Posted: Tue May 02, 2023 12:42 Post subject: pfSense VLAN & DDWRT as WAP (dumb AP/switch)
Hi experts
I have:
- Asus RT-AC87U
- DD-WRT v3.0-r50274 std (09/27/22)
- CPU Broadcom BCM4709
I would like to have a setup like the one in this video, but I am stuck with router VLANs not giving me internet or network access at all:
https://www.youtube.com/watch?v=Mu5V5VoRD7c
The challenge I am unable to solve is how to create VLANs in DDWRT that work with the VLANs created in pfSense. I spent a lot of time trying to make it work, but for some reason I am unable to succeed.
I think my problem is in the DDWRT switch config setup. Can you please help with what is missing or incorrect? Basically each time I "enable" Tagged, things go wrong and I have either no network access at all (I have to reset the router) or no internet access.
To start with, I will mention that I tried many different versions of the DD-WRT software. None of them worked for me. Especially I had troubles with the newest version: after enabling VLAN (in Setup / Switch config) I was unable to connect to the router; only a router reset helped.
To make it easier to explain, I am attaching screenshots of my setup.
Can you please advise what is missing or wrong?
BTW:
I tried with startup command, but it is not helping:
sleep 20; stopservice nas; wlconf eth0 down; wlconf eth1 down; wlconf eth2 down; startservice nas; wlconf eth0 up; wlconf eth1 up; wlconf eth2 up;
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Tue May 02, 2023 13:00 Post subject:
Moved to the appropriate forum
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
It looks like you have set up this router as a WAP (check your settings with the instructions below):
Quote:
A secondary router connected wired LAN<>LAN on the same subnet as the primary router.
Setup:
• On Basic Setup page:
o WAN disabled
o DHCP server Disabled (=off and NOT set as Forwarder!)
o Local IP address in the subnet of the primary router but outside the DHCP scope; make sure the used IP address is unique on your network, you cannot have duplicates.
o Gateway and Local DNS pointing to primary router
Example:
If your primary router is 192.168.1.1 then set the Local IP address of the WAP to 192.168.1.2 (make sure that is not used).
The Gateway and Local DNS are set to point to the primary router e.g.: 192.168.1.1
• Keep DNSMasq enabled (both on Basic Setup page and Services page)
• On Setup > Advanced Routing, keep Operating mode in the default Gateway (the wiki says Router mode but do not do that; either it does not matter (this case) or it breaks things)
• On Security > Firewall keep the SPI Firewall enabled; although you do not want a firewall, it will be automatically disabled as there is no WAN, so no need to change this setting from default.
• Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre and there are some routers where the WAN port is not added to br0 so the WAN port could be non-functional on some routers).
Note: For Broadcom routers for best throughput enable CTF on Basic Setup Page
If you have unbridged interfaces on the WAP (Virtual Access Point (VAP), bridge etc.), you have to add the following rule to the firewall in order to get internet access.
In the web-interface of the router (the WAP): Administration > Commands save Firewall:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
You want a trunk port to your pfsense router.
For starters upgrade to the latest build 52369
You might need a reset *after* upgrade and put settings in manually but you can try without.
The Switch config tab is upgraded and (almost) everything can be done from that.
But you first need to set the default values.
I will search for some examples but basically the CPU port (NEW) should be ticked/enabled for all VLANs and it should be tagged.
When using a WAP (dumb AP/switch) it is better not to use the WAN port as trunk but use port 4; depending on the router the WAN port is a separate port and not part of the switch.
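As an added example (not from this thread and not DD-WRT project code), the WAP checklist quoted above and the "CPU port and trunk port tagged in every VLAN" advice can be turned into a small POSIX sh checker that runs against an nvram dump. It assumes the nvram key names wan_proto, lan_proto, dhcpfwd_enable, lan_ipaddr, lan_gateway, sv_localdns and dnsmasq_enable, the Broadcom vlanNports list format (e.g. "1 2 3 4t 5t", where "t" marks a tagged port), and a /24 LAN; the two sample dumps are constructed, not taken from the poster's router.

```shell
#!/bin/sh
# Added example (not from this thread): check a DD-WRT nvram dump against the WAP
# checklist and the "CPU port + trunk port tagged in every VLAN" rule, and build the
# SNAT rule for unbridged VAPs. nvram key names and the vlanNports format are assumed.

# Constructed sample dump of a correctly configured WAP (primary router 192.168.1.1).
SAMPLE_GOOD='wan_proto=disabled
lan_proto=static
dhcpfwd_enable=0
lan_ipaddr=192.168.1.2
lan_gateway=192.168.1.1
sv_localdns=192.168.1.1
dnsmasq_enable=1'

# Constructed sample with three mistakes: WAN still on, DHCP server on, LAN IP equal to gateway.
SAMPLE_BAD='wan_proto=dhcp
lan_proto=dhcp
dhcpfwd_enable=0
lan_ipaddr=192.168.1.1
lan_gateway=192.168.1.1
sv_localdns=192.168.1.1
dnsmasq_enable=1'

# nv KEY: value of KEY from $NVRAM_DUMP (empty if absent)
nv() {
  printf '%s\n' "$NVRAM_DUMP" | sed -n "s/^$1=//p" | head -n 1
}

# prefix24 A.B.C.D -> A.B.C (assumes a /24 LAN, as in the guide's example)
prefix24() {
  printf '%s' "$1" | cut -d. -f1-3
}

# wap_check "<nvram dump>": prints one line per unmet checklist item,
# returns the number of unmet items (0 = looks like a correct WAP).
wap_check() {
  NVRAM_DUMP=$1
  fails=0
  ip=$(nv lan_ipaddr)
  gw=$(nv lan_gateway)
  [ "$(nv wan_proto)" = "disabled" ] \
    || { echo "WAN must be disabled (wan_proto=$(nv wan_proto))"; fails=$((fails + 1)); }
  [ "$(nv lan_proto)" = "static" ] \
    || { echo "DHCP server must be off (lan_proto=$(nv lan_proto))"; fails=$((fails + 1)); }
  [ "$(nv dhcpfwd_enable)" != "1" ] \
    || { echo "DHCP forwarder must not be enabled"; fails=$((fails + 1)); }
  { [ -n "$gw" ] && [ "$ip" != "$gw" ] && [ "$(prefix24 "$ip")" = "$(prefix24 "$gw")" ]; } \
    || { echo "Local IP $ip must be in the gateway's subnet and differ from it ($gw)"; fails=$((fails + 1)); }
  [ "$(nv sv_localdns)" = "$gw" ] \
    || { echo "Local DNS must point to the primary router ($gw)"; fails=$((fails + 1)); }
  [ "$(nv dnsmasq_enable)" = "1" ] \
    || { echo "DNSMasq must stay enabled"; fails=$((fails + 1)); }
  return "$fails"
}

# port_tagged PORT "PORTLIST": true if PORT appears tagged ("4t") in a vlanNports-style list
port_tagged() {
  for p in $2; do
    case "$p" in
      "${1}t"|"${1}t*") return 0 ;;
    esac
  done
  return 1
}

# trunk_check CPU_PORT TRUNK_PORT LIST...: every VLAN port list must carry both the
# CPU port and the trunk port tagged; returns the number of lists that do not.
trunk_check() {
  cpu=$1
  trunk=$2
  shift 2
  bad=0
  for list in "$@"; do
    { port_tagged "$cpu" "$list" && port_tagged "$trunk" "$list"; } \
      || { echo "VLAN list \"$list\" lacks tagged CPU port $cpu or tagged trunk port $trunk"; bad=$((bad + 1)); }
  done
  return "$bad"
}

# snat_rule LAN_IP: the firewall rule from the guide as a string (on the router the guide
# substitutes $(nvram get lan_ipaddr) for the address)
snat_rule() {
  printf 'iptables -t nat -I POSTROUTING -o br0 -j SNAT --to %s' "$1"
}

# Demo on the constructed samples; on a real router use: wap_check "$(nvram show 2>/dev/null)"
if wap_check "$SAMPLE_GOOD"; then echo "good sample: WAP checklist OK"; fi
if ! wap_check "$SAMPLE_BAD"; then echo "bad sample: checklist not met"; fi
if trunk_check 5 4 "1 2 3 4t 5t" "4t 5t"; then echo "VLAN1/VLAN6 trunk on port 4 with CPU port 5: OK"; fi
snat_rule "$(printf '%s\n' "$SAMPLE_GOOD" | sed -n 's/^lan_ipaddr=//p')"; echo
```

The trunk check treats VLAN1 like any other VLAN on the trunk: both the CPU port and port 4 must be tagged in its port list, while ports 1 to 3 can stay untagged for local devices. A list such as "1 2 3 4 5*" (the factory default, CPU port untagged and no tagged trunk port) is reported as a problem, which is the state the guide asks you to change first.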
Thanks for good suggestions.
I followed your advice, so I:
1) upgraded router to newest version
2) did small changes as suggested (example enable DNSmasq & change in Advanced Routing to "Gateway" )
3) enabled VLANs
4) set up VLANS with default configuration
ps. I was not aware of the default setup; therefore my previous attempts failed.
I tried again but it is still not working.
This time, however, I am able to be online when the cable from pfSense is connected to the WAN port.
However, when I plug the cable into Port 1, then I am completely offline (cannot connect to the router).
BTW: I do not know why my Port 4 is green (there is nothing plugged into it; I think it should be red with the info "Down" - that is my assumption only).
To be 100% clear I am attaching screenshots - they should explain it best.
Can you please advise what else I am missing in my VLAN configuration?
ps.
I am technical, but not "too" technical so please be easy on me
Yes, change the cable from port 1 to port 4.
As already mentioned the port numbers are swapped on some routers and the GUI shows you that there is nothing connected to your trunk port (VLAN1+VLAN6).
Then at least VLAN6 should work and the WLAN interface wl0.1 should work.
For the main LAN (VLAN1 + wl0.2) you have to tag VLAN1 on the pfsense box.
Otherwise your error description makes no sense.
The WAN port is bridged... whether you connect the cable to the WAN port or port1 should technically make no difference
Posted: Wed May 03, 2023 5:16 Post subject: VLAN, pfSense & DDWRT
Hi
Thank you for the suggestion. I think I made a mistake in pfSense; that is why, when I plug the cable into the trunk port where VLAN6 or VLAN1 are set up, I have no internet access or the computer is not getting any IP address. I will correct it and report back in 1 or 2 days.
For the trunk port plug-in, you are right: if I do not use VLANs, it does not matter where I plug in the internet cable (from pfSense), I always have internet.
It is also correct in my case that the port numbers are swapped on my router. When I plug in the cable and refresh the page, then I can see which port is used. That works well and is not a problem, as after a page refresh all is correctly shown.
So far thank you so much for suggesting:
- upgrade to the newest version => works perfect
- set up standard default configuration in "Switch Config" => works perfect
- pointing me to pfSense => the mistake is there, I think => will investigate
--------------
What I noticed, however, after the upgrade to the newest release: after making some changes on the router, I press Save and Apply Changes. Sometimes (but not every time) I can't connect to the GUI any more; the error message "connection refused" is displayed in my browser.
That was confusing, but I noticed that when this happens I have to restart the router (unplug the power cable, wait a bit, plug the power back in). The router will start normally and again I can connect to the GUI as usual.
Not sure if you noticed the same behaviour - in the past I had many different software releases installed on my router and never had this problem. It could be that this is new or it is specific to my router.
Anyhow, I wanted to mention that in case somebody gets the same problem; the solution for me is simple - a hard restart.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed May 03, 2023 6:45 Post subject:
It might also be browser related; Chrome does not always seem to play nice with DDWRT.
Try Firefox without extensions and in incognito mode, or browsers like Waterfox Classic.
Posted: Wed May 03, 2023 6:58 Post subject: VLAN & DDWRT
I use Brave browser with just 1 extension. I tried yesterday:
- Brave (both standard and incognito mode)
- Chrome (both standard and incognito mode)
- Edge standard mode
All of those browsers have the same problem connecting to the GUI. But a restart helped. I haven't tried ssh. That is because I have the default settings of DDWRT (I believe ssh is disabled by default).
Could be that I was not changing Bridge settings on the router before. Setting up a bridge most likely "is not a light change" on the router itself, which generates more changes in the background causing the httpd problem.
Yep, I spent a few days fighting before posting. So patience and "keep fighting" is the way to go.
BTW: DDWRT is a great piece of software. Really good job you all did - I really love it (a bit advanced, however, so not for "standard" users) but it is simply great & works.
Posted: Thu May 04, 2023 12:41 Post subject: DDWRT & VLANS
Hi
I did follow the guide & did some corrections on pfSense. It is still not working for me, but this time I am getting IP addresses from pfSense. I believe the DDWRT VLANs are working correctly now. That was not the case before, when quite often I had to reset the router.
I think DDWRT is not correctly set up.
Probably the solution is not yet working for me because I have a VPN running on my pfSense. Most likely due to that I am missing some steps in pfSense in relation to the VPN. Something is blocking something.
Error displayed is: "DNS address could not be found".
So I will be looking into that now.
Thank you so much for help. It was great.
ps.
After reading the document, I now understand what you meant by "patience".
BTW: great document.