
Traffic from router not going out with VLANs configured

Discussion in 'Tomato Firmware' started by fiwiman, Nov 14, 2017.

  1. fiwiman

    fiwiman Network Newbie Member

    Hi Guys,

    I'm basically struggling with some odd issues here. This is the setup on the router (see photo as well)

    - 192.168.3.0 is my normal LAN + wifi
    - 192.168.5.0 is my guest wifi (virtual wireless interface)

    Also, I have two bridges set up on my tomato shibby router (RT-N66U)

    br0 has an address of 192.168.3.2 (which is the router's ip),
    br1 has an address 192.168.5.2

    Upstream of this router is a pfsense vm on 192.168.3.1.

    Furthermore, Port 2 of the router is plugged into a VLAN capable switch (where it's tagged with VLAN ID 5) and a second trunk port on this switch is connected to my pfsense vm (192.168.3.1) lan interface where I manage DHCP for both of these networks. Also, Port 1 from the router is plugged into the same switch on another port for untagged traffic.

    All works as it should, wifi devices on both networks get out and all. But if I ssh into the router (192.168.3.2) traffic does not go out via the default gateway. I cannot ping IPs on the internet and interestingly enough I can't ping the pfsense vm at 192.168.3.1 (default gateway), but wifi devices connected can..

    I'm assuming this is also preventing the router's time from updating, as it always boots with dec 1969... as the current time.

    Any thoughts on what's going on here?

    Please see photo.

    Many thanks
     

    Attached Files: lan.png
    Last edited: Nov 15, 2017
  2. fiwiman

    fiwiman Network Newbie Member

    Any thoughts on this?
     
  3. ruggerof

    ruggerof LI Guru Member

    Too difficult to follow your topology; you should consider a more visual one.
     
  4. fiwiman

    fiwiman Network Newbie Member

    You're right. Here's a diagram.

    As I said, all works as it should, wifi devices on both networks get out and all.

    But if I ssh into the router (192.168.3.2) traffic does not go out via the default gateway. I cannot ping IPs on the internet and interestingly enough I can't ping the pfsense vm at 192.168.3.1 (default gateway) nor vice versa, but wifi devices connected can...

    I just don't understand why this is the case really..
     
    Last edited: Nov 16, 2017
  5. ruggerof

    ruggerof LI Guru Member

    Much better.

    What I think would work.

    Netgear Switch:
    • Port 1: Should be tagged and member of VLAN id 1 and VLAN id 5.
    • Port 2: Should be tagged and member of VLAN id 1 and VLAN id 5.
    • Port 4: Disconnect it.
    • Port 5: OK, untagged and member of VLAN id 1

    RT-N66U
    • Port 2: Should be tagged and member of VLAN id 1 and VLAN id 5.
    • Port 4: Disconnect it.
    • PS: Your physical port 2 might be in reality your logical port 3 so you will have to test.

    pfsense VM
    • The "LAN" NIC should also be tagged for VLAN id 1 and VLAN id 5.


    You can keep Netgear Port 4 connected to RT-N66U Port 4 as they are now but it is completely redundant and will only cause you confusion. Apply the KISS philosophy.

    As a core concept, there is no such thing as interface br0 untagged (as you wrote in the RT-N66U); there are ports which can be tagged or untagged and wifi interfaces that are bridged to interface br0 or br1.
     
  6. fiwiman

    fiwiman Network Newbie Member

    Thanks for the help. Appreciate it. This vlan stuff is rather new to me.

    Concerning the Netgear switch, I found this video describing a setup where the user uses trunk (T) and (U) for the ports.

    When you say that both Ports 1 & 2 should be a member of VLAN 1 & 5, how is that done with this switch, a bit confused...
     
  7. ruggerof

    ruggerof LI Guru Member

    Unfortunately I don't know this switch but watching the video it is clear that (T) is Tagged and (U) is Untagged.

    As per the video, you select VLAN1 and in the Port 1 and 2 you put "T", if any other port should also be a member of VLAN1 but Untagged, you should put "U". Repeat the same procedure for VLAN5 and you should be good to go.

    When a port is a member of more than one VLAN it should be tagged for these VLANs.
     
    Last edited: Nov 16, 2017
  8. fiwiman

    fiwiman Network Newbie Member

    From what I understand in pfsense I can't tag LAN for id 1 as it is the default. So I hope I don't have to do anything on the pfsense side of things to get this to work properly.
     
  9. ruggerof

    ruggerof LI Guru Member

    I am also not familiar with pfsense but it is strange that it does not allow a Port to be tagged for VLAN1. Other people familiar with pfsense can provide you with more information on this.
     
  10. fiwiman

    fiwiman Network Newbie Member

    I implemented what you suggested and removed the redundant cable from Port 4, works like before.

    But I still cannot ping my default gateway (192.168.3.1) while ssh'ed into the router and vice versa. Don't understand what's going on...
     
  11. ruggerof

    ruggerof LI Guru Member


    Strange.

    Were you able to tag pfsense port for Vlan1 and Vlan5?

    Are you sure there is no IP conflict? Is your N66U showing in pfsense as with IP 192.168.3.2?

    Or a MAC Address conflict?
     
  12. fiwiman

    fiwiman Network Newbie Member

    Well, I went over to the pfSense forums and the general consensus is that you shouldn't / don't need to tag vlan1, as it could introduce other problems. At this point, I only tagged vlan5 on ports 1 & 2 of the switch and port 2 of the router and let untagged traffic pass by default on all other ports. That could very well be the problem, but I don't want to create another vlan other than vlan1 specifically for my lan traffic.

    And no, from pfSense's point of view, it doesn't see 192.168.3.2 and it is not in its ARP cache either. Mind you, 192.168.3.2 is accessible from everywhere else on my LAN except from pfSense.

    In a similar fashion, my netgear switch, which I gave an ip of 192.168.3.3 is also not pingable from pfSense but fine elsewhere on my LAN.
     
  13. ruggerof

    ruggerof LI Guru Member

    That's because any host "elsewhere on your LAN" is either wired in one of your switches, including the ports of the N66U, or wireless, i.e. on the N66U. As your Netgear switch and your N66U both have static IPs, they are discoverable by these hosts; traffic does not need to pass through pfsense. At least this is my interpretation of what is going on.
     
  14. Sean B.

    Sean B. LI Guru Member

    Check the routing tables of the router ( 192.168.3.2 ) and the pfsense box. Post them here. I didn't fully read everything, but from what I caught I believe only LAN ports from the router ( 192.168.3.2 ) are being used for its connectivity? If that's the case, have you disabled the WAN and manually set the pfsense box as the default gateway ( an option to set the default gateway for the router's interface rather than its LAN and clients will appear when the disabled option is selected for the WAN )? The router itself will not receive DHCP or routing information via a LAN port as it would through the WAN. And the pfsense box will not know of its existence either as they won't communicate ( same LAN vs WAN issue ) and you've likely configured the router with a static IP that pfsense knows nothing about. However, clients connected to the router's LAN ports or wifi will receive DHCP/routing information as normal, therefore having no connectivity issues.
     
    Last edited: Nov 18, 2017 at 10:27 AM
  15. fiwiman

    fiwiman Network Newbie Member

    Thanks for the help guys. Appreciate it.

    I finally realized what's going on here (I'm an idiot apparently)...

    There was an option that I turned on some time ago in pfSense that was preventing me from pinging the gateway from the router and vice versa. The option in question is:

    It was only when I explicitly added a static entry for the router that it all started to work and made it possible to ping the router from pfsense and back.

    Another couple of questions (please):

    1. After adding a rule in pfSense, my guest wifi network (vlan5) is isolated from my regular lan, including untagged wifi - which is what I wanted in the first place (yay!). But I notice that clients on the guest wifi 192.168.5.0/24 can access the router's admin page at 192.168.5.2 - which is something I don't want in a perfect world. Thinking about it, I guess that makes sense as traffic never leaves the router, hence pfSense would not apply here and rules would not work (I tried). Thoughts on how I can block the admin page from vlan5?

    2. Conceptually I'm having a problem understanding why / how the vlan tagging works in general (see diagrams). If I tag vlan5 from the router's port 2, why would I need to tag both ports 1 & 2 on the netgear switch? Is it to properly pass vlan5 traffic to pfSense? Isn't it simply fine to have both ports be a member of vlan5 instead and not be tagged? And why wouldn't normal untagged traffic (that goes through those same ports) be mistakenly tagged vlan5? Don't get me wrong, it works, I just don't understand why. I uploaded shots of netgear/router settings. Sorry I'm a bit stupid.
     
    Last edited: Nov 18, 2017 at 5:51 PM
  16. Sean B.

    Sean B. LI Guru Member

    To prevent access to the admin page on either 192.168.5.2 or 192.168.3.2 from the 5.2 network ( the 3.2 admin page is likely still accessible from the 5.2 network due to a loophole in the LAN access restrictions ) add this to the Scripts->firewall tab in the router's GUI:

    Code:
    iptables -t filter -I INPUT 1 -p tcp -i br1 -m multiport --dports 80,443 -j DROP
    This will prevent any http or ssl connection to the router from the guest LAN.

    VLAN tagging/trunking isn't tagging the VLAN itself. You're setting the port to allow multiple VLANs' traffic through it ( normally, a port is a part of a VLAN.. and therefore by design can only handle traffic for that VLAN. ). Tagging/trunking a port turns it into a pipeline for multiple VLANs to pass through it.. linking the ends together so VLANs can be used across network topology.
     
    Last edited: Nov 18, 2017 at 10:06 PM
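To make the tagging explanation in the post above and the two questions in post 15 concrete, here is an added illustration (not from the thread, not Tomato or Netgear code). It models what a switch port actually does with a frame: an 802.1Q tag is four extra bytes placed after the source MAC (TPID 0x8100 plus a 16-bit TCI whose low 12 bits are the VLAN ID), so a frame is "in VLAN 5" only if those bytes are present. Untagged frames arriving on a port are assigned that port's PVID, assumed here to be VLAN 1 as in the thread's switch; the MAC addresses and payload are constructed sample values, and the port model is a simplification (no MAC learning, no priority handling).

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values; locally administered MACs, not real devices.
MAC_PFSENSE = bytes.fromhex("020000000001")
MAC_GUEST_CLIENT = bytes.fromhex("020000000002")
SAMPLE_PAYLOAD = b"\x45" + b"\x00" * 19   # stand-in for the start of an IPv4 header


def build_frame(dst, src, ethertype, payload):
    """Plain Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame, vid, pcp=0):
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = (pcp << 13) | vid          # priority in the top 3 bits, VID in the low 12
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_vlan_tag(frame):
    """Remove the 802.1Q tag if one is present; untagged frames are returned unchanged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


def ingress_vlan(frame, pvid, tagged_vids):
    """Model of a switch port receiving a frame.

    Untagged frames belong to the port's PVID (VLAN 1 in the thread).
    Tagged frames are accepted only if the port is a tagged member of that VID.
    Anything else is dropped, signalled by None.
    """
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return pvid
    return vid if vid in tagged_vids else None


def egress_frame(frame, vid, untagged_vids, tagged_vids):
    """Model of a switch port sending a frame that belongs to VLAN `vid`.

    Untagged members send it bare (this is what the guest wifi bridge sees),
    tagged members send it with the tag (the trunk towards pfSense),
    non-members do not forward it at all (None).
    """
    bare = strip_vlan_tag(frame)
    if vid in untagged_vids:
        return bare
    if vid in tagged_vids:
        return add_vlan_tag(bare, vid)
    return None


if __name__ == "__main__":
    lan = build_frame(MAC_PFSENSE, MAC_GUEST_CLIENT, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    guest = add_vlan_tag(lan, 5)
    # Netgear ports 1 and 2 as the thread ends up with them: PVID 1, untagged in 1, tagged in 5.
    trunk = {"pvid": 1, "untagged": {1}, "tagged": {5}}
    for name, f in (("untagged LAN frame", lan), ("tagged guest frame", guest)):
        print(f"{name}: {len(f)} bytes, assigned to VLAN {ingress_vlan(f, trunk['pvid'], trunk['tagged'])}")
```

The point the model makes: on the trunk ports the untagged LAN frame and the VLAN 5 frame are told apart by the tag bytes alone, so LAN traffic is never "mistaken" for VLAN 5, and both ports on the path to pfSense must be tagged members of 5 so the tag survives the hop. Run it as a script for the two-line summary, or import it and call the functions.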
