Bridging a VLAN to a VAP works perfectly if I disable all authentication.
I'm trying to get my shiny new Rt-AC66U working as multiple access points and a switch, bridged to 4 separate VLANs. The basic idea is:
- One ethernet cable coming from my home router, to the AP's WAN port.
- WAN cable carries 4 VLANs, 42, 44, 47, and 48.
- 42 is admin traffic only. This VLAN gets an IP on the Rt-AC66U, and goes to a switch port.
- 44 is LAN traffic, and is bridged to some of the switch ports on the back of the RT-AC66U. No access inside the RT-AC66U at all.
- 47 is trusted WLAN traffic, and bridges to a secured virtual AP.
- 48 is untrusted guest WLAN traffic, and bridges to an insecure open virtual AP. My pfsense router makes this a captive portal, logs certain traffic, and restricts access to any other network.
Once I have this all working, I'll probably add one more VLAN / vAP just for devices like printers and TVs.
I'm running Merlin's firmware build because Tomato and DD-WRT's VLAN support doesn't seem QUITE compatible with the switch in this router. There's more info on that here, along with the script upon which my approach is based: http://www.smallnetbuilder.com/forums/showthread.php?t=8801
NOTE: it appears blargh is incorrect about the VLANs greater than 16 thing, at least on this router.
I have everything above working except for 2 small considerations:
- I can't set any of the APs to anything but "Open Network" without clients failing to connect.
- The RT-AC66U doesn't seem to respond on VLAN42, though it can ping TO that VLAN just fine. There are no iptables rules that look relevant, but I might try clearing them all out and defaulting to ACCEPT on everything.
Here's my /jffs/scripts/services-start:
Code:
#!/bin/sh
# 0x83 format (VLAN table entry): bits 9-17 = untagged ports, bits 0-8 = member ports
#   UNTAGGED PORTS   MEMBER PORTS
#   8 7654 3210      8 7654 3210
#   0 0000 0010      1 0000 0010   -> 0x0502 (port 1 untagged member, port 8 tagged member)
# Remove ports 2 3 and 4 from VLAN 1
et robowr 0x05 0x81 0x01
et robowr 0x05 0x83 0x0502
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080
# Remove port 0 from VLAN 2
#et robowr 0x05 0x81 0x0002
#et robowr 0x05 0x83 0x0000
#et robowr 0x05 0x80 0x0000
#et robowr 0x05 0x80 0x0080
# vlan 42 is management. this VLAN gets an IP on the router, and port 4 just in case.
# Create VLAN 42 with port 0 tagged, port 4 untagged, and port 8 tagged
et robowr 0x05 0x81 0x002A
et robowr 0x05 0x83 0x2111
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080
# vlan 44 is normal LAN access. this is for desktop and other access, not wlan. ports 2 and 3.
# Create VLAN 44 with port 0 tagged, ports 2 and 3 untagged (no CPU port 8, so the router is not reachable from it)
et robowr 0x05 0x81 0x002C
et robowr 0x05 0x83 0x180D
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080
# vlan 47 is secure wifi. bridged directly to eth1 and eth2.
# Create VLAN 47 with port 0 tagged, port 8 tagged
et robowr 0x05 0x81 0x002F
et robowr 0x05 0x83 0x0101
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080
# vlan 48 is insecure wifi. bridged directly to wl0.1 and wl1.1.
# Create VLAN 48 with port 0 tagged, port 8 tagged (0x002F here was a copy-paste of the VLAN 47 block; 48 = 0x0030)
et robowr 0x05 0x81 0x0030
et robowr 0x05 0x83 0x0101
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080
#### Set Defaults ####
# Set port 3's default VLAN to 44
et robowr 0x34 0x16 0x002C
# Set port 2's default VLAN to 44
et robowr 0x34 0x14 0x002C
# Set port 4's default VLAN to 42
et robowr 0x34 0x18 0x002A
#remove all the wifi interfaces from their current bridge
brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2
# Remove VLAN 2
vconfig rem vlan2
# Create the interfaces
vconfig add eth0 42
ifconfig vlan42 192.168.42.12 netmask 255.255.255.0 up
vconfig add eth0 47
ifconfig vlan47 up
brctl addbr br47
brctl addif br47 vlan47
brctl addif br47 eth1
brctl addif br47 eth2
ifconfig br47 192.168.47.12 netmask 255.255.255.0 up
vconfig add eth0 48
ifconfig vlan48 up
brctl addbr br48
brctl addif br48 vlan48
brctl addif br48 wl0.1
brctl addif br48 wl1.1
ifconfig br48 192.168.48.12 netmask 255.255.255.0 up
# We allow these VLANs to access the AP
iptables -I INPUT 1 -i vlan42 -j ACCEPT
iptables -I INPUT 1 -i br47 -j ACCEPT
iptables -I INPUT 1 -i br48 -j ACCEPT
#routing for the gateway itself
route add default gateway 192.168.47.1
# Remove ebtables rules
ebtables -F
I really need to secure my APs, so any help on why that might not be working is greatly appreciated!
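Added example, not part of the original post or its script: a small Python helper that decodes and encodes the page 0x05 / register 0x83 values the services-start script writes, and runs a sanity check over the script's VLAN entries (untagged ports must be members; CPU port 8 must be present where the router creates a vlanN/brN interface and absent for VLAN 44, which is meant to have no access inside the router). It assumes the bit layout from the script's own "0x83 format" comment, and takes the VLAN 48 entry as the script's comment describes it (same port layout as 47 under id 48).

```python
# Added example, not part of the original post: encode/decode the robo switch
# VLAN table entry register (page 0x05, reg 0x83) that services-start writes, and
# sanity-check the script's entries. Assumed layout, per the script's own comment:
# bits 0-8 = member ports 0-8, bit 9+N = port N untagged, port 8 = CPU (IMP) port.

CPU_PORT = 8

def decode_0x83(value):
    """Return (members, untagged) as sets of port numbers."""
    members = {p for p in range(9) if (value >> p) & 1}
    untagged = {p for p in range(9) if (value >> (9 + p)) & 1}
    return members, untagged

def encode_0x83(tagged, untagged):
    """Build a 0x83 value: listed ports become members, untagged ones also set bit 9+N."""
    tagged, untagged = set(tagged), set(untagged)
    if tagged & untagged:
        raise ValueError("a port cannot be both tagged and untagged in one VLAN")
    value = 0
    for p in tagged | untagged:
        value |= 1 << p
    for p in untagged:
        value |= 1 << (9 + p)
    return value

def check_entry(vid, value, router_has_interface):
    """Flag untagged ports that are not members, and a CPU port that is missing
    where the router creates an interface for the VLAN or present where it must not."""
    members, untagged = decode_0x83(value)
    problems = []
    if not untagged <= members:
        problems.append(f"vlan {vid}: untagged ports {sorted(untagged - members)} are not members")
    if router_has_interface and CPU_PORT not in members:
        problems.append(f"vlan {vid}: CPU port 8 missing, vconfig/bridge on eth0 sees no traffic")
    if not router_has_interface and CPU_PORT in members:
        problems.append(f"vlan {vid}: CPU port 8 is a member, the router is reachable from it")
    return problems

# (vid, 0x83 value, router creates vlanN/brN for it), as the script's comments describe
SCRIPT_VLANS = [
    (42, 0x2111, True),   # port 0 tagged, port 4 untagged, port 8 tagged
    (44, 0x180D, False),  # port 0 tagged, ports 2 and 3 untagged, no CPU port
    (47, 0x0101, True),   # port 0 tagged, port 8 tagged
    (48, 0x0101, True),   # same port layout as 47, under VLAN id 48
]

def lint_script():
    """Run check_entry over every VLAN the script programs; an empty list means clean."""
    return [p for vid, val, cpu in SCRIPT_VLANS for p in check_entry(vid, val, cpu)]
```

Run lint_script() after editing the table to catch a port that was left untagged without membership or a CPU port that silently exposes the router on a VLAN that should not reach it.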