VLAN success on WRT1900ACSv2, WRT3200ACM, et al.

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Mon Oct 22, 2018 22:04    Post subject: VLAN success on WRT1900ACSv2, WRT3200ACM, et al.
[edited Nov. 6, 2018 and Nov. 22, 2018 to make minor corrections and clarify.]
[Edited May 17, 2019 to point out the tremendous simplifications developed by TheDude1864. See the posts below, at least four of them, beginning on May 13, 2019]

I have VLANning working on the two-cpu WRT1900ACSv2 (running dd-wrt Brainslayer build 36698). In view of the many failed attempts discussed in the forum on VLANning the two-cpu WRTs, I felt I should share. Disclaimer: I am an engineer by profession, but I work in a completely different field. I am not a networking engineer or a computer engineer. I'm basically making all this up. So offer fixes if you spot the need!

Also, note that things are significantly different for the one-cpu WRTs, so this discussion will not apply directly to those routers, though it may give you some useful clues for your own exploration.

There are many forum posts suggesting the use of nvram variables to set up vlanning, but dd-wrt guru Per Yngve Berg commented in a Nov 26, 2016 post in https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=305616, in a Linksys/marvell context, "Disregard these variables as they are used on Broadcom units only." This explains why those variables' values seemed to match early Broadcom hardware and not reference the 2nd CPU port at all! In any case, here we will use the alternate approach, also explored in many forum posts, of using swconfig commands. These commands have an added benefit: changes made with them do not persist across a reboot, so permanent changes will require adding explicit startup code. This is an advantage because we can see startup code! There will be no need two years from now to remember that someone in the past meddled with nvram variables in a way that left no visible record in the GUI.

To see whether the VLAN formulation below likely applies to you directly, there are a couple of steps. First you must verify that you are working with a seven-port switch configured as mine is and not the six-port switch typical of one-CPU routers. User Gigabitten at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=309654 showed the WRT3200ACM setup to be the same as mine, and briankfree at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=305616 did so for the WRT1900ACv1 as well. There may be others. To check your system, use the ssh/telnet/putty command-line interface (CLI):
Code:
root@DD-WRT:~# swconfig list
Found: switch0 - 10.mvsw61xx
root@DD-WRT:~# swconfig dev switch0 show
Global attributes:
        enable_vlan: 0
Port 0:
        mask: 0x004e: (0) 1 2 3 6
        qmode: 0
        pvid: 0
        link: port:0 link:down
Port 1:
        mask: 0x004d: 0 (1) 2 3 6
        qmode: 0
        pvid: 0
        link: port:1 link:down
Port 2:
        mask: 0x004b: 0 1 (2) 3 6
        qmode: 0
        pvid: 0
        link: port:2 link:up speed:1000baseT full-duplex
Port 3:
        Mask: 0x0047: 0 1 2 (3) 6
        qmode: 0
        pvid: 0
        link: port:3 link:up speed:1000baseT full-duplex
Port 4:
        mask: 0x0020: (4) 5
        qmode: 0
        pvid: 0
        link: port:4 link:up speed:1000baseT full-duplex
Port 5:
        mask: 0x0010: 4 (5)
        qmode: 0
        pvid: 0
        link: port:5 link:up speed:1000baseT full-duplex
Port 6:
        mask: 0x000f: 0 1 2 3 (6)
        qmode: 0
        pvid: 0
        link: port:6 link:up speed:1000baseT full-duplex

Ignore the "link" entries for other than ports 5 and 6. They only show you what happens to be plugged into your ports when the show command was run. Key here is that if you don't see ports 0...6, you are not working with a two-cpu machine, and if you don't see a mvsw61xx switch to start, all this is unlikely to apply directly. If other than the "link" fields you see exactly what I do, I suspect the setup below will apply without change.

Second, note that I do not deal here with DHCP and setting IP addresses. Instead I assume that in addition to the default bridge br0 there is already a bridge br1 on its own subnet with working DHCP services. At the beginning of this VLANning effort, that second bridge on my system contained only a wifi virtual access point (VAP). To get to a similar point, see https://wiki.dd-wrt.com/wiki/index.php/Guest_Network, Section entitled "Prior to 23020", steps 1...4. Do not skip the intermediate save/apply steps. I believe steps 5 and 6 are out of date and that instead you need to return to the section for your new bridge in Setup>Networking. The Masquerade/NAT and Network Isolation options there respectively give the new bridge internet access and isolate it from br0.

Now let us interpret the switch0 configuration above. Boolean flag "enable_vlan" is set to 0, which signals the use of port-based VLANning. Though YMMV, I believe this means that the masks specify precisely where traffic appearing on each port should be sent. Look at the binary masks from the last port back to the first (this is not code to enter... just a simple table):
Code:
port mask
6     0 0 0 1 1 1 1
5     0 0 1 0 0 0 0
4     0 1 0 0 0 0 0
3     1 0 0 0 1 1 1
2     1 0 0 1 0 1 1
1     1 0 0 1 1 0 1
0     1 0 0 1 1 1 0

The seven bits on the right represent ports 6543210. Switch ports 0...3 are rear-panel LAN ports 4...1 (per experiments by various posters, notably Gigabitten), switch port 4 is the rear-panel WAN port, and switch ports 5 and 6 are internal CPU ports with 5 dedicated to the WAN port and 6 used for the LAN ports. This matrix is symmetric, so if A can send to B, B can send to A. Look carefully and you will see that switch ports 0...3, the backpanel LAN ports, are connected to switch port 6, which is a CPU port, and switch port 4, the backpanel WAN port, is connected to switch port 5, which is a different CPU port presumably on the other CPU. Switch ports 5 and 6 are at this point accessed from the router as eth0 and eth1 respectively. We might say that this port-based setup carves the ports up into two VLANs. We have two CPUs with a switch port each, so each VLAN gets its own CPU.

Now let's look at actually configuring the new system. Start by backing up your configuration in case a disaster forces a reset using the little button on the back of the router. Initially you should enter these commands via the CLI and not have your boot process, through startup commands, configured into something that may contain an error. Be sure you are accessing the CLI and GUI over wifi, as the commands below will have your LAN scrambled at certain spots, and you don't want to lose control over your router! Also be aware that you'll lose internet access for a while during this process, so plan ahead re anything you will want to read while proceeding.

Now the configuration steps. To start with, enter the commands into the CLI, ideally by copying and pasting from a clean master copy somewhere. Putting things into the startup commands comes later, once the new configuration is tested and known to be working.

We start with the realization that when you have more VLANs than CPU switch ports, tagging will be needed. Below, for example, we'll end up with vlan1 and vlan3 both connected to CPU switch port 6. In order that the CPU knows which VLAN originated a packet it receives on that port, the packet must be tagged with a VLAN ID. This is 802.11q tagging, so our VLANning code (enter into the CLI) will begin with
Code:
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1

If you are still on the LAN, executing the first line may rudely remind you to switch to wifi. The second line says we'll be using tagging. The two modes, port-based and tagging, cannot be mixed, so we are committing to redoing the entire switch configuration in a tagged fashion, hence the "reset" command here for a clean start. Experiment showed that neither of these lines can be omitted.

My specific goal is to give my two bridges VLANs containing disjoint subsets of the original LAN ports. I put two ports into each VLAN, but splitting the four ports as three and one would require only a trivial change. The code that sets this up (yes enter it):
Code:
swconfig dev switch0 vlan 1 set ports "6t 2 3"
swconfig dev switch0 vlan 2 set ports "5t 4"
swconfig dev switch0 vlan 3 set ports "6t 0 1"
swconfig dev switch0 set apply

Nothing happens (other than the initial reset, apparently) in the physical switch until the last "apply" step, so the latter cannot be omitted. If the reset didn't do it before, these commands will for now scramble your LAN and cut off WAN (internet) access. But the effects of swconfig commands are not preserved across a boot, as far as I understand it, so if you get panicky, you can always reboot and start again.

Each "t" associated with ports 5 and 6 in the swconfig commands above specifies that a source VLAN ID (VID) is to be added to each packet sent to those two CPU ports. By default the VID is the same as the physical vlan number (1, 2, and 3 here), but using a VID different than the physical vlan number is possible. Some systems reserve VID 1 for other things, so in some posts you'll see something like "swconfig dev switch0 vlan 1 set vid 100", but it does not appear to be needed here. (Someone correct me if I'm wrong here!) I believe vlan 0 is forbidden. Compare the results of swconfig dev switch0 vlan 0 show and swconfig dev switch0 vlan 4 show and note that even though we have defined neither of these vlans, the results are very different. So start with 1. Thanks to the reset command in our code, there is no need to be compatible with what is in the switch to begin with.

Since CPU switch port 5 in those swconfig commands is associated with only one vlan, logic suggests that tagging there may be unneeded. The experience of others, however, says to include it (https://superuser.com/questions/1061327/how-to-setup-vlans-per-interfaces-on-linksys-wrt-1900-acs-openwrt-chaos-calmer/1102126).

The vlans have been specified, but the command ifconfig at the CLI will include no mention of vlans, because their interfaces do not yet exist. To create those interfaces (enter into CLI):
Code:
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth0 2
vconfig add eth1 1
vconfig add eth1 3

The numbers on the right are VIDs. Here we are associating the new VLAN interfaces with the dd-wrt code for eth0 and eth1, corresponding to the WAN interface and the LAN interface respectively. The VLAN_PLUS_VID_NO_PAD is a format specifier requiring that the new interfaces have names vlan1, vlan2, and vlan3. Experiment shows that if this line is omitted on a dd-wrt system, no interfaces are created at all.

(At this point ifconfig may or may not show that the vlan interfaces exist but are not yet up.) Before the newly defined vlan interfaces can be brought up, eth0 and eth1 must already be up. In fact ifconfig shows that the latter are already up at this point, and some experimentation shows that they are in fact already up when the startup commands are run during boot, so we don't actually need explicit commands ifconfig eth0 up and ifconfig eth1 up at all, though they'd be harmless. We can jump right in with this (enter):
Code:
ifconfig vlan1 up
ifconfig vlan2 up
ifconfig vlan3 up

Command ifconfig now shows that the three vlan interfaces are up.

Now it is time to configure bridges. We'll do this in two steps. First (enter):
Code:
brctl addif br0 vlan1
brctl addif br1 vlan3
brctl delif br0 eth1

The first two commands here add vlan1 and vlan3 to br0 and br1 respectively. I believe these two steps could be done in the GUI, but I prefer to keep everything possible in one place. The third command deletes eth1 from br0 and has no GUI equivalent.

Now we are at a particularly delicate point, where things get a little tricky because we need to make one change using the GUI. In principle we could instead use an equivalent CLI action using the nvram command, but using the GUI is clearer. We won't want nvram commands in the startup code later, so the GUI it is. In the GUI at Setup>Networking>PortSetup>PortSetup, change the "WAN Port Assignment" to vlan2 and hit "apply" at the bottom of the page (skipping "save" for now). Throwing eth0 out of its former role as WAN interface will put it into br0, so back in the CLI, remove it (enter):
Code:
brctl delif br0 eth0

[Edit 3/19: Reports re dd-wrt versions 38159 and 39144 suggest that setting the WAN interface to vlan2 may undo the first three brctl commands, from the last paragraph, as well. So you may need to redo them here.] At this point your WAN is vlan2, and your bridging table earlier on the same GUI page should look like
Code:
bridge  STP  interface
br0       no     ath1 vlan1
br1       no   ath1.2 vlan3

with ath1 and ath1.2 replaced by whatever wifi interfaces you started with in br0 and br1. The stp values for the bridges could be no or yes, but I believe that if you are using network isolation on br1, it makes no difference. Research "spanning tree protocol" for dd-wrt to sort this out in greater detail.

The switch configuration itself should now look like this, again give or take the link lines, as those reflect what is plugged into your backpanel ports:
Code:
root@DD-WRT:~# swconfig dev switch0 show
Global attributes:
   enable_vlan: 1
Port 0:
   mask: 0x0000: (0)
   qmode: 3
   pvid: 3
   link: port:0 link:down
Port 1:
   mask: 0x0000: (1)
   qmode: 3
   pvid: 3
   link: port:1 link:up speed:100baseT full-duplex
Port 2:
   mask: 0x0000: (2)
   qmode: 3
   pvid: 1
   link: port:2 link:up speed:1000baseT full-duplex
Port 3:
   mask: 0x0000: (3)
   qmode: 3
   pvid: 1
   link: port:3 link:up speed:1000baseT full-duplex
Port 4:
   mask: 0x0000: (4)
   qmode: 3
   pvid: 2
   link: port:4 link:up speed:1000baseT full-duplex
Port 5:
   mask: 0x0000: (5)
   qmode: 3
   pvid: 0
   link: port:5 link:up speed:1000baseT full-duplex
Port 6:
   mask: 0x0000: (6)
   qmode: 3
   pvid: 0
   link: port:6 link:up speed:1000baseT full-duplex
VLAN 1:
   port_based: 0
   vid: 1
   ports: 2 3 6t
VLAN 2:
   port_based: 0
   vid: 2
   ports: 4 5t
VLAN 3:
   port_based: 0
   vid: 3
   ports: 0 1 6t

This should be a working VLANned system, and some patient testing and experimenting to make sure your system is working as it should is in order at this point.

When you are certain that all is good and you are ready to edit the startup commands so as to install the VLAN configuration at boot time, in the GUI go to Administration>Commands. If you have startup commands, hit edit under them. If not, just proceed. Either way, add this next material to the Commands window at the top. Except for one line, to be discussed, and a couple of comments, these are just the commands we entered above:
Code:
#split LAN into vlan1 and vlan3
  swconfig dev switch0 set reset 1
  swconfig dev switch0 set enable_vlan 1
  swconfig dev switch0 vlan 1 set ports "6t 2 3"
  swconfig dev switch0 vlan 2 set ports "5t 4"
  swconfig dev switch0 vlan 3 set ports "6t 0 1"
  swconfig dev switch0 set apply
  vconfig set_name_type VLAN_PLUS_VID_NO_PAD
  vconfig add eth0 2
  vconfig add eth1 1
  vconfig add eth1 3
  ifconfig vlan1 up
  ifconfig vlan2 up
  ifconfig vlan3 up
  brctl addif br0 vlan1
  brctl addif br1 vlan3
  brctl delif br0 eth1
  #wan tried to start as vlan2 (set in gui) before vlan2 created, so restart
    (stopservice wan;startservice wan) 2>&1 | logger -t startup[$$]
  #having WAN port set in gui to vlan2 puts eth0 in br0 so fix
    brctl delif br0 eth0

I put this code first, before my other, existing startup commands. I have no idea whether it matters. Extremely tight nvram space (use nvram show | grep 'size:' in the CLI to check) might motivate you to omit comments and indentation, but I had lots of space. Once the edit window is as you like, hit "Save Startup" at the bottom.

Now look at what differs from what we entered earlier into the CLI. Near the end, where when entering things by hand we set the WAN port to vlan2, here we stop and start the wan service and log any messages output by that step. This step cannot be omitted, because it turns out that while the GUI designation of vlan2 as the WAN interface is carried over from the previous session, because of the "Save" we just did, at boot the wan service is started before the startup commands create vlan2. Without our explicit service restart, that mistiming of the original embedded wan service startup would leave one with no WAN access and a destroyed firewall (per bitter experience). So here we restart the wan service after vlan2 is created.

[Edited 13 May 2019 to add this next sentence.] Now return to Setup>Networking and hit "Save" at the bottom so that the new WAN Port Assignment of vlan2 is preserved across boots. Then do a reboot to see that everything works as it should. At a minimum, have a look at the Setup>Networking page, particularly the WAN port and the bridging table. Look at the system log, assuming it's enabled. In my system a few lines in the log are created here when this wan-restart code runs:
Code:
Jan  1 00:00:31 DD-WRT user.notice startup[1974]: The kernel doesn't support the ebtables 'nat' table.
Jan  1 00:00:31 DD-WRT user.notice startup[1974]: vlan2: No such process
Jan  1 00:00:31 DD-WRT user.notice startup[1974]: vlan2: No such process
Jan  1 00:00:31 DD-WRT user.notice startup[1974]: cat: can't open '/proc/net/ip_conntrack_flush': No such file or directory
Jan  1 00:00:31 DD-WRT user.notice startup[1974]: 0

Frankly I have no idea what the significance is or is not of these lines. (Anyone?) But the overall system appears to be right, per the networking GUI page. The firewall looks OK (iptables -vL in the CLI) and has vlan2 instead of eth0 in all the wan spots. Most importantly, system functionality appears to be what it should. It has been working fine in my system for several weeks [Edit: months, as of 3/19.] now.

There be VLANs!!!

[Edit 3/19: Do read the next post. Experience shows that "Apply" on many GUI pages undoes the brctl commands. Better to Save and reboot when you make changes in the GUI.]
[Edit 5/19: The suggestions of TheDude1864 simplify the configuration greatly. See the posts below, at least four of them, beginning on May 13, 2019]


Last edited by SurprisedItWorks on Mon Dec 09, 2019 19:05; edited 7 times in total
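The mask table in the post above, decoded by a script rather than by hand. This is an added example, not the poster's code: it parses the port-based (enable_vlan 0) output of swconfig dev switch0 show, prints the same bit table, checks the symmetry the post relies on, and recovers the two port groups (which is the general connected-components computation, so it also works for switches whose masks do not happen to form just two cliques). The sample output is the post's own, trimmed to the lines the parser reads.

```shell
#!/bin/sh
# Decode the port-based masks (enable_vlan 0) that "swconfig dev switch0 show"
# prints on the seven-port mvsw61xx switch: rebuild the bit table from the post,
# check that the matrix is symmetric, and recover the port groups it implies.
# Added illustration, not code from the forum post. SAMPLE_SHOW is the post's
# own show output with the qmode/pvid/link lines dropped; the parser reads only
# the "Port N:" and "mask:" lines, so the full output works just as well.
NPORTS=7
SAMPLE_SHOW='Global attributes:
        enable_vlan: 0
Port 0:
        mask: 0x004e: (0) 1 2 3 6
Port 1:
        mask: 0x004d: 0 (1) 2 3 6
Port 2:
        mask: 0x004b: 0 1 (2) 3 6
Port 3:
        mask: 0x0047: 0 1 2 (3) 6
Port 4:
        mask: 0x0020: (4) 5
Port 5:
        mask: 0x0010: 4 (5)
Port 6:
        mask: 0x000f: 0 1 2 3 (6)'

# mask_ports HEX: the switch ports whose bit is set in HEX, lowest port first.
mask_ports() {
    n=$(( ${1:-0} )); i=0; out=""
    while [ "$i" -lt "$NPORTS" ]; do
        if [ $(( (n >> i) & 1 )) -eq 1 ]; then out="$out $i"; fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "${out# }"
}

# show_masks TEXT: one "PORT HEXMASK" line per switch port.
show_masks() {
    printf '%s\n' "$1" | awk '
        /^Port [0-9]+:/   { p = $2; sub(":", "", p) }
        $1 ~ /^[Mm]ask:$/ { m = $2; sub(":", "", m); print p, m }'
}

# mask_table TEXT: the post's table, port 6 first, one bit per port 6..0.
mask_table() {
    show_masks "$1" | sort -rn | while read -r p m; do
        n=$(( $m )); b=$(( NPORTS - 1 )); row="$p"
        while [ "$b" -ge 0 ]; do
            row="$row $(( (n >> b) & 1 ))"; b=$(( b - 1 ))
        done
        printf '%s\n' "$row"
    done
}

# mask_symmetric TEXT: succeed only if every "A reaches B" has "B reaches A";
# reading the table as a set of VLANs, as the post does, depends on this.
mask_symmetric() {
    pairs=$(show_masks "$1")
    printf '%s\n' "$pairs" | while read -r p m; do
        for q in $(mask_ports "$m"); do
            qm=$(printf '%s\n' "$pairs" | awk -v q="$q" '$1 == q { print $2 }')
            case " $(mask_ports "$qm") " in
                *" $p "*) ;;
                *) echo "port $p reaches $q but not back"; exit 1 ;;
            esac
        done
    done
}

# port_groups TEXT: connected components of the mask graph, one per line;
# in port-based mode each component is one VLAN (union-find over mask edges).
port_groups() {
    show_masks "$1" | while read -r p m; do
        for q in $(mask_ports "$m"); do printf '%s %s\n' "$p" "$q"; done
    done | awk -v n="$NPORTS" '
        function find(x) { while (parent[x] != x) x = parent[x]; return x }
        { if (!($1 in parent)) parent[$1] = $1
          if (!($2 in parent)) parent[$2] = $2
          a = find($1); b = find($2); if (a != b) parent[a] = b }
        END {
            for (x = 0; x < n; x++) {
                if (!(x in parent)) continue
                r = find(x)
                if (!(r in grp)) order[++k] = r
                grp[r] = grp[r] (grp[r] == "" ? "" : " ") x
            }
            for (i = 1; i <= k; i++) print grp[order[i]]
        }'
}

# Standalone run: the bit table, then the groups (expect "0 1 2 3 6" and "4 5").
mask_table "$SAMPLE_SHOW"
mask_symmetric "$SAMPLE_SHOW" && port_groups "$SAMPLE_SHOW"
```

On a router, feed it live output with `mask_table "$(swconfig dev switch0 show)"`; a non-symmetric mask, or groups that do not match the post's two, is the signal that the recipe may not apply unchanged.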
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sun Nov 11, 2018 16:48    Post subject:
APPENDIX: FIREWALL EDITS (AND OTHER APPLY ACTIONS?) SCRAMBLE THE LAN

Given the above VLANs setup, something again happens out of sequence when the firewall is edited in GUI>Administration>Commands. When Save Firewall is clicked after such an edit, some but not all of the boot process is repeated, and the router is completely offline for a minute or so. When it comes back up, you can see in GUI>Setup>Networking that neither bridge contains a vlan and br0 again contains eth0 and eth1. It's likely that there are other "apply" actions in the GUI that lead to the same confused state.

There are two ways to fix this once things come back up in this unfortunate state. Either works fine. No need to do both:

(1) Reboot the router, so that everything in the startup script is executed properly.

(2) Copy/paste these commands from the end of the code above into the CLI:
Code:
brctl addif br0 vlan1
brctl addif br1 vlan3
brctl delif br0 eth1
(stopservice wan;startservice wan) 2>&1 | logger -t startup[$$]
brctl delif br0 eth0

I used the CLI in my experiments, but one should be able to do (2) in the GUI. In Administration>Commands copy these commands from the Startup window, paste them into the Commands window at the top, then click Run Commands at the bottom.

One issue with the confused LAN state that we are remedying here is that because it leaves the entire LAN offline, you'll need to connect to the GUI over wifi to look at the state of things or to apply one of the fixes. If you do not use wifi in your system at all, the LAN being offline will force you to cycle power to get the reboot you need.
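The appendix's fix (2), turned into a check that emits only the commands the current bridging table actually needs. This is an added example, not the poster's code; the two tables are constructed samples in brctl show format (bridge ids are placeholders, column spacing is not significant): SCRAMBLED is the state the appendix describes, HEALTHY the one the first post says to expect.

```shell
#!/bin/sh
# Compare a DD-WRT bridging table with the VLAN layout from the first post and
# print only the commands needed to restore it, in the order the appendix runs
# them; print nothing when the table is already right. Added illustration, not
# code from the forum post. Both tables below are constructed samples.
SCRAMBLED='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              ath1
                                                        eth0
                                                        eth1
br1             8000.000000000002       no              ath1.2'
HEALTHY='bridge name       bridge id               STP enabled     interfaces
br0             8000.000000000001       no              ath1
                                                        vlan1
br1             8000.000000000002       no              ath1.2
                                                        vlan3'

# bridge_members TABLE BRIDGE: interfaces of BRIDGE, one per line. brctl puts
# the first interface on the bridge line and the rest alone on continuation
# lines, so a one-field line belongs to the most recently seen bridge.
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        NR == 1 { next }
        NF >= 3 { cur = $1; if (NF == 4 && cur == br) print $4; next }
        NF == 1 && cur == br { print $1 }'
}

# bridge_fix_plan TABLE: the repair commands, one per line, or nothing.
bridge_fix_plan() {
    br0=" $(bridge_members "$1" br0 | tr '\n' ' ') "
    br1=" $(bridge_members "$1" br1 | tr '\n' ' ') "
    case "$br0" in *" vlan1 "*) ;; *) echo 'brctl addif br0 vlan1' ;; esac
    case "$br1" in *" vlan3 "*) ;; *) echo 'brctl addif br1 vlan3' ;; esac
    case "$br0" in *" eth1 "*) echo 'brctl delif br0 eth1' ;; esac
    # The appendix always restarts the wan service before dropping eth0; here
    # (my choice, not the post's) that pair is tied to eth0 being back in br0.
    case "$br0" in *" eth0 "*)
        echo '(stopservice wan;startservice wan) 2>&1 | logger -t startup[$$]'
        echo 'brctl delif br0 eth0' ;;
    esac
}

# On the router, "sh thisfile --live" applies the plan; otherwise, or without
# brctl at all, show the plan for the two samples.
if command -v brctl >/dev/null 2>&1 && [ "${1:-}" = "--live" ]; then
    bridge_fix_plan "$(brctl show)" | sh
else
    echo "scrambled:"; bridge_fix_plan "$SCRAMBLED"
    echo "healthy:";   bridge_fix_plan "$HEALTHY"
fi
```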
reforo
DD-WRT Novice


Joined: 21 Jan 2017
Posts: 9

PostPosted: Tue Nov 27, 2018 18:49    Post subject:
Thank you very much for your post, it helped me a lot.
_________________
Linksys WRT1900ACS V2-v3.0-r38060
Cisco SG350X-24
Micma99
DD-WRT Novice


Joined: 13 Sep 2015
Posts: 2

PostPosted: Sun Dec 02, 2018 14:52    Post subject: Re: VLAN success on WRT1900ACSv2 (and WRT3200ACM? WRT1900ACv
SurprisedItWorks wrote:
[edited Nov. 6, 2018 and Nov. 22, 2018 to make minor corrections and clarify.]

I have VLANning working on the two-cpu WRT1900ACSv2 (running dd-wrt Brainslayer build 36698). In view of the many failed attempts discussed in the forum on VLANning the two-cpu WRTs, I felt I should share. Disclaimer: I am an engineer by profession, but I work in a completely different field. I am not a networking engineer or a computer engineer. I'm basically making all this up. So offer fixes if you spot the need!


There be VLANs!!!


Hi and thanks for the post, it got me moving in the right direction.

However, I'm trying to get WAN port to communicate over VID 35 since my ISP requires this for the optical fibre gigabit feed. Here's where I stand now:

My configuration

Router Name: DD-WRT
Router Model: Linksys WRT32X
Firmware Version: DD-WRT v3.0-r37860 std 11/27/18
Kernel Version: Linux 4.9.141-rc1 #615 SMP Tue Nov 27 01:39:44 CET 2018 armv7l

Love this router for its dual partitions booting into DD-WRT firmware for testing different configs and booting back to Venom default Linksys firmware to get back on the internet. While booting into DD-WRT I can see the activity lights blinking on my 10Gtek fiber to copper adapter, and when the router is fully booted, there's no activity whatsoever on these same activity lights, as if nothing is sent over the wan port. Since the connection to the ISP is over PPPOE and the redial is set at 30 seconds, it should send the connect command over the wan but there's no activity at all looking at the status lights on the adapter.

The latest Venom firmware added vlan tagging to the gui and is a lone check box where I put 35 in the box to get on the internet after setting up the PPPOE credentials.

Now the setup:

First the default network config after installing DD-WRT that shows this is also a 7 port switch:

swconfig list
Found: switch0 - 10.mvsw61xx
swconfig dev switch0 show
Global attributes:
enable_vlan: 0
Port 0:
mask: 0x004e: (0) 1 2 3 6
qmode: 0
pvid: 0
link: port:0 link:down
Port 1:
mask: 0x004d: 0 (1) 2 3 6
qmode: 0
pvid: 0
link: port:1 link:up speed:1000baseT full-duplex
Port 2:
mask: 0x004b: 0 1 (2) 3 6
qmode: 0
pvid: 0
link: port:2 link:up speed:1000baseT full-duplex
Port 3:
mask: 0x0047: 0 1 2 (3) 6
qmode: 0
pvid: 0
link: port:3 link:up speed:1000baseT full-duplex
Port 4:
mask: 0x0020: (4) 5
qmode: 0
pvid: 0
link: port:4 link:up speed:1000baseT full-duplex
Port 5:
mask: 0x0010: 4 (5)
qmode: 0
pvid: 0
link: port:5 link:up speed:1000baseT full-duplex
Port 6:
mask: 0x000f: 0 1 2 3 (6)
qmode: 0
pvid: 0
link: port:6 link:up speed:1000baseT full-duplex

After reading the op's post, I came up with this config, note that I'm not segregating LAN ports so all four ports are configured to the same VLAN. I also tag the WAN port to VID 35 and yes, I did select VLAN2 to the WAN setup in networking:

Startup Commands

#configure vlan's 1 and 2 (2 is set to vid 35 for ISP)
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "6t 0 1 2 3"
swconfig dev switch0 vlan 2 set ports "5t 4"
swconfig dev switch0 vlan 2 set vid 35
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth0 2
vconfig add eth1 1
ifconfig vlan1 up
ifconfig vlan2 up
brctl addif br0 vlan1
brctl delif br0 eth1
#wan tried to start as vlan2 (35) (set in gui) before vlan2 created, so restart
(stopservice wan;startservice wan) 2>&1 | logger -t startup[$$]
#having WAN port set in gui to vlan2 puts eth0 in br0 so fix
brctl delif br0 eth0

Below is the network setup after the router is fully booted:

Global attributes:
enable_vlan: 1
Port 0:
mask: 0x0000: (0)
qmode: 3
pvid: 1
link: port:0 link:down
Port 1:
mask: 0x0000: (1)
qmode: 3
pvid: 1
link: port:1 link:up speed:1000baseT full-duplex
Port 2:
mask: 0x0000: (2)
qmode: 3
pvid: 1
link: port:2 link:up speed:1000baseT full-duplex
Port 3:
mask: 0x0000: (3)
qmode: 3
pvid: 1
link: port:3 link:up speed:1000baseT full-duplex
Port 4:
mask: 0x0000: (4)
qmode: 3
pvid: 35
link: port:4 link:up speed:1000baseT full-duplex
Port 5:
mask: 0x0000: (5)
qmode: 3
pvid: 0
link: port:5 link:up speed:1000baseT full-duplex
Port 6:
mask: 0x0000: (6)
qmode: 3
pvid: 0
link: port:6 link:up speed:1000baseT full-duplex
VLAN 1:
port_based: 0
vid: 1
ports: 0 1 2 3 6t
VLAN 2:
port_based: 0
vid: 35
ports: 4 5t

Everything looks good but the kicker is no WAN activity. When using the connect button in the Status/WAN in the GUI, it sends the router in a sort of reboot frenzy and scrambles the ports all over again as does changing, saving and applying settings. So I got into a habit of changing, saving and rebooting instead of applying. If someone could point me in the direction I should go from here, please do.

Sorry for the long post and thanks in advance.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sun Dec 02, 2018 15:24    Post subject:
I'm not able to comment usefully here. My impression (that's all it is) is that the VLAN tagging I configured above exists only along the path from the switch to the CPU. (Maybe someone with more of a clue can comment.) It feels like tagging on the WAN is a whole different matter, maybe not even involving reconfiguring the switch. If it were me, I'd be focused on the VLAN-tagging section of the GUI, which I gather (again, no expertise here) is about WAN tagging.

There seem to be many forum posts and discussions about the WAN-tagging business, distinct from the matter I looked into of splitting the LAN. I'd focus on those and not get pulled into LAN-splitting discussions.

Do keep your eyes on the Marvell forum, including the new-build threads, about that WRT32X model, as it seems to be one with idiosyncrasies. Fast but quirky.

Good luck to you.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
matp
DD-WRT Novice


Joined: 13 Aug 2017
Posts: 6

PostPosted: Sun Dec 09, 2018 12:24    Post subject:
Hi,

I really struggled with setting up VLANs on my WRT3200ACM and wasted a lot of time. The configuration you shared solves the main problem of setting up VLANs and actually making it work. Many thanks for that!

I still have one more problem to solve. Even though ath0 and vlan1 are on the same bridge - br0 - I cannot ping hosts between ath0 and vlan1. What could be the reason?
I used exactly the same script as in the original post and my firewall rules are empty.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sun Dec 09, 2018 14:41    Post subject:
Congrats on getting VLANs up!

Now when you say firewall rules are empty, do you mean in GUI>Administration>Commands? Maybe we should call those the extra firewall rules, because if you do iptables -vL in the CLI you should see lots of default ones. If those default ones are missing you have bigger issues than those you mentioned!

Not sure what could be your actual problem. But start at the beginning I suppose. In GUI>Wireless>BasicSettings>ath0>AdvancedSettings, you definitely need "Network Configuration" to be "bridged" (not "unbridged" leftover from an earlier config). It'd be natural to assume that having ath0 in a bridge would take care of that, but I don't actually know whether it does. Then under GUI>Setup>Networking>Bridging the Current Bridging Table shows that br0 has "ath0 vlan1" under Interface?

(Anyone more into networking out there with an idea for a next step?)

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
matp
DD-WRT Novice


Joined: 13 Aug 2017
Posts: 6

PostPosted: Sun Dec 09, 2018 16:01    Post subject:
Quote:
Now when you say firewall rules are empty, do you mean in GUI>Administration>Commands?

Yes.
Quote:
iptables -vL in the CLI you should see lots of default ones.

Indeed, there are lots of entries.
Quote:
In GUI>Wireless>BasicSettings>ath0>AdvancedSettings, you definitely need "Network Configuration" to be "bridged"

It is.

Quote:
Then under GUI>Setup>Networking>Bridging the Current Bridging Table shows that br0 is has "ath0 vlan1" under Interface?

Yes - only those.

Actually I just realised that the router itself cannot ping hosts on vlan1. Router is on the same subnet as hosts on vlan1 (and ath0).

Maybe I will need to go through the default firewall settings. Ultimately I may need to start with a clean setup and apply the script you provided.
Thanks again!
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sun Dec 09, 2018 16:20    Post subject:
Certainly starting from scratch and developing your settings incrementally is a powerful approach if you have the patience. (Don't forget a backup first. :) )

Re the firewall, I've certainly had various firewall issues over time, but the default behavior has always been too permissive, never too restrictive. I doubt that's where the trouble lies.

I assume you can ping within ath0 (AP isolation off, right?) and within vlan1?

Might be worth posting your Setup>Networking page if you can figure out how to shrink the image first. (Guru egc suggests 600 pixels width max and has sometimes offered a link to a tool or instructions or something. Perhaps you can find one of his posts on it.)

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sun Dec 09, 2018 16:43    Post subject:
You don't happen to be able to ping ath0 devices from your other vlan, do you? Remember the port numbering in the swconfig commands is reversed (as well as offset) from that on the back panel.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
matp
DD-WRT Novice


Joined: 13 Aug 2017
Posts: 6

PostPosted: Sun Dec 09, 2018 16:57    Post subject:
I am able to ping between hosts in ath0 and also between hosts in vlan1.
AP Isolation is disabled.

I will post my Networking setup later.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sun Dec 09, 2018 17:45    Post subject:
Before you go through the hassle of posting the network config, be sure by actual pinging that the issue isn't just confusion over which ports go with which vlan, since the numbering on the back panel is reversed (and offset) from what swconfig uses.

Once this is solved, be sure to note that "network isolation" actually means "isolation from br0," so if you have, for example, br0 and br1 but also some unbridged VAP and want them each isolated from the others, in addition to network isolation on br1 and on the VAP, you'll need firewall commands to isolate the VAP from br1.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sun Dec 09, 2018 17:52    Post subject:
matp wrote:
Actually I just realised that the router itself cannot ping hosts on vlan1. Router is on the same subnet as hosts on vlan1 (and ath0).

Can devices on vlan1 access the internet?

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
matp
DD-WRT Novice


Joined: 13 Aug 2017
Posts: 6

PostPosted: Sun Dec 09, 2018 19:28    Post subject:
Quote:
You don't happen to be able to ping ath0 devices from your other vlan, do you? Remember the port numbering in the swconfig commands is reversed (as well as offset) from that on the back panel.

No, I'm not able to ping ath0 devices from other vlan (i.e. vlan3). I did make sure to use the right ports on the back of the router. I can also see that by "swconfig dev switch0 show".

Quote:
Can devices on vlan1 access the internet?

No, they can't.

And here's my Networking setup:
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sun Dec 09, 2018 21:30    Post subject:
I sure don't see anything alarming there. But the fact that you get no internet on that vlan is alarming indeed! When you do ifconfig in the CLI, are eth0, eth1, and your three vlans all up? And for that matter, ath0, ath1, ath0.1, br0, and br1 as well? (Second or third line, all caps, starting with UP.)

If they are all up, where else do you not get internet?