Routing problem - specific to Marvell ? (maybe about vlan )

Post new topic   Reply to topic    DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
shb
DD-WRT Novice


Joined: 06 Oct 2013
Posts: 39

PostPosted: Wed Feb 15, 2023 2:58    Post subject: Routing problem - specific to Marvell ? (maybe about vlan )
I have 2 different installations - in two different locations (actually in different countries). For simplicity of my life I try to keep the network configurations as close to identical as (reasonably) possible. However one difference is the router - one is a Netgear R7000 and the other one is a Linksys WRT1900ACSv2 (on 51306). The R7000 location has no problem. The Linksys location has a problem.

I use vlans, in both locations. The R7000 has been running for over a year. I just setup the Linksys over the last week or two. Yes, I know about the vlan differences for Marvell. And I have studied every line in this thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317199

And let me offer my ETERNAL thanks to @SurprisedItWorks and @TheDude1864 . Thank you and wow !.
My startup commands, only for the Linksys site:
Code:
# vlans do not work by the gui for marvell cpu routers - like wrt1900acs
# https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317199&postdays=0&postorder=asc&start=30
# SJS modified Feb 2023, to just have 1 port on vlan3.
# note: ports 5 and 6 are virtual ports representing the 2 cpu's in the router
#
# split the LAN on the port 6 cpu into eth1 (untagged) and vlan3 (tagged)
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
# vlans 1 and 2 connect eth1 and eth0 to the correct ports
swconfig dev switch0 vlan 1 set ports "6 0 1 2"
swconfig dev switch0 vlan 2 set ports "5 4"
# a new vlan 3 interface will handle the remaining ports
swconfig dev switch0 vlan 3 set ports "6t 3"
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 3
ifconfig vlan3 up
brctl addif br1 vlan3

My vlans are working - no problems with the vlans in either location. All devices on each vlan can be pinged, and can access the internet. I mention the vlans because, although the IP addresses are identical in my 2 locations, the way the vlans were setup are different (as per the link and code above).

Here is the problem:

My router is 192.168.9.1. One of the ethernet devices connected to it is at 192.168.33.11, which is set up on vlan3. The 33.11 device can be pinged, ssh'd into, and can serve up http pages, for any device on the 9.x subnet, including the router. All good so far. The 33.11 device also shows as connected in the Router's Status->LAN tab. The 33.11 device can access the internet. It seems the 33.11 device (it is the only device on vlan3) is connected and working fine....

I need the 192.168.33.11 device to serve out to the internet, via a wireguard tunnel and some port-forwarding. Note: this is working in my R7000 location (same addresses) for the last 18 months. The wireguard tunnel (oet2) is delivering the incoming IP packets.

Here are the routes, first PREROUTING with DNAT, then the FORWARD.

Code:
iptables -t nat -A PREROUTING  -i oet2 -p tcp --destination-port 8011 -j DNAT --to-destination 192.168.33.11
iptables -I FORWARD -p tcp --dst 192.168.33.11 --dport 8011 -j ACCEPT


In both locations, I can see the PREROUTING rules get hit (counters increase):
Code:
root@magnest:~# iptables -v -t nat -L  --line-numbers
Chain PREROUTING (policy ACCEPT 7006 packets, 2148K bytes)
num   pkts bytes target     prot opt in     out     source               destination

7       68  3536 DNAT       tcp  --  oet2   any     anywhere             anywhere             tcp dpt:8011 to:192.168.33.11


But in the Linksys site, the packets NEVER get to the FORWARD chain.
Code:

root@magnest:~# iptables -v -t filter -L FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
6        0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.33.11             tcp dpt:8011


At the Linksys site, the counter in the FORWARD chain stays at zero; in the R7000 site that rule in the FORWARD chain gets hit (counter increases) and the packets get delivered to 33.11. In the Linksys site no packets get to 33.11. All routes are IDENTICAL in both sites. However they work in the R7000 site, but they do not work in the Linksys site.

Is there some reason with the manually created vlans in Linksys that the routes need to be different? The only difference I can see is that vlan3 is "tagged" in the Linksys site.

1. Can anyone explain it?
2. How to fix it?
shb
DD-WRT Novice


Joined: 06 Oct 2013
Posts: 39

PostPosted: Wed Feb 15, 2023 23:23    Post subject:
I found this:

Quote:
Assigning a tagged VLAN to a port adds that port to the VLAN, but all ingress and egress traffic must be tagged with the VLAN ID in order to be forwarded.


That could potentially explain it. I mean, if the incoming traffic (on oet2) is not getting tagged, then according to that quote above, it will not FORWARD to vlan3. I am not explicitly "tagging" anything. And what I am seeing is that it does not get forwarded..... So it seems like it

But I do not have enough expertise to comment much further, or to take the above information and somehow apply it to solve my problem. Anyone who does, please help.

After a quick conversation about it with my friend ChatGPT, I am testing with this addition to my routes:

Code:
iptables -t mangle -A PREROUTING -i oet2 -j VLAN --vlan-id 3


I will report back... update: that did not work.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Thu Feb 16, 2023 8:40    Post subject:
You need a better ip addressing plan.

Site A:

Vlan1: 172.16.1.0/24
Vlan3: 172.16.3.0/24

Site B:

vlan1: 172.17.1.0/24
vlan3: 172.17.3.0/24

Route to Site A: 172.16.0.0/16

Route to Site B: 172.17.0.0/16

In addition you need another network for the Tunnel itself.

Note: Private addresses are 172.16-32.0.0
shb
DD-WRT Novice


Joined: 06 Oct 2013
Posts: 39

PostPosted: Thu Feb 16, 2023 10:22    Post subject:
With respect, I do not need a different IP addressing plan.

Site A and Site B are completely 100% unrelated to each other. They never route to each other. The tunnels are NOT from Site A to Site B. The two sites are unaware of the existence of the other. The only common thing is - me. That is, I set up both and I support the IT in both.... think of it as both are "my clients"... even though it is more as a favor and no money exchanges hands.


The only problem is in the Linksys site. And the only problem in the Linksys site is that - incoming packets (that come from the internet via the oet2 tunnel ) - in step 1 of 2 - they DO correctly hit the PREROUTING rule in the nat table (changes destination address to 192.168.33.11). But then in step 2 of 2 they do NOT hit the FORWARD rule after that.

In the other site, only described here for comparison, the incoming packets (via oet2 tunnel ) first hit - step 1 of 2 - the rule in the nat table, and then they also - step 2 of 2 - hit the FORWARD rule.

So, as it works in one site but not in the other, what are the differences?? The answer is: the destination address 192.168.33.11 exists on vlan3 in both sites, BUT vlan3 and the other vlans are set up differently in each of the two sites. One site is a Marvell router.

For some unknown reason, after the incoming packets successfully get DNAT-ed in the nat table, I cannot find those packets anywhere. I cannot find them being DROPped anywhere. They are not dropped in FORWARD. And they hit no other rules, I mean rules that they should hit.... It is doing my head in... What am I missing here?
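An added model, written for this edit and not the poster's configuration or any DD-WRT code, of what sits between the two counters the posts compare: the nat PREROUTING hook, the kernel's routing decision, then filter FORWARD. It shows the two places where a packet that already ticked the DNAT counter (step 1 of 2) can be discarded before any FORWARD rule sees it (step 2 of 2): a route lookup that fails for the rewritten destination, and a strict reverse-path filter (net.ipv4.conf.<iface>.rp_filter=1) that drops a tunnel packet whose route back to its source is the WAN rather than oet2. The router, tunnel and LAN addresses are the thread's; the route table, the tunnel address 10.8.0.2 and the source 203.0.113.5 are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed model (not the poster's router) of the path a packet takes on a
# Linux router: nat PREROUTING -> routing decision -> filter FORWARD or INPUT.
# The kernel can discard a packet between the two chains without any iptables
# rule seeing it; the route table and rp_filter values below are assumed.

@dataclass
class Router:
    routes: dict                # prefix -> outgoing interface (assumed table)
    local: set                  # addresses owned by the router itself
    rp_filter: int = 0          # net.ipv4.conf.<iface>.rp_filter: 0 off, 1 strict
    counters: dict = field(default_factory=lambda: {
        "nat_PREROUTING": 0, "filter_FORWARD": 0, "filter_INPUT": 0})

    def lookup(self, addr):
        """Longest-prefix match; returns the outgoing interface or None."""
        best = None
        for prefix, dev in self.routes.items():
            net = ip_network(prefix)
            if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        return best[1] if best else None

    def receive(self, iif, src, dst, dport, dnat_to=None):
        """Returns the chain the packet reached, or why it vanished before it."""
        self.counters["nat_PREROUTING"] += 1            # the DNAT rule's counter ticks here
        if dnat_to and iif == "oet2" and dport == 8011:  # the thread's PREROUTING DNAT rule
            dst = dnat_to
        # Routing decision: runs after PREROUTING and before INPUT/FORWARD.
        if dst in self.local:
            self.counters["filter_INPUT"] += 1
            return "INPUT"
        if self.rp_filter == 1 and self.lookup(src) != iif:
            return "dropped: rp_filter, reverse path for %s is not %s" % (src, iif)
        if self.lookup(dst) is None:
            return "dropped: no route to %s" % dst
        self.counters["filter_FORWARD"] += 1            # only now would the FORWARD rule count
        return "FORWARD"

ROUTES = {"0.0.0.0/0": "eth0", "192.168.9.0/24": "br0", "192.168.33.0/24": "br1"}

def scenario(rp_filter, routes=ROUTES):
    # One tunnel packet from a constructed internet source, DNAT-ed to 192.168.33.11.
    r = Router(routes=dict(routes), local={"192.168.9.1", "10.8.0.2"}, rp_filter=rp_filter)
    result = r.receive("oet2", "203.0.113.5", "10.8.0.2", 8011, dnat_to="192.168.33.11")
    return result, r.counters

if __name__ == "__main__":
    for rp in (0, 1):
        print("rp_filter=%d ->" % rp, scenario(rp))
```

On the router itself, `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.oet2.rp_filter` shows the live setting (the stricter of the two applies), and `net.ipv4.conf.all.log_martians=1` makes such drops visible in the kernel log.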
shb
DD-WRT Novice


Joined: 06 Oct 2013
Posts: 39

PostPosted: Sun Feb 19, 2023 2:06    Post subject:
Any ideas?? Anyone??

Even ideas of where and what to continue investigating??
All times are GMT