What's new

Works perfectly if I disable all authentication..

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

benklop

New Around Here
Bridging a VLAN to a VAP works perfectly if I disable all authentication..

I'm trying to get my shiny new Rt-AC66U working as multiple access points and a switch, bridged to 4 separate VLANs. The basic idea is:
  • One ethernet cable coming from my home router, to the AP's WAN port.
  • WAN cable carries 4 VLANs, 42, 44, 47, and 48.
  • 42 is admin traffic only. This VLAN gets an IP on the Rt-AC66U, and goes to a witch port.
  • 44 is LAN traffic, and is bridged to some of the switch ports on the back of the RT-AC66U. No access inside the RT-AC66U at all.
  • 47 is trusted WLAN traffic, and bridges to a secured virtual AP.
  • 48 is untrusted guest WLAN traffic, and bridges to an insecure open virtual AP. My pfsense router makes this a captive portal, logs certain traffic, and restricts access to any other network.

Once I have this all working, I'll probably add one more VLAN / vAP just for devices like printers and TVs.

I'm running Merlin's firmware build because Tomato and DD-WRT's VLAN support doesn't seem QUITE compatible with the switch in this router. There's more info on that here, along with the script upon which my approach is based: http://www.smallnetbuilder.com/forums/showthread.php?t=8801

NOTE: it appears blargh is incorrect about the VLANs greater than 16 thing, at least on this router.

I have everything above working except for 2 small considerations:
  • I can't set any of the APs to anything but "Open Network" without clients failing to connect.
  • The RT-AC66U doesn't seem to respond on VLAN42, though it can ping TO that VLAN just fine. There are no iptables rules that look relevant, but I might try clearing them all out and defaulting to ACCEPT on everything.

here's my /jffs/scripts/services-start:

Code:
#!/bin/sh

# 0x83 format:
#    UNTAGGED    PORTS
#..87 6543 210 8 7654 3210
#..00 0000 010 1 0000 0010
#0    0    5     0    2    


# Remove ports 2 3 and 4 from VLAN 1
et robowr 0x05 0x81 0x01
et robowr 0x05 0x83 0x0502
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080

# Remove port 0 from VLAN 2
#et robowr 0x05 0x81 0x0002
#et robowr 0x05 0x83 0x0000
#et robowr 0x05 0x80 0x0000
#et robowr 0x05 0x80 0x0080

# vlan 42 is management. this VLAN gets an IP on the router, and port 4 just in case.
# Create VLAN 42 with port 0 tagged, port 4 untagged, and port 8 tagged
et robowr 0x05 0x81 0x002A
et robowr 0x05 0x83 0x2111
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080

# vlan 44 is normal LAN access. this is for desktop and other access, not wlan. ports 2 and 3.
# Create VLAN 44 with port 0 tagged, port 3 untagged
et robowr 0x05 0x81 0x002C
et robowr 0x05 0x83 0x180D
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080

# vlan 47 is secure wifi. bridged directly to eth1 and eth2.
# Create VLAN 47 with port 0 tagged, port 8 tagged
et robowr 0x05 0x81 0x002F
et robowr 0x05 0x83 0x0101
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080

# vlan 48 is insecure wifi. bridged directly to wl0.1 and wl1.1.
# Create VLAN 47 with port 0 tagged, port 8 tagged
et robowr 0x05 0x81 0x002F
et robowr 0x05 0x83 0x0101
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080

#### Set Defaults ####

# Set port 3's default VLAN to 44
et robowr 0x34 0x16 0x002C

# Set port 2's default VLAN to 44
et robowr 0x34 0x14 0x002C

# Set port 4's default VLAN to 42
et robowr 0x34 0x18 0x002A

#remove all the wifi interfaces from their current bridge
brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2

# Remove VLAN 2
vconfig rem vlan2

# Create the interfaces
vconfig add eth0 42
ifconfig vlan42 192.168.42.12 netmask 255.255.255.0 up

vconfig add eth0 47
ifconfig vlan47 up
brctl addbr br47
brctl addif br47 vlan47
brctl addif br47 eth1
brctl addif br47 eth2
ifconfig br47 192.168.47.12 netmask 255.255.255.0 up

vconfig add eth0 48
ifconfig vlan48 up
brctl addbr br48
brctl addif br48 vlan48
brctl addif br48 wl0.1
brctl addif br48 wl1.1
ifconfig br48 192.168.48.12 netmask 255.255.255.0 up

# We allow these VLANs to access the AP
iptables -I INPUT 1 -i vlan42 -j ACCEPT
iptables -I INPUT 1 -i br47 -j ACCEPT
iptables -I INPUT 1 -i br48 -j ACCEPT

#routing for the gateway itself
route add default gateway 192.168.47.1

# Remove ebtables rules
ebtables -F

I really need to secure my APs, so any help on why that might not be working is greatly appreciated!
 
Last edited:
it turns out enabling authentication for APs on nonstandard bridges requires tweaking some settings in nvram, then restarting the 'eapd' service.

Running the following commands will make WPA2 work with the startup script I posted earlier. I will probably just add these to the end of the script so that the web interface can't change them back on me whenever I update an AP's settings.
Code:
admin@RT-AC66U:/tmp/home/root# nvram set lan_ifnames="vlan47 eth1 eth2"
admin@RT-AC66U:/tmp/home/root# nvram set lan_ifname="br47"
admin@RT-AC66U:/tmp/home/root# nvram save
admin@RT-AC66U:/tmp/home/root# killall eapd
admin@RT-AC66U:/tmp/home/root# eapd

I'm still trying to determine if I can do this with multiple APs on multiple bridges.
 
eapd fun

I can tell you that what it is looking for is generally something in the form of

Code:
nvram set lan_ifnames="vlan18 eth1 eth2"
nvram set lan_ifname="br18"

nvram set lan1_ifnames="vlan102 wl0.1 wl1.1"
nvram set lan1_ifname="br102"

nvram set lan2_ifnames="vlan106 wl0.3 wl1.3"
nvram set lan2_ifname="br106"

based on a reading of eapd.c I found over at

http://repo.or.cz/w/tomato.git/blob...61a287b6c01683:/release/src-rt/wl/eapd/eapd.c

But this is sadly not sufficient to make it work. I don't believe that the debug code is compiled into the distributed eapd, which would probably be helpful. It appears that it may be necessary to hand eapd some flags, such as "-nas <interfaces>" but I have not been able to determine the specifics.
 
it turns out enabling authentication for APs on nonstandard bridges requires tweaking some settings in nvram, then restarting the 'eapd' service.

Running the following commands will make WPA2 work with the startup script I posted earlier. I will probably just add these to the end of the script so that the web interface can't change them back on me whenever I update an AP's settings.
Code:
admin@RT-AC66U:/tmp/home/root# nvram set lan_ifnames="vlan47 eth1 eth2"
admin@RT-AC66U:/tmp/home/root# nvram set lan_ifname="br47"
admin@RT-AC66U:/tmp/home/root# nvram save
admin@RT-AC66U:/tmp/home/root# killall eapd
admin@RT-AC66U:/tmp/home/root# eapd

I'm still trying to determine if I can do this with multiple APs on multiple bridges.

You'll kill me! Running multiple vlans on consumer equipment... :)
 
Rt-ac68u

Thanks, this is fairly similar to what I want to run in my environment, except I am running an rt-ac68.

each port on the RT-AC68 will be connected to a managed switch, which in turn is connected to a juniper fw. DHCP, NAT and firewalling will all be done from that device.

I'm wondering if the commands will be the same for the RT-AC68?

Update:
I tried running my script last night, but it didn't work. I might configure it manually, step by step, so I can see what's going on. I'll post an update and my script once that's done (if it works).
 
Last edited:
it turns out enabling authentication for APs on nonstandard bridges requires tweaking some settings in nvram, then restarting the 'eapd' service.

Running the following commands will make WPA2 work with the startup script I posted earlier. I will probably just add these to the end of the script so that the web interface can't change them back on me whenever I update an AP's settings.
Code:
admin@RT-AC66U:/tmp/home/root# nvram set lan_ifnames="vlan47 eth1 eth2"
admin@RT-AC66U:/tmp/home/root# nvram set lan_ifname="br47"
admin@RT-AC66U:/tmp/home/root# nvram save
admin@RT-AC66U:/tmp/home/root# killall eapd
admin@RT-AC66U:/tmp/home/root# eapd

I'm still trying to determine if I can do this with multiple APs on multiple bridges.

Did you get this working with multiple APs running on multiple bridges?
 
Latest Merlin build (3.0.0.4.374.37) now supports up to 5 bridges with WLAN and authentication.
Before, only 2 bridges where supported, due to code limitations in the asus code.


Works perfect for me.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top