Is there a limit of number of bridges / vlans?


JensM

Occasional Visitor
After switching to opnsense as my main router, I'm using my AC66U (running John's Fork) in AP mode. I'm scripting it to tag different SSIDs and LAN ports with VLANs and send the traffic via a single connection to the opnsense, which worked quite well for some SSIDs. For some others WPA2 authentication was not possible (timeouts). I'm aware of the eapd restart, and some SSIDs work fine, so I'm guessing there's another issue and I did some trial and error. It seems that all SSIDs that are assigned to bridges / lanX_ifnames > 4 (starting with 0) do not work. So my SSIDs on br0, br1, ..., br4, and therefore up to:
nvram set lan4_ifnames="vlan50 wl0.3 wl1.3"
nvram set lan4_ifname="br4"
are working, but after that the WPA2 failures begin.

Since everything is working for 5 VLANs but no more, I wonder: is there a limit of 5 bridges and/or 5 VLANs, and what is this limit about?
 

@JensM Could I see your script, please? I'm only able to connect to the networks when the encryption is set to open. I'm using values under 5 as well, so I'm not super sure what's going on.
Thank you!
 
@JensM
I found some old notes that indicated that vlan 60 was a special case used internally by ASUS, if that's where your problems start.
 
@john9527 Sorry to bother you again, but is there any way to get a build with a different eapd version? I am sure there are no problems with my services-start script, but I'm unable to get WPA2 working on my VLANs.
 
Thanks for your answer. Unfortunately, it doesn't depend on the "vlan" number, or at least it also doesn't work with the numbers I've tried so far (last time I tried vlan21 and vlan30). My WPA2 handshakes fail when using bridge br5 / lan5_ifname(s) and above; with 0-4 it is working fine.

Here is the services-start script. I've commented out the br5/lan5 stuff; those are the ones which prevent me from using WPA2.

Code:
#!/bin/sh
# services-start: one VLAN per SSID / LAN port on an AC66U in AP mode.

# Switch VLAN table. Numbers are switch ports, "t" = tagged member, no suffix = untagged.
# 4t is on every VLAN (the trunk port towards opnsense); 8t is the CPU port.
/usr/sbin/robocfg vlan 1 ports "0 4t 8t"
/usr/sbin/robocfg vlan 10 ports "1 4t 8t"
/usr/sbin/robocfg vlan 12 ports "4t 8t"
/usr/sbin/robocfg vlan 13 ports "4t 8t"
/usr/sbin/robocfg vlan 20 ports "2 3 4t 8t"
#/usr/sbin/robocfg vlan 21 ports "2 3 4t 8t"
#/usr/sbin/robocfg vlan 30 ports "4t 8t"

# 802.1Q sub-interfaces on the CPU side of the switch (eth0).
/sbin/vconfig add eth0 10
/sbin/vconfig add eth0 12
/sbin/vconfig add eth0 13
/sbin/vconfig add eth0 20
#/sbin/vconfig add eth0 21
#/sbin/vconfig add eth0 30

/sbin/ifconfig vlan10 up
/sbin/ifconfig vlan12 up
/sbin/ifconfig vlan13 up
/sbin/ifconfig vlan20 up
#/sbin/ifconfig vlan21 up
#/sbin/ifconfig vlan30 up

# One bridge per VLAN (br0 already exists from the firmware).
/usr/sbin/brctl addbr br1
/usr/sbin/brctl addbr br2
/usr/sbin/brctl addbr br3
/usr/sbin/brctl addbr br4
#/usr/sbin/brctl addbr br5
#/usr/sbin/brctl addbr br6

# Pull the LAN ports and the guest VAPs out of the default bridge...
/usr/sbin/brctl delif br0 eth1
/usr/sbin/brctl delif br0 eth2
/usr/sbin/brctl delif br0 wl0.1
/usr/sbin/brctl delif br0 wl1.1
#/usr/sbin/brctl delif br0 wl0.2
/usr/sbin/brctl delif br0 wl1.2
#/usr/sbin/brctl delif br0 wl0.3
#/usr/sbin/brctl delif br0 wl1.3

# ...and put each one on the bridge of its VLAN.
/usr/sbin/brctl addif br1 eth1
/usr/sbin/brctl addif br1 eth2
/usr/sbin/brctl addif br2 wl0.1
/usr/sbin/brctl addif br3 wl1.1
#/usr/sbin/brctl addif br5 wl0.2
/usr/sbin/brctl addif br4 wl1.2
#/usr/sbin/brctl addif br6 wl0.3
#/usr/sbin/brctl addif br6 wl1.3

# Attach the tagged VLAN sub-interface to each bridge.
/usr/sbin/brctl addif br1 vlan10
/usr/sbin/brctl addif br2 vlan12
/usr/sbin/brctl addif br3 vlan13
/usr/sbin/brctl addif br4 vlan20
#/usr/sbin/brctl addif br5 vlan21
#/usr/sbin/brctl addif br6 vlan30

# Management address of the AP lives on br1.
#/sbin/ifconfig br0 192.168.11.254 netmask 255.255.255.0
/sbin/ifconfig br1 192.168.10.254 netmask 255.255.255.0

/sbin/ifconfig br1 up
/sbin/ifconfig br2 up
/sbin/ifconfig br3 up
/sbin/ifconfig br4 up
#/sbin/ifconfig br5 up
#/sbin/ifconfig br6 up

# lanN_ifname / lanN_ifnames tell eapd which bridge each VAP belongs to.
# lanN_ifnames must list exactly the members of that bridge as built above.
/bin/nvram set lan_ifnames="vlan1"
/bin/nvram set lan_ifname="br0"

/bin/nvram set lan1_ifnames="vlan10 eth1 eth2"
/bin/nvram set lan1_ifname="br1"

/bin/nvram set lan2_ifnames="vlan12 wl0.1"
/bin/nvram set lan2_ifname="br2"

/bin/nvram set lan3_ifnames="vlan13 wl1.1"
/bin/nvram set lan3_ifname="br3"

/bin/nvram set lan4_ifnames="vlan20 wl1.2"
/bin/nvram set lan4_ifname="br4"

#/bin/nvram set lan5_ifnames="vlan21 wl0.2"
#/bin/nvram set lan5_ifname="br5"

#/bin/nvram set lan6_ifnames="vlan30 wl0.3 wl1.3"
#/bin/nvram set lan6_ifname="br6"

# Restart eapd so it picks up the new lanN_* values; without this the WPA2 handshakes fail.
/usr/bin/killall eapd
/bin/eapd
 

Do you set the lanX_ifname, lanX_ifnames nvram values and restart eapd after that (like in my script that I just shared)?
For me this works at least for 5 vlans / bridges.
 
Hi! Yes I have done that, I have included my script below.
Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Guest VLAN 4: tagged on switch port 0 (the trunk) and on CPU port 5.
robocfg vlan 4 ports "0t 5t"
vconfig add eth0 4
ifconfig vlan4 up

# New bridge for the two guest VAPs, moved out of br0.
brctl addbr br1
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan4
ifconfig br1 up

# Bridge membership as eapd sees it; lanN_ifnames must match the brctl commands above.
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan4 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

# Restart eapd so it re-reads the lanN_* values.
killall eapd
sleep 5
eapd

@JensM The problem still seems to be with eapd because the only thing that doesn't work is WPA2. Please let me know if you have any ideas, as well as what version of John's fork you are running. Thank you!
 
eapd is closed source and tied to the wireless driver release. I went looking to see what router you have, and didn't see where you ever let us know?
I had fired up the script on my AC68P the other day, and had no problem connecting with encryption. The OP is on an AC66U.

One thing I do see... since you are trying to do this on the primary router vs. an AP, I think you need to give br1 an address/subnet when you bring it up. Then make the changes to dnsmasq to hand out addresses on that subnet. Then make the changes to the firewall iptables/ebtables to allow traffic.
 
@john9527 Hi! Sorry, I didn't mention that I have an AC68U. I am also running this as an AP; all routing is handled by pfsense with a trunk going to the AP (AC68U). Could you share with me the script you used on your AC68P? The way it's set up is: I have untagged VLANs going to the AC68U, which represents my normal LAN network. Then I have a tagged VLAN 4, which represents my guest network. That is why I am bridging (br0) vlan1 with eth0 and eth1 for my normal 2.4 and 5 GHz Wi-Fi, and I am bridging (br1) vlan4 with wl0.1 and wl1.1, which are the two VAPs. This will get me 2 normal LAN networks and 2 guest networks.
 
@keshavdaboss
Well... you made me do it. :) I dug out my AC68R and connected it up to my opnsense box as an AP. Used your script, with a couple of changes:
- added back the nvram commit
- used vlan 101 instead of 4 (personal preference, I expect 4 would work fine)

Once I got my switch configured correctly, everything works fine (hint here :) ).

I did recreate what you saw with open encryption... it has nothing to do with eapd. When you change encryption modes, it also reconfigures the bridge and puts the guest networks back on br0/vlan1. You can see this if you run
'brctl show'
before and after changing modes.

So, everything looks like it works... I think you need to double check your switch/pfsense configuration. It sounds like you don't have a good route for the new bridge/vlan.
 
Thank you so much for trying it out! Hmm, I have saved the script as services-start in the /jffs/scripts folder and have verified it executes. I also tried running it again manually (which will remove wl0.1 and wl1.1 from br0) after changing the encryption type, to no avail. I plugged another router into the same cable, ran RMerlin's firmware, and it worked. I'm super confused :/ Sorry for taking up a lot of your time.
 
@keshavdaboss
Very strange indeed....
Have you run
robocfg show
brctl show
ifconfig

to verify everything is really set up the way you think?

Maybe run dos2unix on the services-start script? (grasping at straws)
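The three commands above give the raw state, but what actually has to line up is the lanN_ifname/lanN_ifnames pairs in nvram against the live membership printed by `brctl show`, because that is what eapd is told about the bridges. The Python below is an added example (not from this thread, John's fork or Asuswrt) to run offline on pasted output: it parses `brctl show`, builds the expected membership from a dict of nvram values, and reports every interface whose nvram bridge differs from its real bridge. Both inputs are constructed: the first nvram dict has the two guest groups assigned to each other's bridge, and the second `brctl show` sample shows the guest VAPs dropped back into br0, which is what an encryption-mode change does according to the post above.

```python
import re

# Constructed sample: `brctl show` on an AP with two guest bridges.
BRCTL_SHOW = """\
bridge name     bridge id               STP enabled     interfaces
br0             8000.1cb72cc73ad8       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.1cb72cc73ad8       no              wl0.1
                                                        wl1.1
                                                        vlan10
br2             8000.1cb72cc73ad8       no              wl0.2
                                                        vlan20
"""

# Constructed nvram values: lan1/lan2 groups swapped relative to the bridges above.
NVRAM_SWAPPED = {
    "lan_ifname": "br0", "lan_ifnames": "vlan1 eth1 eth2",
    "lan1_ifname": "br1", "lan1_ifnames": "vlan20 wl0.2",
    "lan2_ifname": "br2", "lan2_ifnames": "vlan10 wl0.1 wl1.1",
}

# Same values with each group mapped to the bridge it was actually built on.
NVRAM_FIXED = {
    "lan_ifname": "br0", "lan_ifnames": "vlan1 eth1 eth2",
    "lan1_ifname": "br1", "lan1_ifnames": "vlan10 wl0.1 wl1.1",
    "lan2_ifname": "br2", "lan2_ifnames": "vlan20 wl0.2",
}

# Constructed sample: guest VAPs fell back into br0 after an encryption-mode change.
BRCTL_AFTER_MODE_CHANGE = """\
bridge name     bridge id               STP enabled     interfaces
br0             8000.1cb72cc73ad8       no              vlan1
                                                        eth1
                                                        eth2
                                                        wl0.1
                                                        wl1.1
br1             8000.1cb72cc73ad8       no              vlan10
br2             8000.1cb72cc73ad8       no              wl0.2
                                                        vlan20
"""


def parse_brctl_show(text):
    """Return {bridge: set(members)} from `brctl show` output.

    A bridge's first line carries name, id, STP flag and (if any) its first
    member; further members follow on indented continuation lines.
    """
    bridges = {}
    current = None
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        if not line[0].isspace():               # new bridge
            fields = line.split()
            current = fields[0]
            bridges[current] = set(fields[3:])  # empty set for an empty bridge
        elif current is not None:               # continuation member line
            bridges[current].add(line.strip())
    return bridges


def expected_from_nvram(nvram):
    """Return {bridge: set(members)} from lan_ifname/lan_ifnames and lanN_* pairs."""
    expected = {}
    for key, bridge in nvram.items():
        m = re.fullmatch(r"(lan\d*)_ifname", key)
        if m:
            expected[bridge] = set(nvram.get(m.group(1) + "_ifnames", "").split())
    return expected


def check(live, expected):
    """Compare live bridge membership with what nvram claims; return a list of problems."""
    where = {iface: br for br, members in live.items() for iface in members}
    problems = []
    for bridge, want in sorted(expected.items()):
        if bridge not in live:
            problems.append(f"{bridge}: named in nvram but does not exist")
            continue
        for iface in sorted(want):
            actual = where.get(iface)
            if actual is None:
                problems.append(f"{bridge}: nvram lists {iface} but it is in no bridge")
            elif actual != bridge:
                problems.append(f"{bridge}: nvram lists {iface} but it is actually in {actual}")
        for iface in sorted(live[bridge] - want):
            problems.append(f"{bridge}: holds {iface}, which nvram does not assign to it")
    return problems


if __name__ == "__main__":
    for label, text, nvram in (
        ("swapped lanN_ifnames", BRCTL_SHOW, NVRAM_SWAPPED),
        ("consistent", BRCTL_SHOW, NVRAM_FIXED),
        ("VAPs back in br0", BRCTL_AFTER_MODE_CHANGE, NVRAM_FIXED),
    ):
        print(f"== {label}")
        for p in check(parse_brctl_show(text), expected_from_nvram(nvram)) or ["OK"]:
            print("  " + p)
```

Paste the real `brctl show` output and the `_ifname`/`_ifnames` values from `nvram show` in place of the constructed samples; an empty list means the live bridges and the lanN_* values agree. Running it again after toggling an SSID's encryption is the quickest way to see the fallback described above: the guest VAPs then show up as held by br0 while nvram still assigns them to br1.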
 
Code:
admin@RT-AC68U-TEST:/jffs/scripts# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: f4:ce:46:a9:b8:65
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 2c:59:e5:bc:08:f4
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5
  10: vlan10: 0t 5t
  20: vlan20: 0t 5t
  56: vlan56: 0t 1t 3
  57: vlan57: 0t 2 4t 5 8u
  58: vlan58: 0t 2 4 8u
  59: vlan59: 0t 1 2 7
  60: vlan60: 1t 4t 5t
  61: vlan61: 1 3t 5t 7 8t
  62: vlan62: 1 3
admin@RT-AC68U-TEST:/jffs/scripts# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.1cb72cc73ad8       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.1cb72cc73ad8       no              wl0.1
                                                        wl1.1
                                                        vlan10
br2             8000.1cb72cc73ad8       no              wl0.2
                                                        vlan20

@john9527 Here is the output for my script. In this setup I have changed to using VLAN 10 and 20: VLAN 10 will have wl0.1 and wl1.1 bridged to it, and VLAN 20 has wl0.2 bridged to it.

Here is my updated script, please let me know if you see anything wrong. Thank You, I really appreciate it!
Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Disable CTF (NAT acceleration), which is not needed on an AP.
nvram set ctf_disable_force=1
nvram set ctf_disable=1

# Guest VLANs 10 and 20: tagged on switch port 0 (the trunk) and on CPU port 5.
robocfg vlan 10 ports "0t 5t"
vconfig add eth0 10
ifconfig vlan10 up

robocfg vlan 20 ports "0t 5t"
vconfig add eth0 20
ifconfig vlan20 up

# br1 = vlan10 + both 2.4/5 GHz guest VAPs, moved out of br0.
brctl addbr br1
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan10
ifconfig br1 up

# br2 = vlan20 + the second 2.4 GHz VAP.
brctl addbr br2
brctl delif br0 wl0.2
brctl addif br2 wl0.2
brctl addif br2 vlan20
ifconfig br2 up

# Bridge membership as eapd sees it. Each lanN_ifnames must list exactly the
# members of the bridge named in lanN_ifname, as built with brctl above
# (br1 = vlan10 wl0.1 wl1.1, br2 = vlan20 wl0.2); mixing up lan1/lan2 here
# hands eapd the wrong members for each bridge.
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan10 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="vlan20 wl0.2"
nvram set lan2_ifname="br2"
nvram commit

# Restart eapd so it re-reads the lanN_* values.
sleep 1
killall eapd
sleep 3
eapd

Again, as before, disabling wireless encryption on the VAPs allows me to connect to them, and I get an IP on the respective subnet, meaning that the VLAN communication is working between pfsense -> managed switch -> AP. I have no problems with WPA2 encryption on the main wl0 and wl1 (br0) interfaces. I also have been editing all my files in nano on the router itself, so I don't think there should be any weird text file issues.
 
@john9527 @RMerlin To get VLANs to work on the AC68U, should I be setting the nvram variable ctf_disable_force=1? I notice this changes the robocfg ports from 8t to 5t; I see it referenced a lot in other threads.

I also don't see Port 5 showing up when I run robocfg show:
Code:
admin@RT-AC68U-3AD8:/jffs/scripts# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
It just goes from Port 4 to 8.
 
@john9527 I figured it out!!!! By taking the eapd binary from RMerlin's firmware and putting it in my bin directory, the wifi authentication started working! Is there any way to get this moved into a dev firmware? Thank you very much for your help through this!
 
That's interesting given that /bin is a read-only filesystem.
Yes, sorry, I should have corrected my post. I ran into that, so I dropped it in my jffs folder and then had my script point directly to it (e.g. /jffs/eapd). I also tried using 7zip to add the executable into the trx file, but that didn't work. If we could get the updated eapd into the dev builds, that would be awesome!
 

I wonder why you were able to use your pfsense VLAN setup before without disabling CTF. With CTF enabled, only 1 SSID/VLAN was working correctly for me. DHCP IPs were correctly assigned according to the VLAN, but traffic was tagged with the same VLAN regardless of which one it should be. I don't know the reason for sure, but I guess the CTF feature takes the first packet for analysis and then assumes that all traffic wants to be tagged with that VLAN, regardless of where it comes from. Maybe this is one of the "optimizations" to increase speed.

Since you are not NATing, you won't need that speedup.

You can find my post about that here: https://www.snbforums.com/threads/nat-acceleration-in-ap-mode.61993/#post-553991
 
That's interesting, I'll give it a try; maybe this eapd version also fixes my problem by supporting more than 5 VLANs.
 
