Posted: Thu Apr 22, 2010 15:08 Post subject: Multi SSID Multi Tagged VLAN WAP
I have spent the last few days fighting with what I thought would be an easy configuration for a WAP. Tried multiple tutorials and google foo and just can't find what I needed. So I hope someone here can give me a hand.
Hardware
WRT54G2 Ver. 1
Configuration Details
I have three tagged VLAN's on a managed switch. VLAN's 8,9,& 10. VLAN 8 is meant for wireless network "Private". VLAN 9 is meant for wireless network "Public". VLAN 10 is a management VLAN.
I am hoping someone can explain to me how to configure ddwrt to broadcast two SSID's with different encryption that are on separate VLAN's. The ddwrt AP doesn't need to run DHCP, DNS, VLAN routing, or traffic policy because I have a separate, more powerful, router doing that already.
It would be nice if ddwrt did not have an IP address on VLAN 8&9 but has a management IP on VLAN 10. It would also be nice to use the WAN port as the trunk port. Neither of these are deal breakers though.
What I configured and where I'm stuck
I put a check in the checkbox to assign the WAN port to the switch. Disabled DHCP and DNS. I setup the "private" wireless network then added a virtual interface and setup the "public" wireless network. Then I configured the security settings for both networks. This is where things get confused for me. I tried configuring separate bridges and attaching the wireless networks to them. I couldn't get that working. I tried using the VLAN's and couldn't seem to get that working correctly either.
I think my biggest problem is I'm getting confused about the logical setup. Do I need to add two bridges? Do I even need to use bridges? Do I configure VLAN's and then put bridges in them or do I configure a bridge then put VLAN's in it? Do I use the VLAN tab to configure the VLAN's or should I be adding a VLAN in the network tab?
Any information that someone can give me will help. Even if it's a small piece it might help me understand the flow better.
You need to move at least one physical port into each VLAN you wish to use and then bridge each VLAN with a VAP. I'd start out trying to get the VLAN's to work before doing anything with the VAP's because VLAN's can be a PITA to get working because differing hardware has varying levels of support for VLAN's.
Do not use the "assign WAN port to switch" option because that adds it to the br0 bridge but you're going to be using it as a trunk, just make sure you have the WAN disabled in basic setup. Go to the VLAN page and check the "tagged" box for the WAN port and then check VLAN 8, 9 , and 10 for it. Then move 1 port into each of the VLAN's (leave 1 in VLAN 0 for now!), hit Apply, and then reboot the router for the VLAN's to take affect.
You should now be able to see them listed on the networking page and be able to click unbridged and assign them an IP address. I suggest doing so for all the VLAN's so that you can check that they're actually functioning. You can also temporarily give them DHCP pools using the multiple DHCP section, it'll make your testing a lot easier.
If the VLAN's are working then follow this to configure the VAP's and bridge them with the VLAN's.
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Posted: Fri May 21, 2010 15:33 Post subject: Can't seem to get it working
Sorry it took so long for me to reply. I have had things that are much higher priority then this pop up.
So, I followed all of the instructions provided and had great success with most of it. I can get the VLAN's communicating great locally on the switch and they tag and go out to my managed switch flawlessly and everything is working great there. I create two bridges br1 & br2 then two wireless networks and assign wl0.1 to br1 and eth1 to br2. I can ping the bridge IP address when connected to correct wireless network and everything is happy. Unfortunately, it all falls apart past here. When I assign VLAN 8 to br1 and VLAN 9 to br2 the assignments enter fine, save fine, show up after a reboot fine, but never show up in the current bridging table. I for the life of me can't get the bridge to join the VLAN.
Post screenshots of your VLAN and networking pages. What build are you using? _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Posted: Thu Feb 16, 2012 20:19 Post subject: Giving it one more attempt
Sorry to bring back a really old post but I have finally decided to give this another attempt. I figure something might have changed. In my original configuration I was using vlan 8, 9, and 10. This has changed to vlan 8, 9, and 15. I noticed that when issuing commands for vlan15 in a telnet session that none of those commands would stick so I am just trying to get vlan 8 and 9 working for right now.
As before I am able to get the VLAN's working correctly using the GUI or telnet, but I am still unable to get a VAP onto the VLAN. I believe that the bridge is what is not working correctly for me.
I am now running build 14929. The screen shots of my configuration are below.
WRT54G2 V1
\u@\h:\w\$ nvram get wl0_corerev
13
When I use the GUI to configure my vlans everything appears to work as I would expect. I can connect to port 2 and get onto VLAN 8 and I can connect to port 3 or 4 and get onto VLAN 9. If I attach to the test9 wireless network I would expect to be on VLAN 9 but I am not.
I did notice that when using the GUI the nvram vlan*ports variables never change. I can see the nvram port*vlans variables get changed but from what I read in http://www.dd-wrt.com/wiki/index.php/Switched_Ports the port*vlans variables only reflect the GUI selections. Are the port*vlans variables the options that control the vlans? I also tried modifying the nvram variables over telnet. That seemed to work just as well as using the GUI to make changes.
Any help that anyone could give me would be greatly appreciated. If anyone knows that there is a newer build that I should try I am willing to try it out.
If anyone could give me a suggestion on where to look next I really could use a hand getting this working. Even just a firmware recommendation would be helpful.
Try connection to the router with telnet/ssh and run this command to be sure that the VLAN interfaces really aren't being added to the bridges:
brctl show
Then try adding these commands to the startup script on the admin->commands page, reboot, and recheck if they're being added to the bridges:
brctl addif br8 vlan8
brctl addif br9 vlan9
If that doesn't work then try a more recent beta build but check the build thread for any particular build before using it to see if there were any major problems with it. The duplicate bridge settings bug was fixed a while ago, and many improvements have been made to VLAN support although mostly to add support for newer routers. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Pardon me for bumping an old thread, but phuzi0n's first post here is what I used to set up this same scenario on some linksys e3000s. After a few false starts (my fault) it's working great. Depending on which BSSID someone authenticates to, they go onto different VLANs.
A few things I'd appreciate phuzi0n or another knowledgable member to comment on:
1. Is there any way around the requirement to dedicate a wired port to every VLAN you want to assign wirelessly? In my case, one of the VLANs I am using I have set to require 802.1x authentication--including all of the wired ports on my switches. So unless I am understanding this wrong, I will need to assign one of the e3000's wired ports to this VLAN, which would then allow anyone to plug into that port and get on that VLAN without any authentication. While perhaps that's a bit paranoid of me, I would like to know if there's any way to mitigate it or if it's just something I have to accept.
2. When I create the bridge for each VLAN I set up the required IP for each one (each in a different subnet). So say for the example of my Guest VLAN 4 which is in the 192.168.4.0/24 subnet and the bridge IP is 192.168.4.253. When a computer joins the Guest network and receives an IP in that subnet, he is then able to use a web browser to go to 192.168.4.253 and sees the dd-wrt web interface. Is there any way to prevent that? I would prefer the dd-wrt not be configurable from my guest VLAN. Again, paranoid, but wondering if there's anything I can do about it.
3. Similarly, for that guest network, I want to isolate each client that associates from interacting with other clients. I assume I should turn on "AP Isolation" for that BSSID but before doing so I just want to make sure that will accomplish this goal in a VLAN setting or if I need firewall rules instead?
Many thanks for the help. I'm pretty new to all of this but have learned just enough to be dangerous!
2. When I create the bridge for each VLAN I set up the required IP for each one (each in a different subnet). So say for the example of my Guest VLAN 4 which is in the 192.168.4.0/24 subnet and the bridge IP is 192.168.4.253. When a computer joins the Guest network and receives an IP in that subnet, he is then able to use a web browser to go to 192.168.4.253 and sees the dd-wrt web interface. Is there any way to prevent that? I would prefer the dd-wrt not be configurable from my guest VLAN. Again, paranoid, but wondering if there's anything I can do about it.
This iptables command should work for number two
/usr/sbin/iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
These assume that 'br1' is your guest bridge. I'm not sure about number 3. I don't know if AP isolation works for separate bridges. You might have to use ebtables to keep clients separate.
EDIT: Well apparently I was misinformed. This command should stop access to the gui.
Code:
/usr/sbin/iptables -I INPUT -i br1 -m state --state NEW -j DROP
1. Is there any way around the requirement to dedicate a wired port to every VLAN you want to assign wirelessly?
2. When a computer joins the Guest network and receives an IP in that subnet, he is then able to use a web browser to go to 192.168.4.253 and sees the dd-wrt web interface. Is there any way to prevent that?
3. Similarly, for that guest network, I want to isolate each client that associates from interacting with other clients. I assume I should turn on "AP Isolation" for that BSSID but before doing so I just want to make sure that will accomplish this goal in a VLAN setting or if I need firewall rules instead?
1 - I'm not entirely sure why I said that but I think it was just for testing purposes due to the sketchy nature of VLAN support at that time. It should work perfectly fine to just use one port as a trunk and have the rest in any VLAN or none at all. However, if people have physical access then they could always unplug the router from your LAN and connect a PC with VLAN tagging into your LAN.
2 - Just alter the commands at the end of the Multiple WLAN guide to block input on each bridge interface and allow access to any particular ports you need to.
3 - IIRC for Broadcom based hardware, AP isolation is actually a "global" setting for the radio despite the GUI options in the VAP sections. ie. you turn it on for the main interface and it affects all VAP's. AFAIK it will prevent access to all of the subnet but I've never checked. Test both behaviors yourself to be sure. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Thanks a lot for the replies phuzi0n and Bird333. I will certainly do some further testing regarding #3 and post back my findings.
I have a new question though--hopefully a quickie (and it may just be something I am misunderstanding).
On the Wireless->Basic Settings page where I define the SSID(s) there is a radio button for each one for Bridged/Unbridged. My understanding though is that where you tell dd-wrt what bridge you want to use is in the Setup->Networking tab.
OK so that's great for the BSSIDs I have set up (wl0.1, wl0.2, wl1.1, etc.) but what about just plain wl0 and wl1? The way I have these set up with VLANs is that br0 is bridged to my "management" VLAN, where I don't actually want any wifi clients dumped off. I had hoped I could set up four SSIDs per radio (the main SSID plus three BSSIDs which seems to be the max) for wifi clients to go into four different VLANs (none of which being the management VLAN).
But from what I can tell (at least through the GUI) there's no way to tell dd-wrt that wl0 and wl1 should use any bridge other than br0. Is that by design or a limitation of the hardware, or is it possible to change via CLI and just isn't in the GUI? Or maybe it is possible via the GUI and I've just overlooked it somewhere?
Thinking about it, I guess I could work around this by bridging my management VLAN with something other than br0 and then bridge br0 with one of the other VLANs I was hoping to use. But I guess my question still stands just in case there is some way to change the bridge wl0 and wl1 use.
Duhhhhh OK sorry about that I neglected to do enough research.
Apparently wl0 is otherwise known as eth1 and wl1 is otherwise known as eth2. Those are options in the "assign to bridge" section of the GUI so I should be able to move them out of br0/LAN as I had wanted.
If I'm off-base please someone correct me. But otherwise I will give this a shot tonight and see where I get.
Thanks.
Edit: Yup it works fine. I bridged eth1 and eth2 into a different bridge with VLAN4 and now wifi clients on wl0 and wl1 are getting IPs in the proper subnet. Woohoo!
