
How to bridge WLAN (wireless) to VLAN2 Port?

Discussion in 'Tomato Firmware' started by jmcafee, May 9, 2011.

  1. jmcafee

    jmcafee Addicted to LI Member

    This situation is a variant of the commonly discussed "Separate WLAN and LAN" theme.

    WRT54GL router, Tomato 1.28, used only as an AP and switch.

    Ports are configured as follows (from Seiichiro's guide):
    VLAN0 = Ethernet ports 1-3
    VLAN2 = Ethernet port 4

    I want to bridge the WLAN to VLAN2 only, and isolate the WLAN from all other WAN/LAN ports.

    I don't need the router's internet/WAN port, DHCP server, or firewall as these functions are handled by other devices on the network. I do want to enable wireless security.

    Thank you for your suggestions, including the syntax of the scripts.
     
  2. TexasFlood

    TexasFlood Network Guru Member

  3. jmcafee

    jmcafee Addicted to LI Member

    Yup. Read every thread before the original post.
     
  4. TexasFlood

    TexasFlood Network Guru Member

    Well, in a quick overview, seems to be like everything you need is in "Put Wlan in own Subnet" and "Two isolated separate LAN subnets and rate limiting" linked to in that thread. The former (in the linked PDF) describes how to separate the WLAN from the LAN with its own subnet and DHCP. The latter shows how to split out the wired ports to different VLANs. Unless I'm missing something that should get you most of the way to where you want to go. I actually want to do something similar, when I get time to do it justice. So I pasted in that info below, don't have time at the moment to consolidate it to a single script.

    So here is what is in the PDF:
    Here is an extract from the TomatoUSB forum "Multiple LAN subnet" article. I left out the rate limiting stuff since AFAIK you don't have a requirement for that.

     
  5. jmcafee

    jmcafee Addicted to LI Member

    Thank you. I really appreciate you taking the time for the cut and paste from those threads.

    I had already studied these (and other) posts earlier before I submitted my question, and couldn't see how to make them fit my scenario (though the scripts get me part way). Creating the VLANs and subnets was trivial and done already. As I read the quoted "Separate WLAN from LAN", it isolates the WLAN by breaking the WLAN-LAN bridge br0.

    But here is the trick: I do NOT want to isolate the WLAN from the entire LAN. I've split the LAN into 2 VLANs, and want to bridge to only one of the VLANs.

    I am a newbie at the scripting commands. I studied the iptables command from DD-WRT, but it isn't clear to me if I can use eth1 and VLANs as target interfaces for -i and -o (which I think is where I need to go). Also, I think I still need to keep the eth1 br0 bridge, unless there is a way to bridge eth1 directly to VLAN2 and not VLAN0 (not sure of using virtual rather than physical interfaces).

    I am reluctant to experiment with commands of which I have only rudimentary understanding of the unintended (and potentially ruinous) consequences.
     
  6. TexasFlood

    TexasFlood Network Guru Member

    Well, like I said, I think all the basics are contained in what I cut & pasted above.

    Also as I said, this is something I want to do as well, so thinking out loud, I'm going to take as shot at figuring out what I need to do and perhaps you can follow along and figure out what you need to do.

    So I start by telnet/sshing into my router. First I need to see what I have in place already, so do a "brctl show", "nvram show|grep wl0_ifname" and "nvram show | grep vlan.ports". In my case, I think I also need to do a "nvram show|grep wl1_ifname" as this is a simultaneous dual band E3000. So here is the output of that:
    Code:
    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.687f749ea0e0       no              vlan1
                                                            eth1
                                                            eth2
                                                            wds0.1
                                                            wds0.2
    # nvram show|grep wl0_ifname
    wl0_ifname=eth1
    # nvram show|grep wl1_ifname
    wl1_ifname=eth2
    # nvram show | grep vlan.ports
    new_vlan1ports=1 2 3 4 8*
    new_vlan2ports=0 8
    vlan1ports=1 2 3 4 8*
    vlan2ports=0 8
    So I have bridge br0 with wireless LANs eth1 and eth2, the two WDS links wds0.1 and wds0.2, and vlan1. I know from looking at my status->device list that eth1 is my 2.4GHz radio.

    So I pick up at step 3 of "Separate WLAN from LAN with own Subnet and DHCP Server using Tomato Firmware" above and remove my 2.4GHz radio eth1 from br0, create br1 and add eth1 to it, then all the other steps to make it usable, including configuring the IP address and the subnet mask for br1, configuring the DHCP server for br1, configuring iptables so that br1 gets access to the Internet, and enabling wireless encryption for the br1 wireless LAN. If all you need is the security then all you need to add is steps 3, 4 & 7 I think.

    That in a nutshell is the first post on splitting the WLAN off to another bridge. The only thing left to do, if I understand you correctly is to add port 4 to br1 which should be isolated at this point. Again per the above, second post "Multiple LAN subnets", I would do the following, which you may have already done, at a shell prompt do the following:
    Code:
    nvram set vlan1ports="3 2 1 8*"
    nvram set vlan3hwname=et0
    nvram set vlan3ports="4 8*"
    nvram set manual_boot_nv=1
    nvram commit
    As it says above, this will isolate port 4 from the ethernet bridge and it will be assigned to the virtual LAN vlan3. Then you'd add "brctl addif br1 vlan3" to your init tab script.

    At this point I -think- the wireless radio and port 4 should be split off to bridge br1 by themselves, and not talking to anything but each other which is what you're asking for near as I can tell.

    So I tried to go a level deeper and show what I meant by thinking everything you needed was in those posts. I haven't tested it yet so perhaps someone can chime in if I got something wrong.
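The steps worked through in the post above, consolidated into one script as an added example; it is not TexasFlood's script and not Tomato's own code. The values are assumptions taken from the nvram output above and are to be checked against your own `brctl show` and `nvram show | grep vlan.ports`: the 2.4 GHz radio is eth1, the LAN vlan is vlan1, vlan3 is unused (vlan2 is the WAN on that router), switch port 8 is the CPU port, port 4 is the one being split off, and br1 takes 192.168.3.1/24. The function names are mine. The nvram half runs once at a shell and takes effect at the next boot (manual_boot_nv=1 is what the quoted steps use so the custom vlan variables survive boot); the brctl half is what goes into the Init script, since bridge membership is rebuilt on every boot. The ports_overlap check refuses a layout that lists a switch port in two VLANs, which is the kind of slip the warning in the thread about backups is aimed at.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato.
# Moves the 2.4 GHz radio off br0 onto br1, carves switch port 4 out of vlan1
# into vlan3, and adds vlan3 to br1. Values below are assumptions for illustration.
set -f                       # no pathname expansion: "8*" must stay literal

WIFI_IF="eth1"               # wl0_ifname on the router above
KEEP_VLAN="vlan1"            # LAN vlan that keeps ports 1-3
NEW_VLAN="vlan3"             # unused on the router above (vlan2 is its WAN)
CPU_PORT="8"                 # the starred (tagged) port in vlanNports
KEEP_PORTS="3 2 1 ${CPU_PORT}*"
ISO_PORTS="4 ${CPU_PORT}*"
BR1_IP="192.168.3.1"
BR1_MASK="255.255.255.0"

# Return 0 when two vlanNports strings share a switch port other than the
# CPU port. A port listed in two VLANs is the easy way to lose the router.
ports_overlap() {
    for p in $1; do
        p=${p%\*}
        [ "$p" = "$CPU_PORT" ] && continue
        for q in $2; do
            [ "${q%\*}" = "$p" ] && return 0
        done
    done
    return 1
}

# The nvram changes from the quoted post; they take effect at the next boot.
layout_cmds() {
    printf 'nvram set %sports="%s"\n' "$KEEP_VLAN" "$KEEP_PORTS"
    printf 'nvram set %shwname=et0\n' "$NEW_VLAN"
    printf 'nvram set %sports="%s"\n' "$NEW_VLAN" "$ISO_PORTS"
    printf 'nvram set manual_boot_nv=1\n'
    printf 'nvram commit\n'
}

# Bridge work for the Init script: re-run on every boot, nothing saved in nvram.
init_cmds() {
    printf 'brctl delif br0 %s\n' "$WIFI_IF"
    printf 'brctl addbr br1\n'
    printf 'brctl addif br1 %s\n' "$WIFI_IF"
    printf 'brctl addif br1 %s\n' "$NEW_VLAN"
    printf 'ifconfig br1 %s netmask %s up\n' "$BR1_IP" "$BR1_MASK"
}

if ports_overlap "$KEEP_PORTS" "$ISO_PORTS"; then
    echo "refusing: a switch port appears in both $KEEP_VLAN and $NEW_VLAN" >&2
    exit 1
fi

# With no argument the script only prints what it would run (safe anywhere).
case "${1:-dryrun}" in
    layout) layout_cmds | sh ;;   # run once at a shell, then reboot
    init)   init_cmds | sh ;;     # what the Init script should execute
    *)      layout_cmds; init_cmds ;;
esac
```

Run it with no argument first and compare the printed commands against your own vlanNports values; only then run `layout` at a shell, reboot, and put the `init` commands into Administration > Scripts > Init. Wireless encryption for the radio on br1 is still set in the GUI; nothing here touches it.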
     
  7. jmcafee

    jmcafee Addicted to LI Member

    Thanks again for thinking through the process.

    Using the CLI via telnet, adding a vlan to a bridge generates "interface vlan2 does not exist!" -- it looks like you cannot add a virtual interface to the bridge (I confirmed that vlan2 does exist).

    Unless you have any other ideas, my next steps to try are:
    1. reconnect eth1 to br0
    2. use iptables to route packets.

    ** EDIT ** I can add vlan1 to br1, so I need to work out the details of why vlan2 cannot be added. Again I'm doing this from the CLI so to make any error non-permanent (until commit).
     
  8. TexasFlood

    TexasFlood Network Guru Member

    As you can see vlan2 already existed on my router, apparently the WAN port, so I used vlan3 like the cut & pasted example to be safe. So I just ran a test and was able to create a new bridge, a new vlan and add the vlan to the bridge.
    Code:
    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.687f749ea0e0       no              vlan1
                                                            eth1
                                                            eth2
                                                            wds0.1
                                                            wds0.2
    # nvram show|grep wl0_ifname
    wl0_ifname=eth1
    # nvram show|grep wl1_ifname
    wl1_ifname=eth2
    # nvram show | grep vlan.ports
    new_vlan1ports=1 2 3 4 8*
    new_vlan2ports=0 8
    vlan1ports=1 2 3 4 8*
    vlan2ports=0 8
    # nvram set vlan1ports="3 2 1 8*"
    # nvram set vlan3hwname=et0
    # nvram set vlan3ports="4 8*"
    # brctl addbr br1
    # brctl addif br1 vlan3
    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.687f749ea0e0       no              vlan1
                                                            eth1
                                                            eth2
                                                            wds0.3
                                                            wds0.1
                                                            wds0.2
    br1             8000.687f749ea0e0       no              vlan3
     
  9. TexasFlood

    TexasFlood Network Guru Member

    FYI, it IS easy to make a mistake doing this sort of stuff. At least it is for me. I was doing some testing on my router yesterday. Have no idea what I did but all of a sudden one of my wired PCs could not connect to the Internet. Can't say for sure if I fat-fingered something or just flat out did something wrong.

    I probably could have figured out what I did and backed it out. But I really didn't have the time first thing this morning when I discovered the issue. So, and this is my point, I had made a recent backup. From a PC that could still get to the router, I did a thorough NVRAM reset and reloaded the backup & was back up and working in just a few minutes.

    So I'm not saying don't do some tests and figure out how to do what you need to do. But make a known good state backup before you do, just in case. And perhaps I'm just restating the obvious and preaching to the choir but thought I'd just mention what just happened to me while it was fresh in my mind. {steps down off soap box}
     
  10. jmcafee

    jmcafee Addicted to LI Member

    SUCCESS!!

    Mistakes, indeed, which is why I asked for help when I was venturing into sketchy territory. The few times where I was sure that I bricked the router proved false. A baffling quirk in the creation of the WRT54GL v1.1 vlans consumed many hours until I tried an obscure command which is poorly documented.

    Thank you for your help and troubleshooting. You are correct that a vlan is a valid interface for a bridge -- I must have repeatedly committed the same syntax errors when trying to add it to br1. But that tactic proved unnecessary.

    I ended up taking a much simpler approach that I think is better for several reasons, but I would like any comments, especially with the firewall scripts. My thinking was biased by all of the posts that described moving the wireless to a new bridge and vlan, and forwarding packets through the WAN. It dawned on me that none of that was necessary, and I'm embarrassed that I had to ask for help.

    My goal was to use this single router to provide an isolated AP for guest internet access, and use the WOL tool for hosts on the secure network. The dhcp, vlans and internet routing are provided by a Cisco RVL200.

    I'll put a more detailed description in a separate post after any comments so readers don't have to wade through all of iterations, but here are the basic steps:

    1. Start with the default interfaces and bridge.
    2. Create vlan2 (or whatever doesn't exist), and assign the desired ports to vlan0 and vlan2. Vlan0 will tie the wireless to the guest subnet; vlan2 ties to the secure subnet.
    3. Create an init script that assigns the IP and netmask for vlan2.
    4. Create a firewall script to activate vlan2, and block any routing between vlan0 and vlan2:
    Code:
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I FORWARD -i br0 -o vlan2 -j DROP
    5. Change the router's IP to the same subnet as the guest network.
    6. In my situation, deactivate dhcp (thus no need for custom dnsmasq commands).

    My testing indicates the vlans are isolated. The advantages of this config include:
    1. All of the wireless settings remain addressable though the normal gui, rather than writing scripts or using the CLI if eth1 is deleted from br0.
    2. No complicated firewall scripts.

    My final challenge is to make the WOL tool usable. I believe it only works with hosts on the vlan0 subnet, so I'll borrow some scripts to carefully forward a broadcast to vlan2.
     
  11. TexasFlood

    TexasFlood Network Guru Member

    Cool. Glad you got it working. Got me thinking more about what I need to do as well. As for wake-on-lan, not sure about using it through the gui, but perhaps the ether-wake command? Maybe that's what you were referring to already, not sure.

    One question though, and showing my ignorance here. Where you say "Create a firewall script to activate vlan2, and block any routing between vlan0 and vlan2". Is that really required? I was thinking if you wanted vlan2 isolated then no firewall rules would be required. Did I get that wrong? If bridge br0 is the only other device on the router then do you really need to enable input to vlan2 only to block all input to vlan2? Would it work without that? By definition wouldn't vlan2 be isolated unless you put in a rule stating otherwise? Just trying to understand and I really don't know much about iptables.

     
  12. jmcafee

    jmcafee Addicted to LI Member

    The ignorance is mine, not yours. Just about every source I read on creating VLANs added these firewall rules. I did not question the collective wisdom.

    However, your astute question challenged the group-think. Indeed, I find that neither rule is necessary for VLAN operation or isolation in my configuration. OTOH, I simply cannot come up with any routing rules that enable routing or forwarding between the VLANs, possibly necessary if I'm going to use Tomato's WOL. I will still probably include the DROP rule as a precaution.

    I appreciate any comments regarding enabling or blocking routing between VLANs, particularly using the router's WOL for hosts on the non-default subnet. This continues to be a works-in-progress for me.
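The six steps of the "SUCCESS" post and the WOL question it and the post above leave open, as one added example; it is neither jmcafee's script nor Tomato's code. Everything concrete in it is an assumption for illustration, to be checked against `nvram get vlan0ports` on your own unit: the WRT54GL switch numbers its ports 0-4 with 5 as the CPU port and the jack labelled 4 on the case is switch port 0; the guest side (br0 = eth1 + vlan0) is 192.168.1.0/24; the secure side (vlan2) is 192.168.2.0/24 with the router at .2; the GUI listens on TCP 80. Two points worth knowing before deciding whether the firewall rules are needed: Tomato's own firewall gives the FORWARD chain a DROP policy (confirm with `iptables -L FORWARD -n`), which is why no rule was needed for isolation, and a WOL magic packet is a broadcast that no FORWARD rule will carry from br0 into vlan2, so the script sends it with busybox `ether-wake` bound to vlan2 instead of trying to route it. The blanket `INPUT ACCEPT` from the thread is narrowed to the admin port.

```shell
#!/bin/sh
# Added example, not jmcafee's script and not Tomato code.
# Guest side stays on br0 (eth1 + vlan0); port 4 becomes vlan2 on its own
# subnet; WOL into vlan2 is done from the vlan2 interface directly.
# All addresses, port numbers and names are assumptions for illustration.
set -f                        # keep "5*" literal in the port strings

GUEST_BR="br0"
SECURE_IF="vlan2"
SECURE_IP="192.168.2.2"
SECURE_MASK="255.255.255.0"
ADMIN_PORT="80"               # Tomato GUI; add 22/23 only if you expose them

# One-time switch layout (run once at a shell, then reboot). Assumed WRT54GL
# numbering: case jacks 1-3 are switch ports 3,2,1; jack 4 is port 0; 5 is CPU.
layout_cmds() {
    printf 'nvram set vlan0ports="3 2 1 5*"\n'
    printf 'nvram set vlan2hwname=et0\n'
    printf 'nvram set vlan2ports="0 5*"\n'
    printf 'nvram set manual_boot_nv=1\n'
    printf 'nvram commit\n'
}

# Init script: give vlan2 an address so the router itself can reach the
# secure subnet (needed for WOL and for managing from that side).
init_cmds() {
    printf 'ifconfig %s %s netmask %s up\n' "$SECURE_IF" "$SECURE_IP" "$SECURE_MASK"
}

# Firewall script. Tomato's FORWARD policy is already DROP, so the two DROP
# rules only make the intent explicit; INPUT is opened for the admin port only.
firewall_cmds() {
    printf 'iptables -I INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$SECURE_IF" "$ADMIN_PORT"
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$GUEST_BR" "$SECURE_IF"
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$SECURE_IF" "$GUEST_BR"
}

# Print the MAC as lower-case aa:bb:cc:dd:ee:ff; fail on anything malformed.
normalize_mac() {
    m=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[-:]//g')
    case "$m" in
        ????????????) ;;                    # exactly 12 characters
        *) return 1 ;;
    esac
    case "$m" in
        *[!0-9a-f]*) return 1 ;;            # only hex digits
    esac
    printf '%s\n' "$m" | sed 's/../&:/g; s/:$//'
}

# WOL into the secure VLAN. The magic packet is a broadcast, so it is not
# routed across br0 -> vlan2; emit it on vlan2 with busybox ether-wake.
wake_secure_host() {
    mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    ether-wake -i "$SECURE_IF" -b "$mac"
}

# With no argument the script only prints what it would run (safe anywhere).
case "${1:-dryrun}" in
    layout)   layout_cmds | sh ;;            # once at a shell, then reboot
    init)     init_cmds | sh ;;              # contents of the Init script
    firewall) firewall_cmds | sh ;;          # contents of the Firewall script
    wake)     wake_secure_host "$2" ;;       # e.g. wake 00:1a:2b:3c:4d:5e
    *)        layout_cmds; init_cmds; firewall_cmds ;;
esac
```

On the router, `init` and `firewall` are just the lines those functions print, pasted into Administration > Scripts; `wake MAC` is the replacement for the GUI WOL tool for hosts on vlan2, if that tool only emits on br0 as suspected above. Note that the FORWARD DROP rules never see the WOL traffic at all, since it originates on the router and leaves through vlan2 directly.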
     
