Cannot make wireless interfaces to VLANs (multiple devices)

newsboost
DD-WRT Novice


Joined: 05 Jul 2018
Posts: 43

PostPosted: Sun Sep 22, 2019 4:28    Post subject: Cannot make wireless interfaces to VLANs (multiple devices)
Hi. I have 2 routers with 2 switches and the following physical layout:

    1) Asus RT-ACU87U-router at internet entry point (connected to cable modem with internet coming in my home here)
    2) TP-LINK Gigabit Smart Switch TL-SG2210P (easy setup I think)
    3) DGS-1100-08P Gigabit Ethernet Switch (easy setup I think)
    4) Netgear R7000 in a room with several IOT-devices

I want all my internet-of-things devices to be at VLAN10 (LED-lights, media-stuff incl. TV, thermostats) and isolated from VLAN1 (normal devices). Current status is:

    a) I can plug in a network cable directly to the main (Asus) router's physical port 2 and the attached device (a laptop here) gets a DHCP-assigned IP in the 192.168.10.xx range.
    b) I can *also* plug in a device to a LAN port on my secondary router (R7000), which also gets an IP address in the VLAN 10 segment's range - this indicates the trunk port setup between both routers is ok.
    c) However: On the secondary router, the Netgear R7000 (which works as a switch), neither of my wl-interfaces works now... I want the wl0.2 interface as VLAN 10 and all other wl-interfaces as VLAN 1 - but nothing works. I cannot connect to any of the SSIDs anymore. So, I guess it's not just a question of adding wl0.2 to a bridge... The secondary router isn't even a DHCP server - data must go through 2 managed switches before it reaches the DHCP server..? I've searched a lot, but not many people have this problem...

My configuration and what I've done until now (numbers 1-4 refer to the devices shown above):


1) Asus RT-ACU87U
This is my main router (running AsusWRT at 192.168.1.1) and it serves as the only DHCP server. I've successfully set up one of the ports to be VLAN10 through bridge br1 and when I plug into this physical port, the device gets an IP at 192.168.10.xxx (instead of, for VLAN 1, 192.168.1.xxx):

cat /jffs/scripts/services-start
Code:
#!/bin/sh
logger -t "$0" "Hey, I'm working - in /jffs/scripts/..."

# Tagging LAN-port 1 + CPU, LAN-ports2-4 are access ports:
#Model    {  WAN  L1  L2  L3  L4  CPU }
#RTAC87U: {   0,   5,  3,  2,  1,   7 }
robocfg vlan 1 ports "1 2 5t 7t"
robocfg vlan 10 ports "3 5t 7t"

vconfig add eth0 10
ifconfig vlan10 up

brctl addbr br1
brctl addif br1 vlan10
ifconfig br1 192.168.10.1 netmask 255.255.255.0 up

nvram set lan1_ifnames="vlan10"
nvram set lan1_ifname="br1"
nvram set lan1_ipaddr=192.168.10.1

# not exactly sure what the below does and if it's necessary (but I do know the dnsmasq.conf.add is required)!
killall eapd
eapd

cat /jffs/configs/dnsmasq.conf.add
Code:
#
...
interface=br1
dhcp-range=br1,192.168.10.100,192.168.10.200,255.255.255.0,1440m
dhcp-option=br1,3,192.168.10.1
dhcp-option=br1,6,192.168.1.1,0.0.0.0

cat vlanTESTrunThis.sh
Code:
## Fix dnsmasq not listen to br1
iptables -I INPUT -i br1 -j ACCEPT

# Allow guest wifi to access DHCP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

# Allow guest wifi to access DNS
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# br1 wan access:
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $(nvram get wan_ipaddr)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

# block br1 from accessing br0:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# Keep br1 from accessing the router
iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j DROP

After the main router restarts I can run the "vlanTESTrunThis.sh"-script and:
Code:
# brctl show
bridge name   bridge id      STP enabled   interfaces
br0      8000.14dda9cb4040   yes      vlan1
                     eth1
                     wl0.1
br1      8000.14dda9cb4040   no      vlan10

I think the setup for both subsequent smart switches is ok (generally access ports are for devices to VLAN 1):


2) TP-LINK Gigabit Smart Switch TL-SG2210P:
The cable from the router port 1 above goes into switch port 8 and out again from port 2. I have set up 2 VLANs using the web UI and have 2 trunk ports:

Code:
VLAN ID    Name         Untagged Ports    Tagged Ports
   1     Default VLAN     1,3-7,9-10               2,8
  10     IOT_N_MEDIA                                   2,8
PVID = 1 for all ports, so VLAN 1 is default.



3) DGS-1100-08P Gigabit Ethernet Switch:
The cable from port 2 above goes into port 1 and from port 8 to another room, where I have the second/last router. Config for this switch is:
Code:
VLAN ID    Name         Untagged Ports    Tagged Ports
   1     Default VLAN         1-7                    1,8
  10     IOT_N_MEDIA                                 1,8
PVID = 1 for all ports, so VLAN 1 is default.



4) Netgear R7000 router running DD-WRT at 192.168.1.2:
The cable from port above goes into the WAN-port of the R7000-router, but under Setup/Basic Setup: WAN Connection type: Disabled, WAN port assigned to switch. Also, DHCP Type: "DHCP Forwarder" to 192.168.1.1. Under Services: Dnsmasq is "disabled" and also under "Networking", there are no "Multiple DHCP Server"-settings, as I want the Asus-router to deal with all of that, on all VLANs (and it already works nicely for the physical ports, but *not* for wl0.2)...

Some config-stuff:
Code:
# nvram show | grep vlan.*ports | sort && echo '-' && nvram show | grep port.*vlans | sort && echo '-' && nvram show | grep vlan.*hwname | sort
size: 41188 bytes (24348 left)
vlan10ports=0t 5
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
vlan3ports=3 5
-
size: 41188 bytes (24348 left)
port0vlans=1 10 16 18 19 21
port1vlans=10 18 19 21
port2vlans=10 18 19 21
port3vlans=10 18 19 21
port4vlans=1 18 19 21
port5vlans=1 10 16
-
size: 41188 bytes (24348 left)
vlan10hwname=et0
vlan1hwname=et0
vlan2hwname=et0
vlan3hwname=et0


Now we have arrived at the point where something must be wrong - and I don't know exactly what is wrong. Is the trunk port correct (VLAN1 and VLAN10 on the WAN port)? Can anyone try to explain why I cannot connect to any of the SSIDs anymore?

I've tried to set e.g. "vlan1ports=0t 1 2 3 4 5*" and deleting vlan2ports and vlan3ports, but that just made things worse as nothing responded then (I think vlan2ports is some important internal stuff?). To show a bit more:
Code:
root@r7000:~# brctl show
bridge name   bridge id      STP enabled   interfaces
br0      8000.9c3dcf8b8706   no      eth1
                     eth2
                     vlan1
                     vlan2
                     wl0.1
                     wl0.2
                     wl1.1

So, I have a huge problem with internet access. First I tried fixing the wl0.2-interface (I get incorrect password, timeout error messages for all SSIDs). I want the devices connected to wl0.2, to be part of VLAN 10... I tried to create "br1":
Code:
root@r7000:~# brctl addbr br1
root@r7000:~# brctl delif br0 wl0.2
root@r7000:~# brctl addif br1 wl0.2
root@r7000:~# brctl addif br1 vlan10

root@r7000:~# brctl show
bridge name   bridge id      STP enabled   interfaces
br0      8000.9c3dcf8b8706   no      eth1
                     eth2
                     vlan1
                     vlan2
                     wl0.1
                     wl1.1
br1      8000.9c3dcf8b8705   no      vlan10
                     wl0.2
But it doesn't work, I'm stuck... No matter which of the SSIDs I try, I get either "no internet access", "Incorrect password" or it just times out with an error about that... I've checked the password, it's correct, so some of the data packets must be blocked. But the VLAN-setup cannot be completely incorrect as the physical ports work ok? Or maybe I cannot block br1 from access to br0 or something?

If anyone can help with an explanation, has a clue or any ideas about how to solve this, I would be grateful for any help that leads to a solution, thanks!
bkaskar
DD-WRT Novice


Joined: 15 Feb 2019
Posts: 20

PostPosted: Mon Sep 23, 2019 14:56    Post subject:
Hi newsboost,
You need to mention the build num/firmware used in your setup for Netgear.

vlan10ports=0t 5
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
vlan3ports=3 5 < you want VLAN3 on port 3

port0vlans=1 10 16 18 19 21
port1vlans=10 18 19 21 < shouldn't VLAN1 and VLAN3 also come along on this?
port2vlans=10 18 19 21
port3vlans=10 18 19 21 < then why do you untag VLAN10 here?
port4vlans=1 18 19 21
port5vlans=1 10 16 < VLAN3 also needs to go to CPU

Next - I don't see you assigning br1 with 192.168.10.*
With those above fixed, try the wlconf restart workaround and it should work.
I do not have RT AC87, or Netgear R7000 but I do have AC68U and AC5300 from Asus with Netgear and Trendnet switches and the setup works for 68U with 5 VLANs on Kong's 36690M.

Also, you don't really need to run your scripts (even if you have posted and showed what works) you can do it all on RT AC87U from DD-WRT Web UI Vlan.asp, Networking.asp, and Services.asp (breaking out vlan 10, assigning to br1, adding dhcp-options in order in the above pages).

HTH.
-bkaskar
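A consistency check for the two nvram families reviewed above, as an added example (not code from the thread or from DD-WRT): it parses the vlan*ports and port*vlans values newsboost posted and reports the same kind of switch-side/port-side mismatches bkaskar points out, which matter because a port that is a member of a VLAN on one side only will not isolate traffic the way the IoT segmentation intends. It assumes that values of 16 and above in port*vlans are flags rather than VLAN ids and that 16 means tagged (the reading used in the thread); 18, 19 and 21 are carried but not interpreted.

```python
"""Consistency check for DD-WRT/Broadcom switch VLAN nvram variables.

Added example; not code from the forum thread or from DD-WRT. It cross-checks
the two nvram families the thread debates:
  vlanNports = "<port>[t|u|*] ..."  switch-side view: ports belonging to VLAN N
  portNvlans = "<vlan|flag> ..."    port-side view: VLANs (and flags) of port N
Assumptions: values >= 16 in portNvlans are flags, not VLAN ids, and 16 means
"tagged" (the reading used in the thread); other flags are carried but ignored.
"""
import re

FLAG_MIN = 16      # assumption: portNvlans values >= 16 are flags
FLAG_TAGGED = 16   # per the thread: 16 = frames leave this port tagged

# Constructed sample: the R7000 nvram dump posted earlier in the thread.
SAMPLE_NVRAM = """\
size: 41188 bytes (24348 left)
vlan10ports=0t 5
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
vlan3ports=3 5
-
port0vlans=1 10 16 18 19 21
port1vlans=10 18 19 21
port2vlans=10 18 19 21
port3vlans=10 18 19 21
port4vlans=1 18 19 21
port5vlans=1 10 16
"""

VLANPORTS_RE = re.compile(r"^vlan(\d+)ports=(.*)$")
PORTVLANS_RE = re.compile(r"^port(\d+)vlans=(.*)$")
MEMBER_RE = re.compile(r"^(\d+)([tu*]?)$")


def parse_nvram(text):
    """Return (vlan_ports, port_vlans).

    vlan_ports: {vlan_id: {port: marker}} with marker in '', 't', 'u', '*'
    port_vlans: {port: (set_of_vlan_ids, set_of_flags)}
    Lines that are neither vlan*ports nor port*vlans (size banner, '-') are skipped.
    """
    vlan_ports, port_vlans = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = VLANPORTS_RE.match(line)
        if m:
            members = {}
            for tok in m.group(2).split():
                pm = MEMBER_RE.match(tok)
                if not pm:
                    raise ValueError("unparsable vlanports member: %r" % tok)
                members[int(pm.group(1))] = pm.group(2)
            vlan_ports[int(m.group(1))] = members
            continue
        m = PORTVLANS_RE.match(line)
        if m:
            nums = [int(t) for t in m.group(2).split()]
            port_vlans[int(m.group(1))] = (
                {n for n in nums if n < FLAG_MIN},
                {n for n in nums if n >= FLAG_MIN},
            )
    return vlan_ports, port_vlans


def check_consistency(vlan_ports, port_vlans):
    """Return a list of human-readable mismatches (empty list = consistent)."""
    findings = []
    # 1) Every switch-side membership must be mirrored on the port side,
    #    and a tagged member must carry the tagged flag on its port.
    for vlan, members in sorted(vlan_ports.items()):
        for port, marker in sorted(members.items()):
            vlans, flags = port_vlans.get(port, (set(), set()))
            if vlan not in vlans:
                findings.append("vlan%dports lists port %d but port%dvlans lacks VLAN %d"
                                % (vlan, port, port, vlan))
            elif marker == "t" and FLAG_TAGGED not in flags:
                findings.append("vlan%dports tags port %d but port%dvlans lacks flag %d"
                                % (vlan, port, port, FLAG_TAGGED))
    # 2) Every port-side membership must exist on the switch side.
    for port, (vlans, _flags) in sorted(port_vlans.items()):
        for vlan in sorted(vlans):
            if port not in vlan_ports.get(vlan, {}):
                findings.append("port%dvlans lists VLAN %d but vlan%dports lacks port %d"
                                % (port, vlan, vlan, port))
    return findings


def check_nvram_text(text):
    """Parse an `nvram show` excerpt and return its consistency findings."""
    return check_consistency(*parse_nvram(text))


if __name__ == "__main__":
    # On the router: nvram show | grep -E 'vlan.*ports|port.*vlans' > dump.txt
    for finding in check_nvram_text(SAMPLE_NVRAM):
        print(finding)
```

On the sample dump it reports that ports 1 to 3 are in vlan1ports but list only VLAN 10 on the port side, that VLAN 3 is set on port 3 without the port knowing it, and that port 0 claims VLAN 1 without being a member of vlan1ports.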
newsboost
DD-WRT Novice


Joined: 05 Jul 2018
Posts: 43

PostPosted: Tue Sep 24, 2019 0:30    Post subject:
bkaskar wrote:
Hi newsboost,
You need to mention the build num/firmware used in your setup for Netgear.
Hi bkaskar, it's "DD-WRT v3.0-r39960M kongac (06/08/19)". Damn, I just read https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1177512#1177512:
Quote:
The final issue, as I've seen a good few times around this forum, is that I can't get the VAPs talking to the VLANs
- I'm trying to make wl0.1 (VAP) integrate with VLAN 10, maybe it's the same/similar issue? I'll look at the solutions in that thread tomorrow... My other comments, until then:
Quote:
vlan10ports=0t 5
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
vlan3ports=3 5 < you want VLAN3 on port 3
Actually VLAN3 is a leftover from previous experiments - you can disregard everything with VLAN3, it has no influence on what I'm trying. I've tried to delete this many times, but I think the GUI keeps recreating it and I've been too lazy to reconfigure all from a factory reset. But I have changed things a bit - because the WAN port on R7000 (I think) is port 0 and it should be tagged with VLAN1 and VLAN10, so I now have:
Code:
vlan10ports=0t 1 2 3 5
vlan1ports=0t 4 5*
vlan2ports=0 5u
It's the same problem with VLAN2, I think the GUI keeps recreating it and it's a bit annoying to look at (I would prefer more "clean nvram settings", but have to live with this as something keeps re-generating the variables, I think)...

Quote:
port0vlans=1 10 16 18 19 21
port1vlans=10 18 19 21 < shouldn't VLAN1 and VLAN3 also come along on this?
port2vlans=10 18 19 21
port3vlans=10 18 19 21 < then why do you untag VLAN10 here?
port4vlans=1 18 19 21
port5vlans=1 10 16 < VLAN3 also needs to go to CPU
Again, please disregard the vlan3-stuff. I've untagged VLAN10 on 3 of the switch ports, so they become access ports. This means the devices I connect to these ports will have VLAN 10-tags inserted to the data packets - and it works! My problem is the wireless stuff didn't work. Now, for the first time however it "semi-works" (not like I want, but now I can at least have wireless devices at VLAN 1:192.168.1.xx and use the switches ports for VLAN 10/192.168.10.xx, earlier either nothing worked, or only the cabled ports for VLAN 10). I changed the last line into:
Code:
port5vlans=1 10 16 18 19 21
... because I found a post where somebody did this. I don't understand the difference - as port 5 should be the internal cpu of the R7000, I think. Will this change make a difference? I'm not sure. I also found out I have the router in "gateway"-mode (Setup -> Advanced Routing -> "Operating Mode" : Now I changed it to "router", which I think is more correct).

Quote:
Next - I don't see you assigning br1 with 192.168.10.*
with those above fixed, try the wlconf restart workaround and it should work.
My idea is the main router should be the only DHCP server. So you can see the configuration of dnsmasq.conf in my original post (under the first device, my Asus RT-ACU87U router) - and remember that this configuration DOES work for the devices I plug into the R7000 access ports, these will belong to VLAN 10 and get the proper 192.168.10.xxx IP address... My problem is the wireless interfaces, they do *not* work with VLAN 10 for some reason and nothing works when I try to create a new bridge, br1, and add VLAN 10 and wl0.1 devices... It's a great idea with wlconf restart, I didn't know that before you wrote it - I assume I just type
Code:
stopservice nas; stopservice wlconf; startservice wlconf; startservice nas
...
Quote:
I do not have RT AC87, or Netgear R7000 but I do have AC68U and AC5300 from Asus with Netgear and Trendnet switches and the setup works for 68U with 5 VLANs on Kong's 36690M.
I also think this would be much easier for me if I only had a single router to set up. But this is a system of 4 devices, as described in my initial post - all 4 devices have to be configured correctly and that's also why I start with something "simple" with only 2 VLANs, i.e. VLAN 1 and VLAN 10...
Quote:
Also, you don't really need to run your scripts (even if you have posted and showed what works) you can do it all on RT AC87U from DD-WRT Web UI Vlan.asp, Networking.asp, and Services.asp (breaking out vlan 10, assigning to br1, adding dhcp-options in order in the above pages).
I think I know what you mean, that I can do things entirely with the GUI. But I've tried it and nothing I do with the "br1" bridge works... So I'm also asking if someone maybe understands/knows why I cannot get any wireless devices to work with VLAN 10. I make a "br1" bridge and add VLAN10 and add wl0.1 - and I would assume this should work. But it doesn't. Is it because packets first have to go through 2 switches before arriving at the DHCP server, and then other packets have to go back again through their respective VLANs, and then something happens that maybe blocks VLAN 10 packets so I receive "wrong password" prompts, timeouts and similar errors... Thanks for your help and ideas...
bkaskar
DD-WRT Novice


Joined: 15 Feb 2019
Posts: 20

PostPosted: Tue Sep 24, 2019 17:48    Post subject:
Hello again,
Your RT AC87 or Switches are not the problem. It is only about your Netgear7000 setup.

Try the following (all changes not one-by-one):
When in AP mode (you were right about the Gateway to Router change, I forgot to mention it but it's been in the wiki for years so I assumed you may have noticed).
* When in AP mode, I get your curiosity for using up the WAN port. But do not use it as the incoming tagged traffic port from your main router/setup. Use Port 1 (or any other port on the 4 port switch hardware lan side) for the tagged traffic.

* Use port 3 or another lan port (not WAN port) on VLAN10 and bridge it with VAP wl0.1
Leave the Vlan 1 and 2 entries as is

* Clean up your VLAN3 from port 3

* Leave the following AS IS
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u

* I know there is t for tagging and u for untagging but don't use those for this testing.. assuming you are using port 3 as suggested.
nvram set "vlan10ports=3 5"

*Since you are now bringing network using phy lan port 1 of your router leaving the wan port as is.. change this
nvram set port0vlans=2 (this used to be the default I suppose)
nvram set "port1vlans=1 10 18 19 21 16"
nvram set "port3vlans=10 18 19 21"

* Generally the bridge does not need an IP and should work with a network i.e 192.168.10.16 255.255.255.248 where .16 is a network address not an assignable IP. but please assign it an ip from your vlan10 say 192.168.10.19 both your port 3 and wl0.1 should get an address block.

2 things above, don't forget nvram commit and as starters do not create iptables buckets for br1 just ACCEPT all. Once you get the connection going get your guard up.

HTH
-bkaskar
newsboost
DD-WRT Novice


Joined: 05 Jul 2018
Posts: 43

PostPosted: Wed Sep 25, 2019 8:13    Post subject:
bkaskar wrote:
Hello again,
Your RT AC87 or Switches are not the problem. It is only about your Netgear7000 setup.
I agree, that's also why I posted the question here, I think there are many clever R7000-users here...
Quote:
Try the following (all changes not one-by-one):
When in AP mode (you were right about the Gateway to Router change I forgot to mention but its in wiki for years so I assumed you may have noticed).
* When in AP mode, I get your curiosity for using up the WAN port. But do not use it as the incoming tagged traffic port from your main router/setup. Use Port 1 (or any other port on the 4 port switch hardware lan side) for the tagged traffic.
Are you sure using the WAN port is a problem, and why, if I may ask? To begin with I had "Setup -> Basic Setup -> Internet Connection Type -> Connection Type" = "Automatic configuration (DHCP)". But now I've changed it to "Disabled" and, a bit further down this page, "Assign WAN Port to Switch". Anyway, I'm desperate to make it work and have tried what you suggested, I'll explain below...
Quote:
* Use port 3 or another lan port (not WAN port) on VLAN10 and bridge it with VAP wl0.1
Leave the Vlan 1 and 2 entries as is
I understand VLAN2 was something in gateway mode, where the WAN-side was VLAN2... For a router in "router"-mode, is it not safe to delete VLAN2 if I don't use it? I must also add that earlier, just until today "Setup -> Networking -> Port Setup -> (in the top of this section): WAN Port Assignment =?, it was earlier VLAN2. Then now I changed it "disabled" and the setting disappeared. Is it correct to have this disabled or should it be VLAN 1 or something else? I'm not sure if this setting had an impact on anything or not, as earlier VLAN 10 and VLAN 1 at least worked from all the switch ports... I'll explain more below...
Quote:
* Clean up your VLAN3 from port 3

* Leave the following AS IS
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u

* I know there is t for tagging and u for untagging but don't use those for this testing.. assuming you are using port 3 as suggested.
nvram set "vlan10ports=3 5"
This puzzles me a bit: Port 3 cannot be both VLAN 10 and VLAN 1, shouldn't it instead be "vlan1ports=1 2 4 5*", so you remove port 3 from VLAN 1 and add it to VLAN 10 with the last command "vlan10ports=3 5"? If not, why is this port both VLAN 1 and VLAN 10 and which IP address will it get, 192.168.1.xx or 192.168.10.xx? What will define that with your configuration, how should the router know what to do? That I don't understand...
Quote:
*Since you are now bringing network using phy lan port 1 of your router leaving the wan port as is.. change this
nvram set port0vlans=2 (this used to be the default I suppose)
nvram set "port1vlans=1 10 18 19 21 16"
nvram set "port3vlans=10 18 19 21"

This I understand. The trunk port will carry both VLAN1 and VLAN10. I haven't seen the number 16 in the end (I normally sort the numbers), but I suppose it's valid, I understand the 16 means to tag the packets...
Quote:
* Generally the bridge does not need an IP and should work with a network i.e 192.168.10.16 255.255.255.248 where .16 is a network address not an assignable IP. but please assign it an ip from your vlan10 say 192.168.10.19 both your port 3 and wl0.1 should get an address block.

What does it mean that .16 is a network address, but not an assignable IP? Doesn't it mean that I cannot have another device use the .16 IP address? I normally assign the bridge for VLAN 10 as 192.168.10.1. Is this incorrect? Why do you choose .16 (in my case 192.168.10.16)? Anyway, this hasn't really worked for me earlier. I've actually spent around 3 hours now: I had saved the configuration, began to do all you proposed, had no luck, tried to restore to the last working configuration - and for some reason suddenly things didn't work although I restored using the backup/restore menu option. What also happened to me is that yesterday on my work PC, suddenly it wasn't working and I couldn't boot as it said it was/is missing /boot/vmlinuz, and today I'm really busy. It means I'll have to revert back and repeat your suggestions, maybe tomorrow or at least within 2 days. Also, I figured out that I don't want to do all my experiments with a virtual wireless AP (Wireless -> Basic Settings -> Virtual Interfaces), so now I removed the VAP and changed the SSID of the physical interface wl0, so next time when I have a few hours I'll try to bridge this instead. Also, I think I'll do a factory reset and start from scratch with your latest suggestion - also because the "restore settings" didn't work. I suspect something is very wrong + it'll be good practice to start all over from scratch and repeat your latest suggestion. After this, I'll get back to you with results...
Quote:
2 things above, don't forget nvram commit and as starters do not create iptables buckets for br1 just ACCEPT all. Once you get the connection going get your guard up.
I agree with empty iptables, but I think this will be handled by "Security / Firewall Protection / SPI Firewall: All disabled" - I did check the nat and filter table and they looked ok... Thanks a lot for your valuable help, bkaskar, I have to get back to you within 1-2 days with more info as I have too many things to do today...
bkaskar
DD-WRT Novice


Joined: 15 Feb 2019
Posts: 20

PostPosted: Thu Sep 26, 2019 2:06    Post subject:
Hi newsboost,
I understand, even I myself am not a regular. In fact I joined the forum a few months ago even though I've used DD-WRT pretty much since the beginning when WRT54GS were a thing. I recently had a need to run my ASUS routers as APs with compartmentalized (VLAN) access, and things didn't work quite as well as before, so I came back to the forums. Anyway my 68U is working on the same firmware build r39960M kongac (06/08/19) with the WAN port on a separate VLAN, so I thought of suggesting to you what works.
newsboost wrote:

Are you sure using the WAN-port is a problem and why, if I may ask? To begin I had "Setup -> Basic Setup -> Internet Connection Type -> Connection Type" = Automatic configuration (DHCP)". But now I've changed it to "Disabled" and a bit further down this page, "Assign WAN Port to Switch".

I was not clear in my explanation. Using the WAN port is not a problem. This is something you are supposed to get by assigning the port to LAN. But using it as a trunk is not OK (at least I failed a few times before realizing that it's not necessary to have the first or last port of a switch as trunk). I should have clearly said: use LAN1 as trunk.

newsboost wrote:
I must also add that earlier, just until today "Setup -> Networking -> Port Setup -> (in the top of this section): WAN Port Assignment =?, it was earlier VLAN2. Then now I changed it "disabled" and the setting disappeared. Is it correct to have this disabled or should it be VLAN 1 or something else? I'm not sure if this setting had an impact on anything or not, as earlier VLAN 10 and VLAN 1 at least worked from all the switch ports... I'll explain more below...
bkaskar wrote:
* Clean up your VLAN3 ...

* Leave the ...

* I know ...
nvram set "vlan10ports=3 5"
This puzzles me a bit: Port 3 cannot both be VLAN 10 and VLAN 1, shouldn't it instead be: "vlan1ports=1 2 4 5*", so you remove port 3 from VLAN 1 and add it to vlan 10 with the last command "vlan10ports=3 5"? If not, why is this port both VLAN 1 and VLAN 10 and which IP address will it get, 192.168.1.xx or 192.168.10.xx? What will define that, with you configuration, how should the router know what to do? That I don't understand...

Let me explain this and here's my setting
Code:

| DD-WRT v3.0-r39960M kongac (c) 2019 NewMedia-NET GmbH
| Release: 06/08/19
| Board: Asus RT-AC68U
End of banner message from server
Authenticating with public key "imported-openssh-key"

BusyBox v1.30.1 (2019-06-08 11:12:49 CEST) built-in shell (ash)

root@RTRDDWRT02:~# nvram show | grep vlan.*ports | sort
size: 40616 bytes (24920 left)
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
vlan3ports=2 5
vlan4ports=3 5
vlan5ports=4 5
vlan7ports=0 5
root@RTRDDWRT02:~# nvram show | grep port.*vlans | sort
size: 40616 bytes (24920 left)
port0vlans=7 18 19 21
port1vlans=1 3 4 5 7 8 16 18 19 21
port2vlans=3 18 19 21
port3vlans=4 18 19 21
port4vlans=5 18 19 21
port5vlans=1 3 4 5 7 8 16
root@RTRDDWRT02:~#

* VLAN1 here is used as the management VLAN so port 3 can be in both VLAN1 and VLAN10
* Then I suggested leaving VLAN2 (as you can see in my NVRAM settings, port 0 is used by VLAN2 as well as 7). Since port0vlans is set to 7 (it's like a PVID declaration) I get a 192.168.7.x address. So for you the same with VLAN10 should work. But if you read the Switched Ports page and look at the mapping illustration you'll see the WAN port is designed in the OS/driver in a way that if you try bridging it with a VAP or any other port on the LAN side you may only end up inviting more trouble. (That is just my opinion, and I could be wrong, but I anyway went ahead with using a LAN port with the VAP instead. I think this is another virtual layer over what Broadcom by default provides after all.) I just needed to use the WAN port off of the AP just like you, as it's possible. Just a different wired VLAN.

My VAPs are simply tied to ports 2 3 and 4
Code:

root@RTRDDWRT02:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.aabbccdd1290       no              eth1
                                                        eth2
                                                        vlan1
                                                        vlan2
br1             8000.aabbccdd1290       no              vlan7
br2             8000.aabbccdd1290       no              vlan8
br3             8000.aabbccdd1290       yes             vlan3
                                                        wl0.1
                                                        wl1.1
br4             8000.aabbccdd1290       yes             vlan4
                                                        wl0.2
                                                        wl1.2
br5             8000.aabbccdd1290       yes             vlan5
                                                        wl0.3
                                                        wl1.3

And it's working. At this time I have not confined them with firewall rules.
newsboost wrote:

This I understand. The trunk port will carry both VLAN1 and VLAN10. I haven't seen the number 16 in the end (I normally sort the numbers), but I suppose it's valid, I understand the 16 means to tag the packets...
bkaskar wrote:
* Generally the bridge does not need an IP and should work with a network i.e 192.168.10.16 255.255.255.248 where .16 is a network address not an assignable IP. but please assign it an ip from your vlan10 say 192.168.10.19 both your port 3 and wl0.1 should get an address block.

What does it mean that .16 is a network address, but not an assignable IP? Doesn't it mean that I cannot have another device use the .16 IP-address? I normally assign the bridge for vlan 10 as 192.168.10.1. Is this incorrect? Why do you choose .16 (in my case 192.168.10.16)?

That was just an example - if you have a network say 192.168.120.16/29 then you get 6 assignable addresses with 192.168.120.16 as network 192.168.120.23 as broadcast and everything in between assignable. didn't want to use the default 1-254 addressing space. and if you should/would assign an IP to your br1 of your VLAN.

newsboost wrote:
Also, I think I'll do a factory reset and start from scratch with your latest suggestion - also because the "restore settings" didn't work.
I think reset is a very good idea. Just run nvram erase && nvram commit just before uploading the firmware to be doubly sure that only fresh entries are there.

Which brings me to your last point:
newsboost wrote:
bkaskar wrote:
2 things above, don't forget nvram commit and as starters do not create iptables buckets for br1 just ACCEPT all. Once you get the connection going get your guard up.
I agree with empty iptables, but I think this will be handled by "Security / Firewall Protection / SPI Firewall: All disabled" - I did check the nat and filter table and they looked ok...
Since you run your custom init scripts, I believe they run after the firewall-disabled settings are configured by the firmware. I vaguely recall there was a script sequence somewhere or a certain order (service or rc scripts) but I'm not sure if that's still followed.

As you mentioned try starting fresh, with making changes in GUI Vlan.asp and manually adding the vlan.*ports port.*vlans and vlan.*hwname values. Then adding the br1 in Networking.asp. It will work.

Good Luck!
-bkaskar
newsboost
DD-WRT Novice


Joined: 05 Jul 2018
Posts: 43

PostPosted: Thu Oct 03, 2019 3:39    Post subject:
bkaskar wrote:
newsboost wrote:

Are you sure using the WAN-port is a problem and why, if I may ask? To begin I had "Setup -> Basic Setup -> Internet Connection Type -> Connection Type" = Automatic configuration (DHCP)". But now I've changed it to "Disabled" and a bit further down this page, "Assign WAN Port to Switch".

I was not clear in my explanation. Using WAN-port is not a problem. This is something you are supposed to get by assigning the port to lan. But using it as a trunk is not OK (At least I failed a few times before realizing that its not necessary to have the first or last port of a switch as trunk). I should have clearly said, Use LAN1 as trunk. Wink
Hi bkaskar. It's still not working. I tried a lot of things, including factory reset - am still on the same firmware version/build, though - it's still not working. Also now I'm using LAN port 4 instead of LAN port 1, I assume this isn't a problem as long as it isn't the WAN-port, which I started out using.

bkaskar wrote:
...[cut]
My VAPs are simply tied to ports 2 3 and 4
Code:

root@RTRDDWRT02:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.aabbccdd1290       no              eth1
                                                        eth2
                                                        vlan1
                                                        vlan2
br1             8000.aabbccdd1290       no              vlan7
br2             8000.aabbccdd1290       no              vlan8
br3             8000.aabbccdd1290       yes             vlan3
                                                        wl0.1
                                                        wl1.1
br4             8000.aabbccdd1290       yes             vlan4
                                                        wl0.2
                                                        wl1.2
br5             8000.aabbccdd1290       yes             vlan5
                                                        wl0.3
                                                        wl1.3

And its working. At this time I have not confined them with firewall rules.
It's frustrating that I cannot make it work. But you also use the same device as a DHCP-server, right? In my case I have the DHCP-server on another router, maybe this is the difference that I'm not dealing properly with. On the other hand, it works for the wired ports - just not the wl0.1 interface. I also found another thread suggesting I tried a patched wlconf-binary - https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1145042#1145042 - I tried, but it doesn't work in my case. Again, the DHCP-server is on another router, maybe this is the difference, I'm not sure...

Just to be sure we're doing exactly the same: In the GUI of the routers' webinterface (the Setup/Networking tab), let's look at your settings for br3. Under the "br3", "vlan3" and "wl0.1" what are your exact "Network Configuration"-settings? I suppose under "Bridge Assignment" you unbridge vlan3 and wl0.1 - in this case what is their IP address and subnet mask? I suppose you also set "Multicast forwarding", "Net Isolation" and "Forced DNS Redirection" to disabled...?

By the way, under Setup/VLANs, at the bottom of the page it says "Wireless=LAN" (just above the "Link Aggregation on Ports 3 & 4" setting). I tried several times to set "Wireless=None", but after around a minute, if I switch tabs and go back, it is set to "Wireless=LAN" again. I think this is incorrect, if by "LAN" it means br0 (192.168.1.xx). In my case I want wireless to be bridged with br1 (vlan10 + wl0.1) to get a 192.168.10.xx address, distributed by my primary router through two managed switches... I'm a bit afraid I'll never find the solution; it's a bit frustrating that things are so complicated. Also I can see there are no new Kong updates, so I'm considering maybe spending the extra money on a router where this is easier to set up and will work - or maybe things are easier/better with OpenWrt... Just my thoughts... Thanks a lot for your valuable help, although I haven't succeeded...
bkaskar
DD-WRT Novice


Joined: 15 Feb 2019
Posts: 20

PostPosted: Fri Oct 04, 2019 4:38    Post subject: Reply with quote
newsboost wrote:
Hi bkaskar. It's still not working. I tried a lot of things, including factory reset - am still on the same firmware version/build, though - it's still not working.
bkaskar wrote:
...[cut]
My VAPs are simply tied to ports 2 3 and 4

Have you tried it?

newsboost wrote:
Also now I'm using LAN port 4 instead of LAN port 1, I assume this isn't a problem as long as it isn't the WAN-port, which I started out using.
That definitely is not/shouldn't be the issue.
Also from my previous post:

port2vlans=3 18 19 21
port3vlans=4 18 19 21
port4vlans=5 18 19 21

then
bkaskar wrote:
root@RTRDDWRT02:~# brctl show
Code:

bridge name     bridge id               STP enabled     interfaces
br3       8000.aabbccdd1290       yes      vlan3
                                           wl0.1
                                           wl1.1
br4       8000.aabbccdd1290       yes      vlan4
                                           wl0.2
                                           wl1.2
br5       8000.aabbccdd1290       yes      vlan5
                                           wl0.3
                                           wl1.3


Notice the wired ports are separately assigned to these VLANs. (Even you said you get an IP on the wired port on VLAN10 on your access point.)

newsboost wrote:

In my case I have the DHCP-server on another router, maybe this is the difference that I'm not dealing properly with. On the other hand, it works for the wired ports - just not the wl0.1 interface.
I have the same; my router is a pfSense instead of your AC87U.


newsboost wrote:
Just to be sure we're doing exactly the same: In the GUI of the routers' webinterface (the Setup/Networking tab), let's look at your settings for br3. Under the "br3", "vlan3" and "wl0.1" what are your exact "Network Configuration"-settings? I suppose under "Bridge Assignment" you unbridge vlan3 and wl0.1 - in this case what is their IP address and subnet mask? I suppose you also set "Multicast forwarding", "Net Isolation" and "Forced DNS Redirection" to disabled...?

I'm only running a home network with regular home stuff (TV, VoIP, laptops, phones, tablets), then comes security and smart home, some Chinese cameras, my IoT stuff and my Tesla.. so I do not want either to interact with another, and want lots of VAPs but at higher subnet masks. None of my VLANs go below /28.

newsboost wrote:
By the way, under Setup/VLANs, in
the bottom of the page it says "Wireless=LAN" (just above the "Link Aggregation on Ports 3 & 4"-setting). I tried several times to set "Wireless=None" but after around 1 minute or so, if I switch tabs and go back it keeps setting "Wireless=LAN".
Never had to change these settings. Although, at one point when my stuff wasn't working, I found the same thing happening.

newsboost wrote:
.... if by "LAN" it means br0 (192.168.1.xx). In my case I want wireless to be bridged with br1 (vlan10 + wl0.1) to get an 192.168.10.xx-address, distributed by my primarily router through two managed switches...
Forgive me if I keep going back to my other setup that I have been trying for more than a month now. I must have failed at least as many times as you, if not more, with my RT-AC5300. I find the whole br0, br1 implementation here is buggy; some of it works with the web UI and some doesn't. Then the et1 vs et0 naming: if vlan.*hwname is set as et1, why is the VLAN created on eth0 and not eth1? In my case I see both eth0 and eth1 always have the same MAC, regardless of which build I use, while eth2 and eth3 have the next octet. And CPU ports 5 and 7. If you look at Merlin, port 8 is the CPU port. I've tried new, old, BS, Kong, pretty much all that's available here.. so yeah, it is a bit frustrating.

But let's try to fix your issue, because as we both know we have the same (that reminds me: what is your hardware revision on the AC68U? Mine is one of the first released US versions; it even got RMA'd, so the one that came back doesn't have the small square sticker).
Make sure you use VLAN10 on LAN side of Wired ports. First try with just one wired port assigned to 10 and bridge it with wl0.1.

newsboost wrote:
Also I can see there are no new Kong's updates, I'm considering maybe spending the extra money on a router where this is easier to setup and will work
There is one from July, but that has not worked yet on my RT-AC5300 either. However, in one of my latest configs, when I decided to take one step at a time and test it fully, I got the same result as you. The wired port would get the VLAN (unbridged) as long as I don't bridge a VAP with it. So it may very well be a bug.


newsboost wrote:
or maybe things are easier/better with openwrt...

I won't get my hopes high. I switched to DD-WRT only because there was more support (back in 2007 when the first SD-card hack came up on the WRT54G v2/GS v1).. then again had some interaction with the NSLU, but not after that... but hey, you never know! (Now I have to look up where they are at.)

Anyway, take a look at the attached images...
So,
1. For now only use VLAN10 on LAN side.
2. Bridged is OK (as you can see in the images)
3. Don't worry about my mask you can go with /24
4. May be assign just one wired port to Vlan 10 to replicate my case.. and then extend.

Good Luck!



[Attachment: Networking.png - Switch Config]

[Attachment: VLANs.png - Port Assignments]


newsboost
DD-WRT Novice


Joined: 05 Jul 2018
Posts: 43

PostPosted: Sun Oct 06, 2019 23:14    Post subject: Reply with quote
bkaskar wrote:
newsboost wrote:
Hi bkaskar. It's still not working. I tried a lot of things, including factory reset - am still on the same firmware version/build, though - it's still not working.
bkaskar wrote:
...[cut]
My VAPs are simply tied to ports 2 3 and 4

Have you tried it?
Yes, I've tried tying to ports and just tying to vlan10, including a lot of other things. Nothing works, except if I change the switch settings as follows (untagging port 8, so that VLAN 10 is everything from the DD-WRT R7000 router, because it is connected to port 8, eth8, on the switch):
Code:
VID   VLAN Name   Untagged VLAN Ports              Tagged VLAN Ports
1                 eth2,eth3,eth4,eth5,eth6,eth7    eth1
10    IOT_MEDIA   eth8                             eth1
If I do this - and use the web UI of the Netgear R7000 router to untag all traffic (stop using a trunk port) - everything on that router will be VLAN10, as seen from my other devices and my main router. This is nice, so I at least have a partially working solution - in other words: now everything, wired as well as wireless, becomes VLAN 10. The IP addresses of devices are 192.168.10.xx, both wired and wireless. But it would be much better to be able to use different VLANs on the DD-WRT/R7000 router... I've spent countless hours and still can't find the solution. After this small test, I went back to this:
Code:
VID   VLAN Name   Untagged VLAN Ports              Tagged VLAN Ports
1                 eth2,eth3,eth4,eth5,eth6,eth7    eth1,eth8
10    IOT_MEDIA                                    eth1,eth8
It's painful that I cannot make wl0.1 be part of VLAN 10... I'm so tired of this - and of spending so many hours trying different things - that I got rid of Kong's firmware and changed to BrainSlayer's DD-WRT v3.0-r41218 (10/01/19). I hoped this would change something, but it's still the same. This indicates I'm doing something wrong (2 firmware versions not working)...

bkaskar wrote:
...[cutting a part of the conversion - but thanks a lot, I've learned something but still am struggling]

But let's try to fix your issue because as we both know that we have the same (that reminds me-what is your Hardware Revision on AC68U? Mine is one of the first released US versions it even got RMA'd so the one came back doesn't have the small square sticker).
We have a very similar setup, but not completely the same. As main router I have the Asus RT-AC87U. Then 2 managed switches. Then a Netgear R7000 router (and not the AC68U), which I think many people also use in here (that's why I bought it; however, I also think many people in here use the AC68U)... So I'm not sure what hardware revision I have, or if you're still interested in knowing for the Netgear R7000? The chip is a Broadcom BCM4709, now running DD-WRT v3.0-r41218 std (10/01/19)...
bkaskar wrote:
Make sure you use VLAN10 on LAN side of Wired ports. First try with just one wired port assigned to 10 and bridge it with wl0.1.
Actually, I recently stopped trying to assign VLAN10 to a physical port, because I know it's only br1, or more specifically only the wl0.1 interface, that's causing a lot of problems for me... So now I only try to bridge wl0.1 and VLAN10; if that works, I believe bridging to a physical port should also work. It puzzles me what is causing the problem with not being able to get an IP address (the WiFi connection times out, tries to reconnect several times and eventually fails, or just says the WiFi password is incorrect, which it isn't)... I don't even get an IP address when trying to bridge VLAN10 with wl0.1... Really frustrating.
bkaskar wrote:
newsboost wrote:
Also I can see there are no new Kong's updates, I'm considering maybe spending the extra money on a router where this is easier to setup and will work
There is one from July but that has not worked yet on my RT AC5300 either. However in one of my latest configs when I decided to take one step at a time and test it fully. I got the same result as you. Wired port would get vlan (unbridged) as long as I don't bridge a VAP with it. So it may be a bug very well.
I'm thinking, maybe I need to downgrade and maybe use Brainslayer's builds now, where Kong has removed the downloads (I saw a mirror, but still, maybe the future is now with Brainslayer builds what will be updated)... Or maybe I just have to live with everything on VLAN 10 on that router, until I eventually buy a new router which hopefully deals with VLANs better...
bkaskar wrote:
newsboost wrote:
or maybe things are easier/better with openwrt...

I won't get my hopes high, I switched to DD-WRT only because there was more support (back in 2007 when first SD-Card hack came up on WRT54Gv2/GSv1).. then again had some interaction with NSLU but not after that... but hey, you never know! (now, I've to look up where they are at)

Anyway, take a look at the attached images...
So,
1. For now only use VLAN10 on LAN side.
2. Bridged is OK (as you can see in the images)
3. Don't worry about my mask you can go with /24
4. May be assign just one wired port to Vlan 10 to replicate my case.. and then extend.

Good Luck!
I did everything as in your screenshots - thanks a lot for sharing... But it's still like something is not working the exact minute I try to bridge VLAN10 and wl0.1... I can't connect to that SSID after bridging into br1... Just to be completely sure: you have DNSMasq disabled (under the "Services" tab), right? You don't have any static routes or iptables commands on the last router?

OOOOOOOOOOOOOOOOHHHHhhhhhhh..... Hang on... I just found https://wiki.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_each_with_Wireless_and_Internet, namely the "Notes for Getting Encryption Working on the Virtual WiFi Interface" - and I believed this was *EXACTLY* my problem:
Quote:
Everything appeared to be working until I enabled encryption on the virtual interface.

I discovered that the encryption agent, the nas daemon was started with the following options:

nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br0 -i wl0.1 -A -m 132 -k <passwd> -s <SSID> -w 6 -g 3600

Where <passwd> is your WPA PSK, and <SSID> is the SSID you want for the virtual WiFi interface.

The issue is that nas is using the wrong bridge interface. It should be using br1.
So I first tried:
Code:
# kill $( cat /tmp/nas.wl0.1lan.pid ); nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1 -A -m 128 -k secretPassWordHere -s SSIDVLAN10 -w 4 -g 3600
... but it wasn't the solution. Next I tried the following command, which I also added to my startup script in /jffs/etc/config/myscript.startup:
Code:
stopservice nas; wlconf eth1 down; wlconf eth1 up; wlconf eth2 down; wlconf eth2 up; startservice nas
I could see that, for the first time, I can actually connect to the SSID for wl0.1! However, there's no internet access... I can ping all the wireless devices, so at least something now works! I'm very happy about that (currently br1 contains vlan10 and wl0.1); my wireless devices obtain the correct IP address in the 192.168.10.xx segment, but there's no internet access... It's a bit strange there's no internet access, because if I plug a cable directly into one of the main router's ports it obtains a 192.168.10.xx IP address and I can also browse the internet...

It's a big step in the right direction now! I'll try a bit more tomorrow; hopefully I'll figure out what the last step is to also get internet access. This is the result of around 10-15 hours of testing since your last post, so I am a bit tired now and am also behind with other tasks, as I've spent too much time on this (but am very happy I'm making a bit of progress now).

UPDATE: It seemed that after a reboot the router apparently "forgot" the "nvram set vlan10hwname=et0" command; after adding this, I've got internet connectivity on VLAN10 - hooray! Will do some more testing tomorrow; currently it seems, for the first time, that things are working nicely. Gosh, that was a hard battle with this stupid router. I'm really happy (and grateful) that somebody posted that incredibly important command line "stopservice nas; wlconf eth1 down; wlconf eth1 up; wlconf eth2 down; wlconf eth2 up; startservice nas" that seemed to fix the most important problem here...

However, it's not all good - now 5-10 minutes have passed and again I cannot connect to wl0.1. Maybe I need to run that "stopservice" stuff again - but hopefully not every 5-10 minutes... I need to test more, reboot the router etc. Thanks a lot, bkaskar, I wouldn't have struggled so hard and spent so many hours if you hadn't helped with suggestions/ideas. However, I can see that things still aren't completely OK... 5-10 minutes is too short...
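The wiki note quoted above says the symptom is nas (the WPA authenticator on these Broadcom builds) being started with -l br0 for a VAP that actually lives in br1. Before cycling wlconf/nas blindly, it is worth confirming that diagnosis on the box. The script below is an added example, not code from this thread, the wiki or DD-WRT: it parses a process list and a brctl show table (both constructed here to mirror the layout in the thread, not captured from a real router) and reports every nas instance whose -l bridge differs from the bridge that really contains its -i interface. The variable names and the assumption that the inputs come from "ps w" and "brctl show" are mine.

```sh
#!/bin/sh
# Added example for this thread (not code from the posts or from DD-WRT):
# for every running "nas" instance compare the bridge it was told to use (-l)
# with the bridge that actually contains the VAP it protects (-i), as listed
# by brctl show. A mismatch is the condition the wiki note describes: nas
# serving wl0.1 with "-l br0" while wl0.1 is a member of br1.
#
# Assumptions (mine, not the thread's): process list from "ps w", bridge
# table from "brctl show". Both samples are constructed, not captured.

SAMPLE_PS=' 1234 root  nas -P /tmp/nas.lan.pid -H 34954 -l br0 -i eth1 -A -m 128 -k pw1 -s MainSSID -w 4 -g 3600
 1235 root  nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br0 -i wl0.1 -A -m 128 -k pw2 -s SSIDVLAN10 -w 4 -g 3600
 1236 root  nas -P /tmp/nas.wl0.2lan.pid -H 34954 -l br2 -i wl0.2 -A -m 128 -k pw3 -s Guest -w 4 -g 3600'

SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.aabbccdd1290       no              eth1
                                                        vlan1
br1             8000.aabbccdd1290       no              vlan10
                                                        wl0.1
br2             8000.aabbccdd1290       no              wl0.2'

# bridge_of IFACE BRCTL_OUTPUT: print the bridge that has IFACE as a member.
bridge_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 { next }                  # column header
        NF >= 4 { br = $1; member = $NF } # first member is on the bridge line
        NF == 3 { member = "" }           # bridge with no members at all
        NF == 1 { member = $1 }           # further members, one per line
        member == want { print br; exit }'
}

# nas_mismatches PS_OUTPUT BRCTL_OUTPUT: one line per misbound nas instance,
# "<vap> <bridge nas uses> <bridge that really contains the vap>".
nas_mismatches() {
    printf '%s\n' "$1" | awk '
        / nas / {
            l = ""; i = ""
            for (k = 1; k <= NF; k++) {
                if ($k == "-l") l = $(k + 1)
                if ($k == "-i") i = $(k + 1)
            }
            if (i != "" && l != "") print i, l
        }' |
    while read -r vap nasbr; do
        real=$(bridge_of "$vap" "$2")
        if [ -n "$real" ] && [ "$real" != "$nasbr" ]; then
            printf '%s %s %s\n' "$vap" "$nasbr" "$real"
        fi
    done
    return 0
}

# Stand-alone run against the constructed samples.
nas_mismatches "$SAMPLE_PS" "$SAMPLE_BRCTL" |
    while read -r vap nasbr real; do
        echo "nas for $vap is bound to $nasbr but $vap sits in $real"
    done
```

On the router itself the two samples would be replaced by "$(ps w)" and "$(brctl show)". If the check reports wl0.1 bound to br0 while brctl puts it in br1, that is the wiki's case; if it reports nothing and clients still cannot associate, the -l argument is not the problem and the wlconf down/up cycle from this post is the thing to look at.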
newsboost
DD-WRT Novice


Joined: 05 Jul 2018
Posts: 43

PostPosted: Mon Oct 07, 2019 23:09    Post subject: Reply with quote
Hi bkaskar (or anyone else):

We have a primary router dealing with DHCP requests from all VLANs, and traffic passing through VLAN-capable managed switches before arriving at a secondary router: what are your firewall settings on the secondary router, if I may ask?
Because in my case, I don't have internet access on the secondary router with my wireless devices (wl0.1 attached to VLAN10 and br1) until I do:
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
... which I also think is strange, because "get_wanface" gives br0 and not br1...?

So, I think this command is incorrect (and replacing get_wanface with br1 didn't give internet access). At least it is incorrect in the sense that I not only gain access to the internet; the wireless devices also gain access to 192.168.1.xx, which is VLAN 1, which I'm otherwise blocking access to with firewall rules on the primary router (at IP address 192.168.1.1). On the secondary router I have "nvram get wan_ipaddr" = 192.168.1.3, such that I can access the router web UI through these two IP addresses (..168.1.1 and ..168.1.3)... I later discovered something I believe is slightly better, but I'm asking myself: is it good enough, and is it the right way to do it? On the secondary router I apply the following rules (and again, for mysterious reasons get_wanface gives br0, not br1, so I'm not even using br1 to get internet access on br1/vlan10, which I think is strange/confusing, or I don't understand it):

Code:
# This rule is just as bad as the above - it opens up EVERYTHING, so VLAN1 and VLAN10 are not separated at all:
# iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# But this seems to help restrict VLAN10 from VLAN1, while I still have an internet connection for my wireless VLAN10 devices (haven't checked with wired devices; currently assuming they're working, otherwise I'll write back in the coming days):
# iptables -I FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j DROP
In the above, "nvram get wan_ipaddr" = 192.168.1.3 (the secondary router). I'm relatively OK with the last 2 rules; at least I have something that "kind of works", after countless hours. I'm very happy with that... I just had the impression that everything (DHCP server, DNS and firewall rules) could be handled on the primary router... Have I misunderstood that part? Everything seemed to be handled by the primary router before I added wl0.1 (wireless) to VLAN10... Now, after adding wl0.1 to VLAN10 (actually only br1, but in principle it should be the same, I guess), I suddenly need extra firewall scripts on the secondary router? Is that right? Do you have that too?

And/or is this routing table correct (from the secondary router's point of view)? I don't see any 192.168.1.3 (secondary router) anywhere; is that correct (neither do I in the primary router's routing table, but I'm guessing it understands vlan10 and doesn't need it?)?
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router.asus.com 0.0.0.0         UG    0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.10.0    *               255.255.255.0   U     0      0        0 br1

Not many people have this setup with 2 routers and switches in between, and I don't see many posts with this or a similar setup... So I would be grateful for any feedback, thanks!
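The two SNAT variants in this post behave the same way for the primary router's firewall: once the access point rewrites the source to its own 192.168.1.3, a rule on the primary keyed on "-s 192.168.10.0/24" (or on "-i br1" there) no longer sees VLAN10 traffic at all, whether or not the SNAT rule itself carries "-s 192.168.10.0/24". The FORWARD DROP on the access point is a reasonable second line of defence, but it cannot restore what the primary lost. As an added example, not code from this thread or from DD-WRT, here is a small lint that can be run over a DD-WRT firewall script before it is saved: it flags POSTROUTING SNAT/MASQUERADE rules whose outgoing interface is one of the internal bridges and leaves NAT towards a real WAN interface alone. The LAN_BRIDGES list and the sample script are my assumptions, the latter built from the rules quoted in the thread plus one made-up WAN rule on vlan2.

```sh
#!/bin/sh
# Added example for this thread, not code from the posts or from DD-WRT: a lint
# over a DD-WRT firewall script that flags source NAT rules which hide the VLAN
# a packet came from. On an access point whose only exit is br0, a rule like
#   iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 192.168.1.3
# rewrites every VLAN10 source to the AP's own VLAN1 address, so a rule on the
# primary router matching "-s 192.168.10.0/24" can no longer tell IoT traffic
# from the AP itself. Adding "-s 192.168.10.0/24" to the SNAT rule does not
# help: the source is still rewritten before the primary sees it.
#
# Assumptions (mine, not the thread's): LAN_BRIDGES lists the interfaces the
# primary router treats as internal; the script text is a constructed sample.

LAN_BRIDGES="br0 br1 br2"

SAMPLE_SCRIPT='# startup firewall, constructed sample
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 192.168.1.3
iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o br0 -j SNAT --to 192.168.1.3
iptables -I FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o vlan2 -j MASQUERADE'

# is_lan_bridge IFACE: true when IFACE is one of LAN_BRIDGES.
is_lan_bridge() {
    for b in $LAN_BRIDGES; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# lint_snat SCRIPT_TEXT: print "line N: <reason>" for each POSTROUTING
# SNAT/MASQUERADE rule whose -o interface is a LAN bridge. NAT towards a
# real WAN interface (vlan2 in the sample) is not reported.
lint_snat() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || !/POSTROUTING/ { next }
        /-j (SNAT|MASQUERADE)/ {
            out = ""; src = ""
            for (k = 1; k <= NF; k++) {
                if ($k == "-o") out = $(k + 1)
                if ($k == "-s") src = $(k + 1)
            }
            if (out != "") print NR, out, (src == "" ? "any" : src)
        }' |
    while read -r n out src; do
        if is_lan_bridge "$out"; then
            printf 'line %s: SNAT out of LAN bridge %s hides the original source (%s); upstream rules keyed on subnet or ingress VLAN stop matching\n' "$n" "$out" "$src"
        fi
    done
    return 0
}

# Stand-alone run against the constructed sample.
lint_snat "$SAMPLE_SCRIPT"
```

On a real box the sample would be replaced by the contents of the saved firewall script (for example "$(cat /jffs/etc/config/*.firewall)" on builds that store it there). Any finding means the per-VLAN rules have to live on the access point as well, or the SNAT has to go and the primary has to be given a way to reach the VLAN10 hosts without it.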
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4338
Location: Netherlands

PostPosted: Tue Oct 08, 2019 11:30    Post subject: Reply with quote
When you have a secondary router set up as a WAP (https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point) and you then have set up a VAP (like br1 or a VLAN) which has its own subnet, your primary router has to know where to send traffic to.

You can deal with this in two ways:
1. use the NAT rule to NAT all traffic coming from the secondary router to its LAN IP address:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
2. The alternative is to set a static route on your primary router to the LAN IP address of the secondary router.

(Do not ask me about the VLAN's, I am not expert in that department)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
bkaskar
DD-WRT Novice


Joined: 15 Feb 2019
Posts: 20

PostPosted: Tue Oct 08, 2019 23:00    Post subject: Reply with quote
Hello again,
Apologies for forgetting that your secondary AP was a Netgear R7000 and not an Asus RT-AC68U.
newsboost wrote:
Hi bkaskar (or anyone else):
We have a primary router dealing with DHCP-requests from all VLANs and traffic passing through VLAN-capable managed switches before arriving at a secondary router: What is/are your firewall settings on the secondary router, if I may ask?
My firewall on the secondary is disabled (I mentioned that in my first reply). BTW, I achieved partial success in my goal as well, where I'm trying to run the RT-AC5300 with VAPs (VLANs on other bridges), but for some reason the connection keeps dropping - and yes, I have yet to enable the firewall and other measures.. but for now br3 has 192.168.30.x, br4 gets ..40.x and br5 gets ..50.x.
The WAN port is on vlan8 (..8.x) and one of the LAN switch ports is on VLAN14. (I have not explored going above 16, even though the docs mention support up to 4096.) I do lose the WiFi connection as well, but as I said, getting VLANs up in other bridges was the first goal.

newsboost wrote:
Because in my case, I don't have internet access on the secondary router with my wireless devices (wl0.1 attached to VLAN10 and br1) until I do:

Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
... which I also think is strange, because "get_wanface=br0" and not br1...?

As @egc pointed out correctly: why do you need WAN in access point mode? It's not supposed to play any part, is it?

newsboost wrote:
I just had the impression that everything (DHCP-server, DNS and firewall-rules) could be handled on the primary router... Have I misunderstood that part? Everything seemed to be handled by the primary router, before I added wl0.1 (wireless) to VLAN10... Now after adding wl0.1 to VLAN10 (actually only br1, but in principle it should be the same I guess), I suddenly need extra firewall scripts on the secondary router? Is that right? Do you have that too?
In my case DHCP, DNS and firewall are all on the primary router. I haven't connected devices to multiple VAPs and checked their interactivity. But AFAIK VLAN1 is the mgmt. LAN, so it could see VLAN10 but not the other way around.

newsboost wrote:
And/or is this routing table correct (from the secondary router's point of view)? I don't see any 192.168.1.3 (secondary router) anyway, is that correct (neither do I do in the primary router's routing table, but I'm guessing it understands vlan10 and don't need it?)?
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router.asus.com 0.0.0.0         UG    0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.10.0    *               255.255.255.0   U     0      0        0 br1

Not many people have this setup with 2 routers and switches between and I don't see many posts with this or a similar setup... So I would be grateful for any feedback, thanks!

Here is the route from my AC68U
Code:

| DD-WRT v3.0-r39960M kongac (c) 2019 NewMedia-NET GmbH
| Release: 06/08/19
| Board: Asus RT-AC68U
BusyBox v1.30.1 (2019-06-08 11:12:49 CEST) built-in shell (ash)

root@RTRDDWRT02:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.8.64      *               255.255.255.240 U     0      0        0 br2
192.168.1.0      *               255.255.255.0   U     0      0        0 br0
192.168.30.0      *               255.255.255.192 U     0      0        0 br3
192.168.40.16     *               255.255.255.240 U     0      0        0 br4
192.168.50.0      *               255.255.255.0   U     0      0        0 br5
192.168.70.64     *               255.255.255.240 U     0      0        0 br1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo



But when I look at my newly set up AC5300 it looks like this:
Code:

| DD-WRT v3.0-r39960M kongac (c) 2019 NewMedia-NET GmbH
| Release: 06/08/19
| Board: Asus RT-AC5300
BusyBox v1.30.1 (2019-06-08 11:24:13 CEST) built-in shell (ash)

root@RTRDDWRT01:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1      0.0.0.0         UG    0      0        0 br0
192.168.1.0      *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo

Now, while trying to help you, I see there is no default route on my working AP (AC68U) _AND_ on the newly set up one I definitely have issues, as none of the brX interfaces show up here in the routing table. So problems everywhere, but if there was a default route on the 68U, no mention of the AP's IP address, so I'd say the route matches (so that's how it is designed to be on an AP?).
I'll post more findings as I get time to look at it. As you said, this project has created a lot of backlog for other things in life.
newsboost
DD-WRT Novice


Joined: 05 Jul 2018
Posts: 43

PostPosted: Wed Oct 09, 2019 3:56    Post subject: Reply with quote
egc wrote:
When you have a secondary router setup as a WAP (https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point)And you the have setup a VAP (like br1 or a VLAN), which have their own subnet, you primary router has to know where to send traffic to.
Understood - and thanks for posting that link. I discovered I think it's best to disable "Routing" under the "Routing" tab, even though I don't have anything under "Setup/Advanced Routing" (just to be sure nothing interferes in my 2-router setup).
egc wrote:
You can deal with this in two ways:
1. use the NAT rule to nat all traffic comming from the secondary router to its LAN ip address:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
2. The alternative is to set a static route on your primary router to the LAN IP address of the secondary router.
As I understand it, when we add this POSTROUTING rule to the secondary router, it does NAT/masquerading such that all packets from the secondary router (including those from VLAN10) have their source IP address changed to lan_ipaddr = 192.168.1.3. When this happens, the firewall rule on the primary router no longer works, i.e. traffic from 192.168.1.xx is mixed with traffic from 192.168.10.xx and the two networks are not separate: I can access ALL 192.168.1.xx addresses from my devices connected to VLAN 10 on my secondary router. And that is not what I want; I would like to have network segmentation (but *WITH* internet access)... So method 1 (the POSTROUTING rule) is not the solution I prefer. It does, however, help with getting an internet connection when I have an iptables DROP rule between "-i br1 -o br0" on the primary router (for segmentation)...

I've tried to figure out how to use method 2, you mentioned - with a static route on the primary router (192.168.1.1) to the secondary router (192.168.1.3). First, I have this:
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
....
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.10.0    *               255.255.255.0   U     0      0        0 br1
Next I've been trying to figure out how to make a routing table such that, if the primary router cannot deliver a packet to VLAN 10 on the local br1 interface, it tries to deliver the packet to 192.168.1.3 (the secondary router). Then I tried this:
Code:
# route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.1.3 dev br1
route: SIOCADDRT: No such process
I googled and thought I needed to solve the problem like this (2 extra possibilities for success, that's what I thought):
Code:
# route add -host 192.168.1.3 dev br1
# route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.1.3 dev br1
# route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1 dev br1
But neither works, and I'm not really sure why, because I don't completely understand how these things work, also with VLANs involved... I can, however, ping 192.168.10.1 from my primary router (which is the IP address of br1 on my secondary router)... I still have no internet access with these settings. New routing table (primary router):
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.3     *               255.255.255.255 UH    0      0        0 br1
...
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.10.0    192.168.10.1    255.255.255.0   UG    0      0        0 br1
192.168.10.0    192.168.1.3     255.255.255.0   UG    0      0        0 br1
192.168.10.0    *               255.255.255.0   U     0      0        0 br1
I don't understand why it says "br1" next to 192.168.1.3 (secondary router); I think it set this value automatically... I've also tried the following, which also seemed intuitively correct:
Code:
route del -net 192.168.10.0 gw 192.168.1.3 netmask 255.255.255.0 dev br1
This means there are now 2 lines in the routing table for VLAN 10 on the primary router:
Code:
192.168.10.0    192.168.10.1    255.255.255.0   UG    0      0        0 br1
192.168.10.0    *               255.255.255.0   U     0      0        0 br1
But still not working... I imagine things are a bit complicated, because I have VLAN10 devices both on the primary router (br1) as well as on the secondary router (br1 in this case, but it could have been something else, e.g. br2/3/4...) and I want both to see each other. If VLAN10 was only on one router, I think I would not struggle as much as I do now...
egc wrote:
(Do not ask me about the VLAN's, I am not expert in that department)
Yeah, it's not so easy... Thanks a lot for your input though; I need to look into setting up static routes for VLANs. I don't really know how to proceed from here... I would be very grateful for any hints here, thanks!

Last edited by newsboost on Wed Oct 09, 2019 5:04; edited 6 times in total
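Two things in this post can be checked offline before touching the routing table again. First, "SIOCADDRT: No such process" from route add means the gateway given is not reachable on a directly connected network of the device named: on the primary's table 192.168.1.3 is on-link via br0, not br1, so "gw 192.168.1.3 dev br1" is rejected. The later "route add -host 192.168.1.3 dev br1" is what made the gateway route go in, but it tells the kernel that 192.168.1.3 is reachable on br1 (VLAN10), which it is not. Second, 192.168.10.0/24 is already directly connected on the primary's br1, so any gateway route for that same prefix on br1 adds nothing: the kernel already delivers those packets onto VLAN10, and the clients on the secondary sit on that same VLAN10 segment through the trunk. Before adding routes at all it is worth checking which router a VLAN10 client actually uses as its gateway: the secondary's br1 answers at 192.168.10.1, and if clients resolve their gateway to it, its only way out is the default route over br0 shown in its table, which is exactly the path that needed the SNAT. The script below is an added example, not code from this thread: it validates a proposed static route against a "route -n" table using only POSIX sh and awk. The sample table is constructed after the primary router's table quoted in the post, in numeric form, with a made-up WAN line on vlan2 using a documentation address; contiguous netmasks are assumed.

```sh
#!/bin/sh
# Added example for this thread, not code from the posts: check a proposed
# static route against a "route -n" table before handing it to the kernel.
# "route add ... gw GW dev DEV" fails with SIOCADDRT: No such process when
# GW is not on a directly connected network of DEV, which is why
#   route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.1.3 dev br1
# is rejected on the primary router: 192.168.1.3 is on-link via br0, not br1.
# The check also warns when the prefix is already directly connected on the
# same interface, in which case a gateway route for it adds nothing.
#
# Assumptions (mine): netmasks are contiguous; the table below is constructed
# after the primary router's table in the thread, with a made-up WAN line.

SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 br1'

# onlink_dev ADDR TABLE: print the interface whose directly connected network
# (a route without the G flag) contains ADDR; nothing if there is none.
onlink_dev() {
    printf '%s\n' "$2" | awk -v addr="$1" '
        # network part of ip under a contiguous mask, integer arithmetic only:
        # per octet, o & m == o - o % (256 - m)
        function netpart(ip, mask,   a, m, i, r) {
            split(ip, a, "."); split(mask, m, ".")
            r = ""
            for (i = 1; i <= 4; i++) r = r "." (a[i] - a[i] % (256 - m[i]))
            return r
        }
        NR <= 2 || $4 ~ /G/ { next }
        netpart(addr, $3) == netpart($1, $3) { print $8; exit }'
}

# route_check DEST MASK GW DEV TABLE: prints "ok" and returns 0 when the
# route would be accepted and is not redundant, otherwise prints why and
# returns 1.
route_check() {
    dest=$1; mask=$2; gw=$3; dev=$4; table=$5
    via=$(onlink_dev "$gw" "$table")
    if [ -z "$via" ]; then
        echo "reject: gateway $gw is not on any directly connected network"
        return 1
    fi
    if [ "$via" != "$dev" ]; then
        echo "reject: gateway $gw is on-link via $via, not $dev (kernel: SIOCADDRT: No such process)"
        return 1
    fi
    if printf '%s\n' "$table" | awk -v d="$dest" -v m="$mask" -v i="$dev" \
        '$1 == d && $3 == m && $8 == i && $4 !~ /G/ { found = 1 } END { exit !found }'; then
        echo "warn: $dest/$mask is already directly connected on $dev; a gateway route for it is redundant"
        return 1
    fi
    echo "ok"
    return 0
}

# Stand-alone run: the thread's two gateway attempts plus the corrected device.
for gwdev in "192.168.1.3 br1" "192.168.1.3 br0" "192.168.10.1 br1"; do
    gw=${gwdev% *}; dev=${gwdev#* }
    printf 'gw %-12s dev %s: ' "$gw" "$dev"
    route_check 192.168.10.0 255.255.255.0 "$gw" "$dev" "$SAMPLE_TABLE" || true
done
```

Only the "gw 192.168.1.3 dev br0" form passes the check, and even that one only makes sense if the primary did not already have 192.168.10.0/24 on its own br1; with the VLAN trunked to both routers, the static route is solving a problem the L2 design does not have, and the gateway the clients actually use is the thing to verify.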
newsboost
DD-WRT Novice


Joined: 05 Jul 2018
Posts: 43

PostPosted: Wed Oct 09, 2019 4:37    Post subject: Reply with quote
bkaskar wrote:
Hello again,
Apologies for forgetting that your secondary AP was a Netgear 7000 and not Asus RT AC68U.
Hi bkaskar, no problem about that. You've been a huge help for me; I'm very happy for all the valuable help and input you've provided by sharing your config etc.
bkaskar wrote:
newsboost wrote:
Hi bkaskar (or anyone else):
We have a primary router dealing with DHCP-requests from all VLANs and traffic passing through VLAN-capable managed switches before arriving at a secondary router: What is/are your firewall settings on the secondary router, if I may ask?
My firewall on the secondary is disabled (I mentioned that in my first reply). BTW, I achieved partial success in my goal as well, where I'm trying to run the RT-AC5300 with VAPs (VLANs on other bridges), but for some reason the connection keeps dropping - and yes, I have yet to enable the firewall and other measures.. but for now br3 has 192.168.30.x, br4 gets ..40.x and br5 gets ..50.x.
The WAN port is on vlan8 (..8.x) and one of the LAN switch ports is on VLAN14. (I have not explored going above 16, even though the docs mention support up to 4096.) I do lose the WiFi connection as well, but as I said, getting VLANs up in other bridges was the first goal.
I really prefer, if possible - to have all the firewall rules etc on the main router. Then it's easier to switch/upgrade the secondary router and easier to understand the setup or make changes. I also started with disabling firewall between all subnets, but now I would like to add that - and with only 2 VLANs I hope it's easier to understand (later I'll add more VLANs like you have). I also later would like to experiment with VLANs above maybe 50 (I understand we cannot use VLANs at least those around 16-18 as these have a different meaning in DDWRT). Does your connection also drop with fewer VLANs? Is the CPU usage too high, maybe? Sounds terrible, this confirms it's a good idea that I'm starting with only 2 VLANs and I'll test that carefully before adding more.

bkaskar wrote:
newsboost wrote:
Because in my case, I don't have internet access on the secondary router with my wireless devices (wl0.1 attached to VLAN10 and br1) until I do:

Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
... which I also think is strange, because "get_wanface=br0" and not br1...?

As @egc correctly pointed out, why do you need WAN in AccessPoint mode? It's not supposed to play any part, is it?
Not sure I understood this question: I added this POSTROUTING rule because after I added these rules (on the primary router), I didn't have any internet access on VLAN-10-devices on my secondary router (can't remember if it was only wireless devices or all, however):
Code:
# block br1 from accessing br0:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# Keep br1 from accessing the router
iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j DROP
This/these rule(s) that disallow traffic between br0 and br1 keep traffic between VLAN1 and VLAN10 separate. It's important for me, because I would like to have several insecure IOT devices on VLAN10 and these should not have access to my more critical/important devices on VLAN 1 (such as my NAS-server, where ALL my important mails, stuff, backup of private data etc is)... The "iptables -t nat -I POSTROUTING..."-rule is one I found out that gave me internet access back on VLAN 10. I initially didn't understand why it neutralized the effect of my firewall-VLAN-segmentation rule, now I understand it's because it does NAT/masquerading so all VLAN 10 packets look like they're from 192.168.1.3 (the IP of the secondary router). This is not the effect I'm looking for. So as per suggestion from @egc, I'll spend some days to see if I can understand how to make a proper routing table...
bkaskar wrote:
newsboost wrote:
I just had the impression that everything (DHCP-server, DNS and firewall-rules) could be handled on the primary router... Have I misunderstood that part? Everything seemed to be handled by the primary router, before I added wl0.1 (wireless) to VLAN10... Now after adding wl0.1 to VLAN10 (actually only br1, but in principle it should be the same I guess), I suddenly need extra firewall scripts on the secondary router? Is that right? Do you have that too?
In my case DHCP, DNS, Firewall all are on the primary router. I haven't connected devices to multiple VAPs and checked their interactivity. But AFAIK VLAN1 is the mgmt. LAN so it could see VLAN10 but not the other way around.
That would also be ok for me - that VLAN 1 can see VLAN 10, but not the other way around. Currently, I have to choose between no internet access on VLAN 10 - or VLAN 10 being able to access VLAN 1. Not a good solution; I hope I'll soon figure out how to make this routing-table stuff work.

bkaskar wrote:
newsboost wrote:
And/or is this routing table correct (from the secondary router's point of view)? I don't see any 192.168.1.3 (secondary router) anywhere, is that correct (neither do I in the primary router's routing table, but I'm guessing it understands vlan10 and doesn't need it?)?
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router.asus.com 0.0.0.0         UG    0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.10.0    *               255.255.255.0   U     0      0        0 br1

Not many people have this setup with 2 routers and switches between and I don't see many posts with this or a similar setup... So I would be grateful for any feedback, thanks!

Here is the route from my AC68U
Code:

| DD-WRT v3.0-r39960M kongac (c) 2019 NewMedia-NET GmbH
| Release: 06/08/19
| Board: Asus RT-AC68U
End of banner message from server
Authenticating with public key "imported-openssh-key"


BusyBox v1.30.1 (2019-06-08 11:12:49 CEST) built-in shell (ash)

root@RTRDDWRT02:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.8.64      *               255.255.255.240 U     0      0        0 br2
192.168.1.0      *               255.255.255.0   U     0      0        0 br0
192.168.30.0      *               255.255.255.192 U     0      0        0 br3
192.168.40.16     *               255.255.255.240 U     0      0        0 br4
192.168.50.0      *               255.255.255.0   U     0      0        0 br5
192.168.70.64     *               255.255.255.240 U     0      0        0 br1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo



But when I look at my newly set up AC5300 it looks like this:
Code:

| DD-WRT v3.0-r39960M kongac (c) 2019 NewMedia-NET GmbH
| Release: 06/08/19
| Board: Asus RT-AC5300
End of banner message from server
Authenticating with public key "imported-openssh-key"


BusyBox v1.30.1 (2019-06-08 11:24:13 CEST) built-in shell (ash)

root@RTRDDWRT01:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1      0.0.0.0         UG    0      0        0 br0
192.168.1.0      *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo

Now, while trying to help you, I see there is no default route on my working AP (AC68U) _AND_ on the newly set up one I definitely have issues, as none of the brX interfaces show up here in the routing table. So problems everywhere, but if there was a default route on the 68U, no mention of AP's IP address so I'd say the route matches (so that's how it is designed to be on an AP?).
I'll post more findings as I get time to look at it. As you said, this project has created a lot of backlog for other things in life.
It's interesting to see your routing table... I think I understand my problem better now:

On my primary router I have:
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
83.88.36.1      *               255.255.255.255 UH    0      0        0 eth0
...
...
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
1.1.1.0         *               255.255.255.0   U     0      0        0 br0
192.168.10.0    *               255.255.255.0   U     0      0        0 br1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
...
On the secondary router I have:
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router.asus.com 0.0.0.0         UG    0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.10.0    *               255.255.255.0   U     0      0        0 br1

What I would like to do, is on the primary router to accomplish:
Code:
# route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.1.3 dev br1
route: SIOCADDRT: No such process
What I mean by this is that if the primary router tries to reach 192.168.10.0 and it ISN'T on the local br1 - then it must route to 192.168.1.3 (secondary router), which has the other VLAN 10 devices... This I don't know how to accomplish?!?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4338
Location: Netherlands

PostPosted: Wed Oct 09, 2019 8:33    Post subject:
newsboost wrote:
egc wrote:
When you have a secondary router set up as a WAP (https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point) and you then have set up a VAP (like br1 or a VLAN), which has its own subnet, your primary router has to know where to send traffic to.
Understood - and thanks for posting that link, I discovered I think it's best to disable "Routing" under the "Routing"-tab even though I don't have anything under "Setup/Advanced Routing" (just to be sure nothing interferes, between my 2-router setup).
egc wrote:
You can deal with this in two ways:
1. use the NAT rule to NAT all traffic coming from the secondary router to its LAN IP address:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
2. The alternative is to set a static route on your primary router to the LAN IP address of the secondary router.
As I understand it, when we add this POSTROUTING rule to the secondary router, it does NAT/masquerading such that all packets from the secondary router (including those from VLAN10) will have their source IP address changed into lan_ipaddr=192.168.1.3. When this happens, the firewall rule on the primary router doesn't work any longer, i.e. traffic from 192.168.1.xx is mixed with traffic from 192.168.10.xx and the two networks are not separate - I can access ALL 192.168.1.xx addresses from my devices connected to VLAN 10 on my secondary router. And that is not what I want, I would like to have network segmentation (but *WITH* internet access)... So method 1 (the POSTROUTING rule) is not the solution I prefer - it however helps getting an internet connection, when I have an iptables DROP rule between "-i br1 -o br0" on the primary router (for segmentation)...

I've tried to figure out how to use method 2, you mentioned - with a static route on the primary router (192.168.1.1) to the secondary router (192.168.1.3). First, I have this:
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
....
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.10.0    *               255.255.255.0   U     0      0        0 br1
Next I've been trying to figure out how to make a routing table such that if the primary router cannot deliver a packet to VLAN 10 on the local br1-interface, then it needs to try to deliver the packet to 192.168.1.3 (the secondary router). Then I tried this:
Code:
# route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.1.3 dev br1
route: SIOCADDRT: No such process
I googled and thought I need to solve the problem like this (2 extra possibilities for success, that's what I thought):
Code:
# route add -host 192.168.1.3 dev br1
# route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.1.3 dev br1
# route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1 dev br1
But neither works and I'm not really sure why, because I don't completely understand how these things work, also with VLANs involved... I can however ping 192.168.10.1 from my primary router (which is the IP address of br1 on my secondary router)... I still have no internet access with these settings. New routing table (primary router):
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.3     *               255.255.255.255 UH    0      0        0 br1
...
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.10.0    192.168.10.1    255.255.255.0   UG    0      0        0 br1
192.168.10.0    192.168.1.3     255.255.255.0   UG    0      0        0 br1
192.168.10.0    *               255.255.255.0   U     0      0        0 br1
I don't understand why it says "br1" next to 192.168.1.3 (secondary router), I think it automatically set this value... I've also tried the following, which also seemed intuitively correct:
Code:
route del -net 192.168.10.0 gw 192.168.1.3 netmask 255.255.255.0 dev br1
This means there are now 2 lines in the routing table for VLAN 10 on the primary router:
Code:
192.168.10.0    192.168.10.1    255.255.255.0   UG    0      0        0 br1
192.168.10.0    *               255.255.255.0   U     0      0        0 br1
But still not working... I imagine things are a bit complicated, because I have VLAN10 devices both on the primary router (br1), as well as on the secondary router (br1 in this case, but it could've been something else, e.g. br2/3/4...) - and I want both to see each other. If VLAN10 was only on one router, I think I would not struggle so much as I do now...
egc wrote:
(Do not ask me about the VLAN's, I am not expert in that department)
Yeah, it's not so easy... Thanks a lot for your input though, I need to look into setting up static routes for VLANs. I don't really know how to proceed from here... I would be very grateful for any hints here, thanks!


I just picked out the things I know:
When using the firewall rule on the secondary router the packets can indeed no longer be identified as coming from another subnet/bridge.
If you want this subnet not to access anything on your local network, you add another firewall rule on the secondary router to block this; a rule like the following would do the blocking:
Code:
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

This rule blocks anything from br1 on your secondary router accessing your local network but you still have internet access.

But your argument is valid and you can set a static route on the primary router.
I have not followed your thread that well but if I understand it correctly your primary router has br0 and br1, the latter is with VLAN10 and your secondary router is connected on this VLAN10 wired port.

If your secondary router also has a br1 with subnet 192.168.20.0/24 and you do not want the firewall rule on the secondary router then on your primary router you have to route traffic destined for this subnet via 192.168.1.2 (the IP address of your secondary router)
So set a static route on your primary like:
ip route add 192.168.20.0/24 via 192.168.1.2 dev br1

Normally you will not have to add the device, the router knows what to pick; if your secondary router is not connected via vlan10/br1 you have to use dev br0.

If you are going with the static route way and have set this up correctly you still will not have internet access.
Why?
Because your main router is also DDWRT and this only NAT's traffic from its own subnet out onto the internet (most commercial routers and other software NAT all traffic).
So to correct this you also have to add the following firewall rule on your primary router:
Code:
iptables -t nat -A POSTROUTING -o $(get_wanface) -j MASQUERADE


This is a rather broad rule; normally I would specify the -s source (that is how @eibgrad taught me) but in this case I am a bit lost about the source.

I am sorry I can not be more specific, your thread is a kind of TL;DR and I am at the moment busy with other DDWRT projects.

Oh, one word of advice: you mention disabling routing, I would not do that; the same holds true for disabling gateway mode, just leave all that at its default state. Disabling routing or gateway mode tends to break things.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
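newsboost's refused `route add ... gw 192.168.1.3 dev br1` and egc's two options (SNAT on the secondary, which hides the source subnet, or a static route on the primary, which keeps it but then needs MASQUERADE on the primary) both come down to how route lookup and FORWARD matching see a packet. The following is an added example, not code from this thread or from DD-WRT: a small Python model of the primary router's routing table and FORWARD rules. Router addresses are the ones posted (egc's 192.168.1.2 for the secondary's LAN IP and 192.168.20.0/24 for its VAP subnet); the client 192.168.20.7, the NAS 192.168.1.20 and the public host 203.0.113.10 are constructed, and the model assumes the secondary sends its routed traffic onto VLAN 1, i.e. it reaches the primary on br0, which is egc's "use dev br0" case.

```python
"""Model of the two-router VLAN problem from this thread (added example, not
DD-WRT code).  Simulates longest-prefix route lookup, the refusal of a gateway
route whose gateway is not directly reachable on the named device, and what the
primary router's FORWARD rules see with and without SNAT on the secondary.
Router addresses follow the thread; 192.168.20.7, 192.168.1.20 and
203.0.113.10 are constructed sample hosts."""
import ipaddress


class RoutingTable:
    """Entries are (network, gateway or None if directly connected, device)."""

    def __init__(self):
        self.routes = []

    def add_connected(self, cidr, dev):          # the 'U' lines of `route`
        self.routes.append((ipaddress.ip_network(cidr), None, dev))

    def lookup(self, dst):
        """Longest-prefix match; returns (network, gateway, dev) or None."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw, dev in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, dev)
        return best

    def add_via(self, cidr, gw, dev):            # the 'UG' lines of `route`
        """Refuse the route unless the gateway lies in a directly connected
        subnet on the same device (route(8) reports 'SIOCADDRT: No such process')."""
        hit = self.lookup(gw)
        if hit is None or hit[1] is not None or hit[2] != dev:
            raise OSError(f"SIOCADDRT: {gw} is not directly reachable on {dev}")
        self.routes.append((ipaddress.ip_network(cidr), ipaddress.ip_address(gw), dev))


def primary_table():
    """The primary router's table as posted (WAN side reduced to two lines)."""
    rt = RoutingTable()
    rt.add_connected("83.88.36.1/32", "eth0")       # ISP gateway host route
    rt.add_via("0.0.0.0/0", "83.88.36.1", "eth0")   # default route
    rt.add_connected("192.168.1.0/24", "br0")       # VLAN 1
    rt.add_connected("192.168.10.0/24", "br1")      # VLAN 10
    return rt


# FORWARD rules as (in_dev, out_dev, src_net, dst_net, verdict); None = any.
# First match wins, otherwise ACCEPT.  '--state NEW' is implied: every packet
# modelled here is the first of its flow.
IFACE_RULES = [  # the two rules newsboost runs on the primary router
    ("br1", "br0", None, None, "DROP"),              # -i br1 -o br0 -j DROP
    ("br1", None, None, "192.168.1.0/24", "DROP"),   # -i br1 -d 192.168.1.0/24
]
SOURCE_RULE = [  # constructed: keyed on -s, as egc recommends
    (None, None, "192.168.20.0/24", "192.168.1.0/24", "DROP"),
]


def forward(rt, rules, in_dev, src, dst):
    """Route the packet, then run the FORWARD rules; returns (verdict, out_dev)."""
    hit = rt.lookup(dst)
    if hit is None:
        return ("UNREACHABLE", None)
    out_dev = hit[2]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_in, r_out, r_src, r_dst, verdict in rules:
        if ((r_in is None or r_in == in_dev)
                and (r_out is None or r_out == out_dev)
                and (r_src is None or src_ip in ipaddress.ip_network(r_src))
                and (r_dst is None or dst_ip in ipaddress.ip_network(r_dst))):
            return (verdict, out_dev)
    return ("ACCEPT", out_dev)


def route_to_secondary():
    """egc's static route.  192.168.1.2 (the secondary's LAN IP) is reachable on
    br0 here, so 'dev br1' is refused and 'dev br0' is the form that works."""
    rt = primary_table()
    try:
        rt.add_via("192.168.20.0/24", "192.168.1.2", "br1")
        accepted_on_br1 = True
    except OSError:
        accepted_on_br1 = False
    rt.add_via("192.168.20.0/24", "192.168.1.2", "br0")
    return accepted_on_br1, rt.lookup("192.168.20.7")[2]


def snat_on_secondary():
    """Secondary SNATs to its LAN IP: the packet enters the primary on br0 with
    src 192.168.1.3, indistinguishable from the secondary's own traffic, so
    neither rule set can keep it away from the NAS on VLAN 1."""
    rt = primary_table()
    return (forward(rt, IFACE_RULES, "br0", "192.168.1.3", "192.168.1.20")[0],
            forward(rt, SOURCE_RULE, "br0", "192.168.1.3", "192.168.1.20")[0])


def static_route_no_nat():
    """Static route, no NAT: the source 192.168.20.7 survives.  The -i br1 rules
    still miss it (it arrives on br0), a -s rule blocks it from VLAN 1, and
    internet-bound traffic is still forwarded out eth0, where the primary's own
    MASQUERADE rule must then cover the foreign subnet."""
    rt = primary_table()
    rt.add_via("192.168.20.0/24", "192.168.1.2", "br0")
    return (forward(rt, IFACE_RULES, "br0", "192.168.20.7", "192.168.1.20"),
            forward(rt, SOURCE_RULE, "br0", "192.168.20.7", "192.168.1.20"),
            forward(rt, SOURCE_RULE, "br0", "192.168.20.7", "203.0.113.10"))
```

Running the three scenario functions reproduces the thread's observations: the gateway route is only accepted on the device that actually carries 192.168.1.0/24, SNAT on the secondary makes VLAN traffic invisible to any rule on the primary, and only the static-route form leaves a source address that a `-s` rule on the primary (or egc's REJECT rule on the secondary) can act on.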