Joined: 05 Oct 2008 Posts: 666 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Thu Sep 08, 2022 10:15 Post subject: [SOLVED] Single/simple(?) VLAN on R7800?
I have four Raspberry Pi 4s running some BOINC projects and Folding@home. All four are connected to my LAN through an unmanaged 5-port Zyxel PoE switch. These mostly take care of themselves.
Elsewhere on my LAN there are also two managed 8-port TP-Link switches, of which one is a PoE switch.
There are already two 2.4 GHz VAPs on my network where clients are isolated from each other and from the main LAN. They both have internet access. I set them up myself, so I have some practical experience with bridges on the Networking page.
The task for this autumn would be as follows:
Isolate the 4 Pi's from my main LAN to their own VLAN.
If it would lead to an easier solution for the task I'd like to carry out, I could rearrange the switches and cable connections.
The unmanaged PoE switch that the 4 Pi's are connected to is connected to port 3 of my main and only router R7800. According to what I've read this would correspond to port 2 in any VLAN setup commands. OTOH, I also vaguely remember reading this 'misnumbering' was corrected in a recent f/w update.
As usual there's a lot of information about VLANs and DD-WRT on the internet, and much of it is undoubtedly obsolete since DD-WRT evolves constantly.
I am aware the switch setup page of the GUI is not to be touched in case of the R7800.
It's running the latest f/w, currently 50057.
Would it be enough to move router port 3 to a new VLAN and set up a DHCP server for that VLAN? The unmanaged Zyxel switch would take care of the rest?
Is that more or less correct?
What would, roughly or more detailed, be the steps I need to perform on the R7800 to get this done?
Thanks for any comments!
ArjenR49
Last edited by ArjenR49 on Wed Sep 14, 2022 11:02; edited 1 time in total
Posted: Thu Sep 08, 2022 10:59 Post subject: Re: Single/simple(?) VLAN on R7800?
ArjenR49 wrote:
The unmanaged PoE switch that the 4 Pi's are connected to is connected to port 3 of my main and only router R7800. According to what I've read this would correspond to port 2 in any VLAN setup commands. OTOH, I also vaguely remember reading this 'misnumbering' was corrected in a recent f/w update.
The numbering on the R7800 remains backwards. You are correct, port 3 of the 7800 would correspond to port 2 in the VLAN setup.
ArjenR49 wrote:
Would it be enough to move router port 3 to a new VLAN and set up a DHCP server for that VLAN? The unmanaged Zyxel switch would take care of the rest?
Is that more or less correct?
Yes, more or less. It depends on whether you need to tag the VLAN or not. Odds are the Zyxel will not pass the trunk through. However, if you stay away from tagging and just put your 7800's port 3 on an isolated IP w/ DHCP server, it should work just fine.
_________________
Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate
Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r53562
Features in use: multiple VLANs over single trunk port
Linksys EA8500 WDS Station x2 - DD-WRT r53562
Netgear R6400v2 WAP, VAP 2.4ghz only w/VLANs over single trunk port.
OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.
You can try it like this (seems to work but I am not a VLAN expert)
1. Add a new bridge in the Networking tab (br1)
2. configure br1 (see screenshot)
3. add a new DHCP server for br1
4. add startup commands
Code:
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 3 set ports "2 6t"
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 3
brctl addif br1 vlan3
ifconfig vlan3 up
5. assign VLAN3 to bridge br1 in the "Networking" tab.
so for me it works like this (but I still have a VLAN tagged on the WAN port)
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Thu Sep 08, 2022 15:11 Post subject:
Put this in the Save Startup script:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 6"
swconfig dev switch0 vlan 10 set ports "4 6t"
swconfig dev switch0 set apply
vconfig add eth1 10
brctl addif br1 eth1.10
ifconfig eth1.10 192.168.2.1 netmask 255.255.255.0
ifconfig eth1.10 up
and then you have to go and assign vlan10 to br1 and add a DHCPd to br1
in my case my VLAN is bridged for better control over it..
p.s. there was a new twist on the new builds where
eth1.10 must be the name of your, let's say, vlan10
but I'm using a bridged VLAN as it is, so I guess the script still remains the same as I posted it...
I haven't done a reset and manual reconfigure yet, so I still carry on with this script and it's working... as it should... but you can fiddle with it...
as well, as the others said, port 1 on the router is port 4 in the script...
good luck..
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 05 Oct 2008 Posts: 666 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Thu Sep 08, 2022 21:25 Post subject:
Thanks for all the help. Sorry, I couldn't get it to work.
I tried all afternoon and evening, but no dice.
Inserted in the startup script with slight variations during testing:
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"
swconfig dev switch0 vlan 30 set ports "2 6t"
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 30
ifconfig eth1.30 192.168.30.1 netmask 255.255.255.224
Tried with a bridge (br30) and without as well.
Set up the required DHCP server for 192.168.30.1/27 in the GUI without problems.
Yet, I couldn't get a spare Linux laptop connected to VLAN port 3 through the Zyxel PoE switch to get an IP in the VLAN subnet ...
The output from swconfig dev switch0 show:
root@R7800:~# swconfig dev switch0 show
Global attributes:
enable_vlan: 1
enable_mirror_rx: 0
enable_mirror_tx: 0
mirror_monitor_port: 0
mirror_source_port: 0
disable_all_leds: ???
arl_age_time: 300
arl_table: address resolution table
...
Port 2: MAC 00:26:55:xx:xx:xx <---- the MAC of the laptop connected to router port 3 through the Zyxel switch.
....
In the end I had to remove all changes and do a hard reset on almost all of my Raspberry Pi clients to make everything work again (I do also have a backup from right before the VLAN trial, which I can use if there are problems).
Next time I'd better shut down all clients before starting any VLAN trial. They obviously didn't like the frequent network restarts.
The filesystems of the thumb drive on the R7800 (with a jffs and an optware partition) required cleaning (Disks utility in Linux). It occasionally doesn't survive restarts of the router without the filesystems becoming damaged, despite an unmount script.
Joined: 05 Oct 2008 Posts: 666 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Fri Sep 09, 2022 8:12 Post subject:
Thanks both. Per Yngve's correction should be very helpful. I can see how omitting that would break the network. It may have been missing from examples that I went by but I suppose adding the reset command made it necessary.
ho1Aetoo wrote:
This also cannot work if that one firewall rule is missing.
What I posted above definitely works.
However, it is missing the two firewall rules for NAT and isolation.
I use the following rules
Code:
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
first line is to give a NAT to the vlan
second line is to deny access br to br
I already have two bridges in use (for two VAPs) and no explicit FORWARD rules for bridges like you give above. In the GUI one can choose net isolation. I haven't checked what rule that adds, but I did check, using a network app on my phone connected to the respective VAPs, that it works. At least that was my conclusion.
I get the idea of the -D FORWARD. In my current firewall rules there's one for every rule.
I'll try adding your rules, of course, next time I try. There's another user on this network, and breaking it causes issues with TV reception using Chromecast and more.
My attempts faltered when I couldn't get a test client connected to port 2 via a switch to get an IP from the VLAN's DHCP server, even though its MAC was listed for port 2. I expected DHCP to work despite firewall rules and internet connectivity. And then take care of the rest later.
You say the first rule is to give a nat to the vlan. However, as the rule doesn't even mention vlan, I don't get it, or how my network currently works without it.
There's a lot in my firewall script already. FWIW, omitting the -D equivalents (DNS0_IPv4 is my PiHole & Unbound DNS server):
# Allow DNS requests from 'ValIoT' VLAN to DNS server on main LAN
iptables -I FORWARD -i br1 -d $DNS0_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d $DNS0_IPv4 -p udp --dport 53 -j ACCEPT
# Allow DNS requests from 'Gasten' VLAN to DNS server on main LAN
iptables -I FORWARD -i br2 -d $DNS0_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br2 -d $DNS0_IPv4 -p udp --dport 53 -j ACCEPT
# PREROUTING: Force DNS requests (port 53) by any LAN client to any target address
# - other than to the PiHole DNS server itself -
# to the PiHole DNS server, where ! -s $DNS0_IPv4 is to prevent looping.
iptables -t nat -I PREROUTING -i br0 -p tcp ! -s $DNS0_IPv4 ! -d $DNS0_IPv4 --dport 53 -j DNAT --to $DNS0_IPv4
iptables -t nat -I PREROUTING -i br0 -p udp ! -s $DNS0_IPv4 ! -d $DNS0_IPv4 --dport 53 -j DNAT --to $DNS0_IPv4
# Block DoH requests to Cloudflare and Google DNS servers
iptables -I FORWARD -p tcp -d 1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 --dport 443 -j REJECT --reject-with tcp-reset
I have not seen any need to reset, except for Marvell devices.
vlan 2 is missing.
swconfig dev switch0 vlan 2 set ports "0 5"
vlan 2 is automatically there by default, or at least should be. I think what may be happening in this case is the vlan reset is destroying it right off the bat.
Try removing this line from your startup.
Code:
swconfig dev switch0 set reset
The problem is not the switch reset but that the commands were not taken over 1:1.
In my example I have configured all VLANs and ports correctly.
If ArjenR49 did not configure a WAN port, it was done on his own initiative and not based on my example.
ho1Aetoo wrote:
Code:
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 3 set ports "2 6t"
swconfig dev switch0 set apply
and I use switch reset because I personally don't need VLAN2 and reconfigure that as VLAN7
Also, this is so much clearer because you can see the complete switch configuration without having to search for the information in other posts
@ArjenR49
you are right the line "iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE" is not needed.
I thought it was needed because I have it in my firewall rules anyway, and when I disabled it DHCP no longer worked.
But that had another reason.
Without "bridge assignment" in the networking tab it always deletes the VLAN assignment when you save something in the Command tab.
Therefore the assignment in the GUI is important (if it should work stable).
And without extra bridge I didn't get any DHCP addresses.
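The two posts above turn on the same point: `swconfig dev switch0 set reset` throws away the whole VLAN table, so every VLAN the router needs has to be declared again before `set apply`, VLAN 2 for the WAN included. The helper below is an added example, not code from the thread or from DD-WRT. It takes a map in its own "VID:ports" notation (a trailing `t` marks a tagged member, e.g. `"3:2 6t"`), checks it the way a practitioner would before pasting it into Save Startup, and prints the `swconfig` lines in the same shape as the scripts posted above. The port roles it assumes are taken from those commands and the usual R7800 layout: switch ports 1-4 are the LAN jacks in reverse order (the jack marked 3 is switch port 2), port 5 is the WAN jack, and 0 and 6 are the CPU ports behind eth0 and eth1.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: check a swconfig VLAN
# map for the R7800 before 'swconfig dev switch0 set apply'.
#
# Assumed port roles (taken from the commands posted above and the usual
# R7800 layout): switch ports 1-4 are the LAN jacks (jack marked 1 = port 4,
# ... jack marked 4 = port 1), port 5 is the WAN jack, ports 0 and 6 are the
# CPU ports behind eth0 and eth1. A map is given as "VID:ports", a trailing
# 't' marks a tagged member, e.g.  "1:1 3 4 6" "2:0 5" "3:2 6t".

PHYS_PORTS="1 2 3 4 5"
CPU_PORTS="0 6"

# member_count KIND PORT SPEC... : number of VLANs in which PORT is a member.
# KIND is 'u' (untagged only), 't' (tagged only) or 'any'.
member_count() {
    kind=$1; port=$2; shift 2
    n=0
    for spec in "$@"; do
        for m in ${spec#*:}; do
            case "$m" in
                "${port}t") if [ "$kind" != u ]; then n=$((n + 1)); fi ;;
                "$port")    if [ "$kind" != t ]; then n=$((n + 1)); fi ;;
            esac
        done
    done
    echo "$n"
}

# check_vlan_map SPEC... : print every problem found, return 1 if there was one.
# 'set reset' wipes the whole table, so a map that forgets VLAN 2 leaves the
# WAN jack (port 5) and its CPU port (0) in no VLAN at all; that is the first
# thing this catches.
check_vlan_map() {
    rc=0
    for p in $PHYS_PORTS; do
        any=$(member_count any "$p" "$@")
        unt=$(member_count u "$p" "$@")
        if [ "$any" -eq 0 ]; then
            echo "port $p is in no VLAN: that jack goes dead after 'set apply'"
            rc=1
        elif [ "$unt" -gt 1 ]; then
            echo "port $p is untagged in $unt VLANs: a port may be untagged in only one"
            rc=1
        fi
    done
    for spec in "$@"; do
        vid=${spec%%:*}
        cpu=0
        for c in $CPU_PORTS; do
            cpu=$((cpu + $(member_count any "$c" "$spec")))
        done
        if [ "$cpu" -eq 0 ]; then
            echo "vlan $vid has no CPU port (0 or 6): the router itself cannot reach it"
            rc=1
        fi
    done
    return $rc
}

# emit_swconfig SPEC... : print the swconfig commands for a map that passed
# the check, in the same shape as the startup scripts above. Pipe into 'sh'
# on the router (or paste into Save Startup) once the output looks right.
emit_swconfig() {
    if ! check_vlan_map "$@" >/dev/null; then
        echo "refusing to emit a broken map; run check_vlan_map for details" >&2
        return 1
    fi
    echo "swconfig dev switch0 set reset"
    echo "swconfig dev switch0 set enable_vlan 1"
    for spec in "$@"; do
        echo "swconfig dev switch0 vlan ${spec%%:*} set ports \"${spec#*:}\""
    done
    echo "swconfig dev switch0 set apply"
}

# Example run: the map from the thread (LAN on VLAN 1, WAN on VLAN 2, the jack
# marked 3 = switch port 2 alone on VLAN 3, tagged towards eth1).
emit_swconfig "1:1 3 4 6" "2:0 5" "3:2 6t"
```

Run `check_vlan_map "1:1 3 4 6" "30:2 6t"` and it reports port 5 (and port 0 is not even a physical jack, so the WAN side of the CPU is gone too), which is the shape of the first attempt in this thread; `emit_swconfig` refuses such a map. A trunk such as `"3:2t 6t" "4:2t 6t"` passes, since a port may be tagged in several VLANs as long as it is untagged in at most one.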
Joined: 05 Oct 2008 Posts: 666 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Fri Sep 09, 2022 12:50 Post subject:
ho1Aetoo wrote:
If ArjenR49 did not configure a WAN port, it was done on his own initiative and not based on my example.
True, but there were also other examples here and there on the forum that I tried to go by.
Today I tried again and followed your steps more exactly, but didn't succeed this time either. There must be something problematic in the order of things as I executed them, which leads to a lockup of the router. I then had to restore working settings from a backup. I tried a few times.
I did use vlan30 instead of vlan3. Maybe that is a problem? As it is, it's not necessary for me to use vlan30, because there was no VLAN3 yet, but I saw others naming VLANs according to the IP space they are to use. For clarity, I assume.
I also used br30 instead of br1 in the commands. The br1 name is free, though, as I renamed the earlier br1 and br2 into brIoT and brGst (which turned out well).
Unfortunately it's not possible to put all changes into place in one go and then reboot.
After a change in one command script, the f/w runs some code. At that moment the other script is still lacking something, and I got locked out half-way.
I'll keep trying later using names vlan3 and br1. At the moment the internet is needed for foreign radio listening ...
My R7800 uses dnsmasq only for DHCP, as I understand it. It is disabled on the Setup, Basic Setup page, but enabled on the Services, Services page. Instead, DNS is handled by a Pi Zero (with a PiVoyager UPS) running PiHole/Unbound.
Maybe the next public build after 50057 will change something. It's no problem reverting the router to a working state if my future attempts at VLAN setup still bring problems, so I'll keep trying when I get a chance.
Joined: 05 Oct 2008 Posts: 666 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Tue Sep 13, 2022 22:43 Post subject:
After trying many times in the GUI, 'apply settings' and rebooting in different phases and order, I got my VLAN on port marked #3 working.
The bridge for eth1.3 and other required settings are done in the GUI. The bridge is called brVL3.
The relevant commands in my startup script are:
# Switch setup commands for VLAN on port marked #3 (i.e. port 2)
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 3 set ports "2 6t"
swconfig dev switch0 set apply
vconfig add eth1 3
brctl addif brVL3 eth1.3
ifconfig eth1.3 up
EDIT 15-9-2022 ---
I added the last command above today, after upgrading to 50176 caused access to my VLAN to break and remain broken after a reboot. All settings on the Setup, Networking page looked correct, esp. the Current Bridging Table.
Apply Settings made access to the VLAN work again. Applying settings on this page visibly causes the Current Bridging Table to be rebuilt.
As some sources include neither the ifconfig eth1.3 up nor the brctl addif brVL3 eth1.3, I had taken the liberty of trying without them first.
Without the brctl the VLAN worked, but the bridging table sometimes lost the line for brVL3 and needed rebuilding by Apply Settings when changes were made elsewhere in the GUI. The brctl line appeared to solve that problem.
END EDIT ---
EDIT 23-09-2022:
After setting up the R7800 anew from scratch (after nvram erase), eth1.30 was to be changed to VLAN30. So the relevant lines in the startup script are now as follows:
# Switch setup commands for VLAN on port marked #3 (i.e. port 2)
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 3 4 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 30 set ports "2 6t"
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 30
brctl addif brVL3 vlan30
ifconfig vlan30 up
# Allow DNS requests from eth1.3 VLAN to DNS server on main LAN
iptables -I FORWARD -i brVL3 -d $DNS0_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i brVL3 -d $DNS0_IPv4 -p udp --dport 53 -j ACCEPT
This setup appears successful, however ...
whenever Net isolation for brVL3 is enabled, I cannot access the servers on the VLAN from my laptop on the main network. The 4 servers, btw, run distributed scientific computing tasks folding@home and several BOINC projects.
Of course this is how it is supposed to be, but I'd like to make an exception for my laptop for administrative purposes. The PoE switch connected to port 3 of the router only has 5 ports, so I cannot just plug in my laptop into a spare port on the PoE switch.
Currently I have to disable net isolation to gain access to the servers.
I'm planning to find out and try the proper iptables rule to allow the laptop on 192.168.1.2 access to the VLAN (192.168.30.1/27), but in the meantime I will gladly take suggestions.
As a minimum I need RealVNC access, which uses TCP on port 5900.
In an ssh session to the router I should be able to execute and test iptables commands (and delete them if they don't work), without having to reboot the router for each change.
Last edited by ArjenR49 on Fri Sep 23, 2022 19:15; edited 2 times in total
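The exception the last post asks for, as an added example that is not part of the original thread or of DD-WRT: one admin hole through net isolation so the laptop on the main LAN can open RealVNC (tcp/5900) towards the isolated VLAN, while hosts on the VLAN still cannot start anything towards the main LAN. The names and addresses (br0, brVL3, 192.168.30.0/27, 192.168.1.2) come from the post; the one assumption is that the GUI's net-isolation rules live in the iptables FORWARD chain and the firewall script runs after them, so a rule inserted with `-I` is evaluated first. It uses the same `-D` then `-I` idiom as the firewall rules quoted earlier in the thread, so running it twice does not pile up duplicates.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: one admin exception
# through net isolation so the laptop on the main LAN can open RealVNC
# (tcp/5900) to the isolated VLAN, while hosts on the VLAN still cannot
# start anything towards the main LAN.
#
# Names and addresses come from the last post above: main LAN bridge br0,
# VLAN bridge brVL3 with 192.168.30.0/27, laptop 192.168.1.2. Assumed, not
# stated in the thread: the GUI's net-isolation rules sit in the iptables
# FORWARD chain and the firewall script runs after them, so a rule inserted
# with -I is evaluated first.

ADMIN_IP=${ADMIN_IP:-192.168.1.2}
LAN_BR=${LAN_BR:-br0}
VLAN_BR=${VLAN_BR:-brVL3}
VLAN_NET=${VLAN_NET:-192.168.30.0/27}
VNC_PORT=${VNC_PORT:-5900}

# vnc_rules : the two rule bodies (chain name first), one per line. Kept in
# one place so the -D and -I below always refer to exactly the same rule.
vnc_rules() {
    # laptop -> VLAN: every packet of a VNC session the laptop opened.
    # No '--state NEW' here: the later packets of the session have to get
    # past the isolation rule too, and source address plus port pin it down.
    echo "FORWARD -i $LAN_BR -o $VLAN_BR -s $ADMIN_IP -d $VLAN_NET -p tcp --dport $VNC_PORT -j ACCEPT"
    # VLAN -> laptop: only replies belonging to such a session. A VLAN host
    # sending its own SYN from source port 5900 is still NEW and still dropped.
    echo "FORWARD -i $VLAN_BR -o $LAN_BR -s $VLAN_NET -d $ADMIN_IP -p tcp --sport $VNC_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_vnc_rules [IPTABLES_CMD] : delete any earlier copy, then insert at
# the top of FORWARD ahead of the isolation rules. Pass 'echo' to preview
# the commands instead of running them.
apply_vnc_rules() {
    ipt=${1:-iptables}
    vnc_rules | while IFS= read -r rule; do
        # word-splitting $rule into separate arguments is intended
        $ipt -D $rule 2>/dev/null || true
        $ipt -I $rule
    done
}

# remove_vnc_rules [IPTABLES_CMD] : undo, handy while testing over ssh.
remove_vnc_rules() {
    ipt=${1:-iptables}
    vnc_rules | while IFS= read -r rule; do
        $ipt -D $rule 2>/dev/null || true
    done
}

# Preview. On the router call apply_vnc_rules with no argument (or put that
# call in the firewall script so it survives a restart).
apply_vnc_rules echo
```

From an ssh session, `apply_vnc_rules` and `remove_vnc_rules` can be run and re-run without a reboot; `iptables -L FORWARD -n --line-numbers | head` should then show the two ACCEPT rules above the isolation rules for brVL3. The existing DNS ACCEPT rules for brVL3 in the startup script are untouched, and nothing else on the VLAN gains a path to the main LAN.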