Thanks for your help. You're so right about it being confusing. Let me ask you if this looks right. (It's the setup I had before trying your suggestions above.)
Current Bridging Table

Bridge  STP  Interface
br0     no   eth1 wlan0 wlan1 wlan1.1
br1     yes  eth1.3 wlan0.1
I get IP addresses from the new subnet whether connected by ethernet cable or wifi. Is this config wrong?
Also, you mentioned..."In addition to that, whatever your router's overall firewall would apply to VLAN3 the same way, as it would to the rest of your network." So I don't need iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE as a saved Firewall command, right?
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Tue Feb 07, 2023 19:43 Post subject:
Given your last queries (following my zoom in on VLAN), my suggestion in your case is to rebuild your R7800:
1. First, reflash your R7800 with DDWRT firmware, with 'Reset to factory Default' option selected.
2. Set up your R7800 with basic configuration (i.e. passwords, 5GHz AP for home use, vAP in 5GHz for Guest network; 'Unbridged' and 'Network isolation' selected for added security).
3. Repeat step (2) for 2.4GHz AP if there are legacy devices in the family. Otherwise, only 2.4GHz vAP for IoT device network.
4. Any AP, or vAP, with 'Unbridged' & 'Network Isolation' options selected will need same relevant details filled in again under Networking tab including its DHCP. (A bit of double handling here).
5. Make sure you Save & Apply settings at each step.
6. And verify that your R7800 works as expected. Wired and wireless.
- Wired: you can access router from any ethernet port.
- Wifi: Cannot access your router from any vAP (Unbridged). Cannot ping other devices on the vAP network (network isolation).
If your R7800 works as intended, prior to VLAN settings, it's great.
7. Now save your settings as PRE-VLAN configuration. (There will be something such as default bridge (br0) in use. But that's normal. Leave it alone).
Now, first decide on which Ethernet port/s, etc. to set up what VLANS. Then follow the earlier examples. It will become much clearer by the differences b/w pre- and post-VLAN settings.
It took me quite some time to get my head around VLANs. I am sure that you will become a master of it with patience. Good luck.
(P.S. I'll be away for a while with a new assignment). _________________ Life is a journey; travel alone makes it less enjoyable and lonely.
Joined: 21 Aug 2019 Posts: 120 Location: Here, There And Everywhere
Posted: Tue Feb 07, 2023 23:03 Post subject:
@DWCruiser What would be the advantage of using an unbridged VAP vs. bridged VAP + additional firewall rules for security? Unbridged VAP disables SFE; in my case the speed difference was very noticeable: 900 Mbps with SFE, and 500 Mbps without (R9000 on a nominal 1 Gbps line).
Hey @matjazk! The reason I bridged my vaps and vlans was it was the only way I could see to get the new vlans to use wifi. Is there another way?
You mentioned new firewall rules for the new vlans-included config. Someone said the existing firewall would protect them. And you may have mentioned adding "iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE". A couple of years ago I followed a YouTube vid using a different router where you could add the vlan from the GUI. The author advised using:
Firewall config:
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
# deny iot network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j DROP
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Does that sound reasonable to you? Would adding iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE to it be even better?
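Added example, not part of the post above or of DD-WRT: a small model of the FORWARD chain that those five iptables commands produce. Because `iptables -I` prepends, the rules end up in the reverse of the order they are typed, and the model walks a set of constructed flows through the chain to show why the RELATED,ESTABLISHED rule is deleted and re-inserted at the top. The interface names br0 (private), br1 (IoT), br2 (a hypothetical second guest bridge) and eth0 (WAN) are assumptions for the demonstration, as is the ACCEPT chain policy; on a real box the WAN name is whatever `get_wanface` prints.

```python
# Added example: models the FORWARD chain built by the firewall commands
# quoted in the post above. Not DD-WRT code. Interface names and the
# ACCEPT policy are assumptions for the demonstration.
from dataclasses import dataclass
from typing import Optional


def iface_match(pattern: Optional[str], name: str) -> bool:
    """iptables -i/-o semantics: None matches anything, trailing '+' is a prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    states: frozenset = frozenset()  # conntrack states; empty means "any state"

    def matches(self, in_if: str, out_if: str, state: str) -> bool:
        return (iface_match(self.in_if, in_if)
                and iface_match(self.out_if, out_if)
                and (not self.states or state in self.states))


class Chain:
    """A linear iptables chain: the first matching rule wins, else the policy applies."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules: list[Rule] = []
        self.policy = policy

    def insert(self, rule: Rule) -> None:   # iptables -I CHAIN rule (prepend)
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A CHAIN rule
        self.rules.append(rule)

    def delete(self, rule: Rule) -> None:   # iptables -D CHAIN rule (first exact match)
        self.rules.remove(rule)

    def verdict(self, in_if: str, out_if: str, state: str = "NEW") -> str:
        for rule in self.rules:
            if rule.matches(in_if, out_if, state):
                return rule.target
        return self.policy


ESTABLISHED = Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))


def build_forward_chain(repush_established: bool) -> Chain:
    """Replay the firewall commands from the post, in the order they are typed."""
    chain = Chain(policy="ACCEPT")
    # The stock firewall already carries a RELATED,ESTABLISHED accept in
    # FORWARD; model it as the rule that exists before the script runs.
    chain.append(ESTABLISHED)
    chain.insert(Rule("DROP", "br+", "br+"))    # block anything that falls through
    chain.insert(Rule("DROP", "br1", "br+"))    # IoT may not reach any other bridge
    chain.insert(Rule("ACCEPT", "br0", "br+"))  # private may reach every bridge
    if repush_established:                      # the -D / -I pair from the post
        chain.delete(ESTABLISHED)
        chain.insert(ESTABLISHED)
    return chain


# Constructed flows (not captured traffic), one per rule worth exercising.
FLOWS = {
    "private->iot new":    ("br0", "br1", "NEW"),
    "iot->private reply":  ("br1", "br0", "ESTABLISHED"),  # reply to the flow above
    "iot->private new":    ("br1", "br0", "NEW"),
    "iot->wan new":        ("br1", "eth0", "NEW"),
    "wan->iot reply":      ("eth0", "br1", "ESTABLISHED"),
    "guest(br2)->private": ("br2", "br0", "NEW"),          # hits the br+ -> br+ catch-all
}


def verdicts(repush_established: bool) -> dict[str, str]:
    """Verdict for every constructed flow, with or without the re-push step."""
    chain = build_forward_chain(repush_established)
    return {name: chain.verdict(*flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    without, with_ = verdicts(False), verdicts(True)
    for name in FLOWS:
        print(f"{name:20s} without re-push: {without[name]:6s}  with re-push: {with_[name]}")
```

Without the re-push, "iot->private reply" is dropped: a private host can open a connection to an IoT device, but the IoT device's answer matches `-i br1 -o br+ -j DROP` before the RELATED,ESTABLISHED rule is reached. With the re-push it is accepted, while a connection the IoT device initiates towards br0 is still dropped. These are FORWARD rules only; whether hosts on br1 can reach the router's own services (DHCP, DNS, the web UI) is decided in INPUT, which this model does not cover.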
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Thu Feb 09, 2023 23:39 Post subject:
@matjazk
Sorry, I do not know the specific answer to your question.
My understanding is that SFE is not a standard protocol and it may vary from one model to the next. And I also believe that SFE has not reached maturity in its development stage.
In brief, SFE skips some repeated authenticating steps on SUBSEQUENT incoming packets, IF they're part of same 'delivery connection' already established & accepted by router. In this way, faster delivery of those packets occurs.
But it is, at least, in conflict with QoS.
I have a need for QoS. So, I do not use SFE. It's similar to Fasttrack which MikroTik developed a long time ago! I do not use Fasttrack either in my network.
As for virtual Access Point, I have only one 5GHz vAP for our guest network; and one 2.4GHz vAP for IoT devices. These have options of Unbridged (separate network) and Network Isolation (from other devices) selected. They work fine as is, w/o being placed on a bridge unless something was mis-configured somewhere (not aimed at you here). And, of course, my guests and IoT devices do not need to be as fast as mine. That's that.
(If it's a commercial environment, it's a different matter). _________________ Life is a journey; travel alone makes it less enjoyable and lonely.
Joined: 21 Aug 2019 Posts: 120 Location: Here, There And Everywhere
Posted: Sun Feb 12, 2023 8:47 Post subject:
@Ontarier
Wrt. firewall rules: I'm away this week, so I cannot definitely answer your query. But it seems ok on the first sight. I will post mine (with the source) when I return.
Wrt. VLAN: would it be possible to put everything together (including your changes and Alozaros' firewall settings) and post it here? I plan to do practically the same (VLAN+VAPs) in the near future; however my main router is R9000 and I will have to steel myself before this.
Joined: 21 Aug 2019 Posts: 120 Location: Here, There And Everywhere
Posted: Sun Feb 12, 2023 8:50 Post subject:
@DWCruiser
Thank you for your answer, very informative. As you can see from my answer to @Ontarier I will start playing with VLANs on R9000 soon; then I will likely ask (nay, beg) for your aid and wisdom.