
Virtual Wireless not getting DNS

Discussion in 'Tomato Firmware' started by crimsy, Oct 8, 2017.

  1. crimsy

    crimsy New Member Member

    Ok, long story short,

    Tomato Firmware 1.28.0000 MIPSR2-140 K26 Mini
    I am using a Linksys E1000 v2.0 to create an Ethernet Bridge to my network (via a LAN port).

    I have configured everything correctly, and I can get an internal IP from my main network (10.10.10.1). I can connect on the Tomato router via WIFI ([testwifi]*), or any of the LAN ports and I get a DHCP address from my main. Life is good on that end.

    I wanted to create a Virtual Wireless network (for guests) that they can connect to, but not get access to anything in my internal network, EXCEPT INTERNET.

    This is where I am having one issue, everything works, the wifi exists (in this case [testwifi2]*) (10.11.10.100 - 200) I can connect to it, get a separate IP from it, not see any of the other devices on the main network, but the internet does not work.

    I have a raspberrypi running pihole for my DNS queries at 10.10.10.150.

    It can see any queries coming in from any part of the network, that is internally, or over the guest wifi, but for some reason they just don't get back to the device. For example I tested going to "myspace com", I can see the DNS request at the PiHole, I can see the request being sent to the pihole, and answered in the Tomato logs, but for some reason they just don't make it to the device at the guest wifi and it just "times out"

    What am I missing?



     
  2. crimsy

    crimsy New Member Member

    Summary:


    Linksys E1000 v2.0
    Tomato Firmware 1.28.0000 MIPSR2-140 K26 Mini


    Main network
    10.10.10.1 (TP Link)

    LAN Bridge
    TomatoRouter (residing at 10.10.10.2)
    DHCP Disabled
    connected to main via LAN.
    Wifi running on it [testwifi]*
    eth1 (wl0) bridged to LAN (br0)
    Works

    Guest wifi:
    wl0.1 bridged to VLAN3 LAN1 (br1)
    [testwifi2]*
    DHCP Enabled
    10.11.10.100 - 200
    Can connect, get an IP address on device (10.11.10.112)
    Cannot connect to internet.


    I do not need the "testwifi" the tp link already has a wifi running, is there any way I can make the Tomato's wifi it's own separate network, or a Virtual Wifi it's own network separate from mine?
     
    Last edited: Oct 8, 2017
  3. Sean B.

    Sean B. LI Guru Member

    Please draw out the topology of your network. IE: Lines connecting the devices starting at the gateway which is connected to the modem. Note the devices with their IP's and which port they are connected by if connected to ethernet ( WAN or LAN ).
     
    crimsy likes this.
  4. crimsy

    crimsy New Member Member

    Here it is as requested.

    Only things not listed on there are the wifi devices already connected to homewifi, which didn't think would matter in this case.

    Dotted lines to represent wifi signals.

    Long cable to represent the distance between one side of the house and the other, like I said, I have no need for the Tomato router to have two wifi networks, just need the guest to work (side of the house where visitors will be)

     
  5. Sean B.

    Sean B. LI Guru Member

    Under the VLAN page you need to enable tagging on port 1 ( I think port 1, maybe 4.. the one that is connected to the TP-Link ) which is the check box for "tagged" and also enable the port in the guest VLAN. LAN ports in their default state are configured as end points and can only be part of/carry one VLAN. To use it as a link you enable tagging ( also known as trunking ) which turns it into a pipe for multiple VLANS.. and then you enable the port in each VLAN you want going through it. The TP-LINK may need to have a matching VLAN ID configured on it as well.. but not sure if that's only required when you want to be a part of a LAN that is on the TP-Link or if it's also needed to use it as a gateway.. we'll find out. Verify that works, as it's best to only change what's needed at first rather than risk fighting multiple issues. If it does, eliminate the extra access point by simply deleting the virtual one you made, then in the VLAN page change "Bridge eth1 to" from br0 to br1 and reconfigure eth1's properties ( SSID, password etc ) to the settings you want for the guest access.


    ***NOTE*** The port #'s on some routers can be reversed in Tomato.. so what would be port 1 when looking at the routers numbering would actually be port 4 when looking at the Tomato GUI. It would be wise to check by having the Tomato status page up on a computer and disconnect the port going to the TP-Link. Make sure the port # you'd expect it to be is the one that goes dead, as this will confirm the correct port is enabled/tagged in the VLANs.
     
    Last edited: Oct 8, 2017
  6. crimsy

    crimsy New Member Member

    Thanks for the suggestion, unfortunately it did not work.

    Using my android device to test,

    From what I understand you said; I did this and brought down the tomato router LAN part of things, if I connected via WiFi to it, it would act as if my android was on a wired network (according to TP link) and I would get a local IP of 10.10.10.18, the Tomato attached computer disappeared off the network completely. I was able to use the internet, but at that point it was because I was inside my own network.

    (I recovered by attaching the PC to port 1, and getting a Tomato DHCP address from br1 (10.11.10.112) going to config and undoing the changes.)

    So then I tried:
    Which only did the exact same thing as if I hadn't enabled it to begin with. (Able to connect, no internet)

    Maybe I am misunderstanding?
     
  7. Sean B.

    Sean B. LI Guru Member

    This is indicative of my aforementioned concern that for tagging/multiple VLANs to work the TP-Link would have to be configured with matching VLAN ID's and tagging. What model of TP-Link is it, and do you know if it supports these options?
     
  8. crimsy

    crimsy New Member Member

    It's a TP Link Archer C9, it has some options... tp-link com/lk/faq-1584.html and some options for Virtual servers?
     
  9. Sean B.

    Sean B. LI Guru Member

    Doesn't appear to support user configuration of these options. So we'll have to do this in a different fashion, and maintain segregation via iptables rules on the tomato router. Do you require any devices ( Wi-Fi or cable connected ) on the tomato router to be part of your main network, as in have an IP address within the 10.10.10.x block ( I see a PC connected to the tomato router under main network IP block )? Or is it entirely for guest access and that PC is just for testing/config? The approach taken will be determined by this.
     
    crimsy likes this.
  10. Sean B.

    Sean B. LI Guru Member

    With VLAN port tagging turned off.. and the port connected to the TP-Link only enabled on the br0 bridge, try setting a static default route for the br1 interface using 10.10.10.2 as the gateway. If that works it would be the simplest way. Since the TP Link doesn't support the VLANs or tagging then the network of 10.11.10.x has to end on the tomato router. And with the TP-link in control of the tomato router's LAN ports ( the dhcp server on the tplink is handling addressing for br0 ) we can't include the link port into the guest network. Therefore, rather than using the same gateway as configured in the GUI of 10.10.10.1 ( which is required for the br0 interface ) we have to manually configure the br0 interface, which has the link port, as the gateway for br1.
     
    Last edited: Oct 9, 2017
    crimsy likes this.
  11. crimsy

    crimsy New Member Member

    The PC is part of my network, I initially set the Tomato router up for this computer to be part of the LAN (it's a desktop) So literally at this point the LAN ports of the router (at least the one) are for internal use, and the wireless can be completely guest use.

    This makes a lot of sense, but could you please tell me if this would be under Routing? Or how I would have to add it as an iptables rule?
     
    Last edited: Oct 9, 2017
  12. Sean B.

    Sean B. LI Guru Member

    Could you post the output from these commands, run in either an ssh/telnet shell or in the GUI under Tools->System Commands:

    Code:
    ip rule show
    ip route show table all
    I want to verify how Tomato currently defines the interfaces/gateway under your configuration before giving you a line for changing it, as I'm used to the router being in gateway mode and neither interface using a LAN port as the gateway.
     
  13. crimsy

    crimsy New Member Member

    Sure thing, thanks

    Code:
    0:    from all lookup local
    32766:    from all lookup main
    32767:    from all lookup default
    10.11.10.0/24 dev br1  proto kernel  scope link  src 10.11.10.1
    10.10.10.0/24 dev br0  proto kernel  scope link  src 10.10.10.2
    127.0.0.0/8 dev lo  scope link
    default via 10.10.10.1 dev br0
    local 10.11.10.1 dev br1  table local  proto kernel  scope host  src 10.11.10.1
    broadcast 10.11.10.0 dev br1  table local  proto kernel  scope link  src 10.11.10.1
    broadcast 10.11.10.255 dev br1  table local  proto kernel  scope link  src 10.11.10.1
    local 10.10.10.2 dev br0  table local  proto kernel  scope host  src 10.10.10.2
    broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    broadcast 10.10.10.0 dev br0  table local  proto kernel  scope link  src 10.10.10.2
    broadcast 10.10.10.255 dev br0  table local  proto kernel  scope link  src 10.10.10.2
    broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1  
     
  14. Sean B.

    Sean B. LI Guru Member

    Let's check something first, just in case. Run these commands:

    Code:
    iptables -t filter -I FORWARD 1 -i br1 -o br0 -j ACCEPT
    iptables -t filter -I FORWARD 2 -i br0 -o br1 -j ACCEPT
    And see if internet access changes at all from the guest Wi-Fi.
     
  15. Sean B.

    Sean B. LI Guru Member

    Oh, and put the router back into Gateway mode. Running in router mode isn't needed, and it disables NAT, which I believe could cause issues with your setup.
     
  16. crimsy

    crimsy New Member Member

    I put the router back to Gateway mode, and I ran the commands, tho I get no change at all. :(
     
  17. Sean B.

    Sean B. LI Guru Member

    Leave in Gateway mode, so it doesn't bite us later. Give this a try:

    Code:
    ip route add 10.10.10.0/24 via 10.10.10.2 dev br0
     
  18. crimsy

    crimsy New Member Member

    I get:

    Code:
    RTNETLINK answers: File exists 
     
  19. Sean B.

    Sean B. LI Guru Member

    Your br0 interface is in vlan1 correct? Try changing the default route to the vlan instead of the interface:

    Code:
    ip route change default via 10.10.10.1 dev vlan1
    As this is how the WAN port is routed. If this breaks connectivity, reboot the router to return to prior config.
     
  20. Sean B.

    Sean B. LI Guru Member

    Scratch the RIPv1&2 question. I had an idea of a very different configuration, if you're willing to guinea pig for it it would be interesting to see what it does. It would be as follows:

    Under Basic->Network:
    • For WAN/Internet
      • Set Type to static
      • Set IP Address to 10.10.10.2
      • Set Subnet Mask to 255.255.255.0
      • Set Gateway to 10.10.10.1
    • For LAN
      • Delete the br1 bridge
      • Set the br0 IP Address to 10.10.11.1 with netmask 255.255.255.0
      • Set DHCP to Enabled
      • Set your IP range for the 10.10.11.x guest network.
    Under Advanced->VLAN:
    • For VLAN
      • Delete VLAN 3
      • Uncheck ( remove ) all LAN ports from the br0 bridge
      • Check ( add ) all LAN ports to the WAN bridge
    • For Wireless
      • Bridge eth1 to LAN1/br0
    Under Advanced->Routing:
    • For Miscellaneous
      • Set Mode to Router
    _________

    Remove the TP-Link connection from the LAN port of the Tomato router and put it into the WAN port. On the TP-Link, it would be good to set a static IP/ARP binding for the Tomato Router's WAN MAC address to the 10.10.10.2 IP address. Reboot the Tomato, then see if it works or if the router explodes :).
     
    Last edited: Oct 10, 2017
  21. crimsy

    crimsy New Member Member

    Just saw you edited the post, will try that first


    br0 is the default (vlan1), br1 is the Virtual (vlan3)


    And for the second question, no, I only have MAN, WAN, WA2, the LAN's.

    Running that just returns
    Code:
    RTNETLINK answers: No such process 
    But I believe that's already defined in

    Code:
    default via 10.10.10.1 dev br0
    from running ip route show table all
     
  22. Sean B.

    Sean B. LI Guru Member

    If you haven't already started trying out everything for the other config, I think it just hit me what the problem likely was before. If you're still in the prior configuration:

    On the TP-Link goto Network->Advanced Routing and add a static route as follows:

    Network Destination: 10.10.11.0
    Subnet: 255.255.255.0
    Gateway: 10.10.10.2
    Interface: LAN
    Description: Guest network

    And if you haven't already done so, add an address reservation in the TP-Link's DHCP server for the Tomato Router's LAN MAC address to the 10.10.10.2 IP.


    We were focused on the Tomato router, however it should already know of the 2 networks since they are both configured on it.. but the TP-Link doesn't.. and with not using NAT over a WAN port.. the Tomato router isn't NAT'ing the guest network so the TP-Link will need to know how to send packets back.

    I think.. hah.. without having this type of configuration physically in front of me to test on it's hard keeping it straight in my head. Sorry for bouncing around ideas.
     
  23. crimsy

    crimsy New Member Member

    Well, that's not exactly true, the problem resides at the Tomato router since the requests ARE getting back to it, I can see the DNS logs requesting addresses and getting a response (test.com is at xx.xx.xx.xxx).

    This works, in a backwards version of what I had before, for some reason I am unable to connect to the router itself (ERR_CONNECTION_TIMED_OUT) but I can still reach it from the wifi network (10.10.11.x address)

    But, still no internet from it. :(

    The PC on the Tomato router is getting a local IP from internal.
     
  24. Sean B.

    Sean B. LI Guru Member

    You see responses from 10.10.10.x to queries that originated in the 10.10.11.x subnet arriving back to that subnet?

    Internal? 11.x or 10.x? Or are you referring to the 169. default IP assignment?

    I'm getting the feeling this may be rooted in policy. What's the output of:

    Code:
    iptables -t filter --list-rules
    Do you use IRC by chance? This could use some real-time diag.
     
    Last edited: Oct 10, 2017
  25. crimsy

    crimsy New Member Member

    The queries originated at 11, went to 10, traveled back to Tomato, but didn't make it back to 11.

    Currently DNS queries are getting to my Pihole but NOT returning to Tomato, tomato requests from Pihole, doesn't get an answer and asks OpenDNS (DNS2 Entry I placed in)
    Tomato shows as 10.10.10.2, PC attached to it shows as 10.10.10.112, which is good....

    However, when I go to a browser to try to connect to 10.10.10.2 (Tomato) I can't, nor can I ping it... lol from either PC...

    I can still connect to the Tomato GUI from wireless if I connect to the testwifi...
    I have in the past, I could probably use a web based IRC.
     
    Last edited: Oct 11, 2017
  26. crimsy

    crimsy New Member Member

    Code:
    iptables -t filter --list-rules
    Returns:
    Code:
    iptables v1.3.8: Unknown arg '(null)'
    Try 'iptables -h' or 'iptables --help' for more information.
     
  27. Sean B.

    Sean B. LI Guru Member

    This implies my theory of the TP-Link having no return route may be correct. If queries from the .11 bridge on Tomato are making it to your Pihole then the routing is working correctly on the Tomato side. Unless there's an inbound issue.. but it makes more sense that the TP-Link simply doesn't know how to send them back. The only reason the Tomato router knows how to send packets out from .11 is because both interfaces are local. I'd highly recommend configuring a static route back to the .11 network on the TP-Link as process of elimination:

    On the TP-Link under Network->Advanced routing and click add:

    Network destination: 10.10.11.1
    Subnet: 255.255.255.0
    Default gateway: 10.10.10.2
    Interface: LAN


    I would run this with your original configuration, being the routers connect to each other by LAN ports on both ends, br0 and br1 bridges configured as before etc. As my WAN idea was a left-field attempt at removing the need for fighting routes on the Tomato router. But if it's the TP-Link that needs a route, no need to toss in that iffy configuration on the Tomato.

    Are you familiar with/used WireShark? If so, it would be easy to spot which direction is having the problem. If you have a computer with a network card that allows for promiscuous mode, take a capture from a LAN port on the TP-Link and then a LAN port on the Tomato router using a capture filter of "dst port 53". When either capture is started, perform a few dns queries from a client on the guest network, then compare the captures from both sides. It should be clear on which router, and which direction, the communication breakdown occurs.

    If you don't have a card that supports promiscuous mode, then take a capture while connected to a LAN port of the TP-Link using a capture filter of "icmp and src or dst X" where X is the IP address of the computer performing the capture. Then from a client connected to the guest network, ping the IP address of the capturing computer while the capture is running.

    If setting the static route on the TP-Link doesn't work, then this would be the best method for us to get away from tossing around theories and start nailing down some facts of what's going on.
     
    Last edited: Oct 11, 2017
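    The return-route problem Sean B. describes in posts #22 and #27, worked through as an added example (not code from the thread, Tomato or TP-Link): a longest-prefix-match walk over Tomato's posted main table plus assumed tables for the Archer C9 and the Pi-hole. The TP-Link and Pi-hole tables, the 203.0.113.1 ISP gateway and the LAN-address-to-router map are assumptions; the walk also checks that a static route entered for the wrong guest subnet changes nothing, since the thread mixes 10.11.10.x (original config) and 10.10.11.x (the suggested route).

```python
import ipaddress

# Tomato's main table, constructed from the `ip route show table all` output crimsy
# posted (local/broadcast entries omitted; they do not affect forwarding).
TOMATO_ROUTES = """\
10.11.10.0/24 dev br1  proto kernel  scope link  src 10.11.10.1
10.10.10.0/24 dev br0  proto kernel  scope link  src 10.10.10.2
default via 10.10.10.1 dev br0
"""
# Assumed tables for the Archer C9 and the Pi-hole: a connected LAN plus a default
# route (203.0.113.1 is a placeholder ISP gateway). Neither knows the guest subnet.
TPLINK_ROUTES = """\
10.10.10.0/24 dev LAN  scope link  src 10.10.10.1
default via 203.0.113.1 dev WAN
"""
PIHOLE_ROUTES = """\
10.10.10.0/24 dev eth0  scope link  src 10.10.10.150
default via 10.10.10.1 dev eth0
"""
# Assumed LAN address -> router map, so a "via" next hop can be followed into that table.
GATEWAYS = {"10.10.10.1": "tplink", "10.10.10.2": "tomato"}


def parse_routes(text):
    """Turn `ip route` lines into (network, via, dev) tuples; 'default' is 0.0.0.0/0."""
    table = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] in ("local", "broadcast"):
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        table.append((net, via, dev))
    return table


def lookup(table, dst):
    """Longest-prefix match, the same rule the kernel applies to the main table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def path(tables, start, dst, max_hops=6):
    """Hop-by-hop walk from `start`: ends in 'delivered' (dst on a connected network),
    'lost@WAN' (handed to the unmodelled ISP gateway, which drops private destinations),
    'unreachable' or 'loop'."""
    node, hops = start, [start]
    for _ in range(max_hops):
        route = lookup(tables[node], dst)
        if route is None:
            return hops + ["unreachable"]
        _net, via, _dev = route
        if via is None:
            return hops + ["delivered"]
        if via not in GATEWAYS:
            return hops + ["lost@WAN"]
        node = GATEWAYS[via]
        hops.append(node)
    return hops + ["loop"]


def with_tplink_route(tables, route_line):
    """Copy of the tables with one static route added on the TP-Link (Sean B.'s fix)."""
    return {**tables, "tplink": tables["tplink"] + parse_routes(route_line)}


TABLES = {"tomato": parse_routes(TOMATO_ROUTES), "tplink": parse_routes(TPLINK_ROUTES),
          "pihole": parse_routes(PIHOLE_ROUTES)}
```

    Running `path(TABLES, "pihole", "10.11.10.112")` shows the reply leaving via the Pi-hole's default gateway and dying at the TP-Link's WAN, which is why the query is visible on the 10.10.10.x side while the guest only sees a timeout; the same applies to any 10.10.10.x host that answers a guest.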
  28. crimsy

    crimsy New Member Member

    With the current configuration that you had me set now DNS entries aren't even getting back to Tomato. With the old one THEY AT LEAST DID, they just didn't go to the 11 subnet.

    Refer to first post:
    Code:
    I can see the DNS request at the PiHole, 
    I can see the request being sent to the pihole, 
    and answered in the Tomato logs, 
    but for some reason they just don't make it to the device
    at the guest wifi and it just "times out"
    I understand, you don't have to help me but I am tired of going in circles. Just forget about it.

    It doesn't work, not something Tomato can handle.

    For whoever gets to read this thread in the future, don't try.
     
  29. KyleS

    KyleS Addicted to LI Member

    Nice try, you forgot a step. :) Go back to what you had initially.

    https://tomato/advanced-access.asp
     
  30. crimsy

    crimsy New Member Member

  31. Sean B.

    Sean B. LI Guru Member

    Don't know what you're not reading, but as soon as you told me the packets were making it out from the .11 but not back in, I told you to return to your initial configuration and put the static route into the TP-Link. And this:

    Verifies the filter table is empty, due to router mode. No policy rules blocking inbound. It's clear the issue is rooted elsewhere than the Tomato router, as the .11 packets make it out but not back. I'm not sure what you have against setting the route in the TP-Link, as I suggested it twice already with you saying that's just not the problem, yet you don't know what the problem is. So good luck.
     
  32. KyleS

    KyleS Addicted to LI Member

    Yeah, the issue is on your tp-link... I'd even pull the IPs off of the Tomato device and just use it as a WAP and L2 switch... The network seems ridiculous at the moment, you typically only want a single L3 leg into the network which acts as your router.
     
    Sean B. likes this.
  33. crimsy

    crimsy New Member Member

    I guess I didn't mention that I did already set the rule on the TP link and it didn't work. Which leads me to believe it's just not going to work.

    I guess when I have a chance I'll reset the E1000 and start over.
     
