Posted: Thu Sep 03, 2020 4:32 Post subject: DD-WRT AP & VLANs
I used DD-WRT for a long time and then I switched to using pfSense as my router and since then I have been using my Netgear WNR3500L with DD-WRT as an AP. I followed this guide to disable the routing features in DD-WRT and use it solely as an AP. I also set the WAN port as a switch port as per the guide.
I have the DD-WRT v24-sp2 (03/25/13) vpn - build 21061 firmware installed on it.
I currently use the AP for all my wireless devices. I wanted to now add some VLANs for Cameras, IOT and Guest networks. All these VLANs will also have at least 1 wireless device: 2 wireless doorbell cameras on the Camera VLAN, Roku, Chromecast & TV on the IOT VLAN and of course Guest Wifi for visiting guests.
I have already created these VLANs in my pfSense router and my Cisco 3750X managed switch.
My DD-WRT AP is connected to the switch via switch port 7.
Does my port 7 on the Cisco switch have to be a trunk port -- in order to transfer traffic from all VLANs to the AP?
Or can I keep the VLANs on physically separate ports by connecting AP ports 1-4 to 4 different switch ports?
Does DD-WRT only support 15 VLANs, as I only see 15 rows on the Setup--> VLANs page?
How would I set up VLAN10 (Camera), VLAN11 (IOT) & VLAN15 (Guest) on DD-WRT such that the VLANs cannot talk to each other but they can communicate with some servers on my main LAN? See below requirements for VLANs
should I create a separate wireless SSID for every VLAN? Or can the same SSID differentiate between traffic from the various VLANs?
How would it know to assign the correct IP address to the devices based on which VLAN they should belong to, when they connect to the AP?
Camera VLAN should only be able to save videos to NVR on main LAN and no access to any other network including the internet.
IOT VLAN should be able to access my media server on the main LAN and access the internet for Netflix etc.
Guest network should not be able to access any other network/VLAN except the internet.
Understand that dealing w/ vlans (and vlan tagging) can get complicated, depending on just how complex a scenario you intend to create. And vlans are hardware specific, which makes compatibility between different hardware sometimes an issue. So rather than get too deep into the specifics, let me answer your questions w/ the understanding that I'm providing a high level, conceptual view rather than offering specific details.
Quote:
Does my port 7 on the Cisco switch have to be a trunk port -- in order to transfer traffic from all VLANs to the AP?
Doesn't matter which port you use as the trunk port on either side, you just have to make sure that whichever port you use, you tag the port w/ all the vlan tags (IDs). That's what makes it a trunk port.
Quote:
Or can I keep the VLANs on physically separate ports by connecting AP ports 1-4 to 4 different switch ports?
I think what you meant to ask is if you can assign each vlan to its own port. Yes, but the point of using vlan tagging is to avoid this. Otherwise, you end up running multiple ethernet cables between the AP and the upstream switch. But yes, it can be done. And if vlan tagging doesn't work for some reason (e.g., hardware incompatibility), that may be your only option.
Quote:
How would I set up VLAN10 (Camera), VLAN11 (IOT) & VLAN15 (Guest) on DD-WRT such that the VLANs cannot talk to each other but they can communicate with some servers on my main LAN? See below requirements for VLANs
Remember, the underlying assumption here when the dd-wrt router is only acting as an AP, is that the upstream router and its switch are managing access between these vlans, NOT the AP! IOW, that's the responsibility of pfSense. All the AP is doing is ensuring separation from the point of the AP until it gets to pfSense. And that separation can be achieved in two ways; using vlan tagging, or associating each vlan w/ its own port and running multiple ethernet cables to the pfSense router, which also has the same vlans associated w/ their own ports (again, not usually desirable, but will work).
Quote:
should I create a separate wireless SSID for every VLAN? Or can the same SSID differentiate between traffic from the various VLANs?
Wireless is a completely separate issue. Remember, vlans are *only* about wired connections and ports. If you also want wireless to be associated w/ these vlans, then you need to create a bridge for each vlan (br1, br2, br3, etc.), create a virtual wireless adapter for each vlan, and assign each vlan and its associated wireless network adapter (SSID) to its respective bridge.
Quote:
How would it know to assign the correct IP address to the devices based on which VLAN they should belong to, when they connect to the AP?
Because each bridge and its assigned pair of vlan and wireless adapters is configured w/ its own IP network, DHCP server, firewall, DNS servers, etc. But NOT by dd-wrt; by pfSense!
Again, because the dd-wrt router is only acting as an AP, its only responsibility is to act as a "highway" that gets different "classes" of users (differentiated by their respective bridges) up to the pfSense. That's achieved either via vlan tagging, or running multiple ethernet cables between the switches. Your choice.
Doesn't matter which port you use as the trunk port on either side, you just have to make sure that whichever port you use, you tag the port w/ all the vlan tags (IDs). That's what makes it a trunk port.
I was going to make port 7 a trunk in the switch. Currently, port 7 from the switch connects to the WAN port of the AP.
eibgrad wrote:
I think what you meant to ask is if you can assign each vlan to its own port. Yes, but the point of using vlan tagging is to avoid this. Otherwise, you end up running multiple ethernet cables between the AP and the upstream switch. But yes, it can be done. And if vlan tagging doesn't work for some reason (e.g., hardware incompatibility), that may be your only option.
Yes, that is what I meant -- assign each vlan to its own port. Is there any advantage to either way other than less cables for the trunk method?
eibgrad wrote:
IOW, that's the responsibility of pfSense.
Yes, I understand that. I want the AP to simply forward on the VLAN packets as is and not do any type of routing/management. IOW, a dumb appliance that simply "knows" about the vlans.
eibgrad wrote:
If you also want wireless to be associated w/ these vlans,...
Yes I do. The whole point of the AP knowing about the vlans is so I can use the wireless capabilities and attach multiple devices across different VLANs using the same AP -- but still keep them on separate networks.
eibgrad wrote:
...then you need to create a bridge for each vlan (br1, br2, br3, etc.), create a virtual wireless adapter for each vlan, and assign each vlan and its associated wireless network adapter (SSID) to its respective bridge.
I will need to read up on this in a bit more detail as to how to create the said VLANs and also the associated bridge. Would you be able to point me to some articles that explain how to do this on DD-WRT?
eibgrad wrote:
That's achieved either via vlan tagging, or running multiple ethernet cables between the switches. Your choice.
Any pros and cons of either choice -- other than having more cables connected for individual vlans on each port?
eibgrad wrote:
But again, I can't stress this enough; it's *pfSense* that's responsible for providing services like DHCP, a firewall, DNS servers, etc.
Yes, I have already setup the VLANs on the pfSense router, assigned them to interfaces and enabled the DHCP on each interface. I have also created the firewall rules based on what I want that particular network to be able to do. I also have created the same VLANs on the Cisco 3750X switch.
I am at a point where I want to know how to make the AP aware of those VLANs and be able to allow devices across all 3 of those networks to connect to the WiFi AP and work seamlessly.
Now that I have successfully upgraded my device to v3.0-r44467 build, I thought I'd revisit creating VLANs and multiple SSIDs on the AP.
Would someone please help me create the VLANs and SSIDs on dd-wrt based on the following criteria. My device is being used in AP mode only and I have assigned the WAN port to be a switch port.
WAN port -- trunk from pfSense router carrying all the VLAN tags. I want the following SSIDs to handle the following 4 VLANs:
LAN -- SSID1
IOT -- SSID2
WORK -- SSID3
GUEST -- SSID4
@eibgrad indicated creating an associated bridge for each SSID. Can someone point me to the documentation that I need to read up on in order to implement this?
But on older broadcom routers vlan0 was for the LAN and vlan1 for the WAN (could be reversed).
On newer routers/builds, vlan 1 is for the LAN and vlan2 is for the WAN
So it looks like your router is confused, did you do an:
Code:
nvram erase && reboot
(if that is applicable to your router, or other reset method like the reset button)
after you upgraded to a recent build?
Yeah, I think my router (Netgear WNR3500L v1) is confused as I don't know where the vlan2 comes from either.
I didn't do an nvram erase && reboot. I must have missed that part. However, I had done the 30-30-30 reset. If I perform an nvram erase -- will it wipe out all my changes for converting the router into an AP?
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Sun Feb 21, 2021 22:38 Post subject:
If this is on a dual-band 802.11n or 802.11ac router, then the vlan0 is not required. Why that is a carryover for Broadcom from WRT54* 802.11bg antiques, I have not a @#$%^&*! clue, but that crap needs to be fixed. The vlans you should have on dual-band or 802.11n single-band are vlan1 for LAN and vlan2 for WAN.

Your nvram settings are all crap and not sure that the switch config page will fix it properly like it does on Linksys E-series. This is a known problem now that I've seen what's going on in nvram and folks having issues with the webUI. @egc: this is something that needs to be looked at in the source code... *hint* *hint*

Need to figure out the proper port for CPU and then the rest can be figured out as to what the nvram settings should be. Then you can save that information for later use if the router decides to go haywire and get forgetful due to the default nvram configs.
This is a pretty old router and doesn't support dual band. It only has 2.4 GHz Wireless N. I am using it as an AP with the WAN port (port 0, I think) assigned to the switch.
I was wondering if I could start from where I am and just fix the nvram settings accordingly.
I need:
vlan7 == IOT, wireless only
vlan10 == WORK, wireless & port 4
vlan11 == GUEST, wireless only
vlan0 == default, wireless & port 1 (desktop), port 2 (printer), port 3 (free)
Can I do the following:
Code:
#remove port 4 from vlan0
nvram set vlan0ports="1 2 3 5*"
#add only the CPU port to vlan7
nvram set vlan7ports="5*"
#add port 4 (tagged?) and CPU port to vlan10
nvram set vlan10ports="4t 5*"
#add only the CPU port to vlan11
nvram set vlan11ports="5*"
#remove all ports from vlan1 (This is something I am unsure of)
nvram set vlan1ports=""
#remove all ports from vlan2
nvram set vlan2ports=""
#set the hwname for vlans to be used and remove from vlan1 and vlan2
nvram set vlan7hwname="et0"
nvram set vlan10hwname="et0"
nvram set vlan11hwname="et0"
nvram set vlan1hwname=""
nvram set vlan2hwname=""
#set the port*vlans accordingly
nvram set port0vlans="0 7 10 11"
nvram set port1vlans="0"
nvram set port2vlans="0"
nvram set port3vlans="0"
nvram set port4vlans="10"
nvram set port5vlans="0 7 10 11 16"
Is that at least on the correct path?
Questions:
Do I still need the WLAN VLAN(vlan1)?
If so, what would I change above in the commands to keep vlan1?
I am not sure how to set the untagged vs tagged port. Is "4t" the right way to set tagged such that port 4 is exclusively used for vlan 10 only?
Currently even though my nvram settings seem out of whack, I have functioning LAN ports. I have connected my main LAN to the WAN port of this device and I am able to connect my desktop & printer to any of the ports and still able to get network access.
I guess, VLANs are a bit too complicated for this old device with DD-WRT.
It's just that I don't like to throw away working devices and even though I have used this device for a better part of the decade, I thought I'd continue using it further instead of making it part of the landfill.
My $60 TP Link EAP225 covers my entire house pretty well and supports the VLANs etc as I want. I was just hoping to add a 2nd AP -- since I have it.
I am wondering if I should just go ahead and change the VLAN settings via nvram -- is there a risk of bricking the device when changing the nvram VLAN settings?
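Before writing nvram values by hand, it helps to check that the vlan<N>ports and port<P>vlans variables describe the same switch. The script below is an added example, not code from any post in this thread or from the DD-WRT project: it parses the two variable families, derives which VLANs each port actually belongs to, and reports the usual mistakes (a port untagged in two VLANs, a VLAN that never reaches the CPU port, a port<P>vlans entry that disagrees with vlan<N>ports). It also checks a bridge plan of the kind eibgrad describes above (one VLAN interface plus one virtual wireless interface per bridge). The sample values are the ones proposed in the post above, with port 5 assumed to be the CPU port; the meaning of the "t" and "*" suffixes, the treatment of port<P>vlans values of 16 and above as option flags rather than VLAN ids, and the br<N>/wl0.<N> names in the bridge plan are assumptions of this checker.

```python
import re
from collections import defaultdict

# Token grammar of a vlan<N>ports entry: port number plus optional flags,
# 't' = tagged member, '*' = this VLAN is the port's default (PVID) VLAN.
# (Assumed semantics of DD-WRT's Broadcom switch variables.)
PORT_TOKEN = re.compile(r"^(\d+)([t*]*)$")


def parse_vlan_ports(nvram):
    """Return {vlan_id: {port_number: flags}} from every vlan<N>ports variable."""
    vlans = {}
    for key, value in nvram.items():
        m = re.fullmatch(r"vlan(\d+)ports", key)
        if not m:
            continue
        members = {}
        for token in value.split():
            pm = PORT_TOKEN.match(token)
            if not pm:
                raise ValueError(f"{key}: malformed port token {token!r}")
            members[int(pm.group(1))] = pm.group(2)
        vlans[int(m.group(1))] = members
    return vlans


def derive_port_vlans(vlans):
    """Invert the membership table: {port_number: sorted VLAN ids it belongs to}."""
    ports = defaultdict(set)
    for vid, members in vlans.items():
        for port in members:
            ports[port].add(vid)
    return {port: sorted(vids) for port, vids in ports.items()}


def check_switch(nvram, cpu_port):
    """Return a list of findings about the vlan<N>ports / port<P>vlans pair."""
    findings = []
    vlans = parse_vlan_ports(nvram)
    derived = derive_port_vlans(vlans)

    # (1) A physical port can be an untagged member of only one VLAN: an
    #     untagged frame arriving on it has exactly one VLAN to be assigned to.
    untagged = defaultdict(list)
    for vid, members in vlans.items():
        for port, flags in members.items():
            if "t" not in flags:
                untagged[port].append(vid)
    for port, vids in sorted(untagged.items()):
        if port != cpu_port and len(vids) > 1:
            findings.append(f"port {port}: untagged in more than one VLAN {sorted(vids)}")

    # (2) A VLAN without the CPU port never reaches the router's own
    #     interfaces, so no bridge or SSID could be attached to it.
    for vid, members in sorted(vlans.items()):
        if members and cpu_port not in members:
            findings.append(f"vlan{vid}: CPU port {cpu_port} is not a member")

    # (3) port<P>vlans must agree with what vlan<N>ports implies. Values of 16
    #     and above are treated as option flags, not VLAN ids (assumption).
    for key, value in nvram.items():
        m = re.fullmatch(r"port(\d+)vlans", key)
        if not m:
            continue
        port = int(m.group(1))
        declared = sorted(int(x) for x in value.split() if x.isdigit() and int(x) < 16)
        implied = derived.get(port, [])
        if declared != implied:
            findings.append(f"port {port}: port{port}vlans says {declared} "
                            f"but vlan<N>ports imply {implied}")
    return findings


def check_bridges(nvram, bridges, cpu_port):
    """Check a bridge plan such as br1 = vlan7 + wl0.1 against the switch table."""
    findings = []
    vlans = parse_vlan_ports(nvram)
    for name, ifaces in bridges.items():
        vids = [int(i[4:]) for i in ifaces if re.fullmatch(r"vlan\d+", i)]
        if len(vids) != 1:
            findings.append(f"{name}: expected exactly one vlan interface, got {vids}")
            continue
        if vids[0] not in vlans or cpu_port not in vlans[vids[0]]:
            findings.append(f"{name}: vlan{vids[0]} does not reach the CPU port")
        if not any(i.startswith("wl") for i in ifaces):
            findings.append(f"{name}: no wireless interface attached")
    return findings


# Constructed sample: the values proposed in the post above (port 0 is the WAN
# port wired to the switch as the trunk; port 5 is assumed to be the CPU port).
PROPOSED = {
    "vlan0ports": "1 2 3 5*", "vlan7ports": "5*", "vlan10ports": "4t 5*",
    "vlan11ports": "5*", "vlan1ports": "", "vlan2ports": "",
    "port0vlans": "0 7 10 11", "port1vlans": "0", "port2vlans": "0",
    "port3vlans": "0", "port4vlans": "10", "port5vlans": "0 7 10 11 16",
}

# Constructed alternative in which trunk port 0 really is a member of the
# VLANs that port0vlans claims (tagged for 7/10/11, untagged for 0).
TRUNKED = dict(PROPOSED, vlan0ports="0 1 2 3 5*", vlan7ports="0t 5*",
               vlan10ports="0t 4t 5*", vlan11ports="0t 5*")

# Hypothetical bridge plan using DD-WRT's br<N> / wl0.<N> naming (assumed).
BRIDGE_PLAN = {"br1": ["vlan7", "wl0.1"], "br2": ["vlan10", "wl0.2"],
               "br3": ["vlan11", "wl0.3"]}

if __name__ == "__main__":
    for label, cfg in (("proposed", PROPOSED), ("trunked", TRUNKED)):
        print(label, check_switch(cfg, cpu_port=5) or ["consistent"])
    print("bridges", check_bridges(TRUNKED, BRIDGE_PLAN, cpu_port=5) or ["consistent"])
```

On the values from the post the only finding is that port0vlans lists VLANs 0, 7, 10 and 11 while no vlan<N>ports entry contains port 0 at all, which is exactly the trunk port the thread wants to carry all four VLANs; the alternative table passes every check. Run it on a real unit by pasting the output of `nvram show | grep -E '^(vlan[0-9]+ports|port[0-9]+vlans)='` into the dictionary before touching anything.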
Posted: Mon Feb 22, 2021 17:05 Post subject:
I wasn't trying to convolute anything, I was just trying to explain to you that the default vlan configuration is wrong and it should not be. You *should* be able to change to the correct configuration via the webUI, but if that doesn't work as expected, then you need to do it via ssh/telnet with command line. You *should* also be able to use the webUI for vlans 10 and 11, save and except for adding the wireless. That is the only situation where command line would likely need to be employed via startup script. Sorry for frustrating and confusing you.