tomato shibby + VLAN tagging, core LAN (br0) can't forward

Discussion in 'Tomato Firmware' started by fermulator, Dec 17, 2017.

  1. fermulator

    fermulator New Member Member

    Hello experts!

    Hoping someone has run into this before and might see what is obviously incorrect in the changes to my network. At this point, I'm posting for support.

    I will start by describing my "setup before".

    PRE-CHANGES (BASE)

    This is a simple network, layer2.

    • Wires:
      • <MODEM> <--> <Asus RT-AC3200>[WAN]
      • <Asus RT-AC3200>[PORT1|2|3|4] <--> various systems + layer2 switches throughout the home
    • Wireless:
      • Wireless main enabled on the tomato shibby firmware, bridged from eth0, to br0 (primary wifi SHALL be a member of the main physical network)
    Now, everything worked as expected.

    PROBLEMS TO SOLVE:

    1. For the future, I desired to build a more secure network w.r.t. guests, and IoT (Internet of Things). (trust)
    2. Further, the location of my core tomato router with the WAN connectivity is in a poor wifi location, reception-wise....
    SOLUTION FOR WI-FI SIGNAL STRENGTH

    So a while ago, I went ahead and ran Ethernet to the core of the house (central) to solve the wifi signal strength concerns. At first I used an older wireless access point (disabled DHCP there), and this worked fine integrating with the core network.

    NEW-CHANGES, VLAN ISOLATION


    Now finally, to solve the security concerns with guests and IoT .. I purchased the D-Link DAP-1665. This device is capable of multi-SSID and WiFi-VLANID associations. Sweet!

    My plan was to simply configure VLAN tagging for whatever port the access point is connected on, bridged to separate subnets w/ DHCP from tomato, and I should be good!

    Ultimately it would look something like:

    • Wires:
      • <MODEM> <--> <Asus RT-AC3200>[WAN]
      • <Asus RT-AC3200>[PORT1|2|3|4] <--> various systems + layer2 switches throughout the home (untagged)
      • <Asus RT-AC3200>[PORT4] <--> to the access point (tagged)
    • Wireless:
      • Wireless main enabled on the tomato shibby firmware, bridged from eth0, to br0 (primary wifi SHALL be a member of the main physical network) - same, no changes here, but this is relegated to the "backup wifi"
      • WAP for primary core wifi is enabled for both 5G+2G, untagged, and connected into the tomato router
      • WAP for guests and IoT each have their own SSID and unique VLAN ID tagging
    THE PROBLEMS

    Well, now I'm here and have been fumbling for an entire afternoon. The GUI of tomato is just failing me here. I'll walk through my configuration, and try to summarize my debug/isolation.

    BASIC SUMMARY - with VLAN tagging enabled:
    • tomato seems incapable of FORWARDING packets from PORT4 (untagged) to PORT* (untagged) -- that is, primary wifi can't access core physical network :( -- but it CAN access WAN
    • tomato blocks primary physical ports (untagged) from accessing itself (management interface, ping, etc.), and thus, all physical network CANNOT access the Internet (ugh)
    • tomato blocks primary physical ports (untagged) from FORWARDING packets within br0, to br0; across physical ports (i.e. PORT1 <--> PORT2)!!!
    BTW: The VLAN tagging setup WORKS! (access points configured for the VLAN ID tagging, they work fine! as desired, they're isolated from the physical network, and can access the Internet)

    Details of my config;

    Tomato: Basic, Network, LAN:

    [attached screenshot: base_network_LANs_n_bridges.png]

    Tomato: Advanced, VLAN:

    [attached screenshot: advc_VLAN.png]

    Access Point: WiFi VLANs:

    [attached screenshot: AP_WIFI_VLAN.png]

    ------

    So, those are the basic of the basics.

    TEST RESULTS:

    • notebook on tomato wifi: INTERNET = NO, NETWORK = NO
    • notebook on physical network: INTERNET = NO, NETWORK = NO
    • notebook on access point untagged wifi: INTERNET = YES, NETWORK = NO
    • notebook on access point, tagged wifi: INTERNET = YES, NETWORK = NO (as expected)
    DETAILS

    Code:
    Tomato v1.28.0000 -138.13-kille72- K26ARM USB AIO-64K
    size: 42006 bytes (23530 left)
     ========================================================
     Welcome to the Asus RT-AC3200 [SNIP]
     Uptime:  17:18:41 up 3 min
     Load average: 0.19, 0.32, 0.14
     Mem usage: 11.9% (used 29.70 of 249.55 MB)
     WAN : 174.113.224.163/21 @ 70:8B:CD:AD:82:51
     LAN : 1.0.0.1/24 @ DHCP: 1.0.0.102 - 1.0.0.199
     LAN2: 192.168.1.1/24 @ DHCP: 192.168.1.10 - 192.168.1.254
     LAN3: 192.168.2.1/24 @ DHCP: 192.168.2.10 - 192.168.2.254
     WL0 : 2,4GHz @ SNIP-guests @ channel: 6 @ 70:8B:CD:AD:82:50
     WL1 : 5GHz @ SNIP-primary @ channel: 36 @ 70:8B:CD:AD:82:54
     WL2 : 5GHz @ SNIP-IoT @ channel: 104 @ 70:8B:CD:AD:82:58
     ========================================================
    
    (not sure why the WLX interfaces are still showing SSID configurations...)

    Routes are fine to me
    Code:
    # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    174.113.224.1   *               255.255.255.255 UH    0      0        0 vlan2
    1.0.0.0         *               255.255.255.0   U     0      0        0 br0
    192.168.2.0     *               255.255.255.0   U     0      0        0 br2
    192.168.1.0     *               255.255.255.0   U     0      0        0 br1
    174.113.224.0   *               255.255.248.0   U     0      0        0 vlan2
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         174.113.224.1   0.0.0.0         UG    0      0        0 vlan2
    
    What messes me up here, is that the iptables on the tomato router DOES have a "br0<->br0" ACCEPT FORWARD entry...
    Code:
     iptables --list
    Chain INPUT (policy DROP)
    target     prot opt source               destination       
    DROP       all  --  anywhere             anywhere             state INVALID
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    shlimit    tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
    ACCEPT     all  --  anywhere             anywhere         
    ACCEPT     all  --  anywhere             anywhere         
    ACCEPT     all  --  anywhere             anywhere         
    ACCEPT     all  --  anywhere             anywhere         
    ACCEPT     icmp --  anywhere             anywhere             limit: avg 1/sec burst 5
    ACCEPT     udp  --  anywhere             anywhere             udp dpts:33434:33534 limit: avg 5/sec burst 5
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8090
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination       
               all  --  anywhere             anywhere            account: network/netmask: 1.0.0.0/255.255.255.0 name: lan
               all  --  anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan1
               all  --  anywhere             anywhere            account: network/netmask: 192.168.2.0/255.255.255.0 name: lan2
    ACCEPT     all  --  anywhere             anywhere         
    ACCEPT     all  --  anywhere             anywhere         
    ACCEPT     all  --  anywhere             anywhere         
    DROP       all  --  anywhere             anywhere             state INVALID
    L7in       all  --  anywhere             anywhere         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere         
    DROP       all  --  anywhere             anywhere         
    DROP       all  --  anywhere             anywhere         
    DROP       all  --  anywhere             anywhere         
    DROP       all  --  anywhere             anywhere         
    DROP       all  --  anywhere             anywhere         
    wanin      all  --  anywhere             anywhere         
    wanout     all  --  anywhere             anywhere         
    ACCEPT     all  --  anywhere             anywhere         
    ACCEPT     all  --  anywhere             anywhere         
    ACCEPT     all  --  anywhere             anywhere         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination       
    
    Chain L7in (1 references)
    target     prot opt source               destination       
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto skypetoskype
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto youtube-2012
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto httpvideo
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto flash
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto rtp
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto rtmp
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto shoutcast
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto rtmpt
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto irc
    
    Chain shlimit (1 references)
    target     prot opt source               destination       
               all  --  anywhere             anywhere             recent: SET name: shlimit side: source
    DROP       all  --  anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    
    Chain wanin (1 references)
    target     prot opt source               destination       
    (snip) - port forward rules
    
    Chain wanout (1 references)
    target     prot opt source               destination       
    
    Whoa, so why aren't the iptables stored in `/etc/iptables` the ones running NOW???
    Code:
    # grep FORWARD /etc/iptables
    -A FORWARD -o vlan2 -j QOSO
    -A FORWARD -o vlan2 -m connmark ! --mark 0 -j CONNMARK --save-mark
    -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    :FORWARD DROP [0:0]
    -A FORWARD -m account --aaddr 1.0.0.0/255.255.255.0 --aname lan
    -A FORWARD -m account --aaddr 192.168.1.0/255.255.255.0 --aname lan1
    -A FORWARD -m account --aaddr 192.168.2.0/255.255.255.0 --aname lan2
    -A FORWARD -i br0 -o br0 -j ACCEPT                                                             <--- THIS ONE WE NEED!
    -A FORWARD -i br1 -o br1 -j ACCEPT
    -A FORWARD -i br2 -o br2 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -i vlan2 -j L7in
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i br0 -o br1 -j DROP
    -A FORWARD -i br0 -o br2 -j DROP
    -A FORWARD -i br1 -o br0 -j DROP
    -A FORWARD -i br1 -o br2 -j DROP
    -A FORWARD -i br2 -o br0 -j DROP
    -A FORWARD -i br2 -o br1 -j DROP
    -A FORWARD -i vlan2 -j wanin
    -A FORWARD -o vlan2 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    -A FORWARD -i br1 -j ACCEPT
    -A FORWARD -i br2 -j ACCEPT
    
    REMOVE VLAN TAGGED PORTS

    If I remove the VLAN11/VLAN12 tagged port entries entirely, everything works again (core physical + primary wifis work) - of course, the tagged wi-fis stop working. So for the time being I've reverted to that state :( ... house needs Internet ;o

    I just diff'd the iptables output WITH vs. WITHOUT the VLAN tagged port entries .. and it's the same ;/, so perhaps I'm on the wrong scent here ..

    WORKAROUND

    TBD
     
    Last edited: Dec 18, 2017
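The running rules in the post were listed with `iptables --list`, which hides the in/out interface columns unless `-v` is given; `iptables-save -t filter` (or the `/etc/iptables` file quoted above) prints them. The script below is an added example, not code from the thread or from Tomato, that audits such a dump for the per-bridge policy the config relies on (self-forwarding accepted per bridge, every cross-bridge pair dropped, drops ordered before the catch-all accept); bridge names br0/br1/br2 and the embedded sample dump are assumptions modelled on the post.

```shell
#!/bin/sh
# Added example, not from the thread: audit a FORWARD chain dump in iptables-save
# format (what `iptables-save -t filter` or Tomato's /etc/iptables emits) for the
# per-bridge policy the thread's config relies on: each bridge may forward to
# itself, every cross-bridge pair is dropped, and the drops come before the
# catch-all "-i brN -j ACCEPT" that lets a bridge reach the WAN.

# Constructed sample modelled on the thread's dump, with the br1 self-rule missing.
SAMPLE_RULES='-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br2 -o br2 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br1 -j DROP
-A FORWARD -i br0 -o br2 -j DROP
-A FORWARD -i br1 -o br0 -j DROP
-A FORWARD -i br1 -o br2 -j DROP
-A FORWARD -i br2 -o br0 -j DROP
-A FORWARD -i br2 -o br1 -j DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i br1 -j ACCEPT
-A FORWARD -i br2 -j ACCEPT'

# usage: audit_bridges "br0 br1 br2" < dump ; prints findings, returns 1 if any.
audit_bridges() {
    bridges=$1
    rules=$(cat)   # whole dump from stdin
    bad=0
    for a in $bridges; do
        # intra-bridge forwarding (the br0<->br0 rule the thread points at)
        if ! printf '%s\n' "$rules" | grep -q -- "-i $a -o $a -j ACCEPT"; then
            echo "MISSING: -A FORWARD -i $a -o $a -j ACCEPT"; bad=1
        fi
        for b in $bridges; do
            [ "$a" = "$b" ] && continue
            # guest/IoT isolation: no forwarding between different bridges
            if ! printf '%s\n' "$rules" | grep -q -- "-i $a -o $b -j DROP"; then
                echo "MISSING: -A FORWARD -i $a -o $b -j DROP"; bad=1
            fi
        done
        # rule order: the catch-all accept for $a must sit below its last DROP
        acc=$(printf '%s\n' "$rules" | grep -n -- "-i $a -j ACCEPT" | head -1 | cut -d: -f1)
        drp=$(printf '%s\n' "$rules" | grep -n -- "-i $a -o br[0-9]* -j DROP" | tail -1 | cut -d: -f1)
        if [ -n "$acc" ] && [ -n "$drp" ] && [ "$acc" -lt "$drp" ]; then
            echo "ORDER: -i $a -j ACCEPT (line $acc) precedes its DROP rules (line $drp)"; bad=1
        fi
    done
    return $bad
}

# Stand-alone run over the constructed sample: reports the missing br1 self-rule.
printf '%s\n' "$SAMPLE_RULES" | audit_bridges "br0 br1 br2" || echo "audit: policy incomplete"
```

On the router, run `iptables-save -t filter | grep '^-A FORWARD' | audit_bridges "br0 br1 br2"` and the same over `/etc/iptables` to see whether the live chain and the saved file really differ.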
  2. fermulator

    fermulator New Member Member

    (SNIP) - moved reply up into main OP post
     
    Last edited: Dec 18, 2017
  3. Malakai

    Malakai Networkin' Nut Member

    I'm no VLAN expert and don't use it for the moment, but I remember reading something here in the forums about having the port shared by 2 or more VLANs tagged in every VLAN. This means that you will have to also tag port 4 for the VLAN1 (br0).
    It's not guaranteed to be the solution to your problem but it couldn't hurt to try.
     
  4. fermulator

    fermulator New Member Member

    Thanks for the idea, unfortunately it did not work. If one tags VLAN (br0), then the non-VLAN traffic can't pass through. (main trusted wifi)
     