R7000: VLAN isolation issues? Tagged vs untagged traffic

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Oct 01, 2022 11:10    Post subject: R7000: VLAN isolation issues? Tagged vs untagged traffic Reply with quote
Hello,

A friend has a similar scenario to a uni campus / hotel. His internet access his provided by a single Ethernet cable that comes from another router. If you connect a computer that cable you'll get an IP via DHCP on the 10.x.x.x range. Using a switch it's possible to connect multiple computers and each one will get its own 10.x.x.x IP address.

The idea: setup a DD-WRT router for wireless / wired devices:

1) Local network 192.168.1.0/24 with its own DHCP and NAT;
2) Router ports 1,3,4 > access to the internal 192.168.1.0/24 network
3) Router port 2: "bridged" to the main router and get a 10.x.x.x IP.

For this I made the following changes on the router:



After this, wifi works well, ports 1,3,4 are ok. Now in port 2:
- Connected computer with ethernet card set to vlan id = 1: accesses internal network just fine
- Connected computer with ethernet card set to vlan id = 2: get's a 10.x.x.x IP and everything works.

Now the problem: if the computer in port 2 doesn't have any vlan tag id configured it will still get a 10.x.x.x IP. Why is this happening? Why isn't it isolated / without network?

Compared to a regular switch dd-wrt's UI doesn't give much info. From what I'm seeing it looks like it applies the vlan2 tag internally to untagged traffic coming into that port. How is this controlled? Actually can it be inverted? Making it so untagged traffics gets the local network and tagged with vlan2 gets the main router?

Firmware: DD-WRT v3.0-r50176 std (09/15/22)

Check the post here https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1276295#1276295 for solutions and multiple use cases.


Thank you.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).


Last edited by TCB13 on Sun Nov 27, 2022 20:36; edited 1 time in total
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat Oct 01, 2022 11:43    Post subject: Reply with quote
I am not 100% sure but you can research "pvid"

Normally the pvid (port vlan id) is the same as the VLAN id (vid)

I am not sure what happens with tagged ports maybe they revert to pvid 0, you can try to set the pvid to 1 of that port (but maybe that breaks it altogether)

You should be able do this with swconfig

Or wait till one of the experts chimes in Smile

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Sat Oct 01, 2022 14:38    Post subject: Reply with quote
Let us see your "swconfig dev switch0 show".
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Oct 01, 2022 14:52    Post subject: Reply with quote
Here you go:

Code:
Global attributes:
        enable_vlan: 1
        ports: 0x01bf
        reset_mib: ???
        enable_jumbo: 0
        allow_vid_4095: 0
Port 0:
        mib: TxOctets            : 1702435
(....)

        disable: ???
        pvid: 2
        link: port:0 link:up speed:1000baseT full-duplex auto
Port 1:
        mib: TxOctets            : 118801
(....)

        disable: ???
        pvid: 1
        link: port:1 link:up speed:1000baseT full-duplex auto
Port 2:
        mib: TxOctets            : 0
(....)

        disable: ???
        pvid: 0
        link: port:2 link:down
Port 3:
        mib: TxOctets            : 34468
(....)

        disable: ???
        pvid: 1
        link: port:3 link:up speed:1000baseT full-duplex auto
Port 4:
        mib: TxOctets            : 269134
(....)

        disable: ???
        pvid: 0
        link: port:4 link:up speed:1000baseT full-duplex auto
Port 5:
        mib: TxOctets            : 2141946
(....)

        disable: ???
        pvid: 0
        link: port:5 link:up speed:1000baseT full-duplex
Port 6:
        mib: ???
        disable: ???
        pvid: 0
        link: port:6 link:down
Port 7:
        mib: TxOctets            : 0
(....)

        disable: ???
        pvid: 0
        link: port:7 link:down
Port 8:
        mib: TxOctets            : 0
(....)

        disable: ???
        pvid: 0
        link: port:8 link:down
VLAN 1:
        ports: 1 2t 3 5t
VLAN 2:
        ports: 0 2t 5t
VLAN 60:
        ports: 4t 5t
VLAN 61:
        ports: 4t 5t

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Sat Oct 01, 2022 18:41    Post subject: Reply with quote
Port 2 and 4 have pvid=0. That is untagged packets go to vlan0
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Oct 01, 2022 18:55    Post subject: Reply with quote
Per Yngve Berg wrote:
Port 2 and 4 have pvid=0. That is untagged packets go to vlan0


True but I've two questions there:

1) Isn't the WAN actually vlan2? If the traffic is tagged as 0 how come I get a 10.x.x.x IP?

2) How can I change the pvid on a the port? I didn't find a way to do that in the UI. I'm not sure what do expect from swconfig as there seems to be a lot of conflicting information on the forum / wiki.

Thank you.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).


Last edited by TCB13 on Tue Oct 04, 2022 10:36; edited 1 time in total
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Oct 01, 2022 20:36    Post subject: Reply with quote
Here is some progress I did.

1) Set the port 2 under DD-WRT's GUI to default;
2) Create a vlan55 and set it to untagged in port 0 and tagged in port 2

Code:
swconfig dev switch0 vlan 55 set ports "0 2t"
swconfig dev switch0 port 2 set pvid 1
swconfig dev switch0 set apply

swconfig dev switch0 show
Port 2:
        mib: TxOctets            : 2894517
        disable: ???
        pvid: 1
        link: port:2 link:up speed:1000baseT full-duplex auto

VLAN 1:
        ports: 1 2 3 5t
VLAN 2:
        ports: 0 5t
VLAN 55:
        ports: 0 2t


Now a computer connected to port 2 can access the local network (192.168.1.0/24) without any vlan tag and also get a 10.x.x.x if it sets the tag to 55.

It all looked okay but unfortunately due to some reason internet access in the router seems to be dead. I can't ping anything on the outside.

Update:

Apparently this caused the pvid of port0 (WAN) to be changed to 55 as well.

I don't get it because one would thing that
Code:
swconfig dev switch0 vlan 55 set ports "0 2t"
would tell the switch to "dump vlan55 traffic into port 0 without any tag and in port 2 with tag 55.".
_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Sat Oct 01, 2022 21:48    Post subject: Reply with quote
The untagged interfaces is eth0 and eth1.

You have to select a new interface as wan on the Networking tab when the interface name changes.
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Oct 01, 2022 21:56    Post subject: Reply with quote
Per Yngve Berg wrote:
The untagged interfaces is eth0 and eth1.

You have to select a new interface as wan on the Networking tab when the interface name changes.


Do I need to to change the name?

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).


Last edited by TCB13 on Tue Oct 04, 2022 10:33; edited 2 times in total
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sun Oct 02, 2022 11:40    Post subject: Reply with quote
Okay lets toss aside the more complicated setup and do the basics. I wanted to test if vlans even work properly so I created a vlan55 and assigned it to port 2. This vlan is bridged in br0.



Code:

$ swconfig dev switch0 port 2 show
Port 2:
        disable: ???
        pvid: 0
        link: port:2 link:down

$ swconfig dev switch0 vlan 55 show
VLAN 55:
        ports: 2t 5t


When I connect a computer to port 2 with vlan 55 I get the local IP but the network actins weird. I can't access the router page and DNS seems to be broken.. I can access 1.1.1.1 or sites with cached DNS without issues.

Am I missing a big piece of critical info or ?

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Wed Nov 23, 2022 13:48    Post subject: Reply with quote
reading your last post its not very clear what you want to achieve...

1. all those you created are on br0 and those communicate internally...so no idea if the tag of vlan55 will work as you expect... by default br0 contains all the interfaces vlan2, vlan1 (LAN ports) and both WiFi radios...
2.lets say you made vlan55 and it is bridged, so it will receive DHCP&DNS from the default br0...
if you want different results it must be unbridged and you have to gave it DNS & DHCP (subnet) than if you thick netisolation then it wont be seen the GUI until you add rules for this...

-on my R7000 vlans are working out of the box and i have x4 of them...with net isolation and those are assigned to their own bridge with DHCP and DNS and that's how i separate the traffic..
than if you want to tag those with vid you do it via start up commands(i dont do this as i dont need it...and those should be working with vid55 lets say...
-on the old builds you have to add masquarade rules to give those vlans/bridges NAT and make those subnets to have a WAN access or you can have a just a general rule for all those...instead
iptables -t nat -I POSTROUTING -s 192.168.55.0/24 -o $(nvram get wan_iface) -j MASQUERADE
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE
-i've never used vid on my own systems as i dont need it, nor tagging as in my vlan segmentation case those work as they should and i have separated traffic..
-start with 1 vlan give it a name number and ect. than add it to a bridge (or not) give it dhcpd (subnet) and dns and happy days...
-than make as many vilan's as you want and tag those via gui, so they will share the traffic
that's my 2 cents...
-in the past on R7000 friends router i made a few tagged vlan's all linked to a port (one of the x4 LAN ports) and this port was linked to a managed vlan capable switch, where those vlan's ware corresponding with different ports on the switch, linked to their vlanid numbers... but it was a hell of a game to make it work and dont recall all the steps i've made, but idea was something like this...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Wed Nov 23, 2022 14:03    Post subject: Reply with quote
@TCB13

no idea what exactly you want to do now.
but if I refer to your first post

Quote:
The idea: setup a DD-WRT router for wireless / wired devices:

1) Local network 192.168.1.0/24 with its own DHCP and NAT;
2) Router ports 1,3,4 > access to the internal 192.168.1.0/24 network
3) Router port 2: "bridged" to the main router and get a 10.x.x.x IP.



Quote:
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 5t"
swconfig dev switch0 vlan 2 set ports "0 2 5t"
swconfig dev switch0 set apply


then you have 2 wan ports that are internally connected via the switch.
one of them you can use as uplink to the upstream router and the second you can connect another device.

should in principle provide exactly what you have described in 1-3.

of course you can also set it somehow in the GUI
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Wed Nov 23, 2022 17:41    Post subject: Reply with quote
Thank you both for the tips, I'll test the proposed config very soon.

ho1Aetoo wrote:
no idea what exactly you want to do now.
(...)
of course you can also set it somehow in the GUI


As you saw in my last post, for debugging purposes, I just tried to have port 2 tagged as vlan55 and as described it broke the system. I guess it should've work.

Quote:
-in the past on R7000 friends router i made a few tagged vlan's all linked to a port (one of the x4 LAN ports) and this port was linked to a managed vlan capable switch, where those vlan's ware corresponding with different ports on the switch, linked to their vlanid numbers... but it was a hell of a game to make it work and dont recall all the steps i've made, but idea was something like this...


Just a rumbling, this is the kind of thing that it's easy to do on a regular switch but I'm afraid was broken in my R7000. In a switch is easy to define what VLANs are available in each physical port and if they're untagged or not and what's the default to assign internally to incoming untagged traffic. The interactions between switching and routing here are harder to understand here as well.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Wed Nov 23, 2022 18:26    Post subject: Reply with quote
TCB13 wrote:

As you saw in my last post, for debugging purposes, I just tried to have port 2 tagged as vlan55 and as described it broke the system. I guess it should've work.


Yes should actually work, however you don't need to tag port2 ...
Better would be to let the tag away then the VLAN55 ports should get pvid 55 (port based vlan)

However, I also see stuff on the screenshots that doesn't match.
There is still a bridged VLAN60 + VLAN61 displayed and the output of swconfig is not complete.
So no idea but probably not a clean configuration.
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Wed Nov 23, 2022 18:56    Post subject: Reply with quote
ho1Aetoo wrote:

Yes should actually work, however you don't need to tag port2 ...
Better would be to let the tag away then the VLAN55 ports should get pvid 55 (port based vlan)

However, I also see stuff on the screenshots that doesn't match.
There is still a bridged VLAN60 + VLAN61 displayed and the output of swconfig is not complete.
So no idea but probably not a clean configuration.


I'll get my hands on a spare R7000 next week and I'll do a clean config from scratch to test this once again. Thank you.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum