Posted: Sat Mar 17, 2018 21:58 Post subject: VAPs + VLANs
Hi,
I've configured my DD-WRT by setting the WAN interface to disabled, and I've also disabled the DHCP server, so all ports on the router get their IP addresses from an external DHCP server. Also, the WAN port has been set as a LAN port, which essentially makes this router a managed switch. This works fine for both wired and wireless networks.
However, now I would like to segment the router's network as follows:
- VLAN 2: All the LAN ports + "mywifi" ESSID (wireless AP)
- VLAN 3: Only "mywifi-guest" ESSID (wireless AP)
This would essentially tag every packet sent by clients connected to "mywifi-guest" AP with VLAN 3, while all the other packets are tagged with VLAN 2. This is already configured by the external devices, but I'm having issues with DD-WRT.
So far I've done the following. Note that the LAN PORT 1 is the one that is connected to the VLAN-enabled upstream switch, which provides DHCP and is already configured to support VLAN 2/3 tags.
The problem is that I don't know what to do next in order to be able to tag all packets coming from "mywifi-guest" as VLAN 3 - this also goes for DHCP packets. DHCP packets are forwarded to the upstream network device, which returns different IP addresses based on whether the packets are tagged with VLAN 2 or VLAN 3.
Does anybody know how I can configure the VAPs to work together with VLANs, so that the appropriate VLAN tag is added to packets based on which AP they're connected to?
The br0 contains the LAN ports and the "mywifi" wireless interfaces (ath0 ath1), while the br1 contains the "mywifi-guest" wireless interfaces (ath0.1 ath1.1). There are two of each for 2.4/5 GHz.
However, when logging into the router via SSH and issuing the tcpdump command to view the DHCP requests on the mywifi-guest interface, I can see that only DHCP requests are sent, but there are no responses.
Quote:
# tcpdump -i ath0.1 port 67 or port 68 -e -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0.1, link-type EN10MB (Ethernet), capture size 262144 bytes
The problem is that the ath0.1 is added to the br1 bridge, which doesn't contain the eth1 interface - this is the interface that is connected to the outside world to obtain the DHCP responses (based on VLAN tags).
Quote:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.1491822a67c8       no              eth0
                                                        eth1
                                                        ath0
                                                        ath1
                                                        vlan2
br1             8000.1491822a67c8       no              ath0.1
                                                        ath1.1
                                                        vlan3
However, the problem goes further, because the DHCP packets are not even VLAN-tagged.
1. How can I get the packets from the APs to be VLAN tagged? The "mywifi-guest" should have VLAN ID 3, while the "mywifi" should have VLAN ID 2. The vlan2 in br0 and vlan3 in br1 do not VLAN tag the packets that are seen in that bridge.
2. How can I assign the eth1 (external) interface to the br1 bridge? The GUI doesn't support assigning eth1 to br1 as well, but I need eth1 in both bridges, since eth1 must be in the broadcast domain to obtain the DHCP responses (from the outside DHCP server).
3. Do I even need multiple bridges: can I just have the br0 bridge and assign all interfaces to that bridge? That would essentially solve number 2 above, but I'm not sure how the packets would be VLAN tagged.
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Sun Mar 18, 2018 10:16 Post subject:
I must admit I have not studied your post in detail, but if I am correct you are setting up a Virtual Access Point on a Wireless Access Point (a simplification of your setup).
For that you always need a source natting rule, something like:
The following are DHCP packets on "mywifi" ESSID, which is capable of obtaining the IP:
Quote:
# tcpdump -i any -n port 67 or port 68
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:56:27.550651 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:27.551516 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:27.552380 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:27.554235 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:27.555297 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:27.556161 IP 192.168.1.1.67 > 192.168.1.71.68: BOOTP/DHCP, Reply, length 300
The following are DHCP packets on "mywifi-guest" ESSID, which does NOT obtain an IP:
Quote:
11:56:41.430691 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:41.431556 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:41.432421 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:41.433285 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
The tagging options in the GUI do work. Otherwise I have not heard of anyone with a successful VLAN set-up on Marvell.
The SWCONFIG utility is present though.
If anyone knows, I would be glad to hear how I can set everything up using GUI (or CLI for that matter). I think - as I've posted above - that VLAN tagging is not even enabled at the current state (I've run tcpdump and there is no indication of VLANs even being used).
As such, I'm interested in whether I should enable "VLAN tagging" in the GUI and what this option even does. There is no clear documentation about what this option is used for.
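As an added example (not code from the thread or from DD-WRT), a small shell script that applies the two checks the posts above circle around: which interfaces each bridge holds according to `brctl show`, and whether the DHCP frames shown by `tcpdump -e -n` carry an 802.1Q tag at all. The `brctl` sample reproduces the layout quoted earlier; the `tcpdump` lines are constructed in tcpdump's `-e` format, with the tagged frames' addresses made up.

```shell
#!/bin/sh
# Added example, not from the thread: (1) list a bridge's members from
# `brctl show` output and check it has a wired uplink; (2) from
# `tcpdump -e -n` output, report whether DHCP frames carry an 802.1Q tag.

# Constructed copy of the `brctl show` layout quoted in the post.
BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.1491822a67c8       no              eth0
                                                        eth1
                                                        ath0
                                                        ath1
                                                        vlan2
br1             8000.1491822a67c8       no              ath0.1
                                                        ath1.1
                                                        vlan3'

# Print the members of bridge $1 from `brctl show` output on stdin: the first
# member is on the bridge line (4th field), the rest on one-field lines.
bridge_members() {
  awk -v br="$1" '
    NR == 1 { next }
    NF >= 4 { cur = $1; if (cur == br) print $4; next }
    NF == 1 && cur == br { print $1 }'
}

# Exit 0 if bridge $1 has at least one wired eth* member (the uplink).
has_wired_uplink() {
  printf '%s\n' "$BRCTL" | bridge_members "$1" | grep -q '^eth'
}

# Constructed lines in the format of `tcpdump -e -n port 67 or port 68`; with
# -e a tagged frame shows "ethertype 802.1Q (0x8100) ... vlan <id>, p <prio>".
SAMPLE='11:56:41.430691 ec:1f:72:c9:45:90 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:42.100000 ec:1f:72:c9:45:90 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 3, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:c9:45:90, length 304
11:56:42.101000 14:91:82:2a:67:c8 > ec:1f:72:c9:45:90, ethertype 802.1Q (0x8100), length 342: vlan 3, p 0, ethertype IPv4 (0x0800), 192.168.3.1.67 > 192.168.3.50.68: BOOTP/DHCP, Reply, length 300'

# Summarise each DHCP frame on stdin as "<Request|Reply> <vlan N|untagged>".
dhcp_vlan_summary() {
  awk '/BOOTP\/DHCP/ {
    kind = ($0 ~ /BOOTP\/DHCP, Reply/) ? "Reply" : "Request"
    if (match($0, /vlan [0-9]+/)) print kind, substr($0, RSTART, RLENGTH)
    else print kind, "untagged"
  }'
}

# Number of untagged DHCP frames in the stdin capture.
untagged_count() {
  dhcp_vlan_summary | awk '/untagged/ { n++ } END { print n + 0 }'
}
```

On the router itself, pipe the live output of `brctl show` into `bridge_members br1` and of `tcpdump -i ath0.1 -e -n port 67 or port 68` into `dhcp_vlan_summary`; a stream of "Request untagged" lines confirms that no tag is being applied on that interface.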