Posted: Tue Feb 02, 2021 21:12 Post subject: XR500 VLAN
Hi dd-wrt community, desperately looking for help!
I have XR500 under DD-WRT v3.0-r45563 connected to the Netgear GS716Tv2 switch and gwn7630 access point.
What I want to achieve:
I want to have a trunk:(
vlan1(192.168.168.1/24),
vlan5(192.168.5.1/24),
vlan6(192.168.6.1/24)
)
on the router's port 1, which will be connected to the trunk on the switch, and create tagged SSIDs on the access point. I read probably every topic on the forum, but unfortunately I didn't manage to get VLANs to work even on the router.
I started by creating VLANs on the router to test that it actually works, but unfortunately it doesn't matter which port on the router I connect my laptop to; every time I receive a 192.168.168.* IP, as if nothing was done at all.
What I have:
1) startup section:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1t 2 3 4 5t 6"
swconfig dev switch0 vlan 5 set ports "2t 5t"
swconfig dev switch0 vlan 6 set ports "3t 5t"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 set apply
vconfig add eth1 5
vconfig add eth1 6
ifconfig eth1.5 192.168.5.1 netmask 255.255.255.0
ifconfig eth1.6 192.168.6.1 netmask 255.255.255.0
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1t 2 3 4 5t 6"
swconfig dev switch0 vlan 5 set ports "1t 2t 5t 6t"
swconfig dev switch0 vlan 6 set ports "1t 3t 5t 6t"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 set apply
vconfig add eth1 5
vconfig add eth1 6
ifconfig eth1.5 192.168.5.1 netmask 255.255.255.0
ifconfig eth1.6 192.168.6.1 netmask 255.255.255.0
The behavior was the same, as if nothing had changed.
Per Yngve Berg wrote:
Working example for the R7800:
Code:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "3 4t 6"
swconfig dev switch0 vlan 3 set ports "1 2 4t 6t"
swconfig dev switch0 set apply
vconfig add eth1 3
ifconfig eth1.3 192.168.3.1 netmask 255.255.255.0
Note that the processor port for LAN is 6, but 5 for the WAN.
Port 6 is not tagged for VLAN1, but tagged for the other VLANs.
I have a managed switch on port 4, that's why it's tagged.
As I understand it, I can remove the t from port 5 as it is the WAN port,
so the config should be:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1t 2 3 4 5 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 5 set ports "1t 2t 6t"
swconfig dev switch0 vlan 6 set ports "1t 3t 6t"
swconfig dev switch0 set apply
vconfig add eth1 5
ifconfig eth1.5 192.168.5.1 netmask 255.255.255.0
vconfig add eth1 6
ifconfig eth1.6 192.168.6.1 netmask 255.255.255.0
Physical port 1 (switch port 4) operates as a trunk for vlan1, vlan5, vlan6
Physical port 2 (switch port 3) for vlan5
Physical port 3 (switch port 2) for vlan6
Ports 3 and 2 are just for testing purposes, as port 1 should be connected to the managed switch. This is the first time I'm trying to do something like this; that's why I added ports 2 and 3 for testing, to check that DHCP actually works.
Will this command help
swconfig dev switch0 vlan 1 set vid 10
if I want vlan1 to have tag 10, or can I leave it as it is?
Posted: Wed Feb 03, 2021 17:57 Post subject:
XR500 is basically a reboxed R7800 running DumaOS;
very likely the switch could have a different layout, but for creating VLANs on Atheros routers the basics are the same..
Have a good read and look here; it may seem a messy thread, but all the info is there...
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313472
So I managed to make it work front to back with this config after I did the router reset.
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 4t 5 6"
swconfig dev switch0 vlan 1 set vid 10
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 20 set ports "4t 6t"
swconfig dev switch0 vlan 30 set ports "4t 6t"
swconfig dev switch0 vlan 40 set ports "4t 6t"
swconfig dev switch0 set apply
vconfig add eth1 20
ifconfig eth1.20 192.168.20.1 netmask 255.255.255.0
vconfig add eth1 30
ifconfig eth1.30 192.168.30.1 netmask 255.255.255.0
vconfig add eth1 40
ifconfig eth1.40 192.168.40.1 netmask 255.255.255.0
I changed the vid of vlan1 from 1 to 10 because the GWN7630 AP doesn't allow me to put 1 in the VLAN field; the minimum number is 2, it says. Without the VLAN specified for the default network I just can't connect to the WIFI; other VLANs over wifi are working.
The last question, hopefully: when I connect to VLAN 10 (over WIFI or over the cable) I can ping and access everything except devices connected to the trunk, like the switch and the access point. Could someone point me in the right direction, please!
P.S. The router is accessible.
Looks like I solved it.
I went back to vid 1 for vlan1 and made the 4th port untagged for vlan1. Now I can access every device on my main network, which is vlan1, and I don't need to specify a VLAN id for the wifi which is supposed to work with VLAN 1 (I guess it is 1 by default; that is why I was not allowed to put 1 there).
swconfig dev switch0 vlan 1 set ports "1 2 3 4u 5 6"
swconfig dev switch0 vlan 1 set vid 1
Now I have another two issues.
When I enable the VPN client I can't connect to my VLANs anymore, except eth1 which is vlan1.
The second issue is that my VLANs are on different subnets. Is it possible to make them see the DNS server, which is on the main network? Example: the main network is 192.168.168.1/24, vlan20 is 192.168.20.1/24,
DNS server is 192.168.168.5
I have this in the firewall section
iptables -t nat -I POSTROUTING -s 10.20.30.0/24 -o $(get_wanface) -j MASQUERADE
iptables -I FORWARD -s 10.20.30.1/24 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.2/31 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.4/30 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.8/29 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.16/28 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.32/27 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.128/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.192/29 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.200/32 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.201 -o $(get_wanface) -m state --state NEW -j ACCEPT
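One way to give the VLANs access to the DNS server on the main network without opening the rest of that network to them, as an added example that is not part of this thread. The DNS server address 192.168.168.5 and the eth1.20/eth1.30/eth1.40 interfaces come from the posts above; the main LAN being bridged as br0 and the chain name VLAN_TO_LAN are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: allows the VLAN subnets to reach only the
# DNS server on the main network (192.168.168.5 and eth1.20/30/40 are from the
# posts) and refuses every other VLAN -> main-LAN connection.
# Assumptions: the main LAN is bridged as br0 (usual on DD-WRT) and the chain
# name VLAN_TO_LAN is my own choice.
LAN_IF="${LAN_IF:-br0}"
DNS_SERVER="192.168.168.5"
VLAN_IFS="eth1.20 eth1.30 eth1.40"

# With DRY_RUN set, the iptables commands are printed instead of executed, so
# the rule set can be reviewed on a machine without iptables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

vlan_dns_rules() {
    # Own chain, flushed on each run, so the rule bodies never stack.
    run iptables -N VLAN_TO_LAN 2>/dev/null
    run iptables -F VLAN_TO_LAN
    # Replies to connections that the main LAN itself opened towards a VLAN.
    run iptables -A VLAN_TO_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS only, over both transports; everything else is refused below.
    for proto in udp tcp; do
        run iptables -A VLAN_TO_LAN -p "$proto" -d "$DNS_SERVER" --dport 53 -j ACCEPT
    done
    run iptables -A VLAN_TO_LAN -j REJECT
    for vif in $VLAN_IFS; do
        # VLAN -> main LAN goes through the chain (old jump removed first so
        # re-running does not duplicate it); only state-matched replies flow
        # back from the main LAN into the VLAN.
        run iptables -D FORWARD -i "$vif" -o "$LAN_IF" -j VLAN_TO_LAN 2>/dev/null
        run iptables -I FORWARD -i "$vif" -o "$LAN_IF" -j VLAN_TO_LAN
        run iptables -D FORWARD -i "$LAN_IF" -o "$vif" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
        run iptables -I FORWARD -i "$LAN_IF" -o "$vif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# Without an argument the script only prints the rules; "apply" installs them.
case "${1:-}" in
    apply) vlan_dns_rules ;;
    *)     (DRY_RUN=1; vlan_dns_rules) ;;
esac
```

On DD-WRT the `apply` form belongs in the Firewall script, and the VLAN clients must be handed the DNS server address (dhcp-option 6) for the allowed path to be used.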
Looks like I localized the connection issue to a VLAN.
I did the reset of the router one more time.
Configuration steps:
1) initial router setup
2) VLAN config added + DHCP config for every VLAN
3) VPN client configured
4) DNSmasq configured
5) Firewall rules added
6) VPN server configured
Everything was fine until step 7
7) USB Core Support enabled and BAM! I can't connect to my VLANs again.
Disabled and enabled USB Core Support a few more times, rebooted the router of course. Once USB Core Support is disabled I can connect to my VLANs via cable or via wifi, but when it is enabled I can't.
I have no idea how VLANs and USB Core Support correlate with each other, but they definitely do; there is an issue at least with this version, v3.0-r45563.
Tried to set up the router one more time.
Reboot after each step.
1) Reset
2) Enabled USB Core Support
3) Added VLAN commands:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 4u 5 6"
swconfig dev switch0 vlan 1 set vid 1
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 20 set ports "4t 6t"
swconfig dev switch0 vlan 30 set ports "4t 6t"
swconfig dev switch0 vlan 40 set ports "4t 6t"
swconfig dev switch0 set apply
vconfig add eth1 20
ifconfig eth1.20 192.168.20.1 netmask 255.255.255.0
vconfig add eth1 30
ifconfig eth1.30 192.168.30.1 netmask 255.255.255.0
vconfig add eth1 40
ifconfig eth1.40 192.168.40.1 netmask 255.255.255.0
4) DNSmasq config
no-resolv
interface=tun2,eth1.20,eth1.30,eth1.40
server=208.67.222.222
server=208.67.220.220
cache-size=10000
domain-needed
bogus-priv
And again I can't connect to my VLANs until I disable USB Core Support. I think it is a bug. I would appreciate it if someone who stumbled upon the same issue and found a workaround could share it here.
EDIT:
Noticed that the DNSmasq commands for the VLANs' DHCP don't work:
dhcp-range=eth1.20,192.168.20.128,192.168.20.191,255.255.255.0,72h
dhcp-option=eth1.20,3,192.168.20.1
dhcp-option=eth1.20,6,208.67.222.222
One more issue I have got.
I have different air sensors. I moved them to the IoT VLAN and reconfigured them. Now I can't manage them, even though I see all the readings. I'm getting "Please connect to the same WIFI network as your device to manage its settings". I added them using the IoT WIFI network, and when I'm trying to manage them I am also connected to the IoT WIFI. I suppose it has something to do with the firewall rules, but I really have no idea how to solve it yet, as I'm a complete noob in iptables, and again I'm not sure that my guess is correct.
Desperately looking for help.