Posted: Mon Jan 13, 2025 19:56 Post subject: TP-Link ARCHER-A7 v5 with Vlan
Hi, I was out of the game for a few years, back yesterday and made an error: flashed the router with pulled FW DD-WRT v3.0-r59156 std (01/12/25).
I'd like to configure Vlans on it.
Can you please point me to the best FW for this purpose? And is there anything specific to do to roll back from r59156?
Thank you.
Posted: Tue Jan 14, 2025 2:59 Post subject: TP-Link A7 V5 VLAN firewall commands
Hi, I created br1; br0 is the default bridge. Reading the forums, I collected these commands. Firewall settings are not my cup of tea. Please, can you see if these are correct and whether something is missing? Thank you!
Posted: Tue Jan 14, 2025 4:20 Post subject: Re: TP-Link A7 V5 VLAN firewall commands
strobes wrote:
Hi, I created br1; br0 is the default bridge. Reading the forums, I collected these commands. Firewall settings are not my cup of tea. Please, can you see if these are correct and whether something is missing? Thank you!
Those may work fine, but you will probably need DNS and DHCP allowed. Here are mine; I have three VLANs assigned to br1-3.
I assume you created a VLAN already and it is assigned to br1?
_________________
- Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: WDS-AP, VLANs, Samba, WG, Entware - r59429
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk over 5ghz - r59171
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r59171
- Linksys MX4300 (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r59451
- Linksys MR7350: WDS Station for extended Ethernet r59451
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 40, 10 RPis (2,3,4,5), 23 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.
Posted: Tue Jan 14, 2025 19:09 Post subject: Re: TP-Link A7 V5 VLAN firewall commands
lexridge wrote:
I assume you created a VLAN already and it is assigned to br1?
Yes, I created br1 with a dedicated DHCP server. This should be exclusively for IoT.
br0 is the default bridge.
The idea is that br0 and br1 both have access to the internet, but all communication between br0 and br1 is blocked unless initiated from br0.
My router is connected to the WAN and is the only router on the network. Do I want to drop ports 53 and 67 for all bridges? I guess I'm missing something, sorry.
Here is my interpretation of the collected firewall rules.
deny the IoT network access to any other networks, br0 in my case
iptables -I FORWARD -i br1 -o br+ -j DROP
allow br0 (private network) access to any other networks, br0 in my case
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Still working to understand the last two lines that push the established rules to the top.
Your rules are redundant and unnecessary.
The first rule blocks traffic between all bridges.
The second rule blocks again what is already blocked, and the third allows traffic again.
One rule is enough:
iptables -I FORWARD -i br1 -o br+ -j DROP
Incidentally, common firewall rules are also explained in the VLAN sticky.
Thank you, I found the sticky. Testing rules now based on the commands below. Just to mention: it looks like I need to "Edit" + "Save Firewall" twice before I'll see the 5 GHz WiFi SSID broadcast. Otherwise only the 2.4 GHz SSID is visible?
## block connections from br1 to br0
## connection from br0 to br1 possible
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
## block connections from br2 to br0
## connection from br0 to br2 possible
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT
## block connections from br1 to br2
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
## block connections from br2 to br1
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT
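The two rule sets in this thread (the `-I FORWARD ... -j DROP` variant with the RELATED,ESTABLISHED reshuffle, and the pairwise `--state NEW -j REJECT` variant above) are hand-written for two or three bridges. The script below is an added example, not code from the thread or from DD-WRT, that generates the same kind of rule set for any number of isolated bridges. It assumes br0 is the trusted LAN bridge, every bridge passed as an argument is an isolated (IoT/guest) bridge, and the router itself is the DHCP and DNS server on those bridges, which is why lexridge's note about allowing DNS and DHCP is handled in the INPUT chain. Internet access from every bridge is left to DD-WRT's existing FORWARD rules and is not touched here.

```shell
#!/bin/sh
# Added example (not from the thread): emit DD-WRT iptables rules that isolate
# guest/IoT bridges from the trusted bridge and from each other.
# Assumptions (labelled here, not stated in the thread): br0 is trusted, every
# bridge named on the command line is isolated, and the router serves DHCP
# (udp/67) and DNS (udp+tcp/53) to those bridges.

TRUSTED=br0

# forward_rules ISO "ISO1 ISO2 ..." : FORWARD rules for one isolated bridge.
# Matching only NEW connections means replies to connections opened from br0
# are still allowed, so the RELATED,ESTABLISHED rule does not have to be moved.
forward_rules() {
    iso=$1
    others=$2
    echo "iptables -I FORWARD -i $iso -o $TRUSTED -m state --state NEW -j REJECT"
    for o in $others; do
        if [ "$o" = "$iso" ]; then
            continue
        fi
        echo "iptables -I FORWARD -i $iso -o $o -m state --state NEW -j REJECT"
    done
}

# input_rules ISO : traffic from the isolated bridge to the router itself.
# Because -I inserts at the top of the chain, the DROP is emitted first so
# that the three ACCEPTs end up above it once all commands have run.
input_rules() {
    iso=$1
    echo "iptables -I INPUT -i $iso -m state --state NEW -j DROP"
    echo "iptables -I INPUT -i $iso -p udp --dport 67 -j ACCEPT"
    echo "iptables -I INPUT -i $iso -p udp --dport 53 -j ACCEPT"
    echo "iptables -I INPUT -i $iso -p tcp --dport 53 -j ACCEPT"
}

# all_rules br1 br2 ... : complete rule set for the given isolated bridges.
all_rules() {
    for b in "$@"; do
        forward_rules "$b" "$*"
        input_rules "$b"
    done
}

# rule_count br1 br2 ... : number of emitted lines, as a sanity check.
# For n isolated bridges this is n*(n-1) pairwise REJECTs + n REJECTs toward
# br0 + 4n INPUT rules.
rule_count() {
    all_rules "$@" | wc -l | tr -d ' '
}

# Usage on the router: sh gen_rules.sh br1 br2 | sh
# or paste the printed lines into Administration -> Commands -> Save Firewall.
if [ "$#" -gt 0 ]; then
    all_rules "$@"
fi
```

Because every command uses `-I`, the order in which the lines are executed is the reverse of the order in which they end up in the chain; the script only relies on that for the INPUT chain, where the DNS/DHCP ACCEPTs must sit above the DROP. The REJECT lines are order-independent among themselves since each matches a distinct interface pair. Check the result on the router with `iptables -L FORWARD -v -n` and `iptables -L INPUT -v -n`.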
Are you sure that the WLAN is configured correctly and no auto-channel or similar garbage is configured?
My changes were specific to VLANs and the WiFi SSID / WiFi security, to enable the wireless networks on the appropriate bridges, with the intention of keeping the defaults as much as possible.
I can tell that saving the firewall rules causes all radios to go off and come back either with or without the 5 GHz SSIDs.
Well, this probably happens because all kinds of services are restarted when you press "apply" somewhere or edit firewall rules in the administration tab.
As I said, these iptables rules have no influence on the hostapd process that starts and controls the radios.
If the radios do not start reliably, this is due to something else.
Well, I have 3 bridges and 5 SSIDs, firewall settings and other stuff. I can piecemeal it publicly, but to be effective in checking for bugs, does it make sense to dump the entire config file, if one exists? But in private. It's my network after all.
The configuration entries in the nvram are not sorted; you would have to search through several thousand lines for everything, and I'm not that bored.
Configurations are usually posted as screenshots here in the forum.
The only private settings are MAC addresses, passwords, SSIDs and access data, and these are usually not needed and can be masked.
Wondering in case I want to move to a next build, is it possible to export / import config?
Anyway, here is my config related to the switch config, VLANs (3 bridges) and WiFi setup: two 2.4 GHz and three 5 GHz.
And firewall: