Need VLAN help!

DD-WRT Forum Index -> Broadcom SoC based Hardware
Bird333
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 809

Posted: Fri Jan 22, 2010 3:03
I am confused with what you are doing, but anyhow you will need to create some iptables rules to get traffic from one vlan to the other.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Jan 22, 2010 4:45
fggs wrote:
It worked! Can br1 ip be the same as vlan6 ip (192.168.75.2)? If so, will wireless clients still receive vlan4 (192.168.8.0) ips?

br1 needs to have an address in the same subnet that the attached interfaces are using. If you assigned br1 an address in vlan6's subnet range then you'd have two physical segments both using the same logical subnet and it would all break.

Are two PC's able to communicate across vlan's?

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

Posted: Fri Jan 22, 2010 11:56
Perhaps it is better to explain what I want and you suggest the best way to do it.

I have 4 vlans configured on dd-wrt router:

vlan3 - 192.168.4.0 subnet
vlan4 - 192.168.8.0 subnet
vlan5 - 192.168.32.0 subnet
vlan6 - 192.168.75.0 subnet

On linux box I have:

eth0 - 0.0.0.0
eth0.3 - 192.168.4.1
eth0.4 - 192.168.8.1
eth0.5 - 192.168.32.1
eth0.6 - 192.168.75.1

What I want:

- DD-WRT Administration page accessible for all vlans, then if I have to block access for one vlan or so, I will do it from linux box
- Wireless clients to get ips from 192.168.8.0 subnet and dhcp managed by linux box, also have access to DD-WRT Administration page.

What I did:

- Unbridged vlan6 and set ip to 192.168.75.2 in order to have dd-wrt administration page on that ip for all vlans
- Unbridged Wireless and created a new bridge (br1) and assigned eth1 (wireless) and vlan4 to it, so that clients get 192.168.8.0 subnet ips.

So, this is it.. what's wrong?

Thanks for all the help!
Bird333
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 809

Posted: Fri Jan 22, 2010 15:12
This may be over my head. :) It's hard to understand/visualize what's going on if you are not the one doing it. :) Anyhoo.

One thing I am pretty sure of is that you need to put wireless and vlan4 into a bridge and get the linux DHCP server to assign IPs to the bridge not the interfaces in the bridge.

I guess the main thing that I am confused about is how you get a DHCP server on another box to assign IPs to the vlans and bridge that are on another device. I think I may need to bow out before I possibly cause more confusion. Good luck!
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Jan 22, 2010 18:51
phuzi0n wrote:
Are two PC's able to communicate across vlan's?

I need to know just how functional your trunk really is before postulating how to fix it.

fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

Posted: Fri Jan 22, 2010 21:29
Clients:

Client 1 (wireless) - 192.168.8.26
Client 2 (wired) - 192.168.8.25
Client 3 (wired) - 192.168.75.10
Client 4 (wired) - 192.168.4.10
Client 5 (wired) - 192.168.32.10

Linux box:

eth0.3 - 192.168.4.1
eth0.4 - 192.168.8.1
eth0.5 - 192.168.32.1
eth0.6 - 192.168.75.1

DD-WRT:

eth1 bridged to vlan4 (br1) - 192.168.8.2
vlan6 unbridged - 192.168.75.2

Ping response:

Client 1 -> Client 2 (OK)
Client 1 -> Client 3 (OK)
Client 1 -> Client 4 (OK)
Client 1 -> Client 5 (OK)
Client 1 -> Linux box (eth0.3, .4, .5, .6) (OK)
Client 1 -> 192.168.75.2 (FAIL)
Client 1 -> 192.168.8.2 (OK)

Client 2 -> Client 1 (OK)
Client 2 -> Client 3 (OK)
Client 2 -> Client 4 (OK)
Client 2 -> Client 5 (OK)
Client 2 -> Linux box (eth0.3, .4, .5, .6) (OK)
Client 2 -> 192.168.75.2 (FAIL)
Client 2 -> 192.168.8.2 (OK)

Client 3 -> Client 1 (OK)
Client 3 -> Client 2 (OK)
Client 3 -> Client 4 (OK)
Client 3 -> Client 5 (OK)
Client 3 -> Linux box (eth0.3, .4, .5, .6) (OK)
Client 3 -> 192.168.75.2 (OK)
Client 3 -> 192.168.8.2 (FAIL)

Client 4 -> Client 1 (OK)
Client 4 -> Client 2 (OK)
Client 4 -> Client 3 (OK)
Client 4 -> Client 5 (OK)
Client 4 -> Linux box (eth0.3, .4, .5, .6) (OK)
Client 4 -> 192.168.75.2 (FAIL)
Client 4 -> 192.168.8.2 (FAIL)

Client 5 -> Client 1 (OK)
Client 5 -> Client 2 (OK)
Client 5 -> Client 3 (OK)
Client 5 -> Client 4 (OK)
Client 5 -> Linux box (eth0.3, .4, .5, .6) (OK)
Client 5 -> 192.168.75.2 (FAIL)
Client 5 -> 192.168.8.2 (FAIL)

If I missed any test you want, just ask!
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Jan 22, 2010 21:44
Nice and verbose. It looks like a firewall problem on the dd-wrt box. Make sure that the firewall is off and that the routing mode is set to 'Router'. If that doesn't fix it then check that the linux box can ping each of the dd-wrt IP's.
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

Posted: Fri Jan 22, 2010 21:58
Well, unchecked everything on Firewall tab except "Filter multicast" and disabled firewall, rebooted router, didn't work. Set Routing mode to Router, rebooted router, didn't work.

Linux box can ping 192.168.75.2 and 192.168.8.2.

This might be useful:

iptables -vnL (inside dd-wrt router)

root@DD-WRT:~# iptables -vnL
Chain INPUT (policy ACCEPT 341 packets, 33397 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 DROP tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 DROP tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 DROP tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:69
0 0 DROP tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 DROP tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 DROP tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 DROP tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- vlan6 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 0 -- br1 vlan1 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER 0 -- vlan1 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 454 packets, 396K bytes)
pkts bytes target prot opt in out source destination

Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination

Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination

Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination

Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset

Chain trigger_out (1 references)
pkts bytes target prot opt in out source destination


iptables -t nat -vnL (inside dd-wrt router)

root@DD-WRT:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 132 packets, 11516 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0 to:192.168.1.1

Chain POSTROUTING (policy ACCEPT 1 packets, 58 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1 packets, 58 bytes)
pkts bytes target prot opt in out source destination

Routing table (inside dd-wrt router)

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.168.75.0 * 255.255.255.0 U 0 0 0 vlan6
192.168.8.0 * 255.255.255.0 U 0 0 0 br1
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Sat Jan 23, 2010 2:04
I don't know then. I can't see any reason why it's not working but it isn't. IMO it isn't worth pursuing. Just leave an IP assigned to the router for each vlan and if you ever want to block access then remove the IP from the interface or create an iptables rule on the dd-wrt router.
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

Posted: Sat Jan 23, 2010 2:19
I'm having two ideas but I need some input:

1) Tag all vlans

or

2) Unbridge all vlans and put them as .1, example vlan4 192.168.8.1

or.. I don't know either.. can't figure out what's wrong.. perhaps create a bridge with all interfaces?
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

Posted: Sat Jan 23, 2010 2:47
I've just realized that dd-wrt router can't ping 192.168.32.1 or 192.168.4.1 and that could be part of the problem. It can ping 192.168.8.1 and 192.168.75.1, but I thought 192.168.8.0 subnet clients would be able to ping 192.168.75.2 (vlan6 ip) and vice-versa..

Sorry phuzi0n, I've tested all the clients and forgot to test dd-wrt router from inside (ssh).

Look at dd-wrt's routing table:

I prefer to put it into this pastebin because pasting here would screw up the formatting: http://pastebin.org/80713
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Sat Jan 23, 2010 4:17
fggs wrote:
or.. I don't know either.. can't figure out what's wrong.. perhaps create a bridge with all interfaces?

If you do this then you no longer have virtual LAN's, you have a switch chip that is bridging and wasting cpu cycles. ie. it would put them all on the same LAN again, but with the cpu doing the work instead of the internal switch.

fggs wrote:
I've just realized that dd-wrt router can't ping 192.168.32.1 or 192.168.4.1 and that could be part of the problem. It can ping 192.168.8.1 and 192.168.75.1, but I thought 192.168.8.0 subnet clients would be able to ping 192.168.75.2 (vlan6 ip) and vice-versa..

You don't have routes to either subnet because you didn't assign an IP address to their interfaces, and there's no default route for it to fall back on. This is a different problem than what's happening to vlan4 and vlan6.

fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

Posted: Sat Jan 23, 2010 10:03
As I'm asking for help in several places, some people are advising me to try openwrt and it could be doable with it, but I don't want to leave dd-wrt just because of a tiny problem..

I've never used openwrt, seems hard..

Anyway, thanks for your help.. if you have any new idea, I will be happy to try..
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

Posted: Sun Jan 24, 2010 4:01
Great progress!

I've added this line and it solved everything: route add default gw 192.168.75.1 dev vlan5

All vlans can ping 192.168.75.2!

Only thing is: Linux box can't ping 192.168.75.2 if I use source ip from subnet other than 192.168.75.0, but I think this is to be expected. Example: eth0.2 has 192.168.4.1, if I type "ping -I eth0.2 192.168.75.2" it won't respond.. but "ping 192.168.75.2" responds fine.

You should notice that I said vlan5, it was not a typo, I've reset dd-wrt router and started from scratch: Followed this wiki: http://www.dd-wrt.com/wiki/index.php/Switch

I just didn't disable wireless, 802.1x and routing. New vlans are: vlan2, vlan3, vlan4, vlan5.

Minor bugs (build 12548):

1) I couldn't set Wireless to none on VLANs tab because it would stop broadcasting SSID. I had to leave Wireless set to LAN, but created bridge br1 and assigned vlan3 and eth1, it automatically removed eth1 from br0 (dd-wrt's defaults)

2) My LAN MAC shows as 00:00:00:00:00:00 on Status->Sys Info, but it has correct MAC via ifconfig on ssh.

If you guys want me to test anything, just ask, because now I can do my setup within 5 minutes tops!
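Why the default route fixed it, worked through as an added example (not code from the thread or from DD-WRT): this script models the kernel's longest-prefix-match lookup over the routing table fggs posted and shows which clients' echo replies had no route before the default route via 192.168.75.1 was added. It models only the missing-route case phuzi0n diagnosed, not the separate vlan4/vlan6 failure; the client addresses are taken from the ping matrix above, and the interface name for the default route (vlan6, matching the posted table; vlan5 after the reset) is an assumption.

```python
import ipaddress

# Constructed from the routing table fggs posted (Genmask converted to prefix
# length). The interfaces for 192.168.4.0 and 192.168.32.0 carry no IP address,
# so the router has no route at all to those subnets.
DDWRT_ROUTES = [
    ("192.168.1.0/24",  None, "br0"),
    ("192.168.75.0/24", None, "vlan6"),
    ("192.168.8.0/24",  None, "br1"),
    ("169.254.0.0/16",  None, "br0"),
    ("127.0.0.0/8",     None, "lo"),
]

# The fix from the thread: a default route via the Linux box's 192.168.75.1.
# Interface name is an assumption (vlan6 in the posted table, vlan5 after the reset).
DEFAULT_ROUTE = ("0.0.0.0/0", "192.168.75.1", "vlan6")

# Client addresses taken from the ping matrix in the thread.
CLIENTS = ["192.168.8.26", "192.168.8.25", "192.168.75.10",
           "192.168.4.10", "192.168.32.10"]


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it. Returns (gateway, iface),
    or None when nothing matches (the kernel reports 'Network is unreachable')."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def unreachable_clients(routes, clients=CLIENTS):
    """Clients whose ping the router cannot answer because the reply has no route."""
    return [c for c in clients if lookup(routes, c) is None]


if __name__ == "__main__":
    for c in CLIENTS:
        print(f"reply to {c:14} before fix: {lookup(DDWRT_ROUTES, c)}")
    print("unreachable before fix:", unreachable_clients(DDWRT_ROUTES))
    print("unreachable after fix: ", unreachable_clients(DDWRT_ROUTES + [DEFAULT_ROUTE]))
```

The clients on vlan3 and vlan5 are exactly the ones whose pings to 192.168.75.2 failed; once the default route exists the reply leaves via 192.168.75.1 and the Linux box routes it back.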
lrrpie
DD-WRT Novice


Joined: 09 May 2012
Posts: 2

Posted: Wed May 09, 2012 12:43
Hi fggs,

After reading your inputs, I still do not understand how to configure the vlan on dd-wrt.

Are you able to show the procedure in screen captures?
Page 3 of 3. All times are GMT