Posted: Wed May 15, 2019 2:04 Post subject: updated my setup
I expanded on my idea for simplifying the WAN vlan, and I did the same thing on the LAN side. You can send tagged and untagged packets to a single port. If we apply this to the LAN cpu port you can continue to use eth1 for your main network.
My "swconfig dev switch0 show" now looks like this:
The main change here is with vlan1. Instead of sending tagged vlan1 packets to port 6, I send untagged. Untagged port 6 is eth1. Now, just like vlan2 with the WAN connection, vlan1 is not needed as an interface in the router. It's only needed in the switch to route traffic.
My bridge config now looks like this:
Bridge Name   STP   Interface
br0           no    ath0 ath1 ath2 eth1
br1           no    vlan3
br2           no    vlan4
and my startup script:
Code:
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "6 0t 1 2 3"
swconfig dev switch0 vlan 2 set ports "5 4"
swconfig dev switch0 vlan 3 set ports "6t 0t"
swconfig dev switch0 vlan 4 set ports "6t 0t"
swconfig dev switch0 set apply
These changes made the startup script much simpler, and basically set most settings back to default. Also, port 0 is still my trunk port that carries traffic for multiple vlans.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Fri May 17, 2019 15:37 Post subject:
My last post incorporated TheDude1864's simpler approach to the WAN into my configuration. Here I go further and incorporate his simpler eth1 approach as well. The new editing steps for the Startup commands in Administration>Commands are
A. Change "6t 2 3" to "6 2 3" in the swconfig command.
B. Remove the vconfig and ifconfig lines for vlan 1.
C. Remove the brctl add line for vlan1
D. Remove the brctl del line for eth1
The changes from both posts leave the Startup code greatly simplified and looking like this:
Code:
#split the LAN on the port 6 cpu into eth1 (untagged) and vlan3 (tagged)
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
#vlans 1 and 2 connect eth1 and eth0 to the correct ports
swconfig dev switch0 vlan 1 set ports "6 2 3"
swconfig dev switch0 vlan 2 set ports "5 4"
#a new vlan 3 interface will handle the remaining ports
swconfig dev switch0 vlan 3 set ports "6t 0 1"
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 3
ifconfig vlan3 up
brctl addif br1 vlan3
Note that there is no need, at least on BS release 39144 for the WRT1900ACSv2, to restart the wan.
In Setup>Networking the WAN port is eth0, and the bridging table looks like this:
br0 no ath1 eth1
br1 no ath1.2 vlan3
Thanks again, TheDude1864, for the excellent upgrade to this thread's project! _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Posted: Wed Jul 03, 2019 12:55 Post subject: My physical port 4 on WRT3200 doesn't receive ip from DHCP
hi
Very many thanks to all for their effort on the work that has been done.
By the way, after using @TheDude1864's simplified startup script, my physical port 4 doesn't receive an IP from DHCP. Even when I set it manually nothing happens. Is that the expected behavior after the startup script?
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu Jul 04, 2019 18:28 Post subject: Re: My physical port 4 on WRT3200 doesn't receive ip from D
delacosta456 wrote:
hi
Very many thanks to all for their effort on the work that has been done.
By the way, after using @TheDude1864's simplified startup script, my physical port 4 doesn't receive an IP from DHCP. Even when I set it manually nothing happens. Is that the expected behavior after the startup script?
See TheDude1864's original post in this thread, dated Mon May 13, 2019 10:38 for this:
TheDude1864 wrote:
Also, just a side note. I connect all of my vlans to bridges. The reason for this is the DHCP service. Much like how the WAN service has to be restarted after configuration, so does a DHCP service on a vlan that won't exist until after the start up script has run. By assigning my vlans to a bridge and then setting up DHCP on the bridge there is no need for any service restarts in the script. The DHCP service starts and attaches to the bridge, and you're good to go.
(I also have each multi-LAN-port vlan associated with a bridge.)
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Tue Sep 03, 2019 15:00 Post subject: Re: About new Switch Config TAB
delacosta456 wrote:
hi
I just upgraded my firmware to the latest release and there is now a "Switch Config" tab to configure VLANs.
However, I don't know where to start.
Can somebody help, please?
Thanks
Sorry about the slow response, but I only just now got onto a release new enough to have this new tab.
Based on what I'm seeing checked in that tab, it seems it has zero to do with a swconfig setup like we use and likely everything to do with the old, Broadcom-specific nvram setup I talk about briefly at the beginning of this thread. I don't think we can use this new tab in any way.
The good news is that the VLAN setup we've developed in this thread seems to have worked great for me in 36698, 37736, 38169, 39144, 40009, and 40784. I've never been forced by an upgrade to make any changes.
Posted: Sat Dec 07, 2019 9:32 Post subject: Is there a solution for a router set up as an access point?
Hey there. I am so glad to have found this thread, as I have this up and working as a router connected in double NAT on my LAN. However, I am wondering if there is a better way to set this up in access point mode. I am following the instructions below to successfully create the bridged access point with a guest wireless network, and when I paste the VLAN code in the startup commands, the "swconfig dev switch0 show" output is right, but I cannot connect to the internet from ports 1 and 2, which are on VLAN 3. What did I miss?
===========================
Guest Network on Bridge:
Configure AP + Guest
reset router to factory defaults
Setup / Basic Setup
Connection Type Disabled
Assign WAN Port to Switch >>>check
Local IP Address 192.168.1.3 (assuming your main network is on the 192.168.1.0 subnet and this IP isn't being used)
Subnet Mask >>> 255.255.255.0
Gateway >>> IP of router connected to internet
Local DNS >>> IP of router connected to internet
DHCP Server >>> disabled
Uncheck Use DNSMasq for DHCP
Uncheck Use DNSMasq for DNS
Save
wait 15 seconds click Apply
You can now connect by network cable to a LAN port within your network and access at its 192.168.1.3 IP.
Setup / Advanced Routing
Operating Mode >>> Router
Wireless / Basic Settings
add VAP
Save
wait 15 seconds click Apply (in this order or it won't show)
Setup / Networking
create bridge (br1)
Save
wait 15 seconds click Apply
put in IP address for br1 >>> 192.168.2.1
subnet mask for br1 >>> 255.255.255.0
Save
wait 15 seconds click Apply
wait 30 seconds
add Assign to Bridge ( br1 to wl0.1)
Save
wait 15 seconds click Apply
Services >>> under DNSMasq
disable all but DNSMasq
in Additional DNSMasq Options (copy/paste)
Code:
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -d DDWRT_LAN_IP_ADDR -m state --state NEW -j DROP
iptables -I INPUT -i br1 -d BR1_IP_ADDR -m state --state NEW -j DROP
iptables -I INPUT -i br1 -d BR1_IP_ADDR -p udp --dport 53 -j ACCEPT
click Save Firewall
Anyone connected to the VAP (wl0.1) can access the internet but are restricted from anything on 192.168.1.0
You can add additional firewall rules if you want access to a specific device on main network from guest network. _________________ WRT3200ACM x2 presently running LEDE.
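An added example (mine, not part of Dexterity06's post or the guide he pasted) that renders those five rules with real addresses and shows the order they actually end up in. It targets the two things that most often go wrong with this block: the DDWRT_LAN_IP_ADDR and BR1_IP_ADDR names have to be replaced by you (iptables rejects a rule whose address it cannot resolve, and nobody sees the error when it runs from the DNSMasq options box), and `iptables -I` inserts each rule at the top of its chain, so the chain reads in the reverse of the paste order. When run on the router it takes the LAN address from nvram; elsewhere it falls back to constructed values matching the guide (192.168.1.3/255.255.255.0 and br1 at 192.168.2.1). The verify function uses `iptables -C` and so only does anything on the router.

```shell
#!/bin/sh
# Added example, not from the thread: render the guest-isolation rules with real
# addresses, show the effective chain order, and (on the router) confirm they exist.

# The template is the block from the guide above, placeholders and all.
GUEST_RULES_TEMPLATE='iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -d DDWRT_LAN_IP_ADDR -m state --state NEW -j DROP
iptables -I INPUT -i br1 -d BR1_IP_ADDR -m state --state NEW -j DROP
iptables -I INPUT -i br1 -d BR1_IP_ADDR -p udp --dport 53 -j ACCEPT'

# Addresses: real ones from nvram on DD-WRT, constructed stand-ins elsewhere.
if command -v nvram >/dev/null 2>&1; then
    LAN_IP=$(nvram get lan_ipaddr)
    LAN_MASK=$(nvram get lan_netmask)
else
    LAN_IP=192.168.1.3          # constructed: the AP address used in the guide
    LAN_MASK=255.255.255.0
fi
BR1_IP=192.168.2.1              # the br1 address chosen in the guide; set to yours

# render_guest_rules: substitute every placeholder; refuse to emit rules if one
# survives, since iptables would reject that line and leave the hole open.
render_guest_rules() {
    out=$(printf '%s\n' "$GUEST_RULES_TEMPLATE" \
        | sed -e "s|\`nvram get lan_ipaddr\`|$LAN_IP|g" \
              -e "s|\`nvram get lan_netmask\`|$LAN_MASK|g" \
              -e "s|DDWRT_LAN_IP_ADDR|$LAN_IP|g" \
              -e "s|BR1_IP_ADDR|$BR1_IP|g")
    case "$out" in
        *_IP_ADDR*|*nvram*) echo "render_guest_rules: unresolved placeholder" >&2; return 1 ;;
    esac
    printf '%s\n' "$out"
}

# effective_order CHAIN: reads rendered rules on stdin and prints CHAIN's rules in
# the order the kernel evaluates them. Every -I goes to position 1, so each later
# line lands above the earlier ones.
effective_order() {
    awk -v chain="$1" '
    {
        c = ""
        for (i = 1; i < NF; i++) if ($i == "-I") c = $(i + 1)
        if (c == chain) lines[++n] = $0
    }
    END { for (i = n; i >= 1; i--) print (n - i + 1) ". " lines[i] }'
}

# dns_rule_first: true if the udp/53 ACCEPT sits above the DROP for the br1
# address, which is the only reason guests can still resolve names via dnsmasq.
dns_rule_first() {
    render_guest_rules | effective_order INPUT | sed -n 1p | grep -q -- '--dport 53 -j ACCEPT'
}

# verify_rules_present: on the router, re-check each rule with "iptables -C"
# rather than trusting the paste. Returns 1 if a rule is missing, 2 without iptables.
verify_rules_present() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not available on this host" >&2; return 2; }
    tmp=$(mktemp) || return 2
    render_guest_rules | sed 's/ -I / -C /' > "$tmp"
    missing=0
    while read -r check; do
        $check >/dev/null 2>&1 || { echo "MISSING: $check" >&2; missing=1; }
    done < "$tmp"
    rm -f "$tmp"
    return $missing
}

# Stand-alone demo
echo "== rendered rules =="
render_guest_rules
echo "== INPUT chain as evaluated =="
render_guest_rules | effective_order INPUT
```

The rendered INPUT chain reads ACCEPT udp/53 first, then the two DROPs, which is what makes the order of those three pasted lines matter: reverse them and the DNS rule would sit below a DROP that already matched the same destination.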
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sat Dec 07, 2019 17:46 Post subject: Re: Is there a solution for a router set up as an access poi
Dexterity06 wrote:
Hey there. I am so glad to have found this thread, as I have this up and working as a router connected in double NAT on my LAN. However, I am wondering if there is a better way to set this up in access point mode. I am following the instructions below to successfully create the bridged access point with a guest wireless network, and when I paste the VLAN code in the startup commands, the "swconfig dev switch0 show" output is right, but I cannot connect to the internet from ports 1 and 2, which are on VLAN 3. What did I miss?
I'm not 100% confident that I follow all the details in your setup, but I'm not sure that matters, since you say that other things are working.
What strikes me is that you haven't said what your purpose is in splitting off two of the lan ports into vlan3. You don't need a bridge for a VAP unless you plan to bridge something else to it, like say vlan3. So is that the intent? You don't indicate any assignment of vlan3 to a bridge. (If you bridge vlan3 with your guest network, you can't fully isolate guests from each other, as vlan3 clients will be able to see each other and any guest-wifi client, and vice versa. AP isolation on the guest wifi will keep wifi guests from seeing each other, but that's the only inter-guest isolation you'll have.) What does the current bridging table under GUI>Setup>Networking look like?
You also don't say what dd-wrt build you are running.
It strikes me from your details that you may be working off very old instructions. If your build is not ancient (and maybe even if it is), you can go into GUI>Setup>Networking, find the br1 section near the bottom, check Net Isolation, and it will create firewall rules to isolate br0 and br1 from each other. You won't need to do that by hand in the Firewall section.
I'm also fuzzy on why you have the SNAT rule there for br0. Isn't that taken care of automatically? (I'm not sure... you tell me.) Did you check the current firewall rules to see what's there before adding new ones? Take a look at iptables -t nat -vnL POSTROUTING to hunt for nat rules and (iptables -vnL FORWARD) to hunt for isolation rules.
And have you checked the firewall after your iptables commands are executed to see if the corresponding rules were created? Generally if you format a nonsense rule, iptables will do nothing and give you no clue that it did nothing. Part of what makes me wonder is seeing DDWRT_LAN_IP_ADDR and BR1_IP_ADDR in those rules. Are you substituting actual IP addresses there yourself? Those names will certainly not do it for you.
Forgive me if I mistarget your level of background here. I definitely haven't zeroed in on it yet!
Joined: 17 Jan 2010 Posts: 30 Location: Denver Colorado
Posted: Sat Dec 07, 2019 22:56 Post subject:
SurprisedItWorks wrote:
Hello Javier,
Don't worry about your English. My Spanish is very bad.
I don't know how I can help though. I'm not a networking expert and don't even know what "trunk mode" is. My little project in the first post here was really about splitting the LAN ports and nothing else.
I wish you luck though.
Surprised this works.
Thanks for the post, it's amazing the amount of detailed work you have done putting this together. I would like to use your design to create two VLANs on my WRT3200ACM (build 40559 flashed yesterday).
I ultimately want to bind one Vlan to OpenVPN and CyberGhost for VPN protection and leave the other open to the less filtered internet for my web server, Netflix and being able to VPN into customer sites.
- - - Relative to a Post you made in response to Javier
I'm not a networking expert either but do end up working with Cisco switches at work.
Not sure if it's still a question but a "Trunk" is when you bundle more than one vlan into a single port. Sometimes all of them are tagged, alternatively one of them is not tagged and the others are all tagged.
The untagged vlan in a "Trunk" is called the "Native Vlan" at least in Cisco speak. Trunks are typically used to make connections between switches or access points.
If you have multiple SSIDs you can send a Trunk to the AP and map each VLAN to a different SSID. If it's switch to switch by default it will send all VLANs across in a trunk (1 to 4094) but you can limit that expressly if you want to limit traffic across a link (typically a good idea).
The Cisco commands would look something like this.
The above command would generate a trunk port bundling VLANs 3, 4, 5 and 6 leaving vlan 3 as untagged (Typically this would be the management VLAN). Alternatively you could just issue the command.
interface g1/2
switchport mode trunk
This would allow all tagged traffic to traverse the link (VLANs 1-4094) and would have a native vlan of 1 included implicitly.
Both sides of the switch have to have the same Native Vlan (It's Vlan 1 by default if you don't specify it, though Cisco best practice recommends that you change it and never use Vlan1 at all because it is the default for so many things). The switches use the Native Vlan to talk to each other and you can use it as well for management or other purposes.
If the native VLANs are different the switches still see each other because they are both using untagged traffic but it generates a "Native Vlan Mismatch error" and causes problems.
The other option would be to create an "Access Port." An access port is a port with only one untagged vlan on it. The command would look like this.
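To tie the Cisco vocabulary back to the swconfig lines used in this thread, here is an added example (mine, not John's and not any project's code) that takes a per-port plan written in access/trunk terms and emits the matching `swconfig dev switch0 vlan N set ports` block. An access port becomes an untagged member of its one VLAN; a trunk becomes an untagged member of its native VLAN and a tagged member of every other allowed VLAN, with `native=none` meaning every allowed VLAN is tagged. The plan format is invented for this example. The constructed plan reproduces TheDude1864's earlier layout (port 6, the eth1 CPU port, as a trunk with native VLAN 1; port 0 as an all-tagged uplink trunk; access ports elsewhere), so the output matches his script apart from port ordering within each line.

```shell
#!/bin/sh
# Added example, not from the thread: turn an access/trunk plan (Cisco vocabulary)
# into swconfig port-membership lines. Plan format (invented for this example):
#   <port> access vlan=<id>
#   <port> trunk native=<id>|none allowed=<id>,<id>,...

# Constructed plan reproducing the earlier layout: ports 1-3 are LAN access ports
# in vlan1, ports 4 and 5 carry the WAN in vlan2, port 6 (eth1 CPU port) is a trunk
# with native vlan1 plus vlans 3 and 4 tagged, and port 0 is an uplink trunk that
# carries everything tagged (no native VLAN).
PLAN='0 trunk native=none allowed=1,3,4
1 access vlan=1
2 access vlan=1
3 access vlan=1
4 access vlan=2
5 access vlan=2
6 trunk native=1 allowed=1,3,4'

# Constructed invalid plan: the native VLAN is not in the allowed list, so untagged
# frames arriving on that port would have no VLAN to land in.
BAD_PLAN='0 trunk native=9 allowed=1,3'

# plan_to_swconfig: reads plan lines on stdin, prints a complete startup block.
# Exit status 1 on a malformed line or a trunk whose native VLAN is not allowed.
plan_to_swconfig() {
    awk '
    $2 == "access" {
        split($3, kv, "=")
        members[kv[2]] = members[kv[2]] " " $1          # untagged: the port PVID
        next
    }
    $2 == "trunk" {
        split($3, kv, "="); native = kv[2]
        split($4, kv, "="); n = split(kv[2], allowed, ",")
        ok = (native == "none") ? 1 : 0
        for (i = 1; i <= n; i++) {
            v = allowed[i]
            if (v == native) { members[v] = members[v] " " $1; ok = 1 }   # untagged
            else members[v] = members[v] " " $1 "t"                          # tagged
        }
        if (!ok) { print "port " $1 ": native vlan " native " not in allowed list" > "/dev/stderr"; bad = 1 }
        next
    }
    NF { print "unrecognised plan line: " $0 > "/dev/stderr"; bad = 1 }
    END {
        if (bad) exit 1
        print "swconfig dev switch0 set reset 1"
        print "swconfig dev switch0 set enable_vlan 1"
        for (v = 1; v <= 4094; v++)
            if (v in members) {
                sub(/^ /, "", members[v])
                print "swconfig dev switch0 vlan " v " set ports \"" members[v] "\""
            }
        print "swconfig dev switch0 set apply"
    }'
}

# gen_from_plan PLAN: wrapper for a plan held in a variable.
gen_from_plan() {
    printf '%s\n' "$1" | plan_to_swconfig
}

# Stand-alone demo
gen_from_plan "$PLAN"
gen_from_plan "$BAD_PLAN" || echo "bad plan rejected (exit $?)"
```

The generated line for vlan 1 is `"0t 1 2 3 6"`: the uplink trunk tagged, the three access ports and the CPU port untagged, which is the same membership as the earlier `"6 0t 1 2 3"` in a different order.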
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sun Dec 08, 2019 0:10 Post subject:
Hi John... Thanks for the education! And for the kind words re the VLAN effort. Yes indeed, it was a bit of a project!
I assume you looked at the Marvell new-build thread for 40559? My notes point to it needing two Apply steps sometimes on the OpenVPN page in order to get the VPN to start up. The one router I run on a build of similar vintage (40784) should have the same behavior, but I find I actually need a reboot if I change anything in OpenVPN. So just be aware.
Cheers...
Posted: Sun Dec 08, 2019 14:26 Post subject: Re: Is there a solution for a router set up as an access poi
SurprisedItWorks wrote:
Dexterity06 wrote:
Hey there. I am so glad to have found this thread, as I have this up and working as a router connected in double NAT on my LAN. However, I am wondering if there is a better way to set this up in access point mode. I am following the instructions below to successfully create the bridged access point with a guest wireless network, and when I paste the VLAN code in the startup commands, the "swconfig dev switch0 show" output is right, but I cannot connect to the internet from ports 1 and 2, which are on VLAN 3. What did I miss?
I'm not 100% confident that I follow all the details in your setup, but I'm not sure that matters, since you say that other things are working.
What strikes me is that you haven't said what your purpose is in splitting off two of the lan ports into vlan3. You don't need a bridge for a VAP unless you plan to bridge something else to it, like say vlan3. So is that the intent? You don't indicate any assignment of vlan3 to a bridge. (If you bridge vlan3 with your guest network, you can't fully isolate guests from each other, as vlan3 clients will be able to see each other and any guest-wifi client, and vice versa. AP isolation on the guest wifi will keep wifi guests from seeing each other, but that's the only inter-guest isolation you'll have.) What does the current bridging table under GUI>Setup>Networking look like?
You also don't say what dd-wrt build you are running.
It strikes me from your details that you may be working off very old instructions. If your build is not ancient (and maybe even if it is), you can go into GUI>Setup>Networking, find the br1 section near the bottom, check Net Isolation, and it will create firewall rules to isolate br0 and br1 from each other. You won't need to do that by hand in the Firewall section.
I'm also fuzzy on why you have the SNAT rule there for br0. Isn't that taken care of automatically? (I'm not sure... you tell me.) Did you check the current firewall rules to see what's there before adding new ones? Take a look at iptables -t nat -vnL POSTROUTING to hunt for nat rules and (iptables -vnL FORWARD) to hunt for isolation rules.
And have you checked the firewall after your iptables commands are executed to see if the corresponding rules were created? Generally if you format a nonsense rule, iptables will do nothing and give you no clue that it did nothing. Part of what makes me wonder is seeing DDWRT_LAN_IP_ADDR and BR1_IP_ADDR in those rules. Are you substituting actual IP addresses there yourself? Those names will certainly not do it for you.
Forgive me if I mistarget your level of background here. I definitely haven't zeroed in on it yet!
Thank you for this reply and for this thread. I also agree that this has given me a real chance to dig deeper into VLANs in a way I have not been able to before. I am certainly a novice, but I am learning through the process. A few clarifications:
1. I am running r40559 on WRT3200.
2. I am trying to create three separate subnets: 1 for wifi and wired computers and devices for general use, another for IOT devices and a third for guests/misc. I used your code in start-services, and the networking setup has br0 and br1, where I split off vlan3 and guest wireless onto br1 away from the rest.
3. You are right I am working off old instructions, as I am just returning to DD-WRT after a couple of years of using Asusmerlin with RT-AX88U.
The reason I am doing this is because for the life of me I cannot figure out how to do this on the AX88U but I like using it as a router. Because I don't really know how to create VLANs on that unit, I am back to trying to use the WRT3200 as the router for all my IOT devices, wired and wireless. That's why I am trying to use it in Access Point/Bridge mode. Thank you for the suggestions on the way to accomplish the isolation better. I will look into that.
More important, I am trying to decide if there is any advantage to going back to the WRT to use just as a wired router and letting the AX88U take care of the wireless across the house. I also like the increased power of the 88U and the idea of using just one system across the house. I really like the more open source environment of DDWRT and frankly miss this community. So, with all that said, I have these questions.
1. Where is the best place to create VLANs? Is it only at the router/ISP connection, or is there a scenario where you should originate VLANS on the WRT in bridged/"router" mode?
2. If the answer to that question is, "must be at the router/isp" (sorry I don't know a better term to use), then is using the WRT as a wired router a better solution than going with something like a Ubiquiti Edgerouter 4?
3. Am I missing something in my thinking where you can push me to make this simpler? I don't want to spend any more money, especially if you think that there is a solution in my current hardware/software?
Thanks for your patience and for responding to all of us trying to figure this out. This is a really important function of this router and the reason I prefer DD-WRT over the rest. Thanks.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sun Dec 08, 2019 18:50 Post subject: Re: Is there a solution for a router set up as an access poi
Dexterity06 wrote:
A few clarifications:
1. I am running r40559 on WRT3200.
2. I am trying to create three separate subnets: 1 for wifi and wired computers and devices for general use, another for IOT devices and a third for guests/misc. I used your code in start-services, and the networking setup has br0 and br1, where I split off vlan3 and guest wireless onto br1 away from the rest.
3. You are right I am working off old instructions, as I am just returning to DD-WRT after a couple of years of using Asusmerlin with RT-AX88U.
The reason I am doing this is because for the life of me I cannot figure out how to do this on the AX88U but I like using it as a router. Because I don't really know how to create VLANs on that unit, I am back to trying to use the WRT3200 as the router for all my IOT devices, wired and wireless. That's why I am trying to use it in Access Point/Bridge mode. Thank you for the suggestions on the way to accomplish the isolation better. I will look into that.
More important, I am trying to decide if there is any advantage to going back to the WRT to use just as a wired router and letting the AX88U take care of the wireless across the house. I also like the increased power of the 88U and the idea of using just one system across the house. I really like the more open source environment of DDWRT and frankly miss this community. So, with all that said, I have these questions.
1. Where is the best place to create VLANs? Is it only at the router/ISP connection, or is there a scenario where you should originate VLANS on the WRT in bridged/"router" mode?
2. If the answer to that question is, "must be at the router/isp" (sorry I don't know a better term to use), then is using the WRT as a wired router a better solution than going with something like a Ubiquiti Edgerouter 4?
3. Am I missing something in my thinking where you can push me to make this simpler? I don't want to spend any more money, especially if you think that there is a solution in my current hardware/software?
Thanks for your patience and for responding to all of us trying to figure this out. This is a really important function of this router and the reason I prefer DD-WRT over the rest. Thanks.
Actually, you're working off old instructions because most of the posted dd-wrt instructions are old.
Re two-router solutions... there are many discussions in the Advanced Networking forum on it, and I don't think it's terribly complicated once you realize what to do. Guru and frequent poster egc is the go-to guy on this, so watch for his contributions, esp on wired LAN-LAN connections. I'd say more, but I have never done it and so have only rudimentary knowledge. I'm a one-router (at a time) guy.
Do be sure that VLANs are part of the answer and not the question itself. Rather than "How can I hook up my VLANs?" perhaps "How can I do different things with different LAN ports?" But the real question is why you want to? I had wired home stuff and wired office stuff I wanted isolated from each other to lower the risk of malware contagion. That was my driving factor.
One important point that people miss -- I certainly did at first -- is that everything on a VLAN (or on the LAN system before we split it) can see each other. So if you want some LAN ports to be fully isolated from everything else, each will need to be a separate, one-port VLAN. To avoid the startup race issues mentioned earlier by another poster, you'll probably need a bridge for each one as well, and that makes it all a bit of a pain. And I'm not sure how you set up a bridge to have one IP rather than a DHCP server. I think I've seen single-IP VLANs discussed online though, and I expect it would be similar with a bridge involved.
I just registered to thank you very much for your detailed guide. I have been looking around for months now and I was about to give up and buy a new router to support multiple VLANs when I found your thread.
Thanks everyone for the fantastic info and instructions you're providing in this thread.
It helped me assign VLAN ID to WAN port and connect my DD-WRT directly to my ISP's media converter, without having to use the ISP-provided router for VLAN tagging.
Here's my configuration in case it might help someone else.
Router: Linksys WRT3200ACM
DD-WRT build: 42872 (didn't work on older builds for me)
ISP internet VLAN: 100 (HT Croatian Telecom)
Startup commands:
Code:
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "6 0 1 2 3"
swconfig dev switch0 vlan 2 set ports "5 4t"
swconfig dev switch0 vlan 2 set vid 100
swconfig dev switch0 set apply