Daemos28 DD-WRT Novice
Joined: 12 Jun 2018 Posts: 3
Posted: Tue Jun 12, 2018 3:00 Post subject: Help Needed - Multiple VLAN Setup - WRT1900ACSv2
Hi everyone! This is my first attempt to get VLANs up and running via CLI (previously only done this on Broadcom chips via the GUI), and I'd like to get some expert opinions before I implement anything so I don't brick my device, or worse, leave something unintended open and exposed to the public internet. I would greatly appreciate any guidance you folks can offer on how to get this up and running correctly. I apologize in advance for the long post.
I know what I'm trying to accomplish will also require the use of IPTables in addition to VLANs, but I'm reasonably sure I can handle those myself. I do welcome any input the community may have in that regard, but I'm also happy to work that part out on my own.
Here's my setup:
Router: Linksys WRT1900ACS v2
Firmware Build: r36079 (2018-06-01)
Network Layout:
- LAN1: PC
- LAN2: PC
- LAN3: DNS Server (Pi-Hole)
- LAN4: VPN Server
- ATH0: Assorted 5 GHz Devices
- ATH1: Assorted 2.4 GHz Devices
- ATH1.1 (Virtual Interface): Guest 2.4 GHz Network (unbridged so it can't see the rest of the network.)
My goal is to achieve the following:
- All ports/interfaces should be able to reach the public internet and have IPs assigned to them via DHCP (if a static IP isn't set on that device)
- LAN1, LAN2, ATH0, ATH1 are all reachable to each other, can reach LAN3 on ports 22, 53, and 80, and can reach LAN4 on port 22.
- LAN3 can accept inbound on ports 22, 53, and 80 from the internal network, but can only initiate outbound to the public internet.
- LAN4 can only reach LAN3 on ports 53 and 80, and cannot send any unsolicited traffic anywhere else on the internal network.
- All ports / interfaces should be able to receive IP addresses from the router via DHCP or DnsMasq if a reserved / static IP is not set
- NAT should still block unsolicited inbound traffic from the internet as normal, to all ports except where port forwarding is specified.
- Router port-forwards incoming (from WAN) UDP500, UDP4500, ESP(IP Protocol 50) traffic to LAN4 (can do this part by IP if needed, but by port is preferred)
From what I've been able to work through so far, I should be able to achieve these goals with the following VLAN config and IPTABLES, but I have no idea if this is actually correct or how to implement this VLAN layout via command line.
What I think would work
- VLAN0: 1, 2, 5*
- VLAN1: 0, 5
- VLAN1: 3, 5
- VLAN2: 4, 5
- Leave the default bridge between Br01, Ath0, Ath1, and Eth1 unchanged
- Use IPtables to allow or deny communication according to the rules described above
Any guidance you can provide on what commands would be needed to get this up and running is greatly appreciated! Thanks for your time!
-------------------------------------------------
Details of my existing router config:
nvram show | grep port.*vlans
port5vlans=0 1 16
port4vlans=0
port3vlans=0
port2vlans=0
port1vlans=0
port0vlans=1
nvram show | grep vlan.*ports
vlan1ports=0 5
vlan0ports=1 2 3 4 5*
nvram show | grep vlan.*hwname
vlan0hwname=et0
vlan1hwname=et0
brctl show
Code:
bridge name     bridge id               STP enabled     interfaces
br0             8000.6038e0106974       no              ath0
                                                        ath1
                                                        eth1
swconfig dev switch0 show
Code:
Global attributes:
        enable_vlan: 0
Port 0:
        mask: 0x004e: (0) 1 2 3 6
        qmode: 0
        pvid: 0
        link: port:0 link:down
Port 1:
        mask: 0x004d: 0 (1) 2 3 6
        qmode: 0
        pvid: 0
        link: port:1 link:up speed:1000baseT full-duplex
Port 2:
        mask: 0x004b: 0 1 (2) 3 6
        qmode: 0
        pvid: 0
        link: port:2 link:up speed:100baseT full-duplex
Port 3:
        mask: 0x0047: 0 1 2 (3) 6
        qmode: 0
        pvid: 0
        link: port:3 link:up speed:1000baseT full-duplex
Port 4:
        mask: 0x0020: (4) 5
        qmode: 0
        pvid: 0
        link: port:4 link:up speed:1000baseT full-duplex
Port 5:
        mask: 0x0010: 4 (5)
        qmode: 0
        pvid: 0
        link: port:5 link:up speed:1000baseT full-duplex
Port 6:
        mask: 0x000f: 0 1 2 3 (6)
        qmode: 0
        pvid: 0
        link: port:6 link:up speed:1000baseT full-duplex
swconfig dev switch0 help
Code:
switch0: 10.mvsw61xx(MV88E6176), ports: 7 (cpu @ 5), vlans: 64
     --switch
        Attribute 1 (int): enable_vlan (Enable 802.1q VLAN support)
        Attribute 2 (none): apply (Activate changes in the hardware)
        Attribute 3 (none): reset (Reset the switch)
     --vlan
        Attribute 1 (int): port_based (Use port-based (non-802.1q) VLAN only)
        Attribute 2 (int): vid (Get/set VLAN ID)
        Attribute 3 (ports): ports (VLAN port mapping)
     --port
        Attribute 1 (string): mask (Port-based VLAN mask)
        Attribute 2 (int): qmode (802.1q mode: 0=off/1=fallback/2=check/3=secure)
        Attribute 3 (int): pvid (Primary VLAN ID)
        Attribute 4 (unknown): link (Get port link information)
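As an added example (not part of the original post or any reply), here is one way to express the segmentation policy described in the first post as iptables rules, printed as a dry run so they can be reviewed before anything is applied; the interface names br0, vlan2, vlan3 and eth0 and the VPN server address 192.168.4.2 are assumed placeholders:

```shell
#!/bin/sh
# Added example, not from the thread: print the FORWARD-chain policy from the
# first post as iptables commands. Interface names, the WAN name and the VPN
# server address are ASSUMED placeholders; use the vlanN names and addresses
# your own switch and DHCP config create.
TRUSTED_IF="${TRUSTED_IF:-br0}"     # assumed: LAN1, LAN2, ath0, ath1 bridge
DNS_IF="${DNS_IF:-vlan2}"           # assumed: LAN3 segment (Pi-hole)
VPN_IF="${VPN_IF:-vlan3}"           # assumed: LAN4 segment (VPN server)
WAN_IF="${WAN_IF:-eth0}"            # assumed WAN interface
VPN_IP="${VPN_IP:-192.168.4.2}"     # assumed static address of the VPN server
IPT="${IPT:-echo iptables}"         # dry run by default; IPT=iptables applies

gen_rules() {
    # Replies to allowed connections pass, so each rule below only states
    # who may initiate a connection to whom.
    $IPT -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Trusted segment -> Pi-hole: ssh, DNS (tcp and udp) and http only.
    for p in tcp udp; do
        $IPT -A FORWARD -i "$TRUSTED_IF" -o "$DNS_IF" -p $p --dport 53 -j ACCEPT
    done
    $IPT -A FORWARD -i "$TRUSTED_IF" -o "$DNS_IF" -p tcp -m multiport --dports 22,80 -j ACCEPT
    # Trusted segment -> VPN server: ssh only.
    $IPT -A FORWARD -i "$TRUSTED_IF" -o "$VPN_IF" -p tcp --dport 22 -j ACCEPT
    # VPN server -> Pi-hole: DNS and http only.
    for p in tcp udp; do
        $IPT -A FORWARD -i "$VPN_IF" -o "$DNS_IF" -p $p --dport 53 -j ACCEPT
    done
    $IPT -A FORWARD -i "$VPN_IF" -o "$DNS_IF" -p tcp --dport 80 -j ACCEPT
    # Every segment may initiate outbound to the internet.
    for i in "$TRUSTED_IF" "$DNS_IF" "$VPN_IF"; do
        $IPT -A FORWARD -i "$i" -o "$WAN_IF" -j ACCEPT
    done
    # Any other traffic between internal segments is dropped.
    $IPT -A FORWARD -i "$DNS_IF" ! -o "$WAN_IF" -j DROP
    $IPT -A FORWARD -i "$VPN_IF" ! -o "$WAN_IF" -j DROP
    $IPT -A FORWARD -i "$TRUSTED_IF" -o "$DNS_IF" -j DROP
    $IPT -A FORWARD -i "$TRUSTED_IF" -o "$VPN_IF" -j DROP
    # IPsec port forward from WAN to the VPN server: IKE, NAT-T and ESP.
    for port in 500 4500; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport $port -j DNAT --to-destination "$VPN_IP"
    done
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p esp -j DNAT --to-destination "$VPN_IP"
    $IPT -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_IP" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_IP" -p esp -j ACCEPT
}

gen_rules
```

Rules for DHCP and DNS to the router itself belong in the INPUT chain and are not covered here.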
SurprisedItWorks DD-WRT Guru
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Tue Oct 23, 2018 15:12 Post subject:
I just posted a working VLAN solution for the WRT1900ACSv2 at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317199. I would have just put it here, but I wanted the word "success" in the subject line, to catch the eye of the many users who appear to need a solution to this long-standing puzzle, not just for our router model but also for several related ones. And I didn't want to eat your entire thread with a gigantic post! That post is long because I tried to keep it tutorial and fairly thorough, but the key that I suspect is what was keeping most people from getting things working is really the business, discussed briefly fairly far down in the post, about the need to stop and restart the wan.
Many thanks for your efforts here. I read over dozens of threads over many weeks (the beauty of being retired!), including yours, to put the pieces together. It was really a group effort.
Cheers and good luck.