Posted: Wed Dec 13, 2023 9:13 Post subject: VLAN configuration via GUI - 1 CPU port
The thread is valid for all newer firmware builds ≥ 54429
At the moment the thread is mainly for Broadcom routers with 1 CPU port, but the settings also work for other routers with 1 CPU port.
Note: on Broadcom routers the interfaces eth1 + eth2 are the WLAN radios and not LAN interfaces.
The VAPs (Virtual Access Points) on this router are called wl0.1, wl0.2, etc.
If you have old CLI VLAN settings then remove them first or reset the router.
It is advantageous if you have a working WLAN connection when configuring the switch.
If you lock yourself out and the LAN ports no longer work, you can still connect to the router via WiFi.
The screenshots are from egc's E2000, so the port assignment shown via "swconfig dev switch0 show" may differ on other devices.
The "switch config tab" received a small update and the CPU port is now configurable.
The screenshot shows the "default configuration"
Last edited by ho1Aetoo on Sun Jan 07, 2024 11:29; edited 12 times in total
The settings shown in the screenshots are sufficient.
The GUI setting "Net Isolation" isolates interfaces from br0
This means that no connection between br0 <-> br1 is possible.
However, if you have created several new bridges and want a more finely controlled isolation, manual firewall settings are necessary.
As already mentioned, "Net Isolation" only isolates against br0, which means that br1 and br2, for example, are not isolated from each other.
Manual firewall rules for isolation.
Insert the firewall rules in the "Diagnostics.asp" tab. (For a trunk port setup with a WAP, the rules are placed on the main router!)
## block connections from br1 to br0
## connection from br0 to br1 possible
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
## block connections from br2 to br0
## connection from br0 to br2 possible
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT
## block connections from br1 to br2
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
## block connections from br2 to br1
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT
Last edited by ho1Aetoo on Wed Dec 20, 2023 12:46; edited 2 times in total
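As an added example (not part of ho1Aetoo's post or of DD-WRT itself), the following shell script generalizes the four rules above to any number of bridges given as arguments: each bridge is blocked from opening new connections toward br0 and toward every other listed bridge, while br0 may still initiate toward all of them. The `--apply` mode assumes the router's iptables supports `-C`, so that re-running the script from the firewall script does not stack duplicate rules.

```shell
#!/bin/sh
# Added example: pairwise bridge isolation rules in the style of the post.
# Only NEW connections are rejected, so replies on established connections
# initiated from br0 still pass.

# Print the REJECT rules for the bridges given as arguments (e.g. br1 br2).
# For n bridges this yields n one-way blocks toward br0 plus n*(n-1)
# pairwise blocks between the listed bridges.
gen_isolation_rules() {
    for src in "$@"; do
        # block new connections from $src toward br0 (br0 -> $src stays open)
        echo "iptables -I FORWARD -i $src -o br0 -m state --state NEW -j REJECT"
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            # block new connections between two non-br0 bridges
            echo "iptables -I FORWARD -i $src -o $dst -m state --state NEW -j REJECT"
        done
    done
}

# Number of rules that gen_isolation_rules produces for the given bridges.
count_isolation_rules() {
    gen_isolation_rules "$@" | wc -l | tr -d ' '
}

# Insert a generated rule only if it is not already present in FORWARD.
# Assumes iptables supports -C (check); the check is a hypothetical
# addition, not something the post relies on.
apply_rule() {
    rule_args=${1#"iptables -I FORWARD "}
    # shellcheck disable=SC2086  # intentional word splitting of rule_args
    iptables -C FORWARD $rule_args 2>/dev/null || iptables -I FORWARD $rule_args
}

# Usage: ./isolate.sh --apply br1 br2 br3   (without --apply, rules are only printed)
if [ "${1:-}" = "--apply" ]; then
    shift
    gen_isolation_rules "$@" | while IFS= read -r rule; do apply_rule "$rule"; done
elif [ "$#" -gt 0 ]; then
    gen_isolation_rules "$@"
fi
```

With `br1 br2` as arguments the script prints exactly the four rules from the post; with three bridges it prints nine.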