Bridged VAP to VLAN not able to connect

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
Pat_Rich
DD-WRT Novice


Joined: 05 Nov 2020
Posts: 26

PostPosted: Wed Feb 24, 2021 20:03    Post subject: Bridged VAP to VLAN not able to connect Reply with quote
Hi,
I have a Dlink DIR868L Rev A with DDWRT r45767 installed.
I read a lot of posts and spent many hours to fix the VLAN issue. I hope someone would be able to help.

I use a start up script to setup the VLAN and not using the NVRAM method. I will explain why it is not working for me.

I would like to have the following:
LAN port 1 VLAN20
LAN port 2 VLAN20
LAN port 3 VLAN1
LAN port 4 VLAN1(trunk)

VAP VLAN30

The startup script as follow:
# Clear VLAN 0
echo "" > /proc/switch/eth0/vlan/0/ports

# Configure VLAN 1 with LAN port 2, 3 and CPU port
echo "2 3 5*" > /proc/switch/eth0/vlan/1/ports
echo "4 5u" > /proc/switch/eth0/vlan/2/ports

# Configure VLAN 20 Cam with LAN port 0, 1 and CPU port

echo "0 1 3t 5" > /proc/switch/eth0/vlan/20/ports

# Configure VLAN 30 Cam with LAN port 3 and CPU port
echo "3t 5" > /proc/switch/eth0/vlan/30/ports

# Setting up VLAN interfaces ...
# We don't need the vlan0 interface now ...
/sbin/ifconfig vlan0 down
/sbin/vconfig rem vlan0

# Setup vlan20 interface
/sbin/vconfig add eth0 20
/sbin/ifconfig vlan20 up
/sbin/ifconfig vlan20 txqueuelen 0
# Setup vlan30 interface
/sbin/vconfig add eth0 30
/sbin/ifconfig vlan30 up
/sbin/ifconfig vlan30 txqueuelen 0

I was able to get the LAN port 1 & 2(VLAN20) working fine.
I went to Setup >Networking >Assign to Bridge to create a connection for Wl0.1(VAP) to VLAN30.
But the client was not able to connect to the VAP.

After a reboot of the DDWRT device, the VLAN30 is disappeared from the "current bridging table". (see attached pic.

I have tried to change VLAN30 port be "3t 5t" and it did not make any difference.

If the Wl0.1(VAP) stay on the default bridge br0, there is no problem to get connected.The client receives an IP address from the default VLAN DHCP.

The current NVRAM value as follow:
vlan1ports= 0 1 2 3 5*
vlan2ports= 4 5u

port0vlans=1
port1vlans=1
port2vlans=1
port3vlans=1
port3vlans=1
port4vlans=2
port5vlans=1 2 16

I tired nvram method, hoping it could fix the VAP problem.

vlan1ports= 2 3 5*
vlan2ports= 4 5u
vlan20ports=0 1 3t 5
vlan30ports=3t 5

Then I discovered a problem on the webGUI of the switch config.For some unknown reason, the order of the LAN port reversed.

Originally

Port W 1 2 3 4
R R R G G
After the NVRAM set vlan.*ports

Port W 1 2 3 4
R G G R R

The original port.*vlans value
port0vlans=1
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=2
port5vlans=1 2 16

I tried both sets of values and I were not able to get the LAN port working, let alone with VAP. That is why I stay with the startup script method.
Set 1
port0vlans=20
port1vlans=20
port2vlans=1
port3vlans=1 2 20 30 16
port4vlans=2
port5vlans=1 2 20 30 16

Set 2
port0vlans=1 2 20 30 16
port1vlans=1
port2vlans=20
port3vlans=20
port4vlans=2
port5vlans=1 2 20 30 16

With the startup script, i have the LAN port works as it should be, but not VAP. Whereas with NVRAM method, I got nothing working.

BTW, I have this script to start the VAP.

sleep 20
nvram set wl1.1_hwaddr=
nvram commit
stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas; logger "VAP workaround executed";

With startup script, the LAN port works, but not VAP.

With NVRAM method, not able to geth LAN and VAP work.

I hope someone would be able to give me some suggestion to try.

Best Regards



Screen Shot 2021-02-24 at 1.53.52 PM.png
 Description:
After reboot VLAN30 is missing in bridging table
 Filesize:  135.2 KB
 Viewed:  335 Time(s)

Screen Shot 2021-02-24 at 1.53.52 PM.png


Sponsor
CtrlAltBeer
DD-WRT Novice


Joined: 23 Feb 2021
Posts: 11

PostPosted: Wed Feb 24, 2021 22:14    Post subject: Reply with quote
VLAN / VAP connectivity seems to be an ongoing issue. I'm struggling at the same point myself.

It sounds like you've been through much the same reading material as me, but in case any of these are new:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317181
https://wiki.dd-wrt.com/wiki/index.php/Guest_Network
https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs

Frustratingly, this guide https://netosec.com/dd-wrt-wifi-vlans/ makes it sound fairly straightforward. However, in that scenario DD-WRT was acting as a router rather than a gateway and DNS was provided by a separate machine. I wonder if that's relevant.
CtrlAltBeer
DD-WRT Novice


Joined: 23 Feb 2021
Posts: 11

PostPosted: Thu Feb 25, 2021 9:32    Post subject: Reply with quote
I probably should have said that that bridge / VAP connectivity seems to be an ongoing issue. There seem to be two symptoms and, based on my limited understanding, it's possible that these have distinct causes.

1) Cannot connect to VAP after reboot (hence the workaround in the start-up scripts)
2) Cannot connect to VAP if bridged and wireless security is enabled.

I've found that I have the second issue: either removing the bridge assignment (sending it back to br0) or removing security (WPA, WEP, anything) allows it to work.

Worryingly if this is also your problem, someone was having this issue in 2010 (https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=537215) and another in 2012 (https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=713846). There's also a ticket open (https://svn.dd-wrt.com/ticket/6404)

Hopefully it's not still because...
phuzi0n wrote:
The reason for it is Broadcom's closed source wireless driver and encryption daemon have bugs with unbridged wireless interfaces. On some hardware it doesn't even work with no encryption, some hardware it only affects VAP's but not the main interface... we're stuck dealing with it by using bridges.

Are you able to connect if you either remove the bridge or disable security?
Pat_Rich
DD-WRT Novice


Joined: 05 Nov 2020
Posts: 26

PostPosted: Thu Feb 25, 2021 22:59    Post subject: Reply with quote
The VAP was able to connect with the default VLAN with no issue. The DHCP is on the primary router. I wonder if this could be an issue for VAP.

The reason to have a VAP is to put it into a difference VLAN to separate the 2 traffic. Default VLAN for main network. VAP for IoT and guest network.

I just do not understand why it does not work with the new bridge.
I can create VAP1 and VAP2, both will work with default VLAN. but not VAP1 for VLAN-A and VAP2 for VLAN-B, for example, with new bridge BrA and BrB.

is it because of the hardware? on some model of router would work, but some don't.

someone have a difference model of router got this working? a VAP bridge with a non default VLAN and connected?
CtrlAltBeer
DD-WRT Novice


Joined: 23 Feb 2021
Posts: 11

PostPosted: Fri Feb 26, 2021 12:51    Post subject: Reply with quote
Presumably you have wireless security enabled on the VAP. Just for testing purposes, what happens if you turn it off (Security Mode = Disabled)?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 8051
Location: Texas, USA

PostPosted: Fri Feb 26, 2021 13:37    Post subject: Reply with quote
You're not running a separate dhcp server or the VAP on the DD-WRT router?
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Pat_Rich
DD-WRT Novice


Joined: 05 Nov 2020
Posts: 26

PostPosted: Fri Feb 26, 2021 18:14    Post subject: Reply with quote
Hi,
Thank you for all the feedback.

When the security for the VAP was disable. The VAP was disable too. ie no VAP signal, only the main SSID.

All the DHCPs are on the primary router.

The VAP works on the main VLAN and client receives IP from DHCP on the primary router.

I tried WPA-PSK, WPA2-PSK,WPA2-PSK/WPA-PSK,CCMP-128,TKIP+CCMP and TKIP, they all failed to connected.

Best Regards
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 8051
Location: Texas, USA

PostPosted: Fri Feb 26, 2021 18:57    Post subject: Reply with quote
Ok, I guess I have to ask. What is the primary router, and does it have the proper vlans assigned, etc? Seems like all kinds of pieces of the larger picture are missing here.
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Pat_Rich
DD-WRT Novice


Joined: 05 Nov 2020
Posts: 26

PostPosted: Fri Feb 26, 2021 20:24    Post subject: Reply with quote
Hi,
I have a pfsence as a primary router. When I connect a laptop to the Dlink 868 AP via the LAN port (VLAN 1, 20 and 30) or the Main wifi (both 2.4G and 5G on br0 VLAN1).

The Laptop was able to obtain IP address from each of the respective DHCP, ie VLAN1, 20 and 30 from LAN port, VLAN1 from wifi

It should be fairly straight forward to do the bridging and i just do not understand why it is not working.

I tested again. The VAP (Wl0.1)works fine if it is on VLAN1.

FYI
WAN is Disable
Assign WAN to switch is Disable
DHCP is disable

Something to do with the bridge?

Best Regards



Screen Shot 2021-02-23 at 2.42.24 PM.png
 Description:
 Filesize:  150.38 KB
 Viewed:  200 Time(s)

Screen Shot 2021-02-23 at 2.42.24 PM.png


kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 8051
Location: Texas, USA

PostPosted: Fri Feb 26, 2021 21:03    Post subject: Reply with quote
I'm wondering if the '5's in your CLI vlan voodoo should be '5u's. How about trying that first.

Code:
vlan20ports=0 1 3t 5u
vlan30ports=3t 5u


If that doesn't work, try a '5*'

Code:
vlan20ports=0 1 3t 5*
vlan30ports=3t 5*


I don't think you need to tag them '5t'

Code:
vlan20ports=0 1 3t 5t
vlan30ports=3t 5t

_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Pat_Rich
DD-WRT Novice


Joined: 05 Nov 2020
Posts: 26

PostPosted: Mon Mar 01, 2021 21:58    Post subject: Reply with quote
Hi,
I tried on the 3 combinations.

None of them are working.

I tried also
Vlan2=4 5t with vlan30=3t 5u, 3t 5, 3t 5*, 3t 5t
vlan2=4 5* wuth vlan30=3t 5u, 3t 5, 3t 5*, 3t 5t
vlan2=4 5 with vlan30=5 5 , 3t 5u, 3t 5t, 3t 5*

Not working.

I noticed if i put both eth1 and Wl0.1(VAP) both into VLAN30. The client is able to get connected with IP correspond to VLAN30 from eth1 or wl0.1 (VAP)

I am guessing the authentication is working, but the bridging is not working for VAP.

Best Regards



Screen Shot 2021-03-01 at 4.50.19 PM.png
 Description:
both eth1 and wl0.1(VAP) in the same VLAN
 Filesize:  147.18 KB
 Viewed:  118 Time(s)

Screen Shot 2021-03-01 at 4.50.19 PM.png


egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7237
Location: Netherlands

PostPosted: Mon Mar 01, 2021 22:12    Post subject: Reply with quote
Is the VAP itself bridged?

i.a.w. do not unbridge the VAP

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 8051
Location: Texas, USA

PostPosted: Mon Mar 01, 2021 22:13    Post subject: Reply with quote
The only other thing I can think of is adding 4 to the list of vlan ports for 20, 30, etc. (Don't you have to have the WAN port assigned for it to pass through?!?!?)
Code:
vlan20ports=0 1 3t 4 5u
vlan30ports=3t 4 5u

If that doesn't work, then the * and t, but I'm pretty sure you don't have to tag port 5 (or port 4/0).

This is why I generally *don't* do complex vlan setups using DD-WRT, because my brain thinks how to do it on everything *but* DD-WRT Embarassed Rolling Eyes

_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Pat_Rich
DD-WRT Novice


Joined: 05 Nov 2020
Posts: 26

PostPosted: Tue Mar 02, 2021 21:19    Post subject: Reply with quote
Hi All,

I had already tried to add port 4 for testing before my previous response. They all failed.

All the VAP and bridges are on default setting.

With the current setting as below:

vlan1port=2 3 5*
vlan2port=4 5u
vlan20port=0 1 3t 5t
vlan30port=3t 5t

In my previous response, I noticed eth1 and VAP on the same VLAN30 works,

Instead of vlan1 on 2.4G AP(dd-wrt) and vlan30 on VAP (dd-wrt-vap). I put dd-wrt-vap on VLAN1 and dd-wrt on VLAN30. They are now working well as it should be.

with dd-wrt-vap connection, the client receives ip from VLAN1 DHCP.

whereas with dd-wrt connection, the client receives ip from VLAN30 DHCP.

In other word, the VAP can only be used on the default VLAN1.

This is the only way to go around it if anyone want to use VAP and the DDWRT unit setup as a Access Point. It is not possible to have multiples VAP of the same frequency.

For you information:
Router: Dlink DIR868L RevA
Mode: Access Point, WAN Disable, DHCP disable, WAN port as switch NOT used

VLAN1 LAN Port 3 and 4(trunk to primary router)
VLAN20 LAN Port 1 and 2 (for camera)

VLAN30 DDWRT 2.4G for IoT and guest
VLAN1 DDWRT-AP 2.4GHz
VLAN1 DDWRT-5G 5GHz

The ideal setup up would be DDWRT(Main VLAN1), DDWRT-VAP1(IoT & Guest VLAN30) and DDWRT-VAP2(wireless Camera VLAN20) all on the 2.4GHZ, but it is not possible at this stage.

Thank you for the inputs and the suggestions from everyone.



Screen Shot 2021-03-02 at 3.54.56 PM.png
 Description:
DDWRT on new VLAN30, DDWRT-VAP on main VLAN1.
 Filesize:  104.75 KB
 Viewed:  61 Time(s)

Screen Shot 2021-03-02 at 3.54.56 PM.png


kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 8051
Location: Texas, USA

PostPosted: Tue Mar 02, 2021 21:28    Post subject: Reply with quote
Why do you have port 3 tagged for vlan20 and vlan30 at the same time?
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum