Issue creating vlans on Asus RT-AC5300 on 54095 firmware

slsujith (DD-WRT Novice, joined 21 Nov 2023, 12 posts)
Posted: Fri Nov 24, 2023 4:37    Subject: Issue creating vlans on Asus RT-AC5300 on 54095 firmware
Hello experts,

I have spent almost a week trying to configure my Asus RT-AC5300 router to have multiple vlans. My target is below:
* Have two lan ports (1 and 2) assigned to vlan1
* WAN port assigned to vlan2
* Lan ports 3 and 4 assigned to vlan3
* New bridge br1 assigned to vlan3
* Existing bridge br0 assigned to vlan1
* Change router IP to 10.10.10.1 and DHCP starting address to 10.10.10.100
* br1 IP to 10.10.20.1 and DHCP starting address to 10.10.20.100
* Configure firewall so traffic from br1 to br0 is dropped and traffic from br0 to br1 is allowed

So far, I have tried the following:
* Initially, I started with firmware 44715 from the Router Database. Using this firmware, I was able to configure most of them, but configuring the firewall doesn't prevent computers connected to br1 from pinging 10.10.10.1 or other machines in br0.
* After going over forum topics, I downloaded the latest firmware 54095. That started a longer process where I was not able to configure VLANs properly. Did some searching and found I need to assign CPUPORT to all active VLANs. So, did that and was able to configure VLANs. But then, when I connect a network cable to any of the ports, the router doesn't assign any IPs to the laptop. I get the default 169 IP address. I was able to connect to the wireless network, which assigned an IP in the 10.10.10.x range. But when I tried to create an additional virtual AP, wireless also failed to assign an IP.

At this stage, I am lost as to what should be done. I have reset/restarted/upgraded firmware multiple times and none of the firmware versions seems to allow me to configure two VLANs with different IP ranges and configure the firewall so one bridge can communicate with the other but not the reverse. Has anyone done this with an RT-AC5300?

I was trying to follow a tutorial I found on YouTube https://www.youtube.com/watch?v=0ds4o2RxHAc , but my experience is not as simple as that shown in the video.
slsujith (DD-WRT Novice)
Posted: Fri Nov 24, 2023 4:39
This is the firewall config I was trying:

#block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP

#deny iot network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j DROP

#allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT

#push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
slsujith (DD-WRT Novice)
Posted: Fri Nov 24, 2023 4:41
I also tried to enter those commands one by one through ssh and after each command tried "echo $?" and got 0 as the result (which I read means the command was successful), but it didn't prevent traffic going from br1 to br0.
egc (DD-WRT Guru, joined 18 Mar 2014, 12770 posts, Netherlands)
Posted: Fri Nov 24, 2023 12:25
Start with a reset to defaults.

First do a basic setup of your router without the VLANs etc

some VLAN examples: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334342

You have only one CPU port which needs to be tagged.

Set up the VLAN and show a screenshot so that we can check

Then set up your bridge. When working with bridges patience is your friend.
After each step Save/Apply and wait at least a minute!

Add br1 (again Save/Apply and wait at least a minute)
Set up br1 with its IP address etc.
Add the MDHCPD server for br1 at the bottom of the page
Assign the VLAN you have created to br1

If you are stuck post screenshots

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
slsujith (DD-WRT Novice)
Posted: Mon Nov 27, 2023 2:04
Thanks for your response and sorry for the delay, as I was trying to figure out how to get it working.

Here are the steps I followed and the lessons I learned on the way (hopefully this will help someone avoid the mistakes I made):
1. As "egc" pointed out, start with the basics. In my case, I first enabled https and disabled http on the Administration side. Save, then Apply Settings and wait for about a minute.
2. Went to Setup and changed the IP address of the router. Save and apply settings and wait for about a minute. I would recommend not making any other changes when you are changing the IP (I tried to also update the DHCP starting address range, which screwed up my LAN and I couldn't get an IP, so I ended up resetting the firmware).
3. For some reason, I couldn't change the starting IP of the DHCP at this stage. If I tried to make any changes to that setting, my LAN ports stopped working.
4. I then enabled ssh and downloaded the private key (save and apply settings).
5. I also enabled jffs, save and apply settings. Then enable "Wipe Flash Storage" and apply settings (I read you should apply settings and not save for this step). Once done, change the setting back to disabled and save.
6. Up until now, my LAN is working and my laptop gets assigned the IP that I configured in step 2.
7. I then started with the VLAN configuration. Here, when you go to "Switch Config" for the first time, you would see the VLAN setup. But please refresh the page as it should show as disabled. Enable, save and apply settings. Wait for at least a minute, if not more.
8. By default, for the RT-AC5300, there are 3 VLANs. vlan0 won't have anything assigned to it. vlan1 has CPUPORT and all the LAN ports assigned to it. vlan2 has CPUPORT and WAN assigned to it.
9. For the VLAN configuration, I started by creating a new VLAN by clicking on the "+" sign.
10. Uncheck the LAN port(s) from vlan1 and assign them to vlan3. Also check CPUPORT for vlan3 (I am told every active VLAN should have CPUPORT assigned to it). Save, apply settings and wait for at least a minute.
11. Connect to ssh and run "swconfig dev switch0 show". It should show you three VLANs like below (in my case, I assigned LAN 3 and 4 to vlan3):
VLAN1: ports 1 2 7t
VLAN2: ports 0 7t
VLAN3: ports 3 4 7t
12. I then started configuring the bridge. Start by creating a new bridge "br1". I followed the link "egc" mentioned above and ensured STP is off and the other settings remain the same. Save, apply settings and wait for at least a minute.
13. Next, assign the VLAN to the new bridge. Create a new entry under "Assign to Bridge" and select "br1" under "Assignment" and "vlan3" under "Interface". Save, apply settings, and wait for a minute. Refresh the page after a minute and check whether the page shows br1 with vlan3 under "Current Bridging Table".
14. Next, we have to set up the interface under "Interface Setup". I first set up "br1". Under "br1", provide a label, ensure "Net Isolation" is enabled, and provide a different IP address (ensure you provide /24 at the end as well). Save, apply settings and wait for a minute.
15. Next, I configured DHCP for "br1". Save, apply settings and wait.
16. At this time, I switched my LAN cable to port 3 and checked the IP of my laptop to ensure it was assigned an IP in the range I specified for "br1". I also checked the other LAN ports to ensure my laptop is assigned a correct IP in the range for each of the bridges.
17. I then set up a new Virtual AP under "Wireless" for my new bridge. Started with the 2.4GHz network. Web UI access set to disabled and Network Configuration was "bridged" as I wanted the WLAN to have the same IP as "br1". Save, apply settings and wait.
18. Next, I assigned the new WLAN to "br1" under Setup -> Networking. Save, apply settings, wait for a minute, refresh the page and ensure "Current Bridging Table" shows wlan0.1 for "br1".
19. Next, created a new Virtual AP under the 5.0GHz network. Save, apply settings and wait.
20. Assign the new wlan1.1 to "br1". Ensure the mapping shows up in the bridging table.
21. I then started with the firewall commands. Ran the commands one by one from ssh, did an "echo $?" after each command to ensure the return is 0.
22. Connected LAN to port 4 (assigned to br1) and tried to ping the br0 IP. Received a successful ping (was expecting not to).
23. Copied the commands to Firewall under "Administration", save, apply settings and reboot the router.
24. Was unable to get an IP address from any of the LAN ports. Switched off the router, waited for a minute and then switched it back on. This time, I got an IP address assigned from each LAN port.
25. Tried pinging the router IP from LAN 4 and the firewall didn't drop the connection. I was assuming that based on the commands I entered, any traffic from br1 to br0 would be dropped.

These are the commands I entered:

# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP

# deny iot network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j DROP

# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT

# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
slsujith (DD-WRT Novice)
Posted: Mon Nov 27, 2023 2:18
Screenshots (attached images): Networking3.jpg, Firewall_Command.jpg, Firewall_Command_ssh.jpg
slsujith (DD-WRT Novice)
Posted: Mon Nov 27, 2023 2:19
Screenshots (attached images): Switch_Config.jpg, Networking1.jpg, Networking2.jpg
slsujith (DD-WRT Novice)
Posted: Mon Nov 27, 2023 2:20
Screenshots (attached images): Wireless.jpg
slsujith (DD-WRT Novice)
Posted: Mon Nov 27, 2023 2:33
There are three issues I am trying to solve:
1. How do I prevent machines connected to br1 from accessing machines connected to br0?
2. I don't see any of the wireless networks assigned to br1 from my laptop, but I do see the wireless networks assigned to br0. Could it be because I disabled "Web UI Access"?
3. When I set wireless security to WPA2, and when I try to connect to the wireless network, it asks for user and password. I thought WPA2 would only ask for the access key that I provided in the wireless security section.
ho1Aetoo (DD-WRT Guru, joined 19 Feb 2019, 2843 posts, Germany)
Posted: Mon Nov 27, 2023 9:04
slsujith wrote:
There are three issues I am trying to solve:
1. How do I prevent machines connected to br1 from accessing machines connected to br0


Net-isolation does this, but only when your WAN is started.
Your WAN is activated but nothing is connected.

If you don't have a working WAN then

Code:
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -j REJECT
#iptables -I FORWARD -i br0 -o br1 -j REJECT



slsujith wrote:
2. I don't see any of the wireless networks assigned to br1 from my laptop, but do see the wireless networks assigned to br0. Could it because I disabled "Web UI Access"?
3. When I set wireless security to WPA2, and when I try to connect to the wireless network, it asks for user and password. I thought WPA2 would only ask for the access key that I provided in the wireless security section.


You speak in riddles.
If your notebook does not see the VAPs, how can you connect?

_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)
egc (DD-WRT Guru)
Posted: Mon Nov 27, 2023 9:17
Unless you have set it up as a Wireless Access Point (WAP) with its WAN disabled, just ticking `Net Isolation` should isolate the networks.
You can allow traffic from br0 to br1 with:
Code:
iptables -D FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT


Strange that your WAN IP shows 0.0.0.0; what is the problem with that?

slsujith (DD-WRT Novice)
Posted: Mon Nov 27, 2023 23:44
ho1Aetoo wrote:
slsujith wrote:
There are three issues I am trying to solve:
1. How do I prevent machines connected to br1 from accessing machines connected to br0


Net-isolation does this, but only when your WAN is started.
Your WAN is activated but nothing is connected.

If you don't have a working WAN then

Code:
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -j REJECT
#iptables -I FORWARD -i br0 -o br1 -j REJECT



slsujith wrote:
2. I don't see any of the wireless networks assigned to br1 from my laptop, but do see the wireless networks assigned to br0. Could it because I disabled "Web UI Access"?
3. When I set wireless security to WPA2, and when I try to connect to the wireless network, it asks for user and password. I thought WPA2 would only ask for the access key that I provided in the wireless security section.


You speak in riddles.
If your notebook does not see the VAPs, how can you connect?


Sorry if I wasn't clear. So, br0 has VAPs w0.0, w1.0 and w2.0, which are visible in laptop. I created two new VAPs w0.1 and w1.1 and assigned them to br1, which are not visible in laptop.
slsujith (DD-WRT Novice)
Posted: Mon Nov 27, 2023 23:49
egc wrote:
Unless you have setup as a Wireless Access Point (WAP) with its WAN disabled just ticking `Net Isolation` should isolate the networks.
You can allow traffic from br0 to br1 with:
Code:
iptables -D FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT


Strange that your WAN ip show 0.0.0.0 what is the problem with that?


I haven't yet connected WAN to the internet cable as I first wanted to configure the router in the way I wanted before plugging in to the internet cable (I work from home and need internet, so didn't want to disturb my existing setup until I have configured my router and made sure everything else works the way I wanted).

I want traffic from br0 to br1, but not from br1 to br0. But both br0 and br1 should be able to connect to the internet (WAN). Since I do want traffic from br0 to br1, would enabling "Net Isolation" help achieve what I want without having to do any iptables commands?

Basically, I would be connecting the router to WAN once the configuration is done. I want both br0 and br1 to connect to WAN, but traffic should be allowed only from br0 to br1 and traffic should be blocked from br1 to br0.

"ho1Aetoo" has given a set of iptables commands. Will try that and see if that helps with blocking br1 to br0 traffic.
slsujith (DD-WRT Novice)
Posted: Mon Nov 27, 2023 23:52
ho1Aetoo wrote:


If you don't have a working WAN then

Code:
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -j REJECT
#iptables -I FORWARD -i br0 -o br1 -j REJECT




Thanks "ho1Aetoo" for the iptables commands. Before I try these commands, I wanted to check one thing:

When I connect the router WAN to internet and if I enable net isolation, would it achieve the below:
* Both br0 and br1 able to connect to internet
* Traffic from br0 to br1 accepted and traffic from br1 to br0 rejected
egc (DD-WRT Guru)
Posted: Tue Nov 28, 2023 7:24
slsujith wrote:
egc wrote:
Unless you have setup as a Wireless Access Point (WAP) with its WAN disabled just ticking `Net Isolation` should isolate the networks.
You can allow traffic from br0 to br1 with:
Code:
iptables -D FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT


Strange that your WAN ip show 0.0.0.0 what is the problem with that?


I haven't yet connected WAN to the internet cable as I first wanted to configure the router in the way I wanted before plugging in to the internet cable (I work from home and need internet, so didn't want to disturb my existing setup until I have configured my router and made sure everything else works the way I wanted).

I want traffic from br0 to br1, but not from br1 to br0. But both br0 and br1 should be able to connect to internet (WAN). Since I do want traffic from br0 to br1, would enabling "Net Isolation" help achieve what I want without having to do any iptable commands?

Basically, I would be connecting the router to WAN once the configuration is done. I want both br0 and br1 to connect to WAN, but traffic should be allowed only from br0 to br1 and traffic should be blocked from br1 to br0.

"ho1Aetoo" has given a set of iptables commands. Will try that and see if that helps with blocking br1 to br0 traffic.


The commands from ho1Aetoo were in case you have a router set up with its WAN disabled and set up as a Wireless Access Point (aka switch/dumb AP), so they do not apply in your case.
He actually also mentions this.

In your case simply tick/enable Net isolation that will isolate your networks from each other and isolate the Guest network from the router.

The only thing you then have to do is to allow access from br0 to br1 and that is what my rules are supposed to do.

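Putting the thread's advice together, as an added example that is not code from the thread or from DD-WRT: a POSIX sh script that emits the iptables rules for the policy slsujith described (br0 to br1 allowed, br1 to br0 dropped, both bridges to the WAN), plus the INPUT rules ho1Aetoo's snippet uses, because a ping to the router's own address (10.10.10.1) is decided by the INPUT chain and never sees FORWARD-only rules. The interface names br0, br1 and vlan2 are assumptions following DD-WRT naming; the script prints the rules by default and only executes them with `--apply`.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names are assumptions
# following DD-WRT naming: br0 = private bridge, br1 = guest/IoT bridge,
# vlan2 = WAN interface. Override with environment variables if different.
PRIV_BR="${PRIV_BR:-br0}"
GUEST_BR="${GUEST_BR:-br1}"
WAN_IF="${WAN_IF:-vlan2}"

# Emit the rules one per line, in the order they must be executed.
# Every rule uses -I (insert at the top of the chain), so the LAST line
# emitted ends up FIRST in the chain; the list is therefore written
# bottom-up: the DROP that must lose to every ACCEPT goes first, the
# stateful ACCEPT that must sit on top of FORWARD goes last.
#
# FORWARD decides traffic crossing the router (br1 host -> br0 host).
# INPUT decides traffic addressed to the router itself (br1 host -> 10.10.10.1),
# which is why the FORWARD-only rules in the thread never stopped that ping.
# br1 still needs the router for DHCP (udp/67) and DNS (udp+tcp/53).
fw_rules() {
    cat <<EOF
iptables -I FORWARD -i $GUEST_BR -o $PRIV_BR -j DROP
iptables -I FORWARD -i $GUEST_BR -o $WAN_IF -j ACCEPT
iptables -I FORWARD -i $PRIV_BR -o $WAN_IF -j ACCEPT
iptables -I FORWARD -i $PRIV_BR -o $GUEST_BR -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i $GUEST_BR -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_BR -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_BR -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_BR -p tcp --dport 53 -j ACCEPT
EOF
}

# Number of rules emitted; a quick sanity check before applying.
fw_rule_count() { fw_rules | wc -l | tr -d ' '; }

# Dry run by default (prints the commands so the order can be reviewed);
# pass --apply to execute them, e.g. from the Administration > Commands box.
fw_apply() {
    if [ "$1" = "--apply" ]; then
        fw_rules | sh -e
    else
        fw_rules
    fi
}

fw_apply "$@"
```

Resulting FORWARD order, top-down: RELATED/ESTABLISHED, br0 to br1, br0 to WAN, br1 to WAN, then br1 to br0 DROP; INPUT from br1 accepts DHCP and DNS and rejects every other new connection.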