Help! R7800 vlan setup failure

DD-WRT Forum Index -> Atheros WiSOC based Hardware
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Thu Apr 29, 2021 17:06
I am seeing some really strange behavior with br1. If I remove the 2nd VAP, eth1.77 returns as the attached photo shows but after rebooting the router only wlan0.1 remains in br1. Why is this?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Thu Apr 29, 2021 18:48
Have you looked for any clue in syslog?
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Fri Apr 30, 2021 0:13
Per Yngve Berg wrote:
Have you looked for any clue in syslog?


I took your advice and I see this a lot in the log:

user info bridge : interface eth1 successfully deleted from bridge br0
user info bridge : interface eth1.77 successfully deleted from bridge br1
daemon info mstpd[493] MSTP_OUT_set_ageing_time: br1:eth1.77 Setting new ageing time to 300
daemon warning dnsmasq-dhcp[8982] DHCP packet received on br1 which has no address
daemon info mstpd[493] MSTP_OUT_set_state: br1:eth1.77:0 entering learning state
daemon info mstpd[493] set_if_up: Port eth1.77 : up
daemon info mstpd[493] MSTP_OUT_set_state: br1:eth1.77:0 entering forwarding state

I don't know why it's deleting eth1 and eth1.77 from their bridges. I did not tell the router to do this.

The gui only shows wlan0.1 as a member of br1 currently even though eth1.77 is also configured for br1. Wireless devices receive an ip address from br1, show up in Status/LAN as receiving addresses from br1 and work just fine.

If I plug my laptop into a switchport in vlan77, I get a DHCP address but no internet access. Status/LAN says the address is from eth1.77 which is not configured anywhere for DHCP. BR1 is configured to hand out the ip address that my laptop gets but according to the gui and the syslog eth1.77 is no longer a member of br1 so how is this possible?

This is all so screwy.
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Fri May 07, 2021 5:36
...and we're back! Finally.

I have good news. While the forum was taking a siesta, I solved my vlan77 problem, i.e. I have successfully bridged a vlan and 2 vaps together and it survives a router reboot. Yay! I wish everything in the gui worked as intended so I didn't have to learn linux in the process, but I understand that dd-wrt is a "labor of love" project.

Anyhow, here's my startup commands and see the attachment for my bridge setup in the gui.

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 4t 6"
swconfig dev switch0 vlan 77 set ports "4t 6t"
swconfig dev switch0 vlan 97 set ports "4t 6t"
swconfig dev switch0 set apply
vconfig add eth1 77
vconfig add eth1 97
ifconfig eth1.97 192.168.97.1 netmask 255.255.255.0
ifconfig eth1.77 up
ifconfig eth1.97 up
#
#
#
brctl delif br0 wlan0.1 wlan1.1
brctl addif br1 eth1.77 wlan0.1 wlan1.1
ifconfig wlan0.1 up
ifconfig wlan1.1 up
ifconfig br1 up

Now that vlan77 is straight, my attention has returned to vlan97. I have taken the PC with the camera software out of that vlan and placed it back in vlan1. Also, I removed the gateway ips from all cameras since they don't need to route traffic outside of their subnet. So now, I need to figure out which firewall commands are going to allow just the management PC to access the cameras. Vlan97 does not have internet access, just lan.

I tried these commands but they are not working:

#Allow Blue Iris PC to connect to cameras in vlan97
iptables -I FORWARD -i eth1.97 -d 192.168.7.180 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i eth1.97 -d 192.168.7.180 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i eth1.97 -d 192.168.7.180 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -i eth1.97 -d 192.168.7.180 -p tcp --dport 443 -j ACCEPT

Edited iptables -vnL output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- eth1.97 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT udp -- eth1.97 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- eth1.97 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 DROP all -- eth1.97 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth1.97 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1.97 * 0.0.0.0/0 192.168.7.180 tcp dpt:443
0 0 ACCEPT tcp -- eth1.97 * 0.0.0.0/0 192.168.7.180 tcp dpt:80
0 0 ACCEPT udp -- eth1.97 * 0.0.0.0/0 192.168.7.180 udp dpt:53
0 0 ACCEPT tcp -- eth1.97 * 0.0.0.0/0 192.168.7.180 tcp dpt:53
18864 9879K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- eth1.97 * 0.0.0.0/0 192.168.7.0/24 state NEW
818 42568 DROP all -- br0 eth1.97 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- eth0 eth1.97 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth1.97 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1.97 * 0.0.0.0/0 0.0.0.0/0 state NEW


Anybody have any suggestions?

Also does vlan97 have to be assigned an ip address if i am not using dhcp in it?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Fri May 07, 2021 16:45
I don't know why the bridges do not work for you.

In the networking tab, there is a switch on each interface with choices "unbridged" and "default (bridged)".


eth1.97 shall be set to unbridged, while eth1.77 shall be default to be bridged to its br1.

Unbridged interfaces must have an ip address while for bridges it's set on the bridge.

The cameras must have a gateway address set in order to reply to the management station on another sub-net.
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Sat May 08, 2021 4:23
Per Yngve Berg wrote:
I don't know why the bridges do not work for you.

In the networking tab, there is a switch on each interface with choices "unbridged" and "default (bridged)".


eth1.97 shall be set to unbridged, while eth1.77 shall be default to be bridged to its br1.

I have this already

Per Yngve Berg wrote:
Unbridged interfaces must have an ip address while for bridges it's set on the bridge.
Ok

Per Yngve Berg wrote:

The cameras must have a gateway address set in order to reply to the management station on another sub-net.

OMG. How embarrassing is it that I forgot routing between subnets requires gateways? My Cisco certification is crying right now.

Well, I added the gateway ips back to the cameras and for a while I was able to see the cameras through the software on the management PC (Yay!) but then I rebooted the router and it stopped working again. Grumble.
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Mon May 10, 2021 7:51
So I've managed to get video on all 4 cameras, but it's random every time the router is rebooted. Sometimes I can only get video from 1 camera and the next time only the other 3. Also, I cannot ping any of the cameras or access their web interfaces from the management PC.

I found the following command and it seems to do the trick, i.e. I can ping, enter the web console and view video from all 4 cameras. The weird intermittent camera behavior is gone. Yay.

iptables -I FORWARD -i br0 -o eth1.97 -j ACCEPT

Unfortunately, everything on br0/vlan1 can now see and access the cameras, which is what I don't want. I want only the management PC to be able to interact with the cameras on vlan97, so I added these commands:

iptables -I FORWARD -s 192.168.7.180 -j ACCEPT
iptables -I FORWARD -j DROP

This did not have the desired effect though. I lost internet access on br0 and nobody could ping anything in vlan97.

What mistake did I make this time?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Mon May 10, 2021 11:32
The iptables rules are in the wrong order. The reject rules come first. When inserting, the last rules come back first.

iptables -I FORWARD -j DROP
iptables -I FORWARD -s 192.168.7.180 -o eth1.97 -j ACCEPT
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Mon May 10, 2021 17:28
Per Yngve Berg wrote:
The iptables rules are in the wrong order. The reject rules come first. When inserting, the last rules come back first.

iptables -I FORWARD -j DROP
iptables -I FORWARD -s 192.168.7.180 -o eth1.97 -j ACCEPT


That DROP command still kills my internet on br0, but the second command is working beautifully!

My entire firewall commands are now just:

#Enables NAT to allow all subnets to reach the internet
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

#Allow Blue Iris PC to connect to cameras in vlan97
iptables -I FORWARD -s 192.168.7.180 -o eth1.97 -j ACCEPT

I am not sure why I even need that first command. Is it so that br1 gets internet too?

Please let me know if I am missing any other essential commands.

And again, thank you so much for your time and attention.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Mon May 10, 2021 17:39
This rule is deprecated:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

Use:

iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE


This rule is not specific. It will also block wan access:

iptables -I FORWARD -j DROP

Add input/output interface:

iptables -I FORWARD -i br0 -o eth1.97 -j DROP
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Mon May 10, 2021 20:56
Ok. All good with these commands:

#Enables NAT to allow all subnets to reach the internet
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE

#Allow only the Blue Iris PC to connect to cameras in vlan97
iptables -I FORWARD -i br0 -o eth1.97 -j DROP
iptables -I FORWARD -s 192.168.7.180 -o eth1.97 -j ACCEPT

I guess we can "mothball" this thread finally. I may do an IoT vlan in the future, but I'll do a new thread if I need any assistance with that.

Thanks again to all who offered their help.
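As an added illustration (not code from the thread or from DD-WRT), here is a small Python model of a FORWARD chain that reproduces the `iptables -I` ordering discussed above: the first attempt, Per Yngve Berg's reordered pair, and the final ruleset are each built by inserting at the top, and the model gives the verdict for the management PC, for another br0 host, and for LAN-to-WAN traffic. The second LAN host 192.168.7.50 and eth0 as the WAN interface are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Rule:
    target: str                  # ACCEPT or DROP
    in_if: Optional[str] = None  # -i (None matches any interface)
    out_if: Optional[str] = None # -o
    src: Optional[str] = None    # -s

@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:
        self.rules.insert(0, rule)  # iptables -I: new rule lands at the top

    def verdict(self, in_if: str, out_if: str, src: str) -> str:
        for r in self.rules:  # first matching rule wins, else chain policy
            if r.in_if in (None, in_if) and r.out_if in (None, out_if) \
                    and r.src in (None, src):
                return r.target
        return self.policy

MGMT_PC = "192.168.7.180"  # Blue Iris PC address from the thread
def first_attempt() -> Chain:  # ACCEPT -s, then -I DROP lands above it
    c = Chain()
    c.insert(Rule("ACCEPT", src=MGMT_PC))
    c.insert(Rule("DROP"))
    return c
def reordered() -> Chain:  # DROP first, ACCEPT on top: still no WAN access
    c = Chain()
    c.insert(Rule("DROP"))
    c.insert(Rule("ACCEPT", src=MGMT_PC, out_if="eth1.97"))
    return c
def final_ruleset() -> Chain:  # DROP qualified with -i br0 -o eth1.97
    c = Chain()
    c.insert(Rule("DROP", in_if="br0", out_if="eth1.97"))
    c.insert(Rule("ACCEPT", src=MGMT_PC, out_if="eth1.97"))
    return c

# Constructed flows: (in interface, out interface, source); eth0 assumed WAN
FLOWS = {
    "mgmt_to_cam": ("br0", "eth1.97", MGMT_PC),
    "other_to_cam": ("br0", "eth1.97", "192.168.7.50"),
    "lan_to_wan": ("br0", "eth0", "192.168.7.50"),
}
def verdicts(chain: Chain) -> dict:
    return {name: chain.verdict(*flow) for name, flow in FLOWS.items()}
```

The model ignores the RELATED,ESTABLISHED rule and the other chains, so it only shows why the unqualified DROP blocks WAN traffic and why the final pair does not.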