1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

All switch ports on their own vlan

Discussion in 'Tomato Firmware' started by koter84, Oct 26, 2007.

  1. koter84

    koter84 Guest

    Hi All !!!

    I have a question with which someone here might be able to help me.

    I have an existing network with DHCP server and a internet connection, now i want my WRT54GL v1.1 to work as just an AP. I've managed to set this up.

    Now step two is that i would like to add the WAN-port to the switch. This way i could still use the WAN-port as the connection to the network.

    Then i would like to give every port their own vlan and connect all of those to the WAN-port, giving every port access to the network and each-other. This way i could separate and log the traffic that is generated on each port.

    I've been working on some things and changing some of the scripts i found on this forum.

    ( does anybody know why there is a "*" with vlan0ports ?? )
    ( http://www.linksysinfo.org/forums/showthread.php?t=51888 )
    Code:
    led amber on
    sleep 1
    
    nvram set vlan0hwname=et0
    nvram set vlan0ports="4 5*"
    nvram set vlan1hwname=et0
    nvram set vlan1ports="3 5"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="2 5"
    nvram set vlan3hwname=et0
    nvram set vlan3ports="1 5"
    nvram set vlan4hwname=et0
    nvram set vlan4ports="0 5"
    
    ifconfig vlan0 down
    ifconfig vlan1 down
    
    vconfig add eth0 2
    vconfig add eth0 3
    vconfig add eth0 4
    
    ifconfig vlan0 up
    ifconfig vlan1 up
    ifconfig vlan2 up
    ifconfig vlan3 up
    ifconfig vlan4 up
    
    ifconfig br0 down
    brctl del br0
    
    brctl add br1
    brctl addif vlan0
    brctl addif vlan1
    brctl add br2
    brctl addif vlan0
    brctl addif vlan2
    brctl add br3
    brctl addif vlan0
    brctl addif vlan3
    brctl add br4
    brctl addif vlan0
    brctl addif vlan4
    
    ifconfig br1 up
    ifconfig br2 up
    ifconfig br3 up
    ifconfig br4 up
    
    led amber off
    
    I want to put this code in the firewall-script, but i cant get it to work correctly.

    The code just above does work, and apparently the vlans are linked. I keep my internet connection when i put the network-plug in port 4 (so i need to edit the vlanXports) but i cant reach the router anymore, so i cant do any more stuff.

    i've also tried to use this part instead of the current bridging part:
    Code:
    ifconfig br0 down
    brctl addif br0 eth1
    brctl addif br0 vlan0
    brctl addif br0 vlan1
    brctl addif br0 vlan2
    brctl addif br0 vlan3
    brctl addif br0 vlan4
    ifconfig br0 up
    
    but that doesnt seem to work either....

    can anybody please help me a bit, i use Linux quite a lot, but i'm not really into this bridging/networking stuff
     
  2. mstombs

    mstombs Network Guru Member

    I have a vlan2 under Tomato, which I defined committed and it sticks across reboot, but note there is an issue with the WRT54GL - the vlan ports seem to be reassigned on reboot with Tomato. I think you may have an issue that the vlan code is actually in the Broadcom kernel and the switch is configured before you try to make changes?

    My vlan2 config detailed here

    http://www.linksysinfo.org/forums/showthread.php?t=54665

    Have since seen the vlan code is in Tomato interface.c, and can be redone later using the vconfig command.
     
  3. humba

    humba Network Guru Member

    @mstombs: would you mind sharing the commands you used to create the vlan2?
    I'm trying to map one port to a separate vlan2 which would have its own dhcp server and everything but in the end share Internet access with the default vlan0 but I seem to be unable to get the vlan working.

    By just setting the vlan2ports variable in the init script, I don't have a vlan2 interface in ifconfig yet (ifconfig vlan2 something) just returns that the interface is unknown.

    Even if I add vlan2 using vconfig eth0 2, I still cannot access vlan2 via ifconfig.

    Even if I modify lan_ifname to also include vlan2, my vlan2 is nowhere to be found.
     
  4. roadkill

    roadkill Super Moderator Staff Member Member

  5. humba

    humba Network Guru Member

    Hmm.. you're detaching eth1 from br0, and then use iptables to pass traffic back and forth between the wireless and the wan.
    Unfortunately, this doesn't translate into lan ports - they're all eth0 and you can't detach eth0 from br0 or you detach every single port.

    Here's what I've tried so far:

    init-script:
    Code:
    vconfig add eth0 2
    nvram set vlan0ports="2 1 0 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="3 5"
    (I also tried adding
    nvram set lan_ifnames="vlan0 vlan2 eth1 eth2 eth3"

    at the bottom, and

    brctl addif br0 vlan2

    (the latter made things a lot worse and killed my perfectly working openvpn config).

    I then bring up vlan2 by adding the following to the wanup script:

    Code:
    ifconfig vlan2 10.10.10.2 netmask 255.255.255.0 up
    When the router is back up after a reboot, vlan2 shows up with the assigned configuration (mac being equal to the mac of vlan0 / eth0) - but the port I moved still appears to be a member of vlan0 - if you plug a machine there, it gets connected to the network to which the router is attached on the lan side via port1 (which is in vlan0).
    As a first step, I figure I need proper detachment so that if I plug in a machine to the port, I won't be connected to vlan0 (there's a domain with everything behind it - so if I'm still on vlan0 I get an IP address.. in vlan2 I should either get an IP address from the router's own dhcp, or in case I messed up the config.. I shouldn't get any IP address at all which would at least tell me the port is no longer in vlan0.

    Unfortunately, the router with dd-wrt is at home (iirc I managed to detach a port there using the GUI) so I cannot compare nvram variables and how the whole vlan thingie looks like.
     
  6. humba

    humba Network Guru Member

    Hmm - I think I finally figured it out. The vlan config reset hardcoded into Tomato is the culprit (@roadkill: could you take that out from your next vpn release? It really shouldn't be there - and the new ethernet port experiments you see on this board all looked pretty bleak - most likely due to this problem and nobody mentioning a workaround).

    I did some experiments with my dd-wrt router, where changing the vlanXports variables then rebooting did the trick. I then tried to replicate my init script and by combining various information I found online I arrived at:

    Code:
    nvram set vlan0ports="2 1 0 5*"
    ifconfig vlan0 down
    ifconfig vlan0 up
    nvram set vlan2ports="3 5"
    nvram set vlan2hwname=et0
    That separated port 3. I then tried putting the same stuff into Tomato's init script which didn't work. But when I moved ifconfig vlan0 up to the wanup script (after the 5 second wait for openvpn), port 3 would finally no longer serve an IP address from the dhcp server on vlan0. Now on to the separate dhcp thing...
     
  7. humba

    humba Network Guru Member

    Alright.. except for the VPN part I'm there now. My biggest problem was Tomato's resetting the vlan0ports variable and reassigning all the ports to vlan0 - that is hardcoded and cannot be changed.

    Even changing them in the Init script won't do the trick - the variables might be correct, but the port you want to break out is still in vlan0.

    The only way I could get my changes to stick was taking the vlan0 interface down for a bit, then putting it up again.

    So in scripts this translates as follows:

    Init script
    Code:
    nvram set vlan0ports="2 1 0 5*"
    ifconfig vlan0 down
    nvram set vlan2hwname=et0
    nvram set vlan2ports="3 5"
    WAN UP
    Code:
    ifconfig vlan0 up
    ifconfig vlan2 192.168.3.1 netmask 255.255.255.0 up
    If I take vlan0 again in the Init script, port 3 remains stuck in vlan0 (in dd-wrt this is not the case) - but putting the up command in the WANUp did the trick. Since this is apparently timing sensitive, you might be able to get it working in the Init script with a sleep command as well or might even have to resort to a sleep command in the WANUp script.

    The WANUP Script brings vlan2 up with IP address 192.168.3.1 and mask 255.255.255.0

    The next step is adapting the firewall rules - you won't be able to even ping your vlan if you connect a machine behind it.

    The simplest way to get this done is adding the following 3 lines to the Firewall script:
    Code:
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br0 -o vlan2 -j DROP
    The script accepts input from vlan2, allows forwarding of new connections from vlan2 to vlan1 (wan), and drops anything that attempts to get from br0 to vlan2 (so incoming traffic is blocked, and you cannot hop from vlan0 to vlan2.

    Now if you attach a machine at port 3 (you have to manually assign an IP address of course), you should be able to ping the vlan2 ip address, and connect to the outside (assuming you configured the default gateway and you have a dns that can be reached).

    If you want to be a little more advanced, look at how roadkill adapted his firewall rules to separate wlan and lan here

    If you'd like to run a separate dhcp server on your vlan, then you need to make some configuration changes to the dhcp server as well:

    Code:
    dhcp-authoritative
    interface=vlan2
    dhcp-range=vlan2,192.168.3.50,192.168.3.60,255.255.255.0,1440m
    dhcp-option=net:vlan2,3,192.168.3.1
    dhcp-option=net:vlan2,6,192.168.1.1
    Note that I'm not convinced we need the first line (especially if you have the standard dhcp server running on vlan0). Either way, line2 makes the dhcp server listen on vlan2, line 3 defines the address range and lease duration (1400 minutes), line4 sets the default gateway to 192.168.3.1 and the final line sets the dns server address (I put the Tomato where I tried this all behind my real outside router so that one acts as DNS server. This won't be necessary for a normal setup where vlan1 knows its DNS server (I configured the WAN port statically and unfortunately Tomato doesn't allow to enter DNS servers in that configuration).

    There is definitely no need for vconfig - if the vlanXports variable is defined, the appropriate vlan is automatically created (which is completely different from how vlans work in a standard linux installation.. there you need vconfig, and it won't add interfaces named vlanx but instead create copies of the physical interfaces you add the vlan to.. so e.g. vlan2 for eth0 would result in an interface eth0.2).

    The only thing I don't like yet in this solution is that clients on vlan0 can connect to the IP address of vlan2, and vice versa (connections between clients in different vlans are not possible though). If anybody more experienced with iptables has an idea - I wouldn't mind hearing it :)
     
  8. Noodlewad

    Noodlewad LI Guru Member

    I am currently running a similar setup, maybe even the same, and have been for months 4 or 5 at least. We use it at our office to provide wireless internet access to clients but keep them off of our main network. The isolated Ethernet port (#4 in this case) runs to another wireless router to handle the client wireless access.

    nvram paramaters:
    Code:
    nvram set "vlan0ports=3 2 1 5*"
    nvram set "vlan2ports=0 5*"
    nvram set "vlan2hwname=et0"
    nvram commit
    WAN Up script:
    Code:
    ifconfig vlan2 192.168.5.1 netmask 255.255.255.252
    ifconfig vlan2 up
    Firewall script:
    Code:
    iptables -A INPUT -i vlan2 -j ACCEPT
    iptables -A FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
    #iptables -A FORWARD -i br0 -o vlan2 -j DROP
    I forget why I commented out the last DROP rule, I think it was so I could ping and configure the router from my main LAN, it doesn't seem to hurt not having it there, maybe someone can tell me if that is wrong.

    I haven't posted this b/c I wasn't sure if it was all working properly at the time. I figure I'll contribute this now and see if there are ways to improve upon it.
     

Share This Page