swconfig dev switch0 set enable_vlan 1 #### what is the purpose of this command and why does it only apply to VLAN 1?? I saw in other threads that VLAN 2 and 3 were also assigned, but I don't get the point of it.
swconfig dev switch0 vlan 1 set ports "0t 2t 3 4 5" #### this is clear: 0t (CPU port, tagged/trunked), 2t = trunked Port 1; 3 4 5 (Port 2 3 4 = not tagged/trunked)
swconfig dev switch0 vlan 1 set vid 1 ### what is vid? Is this the VLAN ID which the packets get tagged with?
swconfig dev switch0 vlan 9 set ports "0t 2t" ### VLAN9 gets its trunk port on Port 1 (2t)
swconfig dev switch0 vlan 9 set vid 9 ### same as above: what is vid and why 9? Is this the VLAN ID which the packets get tagged with?
swconfig dev switch0 vlan 10 set ports "0t 2t" #### same as above: VLAN10 gets its trunk port on Port 1 (2t)
swconfig dev switch0 vlan 10 set vid 10 ### same as above: what is vid and why 10? Is this the VLAN ID which the packets get tagged with?
swconfig dev switch0 set apply ### apply settings to switch
vconfig add eth0 9 ### what does this line do?
vconfig add eth0 10 #### same here?
ifconfig vlan9 up ### activate vlan9?
ifconfig vlan10 up ### activate vlan10?
ifconfig vlan9 txqueuelen 1000 #### absolutely no idea?
ifconfig vlan10 txqueuelen 1000 #### absolutely no idea?
ifconfig vlan9 192.168.109.2 netmask 255.255.255.0 #### I think this is what is usually done in the Setup/Networking tab of the web UI?
ifconfig vlan10 192.168.110.2 netmask 255.255.255.0 ### same here?
brctl addif br1 vlan9 ### add vlan9 to br1?
brctl addif br2 vlan10 ### add vlan10 to br1?
ifconfig br1 txqueuelen 1000 #### absolutely no idea?
ifconfig br2 txqueuelen 1000 #### absolutely no idea?
Could anybody be so kind as to explain my open questions?
thanks in advance
BR Tom _________________ VLANs, Wireguard Site to Site, OpenVPN Client, WDS
TP-Link Archer C7 V4, V5
TP-Link Archer A7 V5
TP-Link WR1043 V4
Unifi UAP-AC-M
VLANs are working on the Gateway (Archer C7 - r44406) and on my WAP (WR1043 - r46069)
Configuration on the C7
Code:
# VLAN Configuration Archer C7 BEGIN
#Enable VLANs "1"
swconfig dev switch0 set enable_vlan 1
#Setup Switch Ports
#Port0: Processor
#Port1: WAN
#Port2-5: LAN
#Primary VLAN 1
swconfig dev switch0 vlan 1 set ports "0t 2t 3 4 5"
swconfig dev switch0 vlan 1 set vid 1
#VLAN200 VPN
swconfig dev switch0 vlan 200 set ports "0t 2t"
swconfig dev switch0 vlan 200 set vid 200
#VLAN300 GUEST
swconfig dev switch0 vlan 300 set ports "0t 2t"
swconfig dev switch0 vlan 300 set vid 300
#VLAN400 IoT
swconfig dev switch0 vlan 400 set ports "0t 2t"
swconfig dev switch0 vlan 400 set vid 400
#Apply VLAN Settings to switch0
swconfig dev switch0 set apply
#add VLANs to eth0
vconfig add eth0 200
vconfig add eth0 300
vconfig add eth0 400
#activate VLANs
ifconfig vlan200 up
ifconfig vlan300 up
ifconfig vlan400 up
#setup TX Queue Length to 1000 (Gigabit)
ifconfig vlan200 txqueuelen 1000
ifconfig vlan300 txqueuelen 1000
ifconfig vlan400 txqueuelen 1000
#add IP subnets to VLANs
ifconfig vlan200 192.168.20.1 netmask 255.255.255.0
ifconfig vlan300 192.168.30.1 netmask 255.255.255.0
ifconfig vlan400 192.168.40.1 netmask 255.255.255.0
#bridge VLANs to existing bridges
brctl addif br20 vlan200
brctl addif br30 vlan300
brctl addif br40 vlan400
#setup TX Queue Length to 1000 (Gigabit)
ifconfig br20 txqueuelen 1000
ifconfig br30 txqueuelen 1000
ifconfig br40 txqueuelen 1000
# VLAN Configuration Archer C7 END
Configuration WR1043
Code:
# VLAN Configuration WR1043ND_V4 BEGIN
#Enable VLANs "1"
swconfig dev switch0 set enable_vlan 1
#Setup Switch Ports
#Port0: Processor
#Port5: WAN
#Port1-4: LAN
#Primary VLAN 1
swconfig dev switch0 vlan 1 set ports "0t 1 2 3 4t"
swconfig dev switch0 vlan 1 set vid 1
#VLAN200 VPN
swconfig dev switch0 vlan 200 set ports "0t 4t"
swconfig dev switch0 vlan 200 set vid 200
#VLAN300 GUEST
swconfig dev switch0 vlan 300 set ports "0t 4t"
swconfig dev switch0 vlan 300 set vid 300
#VLAN400 IoT
swconfig dev switch0 vlan 400 set ports "0t 4t"
swconfig dev switch0 vlan 400 set vid 400
#Apply VLAN Settings to switch0
swconfig dev switch0 set apply
#add VLANs to eth0
vconfig add eth0 200
vconfig add eth0 300
vconfig add eth0 400
#activate VLANs
ifconfig vlan200 up
ifconfig vlan300 up
ifconfig vlan400 up
#setup TX Queue Length to 1000 (Gigabit)
ifconfig vlan200 txqueuelen 1000
ifconfig vlan300 txqueuelen 1000
ifconfig vlan400 txqueuelen 1000
#add IP subnets to VLANs
ifconfig vlan200 192.168.20.1 netmask 255.255.255.0
ifconfig vlan300 192.168.30.1 netmask 255.255.255.0
ifconfig vlan400 192.168.40.1 netmask 255.255.255.0
#bridge VLANs to existing bridges
brctl addif br20 vlan200
brctl addif br30 vlan300
brctl addif br40 vlan400
#setup TX Queue Length to 1000 (Gigabit)
ifconfig br20 txqueuelen 1000
ifconfig br30 txqueuelen 1000
ifconfig br40 txqueuelen 1000
# VLAN Configuration WR1043ND_V4 END
Bridges BR20, 30, 40 created in the networking tab both on the C7 and the 1043
Bridges assigned to WiFi VAPs: BR20 to VPN, BR30 to Guest NW, BR40 to IoT NW on the C7 and the 1043
DHCP assignment works on the C7 and also on the 1043; the 1043 is configured as DHCP forwarder, so IPs are assigned by the Gateway (C7)
I get internet access on all VAPs of the C7 (bridged & unbridged) and on the main WiFi of the 1043; on the unbridged WiFi interfaces (VPN, GUEST, IoT) I don't get internet access.
What do I need to do to enable internet access on the unbridged VAPs of the WAP (1043)?
Next thing: can anyone give me an iptables example? I want to block access from GUEST to MAIN_NW and IoT to MAIN_NW, but I want access from Main_NW to GUEST and IoT.
Thanks in advance!
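An added example, not code from the thread, that serves both the questions in the first post and the C7 configuration above: it parses the swconfig `vlan N set ports` lines, derives each switch port's role (a trailing `t` means frames leave that port with an 802.1Q tag, and the `vid` is the VLAN ID carried in that tag) and flags ports that are untagged members of more than one VLAN, since a switch can assign only one ingress VID to untagged frames. The input block is the C7 lines copied from the post; the port-role names are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: the "set ports" lines from the Archer C7 block above.
ARCHER_C7_VLANS = """
swconfig dev switch0 vlan 1 set ports "0t 2t 3 4 5"
swconfig dev switch0 vlan 200 set ports "0t 2t"
swconfig dev switch0 vlan 300 set ports "0t 2t"
swconfig dev switch0 vlan 400 set ports "0t 2t"
"""

PORTS_RE = re.compile(r'swconfig dev \S+ vlan (\d+) set ports "([^"]*)"')

def parse_vlans(text):
    """Return {vid: {port: tagged}} from swconfig 'vlan N set ports' lines.
    A trailing 't' means the port sends that VLAN's frames with an 802.1Q tag."""
    vlans = {}
    for vid, ports in PORTS_RE.findall(text):
        vlans[int(vid)] = {int(p.rstrip("t")): p.endswith("t") for p in ports.split()}
    return vlans

def port_roles(vlans):
    """Classify each port: 'trunk' (every membership tagged), 'access'
    (exactly one untagged VLAN, nothing tagged) or 'hybrid' (anything else)."""
    per_port = defaultdict(dict)
    for vid, members in vlans.items():
        for port, tagged in members.items():
            per_port[port][vid] = tagged
    roles = {}
    for port, memb in per_port.items():
        tagged = sorted(v for v, t in memb.items() if t)
        untagged = sorted(v for v, t in memb.items() if not t)
        if len(untagged) == 1 and not tagged:
            roles[port] = ("access", untagged)
        elif tagged and not untagged:
            roles[port] = ("trunk", tagged)
        else:
            roles[port] = ("hybrid", sorted(memb))
    return roles

def pvid_conflicts(vlans):
    """Ports untagged in more than one VLAN: untagged ingress frames can only be
    assigned a single VID, so such a port is misconfigured."""
    return sorted(p for p, (role, vids) in port_roles(vlans).items()
                  if role == "hybrid" and sum(not vlans[v][p] for v in vids) > 1)

if __name__ == "__main__":
    cfg = parse_vlans(ARCHER_C7_VLANS)
    for port, (role, vids) in sorted(port_roles(cfg).items()):
        print(f"port {port}: {role} VLANs {vids}")
    print("PVID conflicts:", pvid_conflicts(cfg))
```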
Joined: 04 Aug 2018 Posts: 1444 Location: Appalachian mountains, USA
Posted: Tue Mar 23, 2021 15:55
tomron wrote:
What do I need to do to enable Internet Access on the unbridged VAPs of the WAP (1043)
If you are using "unbridged VAP" the standard (here) way to mean a wifi-only virtual access point, have a look at the third post of thread https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217070. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Thanks for your guide, which maybe brought me to the root cause.
SurprisedItWorks wrote:
check Unbridged for Network Configuration, and check Masquerade/NAT so your clients can reach the internet.
But then on the WR1043 V4 (r46069) I didn't find this option to activate Masquerade/NAT, whereas on the C7, which is r44406, this option is available and enabled and also working as proposed....
Joined: 04 Aug 2018 Posts: 1444 Location: Appalachian mountains, USA
Posted: Wed Mar 24, 2021 14:53
No NAT button! That's interesting. Out of curiosity, if you are in a CLI window (ssh, PuTTy), does nvram get wlan0.1_nat return a value?
There is no NAT button if there is no WAN (WAN disabled) as that would be useless.
I assume this is a WAP with WAN disabled?
Hi egc
No, it was set to Automatic DHCP, but I disabled it now.
I fiddled with this setting and now it seems to forward the internet connection to the WAP's bridges br20, br30 and br40, so this actually works now.
I implemented this iptables rule set, but there are some things which are not working as expected
Code:
# Firewall Configuration BEGIN
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
# deny IoT network access to any other networks
iptables -I FORWARD -i br40 -o br+ -j DROP
# deny GUEST network access to any other networks
iptables -I FORWARD -i br30 -o br+ -j DROP
# allow Main VPN network access to any other networks
iptables -I FORWARD -i br20 -o br+ -j ACCEPT
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Firewall Configuration END
so basically I can access the main Gateway/Router through all bridges: br0 (main), br20 (main+vpn), br30 (guest) and br40 (IoT)
br30 and br40 should not have access to any other network; I think this should be clear in this section
Code:
# deny IoT network access to any other networks
iptables -I FORWARD -i br40 -o br+ -j DROP
# deny GUEST network access to any other networks
iptables -I FORWARD -i br30 -o br+ -j DROP
but I can still access the main Gateway from both networks, and, out of curiosity, through br40 I can also access the WAP, whereas on br30 I cannot.
The NAS and the PI can only be accessed by br0 and br20, as supposed
Code:
# allow Main VPN network access to any other networks
iptables -I FORWARD -i br20 -o br+ -j ACCEPT
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
Thanks in advance
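As an added example (not code from the thread), this replays the posted FORWARD rules in the order iptables actually ends up with, since each `-I` pushes the earlier rules down, and evaluates a few flows between the bridges against the result. Keep in mind that FORWARD only sees packets routed between two interfaces; a packet addressed to one of the router's own IPs goes through INPUT, which these rules do not touch, so the gateway itself staying reachable from br30 and br40 is consistent with this chain. The bridge names and rules are copied from the post; the state handling and the "(policy)" fallthrough are simplifications of this example.

```python
def parse_rule(tokens):
    """Keep only the matches this ruleset uses: -i, -o, --state and the -j target."""
    rule = {"-i": None, "-o": None, "--state": None, "-j": None}
    for flag, value in zip(tokens, tokens[1:]):
        if flag in rule:
            rule[flag] = set(value.split(",")) if flag == "--state" else value
    return rule

def build_chain(cmds):
    """Replay 'iptables <op> FORWARD <spec>' commands: -I inserts at the top,
    -D removes the first identical rule (a no-op if absent, as with real iptables)."""
    chain = []
    for cmd in cmds:
        argv = cmd.split()
        op, rule = argv[1], parse_rule(argv[3:])
        if op == "-I":
            chain.insert(0, rule)
        elif op == "-D" and rule in chain:
            chain.remove(rule)
    return chain

def iface_match(pattern, iface):
    """None matches any interface; a trailing '+' is iptables' prefix wildcard."""
    if pattern is None:
        return True
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def verdict(chain, in_if, out_if, state="NEW"):
    """First matching rule wins; '(policy)' means no rule matched and the chain policy decides."""
    for r in chain:
        if (iface_match(r["-i"], in_if) and iface_match(r["-o"], out_if)
                and (r["--state"] is None or state in r["--state"])):
            return r["-j"]
    return "(policy)"

# Constructed input: the rules from the post above, in the order they were typed.
POSTED_RULES = [
    "iptables -I FORWARD -i br+ -o br+ -j DROP",
    "iptables -I FORWARD -i br40 -o br+ -j DROP",
    "iptables -I FORWARD -i br30 -o br+ -j DROP",
    "iptables -I FORWARD -i br20 -o br+ -j ACCEPT",
    "iptables -I FORWARD -i br0 -o br+ -j ACCEPT",
    "iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
]

if __name__ == "__main__":
    chain = build_chain(POSTED_RULES)
    for flow in [("br30", "br0"), ("br0", "br30"), ("br40", "br20"), ("br30", "vlan2")]:
        print(flow, "->", verdict(chain, *flow))
```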