dual router configuration with shared private network

sneakypete
DD-WRT Novice


Joined: 31 May 2020
Posts: 32

Posted: Fri Jun 05, 2020 4:02    Post subject: dual router configuration with shared private network
I'd like to configure my home network with 2 routers (1 upstairs/1 downstairs), connected via ethernet, such that:

1) there are two networks:
(192.168.1.x) with less trusted devices (IoT)
(192.168.2.x) with more trusted devices

2) both routers have at least 1 ethernet port for each network.

3) both routers provide AP service for both networks:
- 2.4GHz/5GHz >> 192.168.1.x
- 2.4GHz/5GHz >> 192.168.2.x
and they share the same SSIDs so that devices can wander between routers, but stay on the same subnet.

4) isolate all traffic between networks

I've been testing with iptables, and while I feel like I can tackle this, it would be great to get some feedback on the plan.

I have been able to set up a second guest network (VAP), but when isolating the VAP to a second bridge with a 2nd DHCP, no device will connect due to an "incorrect password" issue. I have tried multiple devices, Android/iOS, next to the router, etc., and researched all related posts. I suspect it could be due to DNSmasq settings, but I've tried what I could find.
If you have a good workflow for that setup, that would be a good starting place. I've debugged for days :). Maybe I'm trying to do something I'm not supposed to?

thanks!


Last edited by sneakypete on Fri Jul 03, 2020 20:17; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5907
Location: Netherlands

Posted: Fri Jun 05, 2020 10:56
Unfortunately you did not come across the forum guidelines.
If you use them we can give you better advice.
A lot of things are device specific (like VLANs), thus it is really useful if you state the router model and the build number.
See my signature at the bottom for the forum guidelines :)

There is no one size fits all. You also mention wanting to use ethernet ports in your isolated network; in that case I would set up router 2 as a WAP:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point
Then use VLANs to make two separate networks across both routers, but like I said there are many approaches possible.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Fri Jun 05, 2020 18:42; edited 1 time in total
sneakypete
DD-WRT Novice


Joined: 31 May 2020
Posts: 32

Posted: Fri Jun 05, 2020 18:37
Thanks for responding.

Mea culpa - I did read the rules, but was afraid my post was getting too long, and thought this was more of a design issue than a hardware/firmware issue. But I get it. Sorry for not including it in the first place.

Can I get partial credit for the picture?

I have an ASUS RT-AC66U running 43290.
I also have a tp-link A7 v5. I don't believe dd-wrt will run on it, but openwrt is apparently supported. I haven't flashed it yet.

My plan was to figure out my plan, and then verify that I have the necessary features to accomplish my plan, before rendering my kids internet-less. I'm not tied to which router I use where, and hoped that there'd be enough features between the two of them to pull it off.

The WAP article is really clear. Thanks for the link.

I have tried the "secondary router on a separate subnet", but that just segments traffic to each router. I am trying to get both router/ap to support both networks for improved coverage, AND have the networks isolated.

I ran "nvram get wl0_corerev" on the ASUS - it was in the teens, so I apparently have support for WLANs.

I have been attempting to configure the VLAN/VAP on the ASUS, but it was operating in "gateway" mode. I think that may be what was causing the headaches. I will follow these AP instructions.

If router A (connected to WAN) is operating in gateway mode, and router B is operating in router mode, and A provides DHCP services to the LAN "192.168.1.x" (including router B), which router provides DHCP for the VLAN (192.168.2.x)?

thank you!
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 6903
Location: Texas, USA

Posted: Fri Jun 05, 2020 18:57
TP-Link Archer A7 v5 is supported by DD-WRT. It's not in the database or supported devices wiki yet, perhaps, but it is a fairly recently fixed new device support, just ask msoengineer...
_________________
Official Forum Rules, Guidelines, and Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware?
DON'T use Chromium-based browsers • RTFM/STFW - TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum.

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5698
Location: Akershus, Norway

Posted: Fri Jun 05, 2020 19:08
You have to connect the two routers with a tagged VLAN trunk that contains both sub-nets.

Here is dd-wrt fw for both of your routers.

ftp://ftp.dd-wrt.com/betas/2020/06-04-2020-r43334/tplink_archer-a7-v5/
ftp://ftp.dd-wrt.com/betas/2020/06-04-2020-r43334/asus-rt-ac66u/

VLAN is configured in the Switch Config Tab.
sneakypete
DD-WRT Novice


Joined: 31 May 2020
Posts: 32

Posted: Fri Jun 05, 2020 23:08
Per Yngve Berg wrote:
connect the two routers with a tagged VLAN trunk that contains both sub-nets


yeah, that's exactly what I was thinking ;)

Thanks, and excellent that both routers are supported. I'll research before installing/upgrading.

I now understand how the VLAN ui works... and wondered about tagging, and found a bunch of relevant posts. Time for more research.

Thank you!
sneakypete
DD-WRT Novice


Joined: 31 May 2020
Posts: 32

Posted: Wed Jul 01, 2020 19:43
Per Yngve Berg wrote:
connect the two routers with a tagged VLAN trunk that contains both sub-nets


I have the ASUS configured as the gateway, and the Archer configured as a router.
I am setting up 3 vlans on both, using bridges (br0, br1, br2) to assign ap/vaps to the vlans.

question1: Should the archer "router" be a DHCP forwarder? (assumed yes)

question2: I have DHCPD servers setup for the 2nd and 3rd vlans on the ASUS. Will br1 and br2 (for the 2nd/3rd vlans) on the archer also get DHCP forwarded? or do I need to setup multiple DHCPD servers on the archer, too?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5698
Location: Akershus, Norway

Posted: Wed Jul 01, 2020 20:07
You need one DHCP server for each sub-net.

DHCP forwarder is used when the server is not directly connected to the sub-net. I doubt you need this scenario.
sneakypete
DD-WRT Novice


Joined: 31 May 2020
Posts: 32

Posted: Wed Jul 01, 2020 22:45
I found that out. I expected that I only needed one DHCP per subnet, but wasn't sure how to configure that. It's "not" configuring that. :)

In networking-port setup, is the IP address in "Network Configuration br1 (and br2)" where the bridge gets "self assigned" to the subnet (for all the interfaces assigned to the bridge)? I just need to make that something out of the DHCP range, but in that subnet, correct?

Also, when connecting the two routers with a tagged VLAN trunk that contains both sub-nets, I was planning to use the WAN port of router#2 for the trunk. Should I also disable the WAN connection type and assign the WAN port to switch?

Thank you!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5907
Location: Netherlands

Posted: Thu Jul 02, 2020 5:54
This is a setup I once made; maybe it is helpful.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1185512

sneakypete
DD-WRT Novice


Joined: 31 May 2020
Posts: 32

Posted: Thu Jul 02, 2020 20:17
Thank you!

I've reviewed your page, and Mache's, and a few others. I have a much better understanding of the process/config and am going to implement it this weekend.

I would greatly appreciate a review of my design/config?

The attached image depicts my design for separating ports/wifi into 3 vlans (1, 5 & 6).
Following are my GUI Settings and NVRAM settings.
Also, Please verify that my tags should be assigned to the 3 vlans, not the bridges. thank you!

*******************

1) GUI Settings:
GATEWAY:
Switch Config/VLAN
vlan 1 - 4/tagged
vlan 2 - port W & 4/tagged
vlan 5 - ports 1, 2, 3, 4/tagged
vlan 6 - 4/tagged

VLAN Tagging
VLAN 0: vlan1 Tag: 1
VLAN 1: vlan5 Tag: 5
VLAN 2: vlan6 Tag: 6

Bridge assignments:
br0 vlan1 wl0.1 wl1.1
br1 vlan5 eth1 (wl0)
br2 vlan6 eth2 (wl1)

ROUTER:
Switch Config/VLAN
vlan 1 - port W/tagged
vlan 5 - port W/tagged & ports 1&2
vlan 6 - port W/tagged & ports 3&4

VLAN Tagging
VLAN 0: vlan1 Tag: 1
VLAN 1: vlan5 Tag: 5
VLAN 2: vlan6 Tag: 6

Bridge assignments:
br0 vlan1 ath0.1 ath1.1
br1 vlan5 ath0
br2 vlan6 ath1

2) NVRAM Settings

#*********************************
# NVRAM SETTINGS FOR GATEWAY (ASUS)
#*********************************

# set VLAN hw names
nvram set vlan1hwname=et0
nvram set vlan5hwname=et0
nvram set vlan6hwname=et0

# set vLANs
nvram set vlan1ports="4t 8*"
nvram set vlan2ports="0 8"
nvram set vlan5ports="1 2 3 4t 8"
nvram set vlan6ports="4t 8"

# set ports
nvram set port1vlans="5"
nvram set port2vlans="5"
nvram set port3vlans="5"
nvram set port4vlans="1 5 6 16"
nvram set port5vlans="1 2 5 6 16"

# commit changes
nvram commit && reboot


#*********************************
# NVRAM SETTINGS FOR ROUTER/WAP (ARCHER)
#*********************************

# set VLAN hw names
nvram set vlan1hwname=et0
nvram set vlan5hwname=et0
nvram set vlan6hwname=et0

# set vLANs
nvram set vlan1ports="0t 3 4 5*"
nvram unset vlan2ports
nvram set vlan5ports="0t 1 2 5"
nvram set vlan6ports="0t 5"

# set ports
nvram set port1vlans="5"
nvram set port2vlans="5"
nvram set port3vlans="1"
nvram set port4vlans="1"
nvram set port5vlans="1 2 5 6 16"

# commit changes
nvram commit && reboot
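
Added example, not part of the original post or of DD-WRT: a shell check for Broadcom-style vlanNports strings like the gateway values above. It flags a port that is untagged in more than one VLAN and a trunk port that carries untagged frames, both of which can leak traffic between the subnets. The function names, the CPU/trunk port arguments and the "leaky" sample are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit Broadcom-style vlanNports strings for VLAN leaks.
# Assumptions: a "t" suffix marks a tagged member, "*" marks the default
# VLAN on the CPU port; CPU and trunk port numbers are given by the caller.

# check_vlan_ports CPU_PORT TRUNK_PORT  < lines of vlanNports=<list>
# Prints one finding per line; returns 0 if clean, 1 otherwise.
check_vlan_ports() {
    awk -v cpu="$1" -v trunk="$2" '
    /^vlan[0-9]+ports=/ {
        vid = $0; sub(/ports=.*/, "", vid); sub(/^vlan/, "", vid)
        list = substr($0, index($0, "=") + 1); gsub(/"/, "", list)
        n = split(list, p, " ")
        for (i = 1; i <= n; i++) {
            port = p[i]; sub(/\*$/, "", port)
            tagged = sub(/t$/, "", port)
            if (port == cpu || tagged) continue   # CPU port and tagged members are fine
            if (port in untag) {                  # untagged in a second VLAN
                printf "LEAK: port %s untagged in vlan%s and vlan%s\n", port, untag[port], vid
                bad = 1
            } else untag[port] = vid
        }
    }
    END {
        if (trunk in untag) {                     # trunk must carry tagged frames only
            printf "LEAK: trunk port %s untagged in vlan%s\n", trunk, untag[trunk]
            bad = 1
        }
        exit bad + 0
    }'
}

# Gateway (ASUS) values as posted in the thread.
gateway_cfg() {
    printf '%s\n' 'vlan1ports="4t 8*"' 'vlan2ports="0 8"' \
        'vlan5ports="1 2 3 4t 8"' 'vlan6ports="4t 8"'
}

# Constructed bad variant: port 3 untagged in two VLANs, trunk untagged in vlan1.
leaky_cfg() {
    printf '%s\n' 'vlan1ports="4 8*"' 'vlan5ports="1 2 3 4t 8"' 'vlan6ports="3 4t 8"'
}

gateway_cfg | check_vlan_ports 8 4 && echo "gateway: no untagged overlap"
leaky_cfg | check_vlan_ports 8 4 || echo "leaky: isolation broken"
```

On a live Broadcom unit the input could come from the output of nvram show filtered to the vlanNports lines.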
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5698
Location: Akershus, Norway

Posted: Fri Jul 03, 2020 3:33
Nice, except that the Archer C7 is an Atheros, not Broadcom. On Atheros the vlan id is set using the swconfig utility instead of nvram variables.

See examples in the Atheros forum.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 6903
Location: Texas, USA

Posted: Fri Jul 03, 2020 4:03
Please familiarize yourself with the rules about image sizes. I fixed it for you... this time.

Here's the thread about doing VLANs on the R7800 that might be helpful:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313472

sneakypete
DD-WRT Novice


Joined: 31 May 2020
Posts: 32

Posted: Fri Jul 03, 2020 4:12
kernel-panic69 wrote:
Please familiarize yourself with the rules about image sizes. I fixed it for you... this time.


sorry - I should have checked that. thanks.
sneakypete
DD-WRT Novice


Joined: 31 May 2020
Posts: 32

Posted: Fri Jul 03, 2020 6:29
Per Yngve Berg wrote:
On Atheros vlan id set using the swconfig utility instead of nvram variables.


Found a few examples. swconfig looks similar to the vlan/ports nvram setting. Does it also handle the other nvram settings (i.e. nvram vlanXhwname and portXvlans)?

when I ran:
nvram show | grep 'vlan.*ports' | sort
nvram show | grep 'vlan.*hwname' | sort
nvram show | grep 'port.*vlans' | sort

I got similar "initial" output for both routers. Does Atheros just use swconfig to set the values but the final result should be as listed?

Also, I only have bridges configured with ip addresses on the Asus gateway (the vlans are not configured with an IPAddress). Is this the same on the Atheros router? Does this line "ifconfig vlan7 192.168.7.1 /24" set a specific IPAddress for the vlan, or is it assigning the vlan to the 192.168.7 subnet?