Posted: Fri Jul 16, 2010 15:25 Post subject: 802.1q help
I have an existing network of 3 switches with 802.1q turned on. I have a Linksys WRT610N (V1) running DD-WRT V24 pre2 that's the primary egress for several PCs on the LAN and a passthrough via port forwarding for a mail server. Long story short, I have 3 VLANs set up: VLAN 1 is the private network (192.168.0.0/24), VLAN 2 is the public network (a /29), VLAN 3 is a separate private network ( 10.0.0.0/8 ) added later.
Currently, my router is plugged into two ports (one WAN (VLAN 2), one LAN (VLAN 1)) on the same switch, with those ports having 802.1q tagging turned off. I'd very much like to consolidate down to 1 port. As my total pipe is a T3, going gigabit for combined ingress/egress shouldn't be a problem.
At first glance in the panel, it looks like things are generally set up right to just turn on tagging on my WAN port, but I wanted to make sure I do it right. Would someone be kind enough to help me work out some specific instructions given the above?
edit: worked around auto smiley on 10.0.0.0/8 rt parens.
You'll have to play around a lot and it may not work at all... Theoretically you would just need to enable tagging on the port and then put it into both VLANs. However, VLAN support is sketchy, especially with Broadcom's gigabit switches. The VLAN page in the GUI doesn't set the nvram variables correctly when creating new VLANs on gigabit switches, but people have been able to do so with the nvram variables, and so I'm not sure if enabling tagging in the GUI will set them correctly or not.
A few people have gotten trunking working with Fast Ethernet models, but it takes a lot of work. I've tried getting a trunk between two Fast Ethernet models and played around a lot with it but couldn't get the trunk to work.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=64265
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Before you wrote, I tried playing with it a bit, and under the networking tab I tried to add the 3 VLANs, but it wouldn't save the IDs, and tagging didn't seem to be working at all. Too many variables for me to work out. I think I'll just leave it with the wasted port for now. I may end up going to a beefier (read: small Linux PC) router sooner or later anyway.
I'm trying to do something very similar and wouldn't mind bashing some ideas around. I've got a WRT610Nv2 and a bunch of ASUS RT-N16s that I'm working with.
We'd like our routers configured so that port 1 (or the WAN port if that's possible) trunks VLANs 1 and one other, say, 4. VLAN 1 would be for management of the router, and ideally would be the only way of getting to the GUI or getting SSH access to the router.
Any wireless traffic or traffic on ports 2-4 would be put on VLAN 4. This would be "user" traffic.
Of course, just to make things more fun, we'd like the wireless to work so that a user could walk around a building carrying a notebook and not even notice as they switch from one wireless router's coverage to another.
That's the dream. Reality may be different.
I've been clicking away on the GUI and reading the HOWTOs and not getting very far. I'm just beginning to dive into the command-line.
loconut wrote:
Before you wrote, I tried playing with it a bit, and under the networking tab I tried to add the 3 VLANs, but it wouldn't save the IDs, and tagging didn't seem to be working at all. Too many variables for me to work out. I think I'll just leave it with the wasted port for now. I may end up going to a beefier (read: small Linux PC) router sooner or later anyway.
Well, this is a router I only have one of, and it's live and has my mail server behind it. I may be willing to play with it late at night, but I don't want to get into a state where I can't do anything to the router and perhaps even holding in the reset button doesn't do anything.
I'd otherwise like very much for it to work out.
BTW, I think WDS does some/all of what you're looking for on the access point side of things....
The most important part is to set vlan#hwname=et0 when you're trying to create new VLANs. I've noticed that even on one of my 100 Mbps devices the GUI fails to set it, but on another it does.
I got a bit of time to mess with this today, but not much. Tomorrow, I should have the bulk of the day.
Configuring the switch is a challenge for me. I'm used to Linux boxes (ifconfig, vconfig, etc.) and Cisco routers, but the switch in the WRT610N is a different beast.
Navigating the DD-WRT scripts is also kind of overwhelming. For example, I noticed that there is a line "trunking=0" in the output of "nvram show", but can I find a reference to the word "trunking" anywhere in the scripts? Nope. Of course, "find / -type f -exec grep trunking {} \;" doesn't work like I'd expect either.
Man, phuzi0n wasn't kidding about this being involved and buggy. I've completely given up on the web interface for setting anything to do with VLANs. It hasn't worked for me at all.
I've been able to get port 3 (which is labelled as port 2 on the outside of the ASUS RT-N16) configured as untagged VLAN 3. Got it set up with an IP on the subnet we use on VLAN 3.
This was easy enough:
Code:
nvram set vlan3ports="3 8*"
# VLANs 18 and 19 added below because it seemed right
nvram set port3vlans="3 18 19"
nvram commit
reboot
# Then after we can SSH back in
# Use your own address and netmask
ifconfig vlan3 192.168.49.17 netmask 255.255.255.128
That's all it takes to get a VLAN that is constrained to a port and within the router (i.e. almost useless).
If I could get VLAN 1 and VLAN 3 trunked (i.e. tagged) on a port, I'd be getting close.
I've also noticed that the web interface seems to add VLANs 18 and 19 to everything when you play with it. (Haven't narrowed down exactly what it is that triggers that.) Here are the relevant nvram variables on a virgin DD-WRT install:
The goal was to get VLANs 1 and 3 trunked on port 3. So I did the following:
Code:
nvram set vlan3ports="1 3t 8*"
nvram set port3vlans="1 3 18 19"
# write the settings to flash; without this the reboot discards them
nvram commit
reboot
Generally, that's how I set up our servers, with VLAN 1 (the default or native VLAN) being untagged and additional VLANs being tagged.
With a link between port 3 on the RT-N16 and a port on a switch with VLAN 1 untagged and VLAN 3 tagged, I could reach our subnet on VLAN 3. Yes!
Unfortunately, I couldn't reach the subnet that lives on VLAN 1. No!
So I tried tagging both VLANs 1 and 3 on the RT-N16:
Code:
nvram set vlan3ports="1t 3t 8*"
nvram set port3vlans="1 3 18 19"
# write the settings to flash; without this the reboot discards them
nvram commit
reboot
No difference.
With both VLANs tagged on the RT-N16, I enabled tagging on both VLANs 1 and 3 on the switch. Bam! It worked.
In all honesty, it is my preference to tag all VLANs on a port, if any. The only reason I haven't done this on our Linux servers is that I haven't figured out how.
So things are looking good. I'll set things up so that the vlan3 device is configured with an IP at boot, then it's just a matter of bridging the wireless with vlan3. (At least, I think so.)
Nice, I'll have to play with my routers and see if enabling tagging on both ports gets the trunk to work between 2 routers.
You can create the bridge, add vlan3 and the wireless interface to the bridge, and assign the bridge's IP/netmask all on the networking page. The steps are explained in either of these guides.
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
So I tried tagging both VLANs 1 and 3 on the RT-N16:
Code:
nvram set vlan3ports="1t 3t 8*"
nvram set port3vlans="1 3 18 19"
# write the settings to flash; without this the reboot discards them
nvram commit
reboot
So I was finally able to get a trunk between my WRT54GS v2.0 and WRT300N v1.1, and I've explored quite a few combinations of settings. Here's a list of my results, which took several hours of swapping cables between ports to verify. I always mirrored the same nvram variables on both models.
#didn't work
vlan0ports=1 2 4t 5*
vlan1ports=0 5
vlan2ports=3 5
My port#vlans variables were always set to this:
port0vlans=1 18 19
port1vlans=0 18 19
port2vlans=0 18 19
port3vlans=2 18 19
port4vlans=0 2 16 18 19
port5vlans=0 1 2 16
So I think that your nvram settings may be excessive and that the key to getting it to work was to set your other switch to tag both VLANs. Could you post the output from these commands, please?
nvram show | grep vlan.port | sort
nvram show | grep port.vlan | sort
And when you have time, could you try this and check if the trunk still works afterwards?
nvram set vlan3ports="1 3t 8"
nvram commit
reboot
I'm sorry. My (much needed) vacation began shortly after you posted the query for more information. Unfortunately, I almost completely unplug while on vacation.
This is all as I left it after it started working.
As you can see from the above, vlan3ports is already set as you requested. I'm not sure if I erroneously reported what I originally did (1 3t 8*) or if the software ignored/corrected the asterisk.
In any case, I'm glad that my bungling helped shed some light on 802.1q.
When I get some time later this week, I'm going to continue to work on this with the goal of getting all the wireless traffic leaving the RT-N16 on VLAN 3.
Hmm, okay. It seems that having the tagged port in every vlan#ports variable is the important part. Buddee is giving me a wrt320n so I'll be able to play around with a gigabit model myself in a few days.
Rural wrote:
When I get some time later this week, I'm going to continue to work on this with the goal of getting all the wireless traffic leaving the RT-N16 on VLAN 3.
This part is easy, and I set up both models in my trunk tests with 2 WLANs, separate subnets for all 4 bridge interfaces, routing, and firewalling. I'll be writing it up as a sort of extension to the multiple WLAN article.
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=464533#464533
So I was finally able to get a trunk between my WRT54GS v2.0 and WRT300N v1.1, and I've explored quite a few combinations of settings. Here's a list of my results, which took several hours of swapping cables between ports to verify. I always mirrored the same nvram variables on both models.
snip...
I have reviewed the Broadcom driver source in order to understand how the VLANs work in our routers; let's see if this makes sense:
There is a limit of VLAN IDs, set by
Code:
#define VLAN_MAXVID 15 /* Max. VLAN ID supported/allowed */
i.e. 16 IDs, from 0-15.
There is also a limit of ports that can be a member of a VLAN, set by
Code:
#define DEV_NUMIFS 16 /* Max. # of devices/interfaces supported */
i.e. a VLAN cannot have more than 16 members.
Port tagging is another thing though, the port tag register is 12 bits wide allowing tags 0-4095.
Do I understand it right if I say that we are not able to change the port tag number, and enabling port tagging gives us a port tag number which equals the VLAN ID?
_________________
Kernel panic: Aiee, killing interrupt handler!
It still doesn't explain how tagging multiple VIDs on a single port works within the driver, like you've been trying to figure out.
LOM wrote:
Do I understand it right if I say that we are not able to change the port tag number, and enabling port tagging gives us a port tag number which equals the VLAN ID?
When you tag a port, then it can be put into multiple VLANs and it tags traffic from all of those VLANs. For instance, I tagged port 4 on both devices and put it into VLAN0 and VLAN2. I was then able to send traffic between devices in VLAN2 from one router to the other through port 4, and the same goes for devices in VLAN0. Devices in VLAN0 couldn't talk to devices in VLAN2 and vice versa until after I set up routing and the firewall, which is exactly how trunking is supposed to work.
Note: I'm presuming that the reason the combination below worked is only because the * denotes the default VLAN to put untagged traffic into. I'll investigate it soon.
#worked
vlan0ports=1 2 4 5*
vlan1ports=0 5
vlan2ports=3 4t 5
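Added example, not code from this thread or from DD-WRT: a small checker that applies phuzi0n's finding above (the trunk port must be listed in every vlan#ports variable of a VLAN it is meant to carry) and LOM's VLAN_MAXVID and DEV_NUMIFS limits to vlan#ports lines as printed by nvram show. The CPU-port parameter and the rule that a port may be untagged in only one VLAN are my assumptions; the two sample configurations are the ones phuzi0n posted.

```python
import re

VLAN_MAXVID = 15  # Broadcom driver define quoted by LOM above: VIDs 0-15 only
DEV_NUMIFS = 16   # max members per VLAN, same source

def parse_vlan_ports(nvram_text):
    """Parse vlan<N>ports=... lines (as printed by `nvram show`) into
    {vid: {port: tagged}}; a trailing 't' marks an 802.1q-tagged port."""
    vlans = {}
    for line in nvram_text.splitlines():
        m = re.match(r"\s*vlan(\d+)ports=(.*)$", line)
        if m:
            vlans[int(m.group(1))] = {int(tok.rstrip("t*")): tok.endswith("t")
                                      for tok in m.group(2).split()}
    return vlans

def check_config(nvram_text, trunk_port, trunk_vids, cpu_port=5):
    """Return a list of problems; an empty list means the trunk is consistent.
    cpu_port (assumption) is the internal switch-to-CPU port: 5 on the Fast
    Ethernet models in this thread, 8 on the RT-N16; it is untagged everywhere."""
    vlans = parse_vlan_ports(nvram_text)
    problems = []
    untagged_in = {}  # port -> VIDs in which it sends frames without a tag
    for vid, members in sorted(vlans.items()):
        if vid > VLAN_MAXVID:
            problems.append(f"vlan{vid}: VID above VLAN_MAXVID={VLAN_MAXVID}")
        if len(members) > DEV_NUMIFS:
            problems.append(f"vlan{vid}: more than DEV_NUMIFS={DEV_NUMIFS} members")
        for port, tagged in members.items():
            if not tagged and port != cpu_port:
                untagged_in.setdefault(port, []).append(vid)
    # phuzi0n's finding: the trunk port must be listed in every VLAN it should carry
    for vid in trunk_vids:
        if trunk_port not in vlans.get(vid, {}):
            problems.append(f"port {trunk_port} missing from vlan{vid}ports")
    # a port untagged in two VLANs would emit both segments' frames unmarked
    for port, vids in untagged_in.items():
        if len(vids) > 1:
            problems.append(f"port {port} untagged in VLANs {vids}: segments would mix")
    return problems

# The two 5-port configurations from phuzi0n's post above (port 5 = CPU)
FAILED = "vlan0ports=1 2 4t 5*\nvlan1ports=0 5\nvlan2ports=3 5\n"
WORKED = "vlan0ports=1 2 4 5*\nvlan1ports=0 5\nvlan2ports=3 4t 5\n"

if __name__ == "__main__":
    for name, cfg in (("failed", FAILED), ("worked", WORKED)):
        print(name, check_config(cfg, trunk_port=4, trunk_vids=(0, 2)) or "OK")
```

Feed it the real `nvram show | grep vlan.port` output and your own trunk port and VLAN list; the checker reports only, it changes nothing on the router.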