Tagged and untagged vlan on port with tomato shibby?

Discussion in 'Tomato Firmware' started by Mindaugas, Dec 7, 2013.

  Mindaugas

    Mindaugas

    I have installed Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB AIO on Asus RT-N16 and have one question about vlans. My ISP gives internet service with untagged packets and IPTV service with tagged VLAN 6. So I wanted to configure on the WAN interface two services: internet with untagged VLAN 2 and IPTV with tagged VLAN 6. But the router doesn't allow to configure tagged and untagged VLANs on the same interface.
    Maybe you have solution for that? I need to configure tagged and untagged packets on the WAN interface.
    On OpenWRT I had this configuration with TP-Link router, but OpenWRT is not supported on Asus RT-N16 yet.
  boboxx

    boboxx

  Mindaugas

    Mindaugas

    Thank's for your comment, but i see that you tagged on wan two vlans. I need one tagged and one untagged vlan on wan. Wen i do this on Tomato Shibby v.115, i get error: WAN port cannot be assigned to more than one VLAN unless frames are tagged on all VLANs WAN port is member. Any more comments ? Thank you.
  Mindaugas

    Mindaugas

    Maybe Shibby has any solution ?
  Mindaugas

    Mindaugas

    Don't forget my problem ! :)
  Mindaugas

    Mindaugas

    I'm trying one more time guys.
    Maybe someone already have any considerations ?
    Im testing openwrt now, but there is so many bugs and it is very unstable.
    Thank you for any help. This is what i need from vlans :
  mw333

    mw333

    Perhaps you could recap your problem. If I understand correctly your ISP is providing you 802.1Q headers, one of the tags=6 and you want to get that traffic on a separate bridge? And if you are VLAN unaware on the WAN side everything works fine and you want to become VLAN aware to see what happens?

    Have you examined the frames? It's possible your ISP modem is passing them on to you but you never know. If your wan port is receiving 802.1Q headers perhaps setting WAN tag=yes will work with a brN with VLAN tag=6.

    Interesting question.
  Mindaugas

    Mindaugas

    I just need to do 1 vlan untagged and 6 vlan tagged ... is it posible on tomato ?
  mw333

    mw333

    Perhaps I still do not understand what you are looking for. Recommend you look at the 802.1Q spec. If VLAN aware it should be able to figure out if the frame has a tag or not and place it on the br you told it to. Please correct me if I am wrong - if brN has an * in the default field the untagged frames will go there.

    Also recommend you take a look at your data stream to ensure you are decoding what you believe you are.
  mw333

    mw333

    Maybe this is what you are trying to achieve. WAN Port has everything. Port 4 has everything. Port 3 will have tag=6.

    wanTrunk.PNG [q
  lollekatt

    lollekatt

    TO boil down what mw333 is trying to tell you in last post... you define a default vlan, where all untagged packets will go. This should never be the wan port obviously, and it is also more secure to not have other vlans on it (a port which belongs to other vlans to further help vs vlan hopping). So I twouldn't have port 4 in both default and vlan 6 as above.

    Finally, if you would however wish to use such a 'trunk port' make sure the trunk port is the only port in it.
  Mindaugas

    Mindaugas

    I just want to say that requirement is tagged 6 (for ip tv) an untagged 1 (for internet) vlans on wan port not on lan. My ISP did that configuration and i have no other way to config my router.
  lollekatt

    lollekatt

    We already explained.. if you wish to experiment a bit more hands on, you could also test a bit with something like this:

    How do I let vlan-tagged traffic go through a vlan bridge port and the other traffic through a non-vlan bridge port?

    Suppose eth0 and eth0.15 are ports of br0. Without countermeasures all traffic, including traffic vlan-tagged with tag 15, entering the physical device eth0 will go through the bridge port eth0. To make the 15-tagged traffic go through the eth0.15 bridge port, use the following ebtables rule:

    ebtables -t broute -A BROUTING -i eth0 --vlan-id 15 -j DROP

    With the above rule, 15-tagged traffic will enter the bridge on the physical device eth0, will then be brouted and enter the bridge port eth0.15, the vlan header will be stripped, after which the packet is bridged. The packet thus enters the BROUTING chain twice, the first time with input device eth0 and the second time with input device eth0.15. The other chains are only traversed once. All other traffic will be bridged with input device eth0.

    From: http://ebtables.sourceforge.net/misc/brnf-faq.html
  mw333

    mw333

    Wow. ebtables. I learned something new. Thank you.
  mw333

    mw333


    We have been trying to figure out what you need. A VLAN trunk is just a way of describing a cable that has several different "channels" (VLANS) on it. It is an aggregation of channels, combining multiple network connections in parallel, analogous to multiplexing. Typically a normal device like your computer is not hooked up to a trunk because it cannot demux (decode) the channels. What you typically do is run a trunk into a vlan aware device such as a managed switch, which demuxes and provides the other ports (on the switch) a single channel/VLAN, which a device such as your computer expects. If you run that trunk into your PC you may get unexepected results because it cannot decode the vlan tags.

    From your 1st post it sounds like your ISP is giving you a trunk. One channel, no tag and a 2nd channel, tag=6. This is multiple channels riding on the wire. Sounds like if you plug this into a device that is not vlan aware you will get unexpected results.

    In the example I provided you (#10 above) the WAN port is expecting a trunk (tagged=on). Port 4 (this is actually Port LAN1 on the back of your router) is also defined as a trunk. It will have what the WAN has. If you wanted to you could run this trunk to another vlan aware switch and decode the VLANs there. Or just leave it alone.

    Ports 1 and 2 (br0) provide connections to what you called "untagged VLAN" and if you hook up your computer to one these ports it should work fine.

    Port 3 (br1) (this is actually Port LAN2 on the back of your router) is what you called VLAN 6.

    Would you happen to know if you IPTV box is vlan aware? Does your IPTV box expect a trunk? Or does it just expect VLAN 6 data?
  sfare

    sfare

    I have a requirement identical to Mindauga's; my broadband provider (telia) delivers incoming traffic in the following way:
    Ideally I would like the WAN port on the router (an Asus RT-N66U running tomato shibby 1.28) to accept the broadband cable directly and route the WAN bort to the LAN bridge as well as forwarding IPTV and VOIP traffic in a trunked connection (on port 1) to my main switch (a Netgear GS724T). I.e. I would like the following setup:
    However, we all know that this is impossible to configure using the tomato UI as a port either is untagged (and belongs to a single vlan) or all member vlans are tagged for the port.

    The way that I have solved this (for now) is to front the router with a Netgear GS105E that can accept the connection from the broadband provider and then separates out WAN, IPTV and VOIP to untagged ports that can be fed into the RT-N66U. There I have the following setup:
    This works just fine, but there is a lot of cabling that would be nice to get rid of by letting the RT-N66U handle everything.

    My question: can I use ebtables to capture tagged frames (IPTV and VOIP) from the WAN port and forward them to VLANS 5 and 6? any other command line trick that can be used?

    Btw, I have noticed that while this setup works fine, ifconfig only lists vlan10 and vlan1, why is that? Why don't vlans 5 and 6 show up?

  aztech

    aztech

    I'm also a Telia subscriber and I'm using their IPTV services. (no VOIP though).

    I acutally thought that I could send both untagged WAN (internet) and tagged VLAN for IPTV to the same port and in the other end separate them using a GS105E.

    The thing is that I've not had the time to try it out. I just bought a E4200 to get rid of the shitty Thomson TG789vn that Telia sent me and this in combination with a GS105E next to my TV could provide both my Raspberry PI and TV with internet, aswell as IPTV for my STB.

    Any idéas of how this could be solved without getting more TP cables to my TV bench?
    (I've replaced the telephony cables in the walls, with cat5e and dont have the possibillity to pull more cables to the TV).
  Mindaugas

    Mindaugas

    Thank's for everybody, You have shown me some light at the end of the tunnel :)
    My problem is solved with tomato shibby v115. It was not so complicated (I'm not a professional, just a bit more than simple user), i had big help form my friend Donatas. So take a look. We just trashed Openwrt and installed Tomato Shibby v115. Like the first time Tomato Gui configuration can't to do what we need (Vlan 1 non tagged and vlan6 tagged on Wan port). We did configuration by CLI :
    content of : nvram show | grep vlan

    lan_ifnames=vlan1 eth1
    landevs=vlan1 wl0
    vlan1ports=2 3 4 8*
    vlan2ports=0 8
    vlan6ports=0t 1 8

    So, i just hope, that Shibby will repair van gui to configure without limits!
    After this CLI configuration, gui shows what we what we expected (good link for vlan config -http://www.seiichiro0185.org/blog:creating_a_seperate_guest_network_with_tomato) :


    SOLVED !!!
  mw333

    mw333

    Opinion - the GUI does not need repair. The rules are good for security.
  humba

    humba

    @Mindaugas: You may also want to post your bridge configuration for reference.
  aztech

    aztech

    "good for security" - care to explain?
    afaik, if you're using Tomato or other 3:d party firmware, you're often after more advanced features.
    If implemented into GUI, maybe this should be accessible after checking a "super advanced" checkbox or something?
  mw333

    mw333

    I would recommend reviewing the things teaman said. Specifically, take a look at the posts in "VLAN Tags: Work for you?" Keep in mind Tomato is very complex and many of the advance features we enjoy were developed before multiple VLANs or SSIDs were available to the "masses." Another good rule of thumb - if you do not fully understand what you are doing, don't do it. ;)

    Many of Tomato's features depend on an initial set of conditions. It was designed and tested that way. If you do not meet these at least some bets are off. The consequences could be severe. The rules help us stay inside the box. From a testing and validation point of view, it limits the possibilities and what you need to test.

    Here's an example - is it safe to bypass the firewall? It can be, if you know about it and design for it.

    I wouldn't be surprised if you could come up with a solution with the rules.
  Mindaugas

    Mindaugas

    So, I don't want to leave you guys :).
    I think that I am also a good guy, and decide to help a very good friend with rt-n66u and tomato-shibby build K26RT AC (important paragon ntfs for him). But after the same VLAN configuration, wan does not work, probably do not understand. The N-K26RT build okay. Maybe you know the differences between these publications in vlan configuration?
  aztech

    aztech

    @Mindaugas You say that the WAN broke ... is the IPTV still working anyway?

    Also, with this setup, does the router act as local DHCP server for the IPTV, or is it just "bridged" så that the STB get a "public" IP via DHCP from the ISP?
  Mindaugas

    Mindaugas

  boboxx

    boboxx

    Yes VLAN tagging with offset is broken in SDK6, not sure about using with no offset :(
  Mindaugas

    Mindaugas

    Yes, IPTV still working anyway, but no internet. WAN trying to renew, but fails - not working.
    There is no need for me to use VID Offset. So it's a SDK6 bug ? No option ?
  dpevunov

    dpevunov

    Hi Mindaugas!
    Could you please post a screen of "Basic" chart? I just wanted to look at your br1 configuration.
    I'm trying to configure the same configuration as you posted. To test it I unplugged my computer from LAN1 port and plugged it to LAN4 (in my configuration LAN4 port is port for tagged iptv). But my computer cannot register in network. And even cannot ping router.
  Mindaugas

    Mindaugas


  dpevunov

    dpevunov

    Thanks! Is something changed in your configuration? I see you have only 1 bridge.
  Kallandros

    Kallandros

    In the GUI screenshot, you have VLAN 1 with Port 1,2,3 untagged and no tagged port. Therefore, the VLAN 1 has no uplink port (tagged/trunk port) and no where to be sent. WAN port needs to be tagged on VLAN 1 in order to pass untagged traffic to VLAN 1.

    WAN port needs to be tagged on every VLAN, otherwise the traffic isn't going in/out of the local network.
  dpevunov

    dpevunov

    Kallandros, you can have ports 1,2 and 3 in one VLAN and port 4 in another VLAN. Both VLANs can be in separate subnets and both can have internet. You do not need to tag WAN port to VLANs to have internet in them. Just 1 default line for WAN VLAN is needed. The only thing you must keep in mind is vlans order. If your first vlan VID is 545 and you want to have network in VLAN VID=550 then you will have to make several empty vlans without ports and bridges.

    Last edited: Jun 1, 2014
  odin2000

    odin2000

    I've been reading this thread as I had the same problem with my ISP Ownit (Sweden). I got an Asus RT-AC66U.

    1. The IPTV was on VLAN 501
    2. The "Internet" was untagged.

    I wanted to send both in the same cable (i.e. trunk). I tried Tomtato but it did not work. The WAN port stopped working for the Internet.

    I also tried DD-WRT but it did not accept VIDs above 15. Probably it was possible to fix this.

    My final solution, however, was more simple: I was able to use the standard Asus FW! I just enabled telnet and used 'robocfg' to set up a port with the VLAN 501 tagged and the Internet untagged. Worked like a charm together with a Netgear GS105E in the other end receiving the trunk.

    I hope this can help anyone else that's searching for a solution to this.
  odin2000

    odin2000

  odin2000

    odin2000

    Oh and here's to output from robocfg show (sorry for the double post btw):

    admin@RT-AC66U:/tmp/home/root# robocfg show
    Switch: enabled gigabit
    Port 0: 100FD enabled stp: none vlan: 2 jumbo: off mac: 00:12:f2:93:87:00
    Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 10:bf:48:85:f0:9f
    Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:11:32:14:2a:db
    Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 10:bf:48:85:f0:9f
    Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 10:bf:48:85:f0:9f
    Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 08:60:6e:bd:18:80
    VLANs: BCM53115 enabled mac_check mac_hash
    1: vlan1: 1 2 3 4t 8t
    2: vlan2: 0 8u
    501: vlan501: 0t 4t

    vlan 1 (LAN) goes to port 4 tagged.
    vlan 501 (IPTV) goes to port 4 tagged.
  zonywhoop

    zonywhoop

    I ran into this same issue recently using Tomato 140 on an RT-N66U. The K26RT-N firmware worked just fine with the following config:
    The outcome being that port 1 or the WAN port could be used to uplink to my main switch with VLAN1 being untagged and VLAN6 being tagged. I then upgraded to K26RT-AC and noticed that I could access the router via WIFI but not via ethernet. I added a VLAN interface on my laptop for VLAN 6 and boom, that worked. So tagged traffic was working, just not untagged. After many hours of research and testing I finally got it working by running the following via ssh:
    After about 10-15 seconds traffic started passing and has been since. I've added this as a startup script for the router as without it traffic will not flow. Per the robocfg help output the `u` specifies that traffic on that VLAN should be sent untagged. Maybe this needs to be added to the startup scripts when a port has both tagged and untagged VLANs? Additionally here is the output of `robocfg showports` before and after the setting change:

    Hopefully this helps somebody else out there that has or is having this same issue.
