Joined: 29 Nov 2016 Posts: 55 Location: New Mexico
Posted: Wed Jan 01, 2025 23:31 Post subject:
Thanks for the walk-through on mesh. I have mesh working EXCEPT one main issue I want to fix.
- I can't get WAN (internet) access on a "guest/unbridged" VAP on the secondary node. Main effort is to isolate IoT devices, which connect to the secondary node.
I followed the settings on the related wiki. Added the iptables commands, rebooted, but still do not have WAN on the unbridged VAP and am not sure what else to try.
Code:
# Reject new connections from the unbridged VAP into the LAN subnet
iptables -I FORWARD -i wlan1.2 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
# Source-NAT traffic leaving via br0 to this node's LAN address so replies come back here
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Background
I am testing mesh between MR7350 (primary) and R7500v2 (secondary); both on mid-Dec 2024 builds. Soon to be 2x MR7350s when the 2nd one arrives. The mesh is working with WAN access from secondary. I tinkered with 5G, 2G backhauls (individual and simultaneous), and with and without VAPs on backhaul band. Besides the expected performance hits, everything seems OK except unbridged VAP WAN. Minor bug I don't want to chase right now: the 5G radio sometimes went MIA on the R7500v2, but since I'm ditching that router soon I don't want to chase down a root cause.
Updates:
1. I mis-configured the unbridged VAP's DHCP; now it's fixed and assigns IPs to clients from the new subnet; unfortunately, still no WAN access.
Last edited by hatcreek68 on Thu Jan 02, 2025 2:20; edited 1 time in total
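An added example, not the wiki's commands nor hatcreek68's firewall script: it derives the LAN network from nvram-style values (constructed here as 192.168.1.1 / 255.255.255.0), prints the two rules quoted above with that network filled in, and checks a constructed iptables-save dump for both rules, which is a quick way to confirm the rules actually survived a reboot before chasing other causes. `wlan1.2` is the VAP name from the post; every other value is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the DD-WRT wiki): derives the LAN network
# from nvram-style values, prints the two rules from the post, and audits an
# iptables-save dump for them. Values are constructed; on the router substitute
# `nvram get lan_ipaddr` / `nvram get lan_netmask`.
LAN_IP=192.168.1.1       # constructed stand-in for `nvram get lan_ipaddr`
LAN_MASK=255.255.255.0   # constructed stand-in for `nvram get lan_netmask`
GUEST_IF=wlan1.2         # the unbridged VAP interface named in the post
# Dotted-quad netmask -> prefix length; fails on an octet that is not a valid mask
mask2prefix() {
  bits=0
  for o in $(printf '%s' "$1" | tr . ' '); do
    case $o in
      255) bits=$((bits+8)) ;; 254) bits=$((bits+7)) ;; 252) bits=$((bits+6)) ;;
      248) bits=$((bits+5)) ;; 240) bits=$((bits+4)) ;; 224) bits=$((bits+3)) ;;
      192) bits=$((bits+2)) ;; 128) bits=$((bits+1)) ;; 0) ;; *) return 1 ;;
    esac
  done
  echo "$bits"
}
# Network in CIDR form (192.168.1.1 + 255.255.255.0 -> 192.168.1.0/24), which is
# what iptables-save shows for a host/netmask match after iptables normalises it
lan_cidr() {
  prefix=$(mask2prefix "$2") || return 1
  old_ifs=$IFS; IFS=.; set -- $1 $2; IFS=$old_ifs
  echo "$(($1&$5)).$(($2&$6)).$(($3&$7)).$(($4&$8))/$prefix"
}
# The two rules from the post, with the LAN network computed rather than hand-typed
guest_rules() {
  net=$(lan_cidr "$LAN_IP" "$LAN_MASK") || return 1
  # Reject NEW flows from the guest VAP into the LAN (state NEW only, so replies
  # to flows the LAN itself opened are unaffected)
  echo "iptables -I FORWARD -i $GUEST_IF -d $net -m state --state NEW -j REJECT"
  # Source-NAT guest traffic to this node's LAN address as it leaves via br0
  echo "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $LAN_IP"
}
# Constructed iptables-save excerpt of a node with both rules applied
SAMPLE_DUMP='*filter
-A FORWARD -i wlan1.2 -d 192.168.1.0/24 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
-A POSTROUTING -o br0 -j SNAT --to-source 192.168.1.1
COMMIT'
# Returns 0 only when both the guest->LAN REJECT and the SNAT rule are present
audit_guest_rules() {
  net=$(lan_cidr "$LAN_IP" "$LAN_MASK") || return 1
  printf '%s\n' "$1" | grep -q "^-A FORWARD -i $GUEST_IF -d $net .*-j REJECT" || return 1
  printf '%s\n' "$1" | grep -q "^-A POSTROUTING -o br0 -j SNAT --to-source $LAN_IP\$"
}
guest_rules; audit_guest_rules "$SAMPLE_DUMP" && echo "both guest VAP rules present"
```

On a live node, feed `iptables-save` output to `audit_guest_rules` instead of the constructed dump; a missing REJECT rule means guest clients can still open connections into the LAN even if WAN starts working.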
I am not sure why you would be using the WAN port on the secondary node. Perhaps more details about your setup and what you are trying to achieve are warranted. Usually the WAN would only be used on the primary node if it is also your main gateway to Internet. _________________ - Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: VLANs, Samba, WG, Entware - r60xxx
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk over 5ghz - r60xxx
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r60xxx
- Linksys MX4300: (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r60xxx
- Linksys MR7350: WDS Station for extended Ethernet r60xxx
- Linksys MR7500, MX8500: None in production. Just testing. r60xxx
- OSes: Fedora 40, 10 RPis (2,3,4,5), 23 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.
- Forum member #248
Posted: Thu Jan 02, 2025 2:16 Post subject:
To clarify my issue - I made an unbridged VAP on the 2nd node, but clients have no internet (WAN) access. Bridged VAPs are working fine w/ internet (WAN) access. It's a "typical" setup w/ primary node as the gateway and 2nd node as the router/extender mesh node.
Maybe it's the wrong phrasing, but was just using WAN as in LAN vs. WAN. I'm not using the WAN ethernet port on the 2nd node.
Okay, thanks. That is more clear now. I am no expert on 802.11s but I think unbridged VAPs would not be able to "see" the mesh as they are now disconnected from it (hence, unbridged). I think you probably may need to go with vlans instead, which is one nice advantage 802.11s has over WDS. It's covered in one of the first 3 posts above. It is more complicated to set up but sure simplifies things in the long run.
In this scenario you would not run any dhcp server on the secondary node for the VAPs. You would create additional dhcp servers on your main dhcp server (i.e. gateway).
EDIT: Not completely sure, but you MAY be able to add a manual route for the unbridged VAPs to the secondary mesh gateway and vice versa. You will have to experiment with this however as I have not tried it. Not sure if this would even be secure for that matter.
A VAP is not at all necessary. I am not using any VAPs over 802.11s, but I did test briefly with VAPs to make sure it worked, which it did.
Beyond testing, I am presently only using 802.11s to extend VLANs wirelessly which are then assigned to the switch ports.
I tried to enable the Avoid Multi-Hop Path Discovery on my primary node but it was not retained. Tried twice. I have no idea what to do with HWMP Rootmode - my guess is it should be enabled on the primary node only?
Sorry, when I edited this in the OP today, I forgot to mention the fix for this has not been published yet, but if you follow the link provided by @kp69, it tells you how to enable it with current firmware. Sorry for the oversight.
Thank you lexridge for the guide! I was able to get a 2 node mesh setup working between 2 MX4300s utilizing VLANs.
I do have one issue I need some help with. I'm running build 59171 and my setup is:
Code:
Node 1
bridge name     bridge id               STP enabled     interfaces
br0             8000.80691a1ded9d       no              eth2
                                                        eth3
                                                        wlan0
                                                        wlan1
                                                        wlan2
br1             8000.80691a1ded9d       no              wlan0.10
                                                        wlan1.1
br2             8000.80691a1ded9d       no              wlan0.20
                                                        wlan2.1
br3             8000.80691a1ded9d       no              eth1
                                                        wlan0.30
Node 2
bridge name     bridge id               STP enabled     interfaces
br0             8000.80691a228e1a       no              eth0
                                                        eth2
                                                        eth3
                                                        wlan0
                                                        wlan1
                                                        wlan2
br1             8000.80691a228e1a       no              wlan0.10
                                                        wlan1.1
br2             8000.80691a228e1a       no              wlan0.20
                                                        wlan2.1
br3             8000.80691a228e1a       no              eth1
                                                        wlan0.30
wlan0: 5GHz Mesh Backhaul
wlan1: 2.4GHz Primary network
wlan1.1: 2.4GHz VAP for Guest Network (VLAN tag 10)
wlan2: 5GHz Primary Network
wlan2.1: 5GHz VAP for Guest Network (VLAN tag 20)
eth1: port configured to behave similar to Guest network. (VLAN tag 30)
2.4GHz and 5GHz radios share the same SSID on respective Primary and Guest networks, along with same WPA2/CCMP128 security settings. The Guest network has AP Isolation/Net Isolation enabled, so that clients cannot see each other (or if they can due to mDNS enabled, they can't establish communication with each other). Node 1 handles DHCP and Firewall rules for both nodes.
For my Guest network, I had to separate wlan1.1 and wlan2.1 onto their own bridges, since having them both on the same bridge did not isolate the traffic between the two radios, i.e. client on 2.4GHz Guest could see/ping client on 5GHz guest, and vice versa.
The issue I am having is that once I extended this setup to the 2nd node, a similar thing is occurring. A client on node 1, br2, is able to see/ping a client on node 2, br2, and vice versa. Guest traffic is isolated WITHIN a node, but not ACROSS nodes. The same happens on br1 as well.
I have tried multiple variations of iptables and even ebtables rules to block this cross-node guest traffic, but have had no success:
Code:
iptables -I FORWARD -i br2 -o br2 -m state --state NEW -j REJECT
ebtables -I FORWARD -i br2 -o br2 -j DROP
ebtables -I FORWARD --logical-in br2 --logical-out br2 -j DROP
ebtables -I FORWARD -i wlan2.1 -o wlan1.1 -j DROP
ebtables -I FORWARD -i wlan1.1 -o wlan2.1 -j DROP
ebtables -I FORWARD -s 82:69:1A:1D:ED:9F -d 82:69:1A:1D:ED:A0 -j DROP
ebtables -I FORWARD -d 82:69:1A:1D:ED:9F -s 82:69:1A:1D:ED:A0 -j DROP
Has anyone else experienced this, or have any clue how to resolve it? Apart from this, the setup seems stable and I have everything else working that I need. Appreciate any input!
I'm not sure you need any ebtables rules. iptables should do the job. My main gateway handles all these rules and the main vlan trunk, but here are mine:
Do NOT assign IP addresses to any bridges with the sole exception of the Main Trunk device (ie Gateway). This will create an insecure vlan environment.
Also, you need to update to a newer version. The interface names have changed from eth0-eth3 to lan1-lan4. You will need to adjust your Networking tab settings once you update because they have changed.
I did try to reset my firewall rules to just have something similar to yours, but my issue still persisted. I have read on other forum threads that sometimes the "AP Isolation" or "Net Isolation" features are baked-in to the driver, so I tried disabling those to allow the firewall to control everything. That didn't help either.
As you suggested, I will update to a newer firmware and try again. This time I will build out a limited setup to see if the problem reappears, or can be further isolated to specific configurations.
Have you by chance ever tested my scenario on your setup, i.e. wireless clients on same untrusted VLAN but different nodes being able to ping each other?
I have not tested your scenario simply because I see a few issues with it. It looks like you are making it way more complicated than needed.
Quote:
wlan0: 5GHz Mesh Backhaul
wlan1: 2.4GHz Primary network
wlan1.1: 2.4GHz VAP for Guest Network (VLAN tag 10)
wlan2: 5GHz Primary Network
wlan2.1: 5GHz VAP for Guest Network (VLAN tag 20)
eth1: port configured to behave similar to Guest network. (VLAN tag 30)
So Primary wlan1 and wlan2 look fine. I am not at all sure why you have separate vlans for 2.4 and 5ghz Guests. Those can and SHOULD share the same vlan10. No need for vlan20. Also, no need for your tagged vlan30 on eth1. That should be an untagged vlan10 since it's not part (or so it seems) of a trunk port (not more than one vlan assigned to it, so why tag it?).
Quote:
I am not at all sure why you have separate vlans for 2.4 and 5ghz Guests. Those can and SHOULD share the same vlan10. No need for vlan20.
I initially wanted them on the same bridge to keep a simple setup, as you noted. With my pre-mesh setup using only 1 node, I noticed that if 2 guest clients are connected, one on 2.4GHz and one on 5GHz, with both wlans assigned to the same bridge, any attempt at isolating the clients from each other did not work. AP Isolation, Net Isolation, IPTABLES rules to block the bridge from itself, or to block interfaces within the bridge from each other, none of those worked.
I wasn't able to get ebtables rules to make any difference either.
Quote:
Also, no need for your tagged vlan30 on eth1. That should be an untagged vlan10 since it's not part (or so it seems) of a trunk port (not more than one vlan assigned to it, so why tag it?).
My thinking here is to reserve that ethernet port on each node to behave like a Guest network, where if the need arises I can plug in a device to it (Printer, TV, etc.) and have it isolated from my trusted network. Ideally it would be nice to just add it to the same VLAN I am already using for the guest wlans, but due to the isolation issues I am having I decided to keep it separate.