[SOLVED] Single/simple(?) VLAN on R7800?

DD-WRT Forum Index -> Atheros WiSOC based Hardware
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

PostPosted: Thu Sep 08, 2022 10:15    Post subject: [SOLVED] Single/simple(?) VLAN on R7800?
I have four Raspberry Pi4's running some BOINC projects and Folding@HOME. They're all 4 connected to my LAN through an unmanaged 5-port Zyxel PoE switch. These mostly take care of themselves.

Elsewhere on my LAN there are also two managed 8-port TP-Link switches of which one is an PoE switch.

There are already two 2.4 GHz VAP's on my network where clients are isolated from each other and the main LAN. They both have internet access. I set them up by myself, so I have some practical experience with bridges on the networking page.

The task for this autumn would be as follows:
Isolate the 4 Pi's from my main LAN to their own VLAN.
If it would lead to an easier solution for the task I'd like to carry out, I could rearrange the switches and cable connections.

The unmanaged PoE switch that the 4 Pi's are connected to is connected to port 3 of my main and only router R7800. According to what I've read this would correspond to port 2 in any VLAN setup commands. OTOH, I also vaguely remember reading this 'misnumbering' was corrected in a recent f/w update.

As usual there's a lot of information about VLAN's and DD-WRT on the internet and much of it is undoubtedly obsolete since DD-WRT evolves constantly.
I am aware the switch setup page of the GUI is not to be touched in case of the R7800.
It's running the latest f/w, currently 50057.

Would it be enough to move router port 3 to a new VLAN and set up a DHCP server for that VLAN? The unmanaged Zyxel switch would take care of the rest?

Is that more or less correct?

What would, roughly or more detailed, be the steps I need to perform on the R7800 to get this done?

Thanks for any comments!
ArjenR49


Last edited by ArjenR49 on Wed Sep 14, 2022 11:02; edited 1 time in total
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 962
Location: WV, USA

PostPosted: Thu Sep 08, 2022 10:59    Post subject: Re: Single/simple(?) VLAN on R7800?
ArjenR49 wrote:

The unmanaged PoE switch that the 4 Pi's are connected to is connected to port 3 of my main and only router R7800. According to what I've read this would correspond to port 2 in any VLAN setup commands. OTOH, I also vaguely remember reading this 'misnumbering' was corrected in a recent f/w update.


The numbering on the R7800 remains backwards. You are correct, port 3 of the 7800 would correspond to port 2 in the VLAN setup.

ArjenR49 wrote:

Would it be enough to move router port 3 to a new VLAN and set up a DHCP server for that VLAN? The unmanaged Zyxel switch would take care of the rest?

Is that more or less correct?

Yes, more or less. It depends on whether you need to tag the vlan or not. Odds are the Zyxel will not pass the trunk through. However, if you stay away from tagging, and just put your 7800's port 3 on an isolated IP w/dhcp server, it should work just fine.

_________________
Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate

Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r53562
Features in use: multiple VLANs over single trunk port

Linksys EA8500 WDS Station x2 - DD-WRT r53562

Netgear R6400v2 WAP, VAP 2.4ghz only w/VLANs over single trunk port.

OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.

Forum member #248
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Thu Sep 08, 2022 14:27
You can try it like this (seems to work but I am not a VLAN expert)

1. Add a new bridge in the Networking tab (br1)
2. configure br1 (see screenshot)
3. add a new DHCP server for br1

4. add startup commands


Code:
swconfig dev switch0 set reset                    # wipe the switch config (this also drops the default WAN VLAN 2)
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"   # main LAN: ports 1, 3, 4 plus CPU port 6, all untagged
swconfig dev switch0 vlan 2 set ports "0 5"       # WAN VLAN: must be re-created after the reset
swconfig dev switch0 vlan 3 set ports "2 6t"      # isolated VLAN 3: port 2 (marked #3 on the case) untagged, CPU port tagged
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD        # name the interface vlan3 instead of eth1.3
vconfig add eth1 3
brctl addif br1 vlan3                             # attach vlan3 to the bridge created in step 1
ifconfig vlan3 up


5. assign VLAN3 to bridge br1 in the "Networking" tab.

so for me it works like this (but I still have a VLAN tagged on the WAN port)


Code:
ho1Aetoo@ho1Aetoo:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) Bytes Daten.
^C
--- 192.168.1.1 ping-Statistik ---
12 Pakete übertragen, 0 empfangen, 100% Paketverlust, Zeit 11244ms

ho1Aetoo@ho1Aetoo:~$ ping google.com
PING google.com (142.250.186.110) 56(84) Bytes Daten.
64 Bytes von fra24s06-in-f14.1e100.net (142.250.186.110): icmp_seq=1 ttl=60 Zeit=12.7 ms
64 Bytes von fra24s06-in-f14.1e100.net (142.250.186.110): icmp_seq=2 ttl=60 Zeit=12.8 ms
64 Bytes von fra24s06-in-f14.1e100.net (142.250.186.110): icmp_seq=3 ttl=60 Zeit=12.6 ms
^C
--- google.com ping-Statistik ---
3 Pakete übertragen, 3 empfangen, 0% Paketverlust, Zeit 2003ms
rtt min/avg/max/mdev = 12.573/12.698/12.783/0.090 ms


if anything is wrong please correct it

Edit: and I forgot to mention the 2 firewall rules you also need (see Alozaros' post)


Last edited by ho1Aetoo on Thu Sep 08, 2022 16:28; edited 5 times in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Thu Sep 08, 2022 15:11
put this in the save startup script
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 6"   # main LAN: ports 1, 2, 3 plus CPU port 6
swconfig dev switch0 vlan 10 set ports "4 6t"     # VLAN 10 on port 4 (marked #1 on the case), CPU port tagged
swconfig dev switch0 set apply
vconfig add eth1 10                               # creates the interface eth1.10
brctl addif br1 eth1.10
ifconfig eth1.10 192.168.2.1 netmask 255.255.255.0
ifconfig eth1.10 up

and then you have to go and assign vlan10 to br1 and add a DHCPd to br1

in my case my vlan is bridged for better control over it..

also in the save firewall script you need these 2 lines too.

iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j REJECT

the first line is to give NAT to the vlan
the second line is to deny access from br to br

my bridge/vlan has a nat and ip isolation too...

here is the main vlan thread for R7800 that I followed
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1122223

p.s. there was a new twist on the new builds where
eth1.10 must be the name of your, let's say, vlan10
but I'm using the bridged vlan as it is, so I guess the script still remains the same as I posted it...
I haven't done a reset and manually reconfigured yet, so I still carry on with this script and it's working..as it should...but you can fiddle with it...

as well, as the others said, port 1 on the router is port 4 in the script...

good luck..

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

PostPosted: Thu Sep 08, 2022 21:25
Thanks for all the help. Sorry, I couldn't get it to work.
I tried all afternoon and evening, but no dice.


Inserted in the startup script with slight variations during testing:

swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"
swconfig dev switch0 vlan 30 set ports "2 6t"
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 30
ifconfig eth1.30 192.168.30.1 netmask 255.255.255.224

Tried with a bridge (br30) and without as well.

Set up the required DHCP server for 192.168.30.1/27 in the GUI without problems.
Yet, I couldn't get a spare Linux laptop connected to VLAN port 3 through the Zyxel PoE switch to get an IP in the VLAN subnet ...
The output from swconfig dev switch0 show:
root@R7800:~# swconfig dev switch0 show
Global attributes:
enable_vlan: 1
enable_mirror_rx: 0
enable_mirror_tx: 0
mirror_monitor_port: 0
mirror_source_port: 0
disable_all_leds: ???
arl_age_time: 300
arl_table: address resolution table
...
Port 2: MAC 00:26:55:xx:xx:xx <---- the MAC of the laptop connected to router port 3 through the Zyxel switch.
....

igmp_snooping: 0
igmp_v3: 1
Port 0:
mib: ???
enable_eee: ???
igmp_snooping: 0
vlan_prio: 0
pvid: 0
link: port:0 link:up speed:1000baseT full-duplex
Port 1:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 1
link: port:1 link:up speed:100baseT full-duplex auto
Port 2:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 30
link: port:2 link:up speed:1000baseT full-duplex txflow rxflow auto
Port 3:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 1
link: port:3 link:up speed:1000baseT full-duplex txflow rxflow auto
Port 4:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 1
link: port:4 link:up speed:1000baseT full-duplex auto
Port 5:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 0
link: port:5 link:up speed:100baseT full-duplex txflow rxflow auto
Port 6:
mib: ???
enable_eee: ???
igmp_snooping: 0
vlan_prio: 0
pvid: 1
link: port:6 link:up speed:1000baseT full-duplex
VLAN 1:
vid: 1
ports: 1 3 4 6
VLAN 30:
vid: 30
ports: 2 6t
root@R7800:~# Connection to r7800.mdnet closed by remote host.


In the end I had to remove all changes and do a hard reset on almost all of my Raspberry Pi clients to make everything work again (I do also have a backup from right before the VLAN trial, which I can use if there are problems).

Next time I'd better shut down all clients before starting any VLAN trial. They obviously didn't like the frequent network restarts.
The FS's of the thumbdrive on the R7800 with a jffs and an optware partition required cleaning (disks utility in Linux). It occasionally doesn't survive restarts of the router without the FS's becoming damaged despite an unmount script.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Fri Sep 09, 2022 6:37
This can also not work if the one firewall rule is missing.

What I posted above definitely works.
However, it is missing the two firewall rules for NAT and isolation.

I use the following rules

Code:
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT


respectively

Alozaros wrote:
also in save firewall you need this 2 lines too.

iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j REJECT

first line is to give a NAT to the vlan
second line is to deny access br to br
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Fri Sep 09, 2022 7:03
I have not seen any need to reset, except for Marvell devices.

vlan 2 is missing.

swconfig dev switch0 vlan 2 set ports "0 5"
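As an added example, not code from any post in this thread or from DD-WRT: a small shell check that reads a pasted `swconfig dev switch0 show` dump (the format ArjenR49 posted above) and verifies the points this exchange turned on, namely that the WAN VLAN 2 on ports "0 5" survived the reset, that the isolated port has left VLAN 1, that the new VLAN holds that port untagged plus CPU port 6 tagged, and that the port's pvid matches. The port and VLAN numbers are the ones used in this thread (assumed R7800 layout); the sample dumps are constructed and shortened to the lines the checks read.

```shell
# Added example (not from the thread or DD-WRT): sanity-check a
# `swconfig dev switch0 show` dump before trusting a startup script.
# Assumes the R7800 layout used in this thread: CPU port 6, WAN = VLAN 2
# on ports "0 5", and the isolated VLAN holding one LAN port untagged
# plus the CPU port tagged ("6t"). The dump is read from stdin.

# vlan_ports VID -- print the port list of VLAN VID from the dump on stdin
vlan_ports() {
    awk -v vid="$1" '
        /^[ \t]*VLAN [0-9]+:[ \t]*$/ { cur = $2; sub(/:$/, "", cur); next }
        cur == vid && /^[ \t]*ports:/ {
            sub(/^[ \t]*ports:[ \t]*/, ""); print; exit }
    '
}

# port_pvid PORT -- print the PVID (VLAN given to untagged ingress) of PORT
port_pvid() {
    awk -v port="$1" '
        /^[ \t]*Port [0-9]+:[ \t]*$/ { cur = $2; sub(/:$/, "", cur); next }
        cur == port && /^[ \t]*pvid:/ { print $2; exit }
    '
}

# has_port LIST PORT -- succeed if PORT ("2" or "6t") appears in LIST
has_port() {
    for p in $1; do [ "$p" = "$2" ] && return 0; done
    return 1
}

# check_switch VID PORT -- read the dump from stdin; return 0 only when
# VLAN VID isolates switch port PORT the way the working configs here do.
# Each failing check prints one line saying what to fix.
check_switch() {
    vid=$1; port=$2; dump=$(cat); rc=0
    wan=$(printf '%s\n' "$dump" | vlan_ports 2)
    if ! has_port "$wan" 0 || ! has_port "$wan" 5; then
        echo "VLAN 2 (WAN, ports 0 5) missing or incomplete: '$wan'"; rc=1
    fi
    lan=$(printf '%s\n' "$dump" | vlan_ports 1)
    if has_port "$lan" "$port"; then
        echo "port $port is still an untagged member of VLAN 1 (main LAN)"; rc=1
    fi
    iso=$(printf '%s\n' "$dump" | vlan_ports "$vid")
    if ! has_port "$iso" "$port" || ! has_port "$iso" 6t; then
        echo "VLAN $vid should contain '$port 6t', got '$iso'"; rc=1
    fi
    pvid=$(printf '%s\n' "$dump" | port_pvid "$port")
    if [ "$pvid" != "$vid" ]; then
        echo "port $port has pvid '$pvid', expected $vid"; rc=1
    fi
    return $rc
}

# Constructed dumps, shortened to the lines the checks read. The first
# mirrors the failing attempt above: `set reset` wiped VLAN 2 and the
# startup script never re-created it.
SAMPLE_MISSING_WAN='Port 2:
        pvid: 30
Port 6:
        pvid: 1
VLAN 1:
        vid: 1
        ports: 1 3 4 6
VLAN 30:
        vid: 30
        ports: 2 6t'

# The second is the same dump with the WAN VLAN present, as in the
# startup script that finally worked.
SAMPLE_OK="$SAMPLE_MISSING_WAN
VLAN 2:
        vid: 2
        ports: 0 5"

printf '%s\n' "$SAMPLE_MISSING_WAN" | check_switch 30 2 || echo "fix the startup script before rebooting"
```

On the router itself the same functions can be fed live output: `swconfig dev switch0 show | check_switch 30 2`.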
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

PostPosted: Fri Sep 09, 2022 8:12
Thanks both. Per Yngve's correction should be very helpful. I can see how omitting that would break the network. It may have been missing from examples that I went by but I suppose adding the reset command made it necessary.

ho1Aetoo wrote:
This can also not work if the one firewall rule is missing.

What I posted above definitely works.
However, it is missing the two firewall rules for NAT and isolation.

I use the following rules

Code:
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT


respectively

Alozaros wrote:
also in save firewall you need this 2 lines too.

iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j REJECT

first line is to give a NAT to the vlan
second line is to deny access br to br


I already have two bridges in use (for two VAP's) and no explicit FORWARD rules for bridges like you give above. In the GUI one can choose net isolation. I haven't checked what rule that adds, but I did check using a Network app on my phone connected to the respective VAP's that it works. At least that was my conclusion.
I get the idea of the -D FORWARD. In my current firewall rules there's one for every rule.

I'll try adding your rules, of course, next time I try. There's another user on this network and breaking it causes issues with TV reception using Chromecast and more.

My attempts faltered when I couldn't get a test client connected to port 2 via a switch to get an IP from the VLAN's DHCP server, even though its MAC was listed for port 2. I expected DHCP to work despite firewall rules and internet connectivity. And then take care of the rest later.

You say the first rule is to give a nat to the vlan. However, as the rule doesn't even mention vlan, I don't get it, or how my network currently works without it.

There's a lot in my firewall script already. FWIW, omitting the -D equivalents (DNS0_IPv4 is my PiHole & Unbound DNS server):

## Filter unbridged VAP wlan1.1 (example; br1_ipaddr exists too!)
#iptables -t nat -I PREROUTING -i wlan1.1 ! -d $(nvram get wlan1.1_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get wlan1.1_ipaddr):53
#iptables -t nat -I PREROUTING -i wlan1.1 ! -d $(nvram get wlan1.1_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get wlan1.1_ipaddr):53

# Allow DNS requests from 'ValIoT' VLAN to DNS server on main LAN
iptables -I FORWARD -i br1 -d $DNS0_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d $DNS0_IPv4 -p udp --dport 53 -j ACCEPT

# Allow DNS requests from 'Gasten' VLAN to DNS server on main LAN
iptables -I FORWARD -i br2 -d $DNS0_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br2 -d $DNS0_IPv4 -p udp --dport 53 -j ACCEPT

# PREROUTING: Force DNS requests (port 53) by any LAN client to any target address
# - other than to the PiHole DNS server itself -
# to the PiHole DNS server, where ! -s $DNS0_IPv4 is to prevent looping.
iptables -t nat -I PREROUTING -i br0 -p tcp ! -s $DNS0_IPv4 ! -d $DNS0_IPv4 --dport 53 -j DNAT --to $DNS0_IPv4
iptables -t nat -I PREROUTING -i br0 -p udp ! -s $DNS0_IPv4 ! -d $DNS0_IPv4 --dport 53 -j DNAT --to $DNS0_IPv4

# Block DoH requests to Cloudflare and Google DNS servers
iptables -I FORWARD -p tcp -d 1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 --dport 443 -j REJECT --reject-with tcp-reset

# Block outgoing packets to ports 853 & 5353 (DoT & alt. DNS port)
iptables -I FORWARD -p tcp --match multiport --dports 853,5353 -j REJECT --reject-with tcp-reset
iptables -I FORWARD -p udp --match multiport --dports 853,5353 -j REJECT --reject-with icmp-port-unreachable

# Improve 'Gasten' network security:
# - block access to 'Gasten' network from main network
# - block telnet, ssh, GUI and https access from 'Gasten' network
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j DROP
iptables -I INPUT -i br2 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport https -j REJECT --reject-with tcp-reset
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 962
Location: WV, USA

PostPosted: Fri Sep 09, 2022 11:52
Per Yngve Berg wrote:
I have not seen any need to reset, except for Marvell devices.

vlan 2 is missing.

swconfig dev switch0 vlan 2 set ports "0 5"


vlan 2 is automatically there by default, or at least should be. I think what may be happening in this case is the vlan reset is destroying it right off the bat.

Try removing this line from your startup.
Code:

swconfig dev switch0 set reset

_________________
Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate

Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r53562
Features in use: multiple VLANs over single trunk port

Linksys EA8500 WDS Station x2 - DD-WRT r53562

Netgear R6400v2 WAP, VAP 2.4ghz only w/VLANs over single trunk port.

OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.

Forum member #248
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Fri Sep 09, 2022 11:58
The problem is not the switch reset but that the command was not taken over 1 to 1.

In my example I have configured all VLANs and ports correctly.

If ArjenR49 did not configure a WAN port, it was done on his own initiative and not based on my example.

ho1Aetoo wrote:

Code:
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 3 set ports "2 6t"
swconfig dev switch0 set apply



and I use switch reset because I personally don't need VLAN2 and reconfigure that as VLAN7
Also, this is so much clearer because you can see the complete switch configuration without having to search for the information in other posts



@ArjenR49

you are right the line "iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE" is not needed.

I thought it was needed because I have it anyway in my firewall rules and when I disabled it DHCP no longer worked.
But that had another reason.
Without "bridge assignment" in the networking tab it always deletes the VLAN assignment when you save something in the Command tab.

Therefore the assignment in the GUI is important (if it is to work stably).
And without extra bridge I didn't get any DHCP addresses.

Just tested the setup again and it still works.



Code:
Sep 9 14:07:37 DD-WRT daemon.info dnsmasq-dhcp[1002]: DHCPDISCOVER(br1) 192.168.5.135 xxx.xxx.xxx.xxx
Sep 9 14:07:37 DD-WRT daemon.info dnsmasq-dhcp[1002]: DHCPOFFER(br1) 192.168.5.135 xxx.xxx.xxx.xxx
Sep 9 14:07:37 DD-WRT daemon.info dnsmasq-dhcp[1002]: DHCPREQUEST(br1) 192.168.5.135 xxx.xxx.xxx.xxx
Sep 9 14:07:37 DD-WRT daemon.info dnsmasq-dhcp[1002]: DHCPACK(br1) 192.168.5.135 xxx.xxx.xxx.xxx


ifconfig
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.135  netmask 255.255.255.0  broadcast 192.168.5.255

ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) Bytes Daten.
^C
--- 192.168.1.1 ping-Statistik ---
11 Pakete übertragen, 0 empfangen, 100% Paketverlust, Zeit 10218ms

ping 192.168.1.110
PING 192.168.1.110 (192.168.1.110) 56(84) Bytes Daten.
Von 192.168.5.1 icmp_seq=1 Zielport nicht erreichbar
Von 192.168.5.1 icmp_seq=2 Zielport nicht erreichbar
Von 192.168.5.1 icmp_seq=3 Zielport nicht erreichbar
^C
--- 192.168.1.110 ping-Statistik ---
3 Pakete übertragen, 0 empfangen, +3 Fehler, 100% Paketverlust, Zeit 2027ms

ping google.com
PING google.com (142.250.74.206) 56(84) Bytes Daten.
64 Bytes von fra24s02-in-f14.1e100.net (142.250.74.206): icmp_seq=1 ttl=60 Zeit=15.3 ms
64 Bytes von fra24s02-in-f14.1e100.net (142.250.74.206): icmp_seq=2 ttl=60 Zeit=15.0 ms
64 Bytes von fra24s02-in-f14.1e100.net (142.250.74.206): icmp_seq=3 ttl=60 Zeit=15.5 ms
^C
--- google.com ping-Statistik ---
3 Pakete übertragen, 3 empfangen, 0% Paketverlust, Zeit 2002ms
rtt min/avg/max/mdev = 15.005/15.257/15.473/0.192 ms


Maybe take it 1 to 1 and test? And if necessary without a switch in between?


Last edited by ho1Aetoo on Fri Sep 09, 2022 16:33; edited 1 time in total
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

PostPosted: Fri Sep 09, 2022 12:50
ho1Aetoo wrote:

If ArjenR49 did not configure a WAN port, it was done on his own initiative and not based on my example.



True, but there were also other examples here and there on the forum that I tried to go by.

Today I tried again and followed your steps more exactly, but didn't succeed these times either. There must be something problematic in the order of things as I executed them which leads to a lock up of the router. I then had to restore working settings from a backup. I tried a few times.

I did use vlan30 instead of vlan3. Maybe that is a problem? As it is, it's not necessary for me to use vlan30, because there was no VLAN3 yet, but I saw others naming VLANs according to the IP space they are to use. For clarity, I assume.
I also used br30 instead of br1 in the commands. The br1 name is free, though, as I renamed the earlier br1 and br2 into brIoT and brGst (which turned out well).

Unfortunately it's not possible to put all changes into place in one go and then reboot.
After a change in one command script, the f/w runs some code. At that moment the other script is still lacking something, and I got locked out half-way.

I'll keep trying later using names vlan3 and br1. At the moment the internet is needed for foreign radio listening ...
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Fri Sep 09, 2022 13:24
I must add that I am currently using build DD-WRT v3.0-r50116 std (09/08/22).
Since dnsmasq had a bug in the last versions.

But do not know if that plays a role in your case.
(it can in any case if you change configurations after the router has been started).

https://svn.dd-wrt.com/changeset/50101
https://svn.dd-wrt.com/changeset/50126
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

PostPosted: Sat Sep 10, 2022 12:41
ho1Aetoo wrote:
I must add that I am currently using build DD-WRT v3.0-r50116 std (09/08/22).
Since dnsmasq had a bug in the last versions.

But do not know if that plays a role in your case.
(it can in any case if you change configurations after the router has been started).

https://svn.dd-wrt.com/changeset/50101
https://svn.dd-wrt.com/changeset/50126


My R7800 uses dnsmasq only for DHCP, as I understand it. Disabled on the Setup, Basic Setup page, but enabled on the Services, Services page. Instead, DNS is by a Pi Zero (with a PiVoyager UPS) running PiHole/Unbound.

Maybe the next public build after 50057 will change something. It's no problem reverting the router to a working state if my future attempts at VLAN setup still bring problems, so I'll keep trying when I get a chance.
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

PostPosted: Tue Sep 13, 2022 22:43
After trying many times in the GUI, 'apply settings' and rebooting in different phases and order, I got my VLAN on port marked #3 working.
The bridge for eth1.3 and other required settings are done in the GUI. The bridge is called brVL3.

The relevant commands in my startup script are:

# Switch setup commands for VLAN on port marked #3 (i.e. port 2)
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 3 set ports "2 6t"
swconfig dev switch0 set apply
vconfig add eth1 3
brctl addif brVL3 eth1.3
ifconfig eth1.3 up

EDIT 15-9-2022 ---
The last command in the above I added today after upgrading to 50176 when upgrading caused the access to my VLAN to break and remain so after reboot. All settings in the Setup, Networking page looked correct, esp. the Current Bridging Table.
Apply settings made the access to VLAN work again. Applying settings in this page visibly causes the Current Bridging Table to be rebuilt.

As some sources do not include the ifconfig eth1.3 up, nor the brctl addif brVL3 eth1.3, I had taken the liberty to try without first.
Without the brctl the VLAN worked but the bridging table sometimes lost the line for brVL3 and needed rebuilding by apply settings when changes are made elsewhere in the GUI. The brctl line appeared to solve that problem.
END EDIT ---

EDIT 23-09-2022:

After setting up the R7800 anew from scratch (after nvram erase), eth1.30 was to be changed to VLAN30. So the relevant lines in the startup script are now as follows:

# Switch setup commands for VLAN on port marked #3 (i.e. port 2)
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 30 set ports "2 6t"
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 30
brctl addif brVL3 vlan30
ifconfig vlan30 up

END EDIT 23-09-2022


and in the firewall script:

iptables -D FORWARD -i brVL3 -d $DNS0_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -D FORWARD -i brVL3 -d $DNS0_IPv4 -p udp --dport 53 -j ACCEPT

# Allow DNS requests from eth1.3 VLAN to DNS server on main LAN
iptables -I FORWARD -i brVL3 -d $DNS0_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i brVL3 -d $DNS0_IPv4 -p udp --dport 53 -j ACCEPT


This setup appears successful, however ...
whenever Net isolation for brVL3 is enabled, I cannot access the servers on the VLAN from my laptop on the main network. The 4 servers, btw, run distributed scientific computing tasks folding@home and several BOINC projects.

Of course this is how it is supposed to be, but I'd like to make an exception for my laptop for administrative purposes. The PoE switch connected to port 3 of the router only has 5 ports, so I cannot just plug in my laptop into a spare port on the PoE switch.
Currently I have to disable net isolation to gain access to the servers.

I'm planning to find out and try the proper iptables rule to allow the laptop on 192.168.1.2 access to the VLAN (192.168.30.1/27), but in the mean time I will gladly take suggestions
As a minimum I need realvnc access, which uses tcp on port 5900.

In an ssh session to the router I should be able to execute and test iptables commands (and delete them if they don't work), without having to reboot the router for each change.


Last edited by ArjenR49 on Fri Sep 23, 2022 19:15; edited 2 times in total
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

PostPosted: Tue Sep 13, 2022 22:51
I tried the following rules, but they must be the wrong approach, and probably just show how little idea I have how to go about it:

iptables -A INPUT -i $NetworkAdmin -d brVL3 -p tcp -j ACCEPT
iptables -A INPUT -i $NetworkAdmin -d brVL3 -p udp -j ACCEPT
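As an added example, not code from any post in this thread or from DD-WRT: a firewall-script fragment that keeps the inter-bridge REJECT from this thread and adds the narrow exception asked for above. Traffic from the laptop to the VLAN hosts is forwarded by the router, so it passes the FORWARD chain (not INPUT), and `-d` takes an address or network, not a bridge name. Values assumed from the thread: main LAN bridge br0, VLAN bridge brVL3 on 192.168.30.0/27, admin laptop 192.168.1.2, RealVNC on tcp/5900; the `IPT=echo` dry-run switch is my addition.

```shell
# Added example (not from the thread or DD-WRT): firewall-script fragment
# for the isolated VLAN with a narrow admin exception.
# Values assumed from the thread: main LAN bridge br0, VLAN bridge brVL3 on
# 192.168.30.0/27, admin laptop 192.168.1.2, RealVNC on tcp/5900.
# Run with IPT=echo to print the rules instead of applying them.
IPT=${IPT:-iptables}
LAN_BR=br0
VLAN_BR=brVL3
VLAN_NET=192.168.30.0/27
ADMIN_HOST=192.168.1.2
ADMIN_PORTS=5900    # a comma-separated list works too, e.g. 5900,22

# apply_rule CHAIN RULE... -- delete any old copy first so re-running the
# firewall script never stacks duplicate rules, then insert at the top
apply_rule() {
    $IPT -D "$@" 2>/dev/null
    $IPT -I "$@"
}

# vlan_firewall -- insertion order matters: -I prepends, so the rule added
# last ends up first. Resulting chain order: admin ACCEPT, return-traffic
# ACCEPT, then the REJECT that stops every bridge from opening new
# connections to any other bridge (the rule Alozaros posted). Because -I
# prepends, all three land above rules the GUI added earlier.
vlan_firewall() {
    apply_rule FORWARD -i br+ -o br+ -m state --state NEW -j REJECT
    apply_rule FORWARD -i "$VLAN_BR" -o "$LAN_BR" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    apply_rule FORWARD -i "$LAN_BR" -o "$VLAN_BR" \
        -s "$ADMIN_HOST" -d "$VLAN_NET" -p tcp -m multiport --dports "$ADMIN_PORTS" \
        -m state --state NEW -j ACCEPT
}

# On the router: `sh vlan_fw.sh apply`; elsewhere: `IPT=echo sh vlan_fw.sh apply`
if [ "${1:-}" = apply ]; then vlan_firewall; fi
```

The -D/-I pairing is the same idiom used in the firewall scripts earlier in this thread, so the fragment can be pasted into the save-firewall script as-is and tested from an ssh session without a reboot.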