Using router's built in switch to create vlan tagged subnet

[FalconB]

In my quest to separate some of my devices (ie IoT-stuff) from the rest of my network, I have (yet again) reached a point where I am stuck :-(

At the moment I want to use my router's built in switch to create a separate subnet with dhcp and vlan-tag on a specific lan port (port #4). I want this subnet to use the 192.168.4.0 ip address range (my orginal home network uses 192.168.1.0 address). I have succesfully been able to create a VLAN, vlan2004 for the router's lan port #4. I have also been able to create a bridge, br4 including the vlan2004 interface.

Now, here's where I get stuck despite trying to read up on the forum.

* Devices connected on lan port #4 (ie vlan2004), with a manually assigned 192.168.4.x ip address, are not able to reach either internet or my original home network. Probably some routing rules missing (ie ebtables or iptables)?

* I can assign an ip address to both the VLAN and the bridge but I don't know which one to use, ie which one should be set as the gateway and have the address 192.168.4.1? It's not possible to ping either ip address of the vlan or the bridge from a connected device.

* Also, I can't get DHCP to work on the subnet, even though I tried using dnsmasq.conf.add as described in the wiki, followed by a "service restart_dnsmasq". Should the dnsmasq.conf.add use the VLAN tag or the bridge in it?

 

[schmerg]

In my quest to separate some of my devices (ie IoT-stuff) from the rest of my network, I have (yet again) reached a point where I am stuck :-(

At the moment I want to use my router's built in switch to create a separate subnet with dhcp and vlan-tag on a specific lan port (port #4). I want this subnet to use the 192.168.4.0 ip address range (my orginal home network uses 192.168.1.0 address). I have succesfully been able to create a VLAN, vlan2004 for the router's lan port #4. I have also been able to create a bridge, br4 including the vlan2004 interface.

Now, here's where I get stuck despite trying to read up on the forum.

My thread about how I set up a tagged VLAN for a wireless access point (ie the AP broadcast 2 SSIDs, traffic from each SSID gets a different VLAN tag - one is a guest SSID, the other is "normal") may be of some use as to configuring dnsmasq etc (in the 1st few posts I tried doing the VLANs with a smart switch and a tagged port, but by about the 3rd post I discarded the smart switch and simply recognise VLAN tags on any port - have a look at the scripts and configs from that point on).

I'm no expert mind, but the scripts are there with the config files etc in case it's of any use.

If all else fails, post the scripts/configs you've got so far and I can have a look according to my limited understanding... and the smarter people here may also find it easier to identify what you're missing.

Regards

Tim

 

[FalconB]

First of all, thank you for taking your time helping me with my problems!

So, like many of the users here the idea of restarting internet all the time isn't very popular among other family members, hence I can't test too much during daytime and evening. Anyways, below is the scripts I've created (a copy/paste from what I've read on the forum and internet):

/jffs/scripts/nat-start.sh

#!/bin/sh

##########################
# Remove LAN port 4 from VLAN1  #
##########################
robocfg vlan 1 ports "1 2 3 5t"

################
# Create VLAN 2004 #
################
robocfg show | grep -i vlan2004 > /dev/null 2>&1 || \
(
  # setup VLAN 2004 on LAN port 4
  robocfg vlan 2004 ports "4 5t"
  vconfig add eth0 2004
  ifconfig vlan2004 192.168.4.1 netmask 255.255.255.0 up
)

###########
# Create rules #
###########
iptables -I FORWARD -i vlan2004 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan2004 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan2004 -m state --state NEW -j DROP
iptables -I INPUT -i vlan2004 -j ACCEPT

/jffs/configs/dnsmasq.conf.add

interface=vlan2004
dhcp-range=vlan2004,192.168.4.230,192.168.4.250,255.255.255.0,24h
dhcp-option=vlan2004,3,192.168.4.1
dhcp-option=vlan2004,6,192.168.4.1,0.0.0.0

What I end up with is that when I reboot my router none of the scripts seem to run, which is kind of strange since all other scripts in the /jffs/scripts/-folder seem to run, even a separate one I made myself (!). I have AB-Solution with pixelserv and DNSCrypt running fine. However, if I run the nat-start.sh script from the command line it will configure my router, creating the VLAN, but I still don't get DHCP, even if I do a "service restart_dnsmasq".

But, despite the fact that I can't get the scripts to run at startup, I still can't get it work. I can connect a switch to LAN port #4 (a.k.a vlan2004) and connect the devices I want to move from 192.168.1.x to 192.168.4.x. I can manually assign (since I don't get DHCP to work) 192.168.4.10 to a computer connected to the switch (@LAN port #4) and from there ping 192.168.4.1 and 192.168.1.1. I can also ping the devices that I physically moved over to the 192.168.4.x-switch even though I haven't changed there IP addresses (yet! I will change their IP-address to 192.168.4.x later), so they are still on the 192.168.1.x-address range. I cannot connect to the internet from the computer.

So it boils down to two questions:

1. Why won't the scripts run at startup?
2. Why am I not able to reach the Internet from the vlan2004/192.168.4.x/LAN port #4?

Any help is much appreciated!

 

[barzot]

It's "nat-start", without the ".sh".

 

[FalconB]

It's "nat-start", without the ".sh".

Ahh! Thank you for pointing that out. Will try next week when I'm back home. I'll let you know how it goes.

Again, thank you for helping out!