Posted: Thu Nov 23, 2017 23:17 Post subject: VLAN's - R7000(Kong) + Unifi AP
Been trying to get this to work for a couple of days now. I must be missing something. I have DDWRT (kong asus r7000) on my router, wifi disabled. My wifi is all via 2 UniFi APs. I currently have a kids/guest SSID and an adult SSID. I want to have the kids/guest SSID go through OpenDNS to restrict their content. No restriction on the adult SSID. I see how this can be done with dnsmasq options, either a VLAN or a different IP range.
1. Have one UniFi SSID deliver DHCP to only that SSID (kids) - can't get UniFi to only pull from that pool
2. Use VLAN tagging, since this is available in both products, but DD-WRT isn't cooperating here either.
How do I create a "virtual" VLAN in DD-WRT? In UniFi, VLAN tagging is just a drop-down option. So it would be VLAN 3 for the kids SSID.
The dnsmasq config would be something like this. How do I bridge vlan3 to br1?
Set one of the LAN ports to vlan3 by going to the GUI VLANs page under the Setup tab. Say you want port 4 as vlan3: unselect vlan1 on port 4, select vlan3 and apply settings. If you want to tag vlan3 alongside vlan1, just leave vlan1 checked, select Tagging, add vlan3 to it and apply settings.
Now go to the GUI Networking page (right by the VLANs page). Under Create Bridge press "Add", enter "br1" (without quotes) in the empty name box and apply settings. Now go to the VLANs page and make sure port 4 is vlan3, then go back to the Networking page; this will refresh the page, so at the bottom you will see "Network Configuration br1". Enter IP Address 192.168.2.1, enter 255.255.255.0 in the Subnet Mask, and apply settings.
To refresh your Networking GUI screen, go to the VLANs page and back to the Networking page. Now under "Assign to Bridge" select Add; under Assignment 0 select br1 and under Interface select vlan3, and apply settings.
On the Networking page under "Current Bridging Tables" you should see your br1 assigned to vlan3.
Your dnsmasq looks fine.
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
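The same bridge setup as a startup script, as an added example that is not part of the thread and not DD-WRT's own code. It assumes the VLANs page has already put port 4 in vlan3 (so the kernel interface vlan3 exists) and uses the bridge name and address from the post above (br1, 192.168.2.1/24); those names and the sample `brctl show` output are constructed for the example. Nothing is executed unless you run it with the argument `apply`; by default it only prints the commands it would run, which is also how the bridge-membership check is exercised.

```shell
#!/bin/sh
# Added example: CLI equivalent of the GUI steps above for the
# Administration > Commands "Startup" box on DD-WRT (not code from the thread).
# Assumptions (hypothetical, adjust to your router): vlan3 already exists
# because the VLANs page put a port in it; the kids bridge is br1 at
# 192.168.2.1/24. Pass "apply" to actually run the commands.

VLAN_IF="vlan3"
BRIDGE="br1"
BR_ADDR="192.168.2.1"
BR_MASK="255.255.255.0"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; "apply" sets it to 0

# Run a command, or just print it in dry-run mode, so the script can be
# reviewed on a machine that has no brctl/ifconfig.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the bridge, attach the VLAN sub-interface, give it the gateway IP.
# The address goes on the bridge, never on vlan3 itself, otherwise the
# dnsmasq "interface=br1" line later on has nothing to bind to.
setup_bridge() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$VLAN_IF"
    run ifconfig "$VLAN_IF" up
    run ifconfig "$BRIDGE" "$BR_ADDR" netmask "$BR_MASK" up
}

# Verify the result from `brctl show` output read on stdin: prints 0 if
# interface $1 is a member of bridge $2, else 1. brctl prints the bridge name
# only on its first member line, so the "current bridge" is carried across
# the continuation lines that hold just an interface name.
bridge_has_member() {
    awk -v want_if="$1" -v want_br="$2" '
        NR == 1 { next }                   # column header
        NF == 4 { br = $1; iface = $4 }    # first member: name id stp iface
        NF == 1 { iface = $1 }             # continuation: iface only
        br == want_br && iface == want_if { found = 1 }
        END { print (found ? 0 : 1) }
    '
}

# Constructed sample of `brctl show` after the steps above (real output uses
# tabs between the columns; awk does not care).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.aabbccddeeff       no              vlan1
                                                        eth1
br1             8000.aabbccddeef0       no              vlan3'

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    setup_bridge
    brctl show | bridge_has_member "$VLAN_IF" "$BRIDGE"   # expect 0
else
    setup_bridge
    printf '%s\n' "$SAMPLE_BRCTL" | bridge_has_member "$VLAN_IF" "$BRIDGE"
fi
```

If the check prints 1 after `apply`, the bridge exists but vlan3 is not in it, which is exactly the state the GUI leaves you in when the Networking page was saved before the VLANs page; re-run the `brctl addif` step and check again. Port-to-VLAN assignment on the switch itself is deliberately left to the VLANs page, since the nvram names for that differ between Broadcom units.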
Only one is able to pull an IP from DHCP; hardwired stuff (vlan1) or static IP (vlan1) always works, but the VLAN SSIDs seem to alternate which one pulls an IP. They pull from the correct pool when they do get an IP.
There is no VLAN tagging on vlan1, so maybe I need to add that?
Interface br5 - vlan5: IP 192.168.5.1/255.255.255.0
Services>Add'l dnsmasq options is commented out for n
It will contain:
Code:
dhcp-option=br5,6,208.67.222.222,208.67.220.220
Looks like the clients are trying to get an IP. This just repeats; the client never accepts the IP. I've tried multiple phones and laptops.
Code:
Nov 27 19:46:14 lan daemon.info dnsmasq-dhcp[28179]: DHCPDISCOVER(br5) xx:xx:xx:xx:xx:xx
Nov 27 19:46:14 lan daemon.info dnsmasq-dhcp[28179]: DHCPOFFER(br5) 192.168.5.104 xx:xx:xx:xx:xx:xx
Even if I assign a static IP in the range it still doesn't have internet.
All I am trying to do is force all people on a specific SSID (vlan5) to use specific DNS (OpenDNS) servers. This is the kids SSID. I will probably add some bandwidth limiting and other limits once this is working. I also plan to force DNS with iptables at some point.
After the bridge is set up, I only use DNSMasq for setting up the network. I would clear out the Multiple DHCP Server settings and ONLY use these settings in the DNSMasq Options...
interface=br5
# Set the DHCP range .100 to .200 and default lease time of 24 hours
dhcp-range=br5,192.168.5.100,192.168.5.200,255.255.255.0,24h
# Set the gateway
dhcp-option=br5,3,192.168.5.1
# Set DNS servers
dhcp-option=br5,6,208.67.222.222,208.67.220.220
In your Firewall...
# Force Network to OpenDNS
iptables -t nat -A PREROUTING -p udp -s 192.168.5.0/24 --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -A PREROUTING -p tcp -s 192.168.5.0/24 --dport 53 -j DNAT --to 208.67.222.222
This code is not needed....
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
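A firewall script for the kids bridge that goes a step beyond the two DNAT lines above, as an added example that is not part of the thread and not DD-WRT's own code. It keeps the thread's names (br5, 192.168.5.0/24, OpenDNS 208.67.222.222 and 208.67.220.220); the listing it checks against is constructed for the example. By default it prints the iptables commands instead of running them; pass `apply` on the router to install them.

```shell
#!/bin/sh
# Added example for the DD-WRT firewall script (not code from the thread).
# Assumptions: kids bridge br5, OpenDNS as the only permitted resolver.
# DRY_RUN=1 (default) prints the commands; "apply" runs them.

KID_IF="br5"
DNS1="208.67.222.222"
DNS2="208.67.220.220"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Rewrite every plain-DNS query arriving on br5 to OpenDNS, whatever server
#    the client configured. Matching on the ingress interface (-i) rather than
#    only a source subnet (-s) scopes the rule to the kids SSID, which a client
#    cannot change, whereas -s only matches addresses the client chose.
# 2. Reject DNS over TLS (853/tcp) and DNS over QUIC (853/udp): the DNAT
#    cannot see into them, so a phone with a "private DNS" setting must fail
#    closed instead of bypassing the filter.
# 3. In FORWARD, allow port 53 only to OpenDNS and reject the rest. After the
#    DNAT this never fires for normal traffic; it is there so that a lost or
#    mis-ordered nat rule shows up as "DNS broken" rather than as a bypass.
#    -I puts each rule at the top, so the last inserted is evaluated first.
kids_dns_rules() {
    for proto in udp tcp; do
        run iptables -t nat -I PREROUTING -i "$KID_IF" -p "$proto" \
            --dport 53 -j DNAT --to-destination "$DNS1"
    done
    for proto in tcp udp; do
        run iptables -I FORWARD -i "$KID_IF" -p "$proto" --dport 853 -j REJECT
    done
    for proto in udp tcp; do
        run iptables -I FORWARD -i "$KID_IF" -p "$proto" --dport 53 -j REJECT
        run iptables -I FORWARD -i "$KID_IF" -p "$proto" --dport 53 -d "$DNS2" -j ACCEPT
        run iptables -I FORWARD -i "$KID_IF" -p "$proto" --dport 53 -d "$DNS1" -j ACCEPT
    done
}

# Check an `iptables -t nat -S PREROUTING` listing (stdin) for the br5 DNAT
# rule; prints "yes" or "no". Tokens are matched one at a time so the check
# does not depend on the order iptables prints them in.
dnat_rule_present() {
    if grep -- "-i $KID_IF" | grep -- "--dport 53" \
         | grep -q -- "-j DNAT --to-destination $DNS1"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample of `iptables -t nat -S PREROUTING` after "apply".
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -i br5 -p udp -m udp --dport 53 -j DNAT --to-destination 208.67.222.222
-A PREROUTING -i br5 -p tcp -m tcp --dport 53 -j DNAT --to-destination 208.67.222.222'

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    kids_dns_rules
    iptables -t nat -S PREROUTING | dnat_rule_present   # expect "yes"
else
    kids_dns_rules
    printf '%s\n' "$SAMPLE_NAT" | dnat_rule_present
fi
```

Two caveats worth knowing before relying on this. A client cannot tell it was redirected: `nslookup example.com 8.8.8.8` from a kids device still appears to be answered by 8.8.8.8, because conntrack rewrites the reply's source back; verify on the router instead with `iptables -t nat -vnL PREROUTING`, whose packet counter on the DNAT rule climbs with each query, or by resolving a domain OpenDNS is configured to block. And DNS over HTTPS shares port 443 with everything else, so port rules cannot catch it; the OpenDNS category filter only covers clients that actually reach OpenDNS. The DNAT also catches queries to the router's own 192.168.5.1, so local hostnames served by dnsmasq will not resolve on br5; add `! -d 192.168.5.1` to the nat rules if you want those.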
Thanks, but no luck. Restored a backup (from before any VLAN stuff), rebooted, still can't successfully get an IP, and testing static, such as 192.168.5.100, doesn't have internet.
This is all from the same mac address
Code:
Nov 28 08:36:23 lan daemon.info dnsmasq-dhcp[10465]: DHCPDISCOVER(br5) xx:xx:xx:xx:xx:xx
Nov 28 08:36:23 lan daemon.info dnsmasq-dhcp[10465]: DHCPOFFER(br5) 192.168.5.164 xx:xx:xx:xx:xx:xx
Nov 28 08:36:25 lan daemon.info dnsmasq-dhcp[10465]: DHCPDISCOVER(br5) xx:xx:xx:xx:xx:xx
Nov 28 08:36:25 lan daemon.info dnsmasq-dhcp[10465]: DHCPOFFER(br5) 192.168.5.164 xx:xx:xx:xx:xx:xx
Nov 28 08:36:27 lan daemon.info dnsmasq-dhcp[10465]: DHCPDISCOVER(br5) xx:xx:xx:xx:xx:xx
Nov 28 08:36:27 lan daemon.info dnsmasq-dhcp[10465]: DHCPOFFER(br5) 192.168.5.164 xx:xx:xx:xx:xx:xx
Nov 28 08:36:31 lan daemon.warn dnsmasq[10465]: Maximum number of concurrent DNS queries reached (max: 150)
# Select interface br5
interface=br5
# Set the DHCP range .100 to .200 and default lease time of 24 hours
dhcp-range=br5,192.168.5.100,192.168.5.200,255.255.255.0,24h
# Set the gateway
dhcp-option=br5,3,192.168.5.1
# Set DNS servers
dhcp-option=br5,6,208.67.222.222,208.67.220.220
Other dnsmasq options (in case it helps)
Encrypt DNS > Enable
Cache DNSSEC data > Disable
Validate DNS Replies (DNSSEC) > Disable
Check unsigned DNS replies > Disable
Local DNS > Enable
No DNS Rebind > Enable
Query DNS in Strict Order > Enable
Add Requestor MAC to DNS Query > Disable
SPI Firewall is on (with the following checked)
ARP Spoofing Protection
Block Anonymous WAN Requests (ping)
Filter Multicast
Filter IDENT (Port 113)
Block WAN SNMP access
Limit SSH Access
Can you test an ethernet device on the R7000 that has a port set up as untagged vlan5 only? Make sure your ethernet device is set up for DHCP too.