802.1q help

loconut
DD-WRT Novice


Joined: 16 Jul 2010
Posts: 3

Posted: Fri Jul 16, 2010 15:25    Post subject: 802.1q help
I have an existing network of 3 switches with 802.1q turned on. I have a Linksys WRT610N (V1) running DD-WRT V24 pre2 that's the primary egress for several PCs on the LAN and a passthrough via port forwarding for a mail server. Long story short, I have 3 VLANs set up: VLAN 1 is the private network (192.168.0.0/24), VLAN 2 is the public network (a /29), VLAN 3 is a separate private network ( 10.0.0.0/8 ) added later.

Currently, my router is plugged into two ports (one wan (VLAN 2), one lan (VLAN 1)) on the same switch with those ports having 802.1q tagging turned off. I'd very much like to consolidate down to 1 port. As my total pipe is a T3, going gigabit for combined ingress/egress shouldn't be a problem.

At first glance in the panel, it looks like things are generally set up right to just turn on tagging on my wan port, but I wanted to make sure I do it right. Would someone be kind enough to help me work out some specific instructions given the above?

edit: worked around auto smiley on 10.0.0.0/8 rt parens.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Jul 16, 2010 16:22
You'll have to play around a lot and it may not work at all... Theoretically you would just need to enable tagging on the port and then put it into both VLAN's. However, VLAN support is sketchy, especially with Broadcom's gigabit switches. The VLAN page in the GUI doesn't set the nvram variables correctly when creating new VLAN's on gigabit switches but people have been able to do so with the nvram variables, and so I'm not sure if enabling tagging in the GUI will set them correctly or not.

A few people have gotten trunking working with Fast Ethernet models but it takes a lot of work. I've tried getting a trunk between two Fast Ethernet models and played around a lot with it but couldn't get the trunk to work.

See these links and search more yourself.

http://www.dd-wrt.com/wiki/index.php/Switched_Ports

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=75400

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=64265

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
loconut
DD-WRT Novice


Joined: 16 Jul 2010
Posts: 3

Posted: Fri Jul 16, 2010 18:01
Before you wrote I tried playing with it a bit and under the networking tab I tried to add the 3 vlans but it wouldn't save the IDs, and tagging didn't seem to be working at all. Too many variables for me to work out. I think I'll just leave it with the wasted port for now. I may end up going to a beefier (read small linux pc) router sooner or later anyway.

Thanks for the great reply.
Rural
DD-WRT Novice


Joined: 16 Jul 2010
Posts: 5

Posted: Fri Jul 16, 2010 22:06
Awww... Don't give up so soon.

I'm trying to do something very similar and wouldn't mind bashing some ideas around. I've got a WRT610Nv2 and a bunch of ASUS RT-N16s that I'm working with.

We'd like our routers configured so that port 1 (or the WAN port if that's possible) trunks VLANs 1 and one other, say, 4. VLAN 1 would be for management of the router, and ideally would be the only way of getting to the GUI or getting SSH access to the router.

Any wireless traffic or traffic on ports 2-4 would be put on VLAN 4. This would be "user" traffic.

Of course, just to make things more fun, we'd like the wireless to work so that a user could walk around a building carrying a notebook and not even notice as they switch from one wireless router's coverage to another.

That's the dream. Reality may be different.

I've been clicking away on the GUI and reading the HOWTOs and not getting very far. I'm just beginning to dive into the command-line.

loconut wrote:
Before you wrote I tried playing with it a bit and under the networking tab I tried to add the 3 vlans but it wouldn't save the IDs, and tagging didn't seem to be working at all. Too many variables for me to work out. I think I'll just leave it with the wasted port for now. I may end up going to a beefier (read small linux pc) router sooner or later anyway.

Thanks for the great reply.
loconut
DD-WRT Novice


Joined: 16 Jul 2010
Posts: 3

Posted: Fri Jul 16, 2010 22:40
Rural wrote:
Awww... Don't give up so soon.

Well, this is a router I only have one of and it's live and has my mail server behind it. I may be willing to play with it late at night, but I don't want to get into a state where I can't do anything to the router and perhaps even a reset button hold in doesn't do anything.

I'd otherwise like very much for it to work out.

BTW, I think WDS does some/all of what you're looking for on the access point side of things....
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Jul 16, 2010 22:46
The most important part is to set vlan#hwname=et0 when you're trying to create new VLAN's. I've noticed that even on one of my 100mbps devices the GUI fails to set it but on another it does.
Rural
DD-WRT Novice


Joined: 16 Jul 2010
Posts: 5

Posted: Mon Jul 19, 2010 22:52
I got a bit of time to mess with this today, but not much. Tomorrow, I should have the bulk of the day.

Configuring the switch is a challenge for me. I'm used to Linux boxes (ifconfig, vconfig, etc.) and Cisco routers, but the switch in the WRT610N is a different beast.

Navigating the DD-WRT scripts is also kind of overwhelming. For example, I noticed that there is a line "trunking=0" in the output of "nvram show", but can I find a reference to the word "trunking" anywhere in the scripts? Nope. Of course, "find / -type f -exec grep trunking {} \;" doesn't work like I'd expect either.

There's a fish out of water here.
Rural
DD-WRT Novice


Joined: 16 Jul 2010
Posts: 5

Posted: Tue Jul 20, 2010 22:00
Man, phuzi0n wasn't kidding about this being involved and buggy. I've completely given up on the web interface for setting anything to do with VLANs. It hasn't worked for me at all.

I've been able to get port 3 (which is labelled as port 2 on the outside of the ASUS RT-N16) configured as untagged VLAN 3. Got it set up with an IP on the subnet we use on VLAN 3.

This was easy enough:

Code:
nvram set vlan3ports="3 8*"
# VLANs 18 and 19 added below because it seemed right
nvram set port3vlans="3 18 19"
nvram commit
reboot

# Then after we can SSH back in
# Use your own address and netmask
ifconfig vlan3 192.168.49.17 netmask 255.255.255.128


That's all it takes to get a VLAN that is constrained to a port and within the router (ie. almost useless).

If I could get VLAN 1 and VLAN 3 trunked (ie. tagged) on a port, I'd be getting close.

I've also noticed that the web interface seems to add vlans 18 and 19 to everything when you play with it. (Haven't narrowed down exactly what it is that triggers that.) Here are the relevant nvram variables on a virgin DD-WRT install:

Code:
root@DD-WRT:~# nvram show | grep vlan.ports
vlan2ports=0 8
vlan0ports=1 2 3 4 5*
vlan1ports=4 3 2 1 8*
size: 24298 bytes (8470 left)

root@DD-WRT:~# nvram show | grep port.vlans
port5vlans=1 2 16
port3vlans=1
port1vlans=1
port4vlans=1
port2vlans=1
port0vlans=2
size: 24298 bytes (8470 left)


And after changing the name of the router, clicking a few buttons on the VLAN page, and applying the settings:

Code:
root@wrtb:~# nvram show | grep vlan.ports
vlan2ports=0 8
vlan0ports=1 2 3 4 5*
size: 24465 bytes (8303 left)
vlan1ports=4 3 2 1 8*
root@wrtb:~# nvram show | grep port.vlans
port5vlans=1 2 16
port1vlans=1 18 19
port4vlans=1 18 19
port2vlans=1 18 19
port0vlans=2 18 19
size: 24465 bytes (8303 left)


I wonder why that would be.
Rural
DD-WRT Novice


Joined: 16 Jul 2010
Posts: 5

Posted: Tue Jul 20, 2010 23:18
Tried to get trunking working. Partial success.

The goal was to get VLANs 1 and 3 trunked on port 3. So I did the following:

Code:
nvram set vlan3ports="1 3t 8*"
nvram set port3vlans="1 3 18 19"
reboot


Generally, that's how I set up our servers, with VLAN 1 (the default or native VLAN) being untagged and additional VLANs being tagged.

With a link between port 3 on the RT-N16 and a port on a switch with VLAN 1 untagged and VLAN 3 tagged, I could reach our subnet on VLAN 3. Yes!

Unfortunately, I couldn't reach the subnet that lives on VLAN 1. No!

So I tried tagging both VLANs 1 and 3 on the RT-N16:

Code:
nvram set vlan3ports="1t 3t 8*"
nvram set port3vlans="1 3 18 19"
reboot


No difference.

With both VLANs tagged on the RT-N16, I enabled tagging on both VLANs 1 and 3 on the switch. Bam! It worked.

In all honesty, it is my preference to tag all VLANs on a port, if any. The only reason I haven't done this on our Linux servers is that I haven't figured out how.

So things are looking good. I'll set things up so that the vlan3 device is configured with an IP at boot, then it's just a matter of bridging the wireless with vlan3. (At least, I think so.)
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Wed Jul 21, 2010 1:18
Nice, I'll have to play with my routers and see if enabling tagging on both ports gets the trunk to work between 2 routers.

You can create the bridge, add vlan3 and the wireless interface to the bridge, and assign the bridge's IP/netmask all on the networking page. The steps are explained in either of these guides.

http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN

http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Jul 23, 2010 12:19
Rural wrote:
So I tried tagging both VLANs 1 and 3 on the RT-N16:

Code:
nvram set vlan3ports="1t 3t 8*"
nvram set port3vlans="1 3 18 19"
reboot


So I was finally able to get a trunk between my wrt54gs v2.0 and wrt300n v1.1 and I've explored quite a bit of combinations of settings. Here's a list of my results which took several hours of swapping cables between ports to verify. I always mirrored the same nvram variables on both models.

#didn't work
vlan0ports=1 2 4t 5*
vlan1ports=0 5
vlan2ports=3 5

#didn't work
vlan0ports=1 2 4 5*
vlan1ports=0 5
vlan2ports=3 4 5

#didn't work
vlan0ports=1 2 4t 5*
vlan1ports=0 5
vlan2ports=3t 5

#worked
vlan0ports=1 2 4t 5*
vlan1ports=0 5
vlan2ports=3t 4t 5

#worked
vlan0ports=1 2 4t 5*
vlan1ports=0 5
vlan2ports=3 4t 5

#worked
vlan0ports=1 2 4 5*
vlan1ports=0 5
vlan2ports=3 4t 5

My port#vlans variables were always set to this:
port0vlans=1 18 19
port1vlans=0 18 19
port2vlans=0 18 19
port3vlans=2 18 19
port4vlans=0 2 16 18 19
port5vlans=0 1 2 16

So I think that your nvram settings may be excessive and that the key to getting it to work was to set your other switch to tag both VLAN's. Could you post the output from these commands please.

nvram show | grep vlan.port | sort
nvram show | grep port.vlan | sort


And when you have time could you try this and check if the trunk still works afterwards.

nvram set vlan3ports="1 3t 8"
nvram commit
reboot

Rural
DD-WRT Novice


Joined: 16 Jul 2010
Posts: 5

Posted: Tue Aug 03, 2010 15:34
I'm sorry. My (much needed) vacation began shortly after you posted the query for more information. Unfortunately, I almost completely unplug while on vacation.

As requested:

Code:
root@wrtb:~# nvram show | grep vlan.port | sort
size: 24486 bytes (8282 left)
vlan0ports=1 2 3 4 5*
vlan1ports=4 3t 2 1 8*
vlan2ports=0 8
vlan3ports=1 3t 8


And:

Code:
root@wrtb:~# nvram show | grep port.vlan | sort
size: 24486 bytes (8282 left)
port0vlans=2 18 19
port1vlans=1 18 19
port2vlans=1 18 19
port3vlans=1 3 18 19
port4vlans=1 18 19
port5vlans=1 2 3 16


This is all as I left it after it started working.

As you can see from the above, vlan3ports is already set as you requested. I'm not sure if I erroneously reported what I originally did (1 3t 8*) or if the software ignored/corrected the asterisk.

In any case, I'm glad that my bungling helped shed some light on 802.1q.

When I get some time later this week, I'm going to continue to work on this with the goal of getting all the wireless traffic leaving the RT-N16 on VLAN 3.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Tue Aug 03, 2010 16:51
Hmm, okay. It seems that having the tagged port in every vlan#ports variable is the important part. Buddee is giving me a wrt320n so I'll be able to play around with a gigabit model myself in a few days.

Rural wrote:
When I get some time later this week, I'm going to continue to work on this with the goal of getting all the wireless traffic leaving the RT-N16 on VLAN 3.

This part is easy and I set up both models in my trunk tests with 2 WLAN's, separate subnets for all 4 bridge interfaces, routing, and firewalling. I'll be writing it up as a sort of extension to the multiple WLAN article.

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=464533#464533

LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

Posted: Tue Aug 03, 2010 17:34
phuzi0n wrote:

So I was finally able to get a trunk between my wrt54gs v2.0 and wrt300n v1.1 and I've explored quite a bit of combinations of settings. Here's a list of my results which took several hours of swapping cables between ports to verify. I always mirrored the same nvram variables on both models.

snip...


I have reviewed the Broadcom driver source in order to understand how the VLAN's work in our routers, let's see if this makes sense:

There is a limit of VLAN ID's, set by
Code:
 #define VLAN_MAXVID   15   /* Max. VLAN ID supported/allowed */

ie 16 ID's from 0-15.

There is also a limit of ports that can be a member of a VLAN, set by
Code:
 #define DEV_NUMIFS   16   /* Max. # of devices/interfaces supported */

ie a VLAN can not have more than 16 members.

Port tagging is another thing though, the port tag register is 12 bits wide allowing tags 0-4095.

Do I understand it right if I say that we are not able to change the port tag number, enabling port tagging gives us a port tag number which equals the VLAN ID?

_________________
Kernel panic: Aiee, killing interrupt handler!
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Tue Aug 03, 2010 18:42
LOM wrote:
I have reviewed the Broadcom driver source in order to understand how the VLAN's work in our routers, let's see if this makes sense:

There is a limit of VLAN ID's, set by
Code:
 #define VLAN_MAXVID   15   /* Max. VLAN ID supported/allowed */

ie 16 ID's from 0-15.

There is also a limit of ports that can be a member of a VLAN, set by
Code:
 #define DEV_NUMIFS   16   /* Max. # of devices/interfaces supported */

ie a VLAN can not have more than 16 members.

Port tagging is another thing though, the port tag register is 12 bits wide allowing tags 0-4095.

Well, this much makes sense because the hardware is limited to VID's 0-15 but 802.1q specifies that the VID field is 12 bits.

http://en.wikipedia.org/wiki/IEEE_802.1Q#Frame_format

It still doesn't explain how tagging multiple VID's on a single port works within the driver like you've been trying to figure out.

LOM wrote:
Do I understand it right if I say that we are not able to change the port tag number, enabling port tagging gives us a port tag number which equals the VLAN ID?

When you tag a port then it can be put into multiple VLAN's and it tags traffic from all of those VLAN's. For instance, I tagged port 4 on both devices and put it into VLAN0 and VLAN2. I was then able to send traffic between devices in VLAN2 from one router to the other through port 4, and the same goes for devices in VLAN0. Devices in VLAN0 couldn't talk to devices in VLAN2 and vice versa until after I set up routing and the firewall which is exactly how trunking is supposed to work.

Note: I'm presuming that the reason the combination below worked is only because the * denotes the default VLAN to put untagged traffic into. I'll investigate it soon.

#worked
vlan0ports=1 2 4 5*
vlan1ports=0 5
vlan2ports=3 4t 5

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
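
Added example, not part of any post above and not DD-WRT's own code: a small shell/awk check that turns the vlan#ports values discussed in this thread into a per-port view and warns about the two conditions the thread identifies, namely a port that is an untagged member of more than one VLAN (one of phuzi0n's "didn't work" combinations) and a VLAN ID above the VLAN_MAXVID of 15 that LOM quoted. The function name and the CPU-port argument are assumptions: the port that appears in every vlan#ports value (5 or 8 in the outputs above) is treated as the internal CPU-facing port and skipped.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `nvram show`-style lines on stdin.
# $1 = port number to ignore as the internal CPU-facing port (assumption:
# the port that appears in every vlan#ports value, 5 or 8 in the thread).
lint_vlan_ports() {
    awk -F= -v cpu="$1" '
    /^vlan[0-9]+ports=/ {
        vid = $1; sub(/^vlan/, "", vid); sub(/ports$/, "", vid)
        if (vid + 0 > 15)   # VLAN_MAXVID quoted from the driver source
            printf "WARN vlan%s: VID above VLAN_MAXVID (15)\n", vid
        n = split($2, member, " ")
        for (i = 1; i <= n; i++) {
            m = member[i]
            sub(/\*$/, "", m)                 # "*" suffix, see the thread
            suffix = (m ~ /t$/) ? "t" : ""    # "t" suffix = tagged member
            sub(/t$/, "", m)
            if (m == cpu) continue
            view[m] = view[m] " " vid suffix
            if (suffix == "") { count[m]++; vlans[m] = vlans[m] " " vid }
            if (m + 0 > maxport) maxport = m + 0
        }
    }
    END {
        for (p = 0; p <= maxport; p++) {
            if (!(p in view)) continue
            printf "port %d:%s\n", p, view[p]
            if (count[p] > 1)
                printf "WARN port %d: untagged in VLANs%s\n", p, vlans[p]
        }
    }'
}

# Two of the combinations phuzi0n listed, copied from the post.
DIDNT_WORK='vlan0ports=1 2 4 5*
vlan1ports=0 5
vlan2ports=3 4 5'
WORKED='vlan0ports=1 2 4 5*
vlan1ports=0 5
vlan2ports=3 4t 5'

echo "== didn't work =="; printf '%s\n' "$DIDNT_WORK" | lint_vlan_ports 5
echo "== worked ==";      printf '%s\n' "$WORKED"     | lint_vlan_ports 5
```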