Another VLAN Tagging/Trunking Thread C7 Gateway - WR1043 WAP

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Thu Mar 18, 2021 17:32
tomron wrote:
is this still true that VLANs are limited up to 127?


You can create 127 VLANs, but use all 4096 vids.
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Thu Mar 18, 2021 18:11
Can somebody explain the following sections of this script to me?


source thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1219973

Port0: Processor
Port1: WAN
Port2-5: LAN

swconfig dev switch0 set enable_vlan 1 #### what is the purpose of this command and why does it only apply to VLAN 1?? I saw in other threads that VLAN 2 and 3 were also assigned but I don't get the point of it.
swconfig dev switch0 vlan 1 set ports "0t 2t 3 4 5" #### this is clear 0t (cpu port tagged/trunked) 2t= trunked Port 1; 3 4 5 (Port 2 3 4 = not tagged/trunked)
swconfig dev switch0 vlan 1 set vid 1 ### what is vid? is this the VLAN ID which the packets get tagged with?
swconfig dev switch0 vlan 9 set ports "0t 2t" ### VLAN9 gets its Trunk Port to Port 1 (2t)
swconfig dev switch0 vlan 9 set vid 9 ### same as above what is vid and why 9? is this the VLAN ID which the packets get tagged with?
swconfig dev switch0 vlan 10 set ports "0t 2t" #### same as above VLAN10 gets its Trunk Port to Port 1 (2t)
swconfig dev switch0 vlan 10 set vid 10 ### same as above what is vid and why 10? is this the VLAN ID which the packets get tagged with?
swconfig dev switch0 set apply ### apply settings to switch

vconfig add eth0 9 ### what does this line do?
vconfig add eth0 10 #### same here?

ifconfig vlan9 up ### activate vlan9?
ifconfig vlan10 up ### activate vlan10?

ifconfig vlan9 txqueuelen 1000 #### absolutely no idea?
ifconfig vlan10 txqueuelen 1000 #### absolutely no idea?
ifconfig vlan9 192.168.109.2 netmask 255.255.255.0 #### I think this is what is usually done in the Setup/Networking tab of the web UI?
ifconfig vlan10 192.168.110.2 netmask 255.255.255.0 ### same here?

brctl addif br1 vlan9 ### add vlan9 to br1?
brctl addif br2 vlan10 ### add vlan10 to br1?
ifconfig br1 txqueuelen 1000 #### absolutely no idea?
ifconfig br2 txqueuelen 1000 #### absolutely no idea?



Could anybody be so kind as to explain my open questions?
Thanks in advance,
BR Tom

_________________
VLANs, Wireguard Site to Site, OpenVPN Client, WDS
TP-Link Archer C7 V4, V5
TP-Link Archer A7 V5
TP-Link WR1043 V4
Unifi UAP-AC-M
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Thu Mar 18, 2021 18:13
Per Yngve Berg wrote:
tomron wrote:
is this still true that VLANs are limited up to 127?


You can create 127 VLANs, but use all 4096 vids.


ok, thanks, now I got that :D
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Mon Mar 22, 2021 14:04
Hello

VLANs are working on the Gateway (Archer C7 - r44406) and on my WAP (WR1043 - r46069)

Configuration on the C7

Code:
#   VLAN Configuration Archer C7 BEGIN
#Enable VLANs "1"
swconfig dev switch0 set enable_vlan 1
#Setup Switch Ports
#Port0: Processor
#Port1: WAN
#Port2-5: LAN
#Primary VLAN 1
swconfig dev switch0 vlan 1 set ports "0t 2t 3 4 5"
swconfig dev switch0 vlan 1 set vid 1
#VLAN200 VPN
swconfig dev switch0 vlan 200 set ports "0t 2t"
swconfig dev switch0 vlan 200 set vid 200
#VLAN300 GUEST
swconfig dev switch0 vlan 300 set ports "0t 2t"
swconfig dev switch0 vlan 300 set vid 300
#VLAN400 IoT
swconfig dev switch0 vlan 400 set ports "0t 2t"
swconfig dev switch0 vlan 400 set vid 400
#Apply VLAN Settings to switch0
swconfig dev switch0 set apply
#add VLANs to eth0
vconfig add eth0 200
vconfig add eth0 300
vconfig add eth0 400
#activate VLANs
ifconfig vlan200 up
ifconfig vlan300 up
ifconfig vlan400 up
#setup  TX Queue Length to 1000 (Gigabit)
ifconfig vlan200 txqueuelen 1000
ifconfig vlan300 txqueuelen 1000
ifconfig vlan400 txqueuelen 1000
#add IP subnets to VLANs
ifconfig vlan200 192.168.20.1 netmask 255.255.255.0
ifconfig vlan300 192.168.30.1 netmask 255.255.255.0
ifconfig vlan400 192.168.40.1 netmask 255.255.255.0
#bridge VLANs to existing bridges
brctl addif br20 vlan200
brctl addif br30 vlan300
brctl addif br40 vlan400
#setup  TX Queue Length to 1000 (Gigabit)
ifconfig br20 txqueuelen 1000
ifconfig br30 txqueuelen 1000
ifconfig br40 txqueuelen 1000
#   VLAN Configuration Archer C7 END


Configuration WR1043

Code:

#   VLAN Configuration WR1043ND_V4 BEGIN
#Enable VLANs "1"
swconfig dev switch0 set enable_vlan 1
#Setup Switch Ports
#Port0: Processor
#Port5: WAN
#Port1-4: LAN
#Primary VLAN 1
swconfig dev switch0 vlan 1 set ports "0t 1 2 3 4t"
swconfig dev switch0 vlan 1 set vid 1
#VLAN200 VPN
swconfig dev switch0 vlan 200 set ports "0t 4t"
swconfig dev switch0 vlan 200 set vid 200
#VLAN300 GUEST
swconfig dev switch0 vlan 300 set ports "0t 4t"
swconfig dev switch0 vlan 300 set vid 300
#VLAN400 IoT
swconfig dev switch0 vlan 400 set ports "0t 4t"
swconfig dev switch0 vlan 400 set vid 400
#Apply VLAN Settings to switch0
swconfig dev switch0 set apply
#add VLANs to eth0
vconfig add eth0 200
vconfig add eth0 300
vconfig add eth0 400
#activate VLANs
ifconfig vlan200 up
ifconfig vlan300 up
ifconfig vlan400 up
#setup  TX Queue Length to 1000 (Gigabit)
ifconfig vlan200 txqueuelen 1000
ifconfig vlan300 txqueuelen 1000
ifconfig vlan400 txqueuelen 1000
#add IP subnets to VLANs
ifconfig vlan200 192.168.20.1 netmask 255.255.255.0
ifconfig vlan300 192.168.30.1 netmask 255.255.255.0
ifconfig vlan400 192.168.40.1 netmask 255.255.255.0
#bridge VLANs to existing bridges
brctl addif br20 vlan200
brctl addif br30 vlan300
brctl addif br40 vlan400
#setup  TX Queue Length to 1000 (Gigabit)
ifconfig br20 txqueuelen 1000
ifconfig br30 txqueuelen 1000
ifconfig br40 txqueuelen 1000
#   VLAN Configuration WR1043ND_V4 END



Bridges BR20, 30, 40 created in the networking tab both on the C7 and 1043
Bridges assigned to WiFi VAPs: BR20 to VPN, BR30 to Guest NW, BR40 to IoT NW on the C7 and the 1043

DHCP assignment works on the C7 and also on the 1043; the 1043 is configured as DHCP forwarder, so IPs are assigned by the Gateway (C7)

I get internet access on all VAPs of the C7 (bridged & unbridged) and on the main WiFi of the 1043; on the unbridged WiFi interfaces (VPN, GUEST, IoT) I don't get internet access.

What do I need to do to enable Internet Access on the unbridged VAPs of the WAP (1043)?


Next thing: can anyone give me an iptables example? I want to block access from GUEST to MAIN_NW and IoT to MAIN_NW, but I want access from Main_NW to GUEST and IoT.

Thanks in advance!

tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Tue Mar 23, 2021 12:04
anyone?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Tue Mar 23, 2021 12:40
I will transfer your question to the advanced networking forum

These are examples from @eibgrad:
https://pastebin.com/r4u62P0B

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Tue Mar 23, 2021 15:55
tomron wrote:
What do I need to do to enable Internet Access on the unbridged VAPs of the WAP (1043)

If you are using "unbridged VAP" the standard (here) way to mean a wifi-only virtual access point, have a look at the third post of thread https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217070.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Tue Mar 23, 2021 20:22
SurprisedItWorks wrote:
tomron wrote:
What do I need to do to enable Internet Access on the unbridged VAPs of the WAP (1043)

If you are using "unbridged VAP" the standard (here) way to mean a wifi-only virtual access point, have a look at the third post of thread https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217070.


Thanks for your guide, which maybe brought me to the root cause.

SurprisedItWorks wrote:
check Unbridged for Network Configuration, and check Masquerade/NAT so your clients can reach the internet.


But then on the WR1043 V4 (r46069) I didn't find this option to activate Masquerade/NAT, whereas on the C7, which is r44406, this option is available and enabled and also working as proposed....

C7: [screenshot]

WR1043: [screenshot]

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Wed Mar 24, 2021 14:53
No NAT button! That's interesting. Out of curiosity, if you are in a CLI window (ssh, PuTTY), does nvram get wlan0.1_nat return a value?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Mar 24, 2021 15:08
There is no NAT button if there is no WAN (WAN disabled), as that would be useless.

I assume this is a WAP with WAN disabled? :)
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Wed Mar 24, 2021 15:12
SurprisedItWorks wrote:
No NAT button! That's interesting. Out of curiosity, if you are in a CLI window (ssh, PuTTy), does nvram get wlan0.1_nat return a value?



tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Tue Mar 30, 2021 16:18
egc wrote:
There is no NAT button if there is no WAN (WAN disabled) as that would be useless.

I assume this is a WAP with WAN disabled ? Smile


Hi egc,

No, it was set to Automatic DHCP, but I disabled it now.

I fiddled with this setting and now it seems to forward the internet connection to the WAP's bridges br20, br30 and br40, so this actually works now.

I implemented this iptables rule set, but there are some things which are not working as expected.

Code:
#   Firewall Configuration BEGIN
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
# deny IoT network access to any other networks
iptables -I FORWARD -i br40 -o br+ -j DROP
# deny GUEST network access to any other networks
iptables -I FORWARD -i br30 -o br+ -j DROP
# allow Main VPN network access to any other networks
iptables -I FORWARD -i br20 -o br+ -j ACCEPT
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#   Firewall Configuration END


So basically I can access the main Gateway/Router through all bridges: br0 (main), br20 (main+vpn), br30 (guest) and br40 (IoT).

br30 and br40 should not have access to any other network; I think this should be clear in this section:
Code:
# deny IoT network access to any other networks
iptables -I FORWARD -i br40 -o br+ -j DROP
# deny GUEST network access to any other networks
iptables -I FORWARD -i br30 -o br+ -j DROP


But I still can access the main Gateway from both networks, and out of curiosity, through br40 I can also access the WAP, whereas on br30 not.
The NAS and the Pi can only be accessed by br0 and br20, as supposed:
Code:
# allow Main VPN network access to any other networks
iptables -I FORWARD -i br20 -o br+ -j ACCEPT
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain




Thanks in advance

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Tue Mar 30, 2021 16:55
You don't have any rules in the INPUT chain that block access to the router itself.
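An added example, not a script from the thread or from DD-WRT, of the INPUT-chain rules Per Yngve Berg refers to, answering the earlier request for an iptables example: for the gateway's GUEST (br30) and IoT (br40) bridges, clients still get DHCP and DNS from the router, and everything else aimed at the router itself is dropped. It assumes dnsmasq serves DHCP/DNS on those bridges; the IPT variable and the restrict_input function are names chosen here.

```shell
#!/bin/sh
# Added example (not the thread's own script): INPUT-chain rules for the C7 so
# the GUEST (br30) and IoT (br40) bridges cannot reach the router's own services
# (web UI, ssh, ...) while DHCP and DNS from dnsmasq keep working.
# IPT is an assumed knob: it defaults to iptables; set IPT=echo to dry-run.
IPT="${IPT:-iptables}"

# Each -I puts its rule on top of the chain, so the inserts are written in
# reverse order: the catch-all DROP goes in first and ends up at the bottom of
# this group, the RELATED/ESTABLISHED accept goes in last and ends up on top.
restrict_input() {
    br="$1"
    # Anything else from this bridge to the router itself is dropped.
    "$IPT" -I INPUT -i "$br" -j DROP
    # DNS (dnsmasq), TCP as well as UDP.
    "$IPT" -I INPUT -i "$br" -p tcp --dport 53 -j ACCEPT
    "$IPT" -I INPUT -i "$br" -p udp --dport 53 -j ACCEPT
    # DHCP requests (client port 68 -> server port 67).
    "$IPT" -I INPUT -i "$br" -p udp --sport 68 --dport 67 -j ACCEPT
    # Replies to connections the router itself started.
    "$IPT" -I INPUT -i "$br" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Apply to both isolated bridges only when invoked as: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    restrict_input br30
    restrict_input br40
fi
```

These rules complement the FORWARD rules already posted (which only govern traffic passing through the router); they go in the same firewall script, and since they use -I they land above DD-WRT's own INPUT rules.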