VLAN Detached Networks on R9000

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Mon May 09, 2022 13:51
The community at large thanks you for combining every bit of useful information discussed in this thread into one single document so that folks who couldn't read through all the confusion can successfully tackle this beast.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Sponsor
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon May 09, 2022 13:55
Big thanks, DWCruiser... I guess I was the first to download it :P :P I had a brief look at it; looking forward to playing with the R9000 as soon as possible...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Tue May 10, 2022 5:30
kernel-panic69 wrote:
The community at large thanks you for combining every bit of useful information discussed in this thread into one single document so that folks who couldn't read through all the confusion can successfully tackle this beast.


Coming from a man known for being thrifty with words (if i am not mistaken), i feel it's a great compliment.

I experienced everything i wrote in that document.

Thanks again for your kind words.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Tue May 10, 2022 5:31
Alozaros wrote:
Big thanks, DWCruiser... I guess I was the first to download it :P :P I had a brief look at it; looking forward to playing with the R9000 as soon as possible...


No probs at all.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Mon Jun 20, 2022 21:34
My 'Taming the Recalcitrant Netgear R9000 for VLANing' article is updated for DD-WRT v3.0-r49212 std (06/16/22).

Summary:

LAN ports 1 & 2 are assigned VLAN8 ---> br8
LAN port 3 -- VLAN10 ---> br10
LAN port 4 -- VLAN12 ---> br12
LAN port 5 (internally conjoined to WAN port; left as is)
LAN port 6 -- VLAN14 ---> br14

wlan0.1 --->brGuests
wlan1.1 --->brIoT

The last two bridges were used for vAPs as i found that they work 'nicely' together with the rest. As you know, the R9000 is not a normal wireless router to start with.

The article is a 5-page long doc. to be displayed normally as a post. So you need to sign in to view it on page 5 of this thread.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.


Last edited by DWCruiser on Wed Sep 14, 2022 22:45; edited 2 times in total
edgerouter4
DD-WRT Novice


Joined: 30 Aug 2022
Posts: 5

Posted: Thu Sep 01, 2022 11:20    Post subject: It freezes when I enable_vlan 1
DWCruiser. Thanks for the guide, but I am having issues.

When I create VLAN interfaces in the Switch tab, as soon as I click Apply Settings my router freezes and never comes back; I have to reset it. The same happens when I execute swconfig dev switch0/1 set enable_vlan 1. When I set apply, it freezes and I have to reset to factory defaults as well.

What am I doing wrong? Using the latest DD-WRT release from 8/31/22

TIA
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Thu Sep 01, 2022 21:47    Post subject: Re: It freezes when I enable_vlan 1
edgerouter4 wrote:
... Thanks for the guide, but I am having issues.

When I create VLAN interfaces in the Switch tab, as soon as I click Apply Settings my router freezes and never comes back; I have to reset it. .....
TIA


In the guide, i do not use the Switch Config (under Setup) to configure VLANS at all. Certainly not for the R9000.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
edgerouter4
DD-WRT Novice


Joined: 30 Aug 2022
Posts: 5

Posted: Fri Sep 02, 2022 0:49
You are right! I didn't read thru to be honest, following your instructions after fully reading, it WORKED! thanks DWCruiser!

This is my configuration, I did change it to have Physical port 1, VLAN20 tagged and Untag traffic, bridging Wifi 2.4Ghz with VLAN20 and 5Ghz Traffic untag, which is tagged by my switch with VLAN10.

Thanks again

sleep 4
# Setup VLANS
# Switch0 Config
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "0t 1 2 4t 6t"
swconfig dev switch0 vlan 2 set ports "3 5t"
swconfig dev switch0 vlan 20 set ports "0t 2t 4t 6t"

swconfig dev switch0 set apply
# Switch1 Config
swconfig dev switch1 set enable_vlan 1
swconfig dev switch1 vlan 1 set ports "0t 2 3 4 5t"
swconfig dev switch1 vlan 20 set ports "0t 5t"

swconfig dev switch1 set apply
# Adding vlan links
vconfig add eth1 20

# Give vlans a kick into life
ifconfig vlan20 up

# Bridging vlans for connection in the recalcitrant R9000
brctl addif br20 vlan20

# Adding 2.4Ghz to VLAN 20
brctl delif br0 wlan1
brctl addif br20 wlan1
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Fri Sep 02, 2022 21:41
I am glad that you got VLANS working on your R9000 using the guide i wrote earlier.

Have a good day.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
tdx79
DD-WRT Novice


Joined: 17 Dec 2017
Posts: 20

Posted: Tue Sep 13, 2022 17:41
DWCruiser wrote:
I am glad that you got VLANS working on your R9000 using the guide i wrote earlier.

Have a good day.


Hi.
I'm still trying to make the eth0 (SFP+) working with VLANs and R9000. Would you gently help me to configure it?

For some reason, following your guide I managed to get the S1-Port2 (in your guide you wrote that it is "aligned to # 5 (conjoined with WAN port)") working with SFP+: ip address, subnet mask, gateway and dns of a pc connected to this port is being retrieved via DHCP from pfSense and got internet working. On the other ports, none of the settings from above are being retrieved via DHCP (enabling R9000 DHCP for the related bridge in "networking" tab provides wrong gateway and dns to pc).
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Tue Sep 13, 2022 23:25
tdx79 wrote:

For some reason, following your guide I managed to get the S1-Port2 (in your guide you wrote that it is "aligned to # 5 (conjoined with WAN port)") working with SFP+: ip address, subnet mask, gateway and dns of a pc connected to this port is being retrieved via DHCP from pfSense and got internet working. On the other ports, none of the settings from above are being retrieved via DHCP (enabling R9000 DHCP for the related bridge in "networking" tab provides wrong gateway and dns to pc).


Hi,

I noticed your post of January 3rd and recalled that it somehow steered me towards using bridges to avoid the potential conflicts of R9000's VLANs. So i should thank you. I did not get my (freebie) R9000 till May. So you're ahead of me there. We all stand on the shoulders of giants.

I have not yet used the R9000's SFP+. But the thought of using it, in conjunction with my yet-to-arrive MikroTik RB4011iGS, excites me lately. My reply here is, therefore, simply a logical extension of my current understanding. Not kinda beta-tested. Please keep in mind.

_______________
To your question.

Sorry if my assumption is incorrect. But i'd stay away from using a mixture of 'switch config' GUI and CLI in setting up VLANs for reasons best explained by eibgrad. See (*) below.

If you have not used 'switch config' GUI at all, please post your 'Startup' here and also an image of the 'Current Bridging Table' section (under Setup/Networking tabs).

Cheers

________________________
P.S.
Quote eibgrad:-------
'I'll tell you what I tell everyone about VLANs w/ dd-wrt.

VLANs are hardware dependent, and as such, questions need to be asked in the relevant forum for your router's chipset (TP-Link is typically Qualcomm/Atheros). Each chipset has its own way of handling it. For example, in the case of Atheros (iirc), it uses its own switch utility called swconfig.

That's why VLAN (re)configuration rarely works using the GUI. It was originally designed for Broadcom routers, specifically the now ancient Linksys WRT54G series. As other brands w/ other chipsets got support from dd-wrt, little to no effort was made to keep the VLANs portion of the GUI compatible. It just fell by the wayside. And that's why nearly all VLAN support requires scripting and the CLI.

In short, it's NOT a pretty picture for anyone needing VLAN support and expecting to have it work w/ the GUI. And it's why many of us in tech support don't get involved in it (particularly in this forum). Even if we wanted to, it would likely mean needing access to the exact same hardware as you to diagnose any problems. And why it's best you address your issues in the relevant forum, where the likelihood of that happening is much greater.


---End quote

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=328489&postdays=0&postorder=asc&start=0

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
tdx79
DD-WRT Novice


Joined: 17 Dec 2017
Posts: 20

Posted: Wed Sep 14, 2022 4:22
DWCruiser wrote:
tdx79 wrote:

For some reason, following your guide I managed to get the S1-Port2 (in your guide you wrote that it is "aligned to # 5 (conjoined with WAN port)") working with SFP+: ip address, subnet mask, gateway and dns of a pc connected to this port is being retrieved via DHCP from pfSense and got internet working. On the other ports, none of the settings from above are being retrieved via DHCP (enabling R9000 DHCP for the related bridge in "networking" tab provides wrong gateway and dns to pc).


Hi,

I noticed your post of January 3rd and recalled that it somehow steered me towards using bridges to avoid the potential conflicts of R9000's VLANs. So i should thank you. I did not get my (freebie) R9000 till May. So you're ahead of me there. We all stand on the shoulders of giants.

I have not yet used the R9000's SFP+. But the thought of using it, in conjunction with my yet-to-arrive MikroTik RB4011iGS, excites me lately. My reply here is, therefore, simply a logical extension of my current understanding. Not kinda beta-tested. Please keep in mind.

_______________
To your question.

Sorry if my assumption is incorrect. But i'd stay away from using a mixture of 'switch config' GUI and CLI in setting up VLANs for reasons best explained by eibgrad. See (*) below.

If you have not used 'switch config' GUI at all, please post your 'Startup' here and also an image of the 'Current Bridging Table' section (under Setup/Networking tabs).

Cheers

________________________
P.S.
Quote eibgrad:-------
'I'll tell you what I tell everyone about VLANs w/ dd-wrt.

VLANs are hardware dependent, and as such, questions need to be asked in the relevant forum for your router's chipset (TP-Link is typically Qualcomm/Atheros). Each chipset has its own way of handling it. For example, in the case of Atheros (iirc), it uses its own switch utility called swconfig.

That's why VLAN (re)configuration rarely works using the GUI. It was originally designed for Broadcom routers, specifically the now ancient Linksys WRT54G series. As other brands w/ other chipsets got support from dd-wrt, little to no effort was made to keep the VLANs portion of the GUI compatible. It just fell by the wayside. And that's why nearly all VLAN support requires scripting and the CLI.

In short, it's NOT a pretty picture for anyone needing VLAN support and expecting to have it work w/ the GUI. And it's why many of us in tech support don't get involved in it (particularly in this forum). Even if we wanted to, it would likely mean needing access to the exact same hardware as you to diagnose any problems. And why it's best you address your issues in the relevant forum, where the likelihood of that happening is much greater.


---End quote

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=328489&postdays=0&postorder=asc&start=0


Hi.
I appreciate your efforts in trying to help me…and I will also follow your suggestion about looking into the relevant forum for VLANs applied to the R9000. About the GUI, I followed your guide and didn’t use the switch tab at all…so, please find my startup and firewall below (I commented out most of the rules for testing purposes, and I just used 5 6 10 12 vlans instead of 8 10 12 14):

# ------>(Startup section) <---------
sleep 4
# Setup VLANS
# Switch0 Config
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "0t 4t 6t"
swconfig dev switch0 vlan 2 set ports "3 5t"
swconfig dev switch0 vlan 5 set ports "0t 1 2 4t 6t"
swconfig dev switch0 vlan 6 set ports "0t 4t 6t"
swconfig dev switch0 vlan 10 set ports "0t 4t 6t"
swconfig dev switch0 vlan 12 set ports "0t 4t 6t"
swconfig dev switch0 set apply
# Switch1 Config
swconfig dev switch1 set enable_vlan 1
swconfig dev switch1 vlan 1 set ports "0t 2 5t"
swconfig dev switch1 vlan 5 set ports "0t 5t"
swconfig dev switch1 vlan 6 set ports "0t 1 5t"
swconfig dev switch1 vlan 10 set ports "0t 3 5t"
swconfig dev switch1 vlan 12 set ports "0t 4 5t"
swconfig dev switch1 set apply
# Adding vlan links
vconfig add eth1 5
vconfig add eth1 6
vconfig add eth1 10
vconfig add eth1 12
# Give vlans a kick into life
ifconfig vlan5 up
ifconfig vlan6 up
ifconfig vlan10 up
ifconfig vlan12 up

#------>Firewalls<------
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
# Restrict router's mgt web GUI access to 2 specified IPs
#iptables -I INPUT 1 -i br+ -p tcp --dport 443 -j REJECT
#iptables -I INPUT -i br0 -p tcp -s 172.30.110.10 --dport 443 -j ACCEPT
#iptables -I INPUT -i br0 -p tcp -s 172.30.110.15 --dport 443 -j ACCEPT
# Accept traffic from individual VLANs
iptables -I INPUT -i vlan+ -j ACCEPT
# Stop traffic from interVLAN crossing
#iptables -I FORWARD -i vlan8 -o vlan+ -j DROP
#iptables -I FORWARD -i vlan10 -o vlan+ -j DROP
#iptables -I FORWARD -i vlan12 -o vlan+ -j DROP
#iptables -I FORWARD -i vlan14 -o vlan+ -j DROP
#iptables -I FORWARD -i wlan0.1 -o vlan+ -j DROP
#iptables -I FORWARD -i wlan1.1 -o vlan+ -j DROP

It’s curious that the only port accepting dhcp from pfSense is the S1P2 which has no vlan configuration (I left the ports configuration as yours to start with a known working configuration).
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Wed Sep 14, 2022 7:28
I notice that the bridges were missing from your script. So, applying to your case, i'd add the following at the end of (your current) 'Startup'

# ---------------------
# Bridging vlans for connection in recalcitrant R9000
brctl addif br5 vlan5
brctl addif br6 vlan6
brctl addif br10 vlan10
brctl addif br12 vlan12

# ---------------------

Reason: i found that by placing each VLAN on a bridge, specifically in R9000 case, it becomes stable and works nicely with vAPs: WLAN0, WLAN0.1, WLAN1 and WLAN1.1, in the end. (By contrast, i did not need to use bridges in setting up R7800 VLANs at all due to its simpler design than the R9000).

Hence the brctl commands above in R9000.

please note, as VLANs are subsumed by corresponding bridges, you'll need to fill in details for each bridge instead of VLANS (on Networking under Setup tab). In other words, the bridges are taking over the control of the corresponding VLAN interfaces. This is a standard networking protocol, of course.

See attached pic. for example.

I then use the following commands to separate the bridges from one another which was lost due to VLANS being subsumed by bridges.

# block traffic from crossing bridge boundaries
iptables -I FORWARD -i br5 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br6 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br10 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br12 -o br+ -m state --state NEW -j REJECT

(As detailed in V4.1. Now in one spot on page 5)

Lastly, i have no idea of how pfSense fits into your setup so i can't comment on your last point. Perhaps you want to post a simple diagram?

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.


Last edited by DWCruiser on Wed Sep 14, 2022 23:08; edited 1 time in total
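
An added example, not part of DWCruiser's post or guide: a small audit that compares the `brctl addif` lines of a Startup script with the `iptables` lines of a Firewall script and lists every VLAN bridge that has no active inter-bridge block rule of the kind shown above. The function names and the two sample scripts are constructed for illustration; the samples follow the forms posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread's guide): list bridges that carry a VLAN
# but have no active FORWARD rule blocking new connections to other bridges.

# Constructed sample input, modelled on the scripts posted in this thread.
STARTUP_SAMPLE='# Bridging vlans for connection in the recalcitrant R9000
brctl addif br5 vlan5
brctl addif br6 vlan6
brctl addif br10 vlan10
brctl addif br12 vlan12'

FIREWALL_SAMPLE='iptables -I INPUT -i vlan+ -j ACCEPT
#iptables -I FORWARD -i vlan8 -o vlan+ -j DROP
iptables -I FORWARD -i br5 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br10 -o br+ -m state --state NEW -j REJECT'

# Print each bridge that has a vlanN interface attached (comments skipped).
bridged_vlans() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "brctl" && $2 == "addif" && $4 ~ /^vlan[0-9]+$/ { print $3 }
    ' | LC_ALL=C sort -u
}

# Print the input interface of every active FORWARD rule that rejects or
# drops traffic leaving via any bridge (-o br+).
isolated_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || $1 != "iptables" { next }
        {
            chain = in_if = out_if = target = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-I" || $i == "-A") chain = $(i + 1)
                else if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-o") out_if = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (chain == "FORWARD" && out_if == "br+" &&
                (target == "REJECT" || target == "DROP"))
                print in_if
        }
    ' | LC_ALL=C sort -u
}

# Print bridges from the startup script ($1) with no matching rule in the
# firewall script ($2). A rule on "-i br+" counts as covering every bridge.
missing_isolation() {
    covered=$(isolated_ifaces "$2")
    for br in $(bridged_vlans "$1"); do
        printf '%s\n' "$covered" | grep -qxF -e "$br" -e 'br+' ||
            printf '%s\n' "$br"
    done
}

missing_isolation "$STARTUP_SAMPLE" "$FIREWALL_SAMPLE"
```

Commented-out rules and rules written against `vlanN` interfaces are deliberately not counted, since the posts above place the isolation rules on the bridges.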
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Wed Sep 14, 2022 8:53
as the others noted for better control over vlans, you have to add vlans to br, not that they could not exist as vlans, but restriction rules for crossing vlans will not work on a switch level, the only option is to bridge those and then restriction rules will work on bridge/interface layer... ;)

p.s I may have a R9000 but haven't tried to fiddle with vlans yet...
there was a wiki regarding using SFP port as a vlan, do a quick search...
also to note SFP port tends to be very hot... and heat dispersing is the weak point of R9000 design..
there are mentions that the optic SFP version is not that hot but then again it's bound with different hardware than the usual rj-45 connectors which tend to be hot...
there is a thread about heat issues on R9000 probb XR700 too..you will find it in the forum, I'm sure...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
tdx79
DD-WRT Novice


Joined: 17 Dec 2017
Posts: 20

Posted: Thu Sep 15, 2022 6:24
DWCruiser wrote:
I notice that the bridges were missing from your script. So, applying to your case, i'd add the following at the end of (your current) 'Startup'

# ---------------------
# Bridging vlans for connection in recalcitrant R9000
brctl addif br5 vlan5
brctl addif br6 vlan6
brctl addif br10 vlan10
brctl addif br12 vlan12

# ---------------------

Reason: i found that by placing each VLAN on a bridge, specifically in R9000 case, it becomes stable and works nicely with vAPs: WLAN0, WLAN0.1, WLAN1 and WLAN1.1, in the end. (By contrast, i did not need to use bridges in setting up R7800 VLANs at all due to its simpler design than the R9000).

Hence the brctl commands above in R9000.

please note, as VLANs are subsumed by corresponding bridges, you'll need to fill in details for each bridge instead of VLANS (on Networking under Setup tab). In other words, the bridges are taking over the control of the corresponding VLAN interfaces. This is a standard networking protocol, of course.

See attached pic. for example.

I then use the following commands to separate the bridges from one another which was lost due to VLANS being subsumed by bridges.

# block traffic from crossing bridge boundaries
iptables -I FORWARD -i br5 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br6 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br10 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br12 -o br+ -m state --state NEW -j REJECT

(As detailed in V4.1. Now in one spot on page 5)

Lastly, i have no idea of how pfSense fits into your setup so i can't comment on your last point. Perhaps you want to post a simple diagram?


Sorry, I was trying to copy / paste from mobile while in train yesterday... and I forgot the br part:
# Bridging vlans for connection in the recalcitrant R9000
brctl addif br5 vlan5
brctl addif br6 vlan6
brctl addif br10 vlan10
brctl addif br12 vlan12

I will better explain with a diagram the configuration. I just discovered that if I unbridge (from networking tab) the eth0 port (SFP+), I don't get the dhcp from pfSense anymore.