vlan problem

bgsmith

Occasional Visitor
I am following the guidance in this thread on VLANs (http://www.snbforums.com/threads/fo...k-for-asus-merlin-rt-ac68u.18969/#post-143931) to accomplish the same goal, that is, to isolate the computers on port 4 on their own VLAN that cannot access the other VLANs except for the WAN gateway to the internet.

Hardware: ASUS RT-N66; Merlin 380.63_2.

The result from robocfg show prior to any changes is:
Code:
admin@RT-N66R:/jffs/scripts# robocfg show
Switch: enabled gigabit
Port 0:  100FD enabled stp: none vlan: 2 jumbo: off mac: xxx
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: cccc
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: vvv
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4:  100FD enabled stp: none vlan: 1 jumbo: off mac: bbb
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: nnn
VLANs: BCM53115 enabled mac_check mac_hash
   1: vlan1: 1 2 3 4 8t
   2: vlan2: 0 8u
When I put the following in firewall-start and reboot the router, all wired access stops working. Wireless access is fine.
Code:
#!/bin/sh
#
# Take port 4 out of vlan1 and put it in a new vlan10 (8t = tagged CPU port)
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 10 ports "4 8t"
# Create the vlan10 interface on eth0 and bring it up
vconfig add eth0 10
ifconfig vlan10 up
# Attach vlan10 to the LAN bridge br0
brctl addif br0 vlan10
# ebtables rules intended to keep vlan10 away from the rest of the bridge
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.100.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP
If I enter these commands manually via SSH, the wired network fails at:
Code:
brctl addif br0 vlan10

Any insights on where my mistake is?

thanks

Brad

Why are you bridging VLAN10 to br0? VLAN10 should be isolated, right? Now you merge them with VLAN1 and Wi-Fi.

I am far from an expert with VLAN configuration. My understanding is that the bridge br0 is needed to get the vlan10 traffic connected to the WAN, with the ebtables statements in place to route the packets appropriately.

Is there a better approach?

Brad
No need to add it to br0. Keep vlan10 separate, with its own subnet, different from the rest. If you want clients on vlan10 to have internet access, set up iptables masquerade for the vlan10 subnet. If you want traffic routed between VLANs, then set up rules with iptables.

Thanks for the information. I have been looking for specific information on iptables masquerade for VLANs and am not finding what I need. Would you by chance have a link to a suitable reference or example?

thanks

Brad
You can start with these two rules; they enable traffic from vlan10 -> router and allow forwarding of traffic coming from vlan10. Masquerade is not needed, I guess. Normally it's enabled for all source interfaces.

iptables -I INPUT -i vlan10 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan10 -j ACCEPT

For more info, Google iptables. There is a lot of information.

But before using iptables, first set up an IP address and netmask on interface vlan10. You can use ifconfig.
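Putting the advice in the replies above together (own subnet on vlan10, no bridge to br0, iptables for router access, forwarding and NAT), here is a complete firewall-start as an added example. It is not code from the thread and not from Asuswrt-Merlin; the port numbers come from the OP's robocfg output and vlan10 on eth0 from the OP's script, while the 192.168.10.0/24 subnet, the chain names GUEST_IN/GUEST_FWD and the DRY_RUN preview mode are assumptions made for this example. It also goes one step further than the two rules suggested above: instead of accepting all NEW traffic from vlan10 into the router, it only lets guests reach DHCP and DNS on the router, so the web UI and SSH stay out of reach from port 4. Merlin passes the WAN interface name to firewall-start as $1; off the router (no robocfg on the machine) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: /jffs/scripts/firewall-start
# for an isolated guest VLAN on LAN port 4. Assumed for this example: port numbers from
# the OP's robocfg output, vlan10 on eth0 as in the OP's script, the 192.168.10.0/24
# subnet, the chain names GUEST_IN/GUEST_FWD, and $1 being the WAN interface.

GUEST_VID=10
GUEST_IF="vlan$GUEST_VID"
GUEST_GW=192.168.10.1
GUEST_MASK=255.255.255.0
GUEST_NET=192.168.10.0/24

# Execute a command, or print it when DRY_RUN is set (arguments containing spaces
# are shown quoted so the preview can be pasted back into a shell).
run() {
    if [ -z "${DRY_RUN:-}" ]; then
        "$@"
        return
    fi
    line=""
    for arg in "$@"; do
        case $arg in
            *" "*) line="$line '$arg'" ;;
            *)     line="$line $arg" ;;
        esac
    done
    printf '%s\n' "${line# }"
}

switch_setup() {
    # Take port 4 out of vlan1 and give it its own VLAN; 8t is the tagged CPU port.
    run robocfg vlan 1 ports "1 2 3 8t"
    run robocfg vlan "$GUEST_VID" ports "4 8t"
}

interface_setup() {
    # Routed, not bridged: vlan10 gets its own address and is never added to br0,
    # so the switch VLAN alone keeps its layer-2 traffic away from the rest of the LAN.
    [ -e "/sys/class/net/$GUEST_IF" ] || run vconfig add eth0 "$GUEST_VID"
    run ifconfig "$GUEST_IF" "$GUEST_GW" netmask "$GUEST_MASK" up
}

firewall_setup() {
    wan_if=$1
    # Private chains, recreated on every run: firewall-start is re-run whenever
    # Merlin rebuilds the firewall, and -D before -I keeps the hooks from piling up.
    for chain in GUEST_IN GUEST_FWD; do
        run iptables -N "$chain" 2>/dev/null
        run iptables -F "$chain"
    done
    run iptables -D INPUT -i "$GUEST_IF" -j GUEST_IN 2>/dev/null
    run iptables -I INPUT -i "$GUEST_IF" -j GUEST_IN
    run iptables -D FORWARD -i "$GUEST_IF" -j GUEST_FWD 2>/dev/null
    run iptables -I FORWARD -i "$GUEST_IF" -j GUEST_FWD
    run iptables -D FORWARD -o "$GUEST_IF" -j GUEST_FWD 2>/dev/null
    run iptables -I FORWARD -o "$GUEST_IF" -j GUEST_FWD

    # Router-facing: guests only get DHCP and DNS from the router, nothing else
    # (no web UI, no SSH from the guest VLAN).
    run iptables -A GUEST_IN -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
    run iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
    run iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
    run iptables -A GUEST_IN -j DROP

    # Forwarded: guest -> WAN only. Replies return via the state rule; new connections
    # from br0/Wi-Fi or from the WAN into the guest VLAN are dropped.
    run iptables -A GUEST_FWD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A GUEST_FWD -i "$GUEST_IF" -o "$wan_if" -j ACCEPT
    run iptables -A GUEST_FWD -j DROP

    # Merlin normally masquerades everything leaving the WAN already; this makes it
    # explicit for the guest subnet (check with: iptables -t nat -S POSTROUTING).
    run iptables -t nat -D POSTROUTING -s "$GUEST_NET" -o "$wan_if" -j MASQUERADE 2>/dev/null
    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$wan_if" -j MASQUERADE
}

main() {
    wan_if=${1:-$(nvram get wan0_ifname 2>/dev/null)}
    [ -n "$wan_if" ] || wan_if=${DRY_RUN:+WAN_IF}   # placeholder when only previewing
    if [ -z "$wan_if" ]; then
        echo "firewall-start: WAN interface unknown, pass it as \$1" >&2
        return 1
    fi
    switch_setup
    interface_setup
    firewall_setup "$wan_if"
}

# Off the router (no robocfg) this is a preview only: commands are printed, not run.
command -v robocfg >/dev/null 2>&1 || DRY_RUN=1
main "$@"
```

Because vlan10 is never added to br0, no ebtables rules are needed: the switch keeps port 4 out of vlan1 at layer 2, and everything else goes through the router and the iptables chains above. Guests still need addresses; on Merlin 380.x the usual way (again an assumption of this example, not something the thread covers) is to add `interface=vlan10` and a `dhcp-range=vlan10,192.168.10.100,192.168.10.200,255.255.255.0,12h` line to /jffs/configs/dnsmasq.conf.add and run `service restart_dnsmasq`. After applying, check the result with `robocfg show` (port 4 should now be listed under vlan10 only), `iptables -S GUEST_IN GUEST_FWD`, and from a client on port 4 confirm that the internet works while pinging a host on the main LAN and opening the router's web UI both fail.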