How to setup VLANS on R7000?

DD-WRT Forum Index -> Broadcom SoC based Hardware
mccurly
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 44

PostPosted: Thu Oct 28, 2021 19:37    Post subject: How to setup VLANS on R7000?
Hello everybody.

I am in the process of creating vlans for my home network.

The hardware that I currently own for this task is:

Netgear Nighthawk R7000 (with latest build 47596)

And other routers (Cudy AC2150 and Xiaomi IoT AC2350) that have OpenWrt installed.

I am aware -- from reading other posts/threads -- that there are people here who were able to setup vlans on their R7000.

I am posting here to call upon any of you who have done it with the latest 'swconfig' builds for Broadcom, asking whether you are able to share your experiences and 'enlighten' my dizzy and ashamed 'ignorance'.

Thank you

_________________
Villager of the Globe we all live in.

Used dd-wrt on:

ARCHER C9 - V.4 (EU)

(In a lingering "resurrection" state, will it revive? Stay tuned folks... Wink )

And

NETGEAR R7000



Cheers to fellow villagers!
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14221
Location: Texas, USA

PostPosted: Thu Oct 28, 2021 20:02    Post subject:
The webUI is "supposed to work" regarding configuring VLANs. I have not reviewed or tested this myself. I am still embarrassed that everyone took a note in the switched ports wiki as "the sky is falling" before the dust settled and the swconfig implementation was fully completed to its present point.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

PostPosted: Thu Oct 28, 2021 20:42    Post subject:
Here is one of my guides on how to use the GUI for VLANs on the R7000.

On my R7000 I set up this VLAN, as I did in the past, all via the GUI, and it is working...

1. Log in to your router, then go to Setup > Switch Config > create a VLAN: tick the VLAN 3 box on any port you want to remove from VLAN 1 (there must be 4 ports up on VLAN1); on the very right side (assigned to bridge) leave it at none... Save & Apply (bear in mind VLAN2 is your WAN port and should not be used)
2. Reboot
3. Setup > Networking: create a br1, Save & Apply, reboot
4. Setup > Networking > Assign to Bridge: br1, vlan3, Save & Apply
5. Leave vlan3 at default, find br1, enable NAT, Filter WAN NAT and Net Isolation, and give it an IP; use a /24 mask, as the other masks are not working with the VLAN setup yet, at least I tried a few to no avail, but this was in the past and I haven't tried again on the recent builds. You can also give it a specific DNS or not, and it will use the default DNS from your general setup or from DNSMasq
6. Create a DHCPD for br1 and reboot
7. Add to the firewall script:

# replace 192.168.1.3 with your VLAN IP
iptables -t nat -A POSTROUTING -s 192.168.1.3/24 -o $(get_wanface) -j MASQUERADE
# kill switch for the new VLAN, only if you have VPN
#iptables -I FORWARD -i br1 -o $(get_wanface) -m state --state NEW -j REJECT
# to cut off GUI access on this bridge
#iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT
#iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT
# this is a mandatory firewall rule
iptables -A INPUT -i br1 -p udp --dport 502 -j DROP
# these 2 prevent communication between the bridges
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT

Uncomment the ones with # if you need their functionality.
Once again, I did it all via the GUI; no startup script was used (as I normally do with Atheros routers)..
You can repeat the steps for more ports/VLANs; the idea is the same.

I hope it helps...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Fri Oct 29, 2021 14:37; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14221
Location: Texas, USA

PostPosted: Thu Oct 28, 2021 21:40    Post subject:
Alozaros wrote:
#iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT - to cut off GUI access on this bridge
#iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT - to cut off GUI access on this bridge

You need to specify destination IP here, otherwise, you may cut off http and https access to the Internet, methinks. Adding packet state is probably also a good idea. The other problem here is that if you do this on br0, you block access to the webUI from wired clients. Without a specific rule to accept from a specific MAC/IP address, you lock yourself out. This is why ebtables is much better to specify wireless interfaces as I have already noted in the past.

http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html

https://www.cyberciti.biz/tips/linux-iptables-11-how-to-block-or-open-httpweb-service.html

If I am in error on Internet blocking, please provide a screen record of successful internet surfing from br1.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

PostPosted: Fri Oct 29, 2021 9:54    Post subject:
kernel-panic69 wrote:
Alozaros wrote:
#iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT - to cut off GUI access on this bridge
#iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT - to cut off GUI access on this bridge

You need to specify destination IP here, otherwise, you may cut off http and https access to the Internet, methinks. Adding packet state is probably also a good idea. The other problem here is that if you do this on br0, you block access to the webUI from wired clients. Without a specific rule to accept from a specific MAC/IP address, you lock yourself out. This is why ebtables is much better to specify wireless interfaces as I have already noted in the past.

http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html

https://www.cyberciti.biz/tips/linux-iptables-11-how-to-block-or-open-httpweb-service.html

If I am in error on Internet blocking, please provide a screen record of successful internet surfing from br1.


Hmmm, feels like deja vu...
KP-69, if you remember, we had the same conversation on the same subject back in the day, where you were proclaiming the use of ebtables instead... and you ended up at the conclusion that this is working too...

To cut off the GUI if you use https:

iptables -I INPUT -i br0 -p tcp --dport 443 -j REJECT

To gain access to the GUI via either a specific IP or MAC address:

iptables -I INPUT -i br0 -p tcp -s 192.168.1.101 --dport 443 -j ACCEPT
or
iptables -I INPUT -i br0 -p tcp --dport 443 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

Those have been working ever since...


To make it more robust you can even change the microserver port via the CLI:

nvram set https_lanport=8583   # or whatever port you want
nvram commit
reboot

Then access your router via
https://routeripaddress:8583

and change the iptables rules above to the port you've selected...

On a static IP or dynamic ISP I've had those rules for many years without breaking anything, apart from this: if your DSL modem ahead is PPPoE and is using port 80, then it cuts off, so you need to change the microserver port to something else..

My personal approach is a bit different: I cut off the GUI, and then the only way to gain access is to log in via SSH with key-based login only (even the key is password protected), and to activate the GUI I add any of the permitting rules above...

Bear in mind one of my R7800s is in student accommodation where students are very "krafty".

kernel-panic69 wrote:
If I am in error on Internet blocking, please provide a screen record of successful internet surfing from br1.


I don't have to, I'm typing to you right now from a WiFi-connected PC on br0 on my 1043v2, where I have the same rules on my router... and I have a VLAN on br1 too:

iptables -I INPUT -i br0 -p tcp --dport 443 -j REJECT
iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT


mccurly
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 44

PostPosted: Fri Oct 29, 2021 13:53    Post subject:
Hi @Alozaros and @kernel-panic69 (and fellow members of DD-WRT community)...

I've just seen the answers you've provided and am about to execute them.

I have a 'feeling' that my 'shame' is about to turn into the opposite state because of your help and knowledge. (Although the shame was indeed on myself, and never upon you)...

The @Alozaros post might get into the stickies series (that's a hunch of mine...)

Stay tuned! (Be back soon for the confirmation)

Meanwhile, very much obliged, for your contributions!

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14221
Location: Texas, USA

PostPosted: Fri Oct 29, 2021 14:36    Post subject:
Alozaros wrote:
hmmm feels like deja-vu Embarassed ...
KP-69 if you remember we had a same conversation on the same subject, back in the days, where you ware proclaiming the use of ebtables instead...and you ended up to the conclusion this is working too...


I never tested it or came to that conclusion, and "back in the days" was August of this year.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330081

Also, it was @eibgrad that confirmed that they would work (and who also agreed with my approach). I never said 100% that I concluded that they would work, nor do I employ that solution for the simple fact that I still need wired access to the devices I have deployed. I said that I didn't consider using the br0 interface and the ebtables solution I gave was generic. When you're providing public wifi access for many small businesses and venues in 5-7 counties, you need something that is a no-nonsense solution and do not have time to muck around. Also, if you are talking about "way back in the day"...

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=315756

https://svn.dd-wrt.com//ticket/3544

There may be another thread discussing this that I am not finding, though. Please feel free to use *your* time to find and link it to refresh my memory Cool

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

PostPosted: Fri Oct 29, 2021 15:12    Post subject:
I won't play a dog fight, as I'm not insisting on anything; sharing, yes... but nothing else...
Bear in mind the OP was asking for VLANs on the R7000 and you deviated to a totally different subject, limiting just WiFi via ebtables... how this is related to the subject, you tell me...


eibgrad wrote:
@Alozaros, those iptables rules will work, but that's not addressing the issue of denying strictly wireless from the GUI.

As someone who doesn't find this feature all that compelling anyway, seems to me @kernel-panic's solution based on ebtables makes more sense. To the extent anyone believes that wireless represents a bigger threat than wired, then why limit yourself to just the GUI?! Might as well include ssh, telnet, and whatever else is potentially accessible. Otherwise, use @Alozaros's approach based on iptables.

JMTC


Not wasting more time atm, no time for searching and proving anything...

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14221
Location: Texas, USA

PostPosted: Fri Oct 29, 2021 15:36    Post subject:
None of this had to do with the OP, either - and you're the one who introduced the deviation, lol. Which is what I was commenting on. Not picking a fight... Rolling Eyes You seem to think that it's all about arguing with you. Flawed perception, sir. As Fez so eloquently chides, "I said good day!"...

Alozaros wrote:
....
3. Setup > Networking: create a br1, Save & Apply, reboot
4. Setup > Networking > Assign to Bridge: br1, vlan3, Save & Apply
5. Leave vlan3 at default, find br1, enable NAT, Filter WAN NAT and Net Isolation, and give it an IP; use a /24 mask, as the other masks are not working with the VLAN setup yet, at least I tried a few to no avail, but this was in the past and I haven't tried again on the recent builds. You can also give it a specific DNS or not, and it will use the default DNS from your general setup or from DNSMasq
6. Create a DHCPD for br1 and reboot
7. Add to the firewall script:

# replace 192.168.1.3 with your VLAN IP
iptables -t nat -A POSTROUTING -s 192.168.1.3/24 -o $(get_wanface) -j MASQUERADE
# kill switch for the new VLAN, only if you have VPN
#iptables -I FORWARD -i br1 -o $(get_wanface) -m state --state NEW -j REJECT
# to cut off GUI access on this bridge
#iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT
#iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT
# this is a mandatory firewall rule
iptables -A INPUT -i br1 -p udp --dport 502 -j DROP
# these 2 prevent communication between the bridges
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT

Uncomment the ones with # if you need their functionality.
Once again, I did it all via the GUI; no startup script was used (as I normally do with Atheros routers)..
You can repeat the steps for more ports/VLANs; the idea is the same.

I hope it helps...


PS: I am sure you're aware of your overkill.

https://routersecurity.org/vlan.php

https://www.practicalnetworking.net/stand-alone/routing-between-vlans/

https://www.packetmischief.ca/2011/11/29/an-introduction-to-layer-3-traffic-isolation/

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329403

mccurly
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 44

PostPosted: Fri Oct 29, 2021 19:06    Post subject:
Hello (DD-WRT) World!


I am happy to announce that it's working!

Thank you very much to @Alozaros and to @kernel-panic69!


I think that the main reason why I did not manage to make VLANs work was the lack of a straightforward procedure like the one @Alozaros shared.

( And that is mainly because I am a very impatient person Embarassed ) (And even more so because I get distracted easily with different references for different scenarios that come along with generic approaches like the ones that are in the wiki).

Maybe I should revise my whole way of interpreting things...


So I picked up the guide from @Alozaros and followed it almost entirely to the letter.

I immediately had success in getting a VLAN. I was missing the part about adding a VAP (where things were getting complicated). Luckily (yeah) there's the wiki, which may indeed assist with particular scenarios or with troubleshooting glitches like the one I was facing with the VAP.

There, (at the Wiki page devoted to the Guest wireless setup), I 'picked' the parts referring to the firewall configuration to isolate the network traffic from the bridge where the VAP would sit, as well as the startup commands to bring up the interfaces where the wireless radios would 'sit' upon.

That pretty much wraps it up!

Now I'll be moving on:

1. To the creation of the third (V)LAN!

(remember: I had one 'physical' LAN already, I have just added the IoT VLAN, and now I will move on to adding a third (V)LAN for the guests).


2. And finally to distribute these (V)LANs to the subsidiary (OpenWrt) devices that I own.


Thank you for your time and assistance @Alozaros @kernel-panic69 and to all!

(See you soon)

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14221
Location: Texas, USA

PostPosted: Fri Oct 29, 2021 21:21    Post subject:
Awesome news, sorry for the tangent. I just got done following the procedure on one of my test devices and without the added iptables / ebtables rules, I can't seem to get br1 or vlan3 to connect to the router's IP address (without a static route). This is part of the reason why I interjected.

Also, there is *already* a wiki and sticky about this topic, and probably many similar threads throughout the forum. Don't need to sticky this one or add to the references thread sticky...
mccurly wrote:
The @Alozaros post, might get into the the stickies series, (that's a hunch of mine...)

mccurly
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 44

PostPosted: Tue Nov 02, 2021 11:02    Post subject:
kernel-panic69 wrote:
Awesome news, sorry for the tangent. I just got done following the procedure on one of my test devices and without the added iptables / ebtables rules, I can't seem to get br1 or vlan3 to connect to the router's IP address (without a static route). This is part of the reason why I interjected.



Hi. Ok. But tell me, with that static route, are you able to control the undesirable traffic to your main VLAN?


I know there's a wiki for it. And the wiki should not be specific as it is a sort of rule of thumb for as many models as it can.

I even followed it for the firewall part of the guide/advice that Alozaros gently shared.

That was the (my) OP's purpose.

I guess that what I did differently from what's in the wiki was a procedure, as in a sequence of steps, and in most of them carrying out the advised reboots (which are steps that the wiki overlooks, maybe because different hardware reacts... differently).

By the way, are you aware that the managed switch settings (at least on my R7000, and I suspect that the same happened with my defunct Archer C9 EU V.4) aren't all being reset by the web interface's "FACTORY RESET" button/option? Who knows why I was observing these "oddities"? And that leads me to another "tangent", if you will... Are there any means to check the firmware images downloaded? I confess that I haven't searched much on this subject. But wouldn't that make sense? One other thing that I might have overlooked, and that might have cost me the (beginning of a series of mishaps that culminated in the) "departure" of the now defunct Archer that I mentioned above: are "webflash" named images solely intended for flashing from the router's web interface, or can they be installed from its CLI as well? If so, can that CLI flashing be followed by a reset instruction? If so, which one? "erase nvram", "nvram erase"...?

So I digress... I am sorry for this digression, but actually it is one of the reasons why I felt so uncomfortable with the wiki pages: they seem a patchwork sort of approach. They lack a common structure. This diversity of contributions, which may sometimes be contradictory, makes me uneasy about what's stated in there. The wiki spawns many references to the subject it is dealing with. It does so without assuring you, the reader, that you will carry out the mission that brought you there in a timely fashion.

Have you read other wikis (for instance Arch Linux's, or your competitor OpenWrt's)?

I am citing them because I think of them as good examples.

But hey, nonetheless, I thank you for having honored me with your time and effort.

I hope that you, kernel-panic69, would take this post of mine and regard it as being useful somehow.

But that is actually your call. Only you can tell.

Either way, thank you for all your assistance and concern.

Cheers.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14221
Location: Texas, USA

PostPosted: Tue Nov 02, 2021 15:24    Post subject:
You shouldn't need those firewall rules. A new bridge / vlan shouldn't be able to talk to the other bridge / vlan. If it can, especially with net isolation set, then there is a problem.
mccurly
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 44

PostPosted: Wed Nov 03, 2021 15:27    Post subject:
kernel-panic69 wrote:
You shouldn't need those firewall rules. A new bridge / vlan shouldn't be able to talk to the other bridge / vlan. If it can, especially with net isolation set, then there is a problem.


Ok thank you for your pointer.

Is there a reference to defining routes on the VLAN wiki page?

If it is mandatory then, it should, but when I've consulted it I didn't see that requisite.

And I confess that routes are concepts that I have to learn about a lot more.


But I am willing to improve on that flaw of mine.

Again thank you for your assistance @kernel-panic69.

Cheers.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

PostPosted: Wed Nov 03, 2021 16:16    Post subject:
As KP69 suggests, bridges with net isolation must not be able to communicate with each other; you can then check whether default rules for them were created once they exist, with cat /tmp/.ipt. If no such rules are present, create your own...
Even if you create your own and they are not needed, it does no harm at all... just a bit of wasted space...

For example, in my cat /tmp/.ipt output I have

-A FORWARD -i br0 -o br1 -m state --state NEW -j logdrop

but I don't have
-A FORWARD -i br1 -o br0 -m state --state NEW -j logdrop

so I need to create it manually:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT

Or, if I'm not wrong, you can have one general rule banning any br-to-br communication:
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j REJECT

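The following is an added example and is not code from this thread or from the DD-WRT project. It ties together Alozaros's step 7 firewall script (the guest bridge, NAT and the two FORWARD isolation rules) and the later advice to inspect cat /tmp/.ipt for a missing direction. The function names build_guest_rules, gui_lockdown_rules and check_isolation are my own; the sample dumps are constructed, modelled on the lines quoted above, and the audit assumes /tmp/.ipt uses the "-A CHAIN ..." iptables-save line format shown in the thread. Nothing here executes iptables: the builders print the lines you would paste into the firewall script, and the checker reads a dump as text, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers around the bridge-isolation
# rules discussed above: build_guest_rules and gui_lockdown_rules print the
# firewall-script lines (they never call iptables); check_isolation audits an
# iptables-save style dump such as DD-WRT's /tmp/.ipt (assumed to use the
# "-A CHAIN ..." format quoted in the thread) for one-way-only isolation.

# Print the firewall-script lines for a guest bridge.
#   $1 guest bridge (e.g. br1)   $2 guest subnet (e.g. 192.168.3.0/24)
#   $3 LAN bridge (e.g. br0)
# $(get_wanface) is DD-WRT's own helper; it is printed escaped so that it is
# evaluated on the router when the firewall script runs, not here.
build_guest_rules() {
  guest=$1; subnet=$2; lan=$3
  echo "iptables -t nat -A POSTROUTING -s $subnet -o \$(get_wanface) -j MASQUERADE"
  # Isolation needs BOTH directions: a NEW connection from either bridge is
  # refused, while replies to already established connections still pass.
  echo "iptables -I FORWARD -i $guest -o $lan -m state --state NEW -j REJECT"
  echo "iptables -I FORWARD -i $lan -o $guest -m state --state NEW -j REJECT"
  # INPUT matches only packets addressed to the router itself, so this hides
  # the web UI from the guest bridge without touching forwarded web traffic.
  echo "iptables -I INPUT -i $guest -p tcp --dport 80 -j REJECT"
  echo "iptables -I INPUT -i $guest -p tcp --dport 443 -j REJECT"
}

# Print the GUI lockdown lines: REJECT for the whole bridge plus an exception
# for one admin host. Both use -I (insert at the top of the chain), so the
# exception is emitted AFTER the REJECT so that it lands above it.
#   $1 bridge   $2 admin IP   $3 HTTPS port (https_lanport; default 443)
gui_lockdown_rules() {
  bridge=$1; admin=$2; port=${3:-443}
  echo "iptables -I INPUT -i $bridge -p tcp --dport $port -j REJECT"
  echo "iptables -I INPUT -i $bridge -p tcp -s $admin --dport $port -j ACCEPT"
}

# Audit a rules dump for isolation between two bridges.
#   $1 dump text   $2, $3 bridge names
# Prints each direction lacking a FORWARD rule that DROPs/REJECTs/logdrops NEW
# connections and returns 1; returns 0 when both directions are covered.
# A "br+" wildcard rule counts for both directions.
check_isolation() {
  dump=$1; a=$2; b=$3; status=0
  for dir in "$a $b" "$b $a"; do
    set -- $dir
    pattern="^-A FORWARD -i ($1|br[+]) -o ($2|br[+]) .*(--state|--ctstate) NEW.*-j (DROP|REJECT|logdrop)"
    if ! printf '%s\n' "$dump" | grep -Eq "$pattern"; then
      echo "missing: $1 -> $2"
      status=1
    fi
  done
  return $status
}

# Constructed sample dumps (not real router output), modelled on the lines
# quoted in the thread: the first one covers only the br0 -> br1 direction.
ONE_WAY_DUMP='-A INPUT -i br1 -p udp -m udp --dport 502 -j DROP
-A FORWARD -i br0 -o br1 -m state --state NEW -j logdrop
-A FORWARD -i br0 -o eth0 -j ACCEPT'

WILDCARD_DUMP='-A FORWARD -i br+ -o br+ -m state --state NEW -j REJECT
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# Stand-alone run: print the script lines, then audit both dumps. On the
# router itself the dump argument would be "$(cat /tmp/.ipt)".
build_guest_rules br1 192.168.3.0/24 br0
gui_lockdown_rules br0 192.168.1.101 8583
check_isolation "$ONE_WAY_DUMP" br0 br1 || echo "add the printed direction(s) to the firewall script"
check_isolation "$WILDCARD_DUMP" br0 br1 && echo "wildcard dump: both directions covered"
```

Run against a real dump, the checker reports exactly the gap Alozaros describes (br0 -> br1 present, br1 -> br0 absent), which is what to add to the firewall script. The wildcard br+ rule satisfies the audit for every bridge pair, but it also matches any frame whose ingress and egress bridge are the same on builds where bridged traffic passes through iptables, so verify that intra-bridge traffic still flows after adding it. When appending rules from a script that may run more than once, `iptables -C` with the same arguments tests whether the rule is already present so it is not duplicated.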