Switched Ports

From DD-WRT Wiki

Jump to: navigation, search

Contents

[edit] Introduction

This page explains how to configure VLAN's properly by setting the nvram variables to configure them because the GUI does not always do so correctly. As far as I know this only applies to Broadcom based hardware.

Note: The WLAN is a separate interface from the switch and it does not support VLANs although it can create virtual interfaces which are similar in some aspects. The WLAN interface is bridged to the LAN VLAN by default. It is possible to bridge VLAN's to different physical or virtual wireless interfaces using Multiple WLANs.

[edit] Before you start

Telnet/SSH to the router (don't use the web UI!!!) and run these commands to check the nvram variables for your default vlan configuration before you start so that you know the default configuration if you need to revert your changes without hard resetting.

nvram show | grep vlan.*ports
nvram show | grep port.*vlans
nvram show | grep vlan.*hwname

These commands will output a bunch of lines that have a name, an equal sign (=), and then some more text which is the value of the variable like so:

vlan0ports=1 2 3 4 5*

To revert your changes you will have to put nvram set in front of each line and encapsulate each value with quotes to turn it into a command to set the nvram variable to the original value. You will also have to commit the data to nvram and reboot to finish reverting like so:

nvram set vlan0ports="1 2 3 4 5*"
[more variables you're reverting]
nvram commit
reboot

[edit] NVRAM Variables Explained

[edit] vlan#ports

The vlan#ports variables are the main variables to configure to place ports into different VLAN's and to enable 802.1q tagging.

With 100 mbps ports the vlan#ports variables typically appear like this:

nvram show | grep vlan.*ports
vlan0ports=1 2 3 4 5*
vlan1ports=0 5 

With gigabit ports the vlan#ports variables typically appear like this:

nvram show | grep vlan.*ports
vlan1ports=1 2 3 4 8*
vlan2ports=0 8

For 100mbps routers the variable vlan0ports is the VLAN for LAN ports while vlan1ports is for the WAN ports. For gigabit routers the variable vlan1ports is the VLAN for LAN ports while vlan2ports is for the WAN ports.

The numbers mean the following:

  • WRT54G v4, WRT54GS v3, WRT54GL v1.1
0  = port 4
1  = port 3
2  = port 2
3  = port 1
4  = WAN
5  = CPU internal
5* = CPU internal default
  • WRT54G v2/v3, WRT54GS v1/v2
0  = WAN
1  = port 1
2  = port 2
3  = port 3
4  = port 4
5  = CPU internal
5* = CPU internal default
  • Gigabit routers
[0-4] = Can be forward or reverse like above
8 = CPU internal
8* = CPU internal default

A little extra explanation regarding the CPU internal port:

The switch that is built into 100 mbps routers is a 6 port switch. The sixth port (numbered 5) is the only port not connected to an outside connector. Instead, it is directly connected to the et0 interface on the motherboard. On gigabit routers the CPU internal port is number 8 but I do not know what ports 5-7 are for on these models. The CPU internal port must be included on any VLAN that must be visible to the CPU. The asterisk (*) signifies that the VLAN it is attached to is the default VLAN (only put this in one VLAN). If the switch receives a packet on the CPU internal port that is not tagged then it is put into the VLAN where the * is configured; always make sure this is the LAN VLAN.

A "t" after a port number means to tag the VLAN ID using 802.1q spec. See the usage examples below for more explanation.

[edit] port#vlans

The port#vlans variables primarily control what the GUI displays and don't seem to have much other effect; however, the port5vlans variables is important. While the previous vlan#ports variables contained a list of ports that are in the VLAN, the port#vlans variables contain a list of VLAN's that the port is in.

With 100 mbps ports the port#vlans variables typically appear like this:

port0vlans=1
port1vlans=0
port2vlans=0
port3vlans=0
port4vlans=0
port5vlans=0 1 16

With gigabit ports the port#vlans variables typically appear like this:

port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 16

If you've ever pressed the save or apply buttons on the VLANs GUI page then you'll also see 18 and 19 in the values for port[0-4]vlans.

The numbers mean the following:

0 = VLAN 0 is checked
1 = VLAN 1 is checked
...
15 = VLAN 15 is checked
16 = Tagged is checked
17 = Auto-Negotiate is unchecked
18 = 100 Mbit is unchecked or greyed because Auto-Negotiate is checked
19 = Full-Duplex is unchecked or greyed because Auto-Negotiate is checked
20 = Enabled is unchecked.

The port5vlans is a bit odd. It corresponds to the internal port regardless of whether you have 100mbit or gigabit ports. ie. gigabit models do not have a port8vlans variable. It is also essential to set it correctly if you are enabling additional VLAN's. It must be set to include every active VLAN and be tagged.

For instance, if you had ports in VLAN 1, 2, and 3 then you would set it like so:

nvram set port5vlans="1 2 3 16"

[edit] vlan#hwname

These are the simplest variables. If you are enabling additional VLAN's then you simply need to set the vlan#hwname variables to et0 for each VLAN # you're enabling.

For instance, if you were enabling VLAN 3 you would set:

nvram set vlan3hwname=et0

[edit] Finishing up

After you've set all your nvram variables you need to make sure to commit them so that they will be saved! Then you need to reboot to have your new configuration take effect.

nvram commit
reboot


[edit] Usage examples

Note: Only VLAN's 0-15 are usable on 100mbit models and VLAN's 1-15 on gigabit models.

[edit] Second WAN port

You can move ports to the WAN VLAN to make them act as WAN ports residing outside the router's NAT or to just replace a damaged WAN port. Devices attached to these ports will request their IP addresses from the ISP instead of getting a private IP address from your router. One might want to have such behavior when having unsorted firewall issues with a SIP operator.

nvram set vlan0ports="1 2 3 5*" 
nvram set vlan1ports="0 4 5" 
nvram commit 
reboot

[edit] Disable LAN ports

Another use is to disable all LAN ports except the one that connects you to the rest of the world. You can use your router as an access point and no one can plug in a network cable to get around your Radius authentication (requested in the German DD-WRT forum http://www.dd-wrt.com/phpBB2/viewtopic.php?p=26821).

Tested with a WRT54G v5

nvram set vlan0ports="3 5*"
nvram set vlan1ports="5"
nvram commit
reboot 

will only enable LAN port 1. You can plug cables into the other ports and try to hijack the internet connection but you will not even get to the firewall.

[edit] Separate LAN ports (into another subnet)

You can create new VLAN's to separate LAN ports into different subnets. After you have them separated you can use iptables to restrict access between the VLAN's/subnets.

nvram set vlan0ports="1 2 3 5*" 
nvram set vlan1ports="0 5" 
nvram set vlan3ports="4 5"
nvram set vlan3hwname=et0
nvram set port4vlans="3 18 19"
nvram set port5vlans="0 1 3 16"
nvram commit 
reboot

[edit] 802.1q VLAN trunk

VLAN trunking allows you to connect VLAN's across multiple devices without having to use a cable for each VLAN. For instance, if you had VLAN 1 and VLAN 3 on two different devices then you can create a trunk port on both devices to tag the Ethernet frames with an 802.1q header. Then devices in VLAN 1 on router 1 can communicate with devices in VLAN 1 on router 2 and devices in VLAN 3 on router 1 can communicate with devices in VLAN 3 on router 2.

Note: Broadcom's 100mbit switches use VLAN 0 as the default LAN VLAN but 802.1q specifies that a tag of "0" means that the frame doesn't belong to any VLAN. This is the reason gigabit models use VLAN 1 for their LAN and you should avoid using VLAN 0 in a trunk because of this.

For every VLAN that you want to be trunked you must put the trunk port into the VLAN and add a "t" after the port number to indicate that it will be tagged.

Here is an example of how to put three LAN ports into separate VLAN's and use the fourth LAN port as a trunk on a gigabit model. The commands that are commented out should already be set by default.

nvram set vlan1ports="3 4t 8*"
#nvram set vlan2ports="0 8"
nvram set vlan3ports="2 4t 8"
nvram set vlan4ports="1 4t 8"
#nvram set port0vlans="2 18 19"
nvram set port1vlans="4 18 19"
nvram set port2vlans="3 18 19"
#nvram set port3vlans="1 18 19"
nvram set port4vlans="1 3 4 16 18 19"
nvram set port5vlans="1 2 3 4 16"
#nvram set vlan1hwname=et0
#nvram set vlan2hwname=et0
nvram set vlan3hwname=et0
nvram set vlan4hwname=et0
nvram commit
reboot

It is also possible to have only the trunk port in a VLAN. This is useful for connecting VAP's on different devices together by bridging an 'empty' VLAN with the VAP.

nvram set vlan1ports="1 2 3 4t 8*"
nvram set vlan3ports="4t 8"
nvram set port4vlans="1 3 16 18 19"
nvram set port5vlans="1 2 3 16"
nvram set vlan3hwname=et0
nvram commit
reboot

On some models it is also possible to create a default VLAN (untagged VLAN on a trunk port) which is not possible at all in the GUI even if the GUI works for your model. This example makes VLAN 1 the default VLAN for port 4 while also tagging VLAN 3 on port 4.

nvram set vlan1ports="1 2 3 4 8*"
nvram set vlan3ports="4t 8"
nvram set port4vlans="1 3 16 18 19"
nvram set port5vlans="1 2 3 16"
nvram set vlan3hwname=et0
nvram commit
reboot

[edit] References