Joined: 03 Jan 2013 Posts: 10 Location: Hamburg/Germany
Posted: Fri Jan 04, 2013 11:13 Post subject: [solved] Help needed for tagged VLAN's on Asus RT-66U
Hello to All,
I have an ASUS RT-66U running dd-wrt.v24-20363_NEWD_2_K2.6_mega-RT-N66_64K.trx. It's set up as a WAP using the DHCP server on my central firewall (Juniper SGS-5). All access rules are also maintained centrally on that firewall.
I'm trying to set up a tagged VLAN for a guest WLAN, also with a DHCP server on my central firewall, and struggle a lot with that. Even though I've read almost all available threads and tutorials, some things are still not fully clear to me, so it could easily be a misconfiguration on my side.
What I did:
(1) Basic WAP setup with WAN disabled and static IP for the LAN interface, WAN port used as part of the switch
(2) Configure a WLAN with same security on wl0 and wl1, WPA2 personal, bridged
(3) Configure a virtual WLAN interface on wl0 (wl0.1) with same security as for wl0 and wl1, bridged
(4) Created a bridge (br1) with its own static IP on a different network than br0, via the GUI
All the following steps I did via the command interface
(5) Created a VLAN (15) and assigned all necessary ports to it with:
nvram set vlan15hwname=et0
nvram set vlan1ports="1 2 3 4 8*"
nvram set vlan2ports="0 8"
nvram set vlan15ports="1t 8"
nvram set port0vlans="1 2 15"
nvram set port1vlans="1 15"
nvram set port2vlans=1
nvram set port3vlans=1
nvram set port4vlans=1
nvram set port5vlans="1 15"
nvram set probe_blacklist="vlan1 vlan2 vlan15"
brctl addif br1 wl0.1
brctl addif br1 vlan15
nvram commit
I verified all steps and settings via the command interface and it looks OK to me, even if not all values are displayed correctly through the GUI.
The normal WLANs, the ones set up as wl0 and wl1, are functioning fine, DHCP addresses are assigned by the central firewall, and traffic is routed and filtered also through the central firewall.
What is not functioning is the guest WLAN. Clients on that WLAN can connect wirelessly, but don't get an IP address assigned. They also don't get routed out to the Internet. To me it seems as if the traffic is not tagged correctly.
I set up a test environment with a laptop and connected the RT-66U by wire. With the same laptop I connected to the guest WLAN wirelessly and used Wireshark to capture the traffic on the wired interface. The packets are all without any VLAN tag in the Ethernet header, but with a small DHCP server on the laptop the client was able to get a DHCP address. So from this, the configuration in general seems to be OK. Both NICs in the laptop are 802.1Q aware, if I trust the manuals.
This results in some open questions:
(1) Do I have to tag the VLAN explicitly, meaning put on tags via the networking page in the GUI, and if yes, what do I have to tag: the interface wl0.1, the VLAN (15) or the bridge (br1)?
(2) Must the CPU port in the VLAN assignment be tagged or untagged, meaning nvram set vlan15ports="1t 8" or nvram set vlan15ports="1t 8t"?
(3) Is there something else I missed, or does the configuration seem correct?
Another strange thing I found out during testing is the behavior of the WAN port. First I wanted to use this port as a switch port and also used it in my VLAN configuration instead of port 1 (as now), but after putting the port into vlan1 and rebooting, the port was again in vlan2.
Before boot:
vlan1ports="0 1 2 3 4 8*"
vlan2ports="8"
port0vlans="1 15"
After boot:
vlan1ports="1 2 3 4 8*"
vlan2ports="0 8"
port0vlans="1 15"
Is there an explanation for that?
Any help would be greatly appreciated. Thanks
Last edited by Crumb1910 on Sun Jan 06, 2013 19:28; edited 1 time in total
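As an added example (my code, not from the thread), the consistency check I would run on nvram pairs like the ones in this first post before rebooting: it parses the posted vlanNports and portNvlans strings and reports every port/VLAN combination on which the two views disagree. The script cannot know which side is right for a given board; it only flags where the two tables contradict each other.

```python
import re

# Constructed input: the vlanNports / portNvlans values from the first post.
NVRAM = """
vlan1ports=1 2 3 4 8*
vlan2ports=0 8
vlan15ports=1t 8
port0vlans=1 2 15
port1vlans=1 15
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 15
"""

def parse_nvram(text):
    """Return ({vid: {port: tagged}}, {port: {vid, ...}}) from key=value lines."""
    vlans, ports = {}, {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        if m := re.fullmatch(r"vlan(\d+)ports", key):
            # 'Nt' = tagged member, 'N*' = default VLAN of that port, 'N' = untagged
            vlans[int(m.group(1))] = {int(tok.rstrip("t*")): tok.endswith("t")
                                      for tok in value.split()}
        elif m := re.fullmatch(r"port(\d+)vlans", key):
            ports[int(m.group(1))] = {int(tok) for tok in value.split()}
    return vlans, ports

def find_mismatches(vlans, ports):
    """(port, vid, reason) for every place the two nvram views disagree."""
    problems = []
    for port, vids in ports.items():
        for vid in vids:
            if vid not in vlans:
                problems.append((port, vid, "no vlan%dports entry" % vid))
            elif port not in vlans[vid]:
                problems.append((port, vid, "port missing from vlan%dports" % vid))
    for vid, members in vlans.items():
        for port in members:
            if port in ports and vid not in ports[port]:
                problems.append((port, vid, "vid missing from port%dvlans" % port))
    return sorted(problems)

if __name__ == "__main__":
    for port, vid, why in find_mismatches(*parse_nvram(NVRAM)):
        print("port %d / vlan %d: %s" % (port, vid, why))
```

On the posted values it reports port 0 and port 5 as claimed by portNvlans for VLANs 1 and 15 while neither appears in the corresponding vlanNports string.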
Crumb1910,
I am also running a DD-WRT access point with a guest, virtual WLAN. Both the guest WLAN and the main WLAN are tagged (VLANs 1 and 2) and isolated from one another at the access point.
In my setup, the access point is a Buffalo WHR-HP-G54, running build 14929. Granted, that system is an 802.11b/g access point, but the basics should still apply.
From the access point, traffic is trunked to a smart switch (8-port D-Link DGS-1100) that is VLAN-aware and breaks out VLANs to various ports for availability of services. The tagged VLAN traffic is also trunked out of the switch to the gateway router.
The gateway router is an RT-N66U, also running DD-WRT (Fractal build 20363) that provides all DHCP services, does NAT for the guest VLAN to the main network, provides internet services, and isolates the main and guest VLANs.
I did my configuration entirely from the GUI (screenshots below). Hopefully, something from it may be useful.
[Attached screenshots: AP_Wireless.jpg, AP_VLANs.jpg, AP_Networking.jpg]
Last edited by Jonathan on Fri Jan 04, 2013 18:44; edited 2 times in total
Joined: 03 Jan 2013 Posts: 10 Location: Hamburg/Germany
Posted: Sat Jan 05, 2013 19:32 Post subject:
Hi Jonathan,
Thanks for your help. Yes, your hints were helpful, but with my device and firmware it doesn't seem to work that way.
The settings I make on the VLAN page via the GUI are not reflected correctly in the NVRAM parameters, e.g. I put port 1 or 0 tagged into VLAN 15, but afterwards there is no NVRAM port15vlans parameter or NVRAM port15hwname=et0 to see when I look at the parameters on the command line.
Until the moment I do something with the VLAN, my normal, non-guest WLAN works fine, but if I put the ports in the VLAN the non-guest WLAN stops working, meaning a client no longer gets a DHCP address from my central firewall. The strange thing is that then the guest VLAN is able to acquire a correct IP and also has access to the internet.
I'm clueless what can cause this and think I've tried nearly everything to get this to work.
Any additional ideas are welcome.
crumb, you need to add iptables rule for your guest wl0.x to access the wan.
Joined: 03 Jan 2013 Posts: 10 Location: Hamburg/Germany
Posted: Sat Jan 05, 2013 20:59 Post subject:
Hi Fractal,
Thanks for your reply. Yes, I know I have to do some access rules. I started with:
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
I did not:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
because I disabled the WAN interface.
I also made no rules regarding BOOTP and DNS, because these should be delivered by my central firewall, not the RT-66U.
I stayed with two rules as a first try, because this should be enough to test the functionality. Later on I will surely restrict the access between the two bridges, but at the moment I just want to have as little as possible to struggle with.
Crumb,
For reference, here are the relevant nvram values for my access point, as described in the Wiki (none set directly - again, only GUI used):
root@Wireless Access Point:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0016012e353a       no              vlan0
                                                        vlan1
                                                        eth1
br1             8000.0016012e353a       no              wl0.1
                                                        vlan2
I'll admit I am no expert on setting the nvram values for VLANs directly. But all efforts on my part to do so by following the Wiki recommendations resulted in lockups, requiring hard flash resets on the router.
In particular, changing the "vlan*ports" parameters caused endless headaches--especially when trying to indicate some ports as "tagged"--and at least from the above, doesn't seem to be necessary in current builds.
I verified VLAN tagging for both the main and guest networks accessed through the access point were working via packet counts on relevant VLAN interfaces at a connected Linux host.
For reference, my gateway router (my RT-N66U), also running DD-WRT (thanks, Fractal), is set up as described here:
Joined: 03 Jan 2013 Posts: 10 Location: Hamburg/Germany
Posted: Sun Jan 06, 2013 9:49 Post subject:
Hi Jonathan,
I tried it "your" way this morning and ended up with the same problems I had before with my "manual" configuration. It seems that the GUI is setting all necessary things, even if the NVRAM parameters do not reflect these settings in the expected way.
I still have my guest WLAN working the way it should, but the clients on the main WLAN are not getting an IP. From my understanding I do not need iptables rules for the traffic on the br0 interface, as this interface belongs to the LAN and is transparent for all interfaces within that bridge, but it's not working that way. I can't even ping the LAN interface directly from the firewall from a separate network. The pings are going out, but the LAN interface is not replying; really strange.
Claudia,
This is an interesting problem. What does wireshark now show of the wired traffic to and from the access point? Does it have VLAN tagging (I assume you're still running with VLANs 1 and 15 out of the LAN 1 port)?
Also, did you reset nvram to defaults at some point? Even though the GUI may be set correctly, previous attempts to modify nvram directly might be interfering with your current setup...
From what I can tell of my own setup and what you've described from yours, you should NOT need to modify any iptables rules on your DD-WRT access point. The access point is simply providing two WLANs, each with its own bridge to its own VLAN, and on the VLAN page, your output port should be in both VLANs with tagging set. Granted, I used the WAN port instead of a LAN port, but it should work either way.
All access rules/routing should be taking place on your Juniper firewall/gateway, and that device should be the one to provide DHCP on a per-VLAN basis and route traffic (I'm not familiar with Juniper programming, unfortunately).
I apologize that you're still having trouble, and if I'm suggesting the obvious. I'm just not sure what could be causing the problem.
If it's helpful, I'm attaching a copy of my own Putty log with outputs from the same commands you ran, for comparison. There are some obvious differences due to setup (and perhaps DD-WRT builds), but the biggest ones I see are 1) the iptables rules and 2) the vlan1ports and vlan15ports nvram values.
I believe the vlan*ports nvram values, if they include the "t" addon, may correspond with the "tagging" settings on the "Setup-Networking" page, which some have indicated may cause problems. It seems to me this is at odds with what the "switched ports" Wiki page recommends.
Joined: 21 Nov 2010 Posts: 278 Location: North America
Posted: Sun Jan 06, 2013 16:41 Post subject:
Crumb1910 wrote:
Hi Jonathan,
I tried it "your" way this morning and ended up with the same problems I had before with my "manual" configuration. It seems that the GUI is setting all necessary things, even if the NVRAM parameters do not reflect these settings in the expected way.
I still have my guest WLAN working the way it should, but the clients on the main WLAN are not getting an IP. From my understanding I do not need iptables rules for the traffic on the br0 interface, as this interface belongs to the LAN and is transparent for all interfaces within that bridge, but it's not working that way. I can't even ping the LAN interface directly from the firewall from a separate network. The pings are going out, but the LAN interface is not replying; really strange.
I have no idea about what's going on there.
Thanks,
Claudia
Could you dump the iptables to a file again but this time use the following syntax:
iptables -t nat -nvL
iptables -t filter -nvL   <<= If the "-t" option isn't used the filter table (the most important one) is the default
Joined: 03 Jan 2013 Posts: 10 Location: Hamburg/Germany
Posted: Sun Jan 06, 2013 19:26 Post subject:
GOTCHA !!!
I got it to work.
After endless testing I found out why it was not working. The reason was the missing switch between the RT-66U and my firewall. The switch, an HP 1700-8, is 802.1q aware AND uses VLAN 1 as the default network. I had removed the switch from my testing environment to have as few devices as possible to handle.
Without the switch, all packets went tagged to my firewall, which means VLAN 15 AND VLAN 1 both got tagged, but the firewall only was aware of tags for VLAN 15, not for packets with a tag for VLAN 1.
With the switch in place, the tags for VLAN 1 were removed by the switch and the packets went to the firewall with NO tag or untagged. Untagged, the packets reached the right interface and a DHCP address was assigned correctly.
Conclusion:
It seems that all traffic is tagged, independent of the port setting (tagged or untagged) in a VLAN group, and what you see might not be what you get in regards to the vlan[0-15]ports NVRAM parameter.
Thanks to everybody.
@Magnetron1.1:
I'm actually using these access rules
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
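The conclusion above, as an added example that is not part of the original post: a small 802.1Q decoder (Python, my code) run over three constructed frames, a guest frame tagged VID 15, a main-WLAN frame tagged VID 1 as the AP sends it when wired directly to the firewall, and the same frame untagged as it arrives after the switch strips its default VLAN. The firewall model (a sub-interface only for VLAN 15, untagged traffic to the native LAN interface) is an assumption matching what the post describes.

```python
import struct

def vlan_of(frame):
    """Return (vid, inner_ethertype) for an 802.1Q frame, (None, ethertype) otherwise."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:                      # 802.1Q TPID follows the MACs
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner               # low 12 bits of the TCI = VID
    return None, ethertype

def build_frame(vid=None, ethertype=0x0800):
    """Constructed test frame: locally administered MACs, optional 802.1Q tag."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vid is not None:
        hdr += struct.pack("!HHH", 0x8100, vid & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + bytes(46)                       # dummy payload / padding

# Assumption: the firewall has a sub-interface only for VLAN 15; untagged
# traffic lands on its native LAN interface, any other tag has no home.
FIREWALL_VIDS = {15}

def classify(frame):
    """Where the assumed firewall would deliver this frame."""
    vid, _ = vlan_of(frame)
    if vid is None:
        return "untagged -> native LAN interface"
    if vid in FIREWALL_VIDS:
        return "tagged %d -> VLAN %d sub-interface" % (vid, vid)
    return "tagged %d -> no matching sub-interface, dropped" % vid

if __name__ == "__main__":
    for label, f in (("guest", build_frame(15)), ("main, AP alone", build_frame(1)),
                     ("main, via switch", build_frame())):
        print("%-18s %s" % (label, classify(f)))
```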
I admit, I actually thought you WANTED it that way (both VLANs tagged), and run it that way, myself. Like you, I use a switch that does some VLAN tagging removal. I haven't tried to set up a WAP with both tagged and untagged networks out of the same port.