Posted: Wed Feb 15, 2023 2:58 Post subject: Routing problem - specific to Marvell? (maybe about vlan)
I have 2 different installations - in two different locations (actually in different countries). For simplicity of my life I try to keep the network configurations as close to identical as (reasonably) possible. However, one difference is the router - one is a Netgear R7000 and the other one is a Linksys WRT1900ACSv2 (on 51306). The R7000 location has no problem. The Linksys location has a problem.
I use vlans in both locations. The R7000 has been running for over a year. I just set up the Linksys over the last week or two. Yes, I know about the vlan differences for Marvell. And I have studied every line in this thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317199
And let me offer my ETERNAL thanks to @SurprisedItWorks and @TheDude1864. Thank you and wow!
My startup commands, only for the Linksys site:
Code:
# vlans do not work by the gui for marvell cpu routers - like wrt1900acs
# https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317199&postdays=0&postorder=asc&start=30
# SJS modified Feb 2023, to just have 1 port on vlan3.
# note: ports 5 and 6 are virtual ports representing the 2 cpu's in the router
#
# split the LAN on the port 6 cpu into eth1 (untagged) and vlan3 (tagged)
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
# vlans 1 and 2 connect eth1 and eth0 to the correct ports
swconfig dev switch0 vlan 1 set ports "6 0 1 2"
swconfig dev switch0 vlan 2 set ports "5 4"
# a new vlan 3 interface will handle the remaining ports
swconfig dev switch0 vlan 3 set ports "6t 3"
swconfig dev switch0 set apply
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 3
ifconfig vlan3 up
brctl addif br1 vlan3
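As an added example (not from the original post or from dd-wrt), here is a small Python checker that parses the swconfig/vconfig startup block above and reports inconsistencies: a VLAN tagged towards a CPU port must have its vconfig interface created on that CPU's Ethernet device, and an untagged physical port should belong to only one VLAN. It assumes the CPU-port mapping given in the comments above (port 5 is eth0, port 6 is eth1); the sample input is the startup block itself.

```python
import re

# CPU (virtual) switch ports and the Linux interface behind each one,
# as stated in the startup-command comments (assumption for other boards).
CPU_PORTS = {5: "eth0", 6: "eth1"}

VLAN_RE = re.compile(r'^swconfig dev \S+ vlan (\d+) set ports "([^"]*)"$')
VCONFIG_RE = re.compile(r'^vconfig add (\S+) (\d+)$')

# Sample input: the startup commands from the post above.
STARTUP = '''
swconfig dev switch0 vlan 1 set ports "6 0 1 2"
swconfig dev switch0 vlan 2 set ports "5 4"
swconfig dev switch0 vlan 3 set ports "6t 3"
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
vconfig add eth1 3
'''


def parse_switch_config(text):
    """Return ({vid: {port: tagged?}}, {vid: parent interface}) from the commands."""
    vlans, vconfigs = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        m = VLAN_RE.match(line)
        if m:
            ports = m.group(2).split()
            vlans[int(m.group(1))] = {int(p.rstrip("t")): p.endswith("t") for p in ports}
            continue
        m = VCONFIG_RE.match(line)
        if m:
            vconfigs[int(m.group(2))] = m.group(1)
    return vlans, vconfigs


def check_switch_config(text):
    """List problems that would leave a VLAN unreachable from the router."""
    vlans, vconfigs = parse_switch_config(text)
    problems, untagged_owner = [], {}
    for vid, members in sorted(vlans.items()):
        cpu = [p for p in members if p in CPU_PORTS]
        if not cpu:
            problems.append(f"vlan {vid}: no CPU port, router cannot reach it")
        for p in cpu:
            # Tagged towards the CPU: frames arrive on ethN with tag vid, so a
            # vconfig interface must exist on exactly that parent device.
            if members[p] and vconfigs.get(vid) != CPU_PORTS[p]:
                problems.append(f"vlan {vid}: tagged on CPU port {p}, vconfig parent "
                                f"is {vconfigs.get(vid)}, expected {CPU_PORTS[p]}")
        for p, tagged in members.items():
            if p in CPU_PORTS or tagged:
                continue
            if p in untagged_owner:
                problems.append(f"port {p}: untagged in vlan {untagged_owner[p]} and {vid}")
            untagged_owner[p] = vid
    return problems
```

Running `check_switch_config(STARTUP)` on the block above returns no problems; the check only covers the switch-side setup, so a routing-level issue such as the one described below would need packet tracing rather than this script.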
My vlans are working - no problems with the vlans in either location. All devices on each vlan can be pinged, and can access the internet. I mention the vlans because, although the IP addresses are identical in my 2 locations, the way the vlans were setup are different (as per the link and code above).
Here is the problem:
My router is 192.168.9.1. One of the Ethernet devices connected to it is at 192.168.33.11, which is set up on vlan3. The 33.11 device can be pinged, can be ssh'd into, and can serve up HTTP pages - for any device on the 9.x subnet, including the router. All good so far. The 33.11 device also shows as connected in the Router's Status->LAN tab. The 33.11 device can access the internet. It seems the 33.11 (it is the only device on vlan3) is connected and working fine....
I need the 192.168.33.11 device to serve out to the internet, via a wireguard tunnel and some port-forwarding. Note: this is working in my R7000 location (same addresses) for the last 18 months. The wireguard tunnel (oet2) is delivering the incoming IP packets.
Here are the routes, first PREROUTING with DNAT, then the FORWARD.
But in the Linksys site, the packets NEVER get to the FORWARD chain.
Code:
root@magnest:~# iptables -v -t filter -L FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
6 0 0 ACCEPT tcp -- any any anywhere 192.168.33.11 tcp dpt:8011
At the Linksys site, the counter in the FORWARD chain stays at zero; in the R7000 site that rule in the FORWARD chain gets hit (counter increases) and the packets get delivered to 33.11. In the Linksys site no packets get to 33.11. All routes are IDENTICAL in both sites. However, they work in the R7000 site, but they do not work in the Linksys site.
Is there some reason with the manually created vlans in Linksys that the routes need to be different? The only difference I can see is that vlan3 is "tagged" in the Linksys site.
Assigning a tagged VLAN to a port adds that port to the VLAN, but all ingress and egress traffic must be tagged with the VLAN ID in order to be forwarded.
That could potentially explain it. I mean, if the incoming traffic (on oet2) is not getting tagged, then according to that quote above, it will not FORWARD to vlan3. I am not explicitly "tagging" anything. And what I am seeing is that it does not get forwarded..... So it seems like it
But I have not enough expertise to comment much further, or to take that above information and somehow apply it to solve my problem. Anyone who does, please help.
After a quick conversation about it with my friend ChatGPT, I am testing with this addition to my routes:
With respect, I do not need a different IP addressing plan.
Site A and Site B are completely 100% unrelated to each other. They never route to each other. The tunnels are NOT from Site A to Site B. The two sites are unaware of the existence of the other. The only common thing is - me. That is, I set up both and I support the IT in both.... think of it as both are "my clients"... even though it is more as a favor and no money exchanges hands.
The only problem is in the Linksys site. And the only problem in the Linksys site is that - incoming packets (that come from the internet via the oet2 tunnel ) - in step 1 of 2 - they DO correctly hit the PREROUTING rule in the nat table (changes destination address to 192.168.33.11). But then in step 2 of 2 they do NOT hit the FORWARD rule after that.
In the other site, only described here for comparison, the incoming packets (via oet2 tunnel ) first hit - step 1 of 2 - the rule in the nat table, and then they also - step 2 of 2 - hit the FORWARD rule.
So, as it works in one site but not in the other, what are the differences? The answer is: the destination address 192.168.33.11 exists on vlan3 in both sites, BUT vlan3 and the other vlans are set up differently in each of the two sites. One site is a Marvell router.
For some unknown reason, after the incoming packets successfully get DNAT-ed in the nat table, I cannot find those packets anywhere. I cannot find them being DROPped anywhere. They are not dropped in FORWARD. And they hit no other rules, I mean rules that they should hit.... It is doing my head in... What am I missing here?