VLAN on ASUS RT-AC87U

AstroIT
Hi there

I have been lurking for a few weeks now and have been impressed with both the width and depth of knowledge on here :)

I have recently bought an Asus RT-AC87U router and have installed the Merlin firmware on it (v 380.62_1). I am trying to get my head around VLAN configuration (which is a topic pretty new to me).

The end goal is to configure the Asus in conjunction with some wireless access points from Ubiquiti and some Netgear smart switches. I want to establish 3 wireless networks on the Ubiquiti kit, each on a separate VLAN (so VLAN1 for a "staff" network, VLAN10 for a paying guest network and VLAN20 for a free guest network). I know that Ubiquiti can do this without VLANs, but I know that at some point in future, the client is going to want to share printers with the paying guests but not the free ones, etc, and so I think VLANs will support the sort of things I want.

So far, I have managed with help from a few threads on SNB to set up one of the LAN ports on the Asus to tag traffic to VLAN10 (I am leaving the Netgear switches and Ubiquiti APs out of the picture for now, and am connecting my laptop to the LAN port). I have then been able to configure dnsmasq to issue DHCP IP addresses in a separate subnet on VLAN10 (192.168.10.1/24) as opposed to VLAN1 (192.168.1.1/22).

The problem comes when I want to allow clients on VLAN10 access to the internet. I know from other threads that this is where things like iptables and ebtables probably come into play (full disclosure: I am a Windows guy and know very little about Linux command line stuff :))

With a few iptables rules, I can get my laptop to reach the DHCP server in the VLAN10 subnet and get an IP address, and I can access the internet. However, internet access is not very reliable. Some sites load fine, others seem to "hang" on some requests (often for CSS, JS files, etc) which is weird. The same sites are OK on VLAN1, either via LAN ports or Asus WiFi.

This seems counter-intuitive to me, and I can't see why some HTTP traffic would work and some not just because of firewall rules. My config is posted below - I am not 100% sure what the iptables commands do, and have patched them together from several other threads. Any help or advice would be much appreciated :)

Thanks in advance,

Trev

Standard config for the router via the UI:
IP address: 192.168.1.1
Subnet mask: 255.255.252.0

DHCP starting address: 192.168.1.2
DHCP ending address: 192.168.2.254

DNS: 208.67.222.222 (OpenDNS)

I am issuing these commands via telnet when the router starts up (I know ultimately I need to put them in services-start or similar, but for now it is nice to know that rebooting the box will clear all my config in case I lock myself out...)

I have tried to comment on what I *think* each command does - if I am mistaken, please let me know - as I said, I am a newbie to Linux networking...

Code:
# remove port 2 from VLAN1
robocfg vlan 1 ports "1 3 4 5u 7t"
# add port 2 to VLAN10
# untagged if connecting laptop - when connecting switch or AP, it should be "2t 7t"
robocfg vlan 10 ports "2u 7t"

# create device vlan10
vconfig add eth0 10

# create interface vlan10 with IP, netmask and start it
ifconfig vlan10 192.168.10.1 netmask 255.255.255.0 up

Output from robocfg show:
Code:
Switch: enabled
Port 0: 100FD enabled stp: none vlan: 2 jumbo: off mac: a0:f3:e4:35:55:8e
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:11:32:51:c6:ed
Port 2: 100FD enabled stp: none vlan: 10 jumbo: off mac: 00:0e:c6:c3:16:9d
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 3 4 5 7t
2: vlan2: 0 7
10: vlan10: 2 7t

Add the following to /jffs/configs/dnsmasq.conf.add:
Code:
interface=vlan10
dhcp-range=vlan10,192.168.10.100,192.168.10.200,255.255.255.0,8h
dhcp-option=vlan10,3,192.168.10.1
dhcp-option=vlan10,6,208.67.222.222,0.0.0.0
dhcp-option=vlan10,252,"\n"

(I am not sure what the last line does, but the existing config for the VLAN1 DHCP has that too, so this mimics it)

Issue the following commands:
Code:
iptables -I FORWARD -i vlan10 -j ACCEPT
iptables -I INPUT 1 -i vlan10 -j ACCEPT

(I believe this should allow all traffic between vlan10 and the internet - probably the internal network too, but that's the next problem :))

After connecting my laptop to LAN port 2, I am assigned an IP in 192.168.10.xxx via DHCP as expected, and I can ping hosts on the internet. However, some internet web sites do not load.

For example:
https://mail.office365.com works
http://www.bbc.co.uk/news does not (using Fiddler, I can see it hanging on requests to bbci.co.uk)
 
OK, bit of a change of tack. Today, I added the VLAN10 interface to the default bridge "br0", based on the config from "Fitz Mutch" here http://www.snbforums.com/threads/fo...network-for-asus-merlin-rt-ac68u.18969/page-2.

This has restored proper internet access (all web sites now load completely as you would expect), but I am having DHCP problems. Clients connecting to VLAN10 are issued IP addresses on the VLAN1 subnet, and I can't for the life of me work out how to get dnsmasq to recognise they are from the vlan10 interface.

The configuration is now:
Code:
robocfg vlan 1 ports "1 3 4 5u 7t"
# port 2 untagged if connecting laptop
vconfig add eth0 10
ifconfig vlan10 192.168.10.1 netmask 255.255.255.0 up
# attach the vlan10 interface to the default LAN bridge
brctl addif br0 vlan10

# this rule allows TCP traffic to a single host on the internal network (ultimately for the Ubiquiti kit, but nice to prove this is working - if I remove this, it is easy to see that a client is on VLAN10 when they lose access)
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.0.50 --ip-proto tcp -j ACCEPT

# 192.168.0.0/22 is VLAN1
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.0.0/22 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.0.0/22 --ip-proto tcp -j DROP

ebtables -t filter -I FORWARD -o vlan10 -j DROP
ebtables -t filter -I FORWARD -i vlan10 -j DROP

My dnsmasq.conf.add still contains:

Code:
interface=vlan10
dhcp-range=vlan10,192.168.10.100,192.168.10.200,255.255.255.0,8h
dhcp-option=vlan10,3,192.168.10.1
dhcp-option=vlan10,6,8.8.8.8,8.8.4.4

Clients connected to port 2 on the router (VLAN10) are firewalled appropriately, but they always get a DHCP lease from dnsmasq on 192.168.1.1 rather than 192.168.10.1 as they were yesterday.

Having turned on request logging in dnsmasq, I see entries like this:

Code:
Oct 14 14:34:53 dnsmasq-dhcp[8732]: DHCPREQUEST(br0) 192.168.2.148 38:b1:db:e2:73:25
Oct 14 14:34:53 dnsmasq-dhcp[8732]: DHCPACK(br0) 192.168.2.148 38:b1:db:e2:73:25 Yoga

These look like dnsmasq is identifying the client as being on br0 (which I guess is correct in some sense since vlan10 now belongs to br0 too). How can I separate these? The default dnsmasq.conf file generated by the router is:
 
Code:
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
dhcp-range=lan,192.168.1.2,192.168.2.254,255.255.252.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,6,208.67.222.222,0.0.0.0
dhcp-option=lan,252,"\n"
dhcp-authoritative
read-ethers

Which obviously binds to interface "br0" rather than the individual interfaces in the bridge, and I guess that overrides the lower level vlan10? I don't understand where the "dhcp-range=lan" comes from - "lan" is not referenced elsewhere in the config - is that some internal dnsmasq value?

Is there any way to get dnsmasq to recognise vlan10 separately in this scenario, or was my previous approach better (despite the internet access issues)?

Someone please help... :)

Thanks in advance

Trev
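Added example, not the poster's configuration and not code from Asuswrt-Merlin itself: a complete services-start/firewall-start style script for the routed design of the first post, with the isolation the thread defers to "the next problem". It rests on two pieces of standard dnsmasq and netfilter behaviour rather than anything the thread establishes. First, dnsmasq chooses a DHCP range by the interface a request arrives on and that interface's address; once vlan10 is enslaved to br0 every request arrives on br0 and matches the lan range, so the bridged approach cannot give VLAN10 its own subnet. Second, "lan" in the router's generated config is just the tag name of that range (the old-style spelling of set:lan/tag:lan) that the dhcp-option lines reference. The script therefore keeps vlan10 as its own routed interface, narrows the INPUT rule so guests reach only DHCP, DNS and ping on the router rather than its admin UI and shell (the thread's "-I INPUT 1 -i vlan10 -j ACCEPT" opens all of them, and the ebtables rules in the second post only drop TCP, so UDP and ICMP from guests still reach the LAN), and makes NAT and TCP MSS clamping for the new subnet explicit, the two things to verify first when a freshly routed subnet loads some pages but stalls on others. Addresses and the port layout come from the thread; vlan2 as the WAN interface (port 0 in the robocfg output; ppp0 on a PPPoE line), the PRINTER host and the chain names are assumptions. Nothing is applied unless the functions are called, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the poster's config): routed guest VLAN for Asuswrt-Merlin
# with explicit isolation. Interfaces and addresses follow the thread; WAN_IF,
# PRINTER and the chain names are assumptions for this example.
TRUNK_IF=eth0            # switch trunk device, parent of the vlanN interfaces
WAN_IF=vlan2             # assumption: port 0 (WAN) sits in vlan2 per robocfg show
LAN_IF=br0
LAN_NET=192.168.0.0/22
GUEST_IF=vlan10
GUEST_IP=192.168.10.1
GUEST_NET=192.168.10.0/24
PRINTER=192.168.0.50     # hypothetical: the one LAN host guests may reach

# run: execute a command, or print it when DRY_RUN=1 so the generated ruleset
# can be reviewed (and tested) on a machine without robocfg/iptables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# quiet: same, but tolerate failure (chain already exists, rule not present).
quiet() { run "$@" 2>/dev/null || true; }

# Step 1 (services-start): move switch port 2 into VLAN 10 and give the router
# an address on it. Use "2u 7t" instead when a laptop is plugged in directly.
guest_interface() {
    run robocfg vlan 1 ports "1 3 4 5u 7t"
    run robocfg vlan 10 ports "2t 7t"
    run vconfig add "$TRUNK_IF" 10
    run ifconfig "$GUEST_IF" "$GUEST_IP" netmask 255.255.255.0 up
}

# Step 2: dnsmasq fragment. With vlan10 left out of br0, requests arrive on
# vlan10 and the range whose subnet matches its address is used; "guest" is
# the tag that ties the options to that range (same mechanism as "lan").
write_dnsmasq_add() {   # $1 = path, normally /jffs/configs/dnsmasq.conf.add
    cat > "$1" <<EOF
interface=$GUEST_IF
dhcp-range=set:guest,192.168.10.100,192.168.10.200,255.255.255.0,8h
dhcp-option=tag:guest,3,$GUEST_IP
dhcp-option=tag:guest,6,$GUEST_IP
EOF
}

# Step 3 (firewall-start): named chains so the script is safe to re-run.
# Guests may reach the WAN and one printer, nothing else on the LAN, and only
# DHCP, DNS and ping on the router itself.
guest_firewall() {
    quiet iptables -N GUEST_FWD
    run iptables -F GUEST_FWD
    quiet iptables -D FORWARD -j GUEST_FWD
    run iptables -I FORWARD 1 -j GUEST_FWD
    run iptables -A GUEST_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A GUEST_FWD -i "$GUEST_IF" -d "$PRINTER" -p tcp -j ACCEPT
    run iptables -A GUEST_FWD -i "$GUEST_IF" -d "$LAN_NET" -j DROP
    run iptables -A GUEST_FWD -i "$LAN_IF" -o "$GUEST_IF" -j DROP
    run iptables -A GUEST_FWD -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A GUEST_FWD -i "$GUEST_IF" -j DROP   # no other exits for guests

    quiet iptables -N GUEST_IN
    run iptables -F GUEST_IN
    quiet iptables -D INPUT -i "$GUEST_IF" -j GUEST_IN
    run iptables -I INPUT 1 -i "$GUEST_IF" -j GUEST_IN
    run iptables -A GUEST_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
    run iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
    run iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
    run iptables -A GUEST_IN -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A GUEST_IN -j DROP   # admin UI, ssh, telnet stay closed to guests

    # Make NAT and MSS clamping for the new subnet explicit (harmless duplicates
    # if the router's WAN rules already cover them).
    quiet iptables -t nat -D POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
    quiet iptables -t mangle -D FORWARD -i "$GUEST_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    run iptables -t mangle -A FORWARD -i "$GUEST_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# On the router: guest_interface; write_dnsmasq_add /jffs/configs/dnsmasq.conf.add;
#                service restart_dnsmasq; guest_firewall
# Review only:   DRY_RUN=1 sh -c '. ./guest-vlan.sh; guest_firewall'
```

The final "-i vlan10 -j DROP" in GUEST_FWD means guest traffic never falls through to the router's own FORWARD rules, so adding a future VLAN20 is a matter of adding its interface to the same chains rather than auditing what the stock ruleset happens to allow. Allowed exceptions (the printer) are listed before the LAN drop, and the chain order is what the dry-run output lets you check before anything touches the box.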
 
