, eth0.41, eth0.51, vlan1, vlan2, ath0, ath0.1, ath1, ath1.1 - leave bridge as Default
br1
leave multicast/isolation/force dns as disabled
add the IP of the dd-wrt you want for the home WLAN
br2
leave multicast/isolation/force dns as disabled
add the IP of the dd-wrt you want for the guest WLAN
Services - Dnsmasq
dnsmasq - enable
all others - disable
additional dnsmasq options
# set DNS server to pfsense
dhcp-option=br0,6,192.168.21.5
# Enables DHCP and forward to pfsense
interface=br1
dhcp-relay=192.168.41.10,192.168.41.5,br1
# Enables DHCP and forward to pfsense
interface=br2
dhcp-relay=192.168.51.10,192.168.51.5,br2
wan traffic - disable
I recommend doing a factory reset and NVRAM erase to ensure you have a clean NVRAM.
I found the unit to be very sensitive to changes, i.e. saving one thing screwed with something else.
Also, there was a lot of junk still in NVRAM after experimenting with the tagging, bridges, etc.
Even after these were deleted, there was still junk in NVRAM.
It is very important not to touch anything on the Switch Config tab, as it directly interferes with the startup settings.
Trying to repeat the exercise on a WR-1043ND v1. Not having much luck.
- Have separated wifi into separate nets.
- The DD-WRT box resolves DNS and can connect over the internet via the LAN address, but clients can't.
- There is no vid value, and filters don't seem to direct traffic via vlan2.
Here is my config for the TL-WR1043ND v1. My box has an Atheros AR9132 rev 2 (0xb9).
Here is the config I used to get it working.
Startup Script
Code:
# enable vlan support
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 set enable_vlan4k 1
# retain cascade connection
swconfig dev switch0 vlan 1 set ports "0 1 5t"
# assign switch ports to VLAN27
swconfig dev switch0 vlan 27 set ports "0t 2 3 4 5t"
# create VLAN41 WLAN
swconfig dev switch0 vlan 41 set ports "0t 5t"
# create VLAN51 WLAN-GUEST
swconfig dev switch0 vlan 51 set ports "0t 5t"
swconfig dev switch0 set apply
# Restrict VLANs from accessing br0's subnet but pass traffic through br0 to the internet
iptables -I FORWARD -i br0 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# Pass VLAN27 (switch ports) to WAN Port
iptables -I FORWARD -i br0 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o br0 -j ACCEPT
Local IP (address of dd-wrt device)
Gateway/DNS (address of pfsense)
WAN Port - assign WAN port to switch
DHCP Server - disabled
Use DNSMasq for DNS
Forced DNS Redirection
Time Server - pfsense device
Advanced Routing
operating mode - Router
Networking
VLAN Tagging
VLAN 0 eth0 Tag Number 51 ** my guest wifi vlan
VLAN 1 eth0 Tag Number 41 ** my home wifi vlan
Create Bridge
br0 STP off IGMP Off
br1 STP off IGMP On
br2 STP off IGMP On
** you need to create, save and apply (a couple of times to create and save the config)
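Both firewall scripts above (WDR3600 and WR1043ND) only DROP new connections from the guest/wifi bridges towards br0's subnet; nothing stops br2 (guest WLAN) from opening connections into br1's subnet (home WLAN). The script below is an added example, not code from the thread: it audits `iptables -S FORWARD` output for every untrusted bridge against every subnet that should be protected and prints the pairs that are still open. The subnets (192.168.21.0/24, 192.168.41.0/24) and the sample rule dump are constructed from the addresses used in the thread.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` as the thread's firewall script
# leaves it (LAN 192.168.21.0/24, guest bridge br2, home wifi bridge br1).
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -i vlan2 -o vlan1 -j ACCEPT
-A FORWARD -i vlan1 -o vlan2 -j ACCEPT
-A FORWARD -i br2 -d 192.168.21.0/24 -m state --state NEW -j DROP
-A FORWARD -i br1 -d 192.168.21.0/24 -m state --state NEW -j DROP
-A FORWARD -i vlan1 -d 192.168.21.0/24 -m state --state NEW -j DROP'

# missing_isolation RULES "IFACE..." "SUBNET...": prints "iface subnet" for
# every pair that has no matching DROP rule, i.e. a path clients on that
# bridge can still use to open connections into the subnet.
missing_isolation() {
  for ifc in $2; do
    for net in $3; do
      if ! printf '%s\n' "$1" | grep -q -- "-i $ifc -d $net .*-j DROP"; then
        echo "$ifc $net"
      fi
    done
  done
}

# print_fix "IFACE..." "SUBNET...": emits the DROP lines the firewall script
# would need for each pair reported by missing_isolation (same NEW-state
# match as the thread's rules, so LAN-initiated flows still get replies).
print_fix() {
  missing_isolation "$1" "$2" "$3" | while read -r ifc net; do
    echo "iptables -I FORWARD -i $ifc -d $net -m state --state NEW -j DROP"
  done
}

# audit "IFACE..." "SUBNET...": use the live ruleset on a router, otherwise
# the constructed sample so the script also runs off-device.
audit() {
  if command -v iptables >/dev/null 2>&1; then
    rules=$(iptables -S FORWARD)
  else
    rules=$SAMPLE_RULES
  fi
  missing_isolation "$rules" "$1" "$2"
}
```

Run it from the DD-WRT shell with the guest bridge and the subnets you consider trusted, e.g. `audit "br2" "192.168.21.0/24 192.168.41.0/24"`; an empty result means every listed pair is blocked.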
Not so perfect yet. Each one works independently, but when I connect the WAN port of the WDR3600 to the LAN port of the WR1043ND (or vice versa), the downstream unit's wifi (vlan41 and 51) doesn't work.
The LAN and VLAN27 do work on both devices.
So it seems to be something to do with the downstream bridge.