CLI version of GUI "unbridging" vlan3

newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 65

PostPosted: Tue Sep 25, 2018 23:48    Post subject: CLI version of GUI "unbridging" vlan3
Hi,

I'm setting up vlans (starting by adding vlan3 to the existing vlan1+2) and I'm following the instructions from e.g. "https://wiki.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_(Separate_Networks_With_Internet)#VLAN_configuration_of_port_4", where items 6-9 specifically say to use the GUI to do this (I'm creating VLAN3, the instructions create VLAN6):
Quote:
Go to Setup -> Networking.
Under "Port Setup" set VLAN6 to Unbridged.
Set the IP Address to 192.168.5.1
Set the Subnet Mask to 255.555.255.0

I'm trying to understand, what exactly does it mean to have the interface "unbridged"? Why should it be "unbridged"? Do I really have to unbridge, or can I do something from the command line (CLI) with e.g. iptables (I was under the impression that everything with VLANs could be set up without the GUI and that the CLI should also be better)? Does pushing the "unbridged" radio button change nvram variables and if so, which? What does it correspond to, if I should "unbridge" using a script?
I saved iptables-stuff (only filter-table) just before and after I enabled the "unbridged" network interface. It seems to me that unbridged at least does this:

* It adds a single (unnecessary, right?) rule to the default OUTPUT-chain:
Code:
Chain OUTPUT (policy ACCEPT 24 packets, 2294 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  400  151K ACCEPT     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           

* It adds 2 lines/rules to the FORWARD-chain (it drops everything in the last rule, so here I understand the rule is to accept whatever is forwarded from br0 to vlan2, which is WAN I think - why is it necessary, that I don't understand):
Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  vlan3  *       0.0.0.0/0            0.0.0.0/0           
   40  6859 ACCEPT     0    --  br0    vlan2   0.0.0.0/0

* It adds 2 lines/rules to the INPUT-chain (again, the last line drops br0-traffic and it's easier for me to understand the vlan3-line/lines than the br0-lines):
Code:
  105 17818 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  vlan3  *       0.0.0.0/0

But I'm sure/convinced more is happening in the background, e.g. with nvram-variables? I also don't completely understand the role of bridge 0, "br0", here (I've read and understand it's the default LAN-bridge, so why does unbridging add these iptables-rules to br0, that I'm not sure I fully understand)... Could anyone help my understanding a bit by explaining what the "unbridged"-radio button does etc?


Last edited by newsboost on Thu Sep 27, 2018 17:39; edited 2 times in total
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 65

PostPosted: Wed Sep 26, 2018 22:35
Update: I dug even more and discovered that "ebtables -t broute -L" is the same before and after "unbridging" e.g. vlan3. I think otherwise ebtables can do something with dropping packages from a bridge, that is what I intuitively understand of "unbridging" - but in the DDWRT-sense, apparently "unbridging" means something completely different, because "unbridging" in the GUI does not change ebtables.

I then thought I wanted to try "iptables -L -v -n -t nat" before and after "unbridging" and from this I learned that something happens to the POSTROUTING-chain of the nat-tables (the last line has been added after "unbridging" vlan3 from the GUI and the 192.168.3.0/24 is exactly the "unbridging IP address + subnet mask" from the GUI):
Code:
   54  4770 SNAT       0    --  *      vlan2   192.168.1.0/24       0.0.0.0/0           to:83.88.58.172
    0     0 SNAT       0    --  *      vlan2   192.168.3.0/24       0.0.0.0/0           to:83.88.58.172

So, vlan2 is the "WAN Port Assignment" according to "Port Setup" on http://192.168.1.1/Networking.asp... I read that this means "Source NAT; change the source address of connections". So if I understand it correctly, this last line changes the source IP address of the packets, for those with source address from vlan3 - into the external WAN IP address and the line can be constructed manually using:
Code:
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o vlan2 -j SNAT --to 83.88.58.172
Why is this process called "unbridging"? I don't understand it, sorry... If it was something that had to do with brctl or removing vlan3 from "br0", I would have an easier time understanding "unbridging vlan3"... I'm a VLAN-noob, I would very much appreciate if someone has time to write a few words and help my understanding of these topics, thanks!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5909
Location: Netherlands

PostPosted: Thu Sep 27, 2018 12:34
Unbridging in this case means decoupling of br0.
You have to set up vlan3 on its own bridge (e.g. br1 or just use vlan3) and you have to give this bridge its own IP address (e.g. 192.168.3.1).
The GUI makes firewall rules to give internet access (POSTROUTING rule masquerading to WAN interface) and connects to br0 (FORWARD rule to br0)(unless you tick net isolation).
It is really simple (LOL it's not :( )

I have one of my routers with a guest wifi on br1 and use one ethernet port which I unbridged and set to br1 so that guests can use that lan port.
In this case it is isolated from the main net (Net isolation)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 65

PostPosted: Thu Sep 27, 2018 18:21
egc wrote:
Unbridging in this case means decoupling of br0.
But this is exactly what I don't understand... If I follow the first step in the GUI-tutorial of "https://wiki.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_%28Separate_Networks_With_Internet%29" + save + apply changes and go to http://192.168.1.1/Networking.asp, then I see that "br0" has the 3 interfaces: eth1, eth2, vlan1. It doesn't have vlan3?!? It confuses me: How can vlan3 become "unbridged", when it's not even really "bridged" (by this I mean: It's not even in the br0-bridge)? Is the GUI hiding something from me, the user? Also, if I log in with SSH/telnet, just after assigning vlan3 to a physical lan port and just before "unbridging", this is what I see:
Code:
# brctl show
bridge name   bridge id      STP enabled   interfaces
br0      8000.9c3dcf8b8705   no      eth1
                     eth2
                     vlan1
Nothing about vlan3 in "br0", this confuses me... Neither the "default" radio button nor the "unbridged"-radio button seems to make vlan3 part of br0?
Quote:
You have to set up vlan3 on its own bridge (e.g. br1 or just use vlan3) and you have to give this bridge its own IP address (e.g. 192.168.3.1).
The GUI makes firewall rules to give internet access (POSTROUTING rule masquerading to WAN interface) and connects to br0 (FORWARD rule to br0)(unless you tick net isolation).

I understand what to do in the process, but not why. It confuses me that "unbridging" for instance didn't remove vlan3, from br0... Example: Say, e.g. that after I created the vlan3 (from the VLAN-GUI tab) and assigned vlan3 to physical port 2 and I then ran the "brctl show"-command and I could see in addition to eth1+eth2+vlan1, that DDWRT had added vlan3 - THEN it would all make sense to me (because then "unbridging" would remove vlan3 from br0, as shown by "brctl show")...

You also wrote that "The GUI makes firewall rules to give internet access (POSTROUTING rule masquerading to WAN interface) and connects to br0 (FORWARD rule to br0)". How does it connect to br0 (it begins to make sense to me, if you say that I can see how it does it, by examining the INPUT and OUTPUT chain-rule-differences, which was posted above here)?

I checked again my saved iptables-text-files, this is what was added after "unbridging" - to the FORWARD-chain:
Code:
    0     0 ACCEPT     0    --  vlan3  *       0.0.0.0/0            0.0.0.0/0           
   40  6859 ACCEPT     0    --  br0    vlan2   0.0.0.0/0

I think the first forward-rule says: Packages from vlan3 are allowed to be forwarded to * which I think is all the other router interfaces. The next forward-rule I think says that br0 is allowed to be forwarded to the WAN-side of the router, e.g. the internet...
If it connects vlan3 to br0 using iptables (which I think, by changing INPUT/FORWARD/OUTPUT-chains), why couldn't it just have added vlan3 to "br0" or would that defeat the purpose of having a vlan? Sorry for asking stupid question(s), I'm trying to learn and understand, as I understand what to do in the process, but I just don't understand why it should be done this way or why DDWRT works this way :)

Quote:
It is really simple (LOL it's not Sad )
I think it's simple for everyone once they've learned it - which I obviously haven't yet (LOL) :)

Quote:
I have one of my routers with a guest wifi on br1 and use one ethernet port which I unbridged and set to br1 so that guests can use that lan port.
In this case it is isolated from the main net (Net isolation)
I also want to do something like that later, but right now I would rather not create br1 (I would rather just stick with vlan3, after the KISS-principle) before I understand what's going on "behind the scenes of the GUI-interface"...

I'm really truly grateful for your time, trying to help me understand things better, thanks a lot :)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5909
Location: Netherlands

PostPosted: Fri Sep 28, 2018 12:44
Well first of all not all versions are equal; we have K2.6 mini versions, K3 mega and big K4 versions, there probably are differences between these and there certainly are differences when using different build numbers.

I will start with how it is supposed to work :)
On the VLAN page you can take a port out of VLAN2 and assign it to VLAN3. I did this with port 4.
In the last column you can choose to assign this VLAN3 to LAN (which is br0) or to none.
When assigning to LAN (br0) you should see firewall rules like FORWARD -i vlan3 -o br0 -j ACCEPT and vice versa, and also INPUT rules to allow VLAN3 to reach the router itself (that is what INPUT rules are for).
I think no NAT rules are necessary in this case as VLAN3 is on the same subnet and the subnet is NATted already.

But when you try this you will see that it is not working and after refreshing or reboot, instead of assigned to LAN there is None, so you can not assign VLAN3 to br0, but I am sure that there are versions where this is working.
However it is not strange because if you want it to be part of br0 you could just leave it like that.

On the Networking page you can see VLAN3 under port setup, and under Bridging Assignment it shows default, this is what you set under VLAN, assigned to bridge, as this is always None (in my version) VLAN3 is not connected to anything and there are no firewall rules regarding VLAN3.
When you unbridge it and give it its own IP you will have firewall rules forwarding VLAN3 and connecting VLAN3 with br0 (also INPUT rules to get to the router).
If you enable Masquerading you will have a NAT rule NATting your IP range of VLAN3 out via the WAN.

If you tick Net Isolation you will see a rule preventing New traffic from br0 to VLAN3 and preventing traffic from VLAN3 for the main subnet (192.168.1.0/24)

I am by no means a Guru in networking and firewalling so this is just how I understand that it should work :)

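The rules egc lists above (INPUT and FORWARD accepts for the new VLAN, a NAT rule out via the WAN interface, and the two Net Isolation drops) can be written down as a small POSIX-sh generator, which is the CLI counterpart the thread title asks for. This is an added example, not code from the thread or from DD-WRT's own firmware: the names vlan3, br0, vlan2, 192.168.3.1/24 and 192.168.1.0/24 are taken from the thread as assumptions, and the functions cidr_of and gen_unbridge_rules are hypothetical helpers. It prints the commands instead of running them, so they can be checked before being piped to sh on the router, and it uses MASQUERADE where the GUI listing earlier in the thread used a fixed SNAT --to address.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: print the commands
# that reproduce what the thread observed the "Unbridged" radio button doing
# (own IP on the VLAN, INPUT/FORWARD accepts, NAT out via WAN, optional
# Net Isolation). Nothing is executed here; review the output, then pipe it
# to sh on the router. Interface names and addresses are assumptions.

# cidr_of IP NETMASK -> NETWORK/PREFIX  (192.168.3.1 255.255.255.0 -> 192.168.3.0/24)
cidr_of() {
    ip=$1; mask=$2
    oldifs=$IFS; IFS=.
    set -- $ip;   i1=$1; i2=$2; i3=$3; i4=$4
    set -- $mask; m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$oldifs
    prefix=0; rest_zero=0
    for m in $m1 $m2 $m3 $m4; do
        # once a partial octet is seen, every later octet must be 0
        if [ "$rest_zero" = 1 ] && [ "$m" != 0 ]; then
            echo "cidr_of: non-contiguous netmask $mask" >&2; return 1
        fi
        case $m in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)); rest_zero=1 ;;
            252) prefix=$((prefix + 6)); rest_zero=1 ;;
            248) prefix=$((prefix + 5)); rest_zero=1 ;;
            240) prefix=$((prefix + 4)); rest_zero=1 ;;
            224) prefix=$((prefix + 3)); rest_zero=1 ;;
            192) prefix=$((prefix + 2)); rest_zero=1 ;;
            128) prefix=$((prefix + 1)); rest_zero=1 ;;
            0)   rest_zero=1 ;;
            *)   echo "cidr_of: bad netmask octet $m" >&2; return 1 ;;
        esac
    done
    echo "$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).$((i4 & m4))/$prefix"
}

# gen_unbridge_rules IFACE IPADDR NETMASK WANIF [ISOLATE 0|1] [LAN_SUBNET]
gen_unbridge_rules() {
    iface=$1; ipaddr=$2; netmask=$3; wanif=$4
    isolate=${5:-0}; lan=${6:-192.168.1.0/24}
    subnet=$(cidr_of "$ipaddr" "$netmask") || return 1

    echo "ifconfig $iface $ipaddr netmask $netmask up"
    # DD-WRT's INPUT and FORWARD chains end in a DROP rule (see the listings
    # in the thread), so every rule is inserted at the top (-I), not appended
    # behind the DROP (-A).
    echo "iptables -I INPUT -i $iface -j ACCEPT"              # DHCP/DNS on the router
    echo "iptables -I FORWARD -i $iface -o $wanif -j ACCEPT"  # VLAN -> internet
    echo "iptables -I FORWARD -i $iface -o br0 -j ACCEPT"     # VLAN -> main LAN
    echo "iptables -I FORWARD -i br0 -o $iface -j ACCEPT"     # main LAN -> VLAN
    # MASQUERADE instead of a fixed "SNAT --to", so a WAN IP change needs no edit
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $wanif -j MASQUERADE"
    if [ "$isolate" = 1 ]; then
        # Emitted last because -I puts them on top, where they must sit to
        # win over the ACCEPT rules above: no new sessions from br0 into the
        # VLAN, and nothing from the VLAN toward the main subnet.
        echo "iptables -I FORWARD -i br0 -o $iface -m state --state NEW -j DROP"
        echo "iptables -I FORWARD -i $iface -d $lan -j DROP"
    fi
}

# usage (prints only):  gen_unbridge_rules vlan3 192.168.3.1 255.255.255.0 vlan2 1
```

Two caveats the GUI handles for you and this script does not: it touches none of the nvram variables the thread lists (vlan3_ipaddr, vlan3_netmask, vlan3_bridged), so the Networking page will not show the VLAN as unbridged, and iptables rules typed in by hand are gone after a reboot unless they are saved as the router's firewall script. The order of the isolation rules is the part worth checking on the live router with iptables -L FORWARD -v -n: they only work if they are listed above the ACCEPT rules.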
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 65

PostPosted: Sat Sep 29, 2018 1:57
egc wrote:
Well first of all not all versions are equal; we have K2.6 mini versions, K3 mega and big K4 versions, there probably are differences between these and there certainly are differences when using different build numbers.

I will start with how it is supposed to work :)
On the VLAN page you can take a port out of VLAN2 and assign it to VLAN3. I did this with port 4.
In the last column you can choose to assign this VLAN3 to LAN (which is br0) or to none.
You're right, thanks a lot for reminding me of this... Because I've never had luck with that. If I choose "none" and then try to set it to LAN it doesn't complain... In fact the GUI vlans look just right for about 1-2 minutes. But when I then refresh the VLAN-page, I see that DDWRT sets e.g. VLAN3+ back to "none".
Quote:
When assigning to LAN (br0) you should see firewall rules like FORWARD -i vlan3 -o br0 -j ACCEPT and vice versa, and also INPUT rules to allow VLAN3 to reach the router itself (that is what INPUT rules are for).
It's great you're telling me, thanks... Because I cannot choose the "LAN"-setting (under "Assigned to bridge"); it just turns into "none" after a while, so I've given up on this, at least using the GUI... But it's really fantastic and meaningful for me to understand that I guess ddwrt is supposed to work like you write here (with "FORWARD -i vlan3 -o br0 -j ACCEPT"). So I trust that if the "LAN"-setting worked here at my place, then my VLAN3 would become bridged (caveat: not meaning that vlan3 will be part of br0 as "brctl show" would tell, but as I understand it, the iptables rules will allow vlan3 traffic to/from br0)... And then it makes total sense to later "unbridge" it under "Settings/Networking"... The labeling of the radio button "default" is just confusing, for "none" as "assigned to bridge", which is the only thing that works for me... Thanks.
Quote:
I think no NAT rules are necessary in this case as VLAN3 is on the same subnet and the subnet is NATted already.
I'm not sure I completely understood that sentence, but I agree that until I enable "multiple dhcp-servers" and use that (or manually) change dnsmasq.conf such that the router will hand out e.g. 192.168.3.0/24-addresses to vlan3, then vlan1 and vlan3 must be on the same subnet, I think I understand that part (part of same subnet, but traffic still comes from different vlans, e.g. vlan1 and vlan3, which is allowed by iptables-rules)...
Quote:
But when you try this you will see that it is not working and after refreshing or reboot, instead of assigned to LAN there is None, so you can not assign VLAN3 to br0, but I am sure that there are versions where this is working.
I totally agree with your observations/explanation, I've seen the same, this is really great for me to know/understand or get this explanation, thanks!
Quote:
However it is not strange because if you want it to be part of br0 you could just leave it like that.
You mean: I can leave the iptables rules such that vlan3-packages to br0 will be accepted and vice-versa, right? Or I can choose to block from vlan3 to br0 and vice-versa (e.g. by either clicking/choosing "isolation" when unbridging or manually, in which case I might need to open udp/tcp port 53 and a few extra things to get dhcp-server and internet access working). I think I understand (I posted some iptables rules before/after doing these changes earlier, I've learnt something from that also), thanks.
Quote:
On the Networking page you can see VLAN3 under port setup, and under Bridging Assignment it shows default, this is what you set under VLAN, assigned to bridge, as this is always None (in my version) VLAN3 is not connected to anything and there are no firewall rules regarding VLAN3.
Yep, ok, got it, thanks (I checked my iptables-rules at this stage of the process, you're right, I agree)...
Quote:
When you unbridge it and give it its own IP you will have firewall rules forwarding VLAN3 and connecting VLAN3 with br0 (also INPUT rules to get to the router).
if you enable Masquerading you will have a NAT rule NATting your IP range of VLAN3 out via the WAN
Yes, thanks I begin to understand it much better now, thanks a lot!
Quote:
If you tick Net Isolation you will see a rule preventing New traffic from br0 to VLAN3 and preventing traffic from VLAN3 for the main subnet (192.168.1.0/24)
I agree, I'm understanding it much better now, thanks!
Quote:
I am by no means a Guru in networking and firewalling so this is just how I understand that it should work :)
It has helped me a lot to read what you've described, I'm very grateful for that, it's really difficult to google to find exactly these answers (I tried, I didn't succeed so I had to ask here)... It's been a great help for me, to see this explanation, thanks a lot!

I did a bit more "investigation" of what the GUI exactly does. I also saved the nvram variables before/after "unbridging" and this is what I can see happens: After unbridging, DDWRT will add a lot of extra nvram-variables, which I guess makes it a bit difficult to use command-line interface to do everything. This is what happened for me:

DDWRT will add these nvram variables (which are variables that didn't exist before clicking "unbridge" and applying changes) after "unbridging" vlan3:
Code:
> vlan2_mtu=1500
> mdhcpd=
> vlan1_label=
> bridgesif=
> eth2_label=
> vlan3_label=
> eth1_label=
> br0_txq=1000
> bondings=
> vlan2_txq=1000
> eth0_label=
> bridges=br0>Off>32768>1500
> vlan_tags=
> br0_mtu=1500
Question: Maybe all the variable that are equal to "nothing" can be safely ignored as it probably wouldn't matter if they existed or not, I'm guessing so (I think the other variables are network parameters which are also shown in the GUI)? It's also maybe a little "mind boggling" that after "unbridging" vlan3, DDWRT sets the nvram variable "bridges=br0>Off+some numbers", I wonder a bit what it means by "br0>Off" but maybe this just tells the GUI to show the user that the "unbridged" radio button should be selected? Anyway, I also found out DDWRT will CHANGE these nvram variables, after "unbridging" vlan3:
Code:
< vlan3_netmask=0.0.0.0
> vlan3_netmask=255.255.255.0
This is clearly understood...

Code:
< wan_lease=144071
> wan_lease=143822
This I don't understand, it's probably just a counter or not important...

Code:
< vlan3_ipaddr=0.0.0.0
> vlan3_ipaddr=192.168.3.1
Obviously easy to understand...

Code:
< traff-09-2018=(A LOT OF NUMBERS, I HAVE NO IDEA WHAT THESE NUMBERS MEAN - MAYBE THEY'RE JUST PACKET COUNTERS, SO REALLY NOT IMPORTANT AT ALL, I GUESS?...)
> traff-09-2018=(AGAIN MANY NUMBERS, SLIGHTLY CHANGED)

Code:
< vlan3_bridged=1
> vlan3_bridged=0
If it wasn't for the "bridges=br0>Off>32768>1500"-variable I would have guessed that this last variable ("vlan3_bridged") just tells the GUI which radio button should be selected (unbridged or default)... But we cannot have 2 variables telling which radio button to show in the GUI... Anyway, I guess this has no real effect as iptables rules determine what traffic is allowed to where. If anyone knows what it means, it could be nice to hear/read a bit more - but only "nice-to", not necessary for me to understand everything. It looks like there are a bit too many variables to manually change, if I should do the "unbridging" of vlan's completely from the command line...

I think I've learned enough now and need to start practicing iptables-rules in the weekend, making a great and more secure-than-now home-segmented network using different vlan's with iptables, I look forward to this, now I better understand things, thanks, LOL! :)
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5702
Location: Akershus, Norway

PostPosted: Sun Oct 14, 2018 9:23
"bridges=br0>Off>32768>1500"

This is the set-up for br0

STP=off
Prio=32768
MTU=1500
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 65

PostPosted: Wed Oct 24, 2018 9:36
Per Yngve Berg wrote:
"bridges=br0>Off>32768>1500"

This is the set-up for br0

STP=off
Prio=32768
MTU=1500
Hi Per, sorry for the late reply, I've missed this post... It wasn't so much exactly br0 I was curious about (I'm also not completely sure what those numbers mean and why/when to change them)... I was (am) mostly interested in - or curious about - the "command line"-method for GUI "unbridging" e.g. vlan3/vlan4/vlan5 etc, because I didn't feel I understood what happened "under the hood" - and wanted to better understand this "unbridging".

So far I understand the GUI "unbridging"-process as a combination of many things (maybe too many, so maybe I'll not make a script as I initially thought): There are several ipchanges/nvram-variables changes and it's still not completely clear for me, what is required and what is not (if I make a script using iptables do I then really also have to set all those nvram-variable changes etc?).

It confused me that if I create a new vlan, e.g. vlan 3/4/5, they're not automatically part of br0 ("part of" defined as "appears when using the 'brctl show'-command").

Instead some iptables-stuff happens to bridge traffic to/from the newly created vlan... So therefore I tried to make some comparisons before/after. I think it's a really good idea for me to compare iptables and nvram-variables before/after I've changed something in the GUI... Recently, I made a little script and in the future I will just "diff" 2 text-files (before GUI-change+after GUI-change) to learn more. After the coming weekend (next week) I plan to continue and further investigate my IOT/VLAN-segmentation-experiment/setup! Thanks for your interest/help though, much appreciated!