
Vlan/2 network question

Discussion in 'Tomato Firmware' started by bazzly, Feb 19, 2009.

  1. bazzly

    bazzly Addicted to LI Member

    I haven't used tomato in a while now, and was wondering if it has a tool yet for setting up 2 networks.
    Example:
    port 1: ip 10.8.80.1 - whatever
    ports 2 -4 192.168.1.2 whatever

    I know tomato can do vlans, but I have no idea how to set them up. Is there anything out there yet for this? I have been running ddwrt, but miss tomato very much. I need to have 2 different networks.
     
  2. mstombs

    mstombs Network Guru Member

    It can't be done via the GUI, but can be via the command line - if you want to get in that deep!
     
  3. bazzly

    bazzly Addicted to LI Member

    Bummer there is no gui...can you point me to some documentation to do it by command?
     
  4. mstombs

    mstombs Network Guru Member

    The vlans seem to be configured by the Broadcom switch drivers, so instructions are fairly common between dd-wrt and OpenWrt. They vary in detail between hardware models and WRT54GL needs a special flag set to avoid auto reconfiguration. See

    http://www.linksysinfo.org/forums/showthread.php?p=309537

    for an example of creating a vlan2 for a wrt54gsv1.1 that works under Tomato. There are other threads you can search for doing the opposite - deleting vlan1 when WAN port not used and adding it to the lan for a 5 -port switch.

    You then need "ifconfig" and "brctl", plus custom iptables and dnsmasq config, I guess.
     
  5. bazzly

    bazzly Addicted to LI Member

    Not to be a pain, but could someone help me set it up?

    DDWRT has a GUI so that helps me set it up on my WRT54G-TM.

    I'm looking to try doing this with tomato on my WRTSL54GS, and I don't know how/where to start. Would I start off in Advanced - DHCP/DNS, under DNSmasq Custom Configuration? Would I just ssh into it?

    I tried to do a search but this is new to me, so there is a little learning curve.

    Do you think the WRTSL54GS supports VLANs? It should.....correct?

    Thanks
     
  6. bazzly

    bazzly Addicted to LI Member

    I'm trying to follow this over here http://forum.openwrt.org/viewtopic.php?id=520
    and see my nvram show | grep vlan is a bit different...should that matter?

    Output below

    # nvram show | grep vlan
    port0vlans=1
    port1vlans=0
    port2vlans=0
    port3vlans=0
    port4vlans=0
    port5vlans=0 1 16
    vlan0hwname=et0
    vlan0ports=1 2 3 4 5*
    vlan1hwname=et0
    vlan1ports=0 5
    vlans=0

    # ifconfig
    br0 Link encap:Ethernet HWaddr 00:16:B6:29:4D:57
    inet addr:172.16.25.12 Bcast:172.16.25.31 Mask:255.255.255.224
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:3050 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4450 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:362496 (354.0 KiB) TX bytes:2705348 (2.5 MiB)

    eth0 Link encap:Ethernet HWaddr 00:16:B6:29:4D:57
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:3050 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4450 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:417396 (407.6 KiB) TX bytes:2705348 (2.5 MiB)
    Interrupt:4 Base address:0x1000

    eth1 Link encap:Ethernet HWaddr 00:0F:B3:C1:37:04
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:182 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:107380 (104.8 KiB)
    Interrupt:5 Base address:0x2000

    eth2 Link encap:Ethernet HWaddr 00:16:B6:29:4D:59
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:10988
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:2 Base address:0x2000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:36 errors:0 dropped:0 overruns:0 frame:0
    TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2556 (2.4 KiB) TX bytes:2556 (2.4 KiB)

    Could someone also translate this for me
    http://forum.openwrt.org/viewtopic.php?id=6967&p=2

    thanks
     
  7. humba

    humba Network Guru Member

    Here's another good thread which I think does precisely what you want to do.. create two subnets via vlans and even has a dhcp server running on each subnet: http://linksysinfo.org/forums/showthread.php?t=55194&highlight=vlan

    As you can see by the link, I simply plugged in the term vlan into the forum's search engine and looked at the results (of course it helps when you know that you've written in the thread in question but the principle remains the same.. search, read through results, see if they apply to your situation, if not, try next result, if it does, try to reproduce in your own setup).
     
  8. bazzly

    bazzly Addicted to LI Member

    Very cool...That is what I was looking for. The only thing is, from what I have read the wrtsl54gs is a little different to configure and I still have not caught on to what I need to do.

    How can I apply what you posted to the info found here
    http://packetprotector.org/forum/viewtopic.php?id=3502
    post 21

    "VLAN 1 is reserved for internal use, so your first additional VLAN needs to be VLAN 2. The WRTSL54GS switch config is a little different than most Broadcom boxes."


    Or would I even need to change anything because in what you posted it is on vlan2.
    Sorry...just don't want a brick.

    I was also wondering how this works....
    What is the breakdown of this?

    nvram set "vlan0ports=3 2 1 5*" (so is this saying vlan0 will run on ports 1,2,3 and Wan)
    nvram set "vlan2ports=0 5*" (I know this sets the Vlan2, but what is 0 5*)(0 would be port 1 on the box correct?)
    nvram set "vlan2hwname=et0" (And this is telling it to use eth0 for vlan2)
    nvram commit

    So to set the above would I ssh into the router and run the commands? And for the rest of the post from your link I would set it from Administration-Scripts?
    Or can I do everything in that section....use the Init for the nvramset.
    Thanks
     
  9. humba

    humba Network Guru Member

    You really cannot brick your router that way... that only happens when you flash firmware, and since you already did that, the worst you can do to your router is make it so that you have to factory reset by pressing the reset button at the back of the device.
    I've spent quite some time reading through the OpenWRT wiki (http://wiki.openwrt.org/OpenWrtDocs/NetworkInterfaces) and the only thing I could find in reference to hardware differences is that the port numbering can be different.. for some devices port 0 isn't the first lan port but the 4th lan port, and for some it's the first lan port.. but that's easily figured out by putting a port into another vlan, rebooting and seeing if you still get an ip address (assuming you run dhcp (you really ought to, at least during the testing phase) and that you didn't configure dnsmasq to serve the second vlan.. or if you did, then you'd get a different ip depending on which port you plug into).

    ports 3, 2, 1 (which may or may not be your ports 4, 3, 2 on your switch.. could be 1 2 and 3 depending on the model) will be untagged members of vlan0, and port 5 is a tagged member.

    Before you ask what tagged and untagged are, make sure you read the openwrt wiki page I linked to, and if that's not enough check wikipedia. Why tagged? Once again, refer to the openwrt wiki. Go untagged and you mix your wan and lan traffic and that is a recipe for a major ****up.

    Port 0 is an untagged member of vlan 2, port 5 is a tagged member (you want that in order to get to the cpu and have traffic able to go from one subnet to another and from lan to wan).

    vlan2hwname=et0 tells the switch that vlan2 runs on eth0

    Now that you know that the * after the port number means tagged and you know the vlan basics, you realize that you could have ports as members in different vlans.. a port always has one "home" vlan, which is the untagged one, and then you can put the same port as a tagged member into other vlans.

    And.. don't forget the firewall rules between the vlans or there's not going to be any communication in between. Tomato only deals with very little that concerns vlan1 (wan) to vlan0 (lan) communication.. you can open ports via the gui but the rest has to be commandline. For additional vlans, everything has to be commandline based, including communication in between vlans (my post outlines the rules required to have internet access from vlan2.. but you'll also need rules for communication between vlan0 and vlan2 (and any other vlans you may create)).

    You might also need
    nvram set manual_boot_nv="1"

    for the vlan config to be sticky.. and yes, "wanup script" and "firewall scripts" refer to the scripts of just those names in the administration section of the tomato gui.

    I think now it's time for you to try it..

    Last but not least.. didn't the fact that there's no "/etc/config/network" on your router make you think twice about spending any more time trying to follow the thread you linked to? openwrt is closer to a regular linux configuration than tomato (the whole interface.vlan notation is really standard linux but that doesn't work with tomato).
     
  10. bazzly

    bazzly Addicted to LI Member

    Ok....I want to post what Iv done....

    So under Administration-Scripts-Init I entered

    dhcp-authoritative
    interface=vlan2
    dhcp-range=vlan2,10.8.80.2,10.8.80.4,255.255.255.252,1440m
    # this will be my main network's gateway
    dhcp-option=net:vlan2,3,172.16.25.12
    # gonna pull dns from the router
    dhcp-option=net:vlan2,6,172.16.25.12

    nvram set vlan0ports="2 1 0 5*"
    ifconfig vlan0 down
    nvram set vlan2hwname=et0
    nvram set vlan2ports="3 5*"

    Now If I try to do the above in an ssh session I get
    ifconfig: SIOCGIFFLAGS: no such device
    on the second step ifconfig vlan0 down

    So the above, if it worked, would set port 3 for the vlan.

    WAN up:
    ifconfig vlan0 up
    ifconfig vlan2 10.8.80.1 netmask 255.255.255.252 up

    Firewall:
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br0 -o vlan2 -j DROP

    Any Ideas?
     
  11. humba

    humba Network Guru Member

    You can't run commands that I run in my init script from a running router. It seems to me you're not quite up to speed on the openwrt wiki page. vlan0 is your regular lan.. you can't just take that interface down.. (it would immediately terminate any and all lan connectivity).

    The followup post by Noodlewad shows the commands you need to enter from the commandline.. you can only take down vlan0 during the initialization scripts. So scratch that line and the other commands will work.. and then you need to reboot the router.

    There's also no need for ifconfig vlan0 up unless you do an ifconfig vlan0 down in the init script.. so leave that out as well (vlan0 is a default interface that always comes up).

    Also note that my last firewall line prevents traffic from vlan0 to vlan2.. in my case I wanted that.. you may want something else (replace DROP with ACCEPT and have another rule where you swap br0 with vlan2 to enable vlan0 to communicate with vlan2) plus you need to enable routing between the two subnets using the gui (advanced - routing).
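The firewall lines in the two posts above (`iptables -I INPUT -i vlan2 -j ACCEPT` plus the two FORWARD rules) do what humba describes, but the INPUT rule accepts everything from the second subnet to the router itself, so a host on vlan2 can reach the Tomato web GUI and, where enabled, ssh or telnet. What follows is an added example, not code from the thread, of the Firewall script I would paste into Administration / Scripts instead: hosts on vlan2 may talk to the router only for DHCP, DNS and ping, may reach the WAN, and are either isolated from the main LAN on br0 ("closed", what humba wanted) or routed to it ("open", the variant described at the end of the post above). The interface names vlan2, br0 and vlan1 come from the thread; that Tomato's stock INPUT chain drops what these rules do not accept, and that its POSTROUTING chain already masquerades everything leaving vlan1, are my assumptions. Setting IPT=echo prints the commands instead of running them, so the rule set can be reviewed away from the router.

```shell
#!/bin/sh
# vlan2-firewall.sh: Tomato Firewall-script rules for a second VLAN (added
# example, not from the thread). In Administration / Scripts / Firewall:
#     sh /path/to/vlan2-firewall.sh apply closed   # LAN and vlan2 isolated
#     sh /path/to/vlan2-firewall.sh apply open     # LAN and vlan2 may talk
# Dry run anywhere:  IPT=echo sh vlan2-firewall.sh apply closed
IPT=${IPT:-iptables}
GUEST=${GUEST:-vlan2}   # second VLAN interface (as in the thread)
LAN=${LAN:-br0}         # main LAN bridge: vlan0 plus wireless
WAN=${WAN:-vlan1}       # WAN interface

# What the router itself accepts from the second VLAN: DHCP, DNS, ping.
# Unlike "iptables -I INPUT -i vlan2 -j ACCEPT", this leaves the web GUI,
# ssh and telnet unreachable from vlan2; those packets fall through to the
# rest of Tomato's INPUT chain, which (assumption) only accepts the main LAN.
guest_input_rules() {
    $IPT -I INPUT -i "$GUEST" -p udp --dport 67 -j ACCEPT
    $IPT -I INPUT -i "$GUEST" -p udp --dport 53 -j ACCEPT
    $IPT -I INPUT -i "$GUEST" -p tcp --dport 53 -j ACCEPT
    $IPT -I INPUT -i "$GUEST" -p icmp --icmp-type echo-request -j ACCEPT
}

# Forwarding policy for the second VLAN. No NAT rule is added: Tomato's
# POSTROUTING chain (assumption) already masquerades everything leaving $WAN.
# Every rule uses -I, so the last one inserted is the first one checked.
guest_forward_rules() {
    case $1 in
        closed)
            # explicit in both directions, so the result does not depend on
            # which direction Tomato's stock chain happens to accept by default
            $IPT -I FORWARD -i "$GUEST" -o "$LAN" -j DROP
            $IPT -I FORWARD -i "$LAN" -o "$GUEST" -j DROP ;;
        open)
            $IPT -I FORWARD -i "$GUEST" -o "$LAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
            $IPT -I FORWARD -i "$LAN" -o "$GUEST" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT ;;
        *)
            echo "usage: guest_forward_rules open|closed" >&2; return 1 ;;
    esac
    # vlan2 -> internet, and the replies coming back
    $IPT -I FORWARD -i "$GUEST" -o "$WAN" -m state --state NEW -j ACCEPT
    $IPT -I FORWARD -i "$WAN" -o "$GUEST" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_rules() {
    guest_input_rules && guest_forward_rules "$1"
}

case "${1:-}" in
    apply) apply_rules "${2:-closed}" ;;
esac
```

With the closed policy, vlan2 hosts still get an address and DNS from the router and reach the internet, but every packet toward br0 is dropped before Tomato's own FORWARD rules see it. Before switching to open, check with `iptables -L FORWARD -v -n` on the router that the two ACCEPT rules sit at the top of the chain where the -I inserts put them.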
     
  12. bazzly

    bazzly Addicted to LI Member

    Ok....
    So should I run these

    nvram set vlan0ports="2 1 0 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="3 5*"

    manually, or place them in the Init?

    Does the DHCP server also go in the Init?

    As for the firewall, that is what I want...same as you.
    Sorry...just trying to learn.

    I tried to enter this in an ssh session
    nvram set vlan0ports="2 1 0 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="3 5*"
    nvram commit

    ifconfig vlan2 10.8.80.1 netmask 255.255.255.252
    ifconfig vlan2 up
    and I get ifconfig: SIOCSIFADDR: No such device

    I have also tried
    nvram set vlan0ports="2 1 0 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="3 5*"
    nvram commit
    in an ssh sessions then entered the rules in firewall and wanup, and rebooted the router
    No matter what I do....no 10.8.80 anywhere, or any change that I can tell
     
  13. humba

    humba Network Guru Member

    After
    Code:
    nvram set vlan0ports="2 1 0 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="3 5*"
    nvram commit
    You need to reboot.
    The ifconfig commands go into the wanup script (as my post from last year says).

    So after your second attempt, run a
    nvram show | grep vlan

    to see what the vlan configuration really is.. chances are it will be the same as with me.. so the router resets the vlan configuration and you need to make sure the vlan config is sticky (and since this is another nvram command you need to commit, you need to reboot again thereafter).

    Also, I'm not sure why you swapped the vlan2hwname and vlan2ports commands.. not sure if it makes any difference but wouldn't you agree that it's best to go with something somebody else has tried and knows its working when you cannot get it to work?
     
  14. bazzly

    bazzly Addicted to LI Member

    Ok so a fresh reset.

    I did:
    nvram set vlan0ports="2 1 0 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="3 5*"
    nvram commit

    Reboot

    Place scripts in wanup

    nvram show | grep vlan
    # nvram show | grep vlan
    port0vlans=1
    port1vlans=0
    port2vlans=0
    port3vlans=0
    port4vlans=0
    port5vlans=0 1 16
    vlan0hwname=et0
    vlan0ports=2 1 0 5*
    vlan1hwname=et0
    vlan1ports=0 5
    vlan2hwname=et0
    vlan2ports=3 5*
    vlans=0

    In an ssh session, make the vlan config sticky:
    nvram set manual_boot_nv="1"

    Reboot

    "Also, I'm not sure why you swapped the vlan2hwname and vlan2ports commands.. "
    Thats what was posted in the post.

    So where would I put the DHCP info in? Init?

    thanks
     
  15. humba

    humba Network Guru Member

    The dnsmasq configuration goes where the dnsmasq configuration goes.. (advanced / dhcp/dns server).

    What's the output of ifconfig?

    And, one of your ports (4 or 1) should be in the other vlan, so if you connect a machine to it, you shouldn't get an ip address (no need to configure dnsmasq for that).

    And turns out I was wrong about the *.. there are 3 options for a number in the vlanXports line.. * means PVID, u means force untagged, f = force tagged.

    And after
    Code:
    nvram set manual_boot_nv="1"
    comes another nvram commit or it won't be around after the reboot.
    Though, it seems in your case the option isn't necessary - if you look at my favorite thread again you'll find that on a GL router, the vlan0ports line is reset after each reboot (unless I set manual_boot_nv=1) whereas in your case the changes you made are preserved after the reboot.

    I'm not sure what the vlans=0 line does.. perhaps you need to set it to 1 on your router (I don't have it on the GL - and if you try don't forget to commit it and reboot) to actually enable vlans, and perhaps the portXvlans lines also have something to do with vlans on your box (again the GL doesn't have it).

    I suppose what you always could do is temporarily go for dd-wrt, configure vlans as you want, then read out the vlan variables and come back to tomato. Very likely both firmwares use the same nvram options for those things since the dd-wrt output I have seen for the GS model match the output for your device.
     
  16. bazzly

    bazzly Addicted to LI Member

    ahhh so after
    nvram set manual_boot_nv="1"
    I should do nvram commit
    I didn't do that.. although, like you said, it doesn't look like I need it

    My ifconfig
    # ifconfig
    br0 Link encap:Ethernet HWaddr 00:16:B6:29:4D:57
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:823 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1737 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:74552 (72.8 KiB) TX bytes:646977 (631.8 KiB)

    eth0 Link encap:Ethernet HWaddr 00:16:B6:29:4D:57
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:823 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1737 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:89366 (87.2 KiB) TX bytes:646977 (631.8 KiB)
    Interrupt:4 Base address:0x1000

    eth1 Link encap:Ethernet HWaddr 00:16:B6:29:4D:58
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:562 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:331580 (323.8 KiB)
    Interrupt:5 Base address:0x2000

    eth2 Link encap:Ethernet HWaddr 00:16:B6:29:4D:59
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:2 Base address:0x2000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:6 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:432 (432.0 B) TX bytes:432 (432.0 B)

    I wonder if I need to set it to vlan1 as per http://forum.openwrt.org/viewtopic.php?id=6967&p=2
    I dont know....
     
  19. bazzly

    bazzly Addicted to LI Member

    I'm trying to revisit this using Tomato on a WRT54G-tm. I'm not having any luck...could someone help me troubleshoot this?

    I am using the same settings from here

    init
    nvram set vlan0ports="2 1 0 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports"3 5*"

    nvram set manual_boot_nv="1"

    dhcp-authoritave
    interface=vlan2
    dhcp-range=vlan2,10.8.80.1,10.8.80.3,255.255.255.224,1440m
    dhcp-option=net:vlan2,3,172.16.25.12
    dhcp-option=net:vlan2,6,172.16.25.12

    wan up
    ifconfig vlan0 up
    ifconfig vlan2 10.8.80.1 netmask 255.255.255.224 up

    firewall
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br0 -o vlan2 -j DROP

    # nvram show |grep vlan
    lan_ifnames=vlan0 eth1 eth2 eth3
    script_fire=iptables -I INPUT -i vlan2 -j ACCEPT iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT iptables -I FORWARD -i br0 -o vlan2 -j DROP
    script_init=nvram set vlan0ports="2 1 0 5*" nvram set vlan2hwname=et0 nvram set vlan2ports"3 5*" nvram set manual_boot_nv="1" dhcp-authoritave interface=vlan2 dhcp-range=vlan2,10.8.80.1,10.8.80.3,255.255.255.224,1440m dhcp-option=net:vlan2,3,172.16.25.12 dhcp-option=net:vlan2,6,172.16.25.12
    script_wanup=ifconfig vlan0 up ifconfig vlan2 10.8.80.1 netmask 255.255.255.224 up
    vlan0hwname=et0
    vlan0ports=2 1 0 5*
    vlan1hwname=et0
    vlan1ports=4 5
    vlan2hwname=et0
    wan_iface=vlan1
    wan_ifname=vlan1
    wan_ifnames=vlan1

    I gave up on the other hardware trying to do this.....

    Any ideas?
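The nvram dump in the post above already contains the answer: vlan2hwname=et0 is there but vlan2ports is not, because the init script's `nvram set vlan2ports"3 5*"` lacks the `=` (the same typo is visible in the script_init line), so port 3 ended up in no VLAN at all; the dnsmasq directives sitting in the init script are run as shell commands rather than read by dnsmasq; and the dhcp-range starts at 10.8.80.1, the address the wanup script gives the router itself (the earlier /30 range .2-.4 had the opposite problem, running past the subnet's broadcast address .3). The script below is an added example, not from the thread, of a pre-flight check I would run over a copy of `nvram show | grep vlan` and the intended addresses before `nvram commit` and the reboot. It encodes humba's rules from posts 9 and 15 with these assumptions of mine: a port token is `<port>[*|u|t|f]`, a port listed without a t/f suffix is an untagged member (post 15 gives `f` for forced tagged; the OpenWrt Broadcom documentation uses `t`), port 5 is the CPU port that must be in every VLAN, and ports 0 to 4 are the physical jacks, each needing exactly one untagged home VLAN. The SAMPLE input is constructed from the dump above.

```shell
#!/bin/sh
# tomato-vlan-check.sh: pre-flight checks for a hand-built second VLAN on
# Tomato. Added example, not from the thread. Usage:
#     nvram show | grep vlan > /tmp/vlan.txt
#     . ./tomato-vlan-check.sh; check_vlan_ports "$(cat /tmp/vlan.txt)"
#     check_dhcp_range <router ip on vlan2> <netmask> <range start> <range end>
# Assumptions (mine): "<port>[*|u|t|f]" tokens, a port without a t/f suffix is
# an untagged member, port 5 is the CPU port, ports 0-4 are the physical jacks.
set -f   # tokens such as "5*" must not be glob-expanded

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# nv_get TEXT KEY -> value of "KEY=" in the nvram dump, empty if absent
nv_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p"; }

# check_vlan_ports NVRAM_TEXT: one line per problem on stdout, returns 1 if any
check_vlan_ports() {
    nv=$1; rc=0
    ids=$( { printf '%s\n' "$nv" | sed -n 's/^vlan\([0-9]*\)ports=.*/\1/p'
             printf '%s\n' "$nv" | sed -n 's/^vlan\([0-9]*\)hwname=.*/\1/p'; } | sort -u)
    [ -n "$ids" ] || { echo "no vlanNports/vlanNhwname entries at all"; return 1; }
    for v in $ids; do
        ports=$(nv_get "$nv" "vlan${v}ports")
        hw=$(nv_get "$nv" "vlan${v}hwname")
        [ -n "$hw" ] || { echo "vlan$v: vlan${v}ports set but vlan${v}hwname missing"; rc=1; }
        [ -n "$ports" ] || { echo "vlan$v: vlan${v}hwname set but vlan${v}ports missing (typo in the nvram set line?)"; rc=1; continue; }
        cpu=no
        for tok in $ports; do
            [ "${tok%%[!0-9]*}" = 5 ] && cpu=yes
        done
        [ $cpu = yes ] || { echo "vlan$v: CPU port 5 is not a member, the router cannot reach it"; rc=1; }
    done
    # every physical jack must be an untagged member of exactly one VLAN
    for p in 0 1 2 3 4; do
        homes=
        for v in $ids; do
            for tok in $(nv_get "$nv" "vlan${v}ports"); do
                n=${tok%%[!0-9]*}; suf=${tok#"$n"}
                [ "$n" = "$p" ] || continue
                case $suf in t|f) ;; *) homes="$homes $v" ;; esac
            done
        done
        set -- $homes
        if [ $# -eq 0 ]; then
            echo "port $p: untagged in no VLAN (a cable in this jack goes nowhere)"; rc=1
        elif [ $# -gt 1 ]; then
            echo "port $p: untagged in more than one VLAN:$homes"; rc=1
        fi
    done
    return $rc
}

# check_dhcp_range ROUTER_IP NETMASK RANGE_START RANGE_END
# The dnsmasq dhcp-range must lie inside the subnet the wanup script gives
# the VLAN interface and must not hand out the router's own address.
check_dhcp_range() {
    ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    lo=$(ip_to_int "$3"); hi=$(ip_to_int "$4"); rc=0
    net=$(( ip & mask )); bcast=$(( net | (~mask & 4294967295) ))
    [ "$lo" -le "$hi" ] || { echo "range start $3 is above range end $4"; rc=1; }
    for a in "$3" "$4"; do
        [ $(( $(ip_to_int "$a") & mask )) -eq "$net" ] || { echo "$a is outside $1/$2"; rc=1; }
    done
    [ "$lo" -ne "$net" ] || { echo "range starts at the network address"; rc=1; }
    [ "$hi" -ne "$bcast" ] || { echo "range ends at the broadcast address"; rc=1; }
    if [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]; then
        echo "range includes the router's own address $1"; rc=1
    fi
    return $rc
}

# Constructed sample matching the nvram dump in the post above: vlan2hwname
# exists, vlan2ports does not.
SAMPLE='vlan0hwname=et0
vlan0ports=2 1 0 5*
vlan1hwname=et0
vlan1ports=4 5
vlan2hwname=et0'

case "${1:-}" in
    demo)
        check_vlan_ports "$SAMPLE"
        check_dhcp_range 10.8.80.1 255.255.255.224 10.8.80.1 10.8.80.3
        ;;
esac
```

Run with `sh tomato-vlan-check.sh demo` it reports the missing vlan2ports, port 3 belonging to no VLAN, and the router's own address inside the DHCP range; once `nvram show | grep vlan` passes both checks, the remaining question is only which physical jack the switch driver calls port 3, which the cable test from post 9 settles.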
     
