wrong VLAN tags going out


Frantisek Brabec

Occasional Visitor
Hi all, I'll try to be brief.

I have AC3100 in AP mode with 2 guest WIFIs. I want each guest WIFI to go out over the WAN port on its own VLAN (I am using IDs 9 and 10). To that end, I have /jffs/scripts/services-start script as shown below. When a client connects to WIFI wl0.2, it is assigned 192.168.11.11 in the example below but its traffic is sometimes tagged with 9 and sometimes with 10 as shown by Wireshark (the last number is the VLAN ID):

192.168.11.11 192.168.1.251 TCP 64 53542 → 80 [SYN] Seq=0 Win=5744 Len=0 MSS=1436 10
... then fraction of a second later ...
192.168.11.11 192.168.1.251 TCP 64 53542 → 80 [ACK] Seq=151 Ack=280 Win=5465 Len=0 9

Correspondingly, routing/FW based on VLAN on the other end (pfSense) doesn't work. Does anyone know how to correct this? Thanks.

===

robocfg vlan 9 ports "4t 8t"
vconfig add eth0 9
ifconfig vlan9 up

robocfg vlan 10 ports "4t 8t"
vconfig add eth0 10
ifconfig vlan10 up

brctl addbr br1
brctl delif br0 wl0.1
brctl delif br0 wl0.2

brctl addif br1 wl0.1
brctl addif br1 vlan9
ifconfig br1 up

brctl addbr br2
brctl addif br2 wl0.2
brctl addif br2 vlan10
ifconfig br2 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan9 wl0.1"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="vlan10 wl0.2"
nvram set lan2_ifname="br2"
nvram commit
killall eapd
eapd
 

grifo

Senior Member
Try to disable HW NAT acceleration (CTF), see this post and the ones following.
 

Frantisek Brabec

Occasional Visitor
Thanks, I tried

nvram set ctf_disable_force=1
nvram set ctf_disable=1

and then even some of the voodoo from the last post in that thread (move killall eapd around, ap_isolate, etc) but to no avail.
 

grifo

Senior Member
Have you rebooted the AP after the change?
 

Frantisek Brabec

Occasional Visitor
> Have you rebooted the AP after the change?

I did after adding the ctf disable lines and moving the killall command around. Not after the ap_isolate, etc that only appeared out of the blue in the last post and that nobody talked about before that, for that I just restarted eapd. Thanks.
 

grifo

Senior Member
OK, the important line is "nvram set ctf_disable_force=1" and it needs a reboot. CTF turned on in AP mode with multiple VLANs causes exactly the type of problem you are seeing.

Can you post "robocfg show" and "brctl show"?
 

Frantisek Brabec

Occasional Visitor
> OK, the important line is "nvram set ctf_disable_force=1" and it needs a reboot. CTF turned on in AP mode with multiple VLANs causes exactly the type of problem you are seeing.
>
> Can you post "robocfg show" and "brctl show"?

Thanks so much for trying to take me through this.

I have added

nvram set ctf_disable_force=1

to the script I posted earlier, I also triggered this command in shell, restarted eapd and then rebooted the whole router. The good news is that it did something because now none of my clients want to connect to any of the SSIDs. I guess it's also the bad news...

Edit a few mins later:

So trying to bring things back to where they were I removed the line from the startup script and rebooted the Asus again. I guess the value was still committed to nvram at that point though so when it came back up, it was still set to =1. However, this time around the connectivity looks much better, dare I say it works? Too early to tell long term. Also, don't know why after one reboot it doesn't work at all and after two it's running like a champ (for now).

Will keep an eye on it but so far so good (knock on wood!). Thanks again.

===
[email protected]:/tmp/home/root# robocfg show
Switch: enabled
Port 0: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:e0:67:1f:95:da
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 18:b4:30:26:c5:9a
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 70:8b:cd:cd:f3:68
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 3 4 5 7 8t
2: vlan2: 8u
9: vlan9: 4t 8t
10: vlan10: 4t 8t
===
[email protected]:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.708bcdcdf368       no              vlan1
br1             8000.708bcdcdf368       no              wl0.1
                                                        vlan9
br2             8000.708bcdcdf368       no              wl0.2
                                                        vlan10
 

grifo

Senior Member
Glad you got it working and (knock on wood) it should stick.

Yes you didn't have to add that line to your script, it just needs to be set once in the shell.

EDIT: as for why it didn't work after the first reboot it was probably one of the other commands you had put in.
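
A way to check from the upstream side of the trunk whether the tagging problem described in this thread is really gone, as an added example that is not part of any post: the function reads "source IP, VLAN ID" pairs, such as those printed by `tshark -T fields -e ip.src -e vlan.id`, and reports every source address seen with more than one tag. The function names, the capture file name and the sample rows (apart from the 192.168.11.11 pair quoted in the first post) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag source IPs whose frames carry more than one 802.1Q tag.
# Input: one "SRC_IP VLAN_ID" pair per line (tab or space separated), e.g.
#   tshark -r trunk.pcap -Y "vlan && ip" -T fields -e ip.src -e vlan.id
# (trunk.pcap is a placeholder name for a capture taken on the trunk port).

find_vlan_flapping() {
    awk '
        NF < 2 { next }                  # row without an IP or without a tag
        {
            split($2, tags, ",")         # stacked tags arrive comma-joined
            tag = tags[1]                # compare the outer tag only
            key = $1 SUBSEP tag
            if (key in seen) next        # this IP/VLAN pair is already known
            seen[key] = 1
            count[$1]++
            if ($1 in ids) ids[$1] = ids[$1] "," tag
            else           ids[$1] = tag
        }
        END {
            for (ip in count)
                if (count[ip] > 1)
                    printf "%s seen on VLANs %s\n", ip, ids[ip]
        }
    ' | sort
}

# Constructed sample: the wl0.2 client from the first post (tagged 10, then 9)
# plus a hypothetical wl0.1 client that stays on VLAN 9.
sample_rows() {
    cat <<'EOF'
192.168.11.11	10
192.168.11.11	9
192.168.11.11	10
192.168.10.23	9
192.168.10.23	9
EOF
}

sample_rows | find_vlan_flapping
```

An empty result over a capture that covers several client sessions means each guest address stayed on one VLAN, so per-VLAN firewall rules on pfSense see the traffic they were written for.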
 