Posted: Thu Apr 06, 2023 6:33 Post subject: VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)
The thread is valid for all newer firmware builds ≥ r52217
At the moment the thread is mainly for Atheros routers with 2 CPU ports like:
NETGEAR R7800, XR500, XR450, R7500, R7500V2, ASROCK G10, LINKSYS EA8500, D-Link DAP-3662, DIR-862L, TP-LINK Archer C7 v1-3, TL-WR1043ND v2, Comfast CF-WR650AC, Buffalo WZR-450HP2 etc...
The settings also work on Marvell routers like: WRT1200AC, WRT1900AC, WRT1900ACV2, WRT1900ACS, WRT3200ACM, WRT32X
If you have old CLI VLAN settings then remove them first or reset the router.
It is advantageous if you have a working WLAN connection when configuring the switch.
If you lock yourself out and the LAN ports no longer work, you can still connect to the router via WiFi.
The screenshots are from my R7800, so the port assignment shown via "swconfig dev switch0 show" may differ on other devices.
The "switch config tab" received a small update and the CPU ports are now configurable.
Finally VLANs can be configured via GUI on routers with multiple CPU ports.
The screenshot shows the "default configuration".
Last edited by ho1Aetoo on Sun Jan 07, 2024 12:50; edited 15 times in total
A second variant to tag the WAN port.
In this example it is not done by the switch but by the processor.
This variant requires a bit more resources but has the advantage that the switch allows non-tagged traffic to pass through and you can access e.g. the WebIF of the modem.
I use VLAN7 again as an example.
Last edited by ho1Aetoo on Wed Apr 12, 2023 7:05; edited 4 times in total
The settings shown in the screenshots are sufficient.
The GUI setting "Net Isolation" isolates interfaces from br0.
This means that no connection between br0 <-> br1 is possible.
However, if you have created several new bridges and want a more finely controlled isolation, manual firewall settings are necessary.
As already mentioned, "Net Isolation" only isolates against br0, which means that br1 and br2 are not isolated from each other, for example.
Manual firewall rules for isolation.
Insert the firewall rules in the "Diagnostics.asp" tab. (for a trunk port setup with a WAP, the rules are placed on the main router!).
## block connections from br1 to br0
## connection from br0 to br1 possible
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
## block connections from br2 to br0
## connection from br0 to br2 possible
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT
## block connections from br1 to br2
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
## block connections from br2 to br1
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT
Last edited by ho1Aetoo on Wed Dec 20, 2023 12:48; edited 2 times in total
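The rules in the post above are written out by hand for two extra bridges. As an added example (not code from the post or from DD-WRT), the shell script below generalises the same pattern to any number of guest bridges: every guest bridge is blocked from opening new connections towards br0, and every pair of guest bridges is blocked in both directions, while br0 can still reach all of them. The function names (gen_isolation_rules, count_isolation_rules, apply_isolation_rules) are my own; br0 as the trusted LAN bridge and the br1/br2 names are taken from the post. Running the script only prints the iptables commands, so you can review them before pasting them into the Diagnostics tab as described; apply_isolation_rules executes them and is only meant to be run on the router itself.

```shell
#!/bin/sh
# Added example: generate the same kind of bridge isolation rules as in the
# post, for an arbitrary list of guest bridges. br0 is assumed to be the
# trusted LAN bridge (as in the post); all arguments are guest bridges.

# Print one "iptables -I FORWARD ..." line per rule, without executing it.
# Usage: gen_isolation_rules br1 br2 [br3 ...]
gen_isolation_rules() {
    # 1) guest -> br0: reject NEW connections (br0 -> guest stays allowed,
    #    replies come back through the ESTABLISHED/RELATED state)
    for guest in "$@"; do
        echo "iptables -I FORWARD -i $guest -o br0 -m state --state NEW -j REJECT"
    done
    # 2) guest <-> guest: reject NEW connections in both directions,
    #    which is the part "Net Isolation" in the GUI does not cover
    for src in "$@"; do
        for dst in "$@"; do
            if [ "$src" != "$dst" ]; then
                echo "iptables -I FORWARD -i $src -o $dst -m state --state NEW -j REJECT"
            fi
        done
    done
}

# Number of rules the generator produces: n + n*(n-1) for n guest bridges.
count_isolation_rules() {
    gen_isolation_rules "$@" | wc -l | tr -d ' '
}

# Execute the generated rules on the router (needs root and iptables).
# Because -I inserts at the top of FORWARD, the rules end up before any
# permissive ACCEPT rule that is already present in the chain.
apply_isolation_rules() {
    gen_isolation_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Stand-alone run: only print the rules for the two bridges from the post.
if [ "${1:-}" = "--print" ]; then
    shift
    gen_isolation_rules "$@"
fi
```

With two guest bridges the generator produces exactly the four REJECT rules listed in the post; with three it produces nine, because every ordered pair of guest bridges needs its own rule. The rules only stop new connections, so a client on br0 can still reach a device on br1 and get its replies back.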