Use LAN port 4 as private network

In that case I would consider changing the line vconfig add eth0 4 in the 1st script to vconfig add ppp0 4. Mind ya, I have been known to be wrong before.

Unfortunately it is not working.

I tried several times.

With this mod I receive no errors trying to execute it manually, so it's better than before, but I can't access the powerline wifi.

As soon as I switch the Ethernet cable to the LAN 3 port it works.

Any other idea where the problem could be located?
 
I don't know how, but with a series of reboots it seems I have activated vlan4 as the private network.

Clients are able to connect on powerline wifi and in the system log I see them on vlan4.

I don't see clients on the network map any more, even though they are connected and have access to the internet.
 
I got vlan4 working it is giving out ip addresses on the new ip range but unable to access the internet.

There is something missing in the instructions, because I have tried various things and none seem to work properly.

This should be easy to do, but clearly we are not setting something properly in the iptables section or another bridge needs to be created.

I also read that the order of the iptables statements matters.
 
Hi, what kind of internet connection do you have? And router?
 
Code:
admin@RT-AC66U:/jffs/scripts# robocfg show
Switch: enabled gigabit
Port 0:  100FD enabled stp: none vlan: 2 jumbo: on mac: 00:23:3e:76:43:a2
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: on mac: c8:60:00:9a:d1:71
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 00:30:18:a5:9d:22
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 8c:c8:cd:2d:98:1a
Port 4: 1000FD enabled stp: none vlan: 4 jumbo: on mac: 48:44:87:27:47:5e
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:1e:65:de:bc:aa
VLANs: BCM53115 enabled mac_check mac_hash
   1: vlan1: 1 2 3 8t
   2: vlan2: 0 8u
   4: vlan4: 4 8t
admin@RT-AC66U:/jffs/scripts#

nat-start
Code:
#!/bin/sh
# Move LAN port 4 out of the default VLAN (vlan1) into its own VLAN 4;
# port 8 (the switch's CPU-facing port) stays tagged in both
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 4 ports "4 8t"
# Create the tagged sub-interface vlan4 on the switch interface and give it
# the gateway address of the new subnet
vconfig add eth0 4
ifconfig vlan4 192.168.3.1 netmask 255.255.255.0 up
# Accept everything from vlan4 to the router itself (DHCP and DNS need this;
# note it also exposes the router's admin services to vlan4),
# allow vlan4 to open new connections towards the WAN side,
# and log-and-drop anything the main LAN (br0) tries to start towards vlan4
iptables -I INPUT -i vlan4 -j ACCEPT
iptables -I FORWARD -i vlan4 -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o vlan4 -j logdrop

dnsmasq.conf.add
Code:
# Serve DHCP on vlan4: pool .100-.200, 24h lease, option 3 = default gateway
interface=vlan4
dhcp-range=vlan4,192.168.3.100,192.168.3.200,255.255.255.0,86400s
dhcp-option=vlan4,3,192.168.3.1


Code:
admin@RT-AC66U:/tmp/home/root# iptables --list -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  vlan4  any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
  309 19676 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            state NEW
   24  1611 ACCEPT     all  --  br0    any     anywhere             anywhere            state NEW
    2    64 ACCEPT     igmp --  any    any     anywhere             base-address.mcast.net/4
    0     0 ACCEPT     udp  --  any    any     anywhere             base-address.mcast.net/4 udp dpt:!upnp
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    all  --  br0    vlan4   anywhere             anywhere
    0     0 ACCEPT     all  --  vlan4  vlan2   anywhere             anywhere            state NEW
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            TIME on all days WEBSTR match url serve.popads.net reject-with tcp-reset
    0     0 ACCEPT     udp  --  any    any     anywhere             base-address.mcast.net/4
    4   186 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    6   304 DROP       all  --  !br0   eth0    anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
    0     0 DROP       icmp --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            ctstate DNAT
    0     0 ACCEPT     all  --  br0    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 217 packets, 328K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FUPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain logdrop (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    0     0 DROP       all  --  any    any     anywhere             anywhere
admin@RT-AC66U:/tmp/home/root#
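Several posts in this thread report needing "a series of reboots" before port 4 actually lands in vlan4. The quickest way to know whether the switch side is right, before touching iptables, is to check the VLAN table that robocfg show prints. The script below is an added example, not code from the thread or from the Merlin firmware: it parses a constructed copy of the listing posted above (ROBOCFG_SAMPLE) and checks that a port is a member of exactly one VLAN. On a router you would replace the sample with the live output of robocfg show.

```shell
#!/bin/sh
# Added example: sanity-check the VLAN table printed by `robocfg show`.
# ROBOCFG_SAMPLE is a constructed copy of the listing from the thread;
# on the router use: ROBOCFG_SAMPLE=$(robocfg show)
ROBOCFG_SAMPLE='Switch: enabled gigabit
Port 0:  100FD enabled stp: none vlan: 2 jumbo: on mac: 00:23:3e:76:43:a2
Port 4: 1000FD enabled stp: none vlan: 4 jumbo: on mac: 48:44:87:27:47:5e
VLANs: BCM53115 enabled mac_check mac_hash
   1: vlan1: 1 2 3 8t
   2: vlan2: 0 8u
   4: vlan4: 4 8t'

# vlan_ports VID: print the port list of VLAN VID (e.g. "4 8t"); empty if absent.
vlan_ports() {
    printf '%s\n' "$ROBOCFG_SAMPLE" | awk -v vid="$1" '
        $2 == "vlan" vid ":" {
            for (i = 3; i <= NF; i++) printf "%s%s", (i > 3 ? " " : ""), $i
            print ""
        }'
}

# port_in_vlan PORT VID: succeed if PORT (untagged "4", tagged "4t" or "4u")
# is listed as a member of VLAN VID.
port_in_vlan() {
    for p in $(vlan_ports "$2"); do
        case "$p" in "$1"|"$1t"|"$1u") return 0 ;; esac
    done
    return 1
}

# vlans_of_port PORT: print every VLAN id whose member list contains PORT.
vlans_of_port() {
    printf '%s\n' "$ROBOCFG_SAMPLE" | awk -v port="$1" '
        $2 ~ /^vlan[0-9]+:$/ {
            vid = substr($2, 5, length($2) - 5)
            for (i = 3; i <= NF; i++)
                if ($i == port || $i == port "t" || $i == port "u")
                    out = out (out ? " " : "") vid
        }
        END { print out }'
}

# check_isolation PORT VID: succeed only if PORT is in VLAN VID and in no
# other VLAN, i.e. a host on that port cannot also be seen on the main LAN.
check_isolation() {
    members=$(vlans_of_port "$1")
    if [ "$members" = "$2" ]; then
        echo "ok: port $1 is only in vlan$2"
        return 0
    fi
    echo "warning: port $1 is in VLANs [$members], expected only vlan$2"
    return 1
}

# Demo: the sample listing has port 4 in vlan4 only.
check_isolation 4 4
```

Run it after nat-start has executed; if check_isolation reports port 4 in more than one VLAN (or still in vlan1), the robocfg lines did not take effect and no amount of iptables work will separate the two networks.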
 
Your configuration is obviously different than mine, but...

The first thing I'd try is changing
Code:
iptables -I FORWARD -i vlan4 -o vlan2 -m state --state NEW -j ACCEPT
to
Code:
iptables -I FORWARD -i vlan4 -m state --state NEW -j ACCEPT

vlan2 isn't the actual SVI, so it's probably breaking your connection

[edit] Though changing it to eth0 may do the trick
 
No go, tv plays for a minute then stops.

With your configuration, did you try:

Code:
iptables -I FORWARD -i vlan4 -o eth0 -m state --state NEW -j ACCEPT
or
Code:
iptables -I FORWARD -i vlan4 -o ppp0 -m state --state NEW -j ACCEPT
for PPP connections
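The earlier remark that "the order of the iptables statements matters" and the suggestion to change -o vlan2 to the real egress interface (eth0 or ppp0) are two sides of the same mechanism: iptables walks the FORWARD chain top to bottom and stops at the first match. The script below is an added example, not code from the thread or the firmware: it replays a constructed copy of the FORWARD chain from the iptables --list -v output posted above (FORWARD_SAMPLE) for a hypothetical new connection and reports which rule would catch it. It only simulates a new, unicast, non-DNAT packet and skips rules it cannot evaluate (conntrack states other than NEW, DNAT and the webstr URL match).

```shell
#!/bin/sh
# Added example: find the first FORWARD rule that a packet would hit.
# FORWARD_SAMPLE is a constructed copy of the chain posted in the thread.
FORWARD_SAMPLE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    all  --  br0    vlan4   anywhere             anywhere
    0     0 ACCEPT     all  --  vlan4  vlan2   anywhere             anywhere            state NEW
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            TIME on all days WEBSTR match url serve.popads.net reject-with tcp-reset
    0     0 ACCEPT     udp  --  any    any     anywhere             base-address.mcast.net/4
    4   186 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    6   304 DROP       all  --  !br0   eth0    anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
    0     0 DROP       icmp --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            ctstate DNAT
    0     0 ACCEPT     all  --  br0    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 217 packets, 328K bytes)'

# first_match IN OUT PROTO: print the target of the first FORWARD rule hit by
# a NEW, unicast, non-DNAT packet entering IN, leaving OUT, protocol PROTO.
# Prints "POLICY" when no rule matches, meaning the chain policy (DROP) applies.
# Simplifications: source/destination must be "anywhere"; rules that require
# RELATED/ESTABLISHED/INVALID state, ctstate DNAT or a WEBSTR match are skipped.
first_match() {
    printf '%s\n' "$FORWARD_SAMPLE" | awk -v in_if="$1" -v out_if="$2" -v proto="$3" '
        function ifmatch(rule, actual) {
            if (rule == "any") return 1
            if (substr(rule, 1, 1) == "!") return substr(rule, 2) != actual
            return rule == actual
        }
        /^Chain FORWARD/ { inchain = 1; next }
        /^Chain/         { inchain = 0 }
        inchain && $1 ~ /^[0-9]+$/ {
            rest = ""
            for (i = 10; i <= NF; i++) rest = rest " " $i
            if ($4 != "all" && $4 != proto) next
            if (!ifmatch($6, in_if) || !ifmatch($7, out_if)) next
            if ($8 != "anywhere" || $9 != "anywhere") next
            if (rest ~ /RELATED,ESTABLISHED|INVALID|ctstate DNAT|WEBSTR/) next
            print $3; found = 1; exit
        }
        END { if (!found) print "POLICY" }'
}

# Demo: the paths discussed in the thread.
for path in "vlan4 eth0 udp" "vlan4 vlan2 udp" "vlan4 ppp0 tcp" "br0 vlan4 tcp" "br0 eth0 tcp"; do
    set -- $path
    printf '%-6s -> %-6s %-4s : %s\n' "$1" "$2" "$3" "$(first_match "$1" "$2" "$3")"
done
```

Against the posted chain, a new DNS query from vlan4 towards eth0 never reaches the ACCEPT that names vlan2 and is caught by the "!br0 -> eth0" DROP rule instead, which is consistent with that rule's counter (6 packets) and the zero counter on the vlan2 ACCEPT. Naming the real egress interface fixes the match, but only because the script inserts with -I (top of chain); the same rule appended with -A would sit below that DROP and never fire, which is the ordering point made earlier in the thread.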
 
Thanks for these clear instructions on setting up a VLAN. Before running these scripts I want to have more info on the robocfg command. It seems this command is deprecated and I cannot find any details. Can somebody point me to more information on robocfg?

I appreciate your help
 
Thanks!

Just wanted to say thanks for posting this example - worked perfectly for me (N66U)!

I was able to create a VLAN on port 4 to connect through a Cisco SG200 switch to a Ubiquiti UAP-AC with multiple SSIDs for guest network purposes.
 
Thanks and dnsmasq

Very good information here about how to set up a VLAN on the ASUS N66U.

I followed this and it works fine while everything is up. However, during a reboot of the ASUS router, machines on the VLAN that are on DHCP request a new lease of their current IP address when the router is back up again. This happens before nat-start, and then they get "DHCPNack Wrong Network" back and get a 192.168.1.x address instead of the VLAN 192.168.2.x address.

This is logical, since vlan4 is not configured at the time they request a new lease. I am looking into how to solve this. Since it is probably not possible to do any modifications earlier in the startup sequence, before nat-start, perhaps it is possible to force all clients to renew their DHCP leases at the end of the nat-start script or similar. I wanted to share this info, and if you experience the same it would be nice to see how you solve it. An alternative is to run static addresses on the VLAN and not use DHCP, but I would like to avoid that. See the log below for an example:

Jan 1 01:00:07 syslogd started: BusyBox v1.20.2
..
Jan 1 01:00:08 kernel: eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.30.163.2002 (r382208)
Jan 1 01:00:09 kernel: device eth0 entered promiscuous mode
..
Jan 1 01:00:10 kernel: br0: port 1(vlan1) entering forwarding state
Jan 1 01:00:10 dnsmasq[342]: started, version 2.72test3 cachesize 1500
Jan 1 01:00:10 dnsmasq[342]: warning: interface vlan4 does not currently exist
..
Jan 1 01:00:10 dropbear[353]: Running in background
Jan 1 01:00:10 dnsmasq-dhcp[342]: DHCPREQUEST(br0) 192.168.2.100 00:11:22:33:44:55
Jan 1 01:00:10 dnsmasq-dhcp[342]: DHCPNACK(br0) 192.168.2.100 00:11:22:33:44:55 MyMachine Wrong Network

..
Jan 1 01:00:18 admin: Customized services start
Jan 1 01:00:19 kernel: Ebtables v2.0 registered
..
Jan 1 01:00:26 admin: Customized wan-start starts
..
Jan 1 01:00:26 dnsmasq[489]: started, version 2.72test3 cachesize 1500
Jan 1 01:00:26 dnsmasq[489]: warning: interface vlan4 does not currently exist
..
Jan 1 01:00:26 admin: Customized nat-start starts
Jan 1 01:00:26 admin: Setting vlan 1 ports
Jan 1 01:00:26 admin: Setting vlan 4 ports
Jan 1 01:00:26 admin: Adding eth0 to vlan 4
Jan 1 01:00:26 admin: Starting vlan4 on 192.168.2.1
Jan 1 01:00:26 admin: firewall-start initializing
Jan 1 01:00:27 admin: disabling all routing traffic trying to create connections from vlan4 to br0
 
You actually don't need a VLAN for Optik TV to work. Your TV stops because the multicast gets flooded to all the ports and WiFi. It works for a minute because of the unicast packets. For that to work you just have to turn on IGMP proxy (Multicast Routing) under LAN > IPTV, and it will work. Hope this helps.
 
Thanks a lot for this!
I modded my N66U as specified in the first post and, although I did not get a connection immediately, I saw that another user had multiple reboots before getting WAN on 192.168.85.x, so I persisted and rebooted a couple more times and voila!
One thing I find a little strange is that I can ping 192.168.85.1 from 192.168.0.x and 192.168.0.1 from 192.168.85.x (vice versa) - the good thing is that I cannot ping any other addresses between the 2 VLANs.

The impetus for this was to segregate a Clover Mini credit card processing terminal from the rest of our network in the hope of increasing security and simplifying PCI compliance. The Clover now appears to be isolated.

Thanks again to @sinshiva!

Asus RT-n66u HW Ver.: B1
Merlin: RT-N66U_380.63_2
 
Hi, I followed the instruction in the first post verbatim and everything worked the first time except DNS. The client computer cannot finish loading pages or just says that the name cannot be resolved. I am obviously missing something here. Can anyone suggest what I should look into to make DNS work on vlan4 devices?

Update: I did check "Connection Information" on the client and IP, router and DNS are all set properly. I can even ping google, yahoo, etc. by IP and by name (I guess their IPs are stored in the local cache). But I cannot browse any website: the pages just never finish loading.

Update #2: I checked on the router that dnsmasq listens on port 53 for both tcp and udp. The client computer can ping the router fine. Restarted the router several times as well.
 
I kept trying to figure out what is going on. Some web sites load but slowly, some never load. One that does not load is www.speedtest.net. I remove vlan4 and reboot the router and everything goes back to normal. Enable vlan4, reboot the router and www.speedtest.net no longer loads. This shows that this is not a cable/HW issue.
YouTube loads, but a little slowly, and then can play the videos; cnn.com loads and I can browse it, but slowly.
Is it possible that some slow external DNS servers are being used for vlan4 instead of those configured on the WAN page?

I would appreciate any feedback on how to troubleshoot this "somewhat working" setup...
 
Might have a use for this in the future when I'm going to reorganize my LAN. I have a plan to isolate my IoT devices and this seems like a valid plan for that.
 