Cannot make wireless interfaces to VLANs (multiple devices)

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2
Author Message
newsboost
DD-WRT Novice


Joined: 05 Jul 2018
Posts: 32

PostPosted: Fri Oct 11, 2019 0:04    Post subject: Reply with quote
egc wrote:
newsboost wrote:
But still not working... I imagine things are a bit complicated, because I have VLAN10 devices both on the primary router (br1), as well as on the secondary router (br1 in this case, but it could've been something else, e.g. br2/3/4...) - and I want both to see each other. If VLAN10 was only on one router, I think I would not struggle so much as I do now...
egc wrote:
(Do not ask me about the VLAN's, I am not expert in that department)
Yeah, it's not so easy... Thanks a lot for your input though, I need to look into setting up static routes for VLANs. I don't really know how to proceed from here... I would be very grateful for any hints here, thanks! Smile

I just picked out the things I know:
when using the firewall rule on the secondary router the packets can indeed no longer be identified as coming from another subnet/bridge.
If you want this subnet not to access anything on your local network you add another firewall rule on the secondary router to block this, a rule like the following would do the blocking:
Code:
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

This rule blocks anything from br1 on your secondary router accessing your local network but you still have internet access.
I'm really happy about the feedback and help. But that command on the secondary router made it such that I had no internet access. I think it's because "-d $(nvram get lan_ipaddr)/$(nvram get lan_netmask)" corresponds to "192.168.1.3/255.255.255.0", where 192.168.1.3 is the IP address of the secondary router. So devices on the secondary router, on VLAN 10 (on 192.168.10.xx ip addresses) cannot access 192.168.1.3 anylonger (which is the IP address of the secondary router), hence they lose their internet connection, right (you wrote "but you still have internet access")? At least I lose the internet connection (VLAN 10 on the secondary router, VLAN 10 devices on the primary router are not affected by this rule, so no change for these devices). I'm thinking, in the weekend (saturday/sunday I have time), I'll see how to open up traffic to the router using iptables, but VLAN 10/192.168.10.xx devices should not have access to the routers webUI/ssh etc. Besides this, I think I understand the solution, thanks a lot!
egc wrote:
But you argument is valid and you can set a static route on the primary router.
I have not followed your thread that well but if I understand it correctly your primary router has br0 and br1, the latter is with VLAN10 and your secondary router is connected on this VLAN10 wired port.

If your secondary router also has a br1 with subnet 192.168.20.0/24 and you do not want the firewall rule on the secondary router then on your primary router you have to route traffic destined for this subnet via 192.168.1.2 (the IP address of your secondary router)
So set a static route on your primary like:
ip route add 192.168.20.0/24 via 192.168.1.2 dev br1

Normally you will not have to add the device the router nows what to pick, if your secondary router is not connected via vlan10/br1 you have to use dev br0
It's really great you wrote this part about fixing it on the primary router, even though I think it isn't/wasn't completely what I had to do, it has given me new ideas to work with in the coming weekend. I tried you suggestion and on the primary router, I wrote:
Code:
# ip route add 192.168.10.0/24 via 192.168.1.3 dev br1
RTNETLINK answers: No such process
I googled and tried various thing, among these:
Code:
# route add -host 192.168.1.3 dev br1
which lead to this new line:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.3     *               255.255.255.255 UH    0      0        0 br1
Then I tried:
Code:
# ip route add 192.168.10.0/24 via 192.168.1.3 dev br1
RTNETLINK answers: File exists
So, I imagined I had to delete and recreate (=add the new) the rule:
Code:
# route del -net 192.168.10.0 netmask 255.255.255.0 dev br1
# ip route add 192.168.10.0/24 via 192.168.1.3 dev br1
I discovered that with this solution, things on the secondary router are actually as you wrote! I have internet access, for VLAN 10 on the secondary router now. But I also learned that by the "delete"-command I lost internet access for VLAN 10 on the primary router. So I've been googling and seeing if there's a way to join/merge the two VLAN 10's (br1 on the primary as well as on the secondary router), by having two route-lines, something kind of "fallback to primary router". But with the "RTNETLINK answers: File exists"-error message I begin to doubt if that is possible. Still, I'm EXSTREMELY happy that you learned me this, because I think I can live with this - or work with the iptables-solution on the secondary router (in the top of this post). So I think in the weekend, I can work with these things and add more VLANs/more bridges and I definately have a better understanding now of e.g. the routing table than before you helped me... So I'm extremely happy and grateful for your time here, thanks!
egc wrote:
If you are gong with the static route way and have setup this correctly you still will not have internet access.
Why?
Because your main router is also DDWRT and this only NAT's traffic from its own subnet out onto the internet (most commercial routers and other software NAT all traffic).
So to correct this you also have to add the following firewall rule on your primary router:
Code:
iptables -t nat -A POSTROUTING -o $(get_wanface)-j MASQUERADE
Sorry I'm not sure I completely understand that command and now I can't remember if I tested this command or not. Because you wrote "you still will not have internet access", but I think I did have internet access, at least for some devices (VLAN 1 or VLAN 10). As you can hear, I haven't had too much time - I'll work more with this in the weekend, thanks a lot!
egc wrote:
This is a rather broad rule normally I would specify the -s source (that is how @eibgrad taught me) but in this case I am a bit lost about the source Smile
I think the source is maybe "192.168.10.0/24" - or "192.168.1.0/24", sorry things are going a bit slow for me now. I'll experiment more with these things in the weekend, for now I'm just really grateful, that you've pointed me in the right direction and opened my eyes with new ideas that I can use as inspiration for future experiments/testing...
egc wrote:
I am sorry I can not be more specific, your thread is a kind of TL;DR and I am at the moment busy with other DDWRT projects.

Oh one word of advice you mention disabling routing, I would not do that, the same holds true for disabling gateway mode just leave all that at its default state. disabling routing or gateway mode tends to break things
No, don't worry, I understand it's kind of TL;DR and I fully understand we have other work to do also. It's great you wrote about disabling gateway mode and routing: I'll also revert that in the weekend, thanks a lot.

I think this thread is now so long that I don't expect more replies. The most important thing for me is that you (and bkaskar) both helped me enough so that I think I can figure out the rest of the details in the weekend, so I can have 2-routers and multiple VLANs with opensource firmwares - one way or the other I think I know have learned enough to make it work (either with iptables on secondary router or with routing table on primary router). Maybe I won't get the prettiest or most perfect textbook iptables-configuration or routing table, but with time I hope I'll learn more and I feel with your feedback (both of you) I can now finish the project and I believe and am optimistic about adding more VLANs, using the methodology and inspiration I've learned from you and bkaskar.
Thanks a lot for really great help and friendly advice on topics I couldn't have googled or learned otherwise in reasonable time, as I feel it's slightly complicated for ordinary people, I hope I can also help other people here and will follow the forum for a while in near future to learn/share more!
Sponsor
Goto page Previous  1, 2 Display posts from previous:    Page 2 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum