[Per Yngve Berg]

Almost correct.

Physical port1 = switch port4,
Physical port2 = switch port3,
Physical port3 = switch port2,
Physical port4 = switch port1.
Note that the processor port is switch port6 (eth0), and switch port5 is the secondary processor port (eth1).

WAN = switch port0

By distributing over both port6 and port5, you get better performance as traffic is split over two gigabit ports instead of sharing one.

[Trossy]

Thanks Per Yngve Berg

I decided to read the dd-wrt documentation on "Switched Ports" since posting.

The "t", "u" stands for tagged and untagged. Still very confusing gathering up all this information and putting it to use but know I at least have much more to work with.

[Trossy]

[Per Yngve Berg]

The port is tagged so the processor can see it on eth1.4 separated from VLAN1 (eth1).

[Trossy]

[Per Yngve Berg]

Don't use that wiki page, use the PBR field in the OpenVPN setup. Remember to disable SFE and don't include the router's own address in PBR.

See the Advanced Networking Forum for VPN issues.

[ait109]

First I want to say that this discussion has been super helpful for me in getting this working on my R7500v2 and I want to share my findings for future users.

I'm running r37495M and it has no "VLAN" tab in the menu.

My goal was to have a separate WWAN along with a single LAN port that was isolated from my regular home computing network. I used the UI to create a virtual WWAN, and added it to a new bridge (br2). Also using the UI, I added another DHCP range for br2. I then added the following startup commands:

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "2 3 4 6"
swconfig dev switch0 vlan 4 set ports "1 6t"
swconfig dev switch0 set apply
vconfig add eth1 4
brctl addif br2 eth1.4


This successfully allowed me to have a new WWAN along with port # 4 (as physically numbered on the switch) on a separate network with internet access.

My final hurdle was trying to get the configuration to work after a reboot. WWAN worked, but I was getting no DHCP on the ethernet port. After some experimentation (mostly around restarting dnsmasq that didn't help), adding the following two commands to the end of the startup solved my problem:

ifconfig eth1.4 down
ifconfig eth1.4 up


Hope this helps someone.

[student13]

Hello I have a nighthawk x4s, and I want to isolate all ethernet ports such that they can only access the internet and not see other ethernet or wifi devices on my network. Here are my nighthawk X4S (r7800) settings. Can someone tell me what is wrong with my settings.

Thanks.


startup>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "6"
swconfig dev switch0 vlan 3 set ports "1 6t"
swconfig dev switch0 vlan 4 set ports "2 6t"
swconfig dev switch0 vlan 5 set ports "3 6t"
swconfig dev switch0 vlan 6 set ports "4 6t"
swconfig dev switch0 set apply
vconfig add eth1 3
ifconfig eth1.3 192.168.10.1 netmask 255.255.255.0
vconfig add eth1 4
ifconfig eth1.4 192.168.20.1 netmask 255.255.255.0
vconfig add eth1 5
ifconfig eth1.5 192.168.30.1 netmask 255.255.255.0
vconfig add eth1 6
ifconfig eth1.6 192.168.40.1 netmask 255.255.255.0


Firewall >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.

iptables -I FORWARD -i eth1.4 -o eth1.3 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.5 -o eth1.3 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.6 -o eth1.3 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.6 -o eth1.4 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.5 -o eth1.4 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.6 -o eth1.5 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.4 -o eth1.5 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.4 -o eth1.6 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.5 -o eth1.6 -m state --state NEW -j REJECT
iptables -I INPUT -i ath1.1 -d 192.168.2.1 -j DROP
iptables -I INPUT -i eth1.4 -d 192.168.2.1 -j DROP
iptables -I INPUT -i eth1.5 -d 192.168.2.1 -j DROP
iptables -I INPUT -i eth1.6 -d 192.168.2.1 -j DROP

[student13]

Here are som pictures of my settings

EDITED BY MODERATOR- YOU WERE ASKED TO CHANGE THE PICTURE SIZE AND DIDN'T. PICTURES REMOVED. POST AGAIN AT 768 PIXELS WIDE.

[student13]

more pics

EDITED BY MODERATOR- YOU WERE ASKED TO CHANGE THE PICTURE SIZE AND DIDN'T. PICTURES REMOVED. POST AGAIN AT 768 PIXELS WIDE.

[Per Yngve Berg]

I don't see any rules targeting br0 and ath1.1

[student13]

Hi Per,

My wireless setup is as such


ath0=main 5 GHz
ath1= main2.4 GHz
ath1.1=vap #1 on 2.4 GHz
ath1.2=vap #2 on 2.4 GHz

What rules do I have to add so that basically any Ethernet connected device won't see wifi connected devices?

Thanks.


Could this be a good example of what I have to enter:

iptables -I FORWARD -i eth1.4 -o ath1 -m state --state NEW -j REJECT ?

iptables -I FORWARD -i eth1.4 -o ath1.1 -m state --state NEW -j REJECT

iptables -I FORWARD -i eth1.4 -o ath1.2 -m state --state NEW -j REJECT

[Per Yngve Berg]

ath1 is bridged, so you have to use the bridge br0 on yhe rule.

[foz111]

What config and firewall would i require for 1 single vlan on R7800 (I am a complete vlan beginner)
My aim is to isolate Ethernet IoT devices. Hive tv's etc
My wireless is disabled on router, i use a mesh system that has isolated guest network already for wireless IoT
Thanks for any assistance in advance

[Alozaros]