VLANs and internal DNS Server

DD-WRT Forum Index -> Broadcom SoC based Hardware
jebise101
DD-WRT Guru


Joined: 25 Sep 2009
Posts: 594

PostPosted: Tue Dec 26, 2017 16:06    Post subject: VLANs and internal DNS Server
I'm using the R7000 with VLANs and 3 APs; I'm unable to get my guest network (vlan3) to talk to the internal DNS server on my main LAN (vlan1).

When I was using the wifi on the R7000 I used the below firewall command, but now it's not working.

Any ideas?

Code:
iptables -I FORWARD -i br1 -p tcp -d dns.ip.address -m multiport --dport 53,80,443 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -d dns.ip.address -m multiport --dport 53,80,443 -j ACCEPT


I didn't use DNSMasq to set up the DHCP server for vlan3; instead I used DHCPD, found in the Networking tab.

Under the additional dnsmasq options I have the below, which worked when I used wifi on the R7000:

Code:
dhcp-option=br0,6,dns1.ip.address,dns2.ip.address
dhcp-option=br1,6,dns1.ip.address,dns2.ip.address


EDIT

It seems as soon as I tag vlan3 and vlan1 on port 1 I start to have DNS issues on all my wired devices; oddly, wifi seems to be okay.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Tue Dec 26, 2017 18:52    Post subject:
I believe -m multiport is stripped out, or has very limited use, as it does not work with ports other than 443, 53, 80... Try with one rule per port spelled out;
yep, I know many rules are needed...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
jebise101
DD-WRT Guru


Joined: 25 Sep 2009
Posts: 594

PostPosted: Tue Dec 26, 2017 19:15    Post subject:
Actually my major issue now is I'm having DNS issues on all my wired devices.

I have port 1 on the R7000 going to a Netgear 16-port unmanaged switch; everything is plugged into the switch, so ports 2,3,4 are unused on the R7000.

As soon as I check the tagged box and then tag port 1 to vlan1 and vlan3 I start having DNS issues.

All wired/wireless devices are getting the proper vlan1 subnet, as are all wireless devices on vlan3; when on wifi, both vlan1 and vlan3 devices have no issues with DNS. It's only wired devices that have DNS issues.

What makes this weirder is that my APs are plugged into the 16-port switch, so wireless should also have DNS issues, but they do not.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Tue Dec 26, 2017 20:18    Post subject:
You cannot tag the port connected to an unmanaged switch. You need a managed or smart switch to support vlans.
jebise101
DD-WRT Guru


Joined: 25 Sep 2009
Posts: 594

PostPosted: Tue Dec 26, 2017 20:41    Post subject:
Ohh, I guess that makes sense; it explains why the APs are working. Would another DD-WRT router with DHCP disabled work instead of buying a managed switch?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Wed Dec 27, 2017 4:05    Post subject:
Can't you connect the 3 APs to the free ports on R7000?
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Wed Dec 27, 2017 7:29    Post subject:
You most certainly can tag a port connected to an unmanaged switch. The tag will pass through to all ports.

It's a technique some use here to split IPTV & internet served on separate VLANs to different routers. Yes, a managed switch is a better solution for many reasons, but that does not invalidate the use of VLANs and unmanaged switches.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Wed Dec 27, 2017 8:47    Post subject:
The solution is to keep VLAN1 untagged and tag VLAN3, so the switch still can communicate with the R7000 on VLAN1.
jebise101
DD-WRT Guru


Joined: 25 Sep 2009
Posts: 594

PostPosted: Thu Dec 28, 2017 0:09    Post subject:
Well, I bought a managed switch, which I'd rather return if I can get away without it, as I'm struggling to understand how to set it up correctly with DD-WRT. Most tutorials use the same brand of router, switch and AP, but with DD-WRT it's a bit challenging without proper documentation.

Anyway, how am I supposed to tag vlan3 but not tag vlan1 on port 1, or any other port for that matter?

Is this not correct?
https://imgur.com/a/HL0GN

A bit more in-depth explanation of my setup; note I do not have any managed switches on the network.

Bold marks the items in the basement:
Modem > R7000 > switch > Ground floor > Switch > AP and other devices
Modem > R7000 > switch > 2nd floor > Room 1 > AP
Modem > R7000 > switch > 2nd floor > Room 2 > Switch > AP and other devices.

Using ports 2,3,4 will not help in this case (unless I'm missing the obvious?) as I want all my devices on the main LAN, but want the APs to use vlan1 for my main wifi and vlan3 as my guest wifi. The APs work without issues on both VLANs; it's all the other wired devices that start to have DNS issues, yet they get the proper subnet for vlan1. I'm able to ping and do other things, but all report DNS errors for whatever reason.
jebise101
DD-WRT Guru


Joined: 25 Sep 2009
Posts: 594

PostPosted: Thu Dec 28, 2017 4:53    Post subject:
Now I'm even more confused after adding the managed switch. Prior I was able to get the proper subnet on all devices including the guest wifi but now even that is not working, everything is routed to vlan1.

Most of my devices are still on port 1 on the R7000, using the 16-port dumb switch.

R7000 port 2 is set to tagged and I check-marked vlan1 and vlan3; port 2 is plugged into port 1 on the managed switch.

Now on the managed switch, ports 2,3,4 are my APs. vlan1 is untagged (default) for all ports; on vlan3 I set port 1 as untagged and ports 2,3,4 as tagged. Does port 1 need to be set as tagged as well?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Thu Dec 28, 2017 14:04    Post subject:
To use tagged/untagged on individual VLANs for a port, the CLI must be used.

To get the current setup:

nvram show | grep vlan.*ports


A t indicates tagging:

nvram set vlan1.ports="1t 2 3 4 7"
jebise101
DD-WRT Guru


Joined: 25 Sep 2009
Posts: 594

PostPosted: Thu Dec 28, 2017 22:39    Post subject:
From the CLI I see the below, so I guess it hasn't tagged the ports even though tagged is selected in the web UI. Also, I was able to get the managed switch to work by setting ports 1,2,3,4 as tagged ports.

vlan2ports=0 5u
vlan1ports=1 2 3 4 5*

So do I use the below to tag port 1 to vlan1 and vlan3?

nvram set vlan1.ports="1t 2 3 4 5"
nvram set vlan3.ports="1t 2 3 4 5"
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Fri Dec 29, 2017 4:30    Post subject:
Set only one VLAN on an untagged port.

nvram set vlan1.ports="1t 2 3 4 5*"
nvram set vlan3.ports="1t 5"


Last edited by Per Yngve Berg on Mon Jan 01, 2018 10:42; edited 1 time in total
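An added example (not from the thread or from DD-WRT itself): a small Python checker for the vlanNports syntax shown in the posts above. It parses the output of `nvram show | grep vlan.*ports`, treats `t` as tagged and bare, `u` and `*` as untagged, and reports any port that is an untagged member of more than one VLAN, which is the rule stated in this reply. It assumes port 5 is the CPU-facing switch port (it appears in every VLAN in the nvram dump posted earlier) and skips it by default; the two inputs are constructed from the configurations proposed and suggested in the thread.

```python
import re

# Token forms assumed for one vlanNports entry:
#   "2"  untagged member       "1t" tagged member
#   "5u" untagged member       "5*" untagged member and the VLAN's default port
TOKEN = re.compile(r"^(\d+)([tu*]?)$")
# Assumption: port 5 is the CPU-facing switch port on this device (the dump
# in the thread lists it in both vlan1ports and vlan2ports), so skip it.
CPU_PORT = 5


def parse_ports(value):
    """Return {port: is_tagged} for one value such as '1t 2 3 4 5*'."""
    members = {}
    for tok in value.split():
        m = TOKEN.match(tok)
        if not m:
            raise ValueError(f"unrecognised port token {tok!r}")
        members[int(m.group(1))] = (m.group(2) == "t")
    return members


def parse_nvram(text):
    """Parse 'vlan1ports=...' lines; the 'vlan1.ports' spelling is accepted too."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"^vlan(\d+)\.?ports=(.*)$", line.strip())
        if m:
            vlans[int(m.group(1))] = parse_ports(m.group(2))
    return vlans


def untagged_conflicts(vlans, skip=(CPU_PORT,)):
    """Ports that are untagged members of more than one VLAN.

    A physical port can carry only one untagged (native) VLAN; every port
    returned here violates that rule and needs a 't' on all but one VLAN."""
    by_port = {}
    for vid, members in vlans.items():
        for port, tagged in members.items():
            if not tagged and port not in skip:
                by_port.setdefault(port, set()).add(vid)
    return {p: sorted(v) for p, v in sorted(by_port.items()) if len(v) > 1}


# Constructed inputs, copied from the two configurations discussed in the thread.
PROPOSED = "vlan1ports=1t 2 3 4 5\nvlan3ports=1t 2 3 4 5\n"
SUGGESTED = "vlan1ports=1t 2 3 4 5*\nvlan3ports=1t 5\n"

if __name__ == "__main__":
    for name, text in (("proposed", PROPOSED), ("suggested", SUGGESTED)):
        print(name, untagged_conflicts(parse_nvram(text)))
```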
jebise101
DD-WRT Guru


Joined: 25 Sep 2009
Posts: 594

PostPosted: Sat Dec 30, 2017 1:02    Post subject:
So what is the web UI doing then, when I check tagged and place a check mark on both vlan1 and vlan3 for port 1?
jebise101
DD-WRT Guru


Joined: 25 Sep 2009
Posts: 594

PostPosted: Sat Dec 30, 2017 4:20    Post subject:
Well, I give up getting DD-WRT to work for both vlan1 and vlan3 on port 1. I either get no IP address, or everything is on the proper VLAN with working wifi including my guest wifi, but none of my other wired devices can get online.

I guess I'll stick with a managed switch plus tagging the VLANs in the web UI in DD-WRT; at least this works properly.

Now the last thing I need to figure out is how to make vlan1 invisible to vlan3.

Any pointers?