Configuring VLAN

seneka21
DD-WRT Novice


Joined: 12 Nov 2022
Posts: 32

Posted: Wed Apr 10, 2024 0:36    Post subject: Configuring VLAN
Hi,

I use an activated DD-WRT r55678 (dd-wrt_x64_full_vga_2GB) firmware.

Despite multiple hours spent searching various guides and on trial-and-error attempts, I didn't manage to create a working VLAN on eth1 (for safety reasons - IoT network).

The Networking configuration settings are as in the attached picture (default settings).

It may be helpful to mention that the command "nvram show | grep vlan.*ports"
returns "size: 21553 bytes (109519 left)
vlan3ports=1"

I would be grateful if someone could give me some help with this - preferably through the command line.
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1283
Location: WV, USA

Posted: Wed Apr 10, 2024 4:10
A screenshot of your Switch Config tab would also be useful. Did you set that up?
_________________
- Linksys EA8500: I-Gateway, AP/VAP 5ghz only r56820: Features: WDS-AP, VLANs, Samba, WG, Entware
- Linksys EA8500: WDS Station x2 - r56941
- Netgear R6400v2: WAP/VAP 2.4ghz only w/VLANs over single trunk port. r56820
- Netgear R7800 (WDS-AP, WAP/VAP) - r56820: Features in use: multiple VLANs over single trunk port
- Linksys MR7350: Testing r56941
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.

- Forum member #248
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3116
Location: Germany

Posted: Wed Apr 10, 2024 7:45
x86 do not have a "switch config" tab because they do not have a switch...
VLANs can be easily configured on x86...
See sticky

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1283409#1283409

Quote:
a second variant to tag the WAN port
In this example it is not done by the switch but by the processor.


It is for the WAN port, but you can also use any other port - it doesn't matter.

unbridge eth1
create VLAN tag for eth1 (eth1.x)

do whatever you want with eth1.x
it is usually recommended to work with bridges

create a new bridge br1
bridge eth1.x with br1
create a DHCP server for br1

etc

you can also omit the bridge and configure the DHCP server directly for eth1.x.

_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)

Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
seneka21
DD-WRT Novice


Joined: 12 Nov 2022
Posts: 32

Posted: Wed Apr 10, 2024 16:22
Dear ho1Aetoo and lexridge, thank you a lot.

By following your instructions I have done some configurations in the Networking tab in order to attach any device on physical port Eth1 to VLAN7. (attached picture)

Although everything seems OK to me, none of the devices connected on physical port Eth1 gets online.

I have tried a lot to find a way around with no success :(

I rely on your expertise and your goodwill for some further help :-)

Have a nice day
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3116
Location: Germany

Posted: Wed Apr 10, 2024 16:36
Everything looks right.

A few notes:

disable STP on br1
enable net isolation on br1
delete the additional DHCP server for br0

Which IP address range does the normal LAN network have?
(hopefully a different one than br1)

second question do the devices connected to eth1 get IP addresses in the range 192.168.107.1/24?

and finally the price question, is there a device connected to eth1 that is capable of VLAN7 tagging?

this is a tagged VLAN
only devices that can handle IEEE 802.1q, such as managed switches or other routers, can be connected to a tagged port.

If you want to connect a normal end device to the port that is not capable of tagging, then it will not work.
But then you don't need a tagged VLAN... then you can delete eth1.7 again and bridge eth1 with br1.

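Added example (not part of any post in this thread, and not DD-WRT's own configuration code): the unbridge / tag / bridge steps from the posts above as standard Linux ip and brctl commands, in both the tagged form (eth1.7 in br1) and the untagged form (eth1 directly in br1). The function name plan_port is hypothetical; the commands are runtime-only, and the DHCP server for br1 is assumed to be set up separately in the GUI.

```shell
#!/bin/sh
# Added example, not from the thread. Standard Linux ip/brctl commands;
# eth1, br1, VLAN 7 and 192.168.107.1/24 are the thread's values.
# Changes are runtime-only (assumption: persistence comes from the GUI
# or a startup script).

# plan_port PORT BRIDGE CIDR [VID]
# Prints the commands that move PORT out of br0 and into BRIDGE.
#   with VID    -> member is PORT.VID, frames on the wire carry an 802.1Q tag
#   without VID -> member is PORT itself, frames are untagged
plan_port() {
    port=$1; bridge=$2; cidr=$3; vid=${4:-}
    member=$port
    if [ -n "$vid" ]; then
        case $vid in
            *[!0-9]*) echo "VLAN ID must be numeric: $vid" >&2; return 1 ;;
        esac
        if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
            echo "VLAN ID must be 1-4094: $vid" >&2; return 1
        fi
        member=$port.$vid
    fi
    echo "brctl delif br0 $port"                 # unbridge the port
    if [ "$member" != "$port" ]; then
        echo "ip link add link $port name $member type vlan id $vid"
        echo "ip link set $port up"              # parent must be up too
    fi
    echo "brctl addbr $bridge"
    echo "brctl addif $bridge $member"
    echo "ip addr add $cidr dev $bridge"
    echo "ip link set $member up"
    echo "ip link set $bridge up"
}

echo "# tagged: for a managed switch or router that speaks VLAN 7"
plan_port eth1 br1 192.168.107.1/24 7
echo "# untagged: for an ordinary access point or end device"
plan_port eth1 br1 192.168.107.1/24
```

Where tcpdump is available on the router, `tcpdump -e -n -i eth1 vlan` shows whether the attached device actually sends 802.1Q-tagged frames, which decides between the two forms.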
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1283
Location: WV, USA

Posted: Wed Apr 10, 2024 16:58
ho1Aetoo wrote:
x86 do not have a "switch config" tab because they do not have a switch...

Duh! I knew that. Wasn't paying enough attention when I posted. Sorry for the bad information.

seneka21
DD-WRT Novice


Joined: 12 Nov 2022
Posts: 32

Posted: Wed Apr 10, 2024 19:04
ho1Aetoo wrote:
Everything looks right.

A few notes:

disable STP on br1
enable net isolation on br1
delete the additional DHCP server for br0

Which IP address range does the normal LAN network have?
(hopefully a different one than br1)

second question do the devices connected to eth1 get IP addresses in the range 192.168.107.1/24?

and finally the price question, is there a device connected to eth1 that is capable of VLAN7 tagging?

this is a tagged VLAN
only devices that can handle IEEE 802.1q, such as managed switches or other routers, can be connected to a tagged port.

If you want to connect a normal end device to the port that is not capable of tagging, then it will not work.
But then you don't need a tagged VLAN... then you can delete eth1.7 again and bridge eth1 with br1.


Firstly, I applied your remarks with no success :( Moreover, it may be helpful to mention that:
1. My normal LAN network has basic IP address 192.168.1.1/24 starting at 192.168.1.2 with Maximum DHCP Users 240. The br1 network has basic IP address 192.168.107.1/24 starting at 192.168.107.2 with Maximum DHCP Users 240.
2. The IoT network on eth1 is based upon an ASUS RT-AC68U with factory firmware configured as Access Point with factory default settings.
3. The smart devices, connected through the aforementioned AP, are mostly of the sonoff smart switch type, Alexa echo dot, and some wifi capable devices like A/Cs and kitchen appliances. So I can't be sure if they are capable of tagging or not.

Secondly, I followed the alternative proposed solution by bridging eth1 with br1 (1st Picture), which seems to work, i.e. I cannot ping from one virtual network to the other. (2nd Picture)

I feel really indebted :D

P.S. Should I denote this topic as SOLVED or something?
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3116
Location: Germany

Posted: Wed Apr 10, 2024 19:24
The Asus router is certainly capable of VLAN tagging.
But this is not required for such a simple configuration.
Tagging is required if you want to transport several VLANs via one port and one cable.

The GUI setting "network isolation" only becomes active when a WAN connection is established.
If there is no WAN connection, the networks are not isolated from each other.
If you want to change this, you need manual firewall settings.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1283412#1283412

This provides better isolation than the GUI switch

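Added example (not from this thread and not the rules in the linked post): one way to write manual isolation rules that match only on the bridge interfaces and therefore do not depend on the WAN state. It assumes br1 is the IoT bridge and br0 the normal LAN; the function name isolation_rules is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread and not the rules in the linked post.
# Assumptions: br1 is the IoT bridge, br0 the normal LAN, and the output is
# placed in the router's firewall startup script (hypothetical placement).

# isolation_rules IOT_BRIDGE LAN_BRIDGE
# Prints iptables commands that match on the bridge interfaces only, so
# they apply whether or not a WAN connection exists.
isolation_rules() {
    iot=$1; lan=$2
    for ifc in "$iot" "$lan"; do
        case $ifc in
            ''|*[!A-Za-z0-9._-]*)
                echo "bad interface name: '$ifc'" >&2; return 1 ;;
        esac
    done
    [ "$iot" != "$lan" ] || { echo "bridges must differ" >&2; return 1; }
    # No new connections between the two networks, in either direction.
    echo "iptables -I FORWARD -i $iot -o $lan -m state --state NEW -j DROP"
    echo "iptables -I FORWARD -i $lan -o $iot -m state --state NEW -j DROP"
    # IoT clients may not open connections to the router itself ...
    echo "iptables -I INPUT -i $iot -m state --state NEW -j DROP"
    # ... except DHCP and DNS. -I inserts at the top of the chain, so these
    # later lines end up above the DROP and are evaluated first.
    echo "iptables -I INPUT -i $iot -p udp --dport 67 -j ACCEPT"
    echo "iptables -I INPUT -i $iot -p udp --dport 53 -j ACCEPT"
    echo "iptables -I INPUT -i $iot -p tcp --dport 53 -j ACCEPT"
}

isolation_rules br1 br0
```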
seneka21
DD-WRT Novice


Joined: 12 Nov 2022
Posts: 32

Posted: Thu Apr 11, 2024 16:40
Dear ho1Aetoo, thank you very much.

Your help was invaluable in order to increase the safety in my network.
As for any additional firewall settings that you have mentioned in the previous post, according to my limited experience, it would be more like opening up a can of worms :)

In any case I got a lot of useful knowledge about VLANs, tagging, bridges etc.

Thanks once more!
All times are GMT