Posted: Mon Feb 06, 2023 0:14 Post subject: [SOLVED] Frustration VLAN Asus RT-AC68R v3.0-r51576
This has been running the Kong build from 2018 for a long time, but of course that's gone so I thought I'd update it.
Unfortunately I didn't realize I had to copy everything out of both the setup screens and NVRAM before I did it, and have lost my secondary VLAN -- attempting to restore it "best as I remember" has been a ridiculous exercise in frustration leading to lockups and repeated failures.
The configuration I need is a primary SSID on both 2.4g and 5g, which works fine -- it's the secondary "Guest" network that's the problem.
The guest network has a different SSID and PW (of course) and should show up on the same wire as VLAN 3; the gateway has an interface listening there (and the switch knows what to do with it as well.)
I have my own DHCP server and firewall; the local network is on 192.168.10.x for the primary and 192.168.4.x for the guest. The gateway for both is at .200 (along with the DHCP and DNS servers.) No firewall or other services are needed; the AP is connected to a switch which knows about VLAN 3 which is the guest, and it has been working fine.
So basically as long as the AP emits the packets from the secondary SSID on VLAN 3 all is well; both can go over one wire and it's been on LAN port 1 of the AP forever. But the GUI appears to hose this up good, and I've been unable to figure out the proper incantations (either via nvset commands or via the GUI) to get it to work, and what I've tried has locked me out 'hard' and forced me to do a hard reset and start over multiple times.
I've searched through the VLAN configuration stuff I can find but am lost as to what I had set up on Kong's builds and has been working for a long time.
Any pointers on where to start looking appreciated - I'm reasonably sure this was doable without anything other than the GUI config on Kong's stuff, but it's been nearly five years so I could easily be wrong.
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Mon Feb 06, 2023 0:48 Post subject:
It's easy, either use swconfig startup commands or try via GUI... on Broadcom routers works via GUI but best is via commands... and you'd need an extra DHCP on the vlan or on the br...
More to come later, now bed time for me :P
Post as many details as you can, it helps a lot...
> It's easy, either use swconfig startup commands or try via GUI... on Broadcom routers works via GUI but best is via commands... and you'd need an extra DHCP on the vlan or on the br...
> More to come later, now bed time for me :P
> Post as many details as you can, it helps a lot...
Do not need DHCP on the router itself (for either the primary or guest); topology looks like this:
Gateway/firewall [Base and Vlan 3] == Switch [Base and Vlan 3] == Asus AP
The gateway/firewall assigns addresses on both the base and VLAN 3 (as well as handling NAT outbound to the Internet as a whole with appropriate filtering; the Asus box is just an AP, no routing.)
wl0.1 SSID is set for the guest, Masquerade/NAT enabled, unbridged, IP address set to 192.168.4.252/24, AP isolation on.
On the switch configuration page I added the VLAN 3 ID, but if I turn on "tagged" for the LAN port that is in use along with 1 and 3 all communications (not just for the guest network) cease immediately. I can recover if I only turn it on for the one LAN port I'm using for the uplink by moving the cable to one of the others, but obviously that does me no good in terms of it actually working.
On networking I defined "Tagging" for wl0.1 as tag number 3.
I defined br1 and assigned both vlan3 and wl0.1 to it. The bridging table looks like this:
Bridge Name   STP   Interface
br0           no    eth1 eth2 vlan1 vlan2
br1           no    vlan3 wl0.1
I'm missing something from what I had that was working before on the Kong build and when I have br1 up the router locks on me intermittently -- I suspect it's crashing and rebooting but not sure.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Mon Feb 06, 2023 11:01 Post subject:
Moved this thread to the appropriate Broadcom forum.
Attached are my personal notes about using VLANs; maybe they are useful. I use a Broadcom router more or less the same as yours, and setting things up has never been easier.
I was (massively) overthinking it which is where I got tied up in knots putting an address on the secondary interface and such. The one thing that DID have me seriously confused is that I couldn't figure out how to get the trunk port to run untagged for vlan1, as my switch is set up that way (untag primary member, tag everything else), but that's an easy change in the switch config for this specific port. This is something the GUI should support (a "this is primary" checkbox would do it, if the hardware can.)
Thanks; the PDF made it clear enough to figure it out.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Mon Feb 06, 2023 13:31 Post subject:
Glad you solved it.
The DD-WRT GUI actually needs to show the CPU port(s) and should have the ability to have a VLAN with one untagged and one or more tagged ports.
This has been extensively discussed, but as it is easy to use swconfig to manually accomplish all this and the GUI needs a whole rewrite, I fear it is not going to happen anytime soon.