How to delete a vlan, R7800/r51530

DD-WRT Forum Index -> Atheros WiSOC based Hardware
Ontarier
DD-WRT Novice


Joined: 30 May 2015
Posts: 43

Posted: Tue Feb 07, 2023 16:12
Thanks for your help. You're so right about it being confusing. Let me ask you if this looks right. (It's the setup I had before trying your suggestions above.)

Current Bridging Table
Bridge  STP  Interfaces
br0     no   eth1 wlan0 wlan1 wlan1.1
br1     yes  eth1.3 wlan0.1

I get IP addresses from the new subnet whether connected by ethernet cable or wifi. Is this config wrong?

Also, you mentioned..."In addition to that, whatever your router's overall firewall would apply to VLAN3 the same way, as it would to the rest of your network." So I don't need iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE as a saved Firewall command, right?

Thanks again for your time and consideration.
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Tue Feb 07, 2023 19:43
Given your last queries (following my zoom in on VLAN), my suggestion in your case is to rebuild your R7800:

1. First, reflash your R7800 with DDWRT firmware, with 'Reset to factory Default' option selected.
2. Set up your R7800 with basic configuration (i.e. passwords, 5GHz AP for home use, vAP in 5GHz for Guest network; 'Unbridged' and 'Network isolation' selected for added security).
3. Repeat step (2) for 2.4GHz AP if there are legacy devices in the family. Otherwise, only 2.4GHz vAP for IoT device network.
4. Any AP, or vAP, with 'Unbridged' & 'Network Isolation' options selected will need same relevant details filled in again under Networking tab including its DHCP. (A bit of double handling here).
5. Make sure you Save & Apply settings at each step.
6. And verify that your R7800 works as expected, wired and wireless.
- Wired: you can access router from any ethernet port.
- Wifi: Cannot access your router from any vAP (Unbridged). Cannot ping other device on vAP network (network isolation).

If your R7800 works as intended, prior to VLAN settings, it's great.

7. Now save your settings as PRE-VLAN configuration. (There will be something such as default bridge (br0) in use. But that's normal. Leave it alone).

Now, first decide on which Ethernet port/s, etc. to set up what VLANs. Then follow the earlier examples. It will become much clearer by the differences b/w pre- and post-VLAN settings.

It took me quite some time to get my head around VLANs. I am sure that you will become a master of it with patience. Good luck.

(P.S. I'll be away for a while with a new assignment).

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
matjazk
DD-WRT User


Joined: 21 Aug 2019
Posts: 120
Location: Here, There And Everywhere

Posted: Tue Feb 07, 2023 23:03
@DWCruiser What would be the advantage of using an unbridged VAP vs. bridged VAP + additional firewall rules for security? Unbridged VAP disables SFE; in my case the speed difference was very noticeable: 900 Mbps with SFE, and 500 Mbps without (R9000 on a nominal 1 Gbps line).

There is some discussion here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=18424 but still...
Ontarier
DD-WRT Novice


Joined: 30 May 2015
Posts: 43

Posted: Wed Feb 08, 2023 22:13
Hey @matjazk! The reason I bridged my vaps and vlans was it was the only way I could see to get the new vlans to use wifi. Is there another way?

You mentioned new firewall rules for the new vlans-included config. Someone said the existing firewall would protect them. And you may have mentioned adding "iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE". A couple of years ago I followed a YouTube vid using a different router where you could add the vlan from the GUI. The author advised using:

Firewall config:
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP

# deny iot network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j DROP

# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT

# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Does that sound reasonable to you? Would adding iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE to it be even better?

Thanks!
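Because every rule in the quoted firewall script is inserted with -I (which puts it at the top of the chain), the order the rules end up in is the reverse of the order they are written, and the final -D/-I pair is what moves DD-WRT's existing RELATED,ESTABLISHED accept back above the new DROP rules. The following added example (not from this thread or from DD-WRT) is a small offline model of that reordering: it replays the script's -I and -D operations on a text chain and reports where each rule lands. The starting chain contents (a placeholder "-j lan2wan" rule above the RELATED,ESTABLISHED accept) are a constructed assumption, and only rule order is modelled, not packet matching.

```shell
#!/bin/sh
# Added example: models how iptables -I (insert at rule 1) and -D (delete the
# first exact match) reorder the FORWARD chain for the rules quoted above.
# No iptables binary is needed; only rule ORDER is simulated.

# Constructed starting state (assumption): DD-WRT's FORWARD chain already
# holds the RELATED,ESTABLISHED accept, here below one placeholder rule.
INITIAL="-j lan2wan
-m state --state RELATED,ESTABLISHED -j ACCEPT"

ipt_insert() {   # -I FORWARD <rule>: the new rule becomes rule 1
    CHAIN="$1
$CHAIN"
}

ipt_delete() {   # -D FORWARD <rule>: remove only the first exact match
    CHAIN=$(printf '%s\n' "$CHAIN" | awk -v r="$1" '!d && $0==r {d=1; next} {print}')
}

# Replays the posted script. Pass "nopush" to skip the final -D/-I pair so
# the difference that pair makes becomes visible.
build_forward_chain() {
    CHAIN="$INITIAL"
    ipt_insert "-i br+ -o br+ -j DROP"     # block anything that falls through
    ipt_insert "-i br1 -o br+ -j DROP"     # deny IoT bridge access to other bridges
    ipt_insert "-i br0 -o br+ -j ACCEPT"   # allow private bridge access to others
    if [ "$1" != "nopush" ]; then
        ipt_delete "-m state --state RELATED,ESTABLISHED -j ACCEPT"
        ipt_insert "-m state --state RELATED,ESTABLISHED -j ACCEPT"
    fi
    printf '%s\n' "$CHAIN"
}

# Prints the 1-based position of the first rule containing the given text.
rule_position() {   # $1 = chain text, $2 = substring to look for
    printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

FINAL=$(build_forward_chain)
echo "FORWARD chain as the posted script leaves it:"
printf '%s\n' "$FINAL" | nl
echo "RELATED,ESTABLISHED accept is rule $(rule_position "$FINAL" RELATED)"
echo "without the -D/-I pair it would be rule $(rule_position "$(build_forward_chain nopush)" RELATED)"
```

Without the final -D/-I pair the stateful accept would sit below the br1 DROP, so reply packets for connections the private LAN opened towards the IoT bridge would be dropped.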
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Thu Feb 09, 2023 23:39
@matjazk
Sorry, I do not know the specific answer to your question.

My understanding is that SFE is not a standard protocol and it may vary from one model to the next. And I also believe that SFE has not reached maturity in its development stage.

In brief, SFE skips some repeated authenticating steps on SUBSEQUENT incoming packets, IF they're part of same 'delivery connection' already established & accepted by router. In this way, faster delivery of those packets occurs.

But it is, at least, in conflict with QoS.

I have a need for QoS. So, I do not use SFE. It's similar to Fasttrack which MikroTik developed a long time ago! I do not use Fasttrack either in my network.

As for virtual Access Point, I have only one 5GHz vAP for our guest network; and one 2.4GHz vAP for IoT devices. These have options of Unbridged (separate network) and Network Isolation (from other devices) selected. They work fine as is, w/o being placed on a bridge unless something was mis-configured somewhere (not aimed at you here). And, of course, my guests and IoT devices do not need to be as fast as mine. Cool. That's that.

(If it's a commercial environment, it's a different matter).

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
Ontarier
DD-WRT Novice


Joined: 30 May 2015
Posts: 43

Posted: Fri Feb 10, 2023 18:32
I hoped to create a new vlan in order to attach my wireless IoT devices to it and have them isolated from each other.

Does this sound like the correct config?

I have these startup commands to create vlan 3:

# turn on 802.1Q VLAN handling in the switch (swconfig syntax is "set enable_vlan 1")
swconfig dev switch0 set enable_vlan 1
# VLAN 1: ports 2 and 3 untagged; port 4 and port 6 tagged
swconfig dev switch0 vlan 1 set ports "2 3 4t 6t"
# VLAN 3: port 1 untagged; port 4 and port 6 tagged (port 6 carries eth1, hence eth1.3 below)
swconfig dev switch0 vlan 3 set ports "1 4t 6t"
# write the VLAN table to the hardware
swconfig dev switch0 set apply
# create the tagged sub-interface eth1.3 for VLAN 3
vconfig add eth1 3

The new br1 has 3 vaps plus eth1.3 bridged and a new IP address with a different subnet in Multiple DHCP Servers.

If I understand correctly I don't need additional firewall rules because the vaps are isolated.

Sound right or is there still more to do?
Ontarier
DD-WRT Novice


Joined: 30 May 2015
Posts: 43

Posted: Sat Feb 11, 2023 20:33
I made another change and now have two vlans with isolated vaps, and did use Alozaros's firewall reco found in a different thread.

Thanks to everyone who chipped in.
matjazk
DD-WRT User


Joined: 21 Aug 2019
Posts: 120
Location: Here, There And Everywhere

Posted: Sun Feb 12, 2023 8:47
@Ontarier
Wrt. firewall rules: I'm away this week, so I cannot definitely answer your query. But it seems ok on the first sight. I will post mine (with the source) when I return.

Wrt. VLAN: would it be possible to put everything together (including your changes and Alozaros' firewall settings) and post it here? I plan to do practically the same (VLAN+VAPs) in the near future; however my main router is R9000 and I will have to steel myself before this :)
matjazk
DD-WRT User


Joined: 21 Aug 2019
Posts: 120
Location: Here, There And Everywhere

Posted: Sun Feb 12, 2023 8:50
@DWCruiser

Thank you for your answer, very informative. As you can see from my answer to @Ontarier I will start playing with VLANs on R9000 soon; then I will likely ask (nay, beg) for your aid and wisdom.