Routing traffic properly on VLANs ... using nvram

geotux
DD-WRT Novice


Joined: 31 Jul 2016
Posts: 11

PostPosted: Mon Dec 09, 2019 21:59    Post subject: Routing traffic properly on VLANs ... using nvram
Hi,

I've been spending the last weekend trying to get my head around routing tagged IP traffic through VLANs set up on my dd-WRT (v3.0-r40559 of 08/06/19) installation on my Netgear R7000.

SETUP
a) pfSense with VLANs setup: VL20, VL30 and VL10 used for management (i.e. connecting to the config interface of the switch and wireless AP)
b) Cisco switch correctly connected with a trunk to pfSense box
c) R7000 connected to Cisco with another trunk

PROBLEM DEFINITION
a) Route VL10 traffic to WLAN Port 0 so I can connect to the dd-WRT GUI
b) Route VL20 traffic to physical Wireless interface on R7000
c) Route VL30 traffic to virtual (wl0.1 & wl1.1) Wireless interface on R7000

It all started from this post https://netosec.com/dd-wrt-wifi-vlans/ where it seems this chap got things going just using the GUI. I tried and miserably failed (actually, I can get VL20 or VL30 to route correctly to the physical interfaces using the GUI at any one time, but the other fails to work ... this demonstrates that the switch/pfSense is not the problem).

Then I read this https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports#VLANs , which gave me a different perspective and made me realise that I probably needed to use nvram. So I tried but nothing seems to be functioning. So I had hoped you could help me debug the problem.

So this is my setup with nvram:

root@gi:~# nvram show | grep vlan.*ports | sort
size: 40486 bytes (25050 left)
vlan10ports=0 5
vlan1ports=1 2 3 4 5*
vlan20ports=0t 5
vlan2ports=0 5u
vlan30ports=0t 5

root@gi:~# nvram show | grep port.*vlans | sort
size: 40486 bytes (25050 left)
port0vlans=10 16 20 30
port1vlans=1
port2vlans=
port3vlans=
port4vlans=
port5vlans=1 10 16 20 30

root@gi:~# nvram show | grep vlan.*hwname | sort
size: 40486 bytes (25050 left)
vlan10hwname=et0
vlan1hwname=et0
vlan20hwname=et0
vlan2hwname=et0
vlan30hwname=et0

Annoyingly, after rebooting, I was expecting to see vlan20 and vlan30 in the drop down boxes under SETUP -> NETWORKING -> ASSIGN TO BRIDGE, but nothing. However, strangely, I can see vlan10 in the drop down selection box. Strange! ... I thought.

So I decided to add the commands in ADMINISTRATION -> COMMANDS as follows (So I could link the virtual interfaces together.):

/sbin/ifconfig vlan20 up
/sbin/ifconfig vlan20 txqueuelen 1000
/usr/sbin/brctl addif br1 vlan20
/sbin/ifconfig vlan30 up
/sbin/ifconfig vlan30 txqueuelen 1000
/usr/sbin/brctl addif br2 vlan30

Then I rebooted. However, this time nothing works. You'll see from the above that I've left myself access to Port 1 so I can connect to the R7000 from my laptop.

If there is anyone that can help me make something out of this, that would be much appreciated.

Many thanks in advance.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Tue Dec 10, 2019 0:42
The stuff you entered in the commands window, was that saved as startup? You don't have to put absolute pathnames in there. I don't *think* that you have to add anything syntax-wise if it's in your startup script. Not even going to bother asking why you're running 40559, already breathed enough fire today.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Tue Dec 10, 2019 7:29
I have one VLAN running just by using the wiki: https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports#VLANs

But you need a recent build, your build is probably from the router database and is not the best one out.
So I suggest getting a recent build and reset (after uploading the new build) by doing the following from the CLI: nvram erase && reboot
and start fresh (do not restore from a backup, put settings in manually), otherwise ask help from our VLAN expert Per Yngve Berg.

I currently use 41664

Below are some pointers which might help to get the best out of DDWRT and out of the forum:
1. Research your router, start with the supported devices wiki:
https://wiki.dd-wrt.com/wiki/index.php/Supported_Devices .
2. In the supported devices wiki you can see if your router is supported and what architecture your router has and if you are lucky also an install guide/wiki.
3. Post in the right forum, from the former step you can see if your router is Broadcom, Qualcomm/Atheros, Marvell or other, use that forum to post router specific questions, for networking questions post in the Advanced Networking forum and for other things in the General Questions forum.
4. When posting always state router model, build number and when applicable the Kernel version.
Describe your problem and how you think it can be solved.
Give as much detail as you can also provide your network setup if applicable.
For your Network setup, state what wiki you have used: https://wiki.dd-wrt.com/wiki/index.php/Linking_Routers
5. When posting pictures make sure the maximum width is not more than 600 pixels.
6. Do not hijack a thread, meaning do not post your own problem in someone else's thread. Just start your own thread.
7. If your post is answered and your problem solved, mark your thread with [SOLVED] (the header of your first post).
8. Do NOT use the router database, builds can be found at:
https://dd-wrt.com/support/other-downloads/?path=betas%2F2019%2F
All builds are beta including those from the router database.
9. Before uploading a new build to your router, research the build by looking in the build threads.
This is an example of a build thread for build 41328 for Broadcom routers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321699&highlight=41328
Search build threads with the search function and search on build number.
10. Use the build threads from the former step to report success or problems.
11. For older Broadcom routers (Linksys WRT54 and E series) read the peacock thread although some of it is outdated: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=51486
Builds can be found in the Broadcom directory for Linux kernel 2.4, in Broadcom_K26 for Linux K2.6 and in Broadcom_K3X for Linux K3.X.
12. If you are sure you have discovered a bug, after asking and querying the forum, you can report a real bug in the bug tracker: https://svn.dd-wrt.com/
This is also the place where the commits/changes to the source are administrated.
13. Recommended reading:
https://forum.dd-wrt.com/wiki/index.php/Main_Page
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=54845
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=54959
14. If you are happy with DDWRT and want it to live on then donate:
https://dd-wrt.com/donations/

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
geotux
DD-WRT Novice


Joined: 31 Jul 2016
Posts: 11

PostPosted: Tue Dec 10, 2019 20:26
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

PostPosted: Tue Dec 10, 2019 21:08    Post subject: Re: Routing traffic properly on VLANs ... using nvram
geotux wrote:
Annoyingly, after rebooting, I was expecting to see vlan20 and vlan30 in the drop down boxes under SETUP -> NETWORKING -> ASSIGN TO BRIDGE, but nothing. However, strangely, I can see vlan10 in the drop down selection box. Strange! ... I thought.

So I decided to add the commands in ADMINISTRATION -> COMMANDS as follows (So I could link the virtual interfaces together.):

/sbin/ifconfig vlan20 up
/sbin/ifconfig vlan20 txqueuelen 1000
/usr/sbin/brctl addif br1 vlan20
/sbin/ifconfig vlan30 up
/sbin/ifconfig vlan30 txqueuelen 1000
/usr/sbin/brctl addif br2 vlan30

Then I rebooted. However, this time nothing works. You'll see from the above that I've left myself access to Port 1 so I can connect to the R7000 from my laptop.

If there is anyone that can help me make something out of this, that would be much appreciated.

Many thanks in advance.
I also have the R7000. I think the GUI only works for VLAN 1-15 (as you can see under http://192.168.1.1/Vlan.asp), so I suspect you need to type in the commands from the shell - telnet/ssh - this is much better than under ADMINISTRATION -> COMMANDS, at least while you're testing (with my experience, you don't need to reboot the whole time, but once you have something working you want to save it there, reboot - test that it still works).

I'm not sure exactly what you've done, because I get:
Code:

ifconfig vlan20 up
ifconfig: ioctl 0x8913 failed: No such device
And then I stopped typing in commands - maybe you get the same error, but you don't see it. So: Log in via ssh/telnet and see directly the response, from your commands. Also, I can see on my main router I have something like this - feel free to replace vlan10 with vlan20 and continue in the direction you've described.
Code:

vconfig add eth0 10
ifconfig vlan10 up

brctl addbr br1
brctl addif br1 vlan10
ifconfig br1 192.168.10.1 netmask 255.255.255.0 up
I also see absolutely no reason for using an old firmware, I would upgrade ASAP if I were you. I hope this helps.
geotux
DD-WRT Novice


Joined: 31 Jul 2016
Posts: 11

PostPosted: Tue Dec 10, 2019 22:15
I'm now on version r41686 (12/10/2019) ... can't be more up to date than that now

newsboost, I took your advice and ran the vconfig/ifconfig commands to bring up the vlans in ssh. Interestingly, they then showed up in the GUI and I could assign the various vlans to the respective bridges. So I decided to copy those commands in ADMINISTRATION -> COMMANDS and rebooted.

I still seem to be struggling to route the traffic correctly. I ran all these in ssh:

DEFAULT AFTER FLASH
Code:
root@DD-WRT:~# nvram show | grep vlan.*ports | sort
size: 36939 bytes (28597 left)
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
root@DD-WRT:~# nvram show | grep port.*vlans | sort
size: 36939 bytes (28597 left)
port0vlans=
port1vlans=1
port2vlans=
port3vlans=
port4vlans=
port5vlans=1 16
root@DD-WRT:~# nvram show | grep vlan.*hwname | sort
size: 36939 bytes (28597 left)
vlan1hwname=et0
vlan2hwname=et0


Executed in SSH
Code:
root@DD-WRT:~# nvram set vlan10ports="0 5t"
root@DD-WRT:~# nvram set vlan20ports="0t 5t"
root@DD-WRT:~# nvram set vlan30ports="0t 5t"
root@DD-WRT:~# nvram set vlan40ports="0t 5t"
root@DD-WRT:~# nvram set port0vlans="10 16 20 30 40"
root@DD-WRT:~# nvram set port5vlans="1 10 16 20 30 40"
root@DD-WRT:~# nvram set vlan10hwname=et0
root@DD-WRT:~# nvram set vlan20hwname=et0
root@DD-WRT:~# nvram set vlan30hwname=et0
root@DD-WRT:~# nvram set vlan40hwname=et0
root@DD-WRT:~# nvram commit


AFTER RECONFIGURATION
Code:
root@DD-WRT:~# nvram show | grep vlan.*ports | sort
size: 37104 bytes (28432 left)
vlan10ports=0 5t
vlan1ports=1 2 3 4 5*
vlan20ports=0t 5t
vlan2ports=0 5u
vlan30ports=0t 5t
vlan40ports=0t 5t
root@DD-WRT:~# nvram show | grep port.*vlans | sort
size: 37104 bytes (28432 left)
port0vlans=10 16 20 30 40
port1vlans=1
port2vlans=
port3vlans=
port4vlans=
port5vlans=1 10 16 20 30 40
root@DD-WRT:~# nvram show | grep vlan.*hwname | sort
size: 37104 bytes (28432 left)
vlan10hwname=et0
vlan1hwname=et0
vlan20hwname=et0
vlan2hwname=et0
vlan30hwname=et0
vlan40hwname=et0


Ran in SSH then copied to ADMINISTRATION->COMMANDS
Code:
vconfig add eth0 10
ifconfig vlan10 up
vconfig add eth0 20
ifconfig vlan20 up
vconfig add eth0 30
ifconfig vlan30 up
vconfig add eth0 40
ifconfig vlan40 up
ifconfig br1 192.168.20.1 netmask 255.255.255.0 up
ifconfig br2 192.168.30.1 netmask 255.255.255.0 up


Any clues? Newsboost, I've also tagged port 5 for vlan20, 30 and 40 as I think that I need to tell the processor that traffic is tagged. Again, no difference.
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

PostPosted: Thu Dec 12, 2019 6:05
I'm also a relative noob - from the first time I began reading about VLANs and I tried many things like you - until it actually worked - it took me maybe 2 years (reading on/off in the forums, only working on it in my spare time).

I think you're making progress and the last part seems ok to me. I'm happy you could use my suggestion(s). About this part:
geotux wrote:
I still seem to be struggling to route the traffic correctly.
I don't really understand exactly: What is it that is not working? Is it e.g. because (what I've done) you attach a device to an access port somewhere and you don't get an IP address because your DHCP-server is not doing anything?

Is it that you want your devices to be on e.g. 192.168.10.xx, 192.168.20.xx, 192.168.30.xx... (what I'm working on)?

Is the problem that your device on VLAN 10 can see VLAN 1-devices? I suspect the next part of what you need, is working with iptables, e.g. disallow traffic between VLAN 1/VLAN 10 etc... Or is it dnsmasq/DHCP or something else?
geotux
DD-WRT Novice


Joined: 31 Jul 2016
Posts: 11

PostPosted: Fri Dec 13, 2019 8:57
newsboost, I get what you are saying. I'm saying it's not working but I'm not saying what is not working. In short, nothing is working. On the pfSense DHCP log, there is no evidence that there is a request coming through to the DHCP server when I try to connect to one of the wireless VLANs. In fact, the device (laptop, mobile phone, etc.) just keeps hanging waiting for an IP to be assigned but it never gets it, no matter what VLAN I attempt to connect to (this is what I mean when I say that the routing seems to not be doing its job).

Note that on the DHCP server, I have configured it to assign IP addresses to the devices based on the MAC address so, for example, "I want you to assign 102.168.20.20 to Mobile Phone 1 with MAC xx:xx:xx:xx:xx, etc.", but this doesn't happen. It's as if dd-WRT is not routing the request for an IP to the DHCP server. I've got today off work to tackle this (I'm desperate to get my wifi working at home ... wife and kids are mad at me for breaking what was working)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Fri Dec 13, 2019 10:58
Consider starting with the R7000 as WAP, so taking its WAN port (and routing) out of the equation.

See: https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point

newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

PostPosted: Fri Dec 13, 2019 11:08
Ok, sorry, I understand. I have some of the same problems as you on my subnet, I also have problems debugging or figuring out exactly why clients don't have internet access (I need to improve my routing skills) or get a DHCP-supplied IP. For me, on my (2 router setup) secondary router I've figured out it helps me debugging by completely flushing the iptables-rules and allow all. The main router's firewall will block scanners from the internet so it's relatively safe. If that works, I re-enable iptables and look at the package-count. Next, my suggestion for you is: Have you tested if everything works if you manually set the ip address of e.g. your laptop (just to be sure it's not iptables, e.g. can you then access the LAN-devices, can you access the internet?). If the manual ip-assignment works, you've reduced the problem so you can focus on studying the dhcp-server. Is anything blocking ports 67,68 then? And so on, I try to see if that kind of "narrow-down"-approach works. Sorry I'm not very good at debugging DHCP-issues (but would like to become better, I also have issues) - I'll continue watching this thread, I hope to learn something also if you succeed (but I've been in a similar place as you and I also spend WAY too much time in my weekends, because I'm also not too experienced/proficient)
geotux
DD-WRT Novice


Joined: 31 Jul 2016
Posts: 11

PostPosted: Fri Dec 13, 2019 18:25
egc, do you mean that the WAN port (Port 0 on the R7000) should not be configured at all? I've been trying the whole afternoon with a setup that excludes Port 0 but I'm not getting far. This https://netosec.com/dd-wrt-wifi-vlans/ uses the WAN in the configuration.

But under the section of this page https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports#VLANs it says "Note: The WLAN is a separate interface from the switch and it does not support VLANs, although it can create virtual interfaces which are similar in some aspects"

Really confusing ...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Fri Dec 13, 2019 19:14
I took a quick look and these instructions also start with setting up the router as a WAP.
A WAP has no WAN interface; do not let that confuse you.
You can use that port as another LAN port and that is what they are doing.

WIFI does not support tagging but you can attach your wireless interface to a bridge which connects to your VLAN.

Just start your setup as a WAP just as in the instructions.

geotux
DD-WRT Novice


Joined: 31 Jul 2016
Posts: 11

PostPosted: Sat Dec 14, 2019 16:06
Hi,

I've stripped down to the bare basics. I wanted to understand if VLAN40 tagged packets could be sent to the LAN ports on the R7000 (VLAN10 is the management port on the CISCO SG300 and is marked as untagged on the trunk while VLAN40 is tagged on the Switch). The assumption was that if I could route these packets to the hardware port, then I would know that the packets are being routed properly. So I started from a reset on the R7000 (done this many times over the last 24 hrs).

Then followed this procedure:

a) Set "Disabled" for WAN Connection Type
b) Enabled "Assign WAN port to Switch" checkbox
c) Disabled DHCP
d) Disabled DNSMASQ
e) Disabled firewall
f) selected "Routing" for Operating Mode under "Advanced Routing"
g) assigned 192.168.40.10 to the LAN port on the Network Setup page of dd-wrt
h) Ran all the following on the SSH terminal.

nvram show | grep vlan.*ports | sort
vlan10ports=1u 2u 3u 4u 0t* 5t*
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
vlan40ports=1 2 3 4t 0t 5t
nvram show | grep port.*vlans | sort
port0vlans=10 40
port1vlans=40
port2vlans=40
port3vlans=40
port4vlans=40
port5vlans=10 16 40
nvram show | grep vlan.*hwname | sort
vlan10hwname=et0
vlan1hwname=et0
vlan2hwname=et0
vlan40hwname=et0


This is what I experience:
1) I can connect to the R7000 with my laptop setting the IP (192.168.40.11) to the same subnet as the LAN on the R7000
2) From the laptop, I can't get onto the internet (can't ping anything other than the local network and the laptop)
3) If I set the laptop to DHCP, no matter what port on the R7000 I connect it to, it fails to get an IP assigned from the pfSense unit.

Note that packet tagging must be working as I have 8 subnets assigned to the first 8 ports of my switch. My laptop on DHCP will get the correct subnet IP assigned when I connect it to the different ports e.g. 192.168.10.101 on Port 1, 192.168.20.101 on Port 2, etc. I'm about to throw my R7000 out of the window and get something a bit more professional like the Ubiquiti wifi or Ruckus unit. It'll cost me a bit but at least ...

Any thoughts?


Last edited by geotux on Sat Dec 14, 2019 18:44; edited 1 time in total
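An added consistency check for the nvram VLAN tables pasted in this post and in the earlier "AFTER RECONFIGURATION" listing. This is example code written for this thread, not DD-WRT's own tooling and not the poster's. It reads `nvram show`-style lines, derives the port/VLAN pairs from each `vlan<V>ports` variable and from each `port<P>vlans` variable, reports where the two tables disagree, and warns when a physical port sits untagged in more than one VLAN (the frames of every such VLAN leave that port untagged, which undoes the separation the VLANs were meant to give). Labelled assumptions: a `vlan<V>ports` token has the form `<port>[t|u][*]` (t tagged, u untagged, `*` the port's default VLAN, a bare number untagged); a `port<P>vlans` entry with no `vlan<V>ports` variable at all (the `16` in the thread's listings) is a port flag rather than a VLAN and is skipped; and port 5 is the R7000's CPU-facing switch port (the thread tags it "for the processor"), so it is exempt from the untagged-overlap warning. Both tables are not always mirrored in stock builds (the default listing earlier in the thread leaves `port0vlans` empty while `vlan2ports` still names port 0), so a MISMATCH is a pointer to look at, while the WARNING is the one with a security consequence. The first sample is the listing from this post; the second is a constructed consistent table.

```shell
#!/bin/sh
# Added example for this thread, not DD-WRT code: cross-check the Broadcom
# switch VLAN variables as printed by "nvram show". Lines that are neither
# vlan<V>ports= nor port<P>vlans= ("size:", "*hwname=") are ignored, so the
# raw "nvram show" output can be piped in unchanged.
#
# Assumptions (labelled): a vlan<V>ports token is <port>[t|u][*]; a
# port<P>vlans entry with no vlan<V>ports variable (16 in the thread) is a
# port flag and is skipped; port 5 is the CPU-facing port and is exempt from
# the untagged-overlap warning.
CPU_PORT=5

# Reads nvram lines on stdin, prints findings, returns 0 if consistent, 1 if not.
check_vlan_nvram() {
    from_vlans=""   # "port vlan" pairs taken from vlan<V>ports
    from_ports=""   # "port vlan" pairs taken from port<P>vlans
    untagged=""     # "port vlan" pairs where the port carries V untagged
    known_vlans=""  # VLAN ids that have a vlan<V>ports variable
    findings=0
    while IFS= read -r line; do
        case "$line" in
            vlan*ports=*)
                v=${line#vlan}; v=${v%%ports=*}
                known_vlans="$known_vlans $v"
                for tok in ${line#*=}; do
                    p=${tok%%[tu*]*}            # "0t*" -> 0, "5u" -> 5, "3" -> 3
                    from_vlans="${from_vlans}$p $v
"
                    case "$tok" in
                        *t*) ;;                 # tagged member
                        *) untagged="${untagged}$p $v
" ;;
                    esac
                done ;;
            port*vlans=*)
                p=${line#port}; p=${p%%vlans=*}
                for tok in ${line#*=}; do
                    from_ports="${from_ports}$p $tok
"
                done ;;
        esac
    done

    # 1) every port a VLAN claims must claim that VLAN back in port<P>vlans
    #    (here-docs keep the loop in this shell so the counter survives)
    while read -r p v; do
        [ -z "$p" ] && continue
        if ! printf '%s' "$from_ports" | grep -qx "$p $v"; then
            echo "MISMATCH: vlan${v}ports lists port $p but port${p}vlans does not list $v"
            findings=$((findings + 1))
        fi
    done <<EOF
$from_vlans
EOF

    # 2) every VLAN a port claims (and that really exists) must list the port back
    while read -r p v; do
        [ -z "$p" ] && continue
        case " $known_vlans " in
            *" $v "*) ;;
            *) continue ;;                      # no vlan<V>ports: a port flag such as 16
        esac
        if ! printf '%s' "$from_vlans" | grep -qx "$p $v"; then
            echo "MISMATCH: port${p}vlans lists $v but vlan${v}ports does not list port $p"
            findings=$((findings + 1))
        fi
    done <<EOF
$from_ports
EOF

    # 3) a physical port untagged in several VLANs emits all of them untagged
    for p in $(printf '%s' "$from_vlans" | awk '{ print $1 }' | sort -nu); do
        [ "$p" = "$CPU_PORT" ] && continue
        set -- $(printf '%s' "$untagged" | awk -v p="$p" '$1 == p { printf "%s ", $2 }')
        if [ $# -gt 1 ]; then
            echo "WARNING: port $p is untagged in more than one VLAN ($*)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Sample 1: the listing from the post above (VLAN 40 tagged on the trunk ports).
SAMPLE_NVRAM='vlan10ports=1u 2u 3u 4u 0t* 5t*
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
vlan40ports=1 2 3 4t 0t 5t
port0vlans=10 40
port1vlans=40
port2vlans=40
port3vlans=40
port4vlans=40
port5vlans=10 16 40'

# Sample 2: constructed consistent table, each access port untagged in one VLAN only.
CONSISTENT_NVRAM='vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
vlan20ports=0t 5t
port0vlans=2 20
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 20'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NVRAM" | check_vlan_nvram || echo "-> tables disagree"
    printf '%s\n' "$CONSISTENT_NVRAM" | check_vlan_nvram && echo "-> tables consistent"
fi
```

Run with `sh vlancheck.sh --demo` to see both samples; on the router itself, after sourcing the file, `nvram show | check_vlan_nvram` applies the same check to the live values. Against the listing from this post it reports that ports 1 to 4 are listed by vlan1ports and vlan10ports without listing those VLANs back, that vlan2 is not mirrored at all, and that ports 1 to 4 are each untagged in more than one VLAN.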
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

PostPosted: Sat Dec 14, 2019 18:00
Ok, I'm not an expert as I've written. But other people have helped me too in here and as I have something similar to your setup working, I'll try to help a bit more and feel qualified as my setup works and yours doesn't. First, I'm not completely sure if the part "nvram show | grep vlan.*ports | sort" is correct - but the other 2 output parts you showed are correct. What makes me think it's ok though is that you wrote you could assign a manual IP address to a laptop, and get internet access. So let's assume everything you wrote is set up correctly. As I understand you, you have a pfsense router as main router/gateway connected to your ISP, then you have a managed switch with untagged access ports and trunk ports tagged with the VLANs you wish to use, then finally you have your DDWRT router.

So, I would think it's safe to delete all firewall rules from the DDWRT-router, right? You have a firewall on the pfsense-device, to the WAN-side... Also you write that you can manually assign the IP (192.168.40.11) and from this, get onto the internet (can't ping anything other than the local and the laptop + DHCP doesn't work). IMHO this definitely sounds like a firewall problem. There is a much better way than the following (allow udp 67+68) but just to be completely sure, try logging in to the r7000 ddwrt router and allow all traffic:

Code:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

When I mess around with removing firewalls, I sometimes do external port-scanning, just to ensure that nothing is exposed to the internet - I normally use the "shields up"-service at https://www.grc.com/x/ne.dll?bh0bkyd2 - if you try this and you then get a DHCP-address from your laptop, just run the "shields up"-external port scan test so you know if it's safe or not to leave your router this way (if any ports are exposed, reboot to re-enable your firewall settings).

If this doesn't work, maybe something needs to be setup differently on the pfsense device (I don't know about these, so perhaps somebody else needs to help you then, sorry)...
geotux
DD-WRT Novice


Joined: 31 Jul 2016
Posts: 11

PostPosted: Sat Dec 14, 2019 18:46
Sorry mate, I meant I can't get on the internet. I edited and corrected my previous post.