If my WAN port is actually 4 and not 0, why is it port0vlans=2 and not port4vlans=2? Which one am I referencing when trying to implement one VLAN for a VAP that traffics out the "WAN" port to my UniFi switch as well?
Additionally, help with my configuration would be tremendously appreciated! I'm simply trying to create a vlan named vlan 4 that is able to pull from the vlan 4 ID network I've created 192.168.4.1 /28 in my unifi controller. Attached you will find my setup and 2 diagrams of the logical and physical connections of the ports.
I am able to get on the VAP if I statically assign my device 192.168.4.x/28 (example. 192.168.4.4 255.255.255.240) range and can ping the VAP br1 that's 192.168.4.2.
Switch Config | nvram
Port W = 0 ? | VLAN 2
Port 1 = 1 | (nvram = port 1 on router)
Port 2 = 2 | (nvram = port 2 on router)
Port 3 = 3 | (nvram = port 3 on router)
Port 4 = 4 | (nvram = port 4? on router)
Really all I want is a guest network VAP on vlan 4 that is 192.168.4.0/28 that receives the IPs from my unifi vlan 4 DHCP. I just can't understand what I'm missing here.
Posted: Tue Dec 15, 2020 16:54 Post subject: Re: Vlan / Switch Config.
michilson wrote:
Just purchased an R8000 and am getting the same thing on a 2020/12/11 build.
Also getting 100 Mbit on ports 3 & 4,
VLANs 4 & 5.
Both are connected to 1 Gbit switches. Can't seem to figure out what's the deal with the LAN speed.
Any updates on the VLAN info?
I managed to get my guest VAP working with internet with the below config; however, it made my main WLs inoperable, which I believe is from tagging vlan1 on port 0. If someone with more experience and knowledge could chime in, that would be awesome.
Command
iptables -I FORWARD -i wl2.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
So the first command rejects wl2.1 from accessing the br0 subnet but passes the traffic through to br0 for internet.
Second command enables NAT for traffic being routed out br0 so that wl2.1 has connectivity.
What I'm having an issue with now is the amount of time it takes for my device via the VAP to be leased an IP address from my vlan 4 192.168.4.1/28 subnet DHCP pool upstream in my USG. It takes several minutes for this.
Posted: Thu Dec 17, 2020 20:07 Post subject:
To get 1 Gig on the ports, have a look here:
Some sample attribute settings:
18 19 21 = Auto-negotiate Gigabit
18 19 = Auto-negotiate 100 MBit
17 19 = Force 100 MBit, half-duplex
17 = Force 10 MBit, full duplex (on a 100 MBit router)
17 18 = Force Gigabit full duplex (on a gigabit router)
16 = For some reason, the CPU port is generally given this "tagged" attribute
As noted in the quick example above, if we're assigning port 4 to VLAN 103, we would need to set two portNvlans variables. On a Gigabit router (with WAN port 0) it would look like this:
nvram set port5vlans="1 2 103 16"
nvram set port4vlans="103 18 19 21"
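Added example, not from the thread or the DD-WRT wiki: a small checker that decodes the quoted portNvlans strings into VLAN ids and attributes, and flags a VLAN that is assigned to a switch port but not carried tagged (attribute 16) on the CPU port, which is the mistake the "two portNvlans variables" note above warns about. It assumes that the numbers 16 to 21 are always attributes and that port5vlans is the CPU port; the sample nvram values are constructed from the wiki example.

```python
# Decode DD-WRT "port<N>vlans" nvram strings and check that a VLAN on a switch
# port is also carried tagged on the CPU port (port5), as in the wiki example
# ("1 2 103 16" on port5, "103 18 19 21" on port4). Assumption: 16..21 are
# attribute flags, every other number is a VLAN id.
ATTR_RANGE = range(16, 22)
TAGGED = 16
CPU_KEY = "port5vlans"

SPEED_ATTRS = {  # attribute sets quoted in the thread
    frozenset({18, 19, 21}): "Auto-negotiate Gigabit",
    frozenset({18, 19}): "Auto-negotiate 100 MBit",
    frozenset({17, 19}): "Force 100 MBit, half-duplex",
    frozenset({17}): "Force 10 MBit, full duplex",
    frozenset({17, 18}): "Force Gigabit full duplex",
}

def parse_portvlans(value):
    """'1 2 103 16' -> ([1, 2, 103], frozenset({16}))"""
    tokens = [int(t) for t in value.split()]
    vlans = [t for t in tokens if t not in ATTR_RANGE]
    attrs = frozenset(t for t in tokens if t in ATTR_RANGE)
    return vlans, attrs

def describe_port(value):
    """Human-readable view of one port: VLAN ids, tagged flag, speed setting."""
    vlans, attrs = parse_portvlans(value)
    speed = SPEED_ATTRS.get(attrs - {TAGGED}, "no speed attributes")
    return {"vlans": vlans, "tagged": TAGGED in attrs, "speed": speed}

def check_vlan(nvram, vlan):
    """List misconfigurations for `vlan` in a dict of port<N>vlans values."""
    problems = []
    members = [k for k, v in nvram.items() if vlan in parse_portvlans(v)[0]]
    physical = [k for k in members if k != CPU_KEY]
    cpu_vlans, cpu_attrs = parse_portvlans(nvram.get(CPU_KEY, ""))
    if not physical:
        problems.append("VLAN %d is not assigned to any switch port" % vlan)
    if vlan not in cpu_vlans:
        problems.append("VLAN %d on %s but missing from %s"
                        % (vlan, ", ".join(physical) or "no port", CPU_KEY))
    elif TAGGED not in cpu_attrs:
        problems.append("%s has VLAN %d but lacks tagged attribute 16" % (CPU_KEY, vlan))
    return problems

# Constructed sample: the wiki example plus a WAN port on VLAN 2 (port0 on that layout).
SAMPLE_NVRAM = {
    "port0vlans": "2 18 19 21",
    "port4vlans": "103 18 19 21",
    "port5vlans": "1 2 103 16",
}
```

Running check_vlan(SAMPLE_NVRAM, 103) returns an empty list; dropping 103 from port5vlans, or the trailing 16, produces a message naming the missing piece.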
Understandable. My issue was that I was not using the WAN port traditionally. I am using my R8000 as an AP that is downstream from my USG.
My issue is the amount of time it takes for any device connecting to the VAP to get an IP. In fact, currently the device has issued itself an APIPA address for a few minutes prior to receiving a 192.168.4.x/28 address.
Set WAN Connection Type to Disabled.
Set Local IP Address to 192.168.x.x (whatever you want your router IP to be) and Gateway to 192.168.x.x (host router). Checked Assign WAN Port to Switch.
Disabled the DHCP Server.
Save
Wireless > Basic Settings > Virtual Interfaces
Set the Wireless Mode of the Wireless Physical Interface (wl0) to AP.
Set the SSID of wl0.1 to the same upstream router configured WLAN SSID.
Wireless Channel remains Auto
Setting up VAP
Add a new Virtual Interface.
Set the SSID to whatever SSID you desire from the upstream router WLAN SSID. E.g. one of my wireless networks is HomeIOT.
Left AP Isolation as Disabled (optional) and Network Configuration as Bridged.
Save.
Wireless > Wireless Security
Set the Security Mode of wl0.1 to WPA2-PSK
Set the WPA Shared Key as something different than physical interfaces
Set the Security Mode and WPA Shared Key of wl0.1.
Save.
Setup > Networking
Added a new Bridge named br1
Set the IP Address to 192.168.x.x. Make sure this IP is different from the upstream VLAN gateway and subnet. In my case it was 192.168.10.2/28, NOT 192.168.10.1.
Mask to 255.255.255.240
Assigned the new br1 Bridge to wl0.1.
DHCP on DD-WRT is disabled because the main router has a VLAN DHCP pool configured that leases IPs in the 192.168.10.1/28 network, and according to the instructions in the tutorial link, I could not use the GUI to set up the DHCP for br1. Instead I followed the instructions to set up br1's DHCP via commands. This is below.
Save.
Additional DNSMasq Options
# Enables DHCP on br1
interface=br1
# Set the default gateway for br1 clients
dhcp-option=br1,3,192.168.10.1
# Enables DHCP on br2
interface=br2
# Set the default gateway for br2 clients
dhcp-option=br2,3,192.168.11.1
#Restrict br1 from accessing br0 and br2
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
#Restrict br2 from accessing br0 and br1
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# Disallow access to the router on br1, br2 through the typical ports for management (telnet,ftp,ssh,http,https)
iptables -I INPUT -i br2 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I INPUT -i br1 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP