Multiple SSIDs on multiple routers

DD-WRT Forum Index -> Atheros WiSOC based Hardware
margemailbox
DD-WRT Novice


Joined: 17 Jan 2014
Posts: 11

Posted: Wed Jan 22, 2014 8:05    Post subject: Multiple SSIDs on multiple routers
I've been reading through tutorials and this message board for days, but I can't find anyone who's posted on the exact problem I'm trying to solve. I have some ideas for how to do it, but I'm hoping to get some guidance from someone more experienced with DD-WRT.

Here's what I'm trying to accomplish: I have two TP-Link WDR3600 routers running Brainslayer 23320. My goal is to use one of them as a WiFi router and the other as an AP because my house has four floors. The two routers will be connected to each other via Ethernet cable. I plan to have two private SSIDs (a 2.4GHz and 5GHz) and two guest SSIDs (also 2.4GHz and 5GHz). All WiFi clients should be able to connect to the Internet, but the guest clients shouldn't be able to connect to anything else. I want the SSIDs hosted on both routers to be identical, and I want only the main router running DHCP.

I've got the main router set up with all four SSIDs. The two main SSIDs are serving up addresses on the 192.168.0.0 subnet, and the two guest SSIDs are serving up addresses on the 192.168.2.0 subnet (I've attached the guest SSIDs to a bridge br1 and given br1 a DHCP server). I have not done anything else to explicitly segregate the guest and private networks (yet), but as far as I can tell the only thing the guests can reach other than the Internet is the router (I have AP isolation enabled).

I'm getting ready to set up the second router now, and my big concern is DHCP. How do I get the guest SSID clients going to 192.168.2.1 for DHCP, and all the other clients going to 192.168.0.1 for DHCP? Will they just do this by default if I disable DHCP on the router and give the SSIDs IP addresses on those subnets (I'm guessing not)? Do I need to set up VLAN tagging to make this work, and, if so, how (I've looked high and low for a good answer to this)? Does the answer change if I later decide to set up a third subnet for my servers or for a VPN connection?

I know the last thing I'll need to do is set up my firewall rules, but I want to get all of the stuff in the previous paragraph figured out before I get to that.

Thanks to anyone who has suggestions!
margemailbox
DD-WRT Novice


Joined: 17 Jan 2014
Posts: 11

Posted: Wed Jan 22, 2014 16:05
I just set up the second router, and the behavior is exactly as I feared. I followed the instructions for making the secondary router an AP (http://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point), and it's working fine for the main subnet, but clients on the guest VAPs can't get IP addresses when connected through the second router.

On the second router, I have the two guest VAPs set up on their own bridge, with no DHCP server running, and I gave them IP addresses on the same subnet as the guest VAPs on the main router. If I bridge the VAPs on the second router to br0, I get assigned an IP by my main DHCP server, so the client ends up with full network access, which is definitely not what I want.

How can I point the guest VAPs on the second router to the guest DHCP server on the first router? If I do so successfully, is there any way to set up DHCP reservations for guest VAP clients?
margemailbox
DD-WRT Novice


Joined: 17 Jan 2014
Posts: 11

Posted: Thu Jan 23, 2014 4:26
In case anyone ever discovers this thread while trying to solve a similar problem, I just found a clever solution in another thread: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=874548

I would have liked to have solved this using VLANs, but almost all the VLAN guidance I could find for problems like this focused on Broadcom hardware (http://www.dd-wrt.com/phpBB2/viewtopic.php?t=172506), and I just couldn't get those approaches to work with Atheros. EoIP may not be designed for this problem, but it's working perfectly.
margemailbox
DD-WRT Novice


Joined: 17 Jan 2014
Posts: 11

Posted: Fri Jan 24, 2014 7:03
After a lot of searching, I finally figured out how to do this with VLANs. The EoIP solution was working fine, but 1) it's very likely slower than a VLAN, which doesn't matter for my guest network, but would matter if I wanted to create other network enclaves for use inside my network; and 2) I really wanted to figure out how to get VLANs working with this hardware.

I used three main resources for reference:
1) http://www.dd-wrt.com/wiki/index.php/Switched_Ports
2) http://www.dd-wrt.com/phpBB2/viewtopic.php?t=172506&highlight=vlan+ssid
3) http://fixedit.itxpress.biz/2013/12/16/using-vlans-and-vpn-with-dd-wrt/

Reference 1 is the standard DD-WRT documentation on setting up VLANs, and it's important for understanding how VLAN setup is supposed to work. Reference 2 is a thread in which someone who was trying to solve the exact same problem I was trying to solve did so successfully using VLANs, but did it with a Broadcom chipset. Reference 3 is a guide from someone who solved a similar problem on the TP-Link WDR3600, which is the same router I have.

There are two important pieces of information I had to figure out to make this work:
1) The standard "nvram set" way of defining VLANs at the command line doesn't appear to work on the Atheros chipset, and that's why just following Reference 1 and Reference 2 wasn't working.
2) Once I got away from "nvram set" and instead used swconfig (as in Reference 3) to build a startup script, I had to realize that the port numbering schemes that swconfig recognizes are completely different from the port numbering schemes that "nvram set" recognizes.

Here is an example of the difference in port numbering:
"nvram set" example: nvram set vlan0ports="1 2 3t 4 5*"
swconfig example: swconfig dev eth0 vlan 1 set ports "0t 2 3 4t 5"

The two commands above are basically meant to accomplish the same thing. They take the VLAN that is listed in the GUI as VLAN 1, and they turn the port labeled 3 on the back of the router into a trunk port (the first example might be slightly off, as it may be 2t rather than 3t, but I couldn't test it since this method wasn't working on this router). Whereas the switch's internal port is port 5 in the first example, it's port 0 in the second (and it must be a trunk). Whereas ports 1-4 are the switch ports on the back of the router in the first example, ports 2-5 are the switch ports on the back of the router in the second example.

Given that background, here is what I did:

Router 1
Wireless->Basic Settings:
VAP SSID: Guest
AP Isolation: Enabled
Unbridged
IP Address: 192.168.3.1
Subnet Mask: 255.255.255.0

Startup script:
swconfig dev eth0 set enable_vlan 3
swconfig dev eth0 vlan 1 set ports "0t 2 3 4t 5"
swconfig dev eth0 vlan 3 set ports "0t 4t"
swconfig dev eth0 set apply
vconfig add eth0 3
ifconfig vlan3 192.168.3.1 netmask 255.255.255.0
ifconfig vlan3 up
brctl addif br1 vlan3

Aside explaining how the startup script works: Create VLAN3, trunk the port that connects to router 2, and put only that trunk port and the internal port on VLAN3. Give VLAN3 an IP address (same one as the VAP) and bring VLAN3 up. Then add VLAN3 to Bridge br1 since doing so in the GUI won't work when you reboot (as VLAN3 isn't created until after br1 is brought up).

Setup->Networking:
Bridge br1
Assignment 0: ath0.1 (the VAP)
IP Address: 192.168.3.1
Subnet Mask: 255.255.255.0
STP On

VLAN3
Unbridged
IP Address: 192.168.3.1
Subnet Mask: 255.255.255.0

ath0.1
Unbridged
IP Address: 192.168.3.1
Subnet Mask: 255.255.255.0

DHCP Server on Interface br1

Firewall:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

Firewall explanation:
1) Allow systems behind the router to use NAT to get to the Internet
2) Don't allow br1 (guest network) to communicate with br0 (private network)
3) Only allow br1 to communicate with the router for DHCP and DNS requests

Router 2
Wireless->Basic Settings:
VAP SSID: Guest
AP Isolation: Enabled
Unbridged
IP Address: 192.168.3.2
Subnet Mask: 255.255.255.0

Startup script:
swconfig dev eth0 set enable_vlan 3
swconfig dev eth0 vlan 1 set ports "0t 2 3 4 5t"
swconfig dev eth0 vlan 3 set ports "0t 5t"
swconfig dev eth0 set apply
vconfig add eth0 3
ifconfig vlan3 192.168.3.2 netmask 255.255.255.0
ifconfig vlan3 up
brctl addif br1 vlan3

Note: Replace "5t" with whichever port is connected to Router 1.

Setup->Networking:
Bridge br1
Assignment 0: ath0.1 (the VAP)
IP Address: 192.168.3.2
Subnet Mask: 255.255.255.0
STP On

VLAN3
Unbridged
IP Address: 192.168.3.2
Subnet Mask: 255.255.255.0

ath0.1
Unbridged
IP Address: 192.168.3.2
Subnet Mask: 255.255.255.0

Firewall:
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT


That's it. It's working like a charm. My thanks go out to the guys who wrote the tutorials I referenced above, as I wouldn't have gotten anywhere without them.
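The firewall lines in the post above are all added with `iptables -I`, which inserts at the head of the chain, so the line typed last is the one checked first. The following is an added example, not code from the thread or from DD-WRT: it replays the Router 1 filter-table lines into per-chain lists in their real evaluation order and evaluates a few constructed packets against them, so you can see the three points of the firewall explanation hold. The nat-table SNAT line is left out because it does not decide accept or drop; a packet matched by none of the posted rules falls through to DD-WRT's own default rules, which are not modelled here and are reported as `fallthrough`. The WAN interface name `eth0.2` is an assumption used only for the sample packets.

```python
"""Replay the posted `iptables -I` rules and evaluate constructed packets."""
import shlex

# Quoted from the post (filter-table lines only; the nat SNAT line is omitted).
ROUTER1_FILTER_RULES = """\
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
"""

# Options that take one argument and map onto a match key or the target.
_TWO_ARG = {"-I": "chain", "-i": "in", "-o": "out", "-p": "proto",
            "--dport": "dport", "--state": "state", "-j": "target"}


def parse_rule(line):
    """Turn one `iptables -I ...` line into a dict of match keys plus the target."""
    argv = shlex.split(line)
    rule = {key: None for key in _TWO_ARG.values()}
    i = 1  # skip the 'iptables' word itself
    while i < len(argv):
        opt = argv[i]
        if opt in _TWO_ARG:
            val = argv[i + 1]
            rule[_TWO_ARG[opt]] = int(val) if opt == "--dport" else val
            i += 2
        elif opt == "-m":  # match-extension name (e.g. 'state'); its options follow
            i += 2
        else:
            i += 1
    return rule


def build_chains(script):
    """Apply each line in order; -I places the newest rule at the head of its chain."""
    chains = {}
    for line in script.splitlines():
        if line.strip():
            rule = parse_rule(line)
            chains.setdefault(rule["chain"], []).insert(0, rule)
    return chains


def verdict(chains, chain, packet):
    """First matching rule wins; a packet no posted rule matches falls through."""
    for rule in chains.get(chain, []):
        if all(rule[k] is None or packet.get(k) == rule[k]
               for k in ("in", "out", "proto", "dport", "state")):
            return rule["target"]
    return "fallthrough"


def guest_policy_summary(chains):
    """Constructed packets covering the three points of the firewall explanation."""
    return {
        "guest dhcp to router": verdict(chains, "INPUT", {"in": "br1", "proto": "udp", "dport": 67, "state": "NEW"}),
        "guest dns to router": verdict(chains, "INPUT", {"in": "br1", "proto": "tcp", "dport": 53, "state": "NEW"}),
        "guest ssh to router": verdict(chains, "INPUT", {"in": "br1", "proto": "tcp", "dport": 22, "state": "NEW"}),
        "guest to private lan": verdict(chains, "FORWARD", {"in": "br1", "out": "br0", "state": "NEW"}),
        "guest to internet": verdict(chains, "FORWARD", {"in": "br1", "out": "eth0.2", "state": "NEW"}),  # assumed WAN name
        "private lan to guest": verdict(chains, "FORWARD", {"in": "br0", "out": "br1", "state": "NEW"}),
    }


if __name__ == "__main__":
    for name, result in guest_policy_summary(build_chains(ROUTER1_FILTER_RULES)).items():
        print("%-22s %s" % (name, result))
```

Two things the model makes visible: the `-o br0 DROP` line must be typed after the `-i br1 ACCEPT` line (as in the post), otherwise the ACCEPT would sit in front of it and guest clients could reach the private LAN; and nothing in the posted rules says anything about traffic from br0 towards br1, which is left to DD-WRT's own chains. The same head-insertion ordering applies to the four INPUT lines on Router 2.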
farrukh
DD-WRT Novice


Joined: 31 Dec 2013
Posts: 41

Posted: Fri Jan 24, 2014 8:09
margemailbox wrote:
After a lot of searching, I finally figured out how to do this with VLANs. The EoIP solution was working fine, but 1) it's very likely slower than a VLAN, which doesn't matter for my guest network, but would matter if I wanted to create other network enclaves for use inside my network; and 2) I really wanted to figure out how to get VLANs working with this hardware.

Thanks, I'll try this setup tonight. I have a WDR3600 connected to the WAN and a 1043ND as a second router (AP).

And if I read correctly, both of your routers are WDR3600?
margemailbox
DD-WRT Novice


Joined: 17 Jan 2014
Posts: 11

Posted: Fri Jan 24, 2014 14:08
Yes, both are WDR3600.
farrukh
DD-WRT Novice


Joined: 31 Dec 2013
Posts: 41

Posted: Sat Jan 25, 2014 5:45
OK, I did the VLAN + bridging + firewall settings on both routers accordingly, but the VAP on router 2 is unable to get an IP from DHCP.
Port 3 of router 1 is connected to port 2 of router 2.

Router1: swconfig dev eth0 show:

Code:
VLAN 1:
        vid: 1
        ports: 0t 2 3t 4 5
VLAN 2:
        vid: 2
        ports: 0t 1
VLAN 3:
        vid: 3
        ports: 0t 3t


Router 2: swconfig dev eth0 show:

Code:
VLAN 1:
        info: VLAN 1: Ports: '12t345t', members=003e, untag=001a, fid=0
        fid: 0
        ports: 1 2t 3 4 5t
VLAN 2:
        info: VLAN 2: Ports: '05t', members=0021, untag=0001, fid=0
        fid: 0
        ports: 0 5t
VLAN 3:
        info: VLAN 3: Ports: '2t5t', members=0024, untag=0000, fid=0
        fid: 0
        ports: 2t 5t


Also, please confirm that your router 2 is an AP without WAN, right? Please add more detail about your 2nd router's basic configuration and share your dmesg if possible.

Does this dmesg screenshot give any clue?
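The two `swconfig dev eth0 show` listings quoted in this post are exactly what you want to check when a guest VLAN misbehaves: the guest VLAN should contain only the trunk port and the CPU port, both tagged, and no port should be untagged in two VLANs at once. The following is an added example, not code from the thread or from DD-WRT: a small parser for the text swconfig prints (it accepts both the WDR3600 style with `vid:` lines and the 1043ND rtl8366rb style with the extra `info:` line) plus a leak check run over the two quoted outputs and over one constructed, deliberately wrong table. Port numbers are the swconfig ones, not the labels on the back of the case, and the trunk and CPU port numbers are passed in because they differ between the two switches (port 0 is the CPU on the WDR3600 output, port 5 on the 1043ND output).

```python
"""Parse `swconfig dev <switch> show` VLAN tables and check a guest VLAN for leaks."""
import re

_VLAN_HEADER = re.compile(r"^VLAN\s+(\d+):")
_PORT_LIST = re.compile(r"^\s*ports:\s*(.*)$")

# Quoted from the thread: Router 1 (WDR3600), trunk on port 3, CPU on port 0.
ROUTER1_SHOW = """\
VLAN 1:
        vid: 1
        ports: 0t 2 3t 4 5
VLAN 2:
        vid: 2
        ports: 0t 1
VLAN 3:
        vid: 3
        ports: 0t 3t
"""

# Quoted from the thread: Router 2 (1043ND, rtl8366rb), trunk on port 2, CPU on port 5.
ROUTER2_SHOW = """\
VLAN 1:
        info: VLAN 1: Ports: '12t345t', members=003e, untag=001a, fid=0
        fid: 0
        ports: 1 2t 3 4 5t
VLAN 2:
        info: VLAN 2: Ports: '05t', members=0021, untag=0001, fid=0
        fid: 0
        ports: 0 5t
VLAN 3:
        info: VLAN 3: Ports: '2t5t', members=0024, untag=0000, fid=0
        fid: 0
        ports: 2t 5t
"""

# Constructed (not from the thread): port 4 was added untagged to the guest VLAN,
# so anything plugged into that socket would land on the guest network.
LEAKY_SHOW = """\
VLAN 1:
        vid: 1
        ports: 0t 2 3t 5
VLAN 3:
        vid: 3
        ports: 0t 3t 4
"""


def parse_swconfig_show(text):
    """Return {vid: {port: tagged}} from the VLAN section of swconfig show output."""
    vlans, current = {}, None
    for line in text.splitlines():
        header = _VLAN_HEADER.match(line.strip())
        if header:
            current = int(header.group(1))
            vlans[current] = {}
            continue
        ports = _PORT_LIST.match(line)
        if ports and current is not None:
            for token in ports.group(1).split():
                vlans[current][int(token.rstrip("t"))] = token.endswith("t")
    return vlans


def check_guest_vlan(vlans, guest_vid, trunk_port, cpu_port):
    """Return findings as strings; an empty list means the guest VLAN is isolated."""
    findings = []
    guest = vlans.get(guest_vid)
    if guest is None:
        return ["guest VLAN %d is not present on the switch" % guest_vid]
    allowed = {trunk_port, cpu_port}
    for port, tagged in sorted(guest.items()):
        if port not in allowed:
            findings.append("port %d is a member of guest VLAN %d and should not be" % (port, guest_vid))
        elif not tagged:
            findings.append("port %d carries guest VLAN %d untagged; it must be tagged" % (port, guest_vid))
    for port in sorted(allowed - set(guest)):
        findings.append("port %d is missing from guest VLAN %d" % (port, guest_vid))
    # A port that is untagged in two VLANs cannot tell its ingress frames apart.
    untagged_in = {}
    for vid, members in vlans.items():
        for port, tagged in members.items():
            if not tagged:
                untagged_in.setdefault(port, []).append(vid)
    for port, vids in sorted(untagged_in.items()):
        if len(vids) > 1:
            findings.append("port %d is untagged in more than one VLAN: %s" % (port, sorted(vids)))
    return findings


if __name__ == "__main__":
    print("router 1:", check_guest_vlan(parse_swconfig_show(ROUTER1_SHOW), 3, trunk_port=3, cpu_port=0))
    print("router 2:", check_guest_vlan(parse_swconfig_show(ROUTER2_SHOW), 3, trunk_port=2, cpu_port=5))
    print("leaky:   ", check_guest_vlan(parse_swconfig_show(LEAKY_SHOW), 3, trunk_port=3, cpu_port=0))
```

Both quoted tables come out clean, which is consistent with the VLAN membership itself being correct here; the check is still worth keeping in a startup script or running after any `swconfig ... set apply`, because a single untagged LAN port in the guest VLAN silently turns that socket into a guest-network port.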
farrukh
DD-WRT Novice


Joined: 31 Dec 2013
Posts: 41

Posted: Sat Jan 25, 2014 8:12
UPDATE:

I got it working!! The culprit was a bug in the switch (rtl8366rb) of the TP-Link 1043ND v1.8. I found a workaround in this OpenWrt ticket: https://dev.openwrt.org/ticket/7795

So basically, the switch on 1043ND rtl8366rb needs a "kick" to enable proper dot1q tagging off a non-CPU port.

So I just added an extra line in the swconfig commands. And now the startup commands look like this:

Code:
swconfig dev rtl8366rb set enable_vlan 3
swconfig dev rtl8366rb vlan 1 set ports "1 2t 3 4 5t"
swconfig dev rtl8366rb vlan 3 set ports "2 5t"
swconfig dev rtl8366rb vlan 3 set ports "2t 5t"
swconfig dev rtl8366rb set apply
vconfig add eth0 3
ifconfig vlan3 192.168.7.2 netmask 255.255.255.0
ifconfig vlan3 up
brctl addif br1 vlan3

The following 2 lines from the above code do the "kick"

swconfig dev rtl8366rb vlan 3 set ports "2 5t"    [pings continue to drop]
swconfig dev rtl8366rb vlan 3 set ports "2t 5t"   [redoing trunk config]

So basically it means that once I set port 2 to a normal non-tagged VLAN and then back to a trunk port, I got properly tagged traffic.

End result:

WDR3600 (main router) + 1043ND v1.8 (just an AP) are now working perfectly together, providing multiple VAPs with seamless roaming.

I've come across so many unsolved threads here on how to make a separate network VAP on a dumb AP. So kudos to margemailbox who made this possible on Atheros with his research.
All times are GMT