Access to DD-WRT Control Panel across VLANs

Gromitd90
DD-WRT Novice


Joined: 20 Jan 2016
Posts: 40

PostPosted: Tue Aug 02, 2022 17:13    Post subject: Access to DD-WRT Control Panel across VLANs
I have an R7000 running DD-WRT r48646. It is configured as an AP with VAPs and VLANs. It is connected to a router (running Untangle) that provides DHCP Services and the VLANs are also configured there.

The R7000's WAN port is part of the default LAN with a fixed IP address.

Currently there are no rules set explicitly to prevent devices on the VLANs from communicating with each other.

If I associate a device (I've tried with Windows PCs and iPads) with a VAP on the R7000 that is part of, say, VLAN3, should I be able to log in to the DD-WRT control panel by typing in the IP address of the R7000? It doesn't work, but I wanted to know if that was intentional and, if so, where the blocking is taking place.

I've run some packet captures at both the source device (PC) and on the R7000 using tcpdump. The client device sends a TCP SYN packet and the R7000 responds with a SYN ACK packet, so it would appear they are trying to communicate. The only thing I can see in the trace is that the Ack number in the SYN ACK packet, which should be 1, is actually set to what appears to be a random large number. On receipt of this the client sends a RST packet. This process repeats a number of times and eventually things time out. Everything else in the SYN ACK packet looks normal.

Any insights on what is going on would be welcome.

Mike
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Tue Aug 02, 2022 17:25    Post subject:
Are these different subnets? If so they must be told about each other.
_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
Gromitd90
DD-WRT Novice


Joined: 20 Jan 2016
Posts: 40

PostPosted: Tue Aug 02, 2022 17:49    Post subject:
Yes, they are different subnets and they know about each other.
I can ping the R7000 from a device on another VLAN.

From the packet traces I can see that on receipt of the TCP SYN request (which is actually sent via the Untangle router) the R7000 issues an ARP request for the client IP address and gets the correct MAC address in response. The SYN ACK packet is addressed directly to the MAC address of the client.

Logging into the R7000 via ssh, I can run an arp -a command while the client is attempting to access the control panel, and there is a correct ARP entry for the client.

So I think they are aware of each other!
Gromitd90
DD-WRT Novice


Joined: 20 Jan 2016
Posts: 40

PostPosted: Sat Aug 06, 2022 16:51    Post subject:
So I did some more playing with this yesterday and the following things work:

Both APs are running DD-WRT (fairly recent versions). AP1 is an R7000 and so can run tcpdump. AP2 is a WAC-124 and I have not tried tcpdump via Entware.
Firewall on the Windows PC disabled for the test.
Source and target devices are associated with different APs on different VLANs.

1. I can ping from a device associated with AP1 to another device on AP2. Ping also works if the target device is either AP1 or AP2.

2. I can connect from a device on AP1 to a service on another device on AP2 where both devices are on different VLANs. Where connection requires a TCP session.

The only thing that doesn't work is trying to connect to a service on either AP1 or AP2 from a device that is on a different subnet (VLAN) than the APs.

I have run several packet captures, and the one that is most informative is the packet capture (tcpdump) on the AP (let's call it AP1) to which the source device is associated while it is trying to connect to the AP2 web interface (telnet and ssh also fail).

I can see the TCP SYN request from source device being sent to the router (via switch) and being received at AP2. The service on the AP2 sends a TCP SYN ACK to accept the session request. This SYN ACK can be seen on the eth0 interface of AP1 and has the following settings:

In the Ethernet header the destination MAC address is the MAC address of the device requesting the session.
The source MAC address is strange: it is the MAC address of a VAP interface on AP2 that is bridged to br3 along with the VLAN interface that corresponds to the VLAN of the source device on AP1.
The Ethernet header contains the correct VLAN tag for the source device.
The Ack number in the SYN ACK frame is 1.

If we capture on the vlan5 interface of AP1 we would expect that the VLAN tag on the SYN ACK frame would be removed, and this is the case. Other than the VLAN tag being removed, the SYN ACK frame looks identical to the one captured on eth0, EXCEPT that the Ack number has been changed and appears to be a large random number.
That frame is then forwarded to the source device, which rejects it (probably because of the Ack number) and issues a RST.
Result is no connection.

Everything else in the network is working as expected so I'm curious as to whether what I have described above is a bug in DD-WRT or not.

Mike
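The comparison Mike made by eye on the SYN/SYN ACK pairs in the first post and in this one, as an added example that is not from the thread or from DD-WRT: it pairs each SYN with its SYN ACK by endpoint pair, flags any SYN ACK whose ack number is not the client's ISN + 1, and records the client RST that follows. It assumes tcpdump was run with -S (absolute rather than relative sequence numbers) and works on constructed capture lines.

```python
import re

# Constructed tcpdump-style lines (tcpdump -S, so seq/ack are absolute).
# Flow 1 mirrors the symptom in the thread: the SYN-ACK's ack number is not
# the client's ISN + 1 and the client answers with a RST. Flow 2 is healthy.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 192.168.5.20.51000 > 192.168.1.2.80: Flags [S], seq 1000, win 64240, length 0
12:00:00.000200 IP 192.168.1.2.80 > 192.168.5.20.51000: Flags [S.], seq 3000, ack 2894210731, win 29200, length 0
12:00:00.000300 IP 192.168.5.20.51000 > 192.168.1.2.80: Flags [R], seq 2894210731, win 0, length 0
12:00:01.000001 IP 192.168.5.21.51001 > 192.168.1.3.22: Flags [S], seq 5000, win 64240, length 0
12:00:01.000200 IP 192.168.1.3.22 > 192.168.5.21.51001: Flags [S.], seq 7000, ack 5001, win 29200, length 0
12:00:01.000300 IP 192.168.5.21.51001 > 192.168.1.3.22: Flags [.], ack 7001, win 64240, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)

def parse_line(line):
    """Return src, dst, flags, seq, ack from one tcpdump line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "ack": int(d["ack"]) if d["ack"] else None}

def check_handshakes(capture_text):
    """Map 'client->server' to 'ok' or a reason the three-way handshake broke."""
    client_isn = {}   # 'client->server' -> ISN carried in the SYN
    verdicts = {}
    for line in capture_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":
            client_isn[p["src"] + "->" + p["dst"]] = p["seq"]
        elif p["flags"] == "S.":
            key = p["dst"] + "->" + p["src"]    # SYN-ACK flows server -> client
            isn = client_isn.get(key)
            if isn is None:
                verdicts[key] = "syn-ack without a preceding syn"
            elif p["ack"] == (isn + 1) & 0xFFFFFFFF:
                verdicts[key] = "ok"
            else:
                verdicts[key] = "bad ack: expected %d, got %d" % (
                    (isn + 1) & 0xFFFFFFFF, p["ack"])
        elif "R" in p["flags"]:
            key = p["src"] + "->" + p["dst"]
            if verdicts.get(key, "").startswith("bad ack"):
                verdicts[key] += "; client reset"
    return verdicts
```

Running the same check over a capture taken on eth0 and one taken on the vlanN interface of the same AP shows directly at which hop the ack number stops matching.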
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat Aug 06, 2022 17:57    Post subject:
If ping works between subnets and APs, then the rest is down to configuration or lack of proper configuration.

As for the BUG, we don't know where it is, if it is DD-WRT or 3rd party or down to a mis-configuration; there are no reproducible steps or significant actionable information to be able to make any sort of determination.

Sorry if this sounds vague and unfair, but you hold all the cards and I'm not going to beg for the information or handhold anyone in order to get "there". Without actionable information, it's meaningless. In order to reproduce we need information and the equipment in order to duplicate, and this isn't a corporation where there are technicians with resources and equipment and time to be able to make any sort of determination.

We are DD-WRT users and volunteers only, so half our job depends on proper reports and information. What we seek is normally available on stickies and build threads.

Gromitd90
DD-WRT Novice


Joined: 20 Jan 2016
Posts: 40

PostPosted: Mon Aug 08, 2022 19:33    Post subject:
@the-joker - I fully appreciate the support you and others give on this forum and I will endeavour to report issues and/or queries with more substantive supporting documentation.

As for this particular issue I believe I have found a misconfiguration in my startup script where I assign VLANs to bridges. I adapted the script from elsewhere on the forum and as such have learned another valuable lesson. Don't run a script unless you know what each and every command is doing!

My DD-WRT devices are configured as APs, not routers. In the setup script there was an ifconfig command to assign an IP address and a netmask to each of the additional bridges. My belief is that this is not necessary in my config. I have deleted those commands and now everything seems to be working properly.

Can you please confirm that assigning an IP address to a bridge that has a VLAN and a VAP assigned to it is not necessary?

The original script I used is below. The revised script is the same except for the last 3 commands being removed.

Of course, getting around one problem always seems to incur a new one. I took one of my APs (a WAC-124) out of my network configuration to use it to help solve this particular issue. Before putting it back into production I thought I would upgrade it to the latest firmware, and now I can't get my VAP configuration to work! I'll post details on that in the Ralink SoC forum later.

Regards
Mike

Code:
swconfig dev switch0 set reset 1                     # clear the switch VLAN configuration
swconfig dev switch0 set enable_vlan 1               # enable 802.1Q VLAN handling on the switch
swconfig dev switch0 vlan 1 set ports "6t 0 2 3 4"   # main VLAN: port 6 tagged, ports 0 2 3 4 untagged
swconfig dev switch0 vlan 3 set ports "6t 1 4t"      # VLAN 3: port 1 untagged, port 4 (trunk) tagged
swconfig dev switch0 vlan 5 set ports "6t 4t"        # VLAN 5: tagged on port 6 and the trunk only
swconfig dev switch0 vlan 100 set ports "6t 4t"      # VLAN 100: tagged on port 6 and the trunk only
vconfig set_name_type VLAN_PLUS_VID_NO_PAD           # name 802.1Q interfaces vlan3, vlan5, ... rather than eth0.3
swconfig dev switch0 set apply                       # commit the switch configuration
brctl delif br0 wlan1.1                              # take the three VAPs out of the default bridge br0
brctl delif br0 wlan0.1
brctl delif br0 wlan1.2
vconfig add eth0 3                                   # create vlan3 on eth0 and bring it up
ifconfig vlan3 up
brctl addbr br1                                      # br1 joins vlan3 and the VAP wlan1.1
brctl addif br1 vlan3
brctl addif br1 wlan1.1
ifconfig br1 up
vconfig add eth0 100                                 # same pattern for VLAN 100 on br2
ifconfig vlan100 up
brctl addbr br2
brctl addif br2 vlan100
brctl addif br2 wlan0.1
ifconfig br2 up
vconfig add eth0 5                                   # and for VLAN 5 on br3
ifconfig vlan5 up
brctl addbr br3
brctl addif br3 vlan5
brctl addif br3 wlan1.2
ifconfig br3 up
# The three commands below give each bridge its own L3 address; they are the ones removed in the revised script.
ifconfig br1 192.168.3.254 netmask 255.255.255.0
ifconfig br2 192.168.100.254 netmask 255.255.255.0
ifconfig br3 192.168.5.254 netmask 255.255.255.0
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon Aug 08, 2022 20:13    Post subject:
You shouldn't configure an interface without sending it down first.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

PostPosted: Mon Aug 08, 2022 20:28    Post subject:
The R7000 is a Broadcom, but the scripts appear to be taken from the Marvell Forum.
Gromitd90
DD-WRT Novice


Joined: 20 Jan 2016
Posts: 40

PostPosted: Mon Aug 08, 2022 20:37    Post subject:
Actually, this script was on the WAC-124. I have 2 WAC-124s and one R7000. I had a different script on the R7000, but it had the same ifconfig commands, which I removed, and it now works correctly too.

Sorry for any confusion

Mike
Gromitd90
DD-WRT Novice


Joined: 20 Jan 2016
Posts: 40

PostPosted: Mon Aug 08, 2022 20:44    Post subject:
@the-joker - when you say that I shouldn't configure an interface until sending it down first, are you referring to the bridges?

If so, those interfaces aren't created until the script runs, so I didn't think they were up until I explicitly "upped" them.

Does the brctl addbr br1 both create the bridge AND activate it?

Should the script have an ifconfig br1 down command following the addbr? For example:

brctl addbr br1
ifconfig br1 down
brctl addif br1 vlan3
brctl addif br1 wlan1.1
ifconfig br1 up
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Tue Aug 09, 2022 11:25    Post subject:
For Broadcom I use the GUI to set a port on another VLAN (Switch config) and add that VLAN on a newly created bridge on the Networking tab.

When you tick/enable Net isolation the bridge is isolated from the main (br0) network.

Bridges are not isolated from other bridges (on your router, it is working on mine).

The patch to do so is pending (see attachment)

This is known information see my attached notes page 3.

Attachments:
DDWRT Virtual Access Point Public-2.doc (507 KB)
firewall.c-isolate-br-plus-2.patch.txt (1.63 KB)


_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Gromitd90
DD-WRT Novice


Joined: 20 Jan 2016
Posts: 40

PostPosted: Tue Aug 09, 2022 15:51    Post subject:
@egc - thank you for your response. I had seen the VAP document and had read it and "thought" I understood but clearly need some clarification.

Let me reset on what I am trying to understand.

My network consists of a main router which is connected to my ISP on one interface and an L2 switch on another. The router is running Untangle and all VLANs and DHCP services are configured there.

Also connected to the switch are 3 WAPs all running DD-WRT, one Broadcom R7000 and 2 Ralink WAC-124's. I wanted the WAPs to have no restrictions with respect to isolation from one another. Any restrictions were to be defined at the main router.

Each WAP is configured as an AP using the settings on page 9 of your document, with the exception that I do use the WAN ports as my trunk ports to connect back to the L2 switch, as I need the physical LAN ports for other purposes.
Each WAP is assigned an address on the main VLAN.
Each AP is configured to support a VAP on the 5GHz channel and 2 VAPs on the 2.4GHz channel. Each VAP is assigned to a different bridge in bridge mode with no isolation options configured.

Each AP is configured to support 3 VLANs; each VLAN is also assigned to a corresponding bridge along with a VAP.

On the R7000 all LAN ports are assigned to the main VLAN. On each WAC-124 3 of the LAN ports are assigned to the main VLAN and one port is assigned to one of the VLANs.

On the WAC-124s I create the bridges, VLANs and assignments in a firewall script as described in a message about 3 up in this thread.
On the R7000 I create the bridges and the assignment of VAPs to bridges using the GUI (I intend going back and doing it the same way on the WAC-124 once everything else is clear). I have attached screenshots of the Networking settings.
On the R7000 I create the VLANs and their assignments to bridges using the following firewall script. I have to do it via a script because on the main VLAN port 0 needs to be untagged, whereas it has to be tagged on the other VLANs, and that is not possible to specify with the Switch Config in the GUI.

For the remainder of this discussion let's just focus on the Broadcom R7000 configuration

Firewall script:

swconfig dev switch0 set reset 1                      # clear the switch VLAN configuration
swconfig dev switch0 set enable_vlan 1                # enable 802.1Q VLAN handling on the switch
swconfig dev switch0 vlan 1 set ports "0 1 2 3 4 5t"  # main VLAN: port 0 (trunk) untagged, port 5 tagged
swconfig dev switch0 vlan 3 set ports "0t 5t"         # other VLANs: tagged on the trunk and port 5 only
swconfig dev switch0 vlan 5 set ports "0t 5t"
swconfig dev switch0 vlan 100 set ports "0t 5t"
vconfig set_name_type VLAN_PLUS_VID_NO_PAD            # name 802.1Q interfaces vlan3, vlan5, ... rather than eth0.3
swconfig dev switch0 set apply                        # commit the switch configuration
vconfig add eth0 3                                    # create vlan3 and add it to br3 (bridge created in the GUI)
ifconfig vlan3 up
brctl addif br3 vlan3
ifconfig br3 192.168.3.254 netmask 255.255.255.0      # L3 address on the bridge; removed in the working config
vconfig add eth0 5
ifconfig vlan5 up
brctl addif br5 vlan5
ifconfig br5 192.168.5.254 netmask 255.255.255.0      # likewise removed
vconfig add eth0 100
ifconfig vlan100 up
brctl addif br2 vlan100
ifconfig br2 192.168.100.254 netmask 255.255.255.0    # likewise removed

With the R7000 so configured everything works as I expected (hoped) it would. Devices attached to VAPs get the correct IP addresses assigned, can access the Internet without problem and can access services on other local devices attached to another AP.

The only thing that didn't work was that I could not telnet or ssh in to any of the APs or access the GUI of DD-WRT from a device that was not on the main VLAN.

My network has been working in this configuration for a couple of months.

I assumed in the above script that the ifconfig bridge commands would be equivalent to assigning an IP address of the appropriate subnet in the GUI. They don't show up in the GUI, but do show up if I run an ifconfig command.

What I have found through experimentation is that if I remove the 3 ifconfig commands from the firewall script and do not assign an IP address to the bridges in the GUI, then everything works as before, plus I can now access the services on the APs that I couldn't before (telnet, ssh, web GUI).

So here are my points of confusion:

1. I assume that because I have specified a static IP address for each WAP that no routing table entries are needed on the WAP for a VAP to have internet access. All routing is done by the main router. Is that correct?

2. What is your understanding of why, when no IP addresses are specified on the bridges, I can now access AP services from devices that are on a different subnet?

I seem to have things working but now just looking for an explanation of why they work!! If you need to see any other specific settings let me know and I will supply them.

Thanks
Mike

Attachments:
R7000 bridge settings.jpg (80.49 KB)
R7000 network settings - 1.jpg (154.53 KB)
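A consistency check over the swconfig VLAN tables from the two scripts in this thread (the WAC-124 one a few posts up and the R7000 one just above), as an added example that is not from the thread or from DD-WRT. The port that is tagged in every VLAN (6 on the WAC-124, 5 on the R7000) is assumed to be the switch's CPU port, and the trunk port (4 on the WAC-124, 0 on the R7000) follows Mike's description of using the WAN port as trunk; the third table is constructed to show a failing case.

```python
import re

# VLAN tables copied from the two scripts posted in the thread.
WAC124_VLANS = {1: "6t 0 2 3 4", 3: "6t 1 4t", 5: "6t 4t", 100: "6t 4t"}
R7000_VLANS = {1: "0 1 2 3 4 5t", 3: "0t 5t", 5: "0t 5t", 100: "0t 5t"}
# Constructed bad table: the trunk port is untagged in two VLANs and VLAN 5
# has no CPU port, so no vlan5 interface could be created on eth0.
BROKEN_VLANS = {1: "6t 0 2 3 4", 3: "6t 1 4", 5: "4t"}


def parse_ports(spec):
    """'6t 0 2 3 4' -> {6: True, 0: False, 2: False, ...}; True means tagged."""
    ports = {}
    for tok in spec.split():
        m = re.fullmatch(r"(\d+)(t?)", tok)
        if not m:
            raise ValueError("bad port token: %r" % tok)
        ports[int(m.group(1))] = m.group(2) == "t"
    return ports


def audit_vlans(vlans, cpu_port, trunk_port):
    """Return findings for a swconfig VLAN table (empty list = consistent).

    Rules applied (assumptions of this example, not DD-WRT's own checks):
      - the CPU port must be tagged in every VLAN, otherwise `vconfig add
        eth0 N` has no tagged frames to work with;
      - the trunk port must be a member of every VLAN;
      - any port may be untagged (carry a PVID) in at most one VLAN.
    """
    findings = []
    untagged_in = {}
    for vid, spec in vlans.items():
        ports = parse_ports(spec)
        if ports.get(cpu_port) is not True:
            findings.append("vlan %d: CPU port %d missing or untagged" % (vid, cpu_port))
        if trunk_port not in ports:
            findings.append("vlan %d: trunk port %d is not a member" % (vid, trunk_port))
        for port, tagged in ports.items():
            if not tagged:
                untagged_in.setdefault(port, []).append(vid)
    for port, vids in sorted(untagged_in.items()):
        if len(vids) > 1:
            findings.append("port %d untagged in more than one VLAN: %s" % (port, vids))
    return findings
```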
