Can't connect to new virtual SSID

Discussion in 'Tomato Firmware' started by Miltos, Dec 4, 2016.

  1. Miltos

    Miltos Serious Server Member

    I've got an ASUS RT-N66U running Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB AIO-64K. This thing has been rock solid for me for several years.

    I only use the 2.4Ghz radio. I have a main VLAN bridged to our main wifi that my wife and I use. I have a second VLAN bridged to a second virtual SSID for our son, which gives me some control over his internet access and keeps him and his friends off of our network.

    I am trying to create a third virtual SSID as a segregated network for our growing internet of things. I followed the exact same process that I followed when I created the VLAN and virtual SSID for our son's wifi. I can see the SSID, but both my phone (Galaxy S7) and Windows 7 laptop won't connect to it. I don't get any errors. My phone just says "connecting" for a bit, then stops, then says "connecting" again, then stops and connects back to our primary wifi. My laptop just tells me that it is unable to connect to the SSID. The troubleshooter offers no information.

    I've spent a good chunk of time googling and searching these forums. The most likely explanation is that I'm just completely missing something obvious. Though I'm starting to wonder if there is a Tomato bug. I did find one older post that said there is (was?) a known VLAN bug if you did not have the Virtual Wireless interfaces in the right numerical order; but, from what I can tell, mine are in the correct order.

    Here are some relevant screenshots:
    Basic>>Network>>LAN: https://snag.gy/5Sbnev.jpg
    Advanced>>VLAN: https://snag.gy/0e4hYz.jpg
    Advanced>>Virtual Wireless: https://snag.gy/Rr62Ws.jpg

    I've tried entering an incorrect password but I still don't get an error, so I'm not even getting to the step of authenticating.

    I'd appreciate any suggestions. Like I said, I am probably missing something obvious.
     
    Last edited: Dec 4, 2016
  2. eibgrad

    eibgrad Network Guru Member

    The Virtual Wireless Interfaces screen shows Enabled = No for wl0.2.
     
  3. Miltos

    Miltos Serious Server Member

    I updated the Virtual Wireless screenshot to show the Wl0.2 interface being on. I initially took the screenshot after I had given up troubleshooting and turned it off.
     
    Last edited: Dec 4, 2016
  4. Mr9v9

    Mr9v9 Serious Server Member

    Do you use any Static DHCP Routes on any of your devices? Did you clear out your other device's leases before trying to connect to the other SSIDs?

    Have you tried keeping the network class to a C (192.168.x.x) standard? Try making br2 (192.168.3.1) same as br0 and br1?

    Any different encryption settings for wl0.2?

    The other devices may also benefit from flushing and renewing the IP and DNS Cache.
     
  5. Marcin R.

    Marcin R. Connected Client Member

    I've been debugging this on my system too. Tomato was running rock solid on my RT-N66U for years, then that router broke, got a new router and installed Tomato v138 on it, and a bunch of stuff broke - DDNS, Virtual Wireless.

    It turns out that there's some kind of bug accessing the wrong password field in the database. For me, the Virtual Wireless interface ignores the wireless password I put into that text field and uses my router's administration password instead! It does the same thing for DDNS - when it submits a DDNS update, it doesn't use the configured password, but my admin password as well. This is bad because it leaks the admin password to your router to the internet.
     
  6. koitsu

    koitsu Network Guru Member

  7. Miltos

    Miltos Serious Server Member

    I thought @Mr9v9 had nailed it with the static IPs, which I assign to all devices on my network. I did the following:
    1. Deleted the lease and removed the static entry for my HP wifi printer
    2. Changed the IP range for the new VLAN to 192.168.3.2-51
    3. Rebooted the router
    4. Reset my printer to defaults; rebooted it
    5. Attempted to connect my printer to the new SSID. I can see it show up in the Tomato device list by MAC address, but it never gets an IP address. I tried using both DHCP and assigning it a static IP on the new SSID, but the router would never let it on and give it an IP. The printer has a network diagnostics report which states that the "No Filtering" test fails, implying that its MAC address is being filtered by the router, but MAC filtering is completely disabled.

    Is there another step I need to take to clear the printer out of the router so it stops remembering its MAC address? The router can clearly see the printer and vice versa, it just never gives it an IP address, so something is still preventing it from doing that.

    I checked the password on the new SSID and it is what I expect it to be - not my admin password.

    I must still be missing something obvious, but I have been through every Tomato settings screen and googled more, but am unable to figure it out. Any additional thoughts are greatly appreciated.
     
  8. Mr9v9

    Mr9v9 Serious Server Member

    This is going to be retarded but what happens if you lower your IP range on br2 to something like 7 instead of 51?

    Do you want your third wireless SSID users to access your private network? To forward traffic on said interface you would use:
    Code:
    iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
    
    The rules above are the main minimum for guest devices to access internet. They will also be able to access your main network devices (if anyone knows your IPs or scans for them). The next rules block such accesses (only permitting them to 192.168.1.1 and 192.168.1.251-254):
    Code:
    iptables -I FORWARD -i br2 -m iprange --dst-range 192.168.1.2-192.168.1.250 -j REJECT

    Also are the said devices compatible with the bands you are handing out? For example you would choose ‘wl0.1’ (to use the 2.4 GHz band), and ‘wl1.1’ (to use the 5GHz band).
     
  9. Miltos

    Miltos Serious Server Member

    Thanks for the further suggestions. I just need to find a chunk of time to try them out.

    One thing is confusing. Mr9v9, you said, "The rules above are the main minimum for guest devices to access internet." I didn't have to add any iptables rules for my second SSID, that my son uses, to get internet access and I have had no problems with that one.

    This third SSID will just be for "Internet of Things" devices like wifi printers and smart home stuff. To date I have just used the Advanced>>LAN Access page for settings to allow my son to access our wifi printers from his network and that has worked fine.
     
  10. Sean B.

    Sean B. Network Guru Member

    If you want to run through the steps I'm happy to continue along with ya and try to get this tracked down. If not or have other avenues you wish to explore, all good. I'd recommend the following to start:

    Any "commands" I reference can be run in the GUI at Tools->System Commands or at a command prompt via telnet/ssh connection to the router.

    A:
    With all your interfaces configured as they were in your screenshots, except let's stick with br2 being configured as 192.168.3.1 for now. Run these commands:

    cat /etc/dnsmasq.conf
    ifconfig wl0.2
    ifconfig br2

    and post the output here. Please put it in a code box, click the Insert icon above (to the left of the disk) and select code. This will allow me to confirm dnsmasq ( the program that handles dhcp and dns service on the router ) is being passed the proper configuration by the GUI, as well as the configuration of the wl0.2 and br2 interfaces. None should contain any reference to your WAN IP ( unless br2 is IPv6 enabled ), the only information that some may consider sensitive in those is MAC addresses.. if you feel compelled to sanitize them please leave at least the first 2 and last 4 characters.

    B:
    Run the command:

    logger ****MARK****

    repeat that command at least 5 times. This will give you an easy reference point to find in the system logs for the next step. Run the command:

    service dnsmasq restart

    Then go to GUI Status->Logs->View last 100 lines. Look for the multiple ****MARK**** 's . Post the lines after your reference marks here, again in a code box. This will show dnsmasq being restarted and its process of configuring the dhcp ranges for the bridges, along with any errors it encounters.

    C:
    Remove br2 from your configuration in Basic->Network. Then in Advanced->Virtual Wireless change wl0.2 to the br1 bridge. Attempt a client connection to wl0.2's SSID.. preferably a Windows 7+ computer. If no changes in issue are noted go back to Advanced->Virtual Wireless.. select the wl0.1 tab and un-check enable, effectively using a known functioning network setup and swapping out the virtual interfaces. Attempt client connection again, note any changes in functionality.

    We'll go from there and hopefully start gaining some ground. Considering you don't get any errors such as incorrect user/password, login failed, connection denied, or "no internet connection" warning but maintaining a functional LAN connection etc on the client that's attempting to connect to wl0.2's SSID.. implies to me either the login attempt of the client is working but once the client starts requesting configuration information from the network it's getting nothing, waits a bit while repeating the requests, then says screw it I'm out. Or there's absolutely no return communication at all, not even the initial credentials request ( as in the router hears/sees the attempt from the client via MAC.. but traffic is all one-way ). This would likely be between dnsmasq and the dhcp setup for br2, or an issue with your router handling multiple virtual wireless AP's.. IMHO.
     
    Last edited: Dec 8, 2016
  11. Miltos

    Miltos Serious Server Member

    Thank you very much, Sean B.! I will carve out some time this weekend to run through everything in your post and report back. I really appreciate the help.
     
  12. Mr9v9

    Mr9v9 Serious Server Member

    Sorry I wasn't clear, that is usually the way I have to configure it on Advanced Tomato to allow a guest SSID to work. The firewall rules in the tutorial perform NAT to the WAN port.
    There may not be a need for you to use
    Code:
    iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
    in Shibby. Instead try something like
    Code:
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
    It wouldn't hurt to try out.
     
  13. Miltos

    Miltos Serious Server Member

    @Sean B. - here are the results of your recommended steps:

    A.
    Code:
    root@unknown:/tmp/home/root# cat /etc/dnsmasq.conf
    pid-file=/var/run/dnsmasq.pid
    resolv-file=/etc/resolv.dnsmasq
    addn-hosts=/etc/dnsmasq/hosts
    dhcp-hostsfile=/etc/dnsmasq/dhcp
    expand-hosts
    min-port=4096
    stop-dns-rebind
    rebind-localhost-ok
    interface=br0
    dhcp-range=tag:br0,192.168.1.2,192.168.1.51,255.255.255.0,1440m
    dhcp-option=tag:br0,3,192.168.1.1
    interface=br1
    dhcp-range=tag:br1,192.168.2.2,192.168.2.15,255.255.255.0,1440m
    dhcp-option=tag:br1,3,192.168.2.1
    interface=br2
    dhcp-range=tag:br2,192.168.3.2,192.168.3.51,255.255.255.0,1440m
    dhcp-option=tag:br2,3,192.168.3.1
    dhcp-host=00:**:**:**:04:EC,192.168.1.2
    dhcp-host=08:**:**:**:C1:C6,192.168.1.3
    dhcp-host=AC:**:**:**:BE:BD,192.168.1.4
    dhcp-host=B8:**:**:**:E3:24,192.168.1.5
    dhcp-host=A4:**:**:**:BB:8C,192.168.1.6
    dhcp-host=00:**:**:**:81:CB,192.168.1.7
    dhcp-host=F0:**:**:**:B8:6F,192.168.1.8
    dhcp-host=B4:**:**:**:87:BD,192.168.1.9
    dhcp-host=94:**:**:**:10:74,192.168.1.10
    dhcp-host=F8:**:**:**:74:09,192.168.1.12
    dhcp-host=E0:**:**:**:13:42,192.168.1.13
    dhcp-host=40:**:**:**:4D:4C,192.168.1.14
    dhcp-host=A4:**:**:**:DA:52,192.168.1.15
    dhcp-host=00:**:**:**:4B:93,192.168.1.16
    dhcp-host=9C:**:**:**:6A:BF,192.168.2.3
    dhcp-host=28:**:**:**:30:EE,192.168.2.4
    dhcp-host=8C:**:**:**:0F:A7,192.168.2.5
    dhcp-host=74:**:**:**:31:38,192.168.2.7
    dhcp-host=E8:**:**:**:B7:4A,192.168.2.9
    dhcp-host=8C:**:**:**:16:1B,192.168.2.11
    dhcp-host=00:**:**:**:EA:C9,192.168.1.11
    dhcp-lease-max=255
    dhcp-authoritative
    # Setup Alternate DNS for Guest Network
    dhcp-option=tag:br1,option:dns-server,208.67.222.222,208.67.220.220
    B.
    Code:
    Dec 12 22:04:17 unknown daemon.info dnsmasq[2398]: exiting on receipt of SIGTERM
    Dec 12 22:04:17 unknown user.debug init[1]: 182: pptp peerdns disabled
    Dec 12 22:04:17 unknown daemon.info dnsmasq[6035]: started, version 2.67 cachesize 1500
    Dec 12 22:04:17 unknown daemon.info dnsmasq[6035]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth
    Dec 12 22:04:17 unknown daemon.info dnsmasq[6035]: asynchronous logging enabled, queue limit is 5 messages
    Dec 12 22:04:17 unknown daemon.info dnsmasq-dhcp[6035]: DHCP, IP range 192.168.3.2 -- 192.168.3.51, lease time 1d
    Dec 12 22:04:17 unknown daemon.info dnsmasq-dhcp[6035]: DHCP, IP range 192.168.2.2 -- 192.168.2.15, lease time 1d
    Dec 12 22:04:17 unknown daemon.info dnsmasq-dhcp[6035]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
    Dec 12 22:04:17 unknown daemon.info dnsmasq[6035]: reading /etc/resolv.dnsmasq
    Dec 12 22:04:17 unknown daemon.info dnsmasq[6035]: using nameserver 75.75.76.76#53
    Dec 12 22:04:17 unknown daemon.info dnsmasq[6035]: using nameserver 75.75.75.75#53
    Dec 12 22:04:17 unknown daemon.info dnsmasq[6035]: read /etc/hosts - 4 addresses
    Dec 12 22:04:17 unknown daemon.info dnsmasq[6035]: read /etc/dnsmasq/hosts/hosts - 24 addresses
    Dec 12 22:04:17 unknown daemon.info dnsmasq-dhcp[6035]: read /etc/dnsmasq/dhcp/dhcp-hosts
    C.
    No change in problem after bridging wl0.2 to br1. No change in problem after disabling wl0.1 while wl0.2 is bridged to br1.

    I don't know if this is relevant. But at some point after doing "C" I checked the logs again and found:
    Code:
    Dec 12 22:29:06 unknown daemon.info dnsmasq[1912]: exiting on receipt of SIGTERM
    Dec 12 22:29:06 unknown user.debug init[1]: 182: pptp peerdns disabled
    Dec 12 22:29:06 unknown daemon.info dnsmasq[2641]: started, version 2.67 cachesize 1500
    Dec 12 22:29:06 unknown daemon.info dnsmasq[2641]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth
    Dec 12 22:29:06 unknown daemon.info dnsmasq[2641]: asynchronous logging enabled, queue limit is 5 messages
    Dec 12 22:29:06 unknown daemon.info dnsmasq-dhcp[2641]: DHCP, IP range 192.168.2.2 -- 192.168.2.15, lease time 1d
    Dec 12 22:29:06 unknown daemon.info dnsmasq-dhcp[2641]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
    Dec 12 22:29:06 unknown daemon.info dnsmasq[2641]: reading /etc/resolv.dnsmasq
    Dec 12 22:29:06 unknown daemon.info dnsmasq[2641]: using nameserver 75.75.76.76#53
    Dec 12 22:29:06 unknown daemon.info dnsmasq[2641]: using nameserver 75.75.75.75#53
    Dec 12 22:29:06 unknown daemon.info dnsmasq[2641]: read /etc/hosts - 3 addresses
    Dec 12 22:29:06 unknown daemon.info dnsmasq[2641]: read /etc/dnsmasq/hosts/hosts - 22 addresses
    Dec 12 22:29:06 unknown daemon.info dnsmasq-dhcp[2641]: read /etc/dnsmasq/dhcp/dhcp-hosts
    Dec 12 22:29:07 unknown user.debug init[1]: cstats stopped.
    Dec 12 22:29:07 unknown user.debug init[1]: starting cstats.
    I noticed there that the 192.168.3.x range did not get a lease.

    I was trying to connect from a Windows 7 laptop that had previously been assigned a static IP on the wl0.0 SSID. It did not have an active lease, but I deleted the static entry and rebooted the router. Is there anything else needed to clear a static IP assignment out? Would it be worth it to borrow a device that has never connected to my network or assigned a static IP address before for testing?

    Thank you again for offering to help.
     
  14. Miltos

    Miltos Serious Server Member

    @Mr9v9 , I tried entering your recommended line to the firewall rules:
    Code:
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
    It did not change the problem I am having. Thank you for the suggestion, though.
     
  15. Sean B.

    Sean B. Network Guru Member

    I get the feeling, as your last statement touched on, that your issue may be stemming from a static dhcp/arp given the extent of static configs you're running. As in the case of a client with a MAC matching a static configured IP set to a subnet which is NOT the one it's trying to connect to, you'd get a plain failed connection. Just to confirm: You've verified the MAC address of the Windows 7 laptop you're using is no longer in the list of static configurations on the router? And verified the Windows 7 laptop does not still have the static IP of a different subnet defined under its wireless device configuration?

    ***EDIT***
    Also, any chance you're using the Wireless Filter access control in allow-only configuration and the client's MAC got removed from there as well? Or have "Ignore requests from unknown clients" enabled in static/arp?
     
    Last edited: Dec 13, 2016
  16. Sean B.

    Sean B. Network Guru Member

    Just realized, your configuration isn't sound in regards to the dhcp range vs your static leases. The ip-range you define in Basic->Network is the pool of addresses dhcp can hand out dynamically.. not the overall allowed addresses for that network segment. The overall valid address range is defined by your netmask.. which as 255.255.255.0 gives you 192.168.1.1-254 . You want to use IPs that are OUTSIDE of the dhcp ip-range for your statics, but within the network segment. Otherwise dhcp can end up without any addresses to hand out dynamically.. and also risks conflicts if dhcp fails a check of address use and attempts to issue an IP from its dynamic pool that's already spoken for by a static assignment. I assume you're not trying to run static only, as you stated you removed the static assignment for the Win7 client you've been trying to connect with.
     
    Last edited: Dec 13, 2016
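    The two checks Sean B. describes (static leases that sit inside a bridge's dynamic pool, and a bridge whose pool is missing from the dnsmasq restart log, as in the second log excerpt Miltos posted) can be automated. The script below is an added example written for this thread, not something from the thread or from Tomato itself; the config and log text embedded in it are constructed to mirror the shape of what was posted, with made-up MAC addresses, and it parses only the line formats that appear above.

```python
"""Cross-check a Tomato dnsmasq.conf against dnsmasq's restart log lines.

Flags (a) dhcp-host static assignments that fall inside a bridge's dynamic
dhcp-range pool, and (b) bridges with a configured dhcp-range that dnsmasq
did not announce after 'service dnsmasq restart'.  Added example, not code
from the thread; sample inputs below are constructed."""
import ipaddress
import re

# Constructed sample config (MAC addresses are made up).
SAMPLE_CONF = """\
interface=br0
dhcp-range=tag:br0,192.168.1.2,192.168.1.51,255.255.255.0,1440m
interface=br1
dhcp-range=tag:br1,192.168.2.2,192.168.2.15,255.255.255.0,1440m
interface=br2
dhcp-range=tag:br2,192.168.3.2,192.168.3.51,255.255.255.0,1440m
dhcp-host=00:11:22:33:44:55,192.168.1.2
dhcp-host=00:11:22:33:44:66,192.168.1.100
dhcp-host=00:11:22:33:44:77,192.168.2.3
dhcp-authoritative
"""

# Constructed log excerpt: no "IP range" line for 192.168.3.x appears.
SAMPLE_LOG = """\
Dec 12 22:29:06 unknown daemon.info dnsmasq[2641]: started, version 2.67 cachesize 1500
Dec 12 22:29:06 unknown daemon.info dnsmasq-dhcp[2641]: DHCP, IP range 192.168.2.2 -- 192.168.2.15, lease time 1d
Dec 12 22:29:06 unknown daemon.info dnsmasq-dhcp[2641]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
"""

RANGE_RE = re.compile(r"^dhcp-range=tag:(\w+),([\d.]+),([\d.]+),([\d.]+),")
HOST_RE = re.compile(r"^dhcp-host=([0-9A-Fa-f:*]+),([\d.]+)$")
LOG_RE = re.compile(r"dnsmasq-dhcp\[\d+\]: DHCP, IP range ([\d.]+) -- ([\d.]+)")


def parse_pools(conf):
    """Return {bridge: (first, last, network)} for every dhcp-range line."""
    pools = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line.strip())
        if m:
            tag, first, last, mask = m.groups()
            net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
            pools[tag] = (ipaddress.ip_address(first),
                          ipaddress.ip_address(last), net)
    return pools


def parse_static_hosts(conf):
    """Return [(mac, ip)] for every dhcp-host line."""
    hosts = []
    for line in conf.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return hosts


def statics_inside_pool(conf):
    """Static leases whose IP lies within a bridge's dynamic pool.

    Those addresses are also candidates for dynamic hand-out, so the pool
    shrinks and a dynamic client can collide with a static assignment."""
    pools = parse_pools(conf)
    bad = []
    for mac, ip in parse_static_hosts(conf):
        for bridge, (first, last, net) in pools.items():
            if ip in net and first <= ip <= last:
                bad.append((mac, str(ip), bridge))
    return bad


def pools_missing_from_log(conf, log):
    """Bridges with a configured dhcp-range that dnsmasq did not announce
    in its startup log, i.e. no DHCP pool is active for them."""
    announced = {(ipaddress.ip_address(a), ipaddress.ip_address(b))
                 for a, b in LOG_RE.findall(log)}
    return sorted(bridge for bridge, (first, last, _) in parse_pools(conf).items()
                  if (first, last) not in announced)


if __name__ == "__main__":
    for mac, ip, bridge in statics_inside_pool(SAMPLE_CONF):
        print(f"static {ip} ({mac}) is inside the dynamic pool of {bridge}")
    for bridge in pools_missing_from_log(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{bridge}: dhcp-range configured but no pool announced after restart")
```

    On a real router you would feed it the output of `cat /etc/dnsmasq.conf` and the log lines following the ****MARK**** entries; a static host reported by the first check should be moved outside the bridge's dhcp-range, and a bridge reported by the second check is one that dnsmasq is not serving DHCP on at all, whatever the GUI shows.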
  17. Miltos

    Miltos Serious Server Member

    I did a little more testing this morning. I have not been able to recreate this, but at one point, when trying to connect my laptop to the wl0.2 SSID I saw my laptop show up in the Devices list with a 192.168.1.6 IP address, which is from our wl0.0 SSID. I don't know why it happened that once, but it has not happened again.

    To address your questions:
    1. Yes, I verified that the MAC address of my laptop is no longer in the list of static configs
    2. Yes, I did an ipconfig /release on my laptop and verified with ipconfig and under the adapter settings that it did not have an IP address before trying to connect.
    3. I am NOT using wireless filter control and I do NOT have "Ignore requests from unknown clients" enabled.
    4. I am not trying to run static only. I give static IPs to all the devices we own and use at home, as it makes it easier for me to see who is doing what and control access, but other non-static devices have never had a problem getting on wl0.0 or wl0.1.

    My next thought is to borrow a device from a neighbor that has never been on my router and see if that can connect to wl0.2. If that works, then I wonder how I go about "flushing" the cache of static IP configs on the router, since it seems to be remembering them.
     
  18. Sean B.

    Sean B. Network Guru Member

    There is no cache in the router, in the context you're implying anyway. Unlike a computer/phone etc which use physical or non-volatile (NV) storage for its complete OS and file system, the router does not. When booted, the firmware builds the file system and OS in standard flash memory from a "picture" so to speak of its initial state and configures it via saved settings in a much smaller ( around 64kb ) NVRAM. So unless a setting is specifically set in ( or not specifically removed from ) your saved settings.. it will not survive a reboot. If there was no reference to the MAC of the Win7 laptop saved in the settings, and dhcp ranges vs interfaces are properly configured, the only source for the IP appearing on an interface from the wrong subnet would be the client computer itself requesting that IP.. and Windows does bury references to IPs/routes etc in many places. Usually this will result in a DHCPNACK reply to the client stating "Wrong address" in the logs.. but it could very well cause an appearance in the GUI devices list since that GUI list is sourced from many places ( not just valid/active leases from dnsmasq's hosts ).
     
    Last edited: Dec 13, 2016
  19. Sean B.

    Sean B. Network Guru Member

    The shortest and most accurate way to diagnose this type of problem is to capture the communication traffic at the packet level when the client computer tries to connect to the AP. Any chance you've used, or feel you could figure out how to use, Wireshark?
     
  20. Mr9v9

    Mr9v9 Serious Server Member

    I will throw out some more ideas:

    Do you have anything DHCP going on after it leaves your Asus router? Any interference from your Comcast Modem? Sometimes when using Wireless Ethernet Bridge mode you need to use Router Mode instead of Gateway in Advanced> Routing> Misc.

    To try spoofing your MAC you could try and change it for the Router (which could be messy) or you could try changing the MAC of the device using any number of little utilities. You can leave the MAC blank (all zeroes) and just fill in the IP as well for truly static IP's.

    It may have gotten mentioned before but have you played around with the Restricting unlisted devices settings some more? Maybe the reverse logic needs to be applied and only allowed devices are allowed to connect.

    Try using a different DNS provider with your set up instead of Comcast and flush your DNS.
    Code:
    ipconfig /flushdns
    in Windows CMD. I know that sounds silly but they (Comcast) have been known to block sites and have slower traffic throughput. This is mostly cosmetic and for speeding up your connections when on WiFi.

    Try setting your DHCP/Static lease times to something small like 30 minutes.

    Look over some old guides maybe there is something else that may have gotten overlooked:
    VLAN Multi-SSID
    Multi-SSID-E3000

    Last bit of advice (annoying and time consuming) would be to fully erase everything and configure the Router from scratch, creating all the VLAN and bridging rules all step by step with reboots in order. Connecting all the devices to their respective locations at the last step.
     
  21. Miltos

    Miltos Serious Server Member

    OK. I finally had some time at home today with no one around so I got wireshark going. I don't feel closer to solving it, but I did find some interesting behavior.

    When I have everything configured like this:
    Basic>>Network>>LAN: https://snag.gy/VZ4YHB.jpg
    Advanced>>VLAN: https://snag.gy/CZW1l5.jpg
    Advanced>>Virtual Wireless>>Overview: https://snag.gy/OHNmUz.jpg
    Advanced>>Virtual Wireless>>wl0.2: https://snag.gy/lQNkTP.jpg

    I get nothing. This is configured as I think it should be, with wl0.2 bridged to br2. When I attempt to connect to IslandOfMisfitToys (wl0.2) Windows 10 says "Checking network requirements" for a few seconds, then "Can't connect to this network". Wireshark captures no packets, so the router is not even completing a handshake here it seems.

    When I have things configured like this, bridging wl0.2 to br1:
    Basic>>Network>>LAN: https://snag.gy/OIwZLG.jpg
    Advanced>>VLAN: same as above
    Advanced>>Virtual Wireless>>Overview: https://snag.gy/b6hsun.jpg
    Advanced>>Virtual Wireless>>wl0.2: https://snag.gy/Y7dyZg.jpg

    I get instant connectivity. So, does this mean something is wrong with my br2 setup? I've been googling to see if anyone mentions having three or more SSIDs working, or not working, but I'm only finding reference to two SSIDs (guest network). The setup does not seem that complicated, but I can't figure out what could be wrong.
     
  22. Sean B.

    Sean B. Network Guru Member

    Do you have Wireshark actively capturing on the interface prior to attempting to connect to the AP? Do you have promiscuous mode enabled or disabled?

    What does instant connectivity mean? You see packets in Wireshark but no usable connection? Packets seen in Wireshark with accessible LAN connection without internet access? Or are all 3 functioning as expected?

    If Wireshark is not capturing any packets at all when you attempt to connect to wl0.2 while bridged to br2 this means you're not reaching the network level at all. The problem is at the 802.11 level. An issue with the radio/driver configuration, or your MAC is being filtered. Even if you set the completely wrong IP in the settings of the Win7 laptop and tried to connect you would still see the exchange in Wireshark. Or if the settings for br2 were completely screwed up, you'd still see completely screwed up packets in Wireshark. Considering your conflicting configuration of static assignments vs dynamic address pool, and extensive use of MACs in saved NVRAM settings, I would suggest at this point to take screenshots etc of all your settings and then do an NVRAM thorough erase in Administration->Configuration and reconfigure. Without any access control/static MAC assignments etc.. just the same bridges/APs with standard wifi WPA/WPA2 Personal security + dynamic dhcp and give it a try. If there isn't a stuck setting or lingering trace of MACs in the NVRAM, then I'd venture to say there's an issue at the hardware/driver level of your router or it won't handle multiple virtual APs at one time. But, that's a guess. I haven't hit 802.11 direct issues much in my experience.
     
    Last edited: Dec 17, 2016
  23. Sean B.

    Sean B. Network Guru Member

    Unless I'm overlooking it repeatedly, it doesn't appear you included the output from ifconfig for the br1 br2 and wl0.1/2 interfaces. The specific configuration the interfaces are set with may reveal something.
     
  24. Miltos

    Miltos Serious Server Member

    Sorry @Sean B. I'll clarify some things.

    Yes, I have wireshark capturing on my wifi interface before I attempt to connect and I have promiscuous mode turned on. I also did "ipconfig /release" and "ipconfig /dnsflush" on my computer and deleted the static IP entry before connecting.

    By instant connectivity, I mean all is well. I instantly get an IP address and can connect to the internet and packets are flowing in wireshark when I bridge wl0.2 to br1.

    I have looked everywhere I know to look for any MAC address filtering and haven't found any. And if my MAC address was being filtered, wouldn't I be unable to connect to any SSID? I can connect to wl0 and wl0.1 with no problem. It's only the wl0.2 that won't connect, and only when it is bridged to br2.

    You are absolutely right that I failed to run and post the other commands you recommended. Here they are:

    Code:
    root@unknown:/tmp/home/root# ifconfig wl0.1
    wl0.1      Link encap:Ethernet  HWaddr BE:EE:7B:C5:56:F9
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:149058 errors:0 dropped:0 overruns:0 frame:0
               TX packets:222594 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:1000
               RX bytes:34310050 (32.7 MiB)  TX bytes:217576510 (207.4 MiB)
    Code:
    root@unknown:/tmp/home/root# ifconfig wl0.2
    wl0.2      Link encap:Ethernet  HWaddr BE:EE:7B:C5:56:FA
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:1000
               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    Code:
    root@unknown:/tmp/home/root# ifconfig br1
    br1        Link encap:Ethernet  HWaddr BC:EE:7B:C5:56:F8
               inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:61884 errors:0 dropped:0 overruns:0 frame:0
               TX packets:158075 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:15703687 (14.9 MiB)  TX bytes:199483294 (190.2 MiB)
    Code:
    root@unknown:/tmp/home/root# ifconfig br2
    br2        Link encap:Ethernet  HWaddr BC:EE:7B:C5:56:F8
               inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:6 errors:0 dropped:0 overruns:0 frame:0
               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:491 (491.0 B)  TX bytes:0 (0.0 B)
     
  25. Sean B.

    Sean B. Network Guru Member

    When on a client that is connected to wl0.1 on br1, can you ping the br2 interface at 192.168.3.1?

    As far as the access restriction filter, yes. But if still associated to a different network IP via missed or phantom NVRAM setting then LAN access restriction filters ( iptables ) can also be a factor, also being able to get an IP if the MAC is stuck as bound to a different network as well. If you've already checked carefully that it doesn't show in your settings then the only way to be sure it's not glitched into somewhere else is an NVRAM thorough erase. But, that's an unlikely issue.. not impossible though. You haven't set any custom iptables rules or anything like that in the scripts section have you?
     
    Last edited: Dec 17, 2016
  26. Sean B.

    Sean B. Network Guru Member

    And just for the sake of it, if you haven't already, on the Win7 laptop go to the network adapters section and right click your wireless adapter and select properties, click IPv4 and then properties at the bottom, select "use following ip" and for IP address enter 192.168.3.5 , netmask 255.255.255.0 , default gateway 192.168.3.1 , then try connecting to wl0.2 when it's bridged to br2.
     
  27. Sean B.

    Sean B. Network Guru Member

    To recap, both wl0.1 and wl0.2 virtual access points will function normally if they are bridged to br1 at separate times, correct? What I'm curious on is if it's a hardware limitation of your model of router, as in does the problem follow the virtual APs being enabled at the same time? Or is the problem isolated to the br2 interface regardless of 1 or 2 or which one of the APs is bridged to it.
     
  28. Sean B.

    Sean B. Network Guru Member

    Oh, also, while you may have already checked this.. it could slip by. Under Advanced->Wireless do you happen to have the "Maximum clients" number set to a lowered level on the 2.4ghz radio? The virtual APs off the radio will combine clients into that set number. If your client was connected to wl0.1 on br1 and then attempts to connect to wl0.2, being a different subnet, it will require a new lease and therefore count as another client connection until the lease on br1 expires. As well as Advanced->DHCP/DNS Maximum leases number. The fact you're getting no captures with Wireshark of tcp/udp/icmp/broadcast or any network layer traffic when connecting really implies you're not getting past the 802.11 connection/authentication. Aside from some iptables custom rules being set that would drop all packets incoming or outgoing on that interface there's nothing else I can think of that would result in "zero" traffic seen on the wire.
     
  29. Miltos

    Miltos Serious Server Member

    @Sean B. , thanks for your continued support and suggestions. I'm starting to wonder if it's a bug in the build I'm on (1.28.0000). I know the Asus RTN-66U that I'm using was long considered one of the best, so I'd be surprised if it was a hardware limitation, but anything is possible.

    1. Yes, when my laptop is connected to wl0.1 (br1) I can ping 192.169.3.1

    2. All the tabs under Scripts are blank.

    3. Setting my wireless adapter to those settings (192.168.3.5 , netmask 255.255.255.0 , default gateway 192.168.3.1) I got the same result, "Windows is unable to connect to this network".

    4. I feel like I tried bridging wl0.1 to br2 and it did not work, but I'm not positive. I will try that as soon as I get some time when no one is home and using the internet.

    5. "Maximum Clients" is set to the default 128 for both the 2.4 and 5 GHz radios. There are currently 22 devices on the router. I definitely don't ever come anywhere near 128.

    I've done a ton of searching, trying to find evidence of someone successfully running three SSIDs on shibby on the RTN-66U. All the posts I can find are about just running a main and guest network.

    I think I have three options at this point:
    1. Try the NVRAM wipe
    2. Try upgrading to the latest version of Shibby for my router
    3. Get a new router

    I have been thinking about upgrading to a Netgear R7000. If I see a price drop on it in the next few weeks I may just go this route and see if I can get my desired setup working there. I don't really need it, but it's a good enough excuse for a new toy. If I decide not to drop the cash then I will probably try upgrading to the latest Shibby build and doing an NVRAM wipe in that process.

    Thanks again for sticking with me and trying to figure this out. I really appreciate it.
     
  30. Sean B.

    Sean B. Network Guru Member

    You're welcome. Sorry I don't have a solution for ya. While I don't have a ton of experience running virtual APs myself, their setup is rather straightforward. That combined with zero traffic on Wireshark when connecting makes the cause of this issue really rather puzzling. Let me know if I can be of any further assistance, and if you try the NVRAM erase give an update as to any results. :)
     
  31. Mr9v9

    Mr9v9 Serious Server Member

    Try the first two options first, then number three. :)
     
  32. Miltos

    Miltos Serious Server Member

    Just to follow up and close this thread out, I recently purchased a Netgear R7000. I put Advanced Tomato on it, set up my three VLANs and SSIDs and it works like a charm. Either the version of Tomato I was running on my ASUS RT-N66U had a problem, or the router itself couldn't handle the three SSIDs, or some combination of both. Thanks again for all the great help that was offered here, though!
     
  33. Fab Five Freddy

    Fab Five Freddy Serious Server Member

    Might want to check something....

    I added 2 SSIDs per radio (so 4 in all): 1 that gets routed through my VPN, and one for guests. I had a lot of flakiness (it would work most of the time, then flake out for 2 minutes, then be fine for a long time, repeat) until I figured out that some of the MAC addresses that Tomato had programmatically created for the VLANs were duplicates. You can check under 'Advanced->MAC Address'. They should all be unique.

    FFF
     
  34. Miltos

    Miltos Serious Server Member

    Thanks @Fab Five Freddy. I bought a new router, put the latest Advanced Tomato on it and have had no problems, so I'm all set. I think it was most likely the old version of tomato I was running, but it could have also been a limitation of the N66U.
     
  35. Mr9v9

    Mr9v9 Serious Server Member

    How frustrating and time consuming right? I am very glad you got this figured out, but the question will remain for other owners who search this forum in the future.
     
  36. Miltos

    Miltos Serious Server Member

    My guess is that it was the old version of Tomato I was running. I did upgrade my N66U to the latest Advanced Tomato and it seems to broadcast 3 SSIDs just fine, with the same configuration I was trying before. I am currently trying to configure the N66U as a repeater for all three SSIDs, so we'll see if I can get that going and get different IP subnets assigned for the different SSIDs.
     
  37. thepagedude

    thepagedude New Member Member

    I have encountered this exact same issue on the following:
    Asus RT-AC66U : 1.28.0000 MIPSR2-116 K26AC USB AIO-64K
    Netgear R6250 : freshtomato-R6250-ARM-2019.1-AIO-64K
    Netgear R6250 : tomato-R6250-ARM--140-AIO-64K

    I was either unable to connect to the second virtual SSID, or *all* the wifi connections (both physical and virtual) became unstable, i.e. frequent disconnects, SSIDs disappearing etc.
     