TP-Link ARCHER-A7 v5 with Vlan

strobes
DD-WRT Novice


Joined: 17 Aug 2007
Posts: 31

PostPosted: Mon Jan 13, 2025 19:56    Post subject: TP-Link ARCHER-A7 v5 with Vlan
Hi, I was out of the game for a few years, came back yesterday and made an error: I flashed the router with the pulled FW DD-WRT v3.0-r59156 std (01/12/25).
I'd like to configure VLANs on it.
Can you please point me to the best FW for this purpose? And is there anything specific to rolling back from r59156?
Thank you.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 15535
Location: Texas, USA

PostPosted: Mon Jan 13, 2025 20:19
https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2025/01-10-2025-r59093/tplink_archer-a7-v5/

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=335568

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
strobes
DD-WRT Novice


Joined: 17 Aug 2007
Posts: 31

PostPosted: Tue Jan 14, 2025 2:59    Post subject: TpLink A7 V5 Vlan firewall commands
Hi, I created br1; br0 is the default bridge. Reading the forums I collected these commands. Firewall settings are not my cup of tea. Please, can you see if these are correct and whether something is missing? Thank you!

iptables -I FORWARD -i br+ -o br+ -j DROP
iptables -I FORWARD -i br1 -o br+ -j DROP
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1837
Location: WV, USA

PostPosted: Tue Jan 14, 2025 4:20    Post subject: Re: TpLink A7 V5 Vlan firewall commands
strobes wrote:
Hi, I created br1; br0 is the default bridge. Reading the forums I collected these commands. Firewall settings are not my cup of tea. Please, can you see if these are correct and whether something is missing? Thank you!


Those may work fine, but you will probably need DNS and DHCP allowed. Here are mine; I have three VLANs assigned to br1-3.
Code:
iptables -I INPUT -i br+ -j REJECT
iptables -I INPUT -i br3 -j ACCEPT
iptables -I INPUT -i br0 -j ACCEPT
# Allow DNS and DHCP
iptables -I INPUT -i br+ -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I INPUT -i br+ -p tcp -m multiport --dports 53,67 -j ACCEPT
# Block all communications between bridges except br0->* and br3->br0
iptables -I FORWARD -i br+ -o br+ -j REJECT
iptables -I FORWARD -i br3 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -j ACCEPT


I assume you created a vlan already and it is assigned to br1?

_________________
- Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: WDS-AP, VLANs, Samba, WG, Entware - r59429
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk over 5ghz - r59171
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r59171
- Linksys MX4300 (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r59451
- Linksys MR7350: WDS Station for extended Ethernet r59451
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 40, 10 RPis (2,3,4,5), 23 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.

- Forum member #248
strobes
DD-WRT Novice


Joined: 17 Aug 2007
Posts: 31

PostPosted: Tue Jan 14, 2025 19:09    Post subject: Re: TpLink A7 V5 Vlan firewall commands
lexridge wrote:
I assume you created a vlan already and it is assigned to br1?


Yes, I created br1 with a dedicated DHCP. This should be exclusively for IoT.
br0 is the default bridge.
The idea is that br0 and br1 have access to the internet, but all communication between br0 and br1 is blocked unless initiated from br0.
My router is connected to the WAN and is the only router on the network. Do I want to drop ports 53, 67 for all bridges? I guess I'm missing something, sorry.

Here is my interpretation of the collected firewall rules.

block anything
iptables -I FORWARD -i br+ -o br+ -j DROP

deny iot network access to any other networks, br0 in my case
iptables -I FORWARD -i br1 -o br+ -j DROP

allow br0 (private network) access to any other networks, br0 in my case
iptables -I FORWARD -i br0 -o br+ -j ACCEPT

push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Still working to understand the last two lines that push the established rule to the top.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3452
Location: Germany

PostPosted: Tue Jan 14, 2025 19:25
Your rules are redundant and unnecessary.
The first rule blocks traffic between all bridges.
The second rule blocks again what is already blocked, and the third allows traffic again.

One rule is enough:
iptables -I FORWARD -i br1 -o br+ -j DROP

does exactly the same in just one rule...

Incidentally, common firewall rules are also explained in the VLAN sticky

_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)

Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
strobes
DD-WRT Novice


Joined: 17 Aug 2007
Posts: 31

PostPosted: Thu Jan 16, 2025 21:10
ho1Aetoo wrote:
Incidentally, common firewall rules are also explained in the VLAN sticky


Thank you, I found the sticky. Testing rules now based on the commands below. Just to mention: it looks like I need to "Edit" + "Save Firewall" twice before I'll see the 5 GHz WiFi SSID broadcast. Otherwise only the 2.4 GHz SSID is visible?

## isolate bridges from the router itself (prevents WebIF/GUI access)
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -m state --state NEW -j REJECT
iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p tcp --dport 53 -j ACCEPT

## block connections from br1 to br0
## connection from br0 to br1 possible
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT

## block connections from br2 to br0
## connection from br0 to br2 possible
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT

## block connections from br1 to br2
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
## block connections from br2 to br1
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT
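To make two points from this thread concrete, ho1Aetoo's observation that the first three FORWARD rules collapse to one, and the `--state NEW` form of the sticky rules in the post above, here is an added example that is not from the thread, the sticky, or DD-WRT: a small Python model of how iptables walks a chain (first match wins, `-I` inserts at position 1, `-D` removes the first identical rule). It assumes that DD-WRT's FORWARD chain already carries a RELATED,ESTABLISHED accept (the rule strobes' `-D`/`-I` pair moves back to the top), that the WAN interface is called eth0, and that the chain policy is ACCEPT so only the posted rules decide; all traffic in it is constructed. It is a simulation, not a substitute for reading the real chain with `iptables -L FORWARD -v -n` on the router.

```python
"""Model of how iptables walks a chain: the first matching rule decides, and `-I`
inserts at position 1, so a script of -I lines lands in the chain in reverse order.
Added example for this thread: a simulation, not real iptables or DD-WRT code."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Rule:
    target: str                           # ACCEPT, DROP or REJECT
    in_if: Optional[str] = None           # -i; a trailing '+' is a prefix wildcard (br+)
    out_if: Optional[str] = None          # -o
    proto: Optional[str] = None           # -p
    dports: FrozenSet[int] = frozenset()  # --dport / -m multiport --dports
    states: FrozenSet[str] = frozenset()  # -m state --state; empty = not a stateful rule

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: Optional[str] = None          # None for traffic addressed to the router itself (INPUT)
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"

def iface_match(pattern: Optional[str], name: Optional[str]) -> bool:
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name is not None and name.startswith(pattern[:-1])
    return name == pattern

def rule_matches(r: Rule, p: Packet) -> bool:
    return (iface_match(r.in_if, p.in_if) and iface_match(r.out_if, p.out_if)
            and (r.proto is None or r.proto == p.proto)
            and (not r.dports or p.dport in r.dports)
            and (not r.states or p.state in r.states))

@dataclass
class Chain:
    policy: str = "ACCEPT"                # chain default; ACCEPT here is an assumed simplification
    rules: List[Rule] = field(default_factory=list)
    def insert(self, r: Rule) -> "Chain":  # iptables -I: above everything already in the chain
        self.rules.insert(0, r)
        return self
    def delete(self, r: Rule) -> "Chain":  # iptables -D: removes the first identical rule
        self.rules.remove(r)
        return self
    def verdict(self, p: Packet) -> str:   # first match wins, otherwise the policy
        return next((r.target for r in self.rules if rule_matches(r, p)), self.policy)

# Assumed starting point: FORWARD already holds the stateful accept that strobes' -D/-I pair re-tops.
RELATED_ESTABLISHED = Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))

def stock_forward() -> Chain:
    return Chain(rules=[RELATED_ESTABLISHED])

def forward_three_rules() -> Chain:
    """strobes' first set: br+>br+ DROP, br1>br+ DROP, br0>br+ ACCEPT, then re-top the stateful rule."""
    c = stock_forward()
    c.insert(Rule("DROP", in_if="br+", out_if="br+"))
    c.insert(Rule("DROP", in_if="br1", out_if="br+"))
    c.insert(Rule("ACCEPT", in_if="br0", out_if="br+"))
    return c.delete(RELATED_ESTABLISHED).insert(RELATED_ESTABLISHED)

def forward_one_rule() -> Chain:
    """ho1Aetoo's reduction to a single DROP, keeping the same -D/-I re-topping."""
    c = stock_forward().insert(Rule("DROP", in_if="br1", out_if="br+"))
    return c.delete(RELATED_ESTABLISHED).insert(RELATED_ESTABLISHED)

def forward_one_rule_no_retop() -> Chain:
    """The same single DROP without the -D/-I pair: it now sits above RELATED,ESTABLISHED."""
    return stock_forward().insert(Rule("DROP", in_if="br1", out_if="br+"))

def forward_state_new() -> Chain:
    """The sticky's form: REJECT only NEW br1->br0, so its place relative to the stateful rule is irrelevant."""
    return stock_forward().insert(Rule("REJECT", in_if="br1", out_if="br0", states=frozenset({"NEW"})))

def input_sticky_br1() -> Chain:
    """The sticky's INPUT block for br1: REJECT NEW first, then DHCP (udp/67) and DNS (udp+tcp/53) above it."""
    c = Chain().insert(Rule("REJECT", in_if="br1", states=frozenset({"NEW"})))
    c.insert(Rule("ACCEPT", in_if="br1", proto="udp", dports=frozenset({67})))
    c.insert(Rule("ACCEPT", in_if="br1", proto="udp", dports=frozenset({53})))
    return c.insert(Rule("ACCEPT", in_if="br1", proto="tcp", dports=frozenset({53})))

# Constructed traffic for a two-bridge router whose WAN interface is assumed to be eth0.
FORWARD_CASES = [
    Packet("br1", "br0"),                       # IoT opens a connection to the LAN
    Packet("br0", "br1"),                       # LAN opens a connection to IoT
    Packet("br1", "br0", state="ESTABLISHED"),  # IoT's reply inside that LAN-initiated connection
    Packet("br1", "eth0"),                      # IoT to the internet
    Packet("br0", "eth0"),                      # LAN to the internet
]
INPUT_CASES = [
    Packet("br1", None, "tcp", 80),   # IoT host to the router's web GUI
    Packet("br1", None, "udp", 53),   # IoT host DNS query to the router
    Packet("br1", None, "udp", 67),   # IoT host DHCP request
]

def verdicts(chain: Chain, cases: List[Packet]) -> List[str]:
    return [chain.verdict(p) for p in cases]
```

Run `verdicts(forward_three_rules(), FORWARD_CASES)` and `verdicts(forward_one_rule(), FORWARD_CASES)` and they agree on every case, which is ho1Aetoo's point; the chain built by the three-rule script reads ACCEPT, ACCEPT, DROP, DROP from the top, the reverse of the script. The instructive case is `forward_one_rule_no_retop()`: the same single DROP, left above the stateful accept, also drops br1's replies inside a connection that br0 opened, so the `-D`/`-I` pair is doing real work. The sticky's `-m state --state NEW -j REJECT` form does not depend on that ordering at all, and `input_sticky_br1()` shows why the DNS and DHCP accepts have to be inserted after (and therefore land above) the blanket REJECT.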
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3452
Location: Germany

PostPosted: Fri Jan 17, 2025 9:12
I have no idea.
It has nothing to do with the SSID.
The hostapd process runs directly on the router and cannot be influenced with iptables rules.

Are you sure that the WLAN is configured correctly and no auto-channel or similar garbage is configured?

strobes
DD-WRT Novice


Joined: 17 Aug 2007
Posts: 31

PostPosted: Fri Jan 17, 2025 17:31
ho1Aetoo wrote:

Are you sure that the WLAN is configured correctly and no auto-channel or similar garbage is configured?


My changes were specific to VLANs and WiFi SSID / WiFi security, to enable wireless networks on the appropriate bridges, with the intention of keeping defaults as much as possible.
I can tell that saving firewall rules causes all radios to go OFF and come back either with the 5 GHz SSIDs or without.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3452
Location: Germany

PostPosted: Fri Jan 17, 2025 20:27
Well, this probably happens because all kinds of services are restarted when you press "apply" somewhere or edit firewall rules in the administration tab.

As I said, these iptables rules have no influence on the hostapd process that starts and controls the radios.
If the radios do not start reliably, this is due to something else.

And we don't know your exact settings - so who knows

strobes
DD-WRT Novice


Joined: 17 Aug 2007
Posts: 31

PostPosted: Fri Jan 17, 2025 20:56
ho1Aetoo wrote:
And we don't know your exact settings - so who knows

Well, I don't mind sending my configuration in private, just to figure out if it's me or gremlins in the code.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 15535
Location: Texas, USA

PostPosted: Fri Jan 17, 2025 21:22
Post them in this thread, not in PM. Public discussion helps everyone.
strobes
DD-WRT Novice


Joined: 17 Aug 2007
Posts: 31

PostPosted: Fri Jan 17, 2025 21:36
kernel-panic69 wrote:
Post them in this thread, not in PM. Public discussion helps everyone.

Well, I have 3 bridges and 5 SSIDs, firewall settings and other stuff. I can piecemeal it publicly, but to be effective in checking for bugs, does it make sense to dump the entire config file, if one exists? But in private. It's my network after all.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3452
Location: Germany

PostPosted: Sat Jan 18, 2025 9:57
The configuration entries in the nvram are not sorted, you would have to search through several thousand lines for everything, and I'm not bored.

Configurations are usually posted as screenshots here in the forum.

The only private settings are MAC addresses, passwords, SSIDs and access data, and these are usually not needed and can be masked.

strobes
DD-WRT Novice


Joined: 17 Aug 2007
Posts: 31

PostPosted: Mon Jan 20, 2025 0:36
ho1Aetoo wrote:
The configuration entries in the nvram are not sorted, you would have to search through several thousand lines for everything, and I'm not bored.
Configurations are usually posted as screenshots here in the forum.
The only private settings are MAC addresses, passwords, SSIDs and access data, and these are usually not needed and can be masked.


Wondering, in case I want to move to the next build, is it possible to export / import the config?
Anyway, here is my config related to the switch config and VLANs: 3 bridges; WiFi setup: two 2.4 GHz and three 5 GHz.
And the firewall:

iptables -I FORWARD -i br1 -s 192.168.xxx.xxx -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -m state --state NEW -j REJECT
iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p tcp --dport 53 -j ACCEPT

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT

iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT