All sorted thank you, i now have numbered port 1 with 192.168.10.0/24
I will google what i need to know now like the STP on or off in the bridge.
Thank you, anywhere to learn what the swconfig means so i can get my head around it?
Thanks again
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Dec 09, 2020 9:53 Post subject:
foz111 wrote:
i see eth1.3 in port setup now, i've created bridge (br1) unsure if STP should be on or off in bridging currently went with default and STP is showing, i need to have a look what STP is, What ip do i give to br1? is it the 192.168.10.1 with netmask 255.255.255.0 as per command line sorry currently penny not dropped with this yet but i will get my head around it?
I assume i give the br1 the 192.168.10.1 ip and assign it to eth1.3?
Am i correct in assuming everything else should stay the same except now 1 port on rear is the Vlan, & WAN is still the WAN port? Any idea what number the Vlan port will be on rear?
Thanks again
"unsure if STP should be on or off"
i don't use STP (spanning three protocol)...
"What IP do i give to br1? is it the 192.168.10.1 with netmask 255.255.255.0"
yep what ever you want...this was just an example you have to tailor it to your set up as i dont know it...
but the idea is the same...
once you insert that script, reboot and under networks menu vlan 3 should appear and where bridges are there must be a new bridge numbered what ever you want...
as well specify DNS, it could be using the default DNS you've set up for general use or DNS you want by your choice in that case you ll need to add a line in DNSmasq, interface=br2 for example...
under networks you have to add a DHCP for this bridge
ports are opposite i believe... port 4 is 1 or the other way around
i ll sent you a pics of my set up from another router on PM to compare and copy the network set up
it will be easy... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Wed Dec 09, 2020 10:03; edited 1 time in total
thanks for your reply, i edited the above message as you were replying sorry, i just went ahead and did it and it seemed to work, i do have 1 question with creating a bridge do i still have to enable Net Isolation, i am assuming so?
I was hoping to still use my pi-hole for DNS providing it does not create any problems but i can now start looking at that next.
Thanks for your help
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Dec 09, 2020 10:06 Post subject:
yep, i do have Net-isolation, as you want that Vlan to be isolated and secured from other communications...
yep you can point your Pi-DNS , if you already have any rules pointing to it...you may need some iptables.. _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Big Thanks to Alozaros for his help, giving me some idea what is required.
i am able to isolate VLan 1 (on actual port 1) by unbridging the eth1.3.
But if i create a bridge br1 assign it to eth1.3 i am unable to isolate the vlan, please see pics below of settings.
I would like to bridge it because i believe it is easier to use iptables to allow lan>vlan connections oneway but not allow vlan>lan as yet i have not got that far as it seems i am unable to isolate the vlan when using a bridge.
Alozaros spotted that eth0 (wan) mac is the same as the vlan eth1.3 and br1 is this the problem?
I have r7800 as my main router, and for testing to get it right before i move it over this is on another r7800 connected in gateway mode (dual router) nothing else running on this router and all settings were configured after factory reset.
Last edited by foz111 on Mon Jan 11, 2021 20:17; edited 2 times in total
Thank you for your reply Per Yngve Berg
i had already tried it without the ifconfig line
"ifconfig eth1.3 192.168.10.1 netmask 255.255.255.0"
before posting, tried it again after your post and i can confirm it is not isolating, i can reach router interface (192.168.1.1) and amend settings when connected to vlan port on 192.168.10.x.
I was hoping to isolate vlan but be able to connect one way lan>vlan using eibgrad firewall rules but first i need to get it to isolate.
https://pastebin.com/r4u62P0B
I can setup from fresh again if i am not missing anything, it's strange as it isolates fine if i use unbridged mode on the eth1.3 without the bridge br1 and assigning the bridge br1 to eth1.3.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Dec 11, 2020 17:39 Post subject:
Per Yngve Berg wrote:
You don't need a bridge if you do not intend to add wifi to the sub-net.
With your iptables rules you have blocked tcp connections between clients on br0 and br1.
To block access to the router GUI, you need a rule in the INPUT chain.
iptables -I INPUT -i br1 -p tcp --dport 80 -m state --state NEW -j REJECT
yep correct...
sry i could've suggest you that rule above...
i realised you can ping clients from the isolated network and that was odd to me...
but, yep for GUI, as its a local service you'd need a local INPUT rule...
i always have those rules to deny access to GUI
iptables -I INPUT 1 -i br0 -p tcp --dport 443 -j REJECT
iptables -I INPUT 2 -i br1 -p tcp --dport 443 -j REJECT
and have corresponding rules to permit only selected hosts to access it either by MAC or IP...
like
iptables -I INPUT 3 -i br0 -p tcp --dport 443 -m mac --mac-source xx:xx:yy:yy:xx:xx -j ACCEPT
that's why i PM'd you that in my case its ok...i totally forgot i ve those rules for GUI..
and im using a bridge instead on plain Vlan...
foz111 do you still able to ping those other devices ...br to br or i got it wrong? Or only GUI was your issue? _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Fri Dec 11, 2020 17:41; edited 1 time in total
Thank you, i must admit i thought that net isolation blocks guest reaching your private network yet the router is on the private network ip?
obviously i was wrong and thank you for your help.
I just found it odd that if i used unbridged eth1.3 with net isolation it blocks any router access while connected to vlan port yet when i created a bridge and assigned it with net isolation it allowed access hence my confusion.
Added: Now configured on main router and i am very pleased, all seems to be working now as expected thanks to everyone in this thread and special thanks to Alozaros and Per Yngve Berg
Alozaros, Now this is running on my main router i can no longer get a response back pinging devices like printers or nas etc, i could previously when it was on router behind my main router.
Tried tagging and giving ID to Vlan on switch port 4 - actual port 1 can anyone confirm this is correct now please?
given vlan ID 59 br1 set to 192.168.59.0/24
tagged port 4 - This is to go into managed switch so i think i needed it tagging.
set vlan3hwname=et0 - unsure what this does?
set vlan port 4 to auto speed.
Startup script:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 6"
swconfig dev switch0 vlan 3 set ports "4t 6t"
swconfig dev switch0 set port4vlans="3 18 19 21"
swconfig dev switch0 vlan 3 set vid 59
swconfig dev switch0 set vlan3hwname=et0
swconfig dev switch0 set apply
vconfig add eth1 3
brctl addif br1 eth1.3
Putty output:
root@DD-WRT:~# nvram show | grep vlan.*ports | sort
size: 27652 bytes (103420 left)
swconfig dev switch0 vlan 1 set ports "1 2 3 6"
swconfig dev switch0 vlan 3 set ports "4t 6t"
vlan0ports=1 2 3 4 5*
vlan1ports=0 5
root@DD-WRT:~# nvram show | grep port.*vlans | sort
size: 27652 bytes (103420 left)
port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 16
swconfig dev switch0 set port4vlans="3 18 19 21"
root@DD-WRT:~# nvram show | grep vlan.*hwname | sort
size: 27652 bytes (103420 left)
swconfig dev switch0 set vlan3hwname=et0
vlan0hwname=et0
vlan1hwname=et0
As a beginner in vlans i have found this quite difficult hoping this is something like now?
Thanks for any input.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Dec 17, 2020 22:34 Post subject:
Per Yngve Berg wrote:
The swconfig commands are correct without these two:
swconfig dev switch0 set port4vlans="3 18 19 21"
swconfig dev switch0 set vlan3hwname=et0
Which looks like nvram variables used on a Broadcom.
yep they are from there...
than again, how do we set physical port, to a port speed, auto-negotiation/forced speed...in Athersos...please tell us??
10x in advance Per Yngve Berg _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
The swconfig commands are correct without these two:
wconfig dev switch0 set port4vlans="3 18 19 21"
swconfig dev switch0 set vlan3hwname=et0
Which looks like nvram variables used on a Broadcom.
Yes Per Yngve Berg i used the wiki and that was for Broadcom, thanks really confusing for me.
May I ask what command should I use to set vlan to auto detect speed or is this not required ?
Thanks again
