r8000 vLANs & Ports

Loophole
DD-WRT Novice


Joined: 02 Mar 2020
Posts: 8

PostPosted: Tue Dec 08, 2020 20:44    Post subject: r8000 vLANs & Ports
Hello everyone

EDIT Build: 44944
Router: Netgear r8000 Nighthawk

Problem: VAP bridge VLAN implementation and nvram confusion

vlan1ports=0 1 2 3 5 7 8* <-- where do ports 5 and 7 come in for all of this? Is 6 not here because it's afraid of 7 who 8 9?
vlan2ports=4 8u

port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 16

vlan1hwname=et2
vlan2hwname=et2


To account for my VLAN setup I update to the following: (This is where my understanding breaks down)
EDIT 12/09/2020 New configuration is

vlan1ports=0 2 3 5 7 8*
vlan2ports=4 8u
vlan4ports=1t 8*

port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 4 16

vlan1hwname=et2
vlan2hwname=et2
vlan3hwname=et2

If my WAN port is actually 4 and not 0 why is port0vlans=2 and not port4vlans=2? Which am I referencing when trying to implement one vLAN for a VAP that traffics out the "WAN" port to my unifi switch as well?

Additionally, help with my configuration would be tremendously appreciated! I'm simply trying to create a VLAN named vlan 4 that is able to pull from the VLAN 4 ID network I've created, 192.168.4.1/28, in my unifi controller. Attached you will find my setup and 2 diagrams of the logical and physical connections of the ports.

I am able to get on the VAP if I statically assign my device an address in the 192.168.4.x/28 range (example: 192.168.4.4 255.255.255.240) and can ping the VAP br1 that's 192.168.4.2.

Switch Config | nvram
Port W = 0 ? | VLAN 2
Port 1 = 1 | (nvram = port 1 on router)
Port 2 = 2 | (nvram = port 2 on router)
Port 3 = 3 | (nvram = port 3 on router)
Port 4 = 4 | (nvram = port 4? on router)

but vlan2ports= 4 and 8?


I've referenced
https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs
https://wiki.dd-wrt.com/wiki/index.php/Default_Configuration_Overview#Illustration_of_port_and_vLAN_mappings


https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=431294#431294 <-- Has helped me visualize my physical ports and VLAN port numbers but I'm not really sure if it's correct.

I have also referenced the switch config wiki



[Attachments: r8000_port_diagram_123.png, Screenshot 2020-12-08 154226.png, ConceptDrawingr8000.png]

Last edited by Loophole on Thu Dec 10, 2020 0:46; edited 5 times in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 8580
Location: Texas, USA

PostPosted: Tue Dec 08, 2020 21:17    Post subject:
https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports

Also, 40559 is not supported. Do not use the router database. Look in this forum for build release threads. For example, a build was released today:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327426

Previous build release:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327272

Downloads:

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/

_________________
Official Forum Rules, Guidelines & Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Loophole
DD-WRT Novice


Joined: 02 Mar 2020
Posts: 8

PostPosted: Tue Dec 08, 2020 21:25    Post subject:
kernel-panic69 wrote:
https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports


I have viewed this as well.

kernel-panic69 wrote:

Also, 40559 is not supported. Do not use the router database. Look in this forum for build release threads. For example, a build was released today:


Completely overlooked this. The build is now 44944 with the issue still persisting.

With my new configuration as:

vlan1ports=3 2 1 0 5 7 8*
vlan2ports=4 8u
vlan4ports=4t 8*

port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 4 16

vlan1hwname=et2
vlan2hwname=et2
vlan3hwname=et2

Really all I want is a guest network VAP on vlan 4 that is 192.168.4.0/28 that receives the IPs from my unifi vlan 4 DHCP. I just can't understand what I'm missing here.
michilson
DD-WRT Novice


Joined: 06 Nov 2018
Posts: 12

PostPosted: Tue Dec 15, 2020 7:27    Post subject: Vlan / Switch Config.
Just purchased an R8000, getting the same thing on a 2020/12/11 build.

Also getting 100 Mbit on ports 3 & 4

VLANs 4 & 5.

Both connected to 1 Gbit switches. Can't seem to figure out what's the deal with the LAN speed.

Any updates on the VLAN info?
Loophole
DD-WRT Novice


Joined: 02 Mar 2020
Posts: 8

PostPosted: Tue Dec 15, 2020 16:54    Post subject: Re: Vlan / Switch Config.
michilson wrote:
Just purchased an R8000, getting the same thing on a 2020/12/11 build.

Also getting 100 Mbit on ports 3 & 4

VLANs 4 & 5.

Both connected to 1 Gbit switches. Can't seem to figure out what's the deal with the LAN speed.

Any updates on the VLAN info?


I managed to get my guest VAP working with internet with the below config; however, it made my main WLs inoperable, which I believe is from tagging vlan1 on port 0. If someone with more experience and knowledge could chime in that would be awesome.

vlan1ports=3 2 1 0 5 7 8*
vlan2ports=4 8u
vlan4ports=5 7 8*

port0vlans=2 4 16
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 4 16

vlan1hwname=et2
vlan2hwname=et2
vlan3hwname=et2

I've also tried

vlan1ports=4t 3 2 1 0 5 7 8*
vlan2ports=4t 8u
vlan4ports=4t 5 7 8*


port0vlans=2 4 16
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 4 16

vlan1hwname=et2
vlan2hwname=et2
vlan3hwname=et2

I'm honestly just confused at this point.
Loophole
DD-WRT Novice


Joined: 02 Mar 2020
Posts: 8

PostPosted: Thu Dec 17, 2020 5:31    Post subject:
Okay so it looks like I got it working now. I reset all my nvram variables and started from scratch.

Attached are the screenshots of my config.

I also used two iptables commands found in https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs#DHCP

Command
iptables -I FORWARD -i wl2.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

So the first command rejects wl2.1 from accessing the br0 subnet but passes the traffic through to br0 for internet.

Second command enables NAT for traffic being routed out br0 so that wl2.1 has connectivity.

What I'm having an issue with now is the amount of time it takes for my device via the VAP to be leased an IP address from my vlan 4 192.168.4.1/28 subnet DHCP pool upstream in my USG. It takes several minutes for this.



[Attachment: Screenshot 2020-12-16 230957.png]

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4296
Location: UK, London, just across the river..

PostPosted: Thu Dec 17, 2020 20:07    Post subject:
To get 1 Gig on the ports have a look here:

Some sample attribute settings:

18 19 21 = Auto-negotiate Gigabit
18 19 = Auto-negotiate 100 MBit
17 19 = Force 100 MBit, half-duplex
17 = Force 10 MBit, full duplex (on a 100 MBit router)
17 18 = Force Gigabit full duplex (on a gigabit router)
16 = For some reason, the CPU port is generally given this "tagged" attribute

As noted in the quick example above, if we're assigning port 4 to VLAN 103, we would need to set two portNvlans variables. On a Gigabit router (with WAN port 0) it would look like this:

nvram set port5vlans="1 2 103 16"
nvram set port4vlans="103 18 19 21"

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 46446 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 46446 BS AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 46446 BS AP,NAT,AD/Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 46604 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 46604 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
Loophole
DD-WRT Novice


Joined: 02 Mar 2020
Posts: 8

PostPosted: Thu Dec 17, 2020 21:02    Post subject:
Alozaros wrote:
To get 1 Gig on the ports have a look here:

Some sample attribute settings:

18 19 21 = Auto-negotiate Gigabit
18 19 = Auto-negotiate 100 MBit
17 19 = Force 100 MBit, half-duplex
17 = Force 10 MBit, full duplex (on a 100 MBit router)
17 18 = Force Gigabit full duplex (on a gigabit router)
16 = For some reason, the CPU port is generally given this "tagged" attribute

As noted in the quick example above, if we're assigning port 4 to VLAN 103, we would need to set two portNvlans variables. On a Gigabit router (with WAN port 0) it would look like this:

nvram set port5vlans="1 2 103 16"
nvram set port4vlans="103 18 19 21"


Understandable. My issue was that I was not using the WAN port traditionally. I am using my R8000 as an AP that is downstream from my USG.

My issue is the amount of time it takes for any device connecting to the VAP to get an IP. In fact, currently the device issues itself an APIPA address for a few minutes prior to receiving a 192.168.4.x/28 address.
Loophole
DD-WRT Novice


Joined: 02 Mar 2020
Posts: 8

PostPosted: Sat Dec 19, 2020 5:55    Post subject:
So I have finally resolved this issue.

How to configure DD-WRT as a secondary router with DHCP on the upstream USG.

Please bear in mind that my firewall has been configured to disable interVLAN routing. Do so according to your preferences.

Upstream vlans created:

vlan10 = 192.168.10.1/28
vlan11 = 192.168.11.1/28


My configurations in CLI are as follows:

Setting the vlanNports variables: Only vlans 10 and 11 were configured for the moment

vlanNports nvram set command: nvram set vlan10ports="5 7 8"

root@HyperFiBase:~# nvram show | grep vlan.*ports | sort

size: 42584 bytes (22952 left)
vlan10ports=4t 5 7 8
vlan11ports=4t 5 7 8
vlan1ports=3 2 1 0 5 7 8*
vlan2ports=4 8u

Setting the portNvlans variables: Port 5 was the only port additional vlans were assigned

portNvlans nvram set command: nvram set port5vlans="1 2 10 11 12 16"

root@HyperFiBase:~# nvram show | grep port.*vlans | sort

size: 42584 bytes (22952 left)
port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 10 11 12 16

Setting the vlanNhwname variables: Only vlan10hwname used but 11 and 12 were set

vlanNhwname set command: nvram set vlan10hwname="et2"

root@HyperFiBase:~# nvram show | grep vlan.*hwname | sort

size: 42584 bytes (22952 left)
vlan10hwname=et2
vlan11hwname=et2
vlan12hwname=et2
vlan1hwname=et2
vlan2hwname=et2

GUI configurations are as follows:

Setup > Basic Setup

Set WAN Connection Type to Disabled.
Set Local IP Address to 192.168.x.x (whatever you want your router IP to be) and Gateway to 192.168.x.x (host router).

Checked Assign WAN Port to Switch.
Disabled the DHCP Server.
Save

Wireless > Basic Settings > Virtual Interfaces

Set the Wireless Mode of the Wireless Physical Interface (wl0) to AP.
Set the SSID of wl0.1 to the same upstream router configured WLAN SSID.
Wireless Channel remains Auto
Setting up VAP
Add a new Virtual Interface.
Set the SSID to whatever SSID you desire from upstream router WLAN SSID. E.g. One of my wireless networks is
HomeIOT.
Left AP Isolation as Disabled (optional) and Network Configuration as Bridged.
Save.

Wireless > Wireless Security

Set the Security Mode of wl0.1 to WPA2-PSK
Set the WPA Shared Key to something different from the physical interfaces'.
Set the Security Mode and WPA Shared Key of wl0.1.
Save.

Setup > Networking

Added a new Bridge named br1
Set the IP Address to 192.168.x.x. Make sure this IP is different from the upstream VLAN gateway and subnet. In my case it was 192.168.10.2/28, NOT 192.168.10.1.
Mask to 255.255.255.240
Assigned the new br1 Bridge to wl0.1.
DHCP on DD-WRT is disabled because the main router has a configured VLAN DHCP pool leasing IPs in the 192.168.10.1/28 network, and according to the instructions in the tutorial link, I could not use the GUI to set up the DHCP for br1. Instead I followed the instructions to set up br1's DHCP via commands. This is below.
Save.

Additional DNSMasq Options

# Enables DHCP on br1
interface=br1
# Set the default gateway for br1 clients (the upstream vlan10 gateway)
dhcp-option=br1,3,192.168.10.1

# Enables DHCP on br2
interface=br2
# Set the default gateway for br2 clients (the upstream vlan11 gateway)
dhcp-option=br2,3,192.168.11.1

IPTABLES FIREWALL SCRIPT

iptables-restore < /opt/firewall/myipt/.ipt

# Accept traffic to 192.168.11.13 on 9100/tcp (raw printing), 5350-5351/udp (NAT-PMP) and 5353/udp (mDNS)
iptables -I INPUT -p tcp -d 192.168.11.13 --dport 9100 -j ACCEPT
iptables -I INPUT -p udp -d 192.168.11.13 --dport 5350 -j ACCEPT
iptables -I INPUT -p udp -d 192.168.11.13 --dport 5351 -j ACCEPT
iptables -I INPUT -p udp -d 192.168.11.13 --dport 5353 -j ACCEPT

#Restrict br1 from accessing br0 and br2
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
#Restrict br2 from accessing br0 and br1
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP

#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

# Disallow access to the router on br1, br2 through the typical ports for management (telnet,ftp,ssh,http,https)
iptables -I INPUT -i br2 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I INPUT -i br1 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP

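As an added illustration (not from this thread or from DD-WRT itself), a small Python checker for the vlanNports / vlanNhwname confusion that ran through this thread: it reads those lines from an `nvram show` dump, decodes the t/u/* suffixes (tagged, untagged, untagged plus default VLAN/PVID, the convention of the linked Switched_Ports wiki) and flags the three mistakes visible in the earlier configs above. The front-panel port set and the two sample dumps are assumptions copied from the thread.

```python
import re
from collections import defaultdict

# Front-panel ports as the thread maps them for the R8000 (W = 0, LAN 1-4); 5, 7 and 8 are CPU-side. Assumption from the thread.
PHYSICAL_PORTS = {0, 1, 2, 3, 4}

# Constructed samples copied from the thread: the first post's edited (broken) config and the final working one.
BROKEN = ("vlan1ports=0 2 3 5 7 8*\nvlan2ports=4 8u\nvlan4ports=1t 8*\n"
          "vlan1hwname=et2\nvlan2hwname=et2\nvlan3hwname=et2")
WORKING = ("vlan10ports=4t 5 7 8\nvlan11ports=4t 5 7 8\nvlan1ports=3 2 1 0 5 7 8*\n"
           "vlan2ports=4 8u\nvlan10hwname=et2\nvlan11hwname=et2\nvlan12hwname=et2\n"
           "vlan1hwname=et2\nvlan2hwname=et2")

def parse_vlan_nvram(dump):
    """Return (vlan -> {port: mode}, VLANs having a vlanNhwname). Mode is 't'
    tagged, 'u' untagged, or '*' untagged and the port's default VLAN (PVID)."""
    ports, hwnames = {}, set()
    for line in dump.splitlines():
        m = re.match(r"vlan(\d+)(ports|hwname)=(.*)$", line.strip())
        if not m:
            continue
        vlan, key, value = int(m.group(1)), m.group(2), m.group(3)
        if key == "hwname":
            hwnames.add(vlan)
            continue
        members = {}
        for tok in value.split():
            port, mode = re.match(r"(\d+)([tu*]?)$", tok).groups()
            members[int(port)] = mode or "u"  # a bare number means untagged
        ports[vlan] = members
    return ports, hwnames

def audit_vlan_nvram(dump):
    """Flag the mistakes this thread kept hitting: vlanNports with no vlanNhwname (no
    vlanN interface is created), a port marked '*' (PVID) in more than one VLAN, and
    a front-panel port untagged in more than one VLAN (its frames become ambiguous)."""
    ports, hwnames = parse_vlan_nvram(dump)
    pvid, untagged, warnings = defaultdict(list), defaultdict(list), []
    for vlan, members in sorted(ports.items()):
        if vlan not in hwnames:
            warnings.append(f"vlan{vlan}ports set but vlan{vlan}hwname missing")
        for port, mode in members.items():
            if mode == "*":
                pvid[port].append(vlan)
            if mode != "t" and port in PHYSICAL_PORTS:
                untagged[port].append(vlan)
    for label, table in (("'*' (PVID)", pvid), ("untagged", untagged)):
        for port, vlans in sorted(table.items()):
            if len(vlans) > 1:
                warnings.append(f"port {port} is {label} in more than one vlan: {vlans}")
    return warnings
```

Running `audit_vlan_nvram(BROKEN)` reports the missing vlan4hwname and the duplicated `*` on port 8, while the final working dump comes back clean.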


[Attachment: Screenshot 2020-12-16 230957.png]
