Help! R7800 vlan setup failure

DD-WRT Forum Index -> Atheros WiSOC based Hardware (page 2 of 3)
Author Message
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Wed Apr 21, 2021 5:59
No. I am not using AP Isolation.

So I decided to upgrade my router from r43192 to r46069. I then entered only the basic LAN/Wi-Fi info and Active Clients looked like the "Active Clients" screenshot. Next, I did the same vlan97 configuration that I mentioned at the beginning of this thread. That result is the "Active Clients with vlan97 configured" screenshot.

A lot of things attached to my Netgear smart switch disappear off the network after the new vlan is configured like my Tivo (192.68.7.40) and DVD player (192.168.7.133).
Everything on wireless and my Plex server (192.168.7.220) remains after the vlan97 is created but it does not reply to pings and cannot be connected to via RDP.

Everything goes back to normal when vlan97 is removed. I think my trunking switch port4 (physical 1) is killing the connection between the router and the smart switch for everything with the exception of the one computer in vlan97. The ip cameras have not been configured as of yet.

Moderator edit 04.42.2021: Please refer to the forum rules and guidelines regarding image sizes. There is also an announcement in THIS forum regarding image sizes. Maximum width for attached images is 768 pixels wide. If you must have higher-resolution images, use an image hosting site. Thank you.
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 707
Location: Earth

PostPosted: Wed Apr 21, 2021 8:44
Are you using the Netgear ProSAFE Plus configuration utility to configure your switch?
If so, with my switches anyway, I have to select 802.1Q > Advanced.
I had issues giving mine a VLAN ID of 53 or whatever I originally used; I ended up using VLAN ID 3. See below for my router settings (with a bridge).
Make the VLAN ID in the switch 03.
Remove the ports you want to use from VLAN 1 in the switch (by removing U).
Assign/tag the trunk port (from router to switch) (T, group 03), and assign the ports on the switch you want to use for the VLAN group (U).
In my pics I have port 8 tagged coming in from the router and use port 7 for the VLAN out; everything else is being used by group 1, VLAN 1.

Router config
# Turn on 802.1Q VLAN handling in the R7800 switch
swconfig dev switch0 set enable_vlan 1
# VLAN 1: LAN ports 1-3 untagged plus the CPU port 6
swconfig dev switch0 vlan 1 set ports "1 2 3 6"
# VLAN 3: port 4 untagged, CPU port 6 tagged
swconfig dev switch0 vlan 3 set ports "4 6t"
swconfig dev switch0 set apply
# Create the VLAN 3 sub-interface on eth1 and add it to bridge br1
vconfig add eth1 3
brctl addif br1 eth1.3
# Bounce the interface so the bridge picks it up
ifconfig eth1.3 down
ifconfig eth1.3 up

Pics of switch config
https://ibb.co/Kr7vQbm
https://ibb.co/KDG5Nfd
https://ibb.co/j9tjqj7
https://ibb.co/7C43bXQ

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Wed Apr 21, 2021 21:16
Thanks, foz111, for providing screenshots of your switch settings. I verified that we have the same configuration, with the exception of me not being able to use vlan3 because it is, ironically, an "Auto-Video" default VLAN.

EDIT: Problem resolved!!!

The correct settings are on the first page of the "R7800 and VLANS" thread. They are from Per Yngve Berg. I read that entire thread last week and I am sure I tried his settings but I also just discovered that I had entered the wrong subnet mask for the new vlan on the Setup --> Networking page.

Here's what worked for me finally:

# Turn on 802.1Q VLAN handling in the switch
swconfig dev switch0 set enable_vlan 1
# VLAN 1 (default LAN): ports 1-3 untagged, port 4 tagged (trunk to the smart switch), CPU port 6
swconfig dev switch0 vlan 1 set ports "1 2 3 4t 6"
# VLAN 97: tagged on the trunk port 4 and tagged to the CPU port 6
swconfig dev switch0 vlan 97 set ports "4t 6t"
swconfig dev switch0 set apply
# Router-side interface for VLAN 97 with its own /24 (the netmask was the earlier mistake)
vconfig add eth1 97
ifconfig eth1.97 192.168.97.1 netmask 255.255.255.0
ifconfig eth1.97 up

Thanks so much to foz111 and Alozaros for being patient with me. Also to Per Yngve Berg and everyone who held up hope that I would get a resolution even when I was ready to "throw in the towel". Laughing
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Thu Apr 22, 2021 15:16
Alozaros wrote:
If you just want to put those cameras on a bridge0 (br0) which will not have a WAN, but only LAN...
then just use

iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s <ip of camera> -j DROP


This command does not work for me.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Thu Apr 22, 2021 15:28

Hmm, you have to adapt it to your case...
-i br0 could be any interface you have, br0, vlan97 etc., and means (-i 'input')

-o (output) $(nvram get wan_iface) or $(get_wanface), try the other spelling... this is the correct WAN

ip of camera - here you have to put the corresponding IP of the camera that the router is handing to it...

You may need another rule like this to cut off the UDP too, as -p tcp is for TCP only...

I'm glad you made it work, as I started to believe my Alzheimer's is kicking in... (joke)
And yep, it's very often... people always overlook something and blame the software... I also do it sometimes.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Thu Apr 22, 2021 16:46
I saw your post in the other thread and figured out that I have to use the interface name instead of just vlan 97 so this works:

iptables -I FORWARD -i eth1.97 -o $(nvram get wan_iface) -p tcp -s 192.168.97.180 -j DROP

However, I was under the impression that it would block internet access entirely, which I see now it does not, just web traffic.

I can't just drop "-udp" into the same command? Otherwise, I am going to need 8 rules for 4 cameras.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6866
Location: Romerike, Norway

PostPosted: Thu Apr 22, 2021 20:03
When the cameras are on a separate interface, only use the interface in the rule. Leave out the IP address.

What protocol do you want to allow? You can also use the not operator !

-p !tcp (allows/blocks all protocols except tcp)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Thu Apr 22, 2021 20:13
Yep, I named it vlan97 as I didn't know your interface's final name, but I guessed you would've found what I was talking about...

To cut off access to the WAN interface entirely:

iptables -I FORWARD -i eth1.97 -o $(get_wanface) -j DROP

so you don't need to specify a port.

There are many ways to interpret this communication cut-off; it depends what you need it for...

For example:

iptables -I FORWARD -i eth1.97 -o $(get_wanface) -m state --state NEW -j DROP

This is a gentler rule: it does not allow that interface to initiate new connections, but those regarding it will be permitted... it depends what you'd need it for...

To get a clearer idea you have to see https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Fri Apr 23, 2021 2:35
Originally, I wanted to block the entire vlan97 from internet access because I don't want the cameras to be able to phone "home". However, there's a PC running Blue Iris camera software on the vlan too so I thought it would be a good idea to let the computer access the internet (sometimes) for updates.

I plan on accessing that computer via static route but for some reason, the route doesn't work. I enclosed a screenshot of that. The gateway is ip of my router.

Another issue I have is that I cannot dhcp addresses from a bridged vlan that I just created. DHCP works fine on the VAP portion of the bridge. I have also provided photos of the bridge setup.

Here's the latest startup config:

# Turn on 802.1Q VLAN handling in the switch
swconfig dev switch0 set enable_vlan 1
# VLAN 1: LAN ports 1-3 untagged, trunk port 4 tagged, CPU port 6
swconfig dev switch0 vlan 1 set ports "1 2 3 4t 6"
# VLANs 77 and 97 ride the trunk (port 4) tagged and reach the CPU (port 6) tagged
swconfig dev switch0 vlan 77 set ports "4t 6t"
swconfig dev switch0 vlan 97 set ports "4t 6t"
swconfig dev switch0 set apply
# Router-side sub-interfaces, one /24 each
vconfig add eth1 77
vconfig add eth1 97
ifconfig eth1.77 192.168.77.1 netmask 255.255.255.0
ifconfig eth1.97 192.168.97.1 netmask 255.255.255.0
ifconfig eth1.77 up
ifconfig eth1.97 up


Last edited by mrsean67 on Fri Apr 23, 2021 14:48; edited 1 time in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Fri Apr 23, 2021 7:04
Please hide the sensitive data, also read the forum rules... resize those pics down to 760 pixels...
Posting sensitive data is not a good idea, mate...
IPs, MACs must be hidden... now everyone knows something about you...
If I'm not wrong, on the latest firmwares all DHCP starts from 100..
Have a look at your routing, bridges, unbridged/bridged situation and trace the problem... if it's not working, there must be something messy on your side... I'll leave that game to you...

mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Sat Apr 24, 2021 0:20
Thanks for the save. I totally forgot to blank out that info. As you can see, I pulled the images. I know that you have no way of knowing this, but I do my own research before asking you guys for help. I spent practically every free minute of the past week just trying to set up that one VLAN you guys helped me with. It's never my first instinct to come here or anywhere and yell "Help" like I did last week. But I do understand that you guys are volunteering your time and there are many others that need it.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

PostPosted: Sat Apr 24, 2021 6:41
Well, whatever it was, the continuity of this thread is now b0rked. You could've edited your images...
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6866
Location: Romerike, Norway

PostPosted: Sat Apr 24, 2021 18:53
You don't need to put in a static route. The router will have a route to every network it has an interface on. A static route is only needed on a router that does not have an interface to the destination and must go through another router.
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Tue Apr 27, 2021 14:29
Per Yngve Berg wrote:
You don't need to put in a static route. The router will have a route to every network it has an interface on. A static route is only needed on a router that does not have an interface to the destination and must go through another router.


I have 4 cams and a computer in vlan97. I would like to be able to access them all from vlan1 without them being able to access anything on vlan1. I have been scouring the internet trying to figure out how to do this.

Also, I learned of a possibly better solution on another forum. They said that I could move the computer back to vlan1 and leave just the cameras in vlan97. The computer runs the camera software so just it alone would need to see vlan97.

Do you know if either of these scenarios is possible and how would I implement them?
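The rules Alozaros posted above (`-o $(get_wanface) -j DROP` and the `--state NEW` variant), the working switch config from earlier in the thread, and the question just asked (reach four cameras and a PC in vlan97 from vlan1 while vlan97 can reach nothing) fit together as one script. What follows is an added example written for this thread, not code from any of the posters or from the DD-WRT project. It assumes the layout of the working config (port 4 is the tagged trunk to the smart switch, eth1 is the LAN side of the switch on CPU port 6, br0 is the main LAN bridge, the router is 192.168.97.1/24 on VLAN 97); the chain names `CAMVLAN`/`CAMVLAN_IN`, the `/jffs` path, and `UPDATE_HOST` (one address in VLAN 97, such as the Blue Iris PC, that may still go out to the internet) are assumptions of the example, not anything from the thread. Because the drop rules carry no `-p`, one rule covers TCP, UDP and ICMP at once, so there is no need for two rules per camera; the established/related accept ahead of the drop is what lets the LAN pull streams from cameras that cannot themselves open anything.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from DD-WRT):
# a routed camera VLAN that the main LAN can reach but that can reach nothing.
# Assumptions: R7800 switch port 4 is the tagged trunk to the smart switch,
# eth1 is the LAN side of the switch (CPU port 6), br0 is the main LAN bridge,
# VLAN 97 is the camera VLAN with the router at 192.168.97.1/24.
# UPDATE_HOST is a hypothetical address for one host in VLAN 97 (e.g. the
# Blue Iris PC) that may still reach the internet; leave it empty to block all.
CAM_VLAN=${CAM_VLAN:-97}
CAM_IF=${CAM_IF:-eth1.$CAM_VLAN}
CAM_ADDR=${CAM_ADDR:-192.168.97.1}
LAN_BR=${LAN_BR:-br0}
UPDATE_HOST=${UPDATE_HOST:-}
CHAIN=CAMVLAN

# With DRY_RUN set, print each command instead of executing it, so the rule
# set can be reviewed before it touches the router.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# WAN interface: override with WAN=..., otherwise ask nvram as the thread does.
wan_if() {
    if [ -n "$WAN" ]; then printf '%s\n' "$WAN"; else nvram get wan_iface; fi
}

# Switch and interface setup, same layout as the working config in the thread.
configure_switch() {
    run swconfig dev switch0 set enable_vlan 1
    run swconfig dev switch0 vlan 1 set ports "1 2 3 4t 6"
    run swconfig dev switch0 vlan "$CAM_VLAN" set ports "4t 6t"
    run swconfig dev switch0 set apply
    run vconfig add eth1 "$CAM_VLAN"
    run ifconfig "$CAM_IF" "$CAM_ADDR" netmask 255.255.255.0 up
}

# Firewall: one chain per direction, flushed and rebuilt on every run, so
# re-running the script does not stack duplicate rules the way bare -I does.
configure_firewall() {
    wan=$(wan_if)

    # Forwarded traffic entering from the camera VLAN.
    run iptables -N "$CHAIN" 2>/dev/null
    run iptables -F "$CHAIN"
    # Replies to sessions the LAN opened toward the cameras (RTSP pulls, web UI).
    run iptables -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Optional: one host may still initiate connections to the internet.
    if [ -n "$UPDATE_HOST" ]; then
        run iptables -A "$CHAIN" -s "$UPDATE_HOST" -o "$wan" -j ACCEPT
    fi
    # Everything else the cameras start (to br0, the WAN, or other VLANs) is
    # dropped. No -p, so TCP, UDP and ICMP are all covered by this one rule.
    run iptables -A "$CHAIN" -j DROP

    # Traffic from the camera VLAN addressed to the router itself: DHCP (and
    # DNS, if the cameras need to resolve LAN names) is answered, nothing else.
    run iptables -N "${CHAIN}_IN" 2>/dev/null
    run iptables -F "${CHAIN}_IN"
    run iptables -A "${CHAIN}_IN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "${CHAIN}_IN" -p udp --dport 67 -j ACCEPT
    run iptables -A "${CHAIN}_IN" -p udp --dport 53 -j ACCEPT
    run iptables -A "${CHAIN}_IN" -j DROP

    # Hook the chains in at the top (delete first so re-runs stay idempotent)
    # and let the LAN initiate toward the cameras explicitly.
    run iptables -D FORWARD -i "$CAM_IF" -j "$CHAIN" 2>/dev/null
    run iptables -D FORWARD -i "$LAN_BR" -o "$CAM_IF" -j ACCEPT 2>/dev/null
    run iptables -D INPUT -i "$CAM_IF" -j "${CHAIN}_IN" 2>/dev/null
    run iptables -I FORWARD 1 -i "$CAM_IF" -j "$CHAIN"
    run iptables -I FORWARD 2 -i "$LAN_BR" -o "$CAM_IF" -j ACCEPT
    run iptables -I INPUT 1 -i "$CAM_IF" -j "${CHAIN}_IN"
}

# "switch" belongs in the startup script, "firewall" in the firewall script;
# "dry-run" prints both without applying anything.
case "${1:-}" in
    switch)   configure_switch ;;
    firewall) configure_firewall ;;
    dry-run)  DRY_RUN=1; configure_switch; configure_firewall ;;
esac
```

Saved as (for instance) /jffs/cam-vlan.sh with JFFS enabled, `sh /jffs/cam-vlan.sh switch` goes in Administration > Commands > Startup and `sh /jffs/cam-vlan.sh firewall` in the Firewall script, so the chains survive a firewall restart; `WAN=eth0 sh cam-vlan.sh dry-run` on a workstation prints the full rule set for review, since `nvram` only exists on the router. Moving the Blue Iris PC back to vlan1, as the other forum suggested, needs no change to the rules: the PC then sits behind the `-i br0 -o eth1.97 -j ACCEPT` rule and the cameras still cannot open anything toward it. One syntax note on the `-p !tcp` form mentioned above: current iptables writes negation before the option, `! -p tcp`, and only accepts the older intrapositioned form with a deprecation warning.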
mrsean67
DD-WRT Novice


Joined: 19 May 2020
Posts: 23

PostPosted: Wed Apr 28, 2021 3:33
So I solved my no-DHCP problem with vlan77. I forgot to add the trunk port to it on the smart switch. Now I get IP addresses from both wired and wireless connections. However, only the VAPs get internet. The bridged VLAN does not.

Notice in the photo that br1 only shows wan0.1 & wan1.1 as members even though I added eth1.77 too. Sometimes eth1.77 will show up there with the VAPs, but it definitely will if there's only 1 VAP bridged. Can 1 VLAN be bridged to 2 VAPs? Is the bridge actually dropping eth1.77?

No combination of firewall commands gets me internet on eth1.77.