Posted: Wed Jun 28, 2017 19:19 Post subject: VLan + vWifi = oddities ?
Basic info:
Router: ASUS RT-N66U (B1) and
Firmware: DD-WRT v3.0-r32170 big (06/01/17) [dd-wrt.v24-32170_NEWD-2_K3.x-big-RT-N66U.trx]
Hi all,
basically because I moved into a new house combined with the fact that networking in general and particularly IoT security has generally become a big pile of poo I decided to replace my trusty RT-N66U with a proper pfsense appliance in the basement and put the RT-N66U to good use as a powerful WiFi extender right in the center of the building. I created 5 vLans:
1: management vLan (no wireless)
2: Parents
3: Kids
4: Guests
5: IoT & china crap
The RT-N66U is supposed to simply bridge wl0 to vLan 2 and wl0.[123] to vLan[345] and leave all management and routing to the basement appliance. To achieve that I first read a lot, then flashed the router with tomato, cursed a lot, read a lot again, then flashed with dd-wrt.
I created 5 bridge interfaces br0-br4 for the five vLans, respectively, as well as vlan1 to vlan5 interfaces. I configured the bridges to IP 2 in each subnet whereas the basement router lives on IP 1. I then assigned the vlan interfaces to the appropriate bridge along with the desired wl device, set switchport 1 to tagged in the VLan Admin tab and assigned all vLans to it. Since the WAN port settings in different places confused me and I don't need all the wired ports, I deactivated the WAN completely (I hope). I connected the trunked port1 to my switch and had access.
Code:
Current Bridging Table
Bridge STP Interfaces
br0 no vlan1 eth0
br1 no eth1 eth2 vlan2
br2 no wl0.1 vlan3
br3 no wl0.2 vlan4
br4 no wl0.3 vlan5
Now we get to the oddities. At first, I could only connect the "physical" SSID on vLan2 via Wifi.
All "virtual wireless" interfaces (wl0.1-3) failed the "4way handshake" when trying to connect using WPA2 security protocol.
I had already wondered about an unexplained (no help or docs) column in the vLan GUI tab named "Assigned to Bridge". This column has dropdowns, which - theoretically - allow you to either choose "None" or "LAN" (which corresponds to the management br0 by name) - even though all assignments are already made in the networking tab. Moreover, no other bridge name but "LAN" shows up in the dropdown. Someone care to explain? :o
However, vLan 1 and 2 were assigned to "LAN" and the wifi on vLan2 worked - the others were on "None" and did not connect. So that appeared suspicious. I made a config backup and tried to set all those dropdowns to "LAN". Et voila, suddenly all WiFi networks connected fine! BUT: Interestingly enough, the "LAN" setting on Tag 3-5 only survived until I had switched tabs in the GUI and got back. Then the dropdowns for vlan3-5 had snapped back to "None" - but Wifi still continued to associate, nonetheless.
No explanation found here :? - on to the next problem: Devices do now associate to wl0.* as expected, plus they get an IP from the basement router (IP 1) via DHCP - but that is it. No other traffic seems to pass across the bridge. Ping to the ASUS on IP .2: works, but NO ping to the router on IP .1 for example. Of course DNS does not resolve and all outbound traffic fails. Whereas the "physical" Wifi wl0 / eth1 with an exactly similarly configured bridge does exactly what it is supposed to do; its wireless clients are routed properly. ALSO, to eliminate a potential misconfiguration in the basement, I assigned a wired port (4) of the ASUS eth0 switch to vLan5 and put a device on it which happily networks along, as opposed to the wireless clients on the same bridge and vLan (can be seen in the picture below).
Now I am somewhat confused about what might go wrong and what else to try. Frankly, repurposing the router to the current point, reading time and flashing included, has already eaten up about a week's worth of my spare time and I begin to wonder if I should just have left sentimental feelings aside and bought some proper business AP in the first place :-)
So maybe you can help me along by asking the right questions or finding general conceptual mistakes in my setup. I would appreciate any idea. Thank you! :-)
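As an added example (not code from the post or from DD-WRT), here is a small shell check that audits a bridging table in the layout shown above against the isolation design the post describes: one VLAN per bridge, no wireless member on the management bridge, and no SSID bridged in two places. It assumes wl* members and eth1/eth2 are the radios on this router (the post says wl0 is eth1; eth2 as the second radio is an assumption) and everything else is wired.

```shell
#!/bin/sh
# Added example, not from the post: audit a DD-WRT bridging table for the
# VLAN/Wi-Fi isolation mistakes discussed in the thread.
# stdin: the "Current Bridging Table" as pasted in the post (header line, then
# one line per bridge with members space-separated).
# Assumptions: wl* are radios/virtual SSIDs; eth1 (wl0 per the post) and eth2
# (assumed 5 GHz radio) are radios; vlanN are 802.1Q subinterfaces; rest is wired.
# Policy: 1. exactly one vlanN member per bridge;
#         2. the management bridge ($1) has no wireless member;
#         3. no wireless member sits in more than one bridge.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_bridges() {
  awk -v mgmt="$1" '
    NR == 1 { next }                               # skip the header row
    {
      br = $1; vlans = 0
      for (i = 3; i <= NF; i++) {
        m = $i
        if (m ~ /^vlan[0-9]+$/) { vlans++; continue }
        if (m ~ /^(wl[0-9]+(\.[0-9]+)?|eth[12])$/) {   # radio or virtual SSID
          if (br == mgmt) { print br ": wireless member " m " on management bridge"; bad = 1 }
          if (m in seen)  { print br ": " m " is also bridged in " seen[m]; bad = 1 }
          seen[m] = br
        }
      }
      if (vlans != 1) { print br ": expected 1 vlan member, found " vlans; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample mirroring the table in the post: should pass the policy.
GOOD='Bridge STP Interfaces
br0 no vlan1 eth0
br1 no eth1 eth2 vlan2
br2 no wl0.1 vlan3
br3 no wl0.2 vlan4
br4 no wl0.3 vlan5'

# Constructed bad case: the IoT SSID wl0.3 also ended up on the management bridge.
BAD='Bridge STP Interfaces
br0 no vlan1 eth0 wl0.3
br4 no wl0.3 vlan5'

printf '%s\n' "$GOOD" | check_bridges br0 && echo "GOOD table: clean"
printf '%s\n' "$BAD" | check_bridges br0 || echo "BAD table: findings listed above"
```

On the router itself the same function can be fed the output of the bridging table straight from the box; the policy lines are the part worth adapting to your own VLAN plan.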
Posted: Wed Jul 05, 2017 9:44 Post subject: Did I miss something?
Hi all,
due to the lack of response I'd like to ask for feedback on my OP. Are you missing something in my problem description? What do you suggest I could have done better?
Well, thank you very much!
From what you are writing I must conclude that the vLan GUI is actually some sort of mockup, designed to confuse the unsuspecting beginner?
Pretty disturbing. Does that apply to other parts of the GUI as well? :-)
Where can I find a reference to the nvram commands?
Back to OT, I tried your commands and instantly lost all wired connectivity. I double checked the switch; vLan 1-5 are correctly trunked on the port where dd-wrt connects.
Since it is very late over here I have reset the nvram settings to their previous values and will get back to the problem tomorrow. After all I do now have a clue how to move on. I'll keep you posted.