VLAN Configuration

Blargh

New Around Here
Good afternoon,

I'm using RMerlin's 3.0.0.4.246.20 Merlin build software on my new RT-AC66U, and playing around with trying to get VLANs working.

What I want to do is:
WAN - Internet access, untagged
LAN 1, 2, 3, wifi - VLAN A, bridged together (ala fairly normal)
LAN 4 - VLAN B

I'm wanting separate address pools on VLAN A and VLAN B, plus needing some specialized NAT configuration. I'm very familiar with Linux in general (so have no problems building the route rules, iptables configs, etc.)

My problem is getting the Broadcom switch onboard to actually do the VLAN setup.

I've been poking at the robocfg utility, however it seems to be just slightly incompatible with the newer BCM53125 chipset that's onboard the RT-AC66U - it doesn't quite do VLAN configuration correctly (it looks like the tagging method is getting changed from 802.1Q to something else) and can't even reset the stock settings correctly (comparing robocfg dump before and after - there's a few registers different in page 0x05 - and afterwards no traffic is flowing correctly across the LAN ports).

I've looked through the init-broadcom.c source code as part of the firmware, and it is doing VLAN configuration with 'et robowr' calls and not using robocfg.

I don't doubt I'll figure this out eventually with a combination of the source code to the driver and init-broadcom.c, but before I burn a lot of time to do so, I figured I'd ask if anyone here has gotten this to successfully work (either a newer version of robocfg, or some example scripts using 'et robowr' to do it)?
 
Alright, so after reading some source code and a little poking, here's a little info on how to do this. I'm fairly sure this is the ugly, brutish way, but it worked for what I needed.

Keep in mind internally you apparently can only use up to VLAN ID 16 (I see warnings about that in the source) - I didn't care for my purpose, so didn't see if there was a way around this.

To set up the switching portion takes four commands:

  1. Set the VLAN ID you want to modify in page 0x05, register 0x81, in hex. So for VLAN 3:
    et robowr 0x05 0x81 0x03
  2. Set a bit flag specifying what ports to have in this VLAN in page 0x05, register 0x083, and if they are untagged. There are 18 bits in this - one for each of the 8 ports on the chip (remember port 0 is your WAN port, ports 1-4 are your LAN ports, and port 8 is the CPU aka eth0). The most significant 9 bits get a 1 if that port is untagged (going from 8 at MSB to 0 at LSB), then the least significant 9 bits get a 1 if that port is joined to the VLAN. For my example, I want port 4 untagged and port 8 tagged:
    et robowr 0x05 0x83 0x02110
    (02110 = ..00 0010 0001 0001 0000, or (..87 6543 210) (8 7654 3210) with first grouping marking untagged and second marking membership)
  3. Trigger the write. This takes two calls:
    et robowr 0x05 0x80 0x0000
    et robowr 0x05 0x80 0x0080
  4. Set the VLAN untagged frames coming in on a port are assigned to by default in page 0x34, register 0x10+(2*portNumber). You need to set this for every untagged port you change. For my port 4 to go into VLAN 3:
    et robowr 0x34 0x18 0x03

After doing this and resetting all VLANs, I was able to add VLAN 3 to eth0 and set it up:

vconfig add eth0 3
ifconfig vlan3 192.168.20.1 netmask 255.255.255.0 up

As a note, "robocfg show" *does* show the correct information, but its VLAN set capability doesn't work (I'm guessing it's using the old set of registers for doing VLAN sets - they changed them in 53115 it looks like).

Hopefully a bit of info to help folks out. I've been experimenting a fair bit and haven't blown anything up (had to reboot a couple times though), but of course I'm not liable if you turn your router into a steaming pile of slag somehow :)
 
One thing I haven't quite figured out - it LOOKS like the et command's robowr option only allows up to 16 bits, so how to mark port 8 (the CPU) untagged is a bit of a mystery through that interface.
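
An added example, not part of the original posts: a small shell helper that builds and decodes the page 0x05 / register 0x83 value using the layout described above (low 9 bits membership, next 9 bits untagged), so a port-to-VLAN assignment can be checked before it is written to the switch. The function names are hypothetical, and refusing values wider than 16 bits is an assumption based on the limit reported in the post above.

```shell
#!/bin/sh
# Register 0x83 layout per the post: bits 0-8 = member ports,
# bits 9-17 = untagged flags for the same ports (bit n = port n).

# port_mask "1 2 8" -> decimal bitmask; rejects ports outside 0-8
port_mask() {
    mask=0
    for p in $1; do
        case "$p" in
            [0-8]) mask=$(( mask | (1 << p) )) ;;
            *) echo "bad port: $p" >&2; return 1 ;;
        esac
    done
    echo "$mask"
}

# vlan_value "<member ports>" "<untagged ports>" -> hex value for 0x83
vlan_value() {
    members=$(port_mask "$1") || return 1
    untagged=$(port_mask "$2") || return 1
    if [ $(( untagged & ~members )) -ne 0 ]; then
        echo "untagged port is not a member" >&2; return 1
    fi
    value=$(( (untagged << 9) | members ))
    # The thread reports robowr taking only 16 bits, so refuse values
    # that need bit 16 or 17 (port 7 or 8 untagged) instead of truncating.
    if [ "$value" -gt 65535 ]; then
        echo "value needs more than 16 bits" >&2; return 1
    fi
    printf '0x%04X\n' "$value"
}

# decode_value 0x1108 -> "members: 3 8 untagged: 3" (audit an existing value)
decode_value() {
    case "$1" in *[!0-9a-fA-Fx]*) return 1 ;; esac
    v=$(( $1 )); m=""; u=""; p=0
    while [ "$p" -le 8 ]; do
        if [ $(( (v >> p) & 1 )) -eq 1 ]; then m="$m $p"; fi
        if [ $(( (v >> (p + 9)) & 1 )) -eq 1 ]; then u="$u $p"; fi
        p=$(( p + 1 ))
    done
    echo "members:$m untagged:$u"
}

# pvid_register 4 -> 0x18 (page 0x34 default-VLAN register for a port)
pvid_register() { printf '0x%02X\n' $(( 0x10 + 2 * $1 )); }

# Decode the 0x83 values used for VLANs 1, 3 and 4 in this thread
for x in 0x0D06 0x1108 0x2110; do echo "$x -> $(decode_value "$x")"; done
```

Decoding a value before writing it shows exactly which ports end up sharing a VLAN, which is the property the segmentation depends on.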
 
So, putting a few more pieces together, and using Merlin's scripting abilities, here's what I have in /jffs/scripts/services-start (obviously I need to do some fine tuning and such, but this at least gets everything I care about working):

#!/bin/sh

# 0x83 format:
# Untag? Ports
# (87 6543 2108 7654 3210)

# Remove ports 3 and 4 from VLAN 1
et robowr 0x05 0x81 0x01
et robowr 0x05 0x83 0x0D06
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080
# Create VLAN 3 with port 3 untagged and port 8 tagged
et robowr 0x05 0x81 0x03
et robowr 0x05 0x83 0x1108
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080
# Set port 3's default VLAN to 3
et robowr 0x34 0x16 0x03
# Create VLAN 4 with port 4 untagged and port 8 tagged
et robowr 0x05 0x81 0x04
et robowr 0x05 0x83 0x2110
et robowr 0x05 0x80 0x0000
et robowr 0x05 0x80 0x0080
# Set port 4's default VLAN to 4
et robowr 0x34 0x18 0x04
# Create the interfaces
vconfig add eth0 3
ifconfig vlan3 XXX.XXX.XXX.XXX netmask 255.255.255.248 up
vconfig add eth0 4
ifconfig vlan4 XXX.XXX.XXX.XXX netmask 255.255.255.248 up
# We allow these two VLANs to do whatever they want
iptables -I INPUT 1 -i vlan3 -j ACCEPT
iptables -I INPUT 1 -i vlan4 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o vlan3 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o vlan4 -j ACCEPT
iptables -I FORWARD 1 -i vlan3 -o eth0 -j ACCEPT
iptables -I FORWARD 1 -i vlan4 -o eth0 -j ACCEPT
ip6tables -I INPUT 1 -i vlan3 -j ACCEPT
ip6tables -I INPUT 1 -i vlan4 -j ACCEPT
ip6tables -I FORWARD 1 -i v6in4 -o vlan3 -j ACCEPT
ip6tables -I FORWARD 1 -i v6in4 -o vlan4 -j ACCEPT
ip6tables -I FORWARD 1 -i vlan3 -o v6in4 -j ACCEPT
ip6tables -I FORWARD 1 -i vlan4 -o v6in4 -j ACCEPT
ip addr add 2001:470:XXXX:XXXX::1/64 dev vlan3
ip addr add 2001:470:XXXX:XXXX::1/64 dev vlan4


And also, in /jffs/configs/radvd.conf.add:

interface vlan3
{
IgnoreIfMissing on;
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvHomeAgentFlag off;
AdvManagedFlag off;
AdvOtherConfigFlag on;
AdvLinkMTU 1480;
prefix 2001:470:XXXX:XXXX::/64
{
AdvOnLink on;
AdvAutonomous on;
};
RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};
};

interface vlan4
{
IgnoreIfMissing on;
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvHomeAgentFlag off;
AdvManagedFlag off;
AdvOtherConfigFlag on;
AdvLinkMTU 1480;
prefix 2001:470:XXXX:XXXX::/64
{
AdvOnLink on;
AdvAutonomous on;
};
RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};
};
 
Very interested in VLAN capability, as well. I don't have an AC66U yet, but if VLANs can be accommodated (both port-based and trunking), either in stock firmware or an upgrade such as Merlin's version or DD-WRT, I'll be a happy camper.

In my case, I'll need to bridge together tagged VLANs 1 & 2 coming in through one LAN port for common internet access.
 
These instructions helped me a lot

Thanks for posting your discoveries here. With this information I was able to make my router do nearly everything I needed - I've got 4 VLANs being routed through the switch in this router, and everything switch-wise is working perfectly.

I've posted details about my setup based on yours here: http://forums.smallnetbuilder.com/showthread.php?t=12281

I'm having a few problems with bridging wireless interfaces to VLANs, however.
 
Thanks for Your post

I tried to get a separate guest network with robocfg. Didn't work for me. Perhaps I did something wrong, but using Your et commands made my ac66u run like I wanted it to. I connected my pfSense to VLAN3 and VLAN1 to a switch with the rest of my home network. By doing so I could control the access to my home network by dropping unwanted frames with ebtables:
ebtables -D FORWARD 1
ebtables -D FORWARD 1
ebtables -I FORWARD -o wl0.1 -i eth2 -j DROP
ebtables -I FORWARD -o wl0.1 -i eth1 -j DROP
ebtables -I FORWARD -o eth1 -i wl0.1 -j DROP
ebtables -I FORWARD -o eth2 -i wl0.1 -j DROP
ebtables -I FORWARD -o vlan1 -i wl0.1 -j DROP
ebtables -I FORWARD -o wl0.1 -i vlan1 -j DROP
I am using the GUI to setup one guest WLAN. I put this code into the services-start script.

My configuration: ac66u in wireless router mode but using as AP, pfsense connected to lan3, switch connected to lan 1, firmware 3.0.0.4.374.35_2, changed resolv.conf for nameserver pfsense and added a default route to the pfsense
CP
 