Hi all,
Please help me understand some of the settings behind VLAN tagging and bridging...
I have an AC68U rev1 (running Merlin 386.5_2)
Am trying to config as a WAP with:
- tagged VLAN50 for WLAN users
- tagged VLAN60 for WLAN guests
- LAN ports disabled
- Web GUI & SSH on the WAN port
- WAN port is connected to a Palo Alto firewall to sort out the tagged VLAN traffic and handle security
I've switched to Router mode because I wasn't getting anywhere in AP mode but that doesn't seem to help, just confused me more by adding interfaces eth0.501, eth0.502, eth1.501, eth1.502, eth2.501, eth2.502.
I assigned an IP address to each VLAN
Code:
ifconfig vlan50 10.0.50.2 netmask 255.255.255.0
ifconfig vlan60 10.0.60.2 netmask 255.255.255.0
When I try to ping, only lo and lo:0 interfaces get replies... not even when I ping from the respective VLAN or bridge on which they're on.
Here's some config output:
Code:
brctl show
bridge name     bridge id               STP enabled     interfaces
br0             800.3497f65e3900        yes             vlan1
br1             800.3497f65e3901        yes             vlan50
                                                        eth1
                                                        eth2
br2             800.3497f65e3905        yes             vlan60
                                                        eth0.501
                                                        eth0.502
                                                        wl0.1
Code:
robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 5c:58:e6:3a:ee:31
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 98:e7:43:df:2f:5c
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 9c:eb:e8:39:8b:21
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 34:97:f6:5e:39:00
Port 7: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 3 4 5t
2: vlan2: 0 5
50: vlan50: 0t 1t 2t 3t 4t 5t
60: vlan60: 0t 1t 2t 3t 4t 5t
501: vlan501: 0t 1t 2t 3t 4t 5t
502: vlan502: 0t 1t 2t 3t 4t 5t
Port 5 is all traffic destined to the CPU, right? Are ports 7 & 8 useful for anything?
How do I set the WAN port (0) to be the trunk port and ensure traffic from VLANs 50 & 60 is properly tagged?
For debug purposes I tried setting Port 3 to VLAN50 and Port 4 to VLAN60 and then doing a packet capture on the PA FW but while packets come in from the WAN port, all traffic appears untagged. What am I missing, please?
My target IP Schema:
Code:
VLAN50 (also tried as eth0.50) - ip: 10.0.50.2/24 gateway: 10.0.50.1 (sub-interface on PA FW)
VLAN60 (also tried as eth0.60) - ip: 10.0.60.2/24 gateway: 10.0.60.1 (sub-interface on PA FW)
VLAN1 - ip: 192.168.1.1/24 gateway: 192.168.100.129
I understand VLAN1 is for LAN, so eventually ports 1-4 will be removed, right?
VLAN2 is for internet access, so no planned changes there, yes?
So should Port 0 be removed from VLAN1?
Thanks in advance
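An added example, not part of the original post: a shell/awk check that reads `robocfg show` output and reports where the switch VLAN table departs from an intended trunk design. It assumes port 0 is the intended trunk and port 5 is the CPU port; the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit the VLAN table printed by `robocfg show`.
# Assumptions (not confirmed in the post): port 0 is the intended trunk and
# port 5 is the CPU port, so VLANs 50 and 60 should sit only on 0t and 5t.

# Sample input: the VLAN table from the post, embedded so this runs offline.
sample_vlans() {
cat <<'EOF'
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 0 5
  50: vlan50: 0t 1t 2t 3t 4t 5t
  60: vlan60: 0t 1t 2t 3t 4t 5t
 501: vlan501: 0t 1t 2t 3t 4t 5t
 502: vlan502: 0t 1t 2t 3t 4t 5t
EOF
}

# audit_vlans "<vids>" "<allowed ports>"
# Reads robocfg output on stdin and prints one finding per line:
#   EXTRA          a checked VLAN is present on a port outside the allowed set
#   UNTAGGED       a checked VLAN leaves an allowed port without its 802.1Q tag
#   MULTI-UNTAGGED a port is an untagged member of more than one VLAN
audit_vlans() {
  awk -v vids="$1" -v allowed="$2" '
    BEGIN {
      n = split(vids, a, " ");    for (i = 1; i <= n; i++) want[a[i]] = 1
      n = split(allowed, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1
    }
    # VLAN rows look like "50: vlan50: 0t 1t ..."; a trailing t means tagged.
    $1 ~ /^[0-9]+:$/ && $2 ~ /^vlan[0-9]+:$/ {
      vid = $1; sub(/:$/, "", vid)
      for (i = 3; i <= NF; i++) {
        port = $i; tagged = sub(/t$/, "", port)
        if (!tagged) { untagged[port] = untagged[port] " " vid; ucount[port]++ }
        if (vid in want) {
          if (!(port in ok)) print "EXTRA vlan" vid " port " port
          else if (!tagged)  print "UNTAGGED vlan" vid " port " port
        }
      }
    }
    END {
      for (p in ucount)
        if (ucount[p] > 1) print "MULTI-UNTAGGED port " p ":" untagged[p]
    }' | sort
}

sample_vlans | audit_vlans "50 60" "0 5"
```

On the router itself the same check would be fed with `robocfg show | audit_vlans "50 60" "0 5"`; an empty result means the table matches the assumed design.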