vlan with internet access for 1 wireless client and 1 lan-port

JensM

Occasional Visitor
Hi,

this is yet another vlan question. I'm using the latest Merlin (380.59) on my Asus RT-AC66U and I want to achieve a somewhat trivial thing compared with other threads here. I don't need any iptv stuff and I don't need tagged vlans for other devices. Yet I fail at configuring it.

The goal is to create a VLAN and assign port 4 to it. Also one of the wifi-(guest)networks should be in the same vlan. Both devices (a wired and a wireless) should see each other and access the internet. But they shall not see my main network.

My testings are based on some other threads here, most importantly this one: http://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/

Here are my commands used so far:
Code:
#remove port4 from vlan1
robocfg vlan 1 ports "1 2 3 8t"

#add port4 to vlan10
robocfg vlan 10 ports "4 8t"

#create and up vlan
vconfig add eth0 10
ifconfig vlan10 up

#create new bridge br1
brctl addbr br1

#put guest 5G->#3 and vlan10 to br1
brctl delif br0 wl1.3
brctl addif br1 wl1.3
brctl addif br1 vlan10

#why should vlan2 be bound to a bridge? and why solely to br0?
#brctl addif br0 vlan2

#create interface in other ip range
ifconfig br1 192.168.100.1 netmask 255.255.255.0
ifconfig br1 up

For all tests, I use a static DNS server (8.8.8.8) and am testing ping and HTTP to domains and IP addresses, locally and on the internet.

When I put my computer on port4, without doing "brctl addif br0 vlan2", the network is dead. Cannot reach anything, neither 192.168.1.1 nor 192.168.100.1 (and I'm also setting a random IP in the needed range manually on my network adapter) nor the internet. Yet the main network keeps working.

Things get worse when I do "brctl addif br0 vlan2". I read that in the mentioned link but don't think this is necessary since the router should NAT between WAN and LAN? However, after issuing this command, the main network also stops working. I can still ping internet servers and the router, but only HTTP to the 192.168.1.1 router interface is working, not google.com etc.

What am I doing wrong? Is there anything else I need to activate / create to have data flowing as expected?
 
Please correct me if I'm wrong, but I think only Ethernet ports may be members of a VLAN? Therefore, a new bridge interface is what you want?
 
Please correct me if I'm wrong, but I think only Ethernet ports may be members of a VLAN? Therefore, a new bridge interface is what you want?

I was hoping that the above steps are enough to create another bridge (br1). It is created and ifconfig shows 192.168.100.1, and this IP is also pingable, but from the main network (both pings work, 192.168.1.1 and 192.168.100.1); my port4 and wl1.3 are dead.

Edit: Also it doesn't even work for the port4 so there is something wrong in my setup. But trial and error and being offline again and again is very frustrating. :( At least a reboot is enough to revert everything.
 
I bet you there are additional things to configure, like firewall rules and dnsmasq settings. The Asus factory configuration assumes there is only ever one bridge interface (br0). So I think you'd have to replicate how all that works for your new bridge interface (br1).
 
I bet you there are additional things to configure, like firewall rules and dnsmasq settings. The Asus factory configuration assumes there is only ever one bridge interface (br0). So I think you'd have to replicate how all that works for your new bridge interface (br1).

But the guys in that old thread I linked seem to have got it working, and in fact I created working vlans in tomato on my router that also needed 2 steps: create a bridge and create a vlan.
Maybe I just need to activate NAT routing to this new bridge somehow?
 
After hours of searching in these forums I found some more lines to add to my script. Still no luck, port4 and the wifi (now wl0.1, configured WITH intranet access) are dead ends, they can't ping anything nor access the internet. Maybe I need iptables entries additionally? Yet in all those howtos on the dd-wrt and tomato forums and my linked thread they don't need iptables to accomplish a second bridge.

Here is my current, still not working script:

Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

nvram set vlan1ports="1 2 3 8*"
nvram set vlan9ports="4 8"
nvram set vlan9hwname=et0

robocfg vlan 1 ports "1 2 3 8t"

robocfg vlan 9 ports "4 8t"
vconfig add eth0 9
ifconfig vlan9 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan9
ifconfig br1 192.168.9.254 netmask 255.255.255.0
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan9 wl0.1"
nvram set lan1_ifname="br1"

#nvram commit
killall eapd
eapd

Anyone has an idea what I am missing?
 
Maybe I need iptables entries additionally?
Could it be that easy? I just created two firewall rules for "br1" that mimic the behavior of "br0". Please do let us know how it turns out.

/jffs/scripts/firewall-start
Code:
#!/bin/sh

RuleNum=$(/usr/sbin/iptables -nvL INPUT --line-numbers | /bin/grep -F "ACCEPT  all  --  br0  *  0.0.0.0/0  0.0.0.0/0  state NEW" | /usr/bin/tail -n 1 | /usr/bin/cut -f1 -d' ')
if [ "$RuleNum" != "" ]; then
  /usr/sbin/iptables -I INPUT $RuleNum -i br1 -m state --state NEW -j ACCEPT
fi

RuleNum=$(/usr/sbin/iptables -nvL FORWARD --line-numbers | /bin/grep -F "DROP  all  --  !br0  eth0  0.0.0.0/0  0.0.0.0/0" | /usr/bin/tail -n 1 | /usr/bin/cut -f1 -d' ')
if [ "$RuleNum" != "" ]; then
  /usr/sbin/iptables -I FORWARD $RuleNum -i br1 -j ACCEPT
fi
 
Could it be that easy? I just created two firewall rules for "br1" that mimic the behavior of "br0". Please do let us know how it turns out.

This was a good hint. I've analysed the existing iptables entries from asus / merlin and copied and changed stuff. First two things to note about your approach:
1. br1 should not be allowed to forward to everywhere because then br1 can connect to br0 as well. So I decided to remove !br0 eth0 and replaced it with * eth0 so nobody can access eth0, additionally I added two rules br0 and br1 to eth0, removed br0 to * also (and no br1 to * for sure).

2. since the thing should be a NAT-router it seems to be necessary to also add a thing like: iptables -t nat -A POSTROUTING -o br1 -s 192.168.9.0/24 -d 192.168.9.0/24 -j MASQUERADE

I'll put everything together if everything is working. So far port4 is working great, it can access the internet but not 192.168.1.x. But I have trouble with wifi. As soon as I assign wl0.1 to br1 it stops working. All my clients refuse to connect to this network. This seems to be a special case that is another topic than this one so I'll open a new thread for that.

However if the other thread will solve my last blocking issue, I'll try to put everything together here. At least I'm able now to use a workaround: put another cheap wifi AP to port4 of the main router. :) But I would love to use wl0.1 and/or 1.1 in that vlan.
 
This was a good hint. I've analysed the existing iptables entries from asus / merlin and copied and changed stuff. First two things to note about your approach:
1. br1 should not be allowed to forward to everywhere because then br1 can connect to br0 as well. So I decided to remove !br0 eth0 and replaced it with * eth0 so nobody can access eth0, additionally I added two rules br0 and br1 to eth0, removed br0 to * also (and no br1 to * for sure).

2. since the thing should be a NAT-router it seems to be necessary to also add a thing like: iptables -t nat -A POSTROUTING -o br1 -s 192.168.9.0/24 -d 192.168.9.0/24 -j MASQUERADE

I'll put everything together if everything is working. So far port4 is working great, it can access the internet but not 192.168.1.x. But I have trouble with wifi. As soon as I assign wl0.1 to br1 it stops working. All my clients refuse to connect to this network. This seems to be a special case that is another topic than this one so I'll open a new thread for that.

However if the other thread will solve my last blocking issue, I'll try to put everything together here. At least I'm able now to use a workaround: put another cheap wifi AP to port4 of the main router. :) But I would love to use wl0.1 and/or 1.1 in that vlan.

Have you solved your problem?
I want to make a similar solution for IPTV with the wifi wl0.1 guest bridge with vlan 10 from the provider's network.
Please write your final config if you can.
 
Have you solved your problem?
I want to make a similar solution for IPTV with the wifi wl0.1 guest bridge with vlan 10 from the provider's network.
Please write your final config if you can.

I'm not sure if you really need the same that I did. I don't have IPTV, but from what I read in the forums people mostly want to tag the traffic of a device with a vlan tag so that the internet provider thinks it is the correct IPTV device or something like that? That's not what I did, I needed to separate devices so they can't see each other but have access to the internet.

However, maybe I'm wrong and you want to do the same (network separation). Indeed I was able to do everything that I planned to achieve. It was a lot more complicated than I thought before.

Unfortunately, the iptables rules are individual, they will differ between router models and also the firmware version, so I'll try to explain what I needed to do and how I did it. Feel free to ask if something is unclear. If you paste your configuration I may be able to help you find the correct rules. But I won't paste everything and explain it for now, because it won't help you if you don't have the exact same setup and use case and it would be just a useless wall of text.

Basically, in your service-start, you need to setup the bridge and vlan, assign lan ports and wl* interfaces to it. You also need to set those lan_ifname(s) and lan1_ifname(s) nvram values. To get WPA2 working you also need to killall eapd and start eapd again.

Then in iptables (firewall-start), you have to study the existing rules (and understand what changes in future firmwares). Then try to close all the rules for your main vlan and add the rules for the new vlan and also prevent those wildcard rules that allow the out-of-the-box vlan from accessing everything.

Then, you most likely also want an additional DHCP server (dnsmasq.conf.add) on your new IP range for the new vlan, this is the most trivial thing.

If you really want to do this, let me know, I can tell you which parameters you all need to check and if you send me your outputs, I think I could manage to show you how to create the additional vlan.
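The last post lists the two remaining pieces without showing them: firewall rules that keep the new bridge away from the main LAN but still allow internet access (the same split the earlier post describes with its br0/br1-to-eth0 rules), and a dnsmasq fragment for DHCP on the new range. The script below is an added example written for this thread; it is not the firmware's own script nor anything posted by the participants. It reuses the names from the script above (eth0 as WAN, br0 as main LAN, br1 with 192.168.9.254 on 192.168.9.0/24); the "guest" tag, the lease time, the chosen DHCP pool and the decision to masquerade on the WAN interface rather than on br1 are my assumptions. With no argument it only prints the rules and the dnsmasq fragment; on the router, `apply` is meant to be called from /jffs/scripts/firewall-start.

```shell
#!/bin/sh
# Added example for this thread (not from the thread or the firmware).
# Isolates a second bridge (br1) from the main LAN (br0) while allowing it
# to reach the WAN, and generates a dnsmasq fragment for the new range.
# Interface names and addresses follow the thread's script; the tag name,
# lease time and DHCP pool are assumptions.

IPT="${IPT:-/usr/sbin/iptables}"          # set IPT=echo to print instead of apply
WAN_IF="${WAN_IF:-eth0}"                  # WAN side of the NAT
LAN_BR="${LAN_BR:-br0}"                   # main LAN bridge (vlan1 + eth1 + eth2)
GUEST_BR="${GUEST_BR:-br1}"               # new bridge (vlan9 + wl0.1)
GUEST_NET="${GUEST_NET:-192.168.9.0/24}"  # address range used on br1
GUEST_GW="${GUEST_GW:-192.168.9.254}"     # router's address on br1

# Rules are inserted at the top of each chain (-I) so they are evaluated
# before the stock rules. Each -I lands at position 1, so the calls are
# written in reverse evaluation order: the DROP goes in first, ends up last.
guest_fw_apply() {
    # INPUT: traffic from guests to the router itself. Only DHCP, DNS and
    # ping are accepted; the web UI and ssh stay unreachable from br1.
    "$IPT" -I INPUT -i "$GUEST_BR" -j DROP
    "$IPT" -I INPUT -i "$GUEST_BR" -p icmp -j ACCEPT
    "$IPT" -I INPUT -i "$GUEST_BR" -p tcp --dport 53 -j ACCEPT
    "$IPT" -I INPUT -i "$GUEST_BR" -p udp --dport 53 -j ACCEPT
    "$IPT" -I INPUT -i "$GUEST_BR" -p udp --dport 67 -j ACCEPT

    # FORWARD: no path between the two bridges in either direction, so no
    # later wildcard ACCEPT (such as "br0 -> *") can join them; guests may
    # open connections towards the WAN and receive the replies.
    "$IPT" -I FORWARD -i "$GUEST_BR" -o "$LAN_BR" -j DROP
    "$IPT" -I FORWARD -i "$LAN_BR" -o "$GUEST_BR" -j DROP
    "$IPT" -I FORWARD -i "$WAN_IF" -o "$GUEST_BR" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -I FORWARD -i "$GUEST_BR" -o "$WAN_IF" -j ACCEPT

    # NAT: guest packets leave the WAN interface with the router's WAN address.
    # Stock firmware usually masquerades everything leaving eth0 already; this
    # rule only states the dependency explicitly for the guest range.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$GUEST_NET" -j MASQUERADE
}

# dnsmasq fragment for the new range. On Asuswrt-Merlin the content of
# /jffs/configs/dnsmasq.conf.add is appended to the generated dnsmasq.conf.
# The range marks its leases with the tag "guest", so the gateway and DNS
# options below apply only to clients that got an address on br1.
guest_dhcp_conf() {
    net="${GUEST_NET%.*}"        # 192.168.9.0/24 -> 192.168.9
    printf '%s\n' \
        "interface=$GUEST_BR" \
        "dhcp-range=set:guest,${net}.10,${net}.200,255.255.255.0,24h" \
        "dhcp-option=tag:guest,3,$GUEST_GW" \
        "dhcp-option=tag:guest,6,$GUEST_GW"
}

# "apply" is meant for /jffs/scripts/firewall-start on the router; the default
# "show" mode prints what would be done plus the dnsmasq fragment.
case "${1:-show}" in
    apply) guest_fw_apply ;;
    *)     IPT=echo; guest_fw_apply; guest_dhcp_conf ;;
esac
```

The DHCP fragment is meant to be redirected into /jffs/configs/dnsmasq.conf.add followed by `service restart_dnsmasq`; the firewall part belongs in firewall-start because the stock firmware rebuilds its chains on every WAN event, which would otherwise wipe the inserted rules. Run `iptables -nvL FORWARD` afterwards and confirm the two br0/br1 DROP rules sit above any wildcard ACCEPT; if a stock rule still accepts br1 to br0 earlier in the chain, the isolation is not in effect.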
 
