Having fun with WAP, VAP, VLAN and OpenVPN client

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Dec 20, 2019 13:15    Post subject: Having fun with WAP, VAP, VLAN and OpenVPN client
This one is for the holidays if you are bored.

I have written down a setup I recently made with two routers, one set up as a WAP, with a combined VLAN between the routers, VAPs on that VLAN and an OpenVPN client on the WAP using DNSMasq for policy-based routing.

A nice showcase of what is possible.

I am no VLAN expert, so I cannot answer your questions about VLANs.

Just use the wiki, it is all there:
https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports



Attachment: DDWRT Having Fun with VAPs, WAPs, VLANs, Bridges and OpenVPN client.pdf (473.59 KB)
Description: Have fun


_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
jtbr
DD-WRT User


Joined: 09 Mar 2017
Posts: 100

PostPosted: Wed Jan 15, 2020 11:31
Thank you for this. With your help I now have a very similar setup working, with a WAP and 4 VAPs on both routers, connected using a VLAN trunk. I'm also using OpenVPN, but in my case on router 1 (connected to the WAN) in my configuration, also successfully. This means I have no need for the firewall on router 2.

I would not have thought to use the .2 address in the bridges. Also insightful.

Thanks again
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jan 15, 2020 12:04
You are welcome, it was fun setting it up and so I shared it with the community in the hope it would help and inspire my fellow DDWRT users.
tinkeruntilitworks
Guest





PostPosted: Wed Jan 15, 2020 12:46
I'm subscribing to this thread so I can check this out later.

Thanks for posting.

I haven't tried anything like this before.
mache
DD-WRT User


Joined: 11 Apr 2010
Posts: 311
Location: San Francisco Bay Area

PostPosted: Wed Jan 15, 2020 17:21
I did something similar 5.5 years ago. Here is the link: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=907313#907313
SimonB27
DD-WRT Novice


Joined: 30 Dec 2021
Posts: 1

PostPosted: Mon Jun 20, 2022 13:06
mache wrote:
I did something similar 5.5 years ago. Here is the link: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=907313#907313


And that post is still really valuable now, seven years later. I had my guest wifi and home wifi operating through my main router and two separate access points elsewhere in the house, which needed VLANs to pull off. It all worked for ages and then I replaced some hardware and forgot how to do it!!!

Your post is still the go-to reference work.

Thanks
mache
DD-WRT User


Joined: 11 Apr 2010
Posts: 311
Location: San Francisco Bay Area

PostPosted: Mon Jun 20, 2022 18:43
Appreciate the shout out.

Thank you.

For my R7000, running DD-WRT v3.0-r46885 std (06/05/21), I updated the configuration with the new VLAN commands:

For my main router, I placed these commands in Administration, Commands, Firewall:

Code:
# enable 802.1Q VLAN handling on the R7000 switch
swconfig dev switch0 set enable_vlan 1
# VLAN 1 (LAN): LAN ports 1-3 untagged, port 4 tagged as the trunk to the WAP, CPU port 5 tagged
swconfig dev switch0 vlan 1 set ports "1 2 3 4t 5t"
# VLAN 2 (WAN): WAN port 0 untagged, CPU port 5
swconfig dev switch0 vlan 2 set ports "0 5"
# VLAN 3: carried only tagged, on the trunk (port 4) and the CPU port; no untagged port on the main router
swconfig dev switch0 vlan 3 set ports "4t 5t"
# commit the pending switch configuration
swconfig dev switch0 set apply

For the WAPs you need to apply these commands in Administration, Commands, Firewall so the VLANs match up to the main router. In this configuration, the WAN Ethernet port receives VLAN1 and VLAN3 tagged network traffic.

Code:
# enable 802.1Q VLAN handling on the WAP's switch
swconfig dev switch0 set enable_vlan 1
# VLAN 1 (LAN): WAN port 0 tagged (the trunk from the main router), LAN ports 1-4 untagged, CPU port 5 tagged
swconfig dev switch0 vlan 1 set ports "0t 1 2 3 4 5t"
# VLAN 2 (WAN): no physical port, CPU only; the WAN port is used as the trunk instead
swconfig dev switch0 vlan 2 set ports "5"
# VLAN 3: tagged on the trunk (port 0) and the CPU port
swconfig dev switch0 vlan 3 set ports "0t 5t"
# commit the pending switch configuration
swconfig dev switch0 set apply
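A consistency check to run before pasting the two port maps above into the Firewall field, written as an added example (it is not part of mache's post or of DD-WRT). It embeds his R7000 maps as posted and assumes what that post implies: the main router trunks on LAN port 4, the WAP trunks on its WAN port 0, and port 5 is the CPU port.

```shell
#!/bin/sh
# Added check for the two R7000 port maps posted above; not part of mache's post.
# Roles from that post: the main router trunks on LAN port 4, the WAP trunks on
# its WAN port 0. Port 5 is assumed to be the CPU port (every posted VLAN has it).
MAIN_TRUNK=4
WAP_TRUNK=0
CPU=5
# Port lists exactly as posted, keyed by VLAN id (1 = LAN, 2 = WAN, 3 = trunked)
main_ports() { case "$1" in 1) echo "1 2 3 4t 5t";; 2) echo "0 5";; 3) echo "4t 5t";; esac; }
wap_ports()  { case "$1" in 1) echo "0t 1 2 3 4 5t";; 2) echo "5";; 3) echo "0t 5t";; esac; }

# Prints how port $2 appears in port list $1: tagged, untagged or absent
port_mode() {
  for p in $1; do
    case "$p" in
      "$2")    echo untagged; return 0;;
      "${2}t") echo tagged;   return 0;;
    esac
  done
  echo absent
}

# A VLAN must look the same at both trunk ends: tagged on both (carried across)
# or absent on both (kept local, as the WAN VLAN 2 is). Untagged on the trunk is
# never right: the far end cannot tell such frames from its own native VLAN.
trunk_consistent() {
  m=$(port_mode "$(main_ports "$1")" "$MAIN_TRUNK")
  w=$(port_mode "$(wap_ports "$1")" "$WAP_TRUNK")
  [ "$m" = "$w" ] && [ "$m" != untagged ]
}

# Every VLAN the router itself must bridge or route needs the CPU port
cpu_present() { [ "$(port_mode "$1" "$CPU")" != absent ]; }

# A physical port may be untagged (its PVID) in at most one VLAN;
# $1 names the map function to check (main_ports or wap_ports)
untagged_once() {
  for port in 0 1 2 3 4; do
    n=0
    for v in 1 2 3; do
      [ "$(port_mode "$("$1" "$v")" "$port")" = untagged ] && n=$((n + 1))
    done
    [ "$n" -le 1 ] || return 1
  done
  return 0
}

for v in 1 2 3; do
  trunk_consistent "$v" && echo "VLAN $v: trunk ok" || echo "VLAN $v: trunk MISMATCH"
done
untagged_once main_ports && untagged_once wap_ports && echo "PVID check: ok"
```

For another router model, replace the three port lists and the trunk/CPU numbers with that model's layout before trusting the result.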
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Mon Jun 20, 2022 20:45
mache wrote:
Appreciate the shout out.

Thank you.

For my R7000, running DD-WRT v3.0-r46885 std (06/05/21), I updated the configuration with the new VLAN commands:

For my main router, I placed these commands in Administration, Commands, Firewall:

Code:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 4t 5t"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 3 set ports "4t 5t"
swconfig dev switch0 set apply

For the WAPs you need to apply these commands in Administration, Commands, Firewall so the VLANs match up to the main router. In this configuration, the WAN Ethernet port receives VLAN1 and VLAN3 tagged network traffic.

Code:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "0t 1 2 3 4 5t"
swconfig dev switch0 vlan 2 set ports "5"
swconfig dev switch0 vlan 3 set ports "0t 5t"
swconfig dev switch0 set apply


just to add for those readers that will follow the thread, different routers have different port layouts...
so those commands are strictly for this router..R7000

also mache, if you prize security you'd better update your old build...it has security holes and unpatched binaries and services...last build so far 49268..

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Tue Nov 28, 2023 12:00    Post subject: Question regarding WAP (VAP) VLAN tagging
egc wrote:
You are welcome, it was fun setting it up and so I shared it with the community in the hope it would help and inspire my fellow DDWRT users.


Hi EGC - I found this post and tried to follow/change it for my current configuration.

What I am trying to do:
I have reconfigured my 2 Netgear R7000 routers to just be APs using an available switch port to connect the two (giving complete wifi coverage). The main/primary AP is connected to a Firewalla Gold router using an available ethernet port on the R7000 AP. Both LAN and primary WL0/1 traffic flows through this ethernet port and is monitored/working properly.

The LAN/WL0/1 internal network address scheme is 192.168.100.1/32 - all working and able to be monitored correctly on Firewalla Gold router console.

I also have a guest network (VAP - wl1.1) - 172.16.1.1/24 configured on the same AP that has its own DHCPd with DNSMasq issued/controlled IP addressing - no issues and am able to access the internet when connected to this VAP (followed an earlier guide you posted for setting up a VAP).

However, no devices are shown in Firewalla monitor control for devices connected on this guest VAP (wl1.1) nor another VAP (wl0.1 - 192.168.1.1/24).

Per this guide/statement from Firewalla, I need to assign a WVLAN (Wireless VLAN tagging) on the wireless traffic I want monitored:

https://help.firewalla.com/hc/en-us/articles/4408644783123#h_01GQGCDQEPH11EGQX2SNPZAF4X

From your guide here https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1185512

VLAN tagging on a VAP is possible but in my case I just need to do the tagging on my main AP (no ddwrt router connected to it).

I am running a newer DDWRT build - Release 49934 (Aug.2022) as well on both Netgear R7000 "AP" devices.


I also tried following these steps for adding/assigning a VLAN tag to my wl1.1 VAP interface (see 55301's post):

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1179192

The end result: none of these methods add a VLAN tag to my VAP client traffic and I am unable to see any VAP wifi clients in the Firewalla Guest network manager. I have a separate ticket open with Firewalla at the moment but they are pointing back at DDWRT. Is what I am trying to do even possible, or do I need a specialized AP (TP-Link Omada etc.) that fully supports 802.1Q VLAN tagging?

Thank you!

J
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Nov 28, 2023 12:21
DDWRT fully supports VLAN tagging via the switch config tab (on recent builds, e.g. 52XXXX and higher), but the problem can be solved more easily.
Do not use the masquerade rule; this rule will give all VAP clients the router's IP address.
Instead set a static route on the firewall to route the VAP's subnet via the IP address of the WAP.

Note that if you do not masquerade, you can have trouble connecting to certain LAN clients from your VAP, as those LAN clients will have their own firewall and will not allow the VAP's subnet by default.
Furthermore, DDWRT routers will only allow internet access for their own subnet, but as you are not using a DDWRT router as main that usually is not a problem; if it is, you should masquerade the VAP's subnet on the main router out via the WAN.

The address of the WAP should be inside the Firewalla's subnet, the netmask should be /24, and local DNS and gateway should point to the main router, i.e. the Firewalla.

Alternatively you can just use VLANs to let everything (e.g. DHCP) be done by the main router, no problem; that is actually what I describe.
Make a trunk port with the necessary VLANs and create one bridge per VLAN, assign the VLAN to the bridge and assign the VAP to the bridge.

Some update information on my repo: https://github.com/egc112/ddwrt/blob/main/DDWRT%20VLANs%2C%20VAPs%20and%20WAPs-8.pdf
