VLAN success on WRT1900ACSv2, WRT3200ACM, et al.

matp
DD-WRT Novice


Joined: 13 Aug 2017
Posts: 6

Posted: Sun Dec 09, 2018 23:35
All you mentioned are UP and running.
I don't get internet access only from vlan1 and vlan3.
Every WLAN device (ath0, ath0.1, ath1) has access to internet.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Mon Dec 10, 2018 0:08
Makes me wonder whether tagging is messed up in the swconfig lines that set up those two vlans, because it doesn't really seem that anything on either vlan can reach anything outside that vlan. Maybe the CPU is not actually getting usable packets from them.

You seem quite thorough in approach though, so I'm guessing you've checked those commands against the original post (noting the t for tagging) and the output of swconfig dev switch0 show. If that's the case, let's try two things. First, in the CLI try stopservice wan then startservice wan, in case something is different between our routers to do with the timing of wan startup. (Have a look at the networking page afterward to be sure each vlan is where it belongs and that eth0 and eth1 haven't reappeared in the bridges.)

Then let's have a look at the log to look for anything suspicious. grep -v ' hostapd:' /var/log/messages will get you a version free of all the MAC-revealing messages about wifi connection. You might want to look at the log in the GUI also, just because it marks stuff in red and yellow that it sees as iffy. Probably the best time to look at the log is a couple of minutes after a boot, so that log truncation doesn't trim off old stuff that matters.

I wonder whether we're discovering something different between the WRT1900ACSV2 and the WRT3200ACM.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Tue Dec 18, 2018 19:48
In light of the current WRT3200ACM impasse above, I have a request for anyone who has successfully used this VLAN approach on a WRT series router: Please post the router model and, ideally, any mods to my setup needed to get it working (or that just seemed to improve things). Maybe we can sort out what models this really works for and how to tweak where needed.

For my part, VLANs here still work great. No issues other than needing reboots rather than applies on some GUI pages, as described in a post above. (In most cases I just save without applying and then do a reboot.) Has worked now on releases 36698 and 37736 with no change in between, and for each release it has worked on two WRT1900ACSv2 routers. Both halves of the split LAN are used nearly every day.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
reforo
DD-WRT Novice


Joined: 21 Jan 2017
Posts: 9

Posted: Tue Dec 25, 2018 14:04
Hello, sorry for my English.
Thank you very much for all the work, I work separately, I could help, I would be interested in sending ports 3 and 4 vlan1 and vlan3 (trunk mode).
Sincerely, Javier

_________________
Linksys WRT1900ACS V2-v3.0-r38060
Cisco SG350X-24
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Tue Dec 25, 2018 18:46
Hello Javier,

Don't worry about your English. My Spanish is very bad.

I don't know how I can help though. I'm not a networking expert and don't even know what "trunk mode" is. My little project in the first post here was really about splitting the LAN ports and nothing else.

I wish you luck though.

matp
DD-WRT Novice


Joined: 13 Aug 2017
Posts: 6

Posted: Sun Dec 30, 2018 15:46
SurprisedItWorks wrote:
Makes me wonder whether tagging is messed up in the swconfig lines that set up those two vlans, because it doesn't really seem that anything on either vlan can reach anything outside that vlan. Maybe the CPU is not actually getting usable packets from them.

You seem quite thorough in approach though, so I'm guessing you've checked those commands against the original post (noting the t for tagging) and the output of swconfig dev switch0 show. If that's the case, let's try two things. First, in the CLI try stopservice wan then startservice wan, in case something is different between our routers to do with the timing of wan startup. (Have a look at the networking page afterward to be sure each vlan is where it belongs and that eth0 and eth1 haven't reappeared in the bridges.)

Then let's have a look at the log to look for anything suspicious. grep -v ' hostapd:' /var/log/messages will get you a version free of all the MAC-revealing messages about wifi connection. You might want to look at the log in the GUI also, just because it marks stuff in red and yellow that it sees as iffy. Probably the best time to look at the log is a couple of minutes after a boot, so that log truncation doesn't trim off old stuff that matters.

I wonder whether we're discovering something different between the WRT1900ACSV2 and the WRT3200ACM.


Sorry for not responding for some time. Anyways, I decided to start from scratch and Restore Factory Defaults, configure wifi as it was before, add br1 with dhcp and then apply your setup script on top of that.

...and it works perfectly now!!

All interfaces in br0 can communicate with each other. Same for br1, according to the following configuration:

Bridge Name    STP    Interface
br0            no     ath0 vlan1
br1            no     ath0.1 ath1 vlan3

I cannot tell the exact reason why it didn't work before restoring to defaults.

"It doesn't work! But why? Surprised It works! But why?"
In general a possible cause could be that I've been tinkering with my dd-wrt setup for a couple of months, trying to configure vlans with nvram, swconfig and UI all together. Meanwhile I was constantly upgrading the firmware (in hope there is something in that one build that can fix my vlaning problem). The upgrades could have been in conflict with my custom config.

Thanks again SurprisedItWorks for sharing the script!
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Mon Dec 31, 2018 2:07
That's great news, MatP! And now we know that the whole approach is good for both the WRT1900ACSv2 and WRT3200ACM!

Not surprised you did better starting over. It's easy to become entangled in various dd-wrt bugs, even version-specific ones, and sometimes our first workarounds (mine anyway) are not the greatest and can have weird side effects.

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Mon Jan 14, 2019 20:12
This is a quick update re a new dd-wrt release.

I just did this VLAN installation on my daughter's new WRT1900ACSv2 running BS release r38159, and I found that if I skipped the step that stopped and restarted the WAN in the startup commands, the bridging table did not pick up eth0 and eth1 in error as with earlier releases. However, I also found that if I commented out the wan-restart line, the WAN was not functional. I had no internet! Further, some Apply buttons (and Save Firewall) still misconfigured the bridging table. So the stopservice/startservice commands had to remain in.

diverts
DD-WRT Novice


Joined: 05 Mar 2019
Posts: 2

Posted: Sat Mar 16, 2019 18:57
SurprisedItWorks wrote:
This is a quick update re a new dd-wrt release.

I just did this VLAN installation on my daughter's new WRT1900ACSv2 running BS release r38159, and I found that if I skipped the step that stopped and restarted the WAN in the startup commands, the bridging table did not pick up eth0 and eth1 in error as with earlier releases. However, I also found that if I commented out the wan-restart line, the WAN was not functional. I had no internet! Further, some Apply buttons (and Save Firewall) still misconfigured the bridging table. So the stopservice/startservice commands had to remain in.


Thank you very much for the tutorial. I have just worked through it on a WRT1900ACS V2 on r39144. There was one glitch: the WAN port assignment to vlan2 in the GUI seemed to overwrite / negate the three bridging commands before it in the tutorial. Repeating them got to the required state. The startup commands seem to work fine.

My aim was to separate one LAN ethernet port and run a separate subnet isolated from the wireless and other ethernet ports. I am new to this and am assuming that selecting LAN isolation in the GUI is all one needs to do to separate the subnets and run both with the default firewall rules. Would one need to do anything else if one enabled IPv6? Not a big deal but it is there and the ISP pushes a prefix.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Sat Mar 16, 2019 21:00
Thanks for the heads-up re 39144. My VLANned routers are still on 38159, though 39144 is in their future soon. When I webflashed 38159 I was happy to discover that nothing special had to be done to get the VLANs working again. The router booted up with the bridge configurations and WAN selection just as they should be. (I haven't tested to see whether the stopping and starting of the wan service is still necessary.)

I've never even tried IPv6 in my router, as my vpn provider's dd-wrt instructions for setting up OpenVPN specify disabling it, and further, my ISP appears to offer only limited support for it.

I suspect you are good re isolation plans, though one heads up: if you go to more than two subnets, you may find that specifying isolation of the 2nd and 3rd, for example, isolates each from the 1st but not from each other. The last time I tested it, some months ago, that appeared to be the case. I finally just turned off isolation in all five of my subnets and put in firewall rules of the form

iptables -I FORWARD -i br0 -d 192.168.0.0/16 -m state --state NEW -j logdrop

one for each subnet, with br0 here replaced with the corresponding interface for each. Of course the logdrop can be replaced with DROP or REJECT as desired. It might seem strange here to prohibit access to seemingly all the subnets including the one corresponding to br0, but empirically it seems the firewall doesn't enter into things until a packet leaves the interface, so having one of these for every interface that corresponds to a subnet effectively puts walls between them. Perhaps someone with more than my minimal iptables experience can find a way that is less of a kludge.

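An added example, not part of the post above: a shell check that every subnet bridge has an inter-subnet drop rule of the form quoted in that post. The bridge names, the function names and the rule listing are constructed for illustration; on a router the listing would come from `iptables -S FORWARD`.

```shell
#!/bin/sh
# Added example (not from the thread): confirm each subnet bridge has a
# FORWARD rule dropping NEW connections to the private range.

# Constructed sample of `iptables -S FORWARD` output; br2 lacks its rule.
sample_rules() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -d 192.168.0.0/16 -i br0 -m state --state NEW -j logdrop
-A FORWARD -d 192.168.0.0/16 -i br1 -m state --state NEW -j DROP
-A FORWARD -i br2 -o eth0 -j ACCEPT
EOF
}

# Usage: missing_isolation "br0 br1 ..." [destination-net] < rule listing
# Prints every listed bridge that has no matching isolation rule.
missing_isolation() {
    awk -v bridges="$1" -v net="${2:-192.168.0.0/16}" '
    $1 == "-A" && $2 == "FORWARD" {
        iface = ""; dst = ""; tgt = ""; newstate = 0
        # Token order is not assumed; pick out the options one by one.
        for (i = 3; i < NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-j") tgt = $(i + 1)
            if (($i == "--state" || $i == "--ctstate") &&
                $(i + 1) ~ /(^|,)NEW(,|$)/) newstate = 1
        }
        blocks = (tgt == "logdrop" || tgt == "DROP" || tgt == "REJECT")
        if (iface != "" && dst == net && newstate && blocks)
            covered[iface] = 1
    }
    END {
        n = split(bridges, b, " ")
        for (k = 1; k <= n; k++)
            if (!(b[k] in covered)) print b[k]
    }'
}

# Stand-alone run on the constructed sample: reports br2.
sample_rules | missing_isolation "br0 br1 br2"
```

The check only looks for the presence of a rule per interface; an ACCEPT rule that sits earlier in the FORWARD chain would still take precedence over it.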
diverts
DD-WRT Novice


Joined: 05 Mar 2019
Posts: 2

Posted: Sun Mar 17, 2019 12:54
Thank you. I will play around with IPv6 when I have the opportunity.
The only other thing I would add to the tutorial is a reminder that any change to the Networking seems to reset the bridging to the default and a reboot (or I guess running the bridging commands might do it) is required to get the vlan operation up and running again.
Mnbadger
DD-WRT Novice


Joined: 13 May 2019
Posts: 1

Posted: Mon May 13, 2019 1:22    Post subject: WAN service won't start on 3200ACM
Hello everyone! Much thanks to all the contributors. With all the information on here I never suspected I'd need to ask for help but I've run into an issue that I haven't been able to resolve.

I've used the startup script on a fresh install of 39267 and have been having issues with my WAN service not starting. The odd part is when I install the script, then reboot, then switch WAN port to VLAN2 everything works perfectly. Unfortunately that only lasts until I reboot the 3200ACM. After reboot the WAN service doesn't seem to be starting or gets killed instantly. I also tried reinstalling the script and re-enabling VLAN2 for the WAN port. Oddly, it takes a fresh install to make it temporarily work again.

I reverted firmware back to the latest stable version and still had the same results. Suspect I'm missing one setting but have been driving myself crazy trying to find it. Has anyone else had this or could anyone point me to any potential culprits?

I did try restarting the WAN service through CLI as well.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Mon May 13, 2019 13:43
I'll go back and reread my first post above carefully and edit if this is really so, but it looks on a quick glance that I never mentioned going back into Setup>Networking and hitting the Save button. If after you change the WAN assignment to vlan2 you only Apply but do not Save, you will of course lose your new setting on a reboot. A Save is needed.

If it still misbehaves after Save is taken care of, we may have some weird race condition that calls for a sleep 10 or some such to be inserted in the startup commands at some critical point. But one thing at a time.

And for what it is worth, I run my VLAN setup on 39144 now with absolutely no problem. We do have different router models though. Yours being faster hardwarewise is what's making me wonder whether you might have a race condition.

TheDude1864
DD-WRT Novice


Joined: 26 Jan 2012
Posts: 6

Posted: Mon May 13, 2019 15:38    Post subject: Linksys WRT3200ACM with DD-WRT v3.0-r37305 with vlans
First of all, thank you for this post. I know this is an old thread, but I've been trying to figure out how to do VLANs with my WRT3200ACM for a while now, and this is the first good guide I found to doing it with the Linksys routers with Marvell CPUs.

I did some tweaks to your configuration to fit my needs, and I'd like to share some cool things.

I have a Linksys WRT3200ACM with DD-WRT v3.0-r37305

Here is my swconfig dev switch0 show output:

Code:
Global attributes:
   enable_vlan: 1
Port 0:
   mask: 0x0000: (0)
   qmode: 3
   pvid: 0
   link: port:0 link:up speed:1000baseT full-duplex
Port 1:
   mask: 0x0000: (1)
   qmode: 3
   pvid: 1
   link: port:1 link:down
Port 2:
   mask: 0x0000: (2)
   qmode: 3
   pvid: 1
   link: port:2 link:up speed:100baseT full-duplex
Port 3:
   mask: 0x0000: (3)
   qmode: 3
   pvid: 1
   link: port:3 link:up speed:1000baseT full-duplex
Port 4:
   mask: 0x0000: (4)
   qmode: 3
   pvid: 2
   link: port:4 link:up speed:1000baseT full-duplex
Port 5:
   mask: 0x0000: (5)
   qmode: 3
   pvid: 2
   link: port:5 link:up speed:1000baseT full-duplex
Port 6:
   mask: 0x0000: (6)
   qmode: 3
   pvid: 0
   link: port:6 link:up speed:1000baseT full-duplex
VLAN 1:
   port_based: 0
   vid: 1
   ports: 0t 1 2 3 6t
VLAN 2:
   port_based: 0
   vid: 2
   ports: 4 5
VLAN 3:
   port_based: 0
   vid: 3
   ports: 0t 6t
VLAN 4:
   port_based: 0
   vid: 4
   ports: 0t 6t

My startup script:
Code:

#switch config
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "6t 0t 1 2 3"
swconfig dev switch0 vlan 2 set ports "5 4"
swconfig dev switch0 vlan 3 set ports "6t 0t"
swconfig dev switch0 vlan 4 set ports "6t 0t"
swconfig dev switch0 set apply
#vlan config
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 1
vconfig add eth1 3
vconfig add eth1 4
ifconfig vlan1 up
ifconfig vlan3 up
ifconfig vlan4 up
#bridge config
brctl addif br0 vlan1
brctl addif br1 vlan3
brctl addif br2 vlan4
brctl delif br0 eth1
brctl delif br0 eth0
#wan service restart
(stopservice wan;startservice wan) 2>&1 | logger -t startup[$$]


Here are a few differences...

I don't use vlan2 for my WAN connection. When configuring the switch instead of using "5t 4" for vlan2, which sets up a tagged port 5 and an untagged port 4, I used "5 4" instead. This did a few things. First of all, untagged port 5 is eth0, so I don't have to change my WAN connection to vlan2. Second, now that my WAN port is back to eth0, I don't need vlan2 to exist in the router CPU at all. I don't set up vlan2 with vconfig, or set up the interface with ifconfig. This pretty much makes the WAN side of the router function exactly the same as the default ddwrt setup without vlans.

Something else I did that I haven't seen done on these routers anywhere else is a tagged connection to an external smart switch with multiple vlans over one cable. If you look at my switch config, ports 1,2,3 are untagged ports for vlan1, but port 0 is a tagged port carrying vlans 1,3,4. I've successfully set up 3 separate networks with DHCP.

Also, just a side note. I connect all of my vlans to bridges. The reason for this is the DHCP service. Much like how the WAN service has to be restarted after configuration, so does a DHCP service on a vlan that won't exist until after the startup script has run. By assigning my vlans to a bridge and then setting up DHCP on the bridge there is no need for any service restarts in the script. The DHCP service starts and attaches to the bridge, and you're good to go.

To the guy trying to set VID 35 on the wan port (port 4), all you need to do is configure a vlan in the switch with "5 4t". Then make sure to set the pvid for that vlan to 35 and it should all work.
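An added example, not part of the post above or of DD-WRT: a shell check over the VLAN section of that `swconfig dev switch0 show` output, reporting any port that sits in both the WAN VLAN (2 in the post) and another VLAN, or that is an untagged member of more than one VLAN. The function names and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit switch VLAN membership for
# ports that would join the WAN VLAN to a LAN VLAN.

# VLAN section copied from the swconfig output in the post above.
posted_vlans() {
cat <<'EOF'
VLAN 1:
   port_based: 0
   vid: 1
   ports: 0t 1 2 3 6t
VLAN 2:
   port_based: 0
   vid: 2
   ports: 4 5
VLAN 3:
   port_based: 0
   vid: 3
   ports: 0t 6t
VLAN 4:
   port_based: 0
   vid: 4
   ports: 0t 6t
EOF
}

# Usage: vlan_audit <wan-vid> < swconfig output
# Prints one finding per line, sorted:
#   "wan-shared <port>"      port is in the WAN VLAN and in another VLAN
#   "multi-untagged <port>"  port is untagged in more than one VLAN
vlan_audit() {
    awk -v wan="$1" '
    $1 == "vid:"   { vid = $2 }
    $1 == "ports:" {
        for (i = 2; i <= NF; i++) {
            port = $i
            tagged = sub(/t$/, "", port)   # a trailing "t" marks a tagged member
            if (vid == wan) inwan[port] = 1; else other[port] = 1
            if (!tagged) untag[port]++
            seen[port] = 1
        }
    }
    END {
        for (p in seen) {
            if (inwan[p] && other[p]) print "wan-shared " p
            if (untag[p] > 1)        print "multi-untagged " p
        }
    }' | sort
}

# Stand-alone run on the posted layout: no findings, so nothing is printed.
posted_vlans | vlan_audit 2
```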
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Mon May 13, 2019 22:34
Very, very cool! To edit this thread's original configuration to incorporate your simplified approach to the wan, here's what I did:

A. set "WAN Port Assignment" to eth0 and saved without applying,

B. in the Administration>Commands Startup code,

1. changed "5t 4" to just "5 4" in the swconfig of vlan 2,
2. removed the vconfig and ifconfig lines for vlan 2,
3. removed the wan restart and "brctl delif br0 eth0" lines.

Then I just rebooted. Step B3 is of course unnecessary, but the extra simplification seemed harmless. Everything seems to work fine!

More to follow after your next suggestion below. (Yes, this is an edited post.)



Last edited by SurprisedItWorks on Fri May 17, 2019 14:36; edited 1 time in total