Help! R7800 vlan setup failure

mrsean67 (DD-WRT Novice; joined 19 May 2020; 23 posts)
Posted: Mon Apr 19, 2021 4:10    Post subject: Help! R7800 vlan setup failure
Hey guys,

I really need your help!

I was trying to set up a separate vlan for some IP cameras and the PC that runs its cam software. I don't want the cameras to be able to get out to the internet, but I think I would like the computer to be able to, so I decided to let everything on the new vlan see the internet for now.

These are the connections on my R7800:
Physical port1 = switch port4 <---- Netgear smart switch
Physical port2 = switch port3 <---- empty
Physical port3 = switch port2 <---- printer
Physical port4 = switch port1 <---- empty
Physical WAN port = switch port0 <--- internet

I haven't touched the Netgear switch yet. I thought it best to start with the router.

I saw these instructions in the "R7800 and VLANS" thread here and I entered my version of them into the router:
-------
Copy text below and paste into the 'Administration/Commands' Command Shell window of GUI.

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 6"
swconfig dev switch0 vlan 97 set ports "4t 6t"
swconfig dev switch0 set apply
vconfig add eth1 97
ifconfig eth1.97 192.168.97.1 netmask 255.255.255.0
Click the 'Save Startup' button. The script will appear in the Startup window.

Copy text below and paste into the 'Administration/Commands' Command Shell window of GUI.
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE

Click the 'Save Firewall' button. The script will appear in the Firewall window. Without this Firewall script you cannot get internet access in the new vlan.

Reboot the router at the 'Administration/Management' tab at the bottom of the page.

Go to Setup/Networking tab and go to bottom of the page.
Click Add in the Multiple DHCP Server section
Select the new eth1.97. Save and Apply Settings. Reboot. (You may not need to reboot but I did.)

Go to Setup/Networking window of GUI to find the newly created interface Network Configuration vlan97 (shows as - Network Configuration eth1.97)
Click the 'unbridge' button associated with Network Configuration eth1.97
Masquerade / NAT should be Enabled
Net Isolation should be Enabled
Put in IP Address 192.168.97.1
Put in subnetmask 255.255.255.0
Click the 'Save' button at bottom of page.
Click the 'Apply Settings' button.
Reboot router
---------
When the router came back up, everything seemed ok, but I realized that I can no longer ping or RDP to anything connected to the Netgear switch from my wireless laptop, though I can reach the internet. Can someone please tell me where I went wrong?

EDIT: Computers attached directly to the smart switch can ping and connect to one another but they cannot ping the router or access the internet.
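A small checker, added here as an example and not code from the thread or from DD-WRT, that parses the `swconfig ... vlan N set ports "..."` lines of a startup script and reports, for each LAN port, which VLAN it is an untagged member of. Run over the command set posted above, it flags switch port 4 (physical port 1, where the Netgear smart switch is plugged in according to the port list) as tagged-only: VLAN 1 was set to ports "1 2 3 6", so untagged frames arriving on port 4 no longer belong to any VLAN. The second, constructed input keeps port 4 untagged in VLAN 1 while still tagging VLAN 97 on it; the checker treats that hybrid membership as valid, which is an assumption about the switch, not something the thread confirms. The physical-port mapping (physical = 5 minus switch port) is taken from the list posted above.

```python
import re
from collections import defaultdict

CPU_PORT = 6                 # switch port facing the router CPU (eth1) on the R7800
LAN_PORTS = (1, 2, 3, 4)     # switch ports behind the four physical LAN jacks
PORTS_RE = re.compile(r'swconfig\s+dev\s+\S+\s+vlan\s+(\d+)\s+set\s+ports\s+"([^"]*)"')

# Constructed input 1: the command set posted in the thread.
ORIGINAL = '''
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 6"
swconfig dev switch0 vlan 97 set ports "4t 6t"
swconfig dev switch0 set apply
'''

# Constructed input 2: same, but port 4 stays an untagged member of VLAN 1
# while VLAN 97 is tagged on it (assumed hybrid port; not from the thread).
HYBRID_PORT4 = ORIGINAL.replace('"1 2 3 6"', '"1 2 3 4 6"')


def physical_port(switch_port):
    """Map a LAN switch port to the number printed on the R7800 case (thread's list)."""
    return 5 - switch_port


def parse_vlans(script):
    """Return {vid: {port: tagged}} from the 'vlan N set ports' lines in script."""
    vlans = {}
    for vid, ports in PORTS_RE.findall(script):
        members = {}
        for tok in ports.split():
            members[int(tok.rstrip("t"))] = tok.endswith("t")
        vlans[int(vid)] = members
    return vlans


def membership(vlans):
    """Return (untagged, tagged): port -> list of VLAN ids the port belongs to."""
    untagged, tagged = defaultdict(list), defaultdict(list)
    for vid, members in vlans.items():
        for port, is_tagged in members.items():
            (tagged if is_tagged else untagged)[port].append(vid)
    return untagged, tagged


def check(script, lan_ports=LAN_PORTS):
    """Return a list of findings; an empty list means every LAN port has exactly
    one untagged VLAN and every VLAN reaches the CPU port."""
    vlans = parse_vlans(script)
    untagged, tagged = membership(vlans)
    findings = []
    for vid, members in sorted(vlans.items()):
        if CPU_PORT not in members:
            findings.append(f"vlan {vid}: CPU port {CPU_PORT} is not a member, the router cannot reach it")
    for port in lan_ports:
        where = f"switch port {port} (physical port {physical_port(port)})"
        if len(untagged[port]) > 1:
            findings.append(f"{where}: untagged in VLANs {untagged[port]}, PVID is ambiguous")
        elif not untagged[port] and tagged[port]:
            findings.append(f"{where}: tagged-only for VLANs {tagged[port]}; untagged frames "
                            "from a plain device or switch uplink here belong to no VLAN")
        elif not untagged[port]:
            findings.append(f"{where}: not a member of any VLAN")
    return findings


if __name__ == "__main__":
    for name, script in (("original", ORIGINAL), ("hybrid port 4", HYBRID_PORT4)):
        print(f"== {name} ==")
        for line in check(script) or ["no findings"]:
            print(" ", line)
```

Paste your own startup lines into `ORIGINAL` to run the same check against a different port layout; the script never talks to the switch, it only reasons about the membership the commands would configure.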
foz111 (DD-WRT Guru; joined 01 Oct 2017; 704 posts; location: Earth)
Posted: Mon Apr 19, 2021 7:35
If you can connect a device to the router's vlan port and get an IP in your vlan's range, that's working. You will need a managed switch or a separate switch to tag the trunk ports.
_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
mrsean67 (DD-WRT Novice; joined 19 May 2020; 23 posts)
Posted: Mon Apr 19, 2021 12:59
foz111 wrote:
If you can connect a device to the router's vlan port and get an IP in your vlan's range, that's working. You will need a managed switch or a separate switch to tag the trunk ports.

Hi foz111. I have a smart switch that is vlan-compatible. I did not continue with the switch configuration when I lost connectivity to everything attached to it after setting up the vlan on the router.

I will do the switch config now to see if the new vlan works. I hope that gets me access back to the devices that are outside of the vlan as well.
mrsean67 (DD-WRT Novice; joined 19 May 2020; 23 posts)
Posted: Mon Apr 19, 2021 15:20
I finished setting up vlan97 on the smart switch. I have a computer connected to that vlan that was set to grab a dhcp address which it successfully did, 192.168.97.116. However, that computer can reach the internet which is what I don't want.

More important than that, though, is that nothing on vlan1 and physically connected to the switch can get to the internet. My laptop, which is also on vlan1 but is using wifi, can see the internet but cannot ping or connect to any of the computers attached to the smart switch.

I think something might have gone wrong with the firewall script part, because there were a bunch of lines that disappeared once I added the iptables command and clicked on "Save Firewall".
Alozaros (DD-WRT Guru; joined 16 Nov 2015; 6408 posts; location: UK, London, just across the river..)
Posted: Mon Apr 19, 2021 17:00
try one of those rules

iptables -I FORWARD -i eth1.97 -o $(nvram get wan_iface) -p tcp -s xxx.xxx.xxx.xxx -j DROP

replace xxx.xxx.xxx.xxx with the IP that you don't want to reach the internet

or this rule for a more general cut-off; that one will cut off the internet for the whole vlan, but it will still have LAN access...

iptables -I FORWARD -i eth1.97 -o $(nvram get wan_iface) -j DROP

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
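To compare the two FORWARD rules above offline, here is an added example (not code from the thread or from DD-WRT) that models only what matters for the comparison: the first matching rule in the FORWARD chain decides, and `-I` puts the inserted rule ahead of the rest. The interface name eth1.97 follows the interface created earlier in the thread, eth0 stands in for `$(nvram get wan_iface)`, the camera address and destinations are constructed (192.168.97.116 is the address the thread reports for the PC), and the chain policy is taken as ACCEPT so that only the effect of the inserted rule shows. It also makes the `-p tcp` selector visible: the per-camera rule as written drops the camera's TCP sessions but leaves its UDP traffic (DNS, NTP) unmatched, while the interface-wide rule drops everything from the VLAN to the WAN, including the PC the thread wants to keep online.

```python
# Interface names are assumptions (eth0 stands in for $(nvram get wan_iface));
# addresses are constructed, except 192.168.97.116, which the thread reports.
WAN = "eth0"
CAM_VLAN = "eth1.97"
LAN_BRIDGE = "br0"
CAMERA = "192.168.97.50"
PC = "192.168.97.116"

# iptables -I FORWARD -i eth1.97 -o $WAN -p tcp -s 192.168.97.50 -j DROP
PER_CAMERA_TCP = [{"in": CAM_VLAN, "out": WAN, "proto": "tcp", "src": CAMERA, "target": "DROP"}]
# the same rule without -p tcp, so the camera's UDP traffic (DNS, NTP) is covered too
PER_CAMERA_ANY = [{"in": CAM_VLAN, "out": WAN, "src": CAMERA, "target": "DROP"}]
# iptables -I FORWARD -i eth1.97 -o $WAN -j DROP
WHOLE_VLAN = [{"in": CAM_VLAN, "out": WAN, "target": "DROP"}]


def matches(rule, pkt):
    """A rule matches when every selector it specifies equals the packet's value."""
    return all(pkt.get(k) == v for k, v in rule.items() if k != "target")


def forward_verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule in FORWARD wins; the chain policy applies otherwise.
    Policy ACCEPT is an assumption made so only the inserted rule's effect shows."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed traffic samples (203.0.113.0/24 is a documentation range).
SAMPLES = {
    "camera https to internet": {"in": CAM_VLAN, "out": WAN, "proto": "tcp", "src": CAMERA, "dst": "203.0.113.10"},
    "camera dns to internet": {"in": CAM_VLAN, "out": WAN, "proto": "udp", "src": CAMERA, "dst": "203.0.113.53"},
    "pc https to internet": {"in": CAM_VLAN, "out": WAN, "proto": "tcp", "src": PC, "dst": "203.0.113.10"},
    "camera to main lan": {"in": CAM_VLAN, "out": LAN_BRIDGE, "proto": "tcp", "src": CAMERA, "dst": "192.168.1.20"},
}

RULESETS = {"per-camera tcp": PER_CAMERA_TCP, "per-camera any": PER_CAMERA_ANY, "whole vlan": WHOLE_VLAN}


def compare():
    """Return {ruleset: {sample: verdict}} for every sample under every ruleset."""
    return {name: {label: forward_verdict(rules, pkt) for label, pkt in SAMPLES.items()}
            for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"== {name} ==")
        for label, verdict in verdicts.items():
            print(f"  {label:28} {verdict}")
```

The "camera to main lan" sample passes under all three rulesets because none of them matches `-o br0`; whether that traffic is actually allowed on a real DD-WRT box also depends on the Net Isolation setting and the rest of the FORWARD chain, which this model leaves out.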
mrsean67 (DD-WRT Novice; joined 19 May 2020; 23 posts)
Posted: Mon Apr 19, 2021 19:46
Thanks, Alozaros. I am going to have to postpone setting up vlans and revert back to where I started, because no one seems to know what went wrong and having the full network working is a priority; then maybe I'll play again.
Alozaros (DD-WRT Guru; joined 16 Nov 2015; 6408 posts; location: UK, London, just across the river..)
Posted: Mon Apr 19, 2021 20:30
mrsean67 wrote:
Thanks, Alozaros. I am going to have to postpone setting up vlans and revert back to where I started, because no one seems to know what went wrong and having the full network working is a priority; then maybe I'll play again.


it seems your setup is unnecessarily complicated by your approach...

If you just want to put those cameras on a bridge0 (br0) which will not have WAN, but only LAN...
then just use

iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s <ip of camera> -j DROP

if you want that on a Vlan
then create a vlan and add it to a bridge, then add those rules regarding the bridge and you are done...
...to have better control over vlans, they must be on a bridge (br1 for example)...

you can still tag that vlan port/switch port, if you want to tag ports on that corresponding switch...

if you can obtain an IP on that Vlan, then it's working ok...
I have a similar setup, for isolated IoT stuff, at home..
Well... I'm not using a tagged switch, as I don't need that; I just added a managed switch to isolate them on layer 2 so they will not communicate in-between... but still have internet on that Vlan...
Also I have all my cams on a different vlan, where they are all connected to another small WAP router whose internet is cut off by that rule I posted to you...

mrsean67 (DD-WRT Novice; joined 19 May 2020; 23 posts)
Posted: Mon Apr 19, 2021 21:45
Alozaros wrote:
if you want that on a Vlan
then create a vlan and add it to a bridge, then add those rules regarding the bridge and you are done...
...to have better control over vlans, they must be on a bridge (br1 for example)...

you can still tag that vlan port/switch port, if you want to tag ports on that corresponding switch...

This is what I would like to do, because there will be computers on the segment with the cameras. I am confused by the steps, though, as this is all new to me. I can figure out how to create a vlan, but the rest is "Greek" to me.

Can you spell it out for me in more detail?
mrsean67 (DD-WRT Novice; joined 19 May 2020; 23 posts)
Posted: Tue Apr 20, 2021 6:25
So I reset my router to factory settings and restored the backup that I created before attempting to create a vlan. Everything works fine, with the exception of no vlan97.

While waiting for your response, I decided to slowly retrace my previous steps to isolate where I lost internet or LAN connectivity. I have narrowed the problem down to occurring within these lines of code:

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 6"
swconfig dev switch0 vlan 97 set ports "4t 6t"
swconfig dev switch0 set apply
vconfig add eth1 97
ifconfig eth1.97 192.168.97.1 netmask 255.255.255.0

I also tried adding these lines but the problem persists:

brctl addif br0 eth1.97
ifconfig eth1.97 up
Alozaros (DD-WRT Guru; joined 16 Nov 2015; 6408 posts; location: UK, London, just across the river..)
Posted: Tue Apr 20, 2021 8:07
swconfig dev switch0 vlan 3 set vid 22

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 6"
swconfig dev switch0 vlan 97 set ports "4t 6t"
swconfig dev switch0 vlan 97 set vid 97
swconfig dev switch0 set apply
vconfig add eth1 97
ifconfig eth1.97 192.168.97.1 netmask 255.255.255.0
ifconfig eth1.97 up


did you get internet/connectivity on that port at all...??
do bear in mind that on the R7800 the ports are opposite: port 1 is physical port 4...
try to add those lines in bold... if this helps

mrsean67 (DD-WRT Novice; joined 19 May 2020; 23 posts)
Posted: Tue Apr 20, 2021 13:26
Alozaros wrote:
did you get internet/connectivity on that port at all...??
do bear in mind that on the R7800 the ports are opposite: port 1 is physical port 4...
try to add those lines in bold... if this helps


I don't know what port you are referring to.

Yes. I know about the port reversal on the router. I would not have got this far without that knowledge.

The new lines did not help.

Vlan97 always works as expected. The problem is that the creation of vlan97 causes vlan1 to act screwy, i.e. I cannot ping from wireless to wired devices connected to my smart switch, and those wired devices can no longer access the internet. As soon as I remove the code from startup and reboot, everything goes back to normal, just with no more vlan97.

Thanks for your time and attention.
Alozaros (DD-WRT Guru; joined 16 Nov 2015; 6408 posts; location: UK, London, just across the river..)
Posted: Tue Apr 20, 2021 13:52
well... otherwise, what is the point of having an isolated vlan??? To isolate them and not be able to ping your devices... isn't it...

You cannot ping your devices on that isolated vlan97 from vlan 1, as there is Net Isolation; if you want, turn it off.. but that makes no sense... to me...

If you don't have internet on that vlan, then check your DNS settings and so on; that may be the reason... as long as you obtain an IP, the vlan is working...
for more control, you have to assign vlan97 to a new bridge... and work with that bridge instead...

mrsean67 (DD-WRT Novice; joined 19 May 2020; 23 posts)
Posted: Tue Apr 20, 2021 16:12
Alozaros wrote:
well... otherwise, what is the point of having an isolated vlan??? To isolate them and not be able to ping your devices... isn't it...

You cannot ping your devices on that isolated vlan97 from vlan 1, as there is Net Isolation; if you want, turn it off.. but that makes no sense... to me...

If you don't have internet on that vlan, then check your DNS settings and so on; that may be the reason... as long as you obtain an IP, the vlan is working...
for more control, you have to assign vlan97 to a new bridge... and work with that bridge instead...


Sorry. I don't think I was clear. There is nothing wrong with vlan97, and I am not trying to ping devices on it from vlan1. As you said, what would be the point of all this?

What I meant to say is that wireless devices on vlan1 cannot ping or connect to wired devices on the same vlan (1) when vlan97 exists. Wired devices also lose internet access in this case. If I kill vlan97, then everything on vlan1 works fine.
foz111 (DD-WRT Guru; joined 01 Oct 2017; 704 posts; location: Earth)
Posted: Tue Apr 20, 2021 17:05
It may help if you post some screenshots (removing MAC addresses), and please keep within the forum rules: picture width 768 pixels wide.
Alozaros (DD-WRT Guru; joined 16 Nov 2015; 6408 posts; location: UK, London, just across the river..)
Posted: Tue Apr 20, 2021 17:33
mrsean67 wrote:
Alozaros wrote:
well... otherwise, what is the point of having an isolated vlan??? To isolate them and not be able to ping your devices... isn't it...

You cannot ping your devices on that isolated vlan97 from vlan 1, as there is Net Isolation; if you want, turn it off.. but that makes no sense... to me...

If you don't have internet on that vlan, then check your DNS settings and so on; that may be the reason... as long as you obtain an IP, the vlan is working...
for more control, you have to assign vlan97 to a new bridge... and work with that bridge instead...


Sorry. I don't think I was clear. There is nothing wrong with vlan97, and I am not trying to ping devices on it from vlan1. As you said, what would be the point of all this?

What I meant to say is that wireless devices on vlan1 cannot ping or connect to wired devices on the same vlan (1) when vlan97 exists. Wired devices also lose internet access in this case. If I kill vlan97, then everything on vlan1 works fine.


Do you, by any chance, have AP isolation enabled in the WiFi menu...?
as I said, for better control, you must assign that vlan to a bridge... as sometimes it can play funny

All times are GMT