I am attempting to introduce a new VLAN (VLAN4, 192.168.4.0/24) to my ASUS RT-AC68U running Merlin 386.2_4. At the moment, I do not want to isolate or otherwise prevent any traffic between this new VLAN4 and the default VLAN1. Please note VLAN1 has the router's default DHCP configuration and in VLAN4, for the time being, I am manually setting IP addresses on the devices.
Everything I have read, including Merlin articles and forums as well as basic Linux kernel and iptables articles and forums, indicates that the kernel should automatically forward packets between interfaces as long as kernel IP forwarding is on. The Internet has commanded me that if traffic is not making it from one interface to another, it is due to iptables or whatever firewall on the device preventing this from happening.
I've introduced VLAN4. Both VLAN1 and VLAN4 can access the Internet without problem. Originally VLAN1 and VLAN4 could not speak to each other. Based on what the Internet has commanded me, iptables must be the culprit. Sure enough, I spotted what I assume was the problem:
Bash:
user@router:/tmp/home/root# iptables-save
--- redacted ---
*filter
--- redacted ---
-A INPUT -j DROP
--- redacted ---
-A FORWARD -j DROP
--- redacted ---
This was easily remedied by using the UI: Firewall > General > Enable Firewall > No. This removed the two lines above (among others of course). To keep complications out of this situation, I've kept the firewall off throughout the duration of these attempts.
Attempts
The most basic situation I can configure that gets any type of communication between the two VLANs is by using the following:
Bash:
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 4 ports "4 8t"
vconfig add eth0 4
ifconfig vlan4 192.168.4.1 netmask 255.255.255.0 up
In the most complicated situation, I attempted to duplicate the br0 and vlan1 interfaces with the following. As far as how this new device appears, it seems to be a mirror image of br0, vlan1, aside from a different IP and MAC address. I'm realizing as I type this post, these are doing the same thing as above, just with extra steps and a new interface br4.
Bash:
ip link add link eth0 name vlan4 address <HW MAC + 1> type vlan id 4
ip link set dev vlan4 up allmulticast on
brctl addbr br4
brctl addif br4 vlan4
ip addr add 192.168.4.1/24 dev br4
ip link set dev br4 up allmulticast on
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 4 ports "4 8t"
Result
In both of the above situations, pings are making it through between the devices. Anything substantial is failing. Originally I was attempting to access file shares, but to simplify the situation I've installed Plex Media Server on a machine in VLAN4. It pops up a small web server on port 80, automatically makes adjustments to the local Windows Firewall (which I later disabled altogether), and can send a reasonable amount of traffic between the two clients.
I clearly connect to the web server, but after the very first request the connection drops. So I pulled out Wireshark. Rather than further explain, I've attached a screen shot.
192.168.1.117 is a device in the default VLAN1
192.168.4.11 is a device in new VLAN4
I suspect I'm missing something obvious that is glaring me in the face.
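A safer alternative to switching the firewall off, added here as an example and not taken from the post or from Merlin: keep the firewall enabled and insert rules that open forwarding only between br0 and br4, plus a check that reads iptables-save output and confirms the ACCEPT rules sit ahead of the stock `-A FORWARD -j DROP`. The interface names and the 192.168.4.0/24 network are the post's; the function names and the sample iptables-save text are constructed.

```shell
#!/bin/sh
# Added example, not from the post or from Merlin: instead of switching the
# router firewall off, insert rules ahead of the stock "-A FORWARD -j DROP"
# and "-A INPUT -j DROP" so that only br0 <-> br4 traffic is opened up.
# br0, br4 and 192.168.4.0/24 are taken from the post; helper names are mine.
LAN_IF=br0
NEW_BR=br4
NEW_NET=192.168.4.0/24

# Emit the iptables commands (run on the router as root, e.g. from a
# /jffs/scripts/firewall-start script so they survive a firewall restart).
fw_cmds() {
cat <<EOF
iptables -I FORWARD 1 -i $LAN_IF -o $NEW_BR -j ACCEPT
iptables -I FORWARD 1 -i $NEW_BR -o $LAN_IF -j ACCEPT
iptables -I INPUT 1 -i $NEW_BR -s $NEW_NET -j ACCEPT
EOF
}
fw_rule_count() { fw_cmds | grep -c -- '-j ACCEPT'; }

# Check: read iptables-save text on stdin and succeed only if an ACCEPT for
# $1 -> $2 in FORWARD appears before the catch-all DROP (rule order matters).
forward_allowed() {
    awk -v i="$1" -v o="$2" '
        /^-A FORWARD .*-j ACCEPT$/ && index($0, "-i " i " -o " o " ") { ok = 1; exit }
        /^-A FORWARD -j DROP$/ { exit }
        END { exit ok ? 0 : 1 }'
}

# Constructed iptables-save excerpts: the stock state the post found, and the
# state after fw_cmds has been applied (-I prepends, so the ACCEPTs come first).
SAMPLE_STOCK='*filter
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT'
SAMPLE_FIXED='*filter
-A INPUT -i br4 -s 192.168.4.0/24 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br4 -o br0 -j ACCEPT
-A FORWARD -i br0 -o br4 -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# On the router: fw_cmds | sh -e   then   iptables-save | forward_allowed br0 br4
```

The interface commands from the post are left unchanged; only the firewall handling differs, and `forward_allowed` exits non-zero if a firewall restart has put the stock DROP back in front of the ACCEPTs.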