
Problem with Virtual Wireless

Discussion in 'Tomato Firmware' started by cheops2006, Feb 9, 2014.

  1. cheops2006

    cheops2006 Reformed Router Member

    Hi,

    I am trying to set up a virtual wireless that links to br2, but it's failing to connect. It shows up fine, but it's not connecting; it just immediately drops when negotiating. Please help!

    My vlans are like this


    Code:
    lan1_ifnames=vlan3
    lan2_ifnames=vlan4 wl0.1
    lan_ifnames=vlan1 eth1 eth2
    landevs=vlan1 wl0 wl1
    trunk_vlan_so=0
    vlan0hwname=
    vlan0ports=
    vlan0tag=0
    vlan0vid=
    vlan10hwname=
    vlan10ports=
    vlan10vid=
    vlan11hwname=
    vlan11ports=
    vlan11vid=
    vlan12hwname=
    vlan12ports=
    vlan12vid=
    vlan13hwname=
    vlan13ports=
    vlan13vid=
    vlan14hwname=
    vlan14ports=
    vlan14vid=
    vlan15hwname=
    vlan15ports=
    vlan15vid=
    vlan1hwname=et0
    vlan1ports=2 3 4 8*
    vlan1vid=
    vlan2hwname=et0
    vlan2ports=0 8
    vlan2vid=
    vlan3hwname=et0
    vlan3ports=1 8
    vlan3vid=3
    vlan4hwname=et0
    vlan4ports=8
    vlan4vid=4
    vlan5hwname=
    vlan5ports=
    vlan5vid=
    vlan6hwname=
    vlan6ports=
    vlan6vid=
    vlan7hwname=
    vlan7ports=
    vlan7vid=
    vlan8hwname=
    vlan8ports=
    vlan8vid=
    vlan9hwname=
    vlan9ports=
    vlan9vid=
    wan_iface=vlan2
    wan_ifname=vlan2
    wan_ifnameX=vlan2
    wan_ifnames=vlan2
    wandevs=vlan2
    wl0_vlan_prio_mode=off
    wl1_vlan_prio_mode=off
    wl_vlan_prio_mode=off
    
    I have assigned
    br0 192.168.2.1 255.255.255.0
    dhcp is 192.168.2.100 - 254

    br1 192.168.3.1 255.255.255.0
    dhcp is 192.168.3.100 - 254

    br2 192.168.4.1 255.255.255.0
    dhcp is 192.168.4.100 - 254


    This is my iptables dump


    Code:
    Chain INPUT (policy DROP 31 packets, 2467 bytes)
    pkts bytes target     prot opt in     out     source               destination        
    1256  135K ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0          
        5   302 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    3678  340K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        1    52 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
        6   882 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    1161  143K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  br2    *       0.0.0.0/0            0.0.0.0/0          
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination        
    1523 78980 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
        0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          
    24382   11M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.3.0/255.255.255.0 name: lan1
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.4.0/255.255.255.0 name: lan2
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  br1    br1     0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  br2    br2     0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    1523 78980 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    23630   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 DROP       all  --  br0    br1     0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  br0    br2     0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  br1    br0     0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  br1    br2     0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  br2    br0     0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  br2    br1     0.0.0.0/0            0.0.0.0/0          
        0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0          
      752 39288 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0          
      752 39288 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  br2    *       0.0.0.0/0            0.0.0.0/0          
        0     0 upnp       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0          
    
    Chain OUTPUT (policy ACCEPT 4859 packets, 1549K bytes)
    pkts bytes target     prot opt in     out     source               destination        
      504 39529 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          
    
    Chain shlimit (1 references)
    pkts bytes target     prot opt in     out     source               destination        
        1    52            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    
    Chain upnp (1 references)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain wanin (1 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.5         tcp dpt:8801
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.5         tcp dpt:7001
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.5         tcp dpt:21
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.5         tcp dpt:636
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.5         tcp dpt:5001
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.5         tcp dpt:9008
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.5         tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.5         tcp dpt:443
    
    Chain wanout (1 references)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain PREROUTING (policy ACCEPT 1691 packets, 136K bytes)
    pkts bytes target     prot opt in     out     source               destination        
       31  2467 WANPREROUTING  all  --  *      *       0.0.0.0/0            192.168.0.2        
        0     0 DROP       all  --  vlan2  *       0.0.0.0/0            192.168.2.0/24     
        0     0 DROP       all  --  vlan2  *       0.0.0.0/0            192.168.3.0/24     
        0     0 DROP       all  --  vlan2  *       0.0.0.0/0            192.168.4.0/24     
       31  2467 upnp       all  --  *      *       0.0.0.0/0            192.168.0.2        
    
    Chain POSTROUTING (policy ACCEPT 118 packets, 51951 bytes)
    pkts bytes target     prot opt in     out     source               destination        
      757 39618 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0          
       44 15323 SNAT       all  --  *      br0     192.168.2.0/24       192.168.2.0/24      to:192.168.2.1
        0     0 SNAT       all  --  *      br1     192.168.3.0/24       192.168.3.0/24      to:192.168.3.1
        0     0 SNAT       all  --  *      br2     192.168.4.0/24       192.168.4.0/24      to:192.168.4.1
      432 27821 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          
    
    Chain OUTPUT (policy ACCEPT 594 packets, 95095 bytes)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain WANPREROUTING (1 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.2.1
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8801 to:192.168.2.5:8801
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7001 to:192.168.2.5:7001
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 to:192.168.2.5:21
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:636 to:192.168.2.5:636
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5001 to:192.168.2.5:5001
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9008 to:192.168.2.5:9008
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.2.5:80
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.2.5:443
    
    Chain upnp (1 references)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain PREROUTING (policy ACCEPT 30715 packets, 12M bytes)
    pkts bytes target     prot opt in     out     source               destination        
    13699 2835K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
        0     0 MARK       all  --  br1    *       0.0.0.0/0            0.0.0.0/0           MARK set 0x0
        0     0 MARK       all  --  br2    *       0.0.0.0/0            0.0.0.0/0           MARK set 0x0
    
    Chain INPUT (policy ACCEPT 6133 packets, 621K bytes)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain FORWARD (policy ACCEPT 24383 packets, 11M bytes)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain OUTPUT (policy ACCEPT 5385 packets, 1594K bytes)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain POSTROUTING (policy ACCEPT 29768 packets, 12M bytes)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 MARK       all  --  *      *      !192.168.2.0/24       192.168.2.101       MARK set 0xa 
     
  2. pete48

    pete48 Reformed Router Member

    I've also had the same issue, and have tracked it down to a bug in the source introduced back in Sept 2013. Here is the email I've sent to Shibby; hopefully this trivial fix will be applied for the next release. In the meantime, you can recompile libshared.so and apply it if you are determined!

    Hi Shibby (CC'd Victek),

    I've found a bug introduced by your huge commit last September for N/AC co-existence. The bug has the effect of preventing the EAP/NAS daemon (WPA security negotiation) from listening on wireless interfaces attached to br2 and above (only br0 and br1 work). At least one user has independently observed this bug here:

    http://www.linksysinfo.org/index.php?threads/problem-with-virtual-wireless.69635/

    In release 116 (and others?) a wireless interface will only work on br2 and above if security is disabled.


    The fix is one character, so rather than add a branch in repo, how about I show you this way?


    So, here is your 'huge commit':

    http://repo.or.cz/w/tomato.git/commit/80a9b7cd300a64c71f6d2bc701b88e9f1634c6e8

    If you page down to release/src/router/shared/wlif_utils.h, and hit diff, you will see:

    -#define WLIFU_MAX_NO_BRIDGE 4

    +#define WLIFU_MAX_NO_BRIDGE 2
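Review bot: the replacement line `#define WLIFU_MAX_NO_BRIDGE 2` halves the bridge limit with no comment saying what the constant bounds or why 2 is enough, while the configuration earlier in this thread already uses br0, br1 and br2. Keep the value at 4, or derive it from the maximum number of LAN bridges, and add a comment noting that get_ifname_by_wlmac() depends on it.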


    Revert this back to 4 and the bug is fixed... any idea why you changed the value from 4 to 2?

    This value is only used by the get_ifname_by_wlmac() function to map a MAC address back to the wireless interface name.


    I've confirmed this fix on my N66U by replacing /usr/lib/libshared.so with a recompiled version placed at /opt/usr/lib, and linking it dynamically by setting:

    export LD_LIBRARY_PATH=/opt/usr/lib:$LD_LIBRARY_PATH

    Type 'ldd eapd' to confirm it will link to the correct version of libshared.so, and then restart eapd. I can build the entire Shibby flash image successfully with this fix, but I'm a bit too chicken to flash my expensive router with it :) The above method enables me to test the fix and work around the bug for now.


    BTW, this took me quite a while to figure out the root cause, as I had to unravel how NAS and EAP work by recompiling them with the BCMDBG flag and adding further debug. For some time I thought the bug was in NAS, as a tcpdump -i wl#.# will show there is no response from NAS to the attempted 4-way WPA handshake on these interfaces, but it really confused me why NAS or the Broadcom wireless adaptor would care (or even know) which VLAN bridge the wireless adaptor is assigned to. Eventually I realised NAS didn't receive any messages from these interfaces on the local loopback, and the fault lies instead with the EAP daemon. Basically, the EAP daemon listens on all wireless interfaces, and when it identifies EAP frames it passes these to the NAS daemon using UDP transport via the local loopback interface at ports 38000 / 38032. There is rather woeful error handling in EAP and NAS, which doesn't help the matter. For example, EAP will return success despite failing to successfully identify and listen on all wireless interfaces.
     
    ledetekst and shibby20 like this.
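A simplified model of the failure pete48 describes, added here as an illustration and not taken from the Tomato source: it assumes the lookup walks the bridge member lists only up to the limit and matches by interface name rather than MAC address. The names `find_bridge`, `list_has` and `bridge_members` are hypothetical; the bridge membership is copied from the nvram dump in the first post.

```c
/* Added illustration, not Tomato source: a bounded bridge scan in the style
 * the post attributes to get_ifname_by_wlmac(). All names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Constructed sample: bridge membership from the nvram dump in the first
 * post (lan_ifnames = br0, lan1_ifnames = br1, lan2_ifnames = br2). */
static const char *bridge_members[] = {
    "vlan1 eth1 eth2",   /* br0 */
    "vlan3",             /* br1 */
    "vlan4 wl0.1",       /* br2 */
    "",                  /* br3 (unused) */
};
#define NUM_BRIDGES ((int)(sizeof(bridge_members) / sizeof(bridge_members[0])))

/* Return 1 if ifname is a whole-word member of the space-separated list. */
static int list_has(const char *list, const char *ifname)
{
    size_t n = strlen(ifname);
    const char *p = list;
    while (n > 0 && (p = strstr(p, ifname)) != NULL) {
        int starts = (p == list) || (p[-1] == ' ');
        int ends = (p[n] == '\0') || (p[n] == ' ');
        if (starts && ends)
            return 1;
        p += n;
    }
    return 0;
}

/* Scan bridges 0..max_bridges-1; return the index of the bridge holding
 * ifname, or -1 when the interface lies outside the scanned range. */
int find_bridge(const char *ifname, int max_bridges)
{
    int limit = max_bridges < NUM_BRIDGES ? max_bridges : NUM_BRIDGES;
    for (int i = 0; i < limit; i++)
        if (list_has(bridge_members[i], ifname))
            return i;
    return -1;
}

int main(void)
{
    const char *ifs[] = { "eth1", "vlan3", "wl0.1" };
    for (int i = 0; i < 3; i++)
        printf("%-6s limit=2 -> %2d   limit=4 -> %2d\n", ifs[i],
               find_bridge(ifs[i], 2), find_bridge(ifs[i], 4));
    return 0;
}
```

With a limit of 2 the scan stops after br1, so wl0.1 on br2 is never found; in this model that is the lookup failure that leaves the interface without a WPA listener.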
  3. shibby20

    shibby20 Network Guru Member

    ledetekst likes this.
  4. Black6spdZ

    Black6spdZ Networkin' Nut Member

    Still can't connect to virtual SSID with encryption enabled in v117; was this change added?
     
  5. kthaddock

    kthaddock Network Guru Member

    Only openssl was upgraded. You don't have to erase nvram if you switch from 116 to 117.
     
  6. shibby20

    shibby20 Network Guru Member

    This should be fixed in v117. I applied pete48's patch for K26RT-N and K26RT-AC.
     
  7. ledetekst

    ledetekst Reformed Router Member

    Working again now, with the fix in the 117 release! :)
    Thanks!
     
