VLAN success on WRT1900ACSv2, WRT3200ACM, et al.

TheDude1864
DD-WRT Novice


Joined: 26 Jan 2012
Posts: 6

Posted: Wed May 15, 2019 2:04    Post subject: updated my setup
I expanded on my idea for simplifying the WAN vlan, and I did the same thing on the LAN side. You can send tagged and untagged packets to a single port. If we apply this to the LAN cpu port you can continue to use eth1 for your main network.

My "swconfig dev switch0 show" now looks like this:
Code:

Global attributes:
   enable_vlan: 1
Port 0:
   mask: 0x0000: (0)
   qmode: 3
   pvid: 0
   link: port:0 link:up speed:1000baseT full-duplex
Port 1:
   mask: 0x0000: (1)
   qmode: 3
   pvid: 1
   link: port:1 link:up speed:1000baseT full-duplex
Port 2:
   mask: 0x0000: (2)
   qmode: 3
   pvid: 1
   link: port:2 link:up speed:100baseT full-duplex
Port 3:
   mask: 0x0000: (3)
   qmode: 3
   pvid: 1
   link: port:3 link:up speed:1000baseT full-duplex
Port 4:
   mask: 0x0000: (4)
   qmode: 3
   pvid: 2
   link: port:4 link:up speed:1000baseT full-duplex
Port 5:
   mask: 0x0000: (5)
   qmode: 3
   pvid: 2
   link: port:5 link:up speed:1000baseT full-duplex
Port 6:
   mask: 0x0000: (6)
   qmode: 3
   pvid: 1
   link: port:6 link:up speed:1000baseT full-duplex
VLAN 1:
   port_based: 0
   vid: 1
   ports: 0t 1 2 3 6
VLAN 2:
   port_based: 0
   vid: 2
   ports: 4 5
VLAN 3:
   port_based: 0
   vid: 3
   ports: 0t 6t
VLAN 4:
   port_based: 0
   vid: 4
   ports: 0t 6t


The main change here is with vlan1. Instead of sending tagged vlan1 packets to port 6, I send untagged. Untagged port 6 is eth1. Now, just like vlan2 with the WAN connection, vlan1 is not needed as an interface in the router. It's only needed in the switch to route traffic.

My bridge config now looks like this:

Bridge Name STP Interface
br0 no ath0 ath1 ath2 eth1
br1 no vlan3
br2 no vlan4

and my startup script:

Code:

swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "6 0t 1 2 3"
swconfig dev switch0 vlan 2 set ports "5 4"
swconfig dev switch0 vlan 3 set ports "6t 0t"
swconfig dev switch0 vlan 4 set ports "6t 0t"
swconfig dev switch0 set apply

vconfig set_name_type VLAN_PLUS_VID_NO_PAD

vconfig add eth1 3
vconfig add eth1 4

ifconfig vlan3 up
ifconfig vlan4 up

brctl addif br1 vlan3
brctl addif br2 vlan4

(stopservice wan;startservice wan) 2>&1 | logger -t startup[$$]


These changes made the startup script much simpler, and basically set most settings back to default. Also, port 0 is still my trunk port that carries traffic for multiple vlans.

Everything seems to be working.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Fri May 17, 2019 15:37
My last post incorporated TheDude1864's simpler approach to the WAN into my configuration. Here I go further and incorporate his simpler eth1 approach as well. The new editing steps for the Startup commands in Administration>Commands are

A. Change "6t 2 3" to "6 2 3" in the swconfig command.
B. Remove the vconfig and ifconfig lines for vlan 1.
C. Remove the brctl add line for vlan1
D. Remove the brctl del line for eth1

The changes from both posts leave the Startup code greatly simplified and looking like this:
Code:
#split the LAN on the port 6 cpu into eth1 (untagged) and vlan3 (tagged)
   swconfig dev switch0 set reset 1
   swconfig dev switch0 set enable_vlan 1
   #vlans 1 and 2 connect eth1 and eth0 to the correct ports
      swconfig dev switch0 vlan 1 set ports "6 2 3"
      swconfig dev switch0 vlan 2 set ports "5 4"
   #a new vlan 3 interface will handle the remaining ports
      swconfig dev switch0 vlan 3 set ports "6t 0 1"
   swconfig dev switch0 set apply
   vconfig set_name_type VLAN_PLUS_VID_NO_PAD
   vconfig add eth1 3
   ifconfig vlan3 up
   brctl addif br1 vlan3

Note that there is no need, at least on BS release 39144 for the WRT1900ACSv2, to restart the wan.

In Setup>Networking the WAN port is eth0, and the bridging table looks like this:

br0 no ath1 eth1
br1 no ath1.2 vlan3


Thanks again, TheDude1864, for the excellent upgrade to this thread's project!

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
delacosta456
DD-WRT Novice


Joined: 11 Mar 2010
Posts: 5

Posted: Wed Jul 03, 2019 12:55    Post subject: My physical port 4 on WRT3200 doesn't receive ip from DHCP
Hi,
Very many thanks to all for their effort on the work that has been done.

By the way, after using @TheDude1864's simplified startup script my physical port4 doesn't receive an IP from DHCP. Even when I set it manually nothing happens. Is that the expected behavior after the startup script?
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Thu Jul 04, 2019 18:28    Post subject: Re: My physical port 4 on WRT3200 doesn't receive ip from D
delacosta456 wrote:
Hi,
Very many thanks to all for their effort on the work that has been done.

By the way, after using @TheDude1864's simplified startup script my physical port4 doesn't receive an IP from DHCP. Even when I set it manually nothing happens. Is that the expected behavior after the startup script?


See TheDude1864's original post in this thread, dated Mon May 13, 2019 10:38 for this:

TheDude1864 wrote:
Also, just a side note. I connect all of my vlans to bridges. The reason for this is the DHCP service. Much like how the WAN service has to be restarted after configuration, so does a DHCP service on a vlan that won't exist until after the startup script has run. By assigning my vlans to a bridge and then setting up DHCP on the bridge there is no need for any service restarts in the script. The DHCP service starts and attaches to the bridge, and you're good to go.


(I also have each multi-LAN-port vlan associated with a bridge.)

delacosta456
DD-WRT Novice


Joined: 11 Mar 2010
Posts: 5

Posted: Tue Jul 30, 2019 1:46    Post subject: About new Switch Config TAB
Hi,
I just upgraded my firmware to the latest release and there is now a "Switch Config" tab to configure VLANs.

However, I don't know where to start.

Can somebody help, please?

Thanks
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Tue Sep 03, 2019 15:00    Post subject: Re: About new Switch Config TAB
delacosta456 wrote:
Hi,
I just upgraded my firmware to the latest release and there is now a "Switch Config" tab to configure VLANs.

However, I don't know where to start.

Can somebody help, please?

Thanks

Sorry about the slow response, but I only just now got onto a release new enough to have this new tab.

Based on what I'm seeing checked in that tab, it seems it has zero to do with a swconfig setup like we use and likely everything to do with the old, Broadcom-specific nvram setup I talk about briefly at the beginning of this thread. I don't think we can use this new tab in any way.

The good news is that the VLAN setup we've developed in this thread seems to have worked great for me in 36698, 37736, 38169, 39144, 40009, and 40784. I've never been forced by an upgrade to make any changes.

Dexterity06
DD-WRT User


Joined: 07 Apr 2016
Posts: 59

Posted: Sat Dec 07, 2019 9:32    Post subject: Is there a solution for a router set up as an access point?
Hey there. I am so glad to have found this thread, as I have this up and working as a router connected in double NAT on my LAN. However, I am wondering if there is a better way to set this up in access point mode. I am following the instructions below to successfully create the bridged access point with a guest wireless network, and when I paste the VLAN code in the startup commands, the "swconfig dev switch0 show" output is right, but I cannot connect to the internet from ports 1 and 2, which are on VLAN 3. What did I miss?
===========================

Guest Network on Bridge:

Configure AP + Guest
reset router to factory defaults
Setup / Basic Setup
Connection Type Disabled
Assign WAN Port to Switch >>>check
Local IP Address 192.168.1.3 (assuming your main network is on the 192.168.1.0 subnet and this IP isn't being used)
Subnet Mask >>> 255.255.255.0
Gateway >>> IP of router connected to internet
Local DNS >>> IP of router connected to internet
DHCP Server >>> disabled
Uncheck Use DNSMasq for DHCP
Uncheck Use DNSMasq for DNS
Save
wait 15 seconds click Apply

You can now connect by network cable to a LAN port within your network and access at its 192.168.1.3 IP.
Setup / Advanced Routing
Operating Mode >>> Router

Wireless / Basic Settings
add VAP
Save
wait 15 seconds click Apply (in this order or it won't show)

Setup / Networking
create bridge (br1)
Save
wait 15 seconds click Apply
put in IP address for br1 >>> 192.168.2.1
subnet mask for br1 >>> 255.255.255.0
Save
wait 15 seconds click Apply
wait 30 seconds
add Assign to Bridge ( br1 to wl0.1)
Save
wait 15 seconds click Apply

Services >>> under DNSMasq
disable all but DNSMasq
in Additional DNSMasq Options (copy/paste)

Code:
interface=br1
dhcp-option=br1,3,192.168.2.1
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h

or use DHCPD

Save
wait 15 seconds click Apply

Administration / Commands (copy/paste)

Code:
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -d DDWRT_LAN_IP_ADDR -m state --state NEW -j DROP
iptables -I INPUT -i br1 -d BR1_IP_ADDR -m state --state NEW -j DROP
iptables -I INPUT -i br1 -d BR1_IP_ADDR -p udp --dport 53 -j ACCEPT


click Save Firewall

Anyone connected to the VAP (wl0.1) can access the internet but are restricted from anything on 192.168.1.0
You can add additional firewall rules if you want access to a specific device on main network from guest network.

_________________
WRT3200ACM x2 presently running LEDE.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Sat Dec 07, 2019 17:46    Post subject: Re: Is there a solution for a router set up as an access poi
Dexterity06 wrote:
Hey there. I am so glad to have found this thread, as I have this up and working as a router connected in double NAT on my LAN. However, I am wondering if there is a better way to set this up in access point mode. I am following the instructions below to successfully create the bridged access point with a guest wireless network, and when I paste the VLAN code in the startup commands, the "swconfig dev switch0 show" output is right, but I cannot connect to the internet from ports 1 and 2, which are on VLAN 3. What did I miss?

I'm not 100% confident that I follow all the details in your setup, but I'm not sure that matters, since you say that other things are working.

What strikes me is that you haven't said what your purpose is in splitting off two of the lan ports into vlan3. You don't need a bridge for a VAP unless you plan to bridge something else to it, like say vlan3. So is that the intent? You don't indicate any assignment of vlan3 to a bridge. (If you bridge vlan3 with your guest network, you can't fully isolate guests from each other, as vlan3 clients will be able to see each other and any guest-wifi client, and vice versa. AP isolation on the guest wifi will keep wifi guests from seeing each other, but that's the only inter-guest isolation you'll have.) What does the current bridging table under GUI>Setup>Networking look like?

You also don't say what dd-wrt build you are running.

It strikes me from your details that you may be working off very old instructions. If your build is not ancient (and maybe even if it is), you can go into GUI>Setup>Networking, find the br1 section near the bottom, check Net Isolation, and it will create firewall rules to isolate br0 and br1 from each other. You won't need to do that by hand in the Firewall section.

I'm also fuzzy on why you have the SNAT rule there for br0. Isn't that taken care of automatically? (I'm not sure... you tell me.) Did you check the current firewall rules to see what's there before adding new ones? Take a look at iptables -t nat -vnL POSTROUTING to hunt for nat rules and (iptables -vnL FORWARD) to hunt for isolation rules.

And have you checked the firewall after your iptables commands are executed to see if the corresponding rules were created? Generally if you format a nonsense rule, iptables will do nothing and give you no clue that it did nothing. Part of what makes me wonder is seeing DDWRT_LAN_IP_ADDR and BR1_IP_ADDR in those rules. Are you substituting actual IP addresses there yourself? Those names will certainly not do it for you.

Forgive me if I mistarget your level of background here. I definitely haven't zeroed in on it yet!

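One way to carry out the checks suggested in the reply above before relying on those five rules, as an added example that is not from any poster in this thread: the placeholders are replaced by validated addresses and each rule's exit status is logged. The function names and the `RUN` dry-run variable are hypothetical, and the default addresses are the ones used in the quoted instructions (192.168.1.3 and 192.168.2.1).

```shell
#!/bin/sh
# Added example (not from the thread): fill in the guest-network rules with
# real addresses and report any rule that iptables rejects.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255,
# so a leftover placeholder such as BR1_IP_ADDR is refused.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the five rules from the quoted instructions with addresses filled in.
# $1 = LAN IP of this router, $2 = LAN netmask, $3 = IP address of br1.
guest_rules() {
    for addr in "$1" "$2" "$3"; do
        is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 1; }
    done
    cat <<EOF
iptables -I FORWARD -i br1 -d $1/$2 -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $1
iptables -I INPUT -i br1 -d $1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -d $3 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -d $3 -p udp --dport 53 -j ACCEPT
EOF
}

# Runs each rule and logs the ones that fail; returns the failure count.
# RUN is a hypothetical prefix for dry runs, e.g. RUN=echo.
apply_rules() {
    rules=$(guest_rules "$@") || return 255
    failed=0
    while IFS= read -r rule; do
        if ! ${RUN:-} $rule </dev/null >/dev/null 2>&1; then
            logger -t guest-fw "FAILED: $rule" 2>/dev/null ||
                echo "FAILED: $rule" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$rules
EOF
    return "$failed"
}

# "--apply BR1_IP" installs the rules using the router's own nvram values;
# with no arguments the rules for the thread's addresses are only printed.
if [ "${1:-}" = "--apply" ]; then
    apply_rules "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)" "${2:-}"
else
    guest_rules 192.168.1.3 255.255.255.0 192.168.2.1
fi
```

After applying, the listings mentioned in the reply (iptables -vnL FORWARD and iptables -t nat -vnL POSTROUTING) show whether the rules are in place.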
halastrion
DD-WRT Novice


Joined: 17 Jan 2010
Posts: 30
Location: Denver Colorado

Posted: Sat Dec 07, 2019 22:56
SurprisedItWorks wrote:
Hello Javier,

Don't worry about your English. Mi español es muy mal.

I don't know how I can help though. I'm not a networking expert and don't even know what "trunk mode" is. My little project in the first post here was really about splitting the LAN ports and nothing else.

I wish you luck though.


Surprised this works.

Thanks for the post, it's amazing the amount of detailed work you have done putting this together. I would like to use your design to create two vlans on my WRT3200ACM (build 40559 flashed yesterday).

I ultimately want to bind one Vlan to OpenVPN and CyberGhost for VPN protection and leave the other open to the less filtered internet for my web server, Netflix and being able to VPN into customer sites.

- - - Relative to a Post you made in response to Javier

I'm not a networking expert either but do end up working with Cisco switches at work.

Not sure if it's still a question but a "Trunk" is when you bundle more than one vlan into a single port. Sometimes all of them are tagged, alternatively one of them is not tagged and the others are all tagged.

The untagged vlan in a "Trunk" is called the "Native Vlan" at least in Cisco speak. Trunks are typically used to make connections between switches or access points.

If you have multiple SSIDs you can send a Trunk to the AP and map each VLan to a different SSID. If it's switch to switch by default it will send all Vlans across in a trunk (1 to 4094) but you can limit that expressly if you want to limit traffic across a link (typically a good idea).

The Cisco commands would look something like this.

Interface G1/1
Switchport mode Trunk
Switchport Trunk Native Vlan 3
Switchport Trunk Allowed Vlan 3,4,5,6

The above command would generate a trunk port bundling vlans 3, 4, 5 & 6, leaving vlan 3 as untagged (typically this would be the management VLan). Alternatively you could just issue the command.

Interface G1/2
Switchport mode Trunk

This would allow all tagged traffic to traverse the link (vlans 1-4094) and would have a native vlan of 1 included implicitly.

Both sides of the switch have to have the same Native Vlan (It's Vlan 1 by default if you don't specify it, though Cisco best practice recommends that you change it and never use Vlan1 at all because it is the default for so many things). The switches use the Native Vlan to talk to each other and you can use it as well for management or other purposes.

If the native vlans are different the switches still see each other because they are both using untagged traffic but it generates a "Native Vlan Mismatch error" and causes problems.

The other option would be to create an "Access Port." An access port is a port with only one untagged vlan on it. The command would look like this.

Interface g1/3
Switchport Mode Access
Switchport access Vlan 4



John.
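The access / trunk / native-VLAN distinction explained in the post above, applied to the switch table TheDude1864 posted earlier in this thread. This is an added example, not code from any poster; the names `audit_switch` and `thread_config` and the warning labels are made up here, and it assumes the `swconfig dev switch0 show` layout seen in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify each switch port as access,
# trunk, or trunk with a native VLAN from `swconfig dev switch0 show` output.

# Reads the `show` text on stdin and prints one line per port:
#   port N ROLE pvid=P untagged=VIDS tagged=VIDS [WARN:...]
audit_switch() {
    awk '
    function append(list, v) { return (list == "") ? v : list "," v }
    function note(p) { seen[p] = 1; if (p > maxport) maxport = p }

    /^Port [0-9]+:/ { sect = "port"; cur = $2 + 0; note(cur); next }
    /^VLAN [0-9]+:/ { sect = "vlan"; vid = ""; next }
    sect == "port" && $1 == "pvid:" { pvid[cur] = $2; next }
    sect == "vlan" && $1 == "vid:"  { vid = $2; next }
    sect == "vlan" && $1 == "ports:" {
        for (i = 2; i <= NF; i++) {
            p = $i + 0                  # "0t" and "0" both mean port 0
            note(p)
            if ($i ~ /t$/) {
                tagged[p] = append(tagged[p], vid)
            } else {
                untagged[p] = append(untagged[p], vid)
                nuntag[p]++
            }
        }
    }
    END {
        for (p = 0; p <= maxport; p++) {
            if (!(p in seen)) continue
            u = untagged[p]; t = tagged[p]
            if (t != "" && u != "") { role = "trunk+native" }
            else if (t != "")       { role = "trunk" }
            else if (u != "")       { role = "access" }
            else                    { role = "unused" }
            # A port can send only one VLAN untagged, and untagged frames
            # arriving on it are placed in the pvid VLAN, so the two
            # should agree.
            warn = ""
            if (nuntag[p] > 1) {
                warn = " WARN:untagged-in-multiple-vlans"
            } else if (nuntag[p] == 1 && (pvid[p] "") != (u "")) {
                warn = " WARN:pvid-mismatch"
            }
            printf "port %d %s pvid=%s untagged=%s tagged=%s%s\n", p, role,
                (pvid[p] == "" ? "?" : pvid[p]),
                (u == "" ? "-" : u), (t == "" ? "-" : t), warn
        }
    }'
}

# The table TheDude1864 posted in this thread, abbreviated
# (mask, qmode and link lines dropped).
thread_config() {
    cat <<'EOF'
Port 0:
   pvid: 0
Port 1:
   pvid: 1
Port 2:
   pvid: 1
Port 3:
   pvid: 1
Port 4:
   pvid: 2
Port 5:
   pvid: 2
Port 6:
   pvid: 1
VLAN 1:
   vid: 1
   ports: 0t 1 2 3 6
VLAN 2:
   vid: 2
   ports: 4 5
VLAN 3:
   vid: 3
   ports: 0t 6t
VLAN 4:
   vid: 4
   ports: 0t 6t
EOF
}

# On the router: swconfig dev switch0 show | sh audit.sh --stdin
if [ "${1:-}" = "--stdin" ]; then audit_switch; else thread_config | audit_switch; fi
```

For that table, port 0 comes out as a pure trunk (VLANs 1, 3 and 4 all tagged) and port 6 as a trunk whose native VLAN is 1, which is the untagged eth1 side described in the first post on this page.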
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Sun Dec 08, 2019 0:10
Hi John... Thanks for the education! And for the kind words re the VLAN effort. Yes indeed, it was a bit of a project!

I assume you looked at the Marvell new-build thread for 40559? My notes point to it needing two Apply steps sometimes on the OpenVPN page in order to get the VPN to start up. The one router I run on a build of similar vintage (40784) should have the same behavior, but I find I actually need a reboot if I change anything in OpenVPN. So just be aware.

Cheers...

Dexterity06
DD-WRT User


Joined: 07 Apr 2016
Posts: 59

Posted: Sun Dec 08, 2019 14:26    Post subject: Re: Is there a solution for a router set up as an access poi
SurprisedItWorks wrote:
Dexterity06 wrote:
Hey there. I am so glad to have found this thread, as I have this up and working as a router connected in double NAT on my LAN. However, I am wondering if there is a better way to set this up in access point mode. I am following the instructions below to successfully create the bridged access point with a guest wireless network, and when I paste the VLAN code in the startup commands, the "swconfig dev switch0 show" output is right, but I cannot connect to the internet from ports 1 and 2, which are on VLAN 3. What did I miss?

I'm not 100% confident that I follow all the details in your setup, but I'm not sure that matters, since you say that other things are working.

What strikes me is that you haven't said what your purpose is in splitting off two of the lan ports into vlan3. You don't need a bridge for a VAP unless you plan to bridge something else to it, like say vlan3. So is that the intent? You don't indicate any assignment of vlan3 to a bridge. (If you bridge vlan3 with your guest network, you can't fully isolate guests from each other, as vlan3 clients will be able to see each other and any guest-wifi client, and vice versa. AP isolation on the guest wifi will keep wifi guests from seeing each other, but that's the only inter-guest isolation you'll have.) What does the current bridging table under GUI>Setup>Networking look like?

You also don't say what dd-wrt build you are running.

It strikes me from your details that you may be working off very old instructions. If your build is not ancient (and maybe even if it is), you can go into GUI>Setup>Networking, find the br1 section near the bottom, check Net Isolation, and it will create firewall rules to isolate br0 and br1 from each other. You won't need to do that by hand in the Firewall section.

I'm also fuzzy on why you have the SNAT rule there for br0. Isn't that taken care of automatically? (I'm not sure... you tell me.) Did you check the current firewall rules to see what's there before adding new ones? Take a look at iptables -t nat -vnL POSTROUTING to hunt for nat rules and (iptables -vnL FORWARD) to hunt for isolation rules.

And have you checked the firewall after your iptables commands are executed to see if the corresponding rules were created? Generally if you format a nonsense rule, iptables will do nothing and give you no clue that it did nothing. Part of what makes me wonder is seeing DDWRT_LAN_IP_ADDR and BR1_IP_ADDR in those rules. Are you substituting actual IP addresses there yourself? Those names will certainly not do it for you.

Forgive me if I mistarget your level of background here. I definitely haven't zeroed in on it yet!


Thank you for this reply and for this thread. I also agree that this has given me a real chance to dig deeper into VLANs in a way I have not been able to before. I am certainly a novice, but I am learning through the process. A few clarifications:

1. I am running r40559 on WRT3200.
2. I am trying to create three separate subnets: 1 for wifi and wired computers and devices for general use, another for IOT devices and a third for guests/misc. I used your code in start-services, and the networking setup has br0 and br1, where I split off vlan3 and guest wireless onto br1 away from the rest.
3. You are right I am working off old instructions, as I am just returning to DD-WRT after a couple of years of using Asusmerlin with RT-AX88U.

The reason I am doing this is because for the life of me I cannot figure out how to do this on the AX88U but I like using it as a router. Because I don't really know how to create VLANS on that unit, I am back to trying to use the WRT3200 as the router for all my IOT devices, wired and wireless. That's why I am trying to use it in Access Point/Bridge mode. Thank you for the suggestions on the way to accomplish the isolation better. I will look into that.

More important, I am trying to decide if there is any advantage to going back to the WRT to use just as a wired router and letting the AX88U take care of the wireless across the house. I also like the increased power of the 88U and the idea of using just one system across the house. I really like the more open source environment of DDWRT and frankly miss this community. So, with all that said, I have these questions.

1. Where is the best place to create VLANs? Is it only at the router/ISP connection, or is there a scenario where you should originate VLANS on the WRT in bridged/"router" mode?

2. If the answer to that question is, "must be at the router/isp" (sorry I don't know a better term to use), then is using the WRT as a wired router a better solution than going with something like a Ubiquiti Edgerouter 4?

3. Am I missing something in my thinking where you can push me to make this simpler? I don't want to spend any more money, especially if you think that there is a solution in my current hardware/software?

Thanks for your patience and for responding to all of us trying to figure this out. This is a really important function of this router and the reason I prefer DD-WRT over the rest. Thanks.

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Sun Dec 08, 2019 18:50    Post subject: Re: Is there a solution for a router set up as an access poi
Dexterity06 wrote:
A few clarifications:

1. I am running r40559 on WRT3200.
2. I am trying to create three separate subnets: 1 for wifi and wired computers and devices for general use, another for IOT devices and a third for guests/misc. I used your code in start-services, and the networking setup has br0 and br1, where I split off vlan3 and guest wireless onto br1 away from the rest.
3. You are right I am working off old instructions, as I am just returning to DD-WRT after a couple of years of using Asusmerlin with RT-AX88U.

The reason I am doing this is because for the life of me I cannot figure out how to do this on the AX88U but I like using it as a router. Because I don't really know how to create VLANS on that unit, I am back to trying to use the WRT3200 as the router for all my IOT devices, wired and wireless. That's why I am trying to use it in Access Point/Bridge mode. Thank you for the suggestions on the way to accomplish the isolation better. I will look into that.

More important, I am trying to decide if there is any advantage to going back to the WRT to use just as a wired router and letting the AX88U take care of the wireless across the house. I also like the increased power of the 88U and the idea of using just one system across the house. I really like the more open source environment of DDWRT and frankly miss this community. So, with all that said, I have these questions.

1. Where is the best place to create VLANs? Is it only at the router/ISP connection, or is there a scenario where you should originate VLANS on the WRT in bridged/"router" mode?

2. If the answer to that question is, "must be at the router/isp" (sorry I don't know a better term to use), then is using the WRT as a wired router a better solution than going with something like a Ubiquiti Edgerouter 4?

3. Am I missing something in my thinking where you can push me to make this simpler? I don't want to spend any more money, especially if you think that there is a solution in my current hardware/software?

Thanks for your patience and for responding to all of us trying to figure this out. This is a really important function of this router and the reason I prefer DD-WRT over the rest. Thanks.

Actually, you're working off old instructions because most of the posted dd-wrt instructions are old.

Re two-router solutions... there are many discussions in the Advanced Networking forum on it, and I don't think it's terribly complicated once you realize what to do. Guru and frequent poster egc is the go-to guy on this, so watch for his contributions, esp on wired LAN-LAN connections. I'd say more, but I have never done it and so have only rudimentary knowledge. I'm a one-router (at a time) guy.

Do be sure that VLANs are part of the answer and not the question itself. Rather than "How can I hook up my VLANs?" perhaps "How can I do different things with different LAN ports?" But the real question is why you want to? I had wired home stuff and wired office stuff I wanted isolated from each other to lower the risk of malware contagion. That was my driving factor.

One important point that people miss -- I certainly did at first -- is that everything on a VLAN (or on the LAN system before we split it) can see each other. So if you want some LAN ports to be fully isolated from everything else, each will need to be a separate, one-port VLAN. To avoid the startup race issues mentioned earlier by another poster, you'll probably need a bridge for each one as well, and that makes it all a bit of a pain. And I'm not sure how you set up a bridge to have one IP rather than a DHCP server. I think I've seen single-IP VLANs discussed online though, and I expect it would be similar with a bridge involved.

healthyboy
DD-WRT Novice


Joined: 09 Apr 2020
Posts: 1

Posted: Thu Apr 09, 2020 16:50
I just registered to thank you very much for your detailed guide. I have been looking around for months now and I was about to give up and buy a new router to support multiple VLANs when I found your thread.

You're a life saver!
Brum27
DD-WRT Novice


Joined: 28 Apr 2009
Posts: 1

Posted: Sun Apr 12, 2020 11:25
Thanks everyone for the fantastic info and instructions you're providing in this thread.

It helped me assign VLAN ID to WAN port and connect my DD-WRT directly to my ISP's media converter, without having to use the ISP-provided router for VLAN tagging.

Here's my configuration in case it might help someone else.

Router: Linksys WRT3200ACM
DD-WRT build: 42872 (didn't work on older builds for me)
ISP internet VLAN: 100 (HT Croatian Telecom)


Startup commands:
Code:
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "6 0 1 2 3"
swconfig dev switch0 vlan 2 set ports "5 4t"
swconfig dev switch0 vlan 2 set vid 100
swconfig dev switch0 set apply


Output for swconfig dev switch0 show:
Code:
Global attributes:
        enable_vlan: 1
Port 0:
        mask: 0x0000: (0)
        qmode: 3
        pvid: 1
        link: port:0 link:up speed:1000baseT full-duplex
Port 1:
        mask: 0x0000: (1)
        qmode: 3
        pvid: 1
        link: port:1 link:up speed:1000baseT full-duplex
Port 2:
        mask: 0x0000: (2)
        qmode: 3
        pvid: 1
        link: port:2 link:up speed:1000baseT full-duplex
Port 3:
        mask: 0x0000: (3)
        qmode: 3
        pvid: 1
        link: port:3 link:up speed:1000baseT full-duplex
Port 4:
        mask: 0x0000: (4)
        qmode: 3
        pvid: 0
        link: port:4 link:up speed:1000baseT full-duplex
Port 5:
        mask: 0x0000: (5)
        qmode: 3
        pvid: 100
        link: port:5 link:up speed:1000baseT full-duplex
Port 6:
        mask: 0x0000: (6)
        qmode: 3
        pvid: 1
        link: port:6 link:up speed:1000baseT full-duplex
VLAN 1:
        port_based: 0
        vid: 1
        ports: 0 1 2 3 6
VLAN 2:
        port_based: 0
        vid: 100
        ports: 4t 5
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Fri Sep 02, 2022 16:04
Retired to Marvell forum FAQ – README and unstuck
_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)