WDS grants access to wrong VLAN

Discussion in 'Tomato Firmware' started by mcbsys, Mar 23, 2012.

  1. mcbsys

    mcbsys Networkin' Nut Member


    I have a Linksys E2000 running tomato-E2000-NVRAM60K-1.28.4407.1MIPSR2-Toastman-VLAN-RT-VPN.

    VLAN 1: Wired LAN1 (br0). DHCP is OFF (DHCP comes from an internal Windows server).

    VLAN 2: WAN.

    VLAN 3: Wireless LAN1 (br1). DHCP is ON.

    More details on my setup here. With help from Teaman and Toastman, I got VPN working to a remote E3000 by adding this to my firewall script:

    iptables -A FORWARD -i br0 -o tun21 -j ACCEPT

    That has all been stable for several months.

    Yesterday, I tried to set up WDS and add a second local wireless router as a bridge. The router is a Netgear WGT624v3. With security off or set to WEP, I got the bridge working. The problem is, when I connect a machine to the Netgear, it gets an IP from the _wired_ network, i.e. from VLAN 1.

    Since the purpose of VLAN 3 is to isolate the (less secure) wireless network, I was concerned to see that just adding a bridge granted direct access, through the wireless connection, to my supposedly separate VLAN 1.

    Is there something I need to do to get the bridged router to connect to VLAN 3 instead of VLAN 1?

  2. teaman

    teaman LI Guru Member

    Yes, definitively! What exactly? I'm afraid I'm not quite sure just yet - sorry :/

    While I haven't done much experimenting with WDS myself, I think I might have a few ideas that might be worth exploring :)

    So first of all, there's this thing I've learned while looking at the Tomato sources: there seems to be quite a lot of code that usually/simply assumes there will be only two 'sides' of things - one WAN connection and just one LAN interface.

    With that in mind, I've taken a brief look in the code and found two possibly-relevant pieces of code:

    * void notify_nas(const char *ifname)

    * void hotplug_net(void)

    That first function seems to call "nas4not" at some point and one of its arguments seems to be always "lan", which is not much of a surprise, considering that statement about WAN/LAN interfaces above :). So, with some experimenting... it might be still possible to get some kind of WPAx going. Bad news is... "nas4not" is actually a symlink for "nas", which is a proprietary binary from Broadcom and unfortunately, not much documentation is available - so there's no way of knowing if such a thing would eventually work - but if it does, please let us know how it was done ;)

    On that second function we find a call to "brctl" and yet another reference to that "lan" interface. You might wanna run something like "brctl show" - if you do find your WDS iface as part of br0... then you could perhaps try using things like "brctl delif/addif brX XX" and see how things work out.

    Best of luck!

  3. mcbsys

    mcbsys Networkin' Nut Member

    Thank you, thank you, thank you!

    I have to confess, my first reaction was to look in my attic to see if I couldn't string a network cable instead :). But it turned out to be pretty easy to move the WDS interface to the same VLAN used by the wireless:

    # Delete WDS bridge interface from br0
    brctl delif br0 wds0.1
    # Add WDS bridge interface to br1
    brctl addif br1 wds0.1

    I blogged the details here:

    Configure a WDS Bridge on a Tomato Guest VLAN

    Thanks again,
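The check teaman suggests (run "brctl show", see whether the WDS interface landed in br0) and the fix mcbsys posted (delif from br0, addif to br1) can be scripted so the move only happens when it is actually needed and the result is verified afterwards. The script below is an added example, not code from the thread or from Tomato itself; it assumes the bridge and interface names used in this thread (br0 wired, br1 wireless guest, wds0.1 the WDS interface) and parses a constructed sample of "brctl show" output in the column layout bridge-utils prints. On a live router you would pass "$(brctl show)" as the last argument and set DRY_RUN=0 to execute the brctl commands instead of printing them.

```shell
#!/bin/sh
# Added example (not from the thread): find which bridge holds the WDS
# interface, move it to the guest bridge if it sits on the wired one, and
# verify the membership afterwards.
# Assumptions: br0 = wired LAN, br1 = wireless guest VLAN, wds0.1 = WDS
# interface (names taken from the thread). The sample text below is
# constructed; it mimics the layout of `brctl show` on bridge-utils/busybox.

SAMPLE_BEFORE='bridge name	bridge id		STP enabled	interfaces
br0		8000.001122334455	no		vlan1
							eth1
							wds0.1
br1		8000.001122334456	no		vlan3
							eth2'

# Constructed "after the fix" output, used to show the verification path.
SAMPLE_AFTER='bridge name	bridge id		STP enabled	interfaces
br0		8000.001122334455	no		vlan1
							eth1
br1		8000.001122334456	no		vlan3
							eth2
							wds0.1'

# bridge_of <iface> [brctl-output]: print the bridge that holds <iface>,
# or nothing if no bridge does. Defaults to the constructed sample.
bridge_of() {
    iface="$1"
    out="${2:-$SAMPLE_BEFORE}"
    printf '%s\n' "$out" | awk -v want="$iface" '
        NR == 1 { next }                                  # header line
        NF >= 3 { bridge = $1; member = (NF >= 4) ? $4 : "" }  # bridge row
        NF == 1 { member = $1 }                           # continuation row
        member == want { print bridge; exit }
    '
}

# move_iface <iface> <target-bridge> [brctl-output]: emit (or, with
# DRY_RUN=0, run) the brctl commands that move <iface> into <target-bridge>.
# Emits nothing when it is already there; fails if it is in no bridge.
move_iface() {
    iface="$1"; target="$2"; out="${3:-$SAMPLE_BEFORE}"
    current="$(bridge_of "$iface" "$out")"
    if [ -z "$current" ]; then
        echo "error: $iface is not a member of any bridge" >&2
        return 1
    fi
    [ "$current" = "$target" ] && return 0
    if [ "${DRY_RUN:-1}" = "0" ]; then
        brctl delif "$current" "$iface" && brctl addif "$target" "$iface"
    else
        printf 'brctl delif %s %s\nbrctl addif %s %s\n' \
            "$current" "$iface" "$target" "$iface"
    fi
}

# check_isolation <iface> <guest-bridge> <wired-bridge> [brctl-output]:
# return 0 only when <iface> is in the guest bridge and not in the wired one.
check_isolation() {
    iface="$1"; guest="$2"; wired="$3"; out="${4:-$SAMPLE_BEFORE}"
    current="$(bridge_of "$iface" "$out")"
    [ "$current" = "$guest" ] && [ "$current" != "$wired" ]
}

# Stand-alone run against the constructed samples:
move_iface wds0.1 br1 "$SAMPLE_BEFORE"
check_isolation wds0.1 br1 br0 "$SAMPLE_AFTER" && echo "wds0.1 isolated on br1"
```

The membership check is the part worth keeping around: WDS links can be re-added to the default bridge when the wireless stack restarts, so rerunning check_isolation after a reboot (or from the firewall script, as with the iptables rule above) confirms the guest isolation still holds rather than assuming it.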
  4. teaman

    teaman LI Guru Member

    I sense we just might need a small clarification in there: I'm not actually the author of Tomato’s VLAN functionality - that was already in there! I did, however, write a VLAN GUI so it would be useable/easier for everyone else out there ;)

  5. mcbsys

    mcbsys Networkin' Nut Member

    Awesome, thanks for that clarification--and for making the GUI! Post updated.