[SOLVED] Dual-router: DDWRT + pfSense - adding a VLAN...

DD-WRT Forum Index -> Broadcom SoC based Hardware
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

PostPosted: Tue May 17, 2022 20:49    Post subject: [SOLVED] Dual-router: DDWRT + pfSense - adding a VLAN...
Hi all,

I have (almost) everything working on my new setup: a main pfSense router, which is connected to a Netgear R7000 router via 2 managed switches. My issue is entirely with the R7000 DDWRT router, because I already have VLAN 1 and VLAN 10 running - hence this post.

Now I'm trying to add VLAN 15 and it's easy on the pfSense router and also easy to modify the trunk ports on the managed switches. But on the DDWRT side, something isn't working and I've been struggling with this issue for some hours and days and realize I just don't understand or get it... So I need to ask... To make it simple, assume everything before the DDWRT router works. The DDWRT router also works with VLAN 1 and VLAN 10. So I thought adding VLAN 15 would be easy, right? My setup and some comments:

    * I'm using DD-WRT v3.0-r48865 std (05/13/22).
    * The main router (pfSense) acts as DHCP-server - (and the only DHCP-server)...
    * "Operating Mode" (Setup -> Advanced Routing) is "Router".
    * "SPI Firewall" is disabled (Security -> Firewall).
    * I can often get an IP address from the DHCP-server aka the main router/pfSense-box - but I cannot access the internet no matter what I do. So it's probably some kind of routing issue?
    * I tried to assign one/some physical ports to VLAN 15 (Setup -> Switch Config) and I tried many combinations of adding VLAN 15 to either an existing br0/br1-bridge - or creating a new br2-bridge where I added VLAN 15 - nothing worked - could never access the internet although I got an IP address.
    * I began searching the forum(s) for similar problems, sometimes this is enough for me to figure it out myself - but not here.

The moment where I realized I couldn't possibly figure this out myself was after I learned I can run:

Code:
   # swconfig dev switch0 show

   ...
   VLAN 1:
     ports: 0t 5t
   VLAN 2:
     ports: 0t 5t
   VLAN 10:
     ports: 0t 1 2 3 4 5t
   VLAN 15:
     ports: 0t 5t

The last part looked suspicious: why is VLAN 10 different? In the old days I did a lot of "robocfg vlan 10 ports "bla bla"" - but with a newer DDWRT firmware I got the impression this wasn't needed anymore. So I made a backup - then did "nvram erase && reboot" and then restored from the backup. But after rebooting, I can see nothing has changed. Maybe these variables are a remnant of some old stuff that shouldn't be there (I mean maybe I shouldn't always backup and restore, maybe reset everything and manually use the GUI to restore things?)?

I also did:

Code:
# nvram show | grep vlan.*ports | sort && echo '-' && nvram show | grep port.*vlans | sort && echo '-' && nvram show | grep vlan.*hwname | sort
size: 39121 bytes (26415 left)
vlan1ports=1 2 3 4 5*
vlan2ports=0 5u
-
size: 39121 bytes (26415 left)
port0vlans=1 2 3 4 16000 18000 19000 20000
port1vlans=3 18000 19000 20000
port2vlans=3 18000 19000 20000
port3vlans=3 18000 19000 20000
port4vlans=3 18000 19000 20000
port5vlans=1 2 3 4 16000
-
size: 39121 bytes (26415 left)
vlan1hwname=et0
vlan2hwname=et0

So nothing with VLAN 15 - but both VLAN 1 and VLAN 10 work on the R7000 ports via the GUI.

What is it I don't understand? Do I need to run startup commands - robocfg commands - again? If I forgot any information, please let me know. I've spent days and many hours on this and realize I just don't understand what's going on... Could anyone please help with some advice/ideas? As said, DHCP works - I thought it would be simple enough to add VLAN 15 when VLAN 1 and 10 already seem to work, but I'm clearly not understanding something - thanks!



[Attachment: DDWRT_issue_cannot_add_VLAN15.png - Description: GUI-setup]
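A small shell check, added here and not part of the original post, that parses `swconfig dev switch0 show` output and reports which VLANs actually have a LAN port assigned rather than only the trunk and CPU members (what the post's output shows for VLAN 15). The sample output is constructed after the excerpt above, and the port roles (port 0 = WAN jack used as tagged trunk, port 5 = CPU port) are assumed from the `vlan2ports=0 5u` nvram line further down in the post.

```shell
#!/bin/sh
# Constructed sample of `swconfig dev switch0 show`, modelled on the post's
# excerpt (not captured from a real device).
SAMPLE_SWCONFIG='VLAN 1:
  ports: 0t 5t
VLAN 2:
  ports: 0t 5t
VLAN 10:
  ports: 0t 1 2 3 4 5t
VLAN 15:
  ports: 0t 5t'
# Assumed port roles from the post's nvram lines (vlan2ports=0 5u):
# port 0 is the WAN jack carrying the tagged trunk, port 5 is the CPU port.
TRUNK_PORT=0
CPU_PORT=5
# vlan_ports <swconfig-output> <vlan-id>: the "ports:" member list of one VLAN.
vlan_ports() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^VLAN [0-9]+:/ { id = $2; sub(/:/, "", id) }
        /^[ \t]*ports:/ && id == want {
            sub(/^[ \t]*ports:[ \t]*/, ""); print; exit
        }'
}
# untagged_ports <swconfig-output> <vlan-id>: access members only (swconfig marks tagged ones with "t").
untagged_ports() {
    out=""
    for p in $(vlan_ports "$1" "$2"); do
        case "$p" in *t) ;; *) out="$out $p" ;; esac
    done
    printf '%s\n' "${out# }"
}
# lan_member_count <swconfig-output> <vlan-id>: members other than CPU and trunk, i.e. usable LAN jacks.
lan_member_count() {
    n=0
    for p in $(vlan_ports "$1" "$2"); do
        case "${p%t}" in "$CPU_PORT"|"$TRUNK_PORT") ;; *) n=$((n + 1)) ;; esac
    done
    echo "$n"
}
# vlan_report <swconfig-output>: one line per VLAN, flagging VLANs that exist
# only between trunk and CPU (what the post's output showed for VLAN 15).
vlan_report() {
    ids=$(printf '%s\n' "$1" | awk '/^VLAN [0-9]+:/ { sub(/:/, "", $2); print $2 }')
    for id in $ids; do
        if [ "$(lan_member_count "$1" "$id")" -eq 0 ]; then
            echo "VLAN $id: trunk and CPU only, no LAN port assigned"
        else
            echo "VLAN $id: untagged LAN ports: $(untagged_ports "$1" "$id")"
        fi
    done
}

vlan_report "$SAMPLE_SWCONFIG"
```

On a live router, replace the constructed sample with `"$(swconfig dev switch0 show)"` to get the same report for the real switch table.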

foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

PostPosted: Wed May 18, 2022 7:29    Post subject: Re: Dual-router-setup: DDWRT + pfSense - Cannot add VLAN...?
* "Operating Mode" (Setup -> Advanced Routing) is "Router".
Router mode: Pfsense LAN to R7000 LAN
Gateway Mode: Pfsense LAN to R7000 WAN
Do you have this correct?

mod-edit: removed full post quote, please quote only the necessary portion(s) to make reading/following thread easier for all.

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Wed May 18, 2022 7:32    Post subject:
I have done it in the past the old way and am not an expert in doing it the new way with swconfig; there are threads about swconfig.
Simple things might work using the GUI, but the greatest drawback of the GUI is that you have to tag all ports and cannot have one left untagged.

The new way is using swconfig and you have to add that to startup.

It looks like you set up this router as a WAP:

A secondary router connected wired LAN<>LAN on the same subnet as the primary router:
• WAN disabled
• DHCP server Disabled (=off and NOT set as Forwarder!)
• Local IP address in subnet of primary router but outside DHCP scope (you can run udhcpc to give the WAP a static lease, but because you can it doesn't mean you should)
• Gateway and Local DNS pointing to primary router
• DNSMasq enabled
• Router kept in the default Gateway mode (the wiki says Router mode but do not do that, Router can break things)

If so then you have to add the following rule to the firewall in order to get internet access from the unbridged VAPS/VLANS/BRIDGES.
In the web-interface of the router (the WAP): Administration/Commands save Firewall:
#Always necessary (alternatively set static route on main router):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

The above rule should actually not be necessary in your case as the VLANS should do the heavy lifting (I assume every VLAN has its DHCP server).

When using a WAP with WAN disabled I would assume that all ports should be on VLAN 1 and that VLAN2 is gone.
However that does not work, the WAN port is a separate port which acts in a way which I have yet to discover.

My advice: use port 4 as the trunk port.

I would reset to defaults first and setup as a proper WAP the way described, use port 4 as the trunk and leave the WAN port alone.

Alternatively, and probably better, wait for someone with real expertise to chime in.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Wed May 18, 2022 7:33    Post subject:
Please post this in the Broadcom forum for the R7000. VLAN is chip-set dependent.
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

PostPosted: Wed May 18, 2022 20:02    Post subject: Re: Dual-router-setup: DDWRT + pfSense - Cannot add VLAN...?
foz111 wrote:
* "Operating Mode" (Setup -> Advanced Routing) is "Router".
Router mode: Pfsense LAN to R7000 LAN
Gateway Mode: Pfsense LAN to R7000 WAN
Do you have this correct?

Hi. Sorry, I don't understand what you mean about having it correct. I believe it is correct and, as described at the top, I have: "Operating Mode" (Setup -> Advanced Routing) is "Router". Furthermore I have no WAN ports because, as shown at the top of the screenshot, "WAN Connection Type -> Disabled", so all are LAN ports. As far as I know, there's no such thing as "Gateway mode" on the pfSense router, but that (I thought) had its connection for VLAN 15, just as for VLAN 10, i.e. using a trunk port with both VLANs tagged - this was a wrong assumption, I know what is wrong now - I'm terribly, terribly sorry, will post the explanation below in the other reply, thanks!
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

PostPosted: Wed May 18, 2022 20:06    Post subject:
Per Yngve Berg wrote:
Please post this in the Broadcom forum for the R7000. VLAN is chip-set dependant.
I know when/if we're forced to use those nasty "robocfg" command lines that part is chipset-specific - but the last time I set up VLANs with DDWRT I could use the GUI, I think - I think entirely... I thought VLANs were part of advanced networking? Anyway, let's not discuss that: I made a mistake in my original post which is not Broadcom-chipset-specific and am truly sorry, will explain my mistake shortly. Thanks!
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

PostPosted: Wed May 18, 2022 21:03    Post subject:
egc wrote:
I have done it in the past the old way and am not an expert in doing it the new way with swconfig; there are threads about swconfig.

Right, I learned about the new GUI way some months back - I was, and am still, extremely pleased with the new GUI way of setting up those things entirely without using the command line (with nasty hardware-specific things to remember, which I kept forgetting, i.e. the weird/counter-intuitive mapping between physical and logical ports; that's much easier with a GUI)...

egc wrote:
Simple things might work using the GUI, but the greatest drawback of the GUI is that you have to tag all ports and cannot have one left untagged.
Not sure I understand that: I have a single trunk port where all VLANs are tagged. But that's the same thing I have to do in the config for both my managed switches, so I don't see this really as a problem - or maybe I misunderstood it? I have the "Setup -> Switch Config" currently pretty much just as in the screenshot (except now VLAN 15 works, so some of the physical ports have been changed to VLAN 15 instead of VLAN 10 as before). Anyway, let's not keep stalling; I'll just explain now why I'm very sorry, because I've made a fundamental, serious mistake in my config leading to my problem, which is explained in the attached picture - so it seems my config was OK on the DDWRT. I feel I'm not completely a noob anymore, although the upstream NAT mistake maybe was a noob mistake.

egc wrote:
The new way is using swconfig and you have to add that to startup.

It looks like you setup this router as a WAP:

A secondary router connected wired LAN<>LAN on the same subnet as the primary router:
• WAN disabled
• DHCP server Disabled (=off and NOT set as Forwarder!)
• Local IP address in subnet of primary router but outside DHCP scope (you can run udhcpc to give the WAP a static lease, but because you can it doesn't mean you should)
• Gateway and Local DNS pointing to primary router
I agree and have the same settings as you - except I had local DNS set to 0.0.0.0. That also seems to work (I'm not really sure why, though; maybe someone knows?). Anyway, my guess is that the pfSense DHCP server router pushes out the local DNS information along with the DHCP-assigned IP addresses...

egc wrote:
• DNSMasq enabled

Like you, I also have it enabled. Not sure why, though, because I understand that dnsmasq is both "DNS forwarder and DHCP server" - and both are disabled, because there's an upstream DHCP server that takes care of those things... Anyway...

egc wrote:
• Router kept in the default Gateway mode (the wiki says Router mode but do not do that, Router can break things)
Yes, I've seen this before. And I promise one day I'll turn it off, also just for practicing double-NAT router configurations, but at the moment I enjoy/like that I have a single DHCP server where I can statically assign IP addresses to all my devices - instead of having some kind of double NAT with a DHCP server working on the pfSense router (upstream router, closest to my ISP) and then another DHCP server working on the (secondary) DDWRT router (downstream router). But - my configuration actually works now (see screenshot), I'm very sorry for the confusion.

egc wrote:
If so then you have to add the following rule to the firewall in order to get internet access from the unbridged VAPS/VLANS/BRIDGES.
In the web-interface of the router (the WAP): Administration/Commands save Firewall:
#Always necessary (alternatively set static route on main router):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Yes, I think I understand the concept (although I don't have too much experience with it). I'm very grateful that you mention it; it makes me understand things better if I later realize that I have to change from router mode to gateway mode - or probably I'll just do it one day, because I want to practice double NAT and improve my networking skills.

egc wrote:
The above rule should actually not be necessary in your case as the VLANS should do the heavy lifting (I assume every VLAN has its DHCP server).
Yes, you're right. Every VLAN has its own DHCP server - pfSense is just an incredibly fantastic free piece of software that helps me build a semi-advanced network configuration without too much hassle.

egc wrote:
When using a WAP with WAN disabled I would assume that all ports should be on VLAN 1 and that VLAN2 is gone.
Yes, this is the funny/interesting part, which I really would like to hear someone's opinion about: remember all that "nvram show", "vlan1ports", "port0vlans", "port1vlans", "vlan1hwname", "vlan2hwname", robocfg etc. - it seems all that means *NOTHING* anymore with a recent DDWRT firmware and I can just completely ignore that and only use the GUI - this is fantastic news for people like me (well, I discovered this a few months ago, but then played mostly with pfSense and now I'm playing again with DDWRT and again see that things have just evolved a lot, for the better, no doubt).
I remember I was so scared that maybe I had some old "nvram" garbage values - but luckily it seems they don't mean a thing anymore and things seem to work just perfectly (well, I've only been using my new setup for around 1 hour, but in the past hour I haven't noticed unusual problems; see screenshot for changes from my original post to now)...

egc wrote:
However that does not work, the WAN port is a separate port which acts in a way which I have yet to discover.

My advice: use port 4 as the trunk port.
I would've tried this - if it wasn't because I've now slept on it and began going through ALL my settings once again (and then I saw things in the pfSense firewall log that led me to understand that this was really just an upstream NAT issue, not really a DDWRT issue at all - which is also fantastic news for me; I remember many years ago DDWRT had many problems and I always had to update often to get the latest bug fixes, which could mean a lot). I now have great confidence in the new/modern/latest DDWRT releases.

egc wrote:
I would reset to defaults first and setup as a proper WAP the way described, use port 4 as the trunk and leave the WAN port alone.

Alternatively, and probably better, wait for someone with real expertise to chime in.
Actually I also did try a hard reset 1-2 times - but as illustrated in the latest screenshot: luckily everything is working perfectly now - networking is FUN.......... (when it works as we want it to, otherwise it's just frustrating).

I'll leave this thread open and tomorrow mark it as solved, and I hope the solution ("check upstream NAT settings") can help other people in the future.



[Attachment: dual_router_VLAN_issue_solved_due_to_wrong_NAT_settings_upstream.png]

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Fri May 20, 2022 10:48    Post subject:
Marked as solved.

Thank you for the detailed post including screenshots; it should help others in the same boat.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)