Posted: Sun Sep 22, 2019 13:29 Post subject: [SOLVED, BUG] Unable to get VLAN to wifi bridge working
Scenario:
I'm linking a friend onto my broadband connection (that is ridiculously faster than theirs) via a point-to-point wifi link. I've got a pfSense router doing the heavy lifting and a managed VLAN aware switch at my house. Unfortunately due to the nature of the point-to-point link, at present I can only pass tagged traffic to the other side, unless I run extra cables up a roof, which isn't ideal, but doable if needed. Router I'm using is a Netgear R7000, currently running Firmware: DD-WRT v3.0-r41075 (09/20/19), and have tried various builds, including the old Kong PTB test builds I had.
Current setup:
No untagged traffic
VLAN 4 - Backup WAN traffic
VLAN 5 - Main LAN
VLAN 6 - Kids LAN
VLAN 9 - Management LAN
VLAN 10 - My LAN over there
The setup I am aiming for is to do the following:
Route all tagged traffic into an ethernet port from the point to point wifi
Route one untagged port connected to VLAN 4 - they have a slow internet connection there that I'd like to set up as a backup in case all the others fail
Have two ethernet ports connected to VLAN 5
Have a wifi network connected to VLAN 5
Have a separate wifi network connected to VLAN 6
VLAN 9 is my general management VLAN for all my other devices - not the end of the world if I can't get an IP on the router on that, but it'd be nice to be able to get remote access to the web / SSH interfaces via the management LAN
An additional wifi network on VLAN 10 so I can access my own network over there would be nice.
I've spent the last week desperately trying to get even the most basic setup running. I can get the ethernet ports talking on VLAN 4 and 5 as desired, but any attempts to bridge any VAPs to the VLAN result don't work. I had the idea of bridging VLAN 5 with VLAN 1 or 2, which would mean I could simply the network somewhat, but any attempts to do so result in losing all contact with the router and it still doesn't route anything. I can customise VLAN numbers as needed, even tried routing over VLAN 2 at one point and using VLAN 2 tagged on the trunk port in the hope it'd actually reach the bridge, but no dice.
I've been using the instructions on https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports, trying pure SSH configuration and poking the web interface, to no real effect - I can get the physical ports to do exactly what I want, but the wifi connections thus far are eluding me. I will reproduce the commands I've been using to attempt to get this working if they're needed, but if anyone has any bright ideas before I tear my hair out, I'd much appreciate it!
Last edited by microchip on Mon Sep 23, 2019 22:11; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12909 Location: Netherlands
Posted: Sun Sep 22, 2019 16:24 Post subject:
If you are unbridging a VAP on broadcom then you will have to use one of the following tweaks (from my personal notes for what they are worth):
Quote:
From approximately mid 2018 VAP's on Broadcom units are problematic, you cannot connect or do not get an IP address. There are workarounds :
1) When VAP is not working at boot; workaround startup command Administration/Commands, Save as Startup:
sleep 10; stopservice nas; stopservice wlconf; startservice wlconf; startservice nas;
2) Alternative way to get VAP working: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317181
3) An other user reports the following workaround (save as startup):
sleep 4; stopservice cron; stopservice wlconf; wlconf eth1 up; wlconf eth2 up; startservice cron;
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319412
4)This one is from @Redhawk (guaranteed to work ):
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas; logger "VAP workaround executed";
If you are unbridging a VAP on broadcom then you will have to use one of the following tweaks (from my personal notes for what they are worth):
Quote:
From approximately mid 2018 VAP's on Broadcom units are problematic, you cannot connect or do not get an IP address. There are workarounds :
1) When VAP is not working at boot; workaround startup command Administration/Commands, Save as Startup:
sleep 10; stopservice nas; stopservice wlconf; startservice wlconf; startservice nas;
2) Alternative way to get VAP working: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317181
3) An other user reports the following workaround (save as startup):
sleep 4; stopservice cron; stopservice wlconf; wlconf eth1 up; wlconf eth2 up; startservice cron;
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319412
4)This one is from @Redhawk (guaranteed to work ):
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas; logger "VAP workaround executed";
I am no VLAN expert but tagging is not supported over wifi I think, but you can unbridge the wifi and bridge it to another VLAN
I'd forgotten about the stopservice/startservice trick - I had to use that with the VLAN setup I had at work on another R7000, with main and guest wifi. Thanks for that!
You are correct about not being able to tag the wifi - what I've been trying to do is connect a bridge to VLAN 5 and connect that to the wifi.
I'll try the last backup I took that had all the wired ports working and try the wifi with it. I've got painfully close with some of the configurations. I'll try unbridging the WLANs from br0 and try to bridge up onto a new one. Fingers crossed.
If that fails, I'll post up the configurations I've got from the CLI.
Got everything working perfectly on the hardware ports, along with commands used to reproduce it. Can't get the wifi to play ball at all as yet - I get a fairly rapid "can't connect to this network" thus far. Here's where I'm up to:
Existing hardware configuration:
DHCP server provided by pfSense and available on all VLANs except VLAN 4, where DHCP will be provided from port 4 back to the network
VLAN 4 - Uplink VLAN for backup broadband connection
VLAN 5 - Main LAN - pfSense 192.168.35.1/24
VLAN 6 - Kids LAN - pfSense 192.168.36.1/24
VLAN 10 - My LAN - pfSense 192.168.15.1/24
VLAN 15 - Guest LAN - pfSense 192.168.45.1/24
Setup sequence:
nvram erase, reboot
Set username and password
Disable WAN connection
Set router name and hostname
Assign WAN port to switch
Disable DHCP server
Set timezone to Europe/London
Add uk.pool.ntp.org as NTP server
Apply settings
Go to services
Disable Dnsmasq
Disable telnet
Enable SSHd with key
Enable Syslogd
Disable ttraff
Apply settings
Wireless -> Basic settings
Set regulatory domain to United Kingdom, set SSIDs, network modes, channels
Apply settings
SSH in to console:
Starting relevant configuration:
Code:
root@DD-WRT:~# nvram show | grep vlan.*ports | sort
nvram show | grep port.*vlans | sort
nvram show | grep vlan.*hwname | sort
size: 35549 bytes (29987 left)
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
root@DD-WRT:~# nvram show | grep port.*vlans | sort
size: 35549 bytes (29987 left)
port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 16
root@DD-WRT:~# nvram show | grep vlan.*hwname | sort
brctl show
size: 35549 bytes (29987 left)
vlan1hwname=et0
vlan2hwname=et0
root@DD-WRT:~# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.e4f4c614c923 no eth1
eth2
vlan1
vlan2
Configuring for tagged input VLANs on port 0 (WAN port), VLAN 5 accessible untagged on ports 2 and 3, VLAN 4 to port 4, leaving port 1 as default to continue accessing the web interface / SSH:
Code:
nvram set vlan4hwname=et0
nvram set vlan5hwname=et0
nvram set vlan6hwname=et0
nvram set vlan7hwname=et0
nvram set vlan9hwname=et0
nvram set vlan10hwname=et0
nvram set vlan15hwname=et0
nvram set vlan1ports="1 5*"
nvram set vlan4ports="0t 4"
nvram set vlan5ports="0t 2 3 5"
nvram set vlan6ports="0t 5"
nvram set vlan7ports="0t 5"
nvram set vlan9ports="0t 5"
nvram set vlan10ports="0t 5"
nvram set vlan15ports="0t 5"
nvram set port0vlans="4 5 6 7 9 10 15 16 18 19 21"
nvram set port1vlans="1 18 19 21"
nvram set port2vlans="5 18 19 21"
nvram set port3vlans="5 18 19 21"
nvram set port4vlans="4 18 19 21"
nvram set port5vlans="4 5 6 7 9 10 15 16 18 19 21"
nvram commit
reboot
I now have everything working from the ports port of view. What I need now, ideally, is to somehow get the primary WLAN bridged with VLAN 5, and get VAPs working on VLAN 6, 10 and 15. I'll update if I make further progress, but any assistance would be gratefully received.
Update: I've added one VAP and attempted to bridge it (as wl0.1 and wl1.1 to VLAN 6). Didn't work, even with the above workarounds, unfortunately. brctl output:
Update 2: Spotted that I haven't got port 5 in the vlanXports lines I'll try that tonight and see if it gets me any closer. Edit: Unfortunately it didn't. I've updated the above lines appropriately.
Managed to get further. Setting an IP address for the bridges under Setup->Networking allowed me to get the first VLAN functioning, and I bridged eth1 and eth2 with VLAN 5 (using br1), and I can log on successfully to the main LAN. On the CLI, I can ping the appropriate gateways specifying the correct bridge. Still can't log on to the VAPs though. Next step, trying a different build.
Edit: Still no dice with DD-WRT v3.0-r41113 (09/23/19) or an old favorite reconfiguring from scratch, DD-WRT v3.0-r35030M kongac.
The final issue, as I've seen a good few times around this forum, is that I can't get the VAPs talking to the VLANs. Going to try the modified wlconf next.
Reverted to DD-WRT v3.0-r41113, and uploaded the patched wlconf . It worked. Whatever the problem is, it's somewhere in that wlconf. I'll store it on jffs and set it up in the startup commands. Thank you, egc, for pointing me in the right direction - #2 on your list was the solution. It has been breaking my brain for some time.
Reverted to DD-WRT v3.0-r41113, and uploaded the patched wlconf . It worked. Whatever the problem is, it's somewhere in that wlconf. I'll store it on jffs and set it up in the startup commands. Thank you, egc, for pointing me in the right direction - #2 on your list was the solution. It has been breaking my brain for some time.
Hi,
Where did you get the patched wlconf? and how to activate it on dd-wrt (via GUI?)?
From the post titled above as "Alternative way to get VAP working" - link here.
Scroll down to the "Patched wlconf binary." and download it.
I suggest formatting and mounting JFFS in Administration->Management, so you can upload the binary to it using SSH/SFTP - I created the directory /jffs/bin and copied the patched wlconf into it, and added the following commands to the startup script:
sleep 10; stopservice nas; stopservice wlconf; /jffs/bin/wlconf eth1 up; /jffs/bin/wlconf eth2 up; startservice nas
Unfortunately there's no "pretty" / GUI only way to do it short of patching the image yourself so the GUI uses the alternate tools. Got to get your hands dirty on the command line somewhat.
Thanks a lot. Let me try. My Archer C9v1 VAP can't be connected (VLAN bridged with br1 & wl0.3). Will report back.
update 8 Nov 2019: The patched wlconf and startup script solved the VLAN associating with VAP (VLAN bridged with br1 & wl0.x). Thanks a lot. Now my Archer C9v1 (r3.0-r41027) has main LAN wifi, and IOT VAP working with VLAN tagging.
Last edited by bthoven on Fri Nov 08, 2019 4:37; edited 1 time in total
You have how many pfSense boxes and you're doing this on DD-WRT? I could explain how logically that is bankrupt, but I'd get yelled at.
Spare R7000 unit that I wanted with multiple VLAN->SSIDs, as a relatively dumb access point. My main network is all Ubiquiti gear, and works perfectly in this configuration. It's not illogical to use your old kit rather than spend more money out when it's unnecessary, especially for a side project to help a mate out. pfSense is a great router, but I wouldn't stick wifi on it. DD-WRT didn't exactly seem made to be malhandled into a multiple VLAN wifi AP configuration, but sometimes the challenge is part of the attraction
The frustrating part was that everything seemed to be there, but it just didn't work, due to the problem with the software on the router itself.
Posted: Thu Dec 12, 2019 16:58 Post subject: What's your final config?
Microchip,
I've got a VERY similar setup to yours. It's not clear what you ended up with...
* port.*vlans? (Does port 5 need all those extras?)
* brctl show ?
* You bridged some things that don't seem necessary for your config; presumably they are needed so the HW/FW works. I'm thinking vlan1, eth1, eth2...
* Any idea why vlan1 needs 5* as opposed to some other vlan?
The vlans on port 5 were needed in order to allow them to be transmitted to the WLAN bridge, from memory, as tagged traffic to the "CPU" port (see Switched Ports on the Wiki for details). From memory the asterisk indicated the CPU-connected port, and also was the default route for untagged traffic. Much of the information I gained was from the above link. There's an illustration at Default Configuration Overview that I used to help visualise the reasoning behind the VLAN setup.
I ended up with the following in NVRAM in the end:
bridge name bridge id STP enabled interfaces
br0 8000.e4f4c614c923 no vlan1
vlan2
br1 8000.e4f4c614c923 yes eth1
eth2
vlan5
br2 8000.e4f4c614c923 yes vlan6
wl0.1
wl1.1
br3 8000.e4f4c614c923 yes vlan10
VLAN 10 is the control interface for my devices. br0 is the default bridge with vlan1 and vlan2 in it. vlan5 connects to ports 1, 2 and 3 listed above (and tagged on 0 and 5). Port 4 connects to VLAN 4 (used for a backup internet connection, routes straight back to my pfSense box as a gateway). I moved the default wifi VLAN to be on vlan 5 (so bridged in to br1), and the secondary VAPs on 2.4/5GHz you can see directly on br2. vlan1 and vlan2 are built-in to the router, and messing with them just broke stuff. From memory, 5* was the default on vlan1.
Port 0 is the WAN port with all the incoming VLANs from memory. Port 5 is an internal port - not sure if hardware or physical.
Hope that helps... I know it's a bit of a complex setup. Unfortunately I've not got GUI access from here so I can't show details from that, but the above is what is actually in the working setup.
