goalmarketing / vigor2130

Automatically exported from code.google.com/p/vigor2130

Creating VLANS on the Vigor 2130n #6

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Asking this here, because I don't know any other place where they might know the 
solution.

I have 3 vlans, 5, 10 and 20. 
I'd like to add these vlans to the Vigor 2130n.
The physical ports 1,2 and 3 should be placed in vlan 10 (untagged) and 
physical port 4 should be placed in vlan 5,10 and 20 (tagged/trunk).

The routing interface should be placed in vlan 5.

Is this possible with this router, and if so how, because the web interface is 
driving me nuts on this.

Thanks in advance.

Original issue reported on code.google.com by robm...@gmail.com on 5 Mar 2011 at 3:49

GoogleCodeExporter commented 8 years ago
I am afraid the current 2130 firmware can't do this.
Now the multi vlan function can only:
1. add a vlan tag for WAN (NAT and ROUTING)
2. add a vlan tag for VoIP WAN
3. add a vlan tag for bridge LAN (LAN without tag ---> bridge to WAN and add 
tag)

If you can provide more information about your application, maybe we can try 
another way. 

Original comment by jht...@gmail.com on 7 Mar 2011 at 10:57

GoogleCodeExporter commented 8 years ago
That's a bummer, it isn't a specific application, for education purposes I was 
setting up a three leg firewall (Vyatta) at home, to gain some experience with 
IPv4/IPv6 in dualstack and DMZ zones etc.

The problem is that the ESX server which hosts some LAN machines, some DMZ 
machines and the virtual appliance is not located near the Vigor 2130. So I 
have a switch with an uplink to the Vigor. Since there are also some clients 
connected to the Vigor, I need at least 2 vlans there.

I added a (quick) drawing of the logical and physical situation.

Is this vlan support planned for a future release?
Can this be done through the cli?

Original comment by robm...@gmail.com on 8 Mar 2011 at 6:20


GoogleCodeExporter commented 8 years ago
Maybe you need to try it by yourself.
The vlan config files are /etc/config/switch/vlan and vlan_port.
But wrong settings will easily put the router out of control.
You had better back up your configuration first.
I can provide you more information about the two config files if you want to do 
trial and error.

Original comment by jht...@gmail.com on 9 Mar 2011 at 1:25

GoogleCodeExporter commented 8 years ago
So if I understand correctly it is possible, but I need to figure out how? :-)

I have no problem with that, I will dive into it (I might even like it).

If you got some extra information it is always welcome.

Thanks in advance.

Original comment by robm...@gmail.com on 9 Mar 2011 at 1:53

GoogleCodeExporter commented 8 years ago
root@Vigor2130:/# cat /etc/config/switch/vlan
1/60
2/2

(VLAN ID) / (mask) (x/x/LAN4/LAN3/LAN2/LAN1/WAN/x) 60=0x3c= 111100

1/60 means vid 1 is for LAN1-LAN4
2/2 means vid 2 is for WAN

You can add other vlan id for specified port

root@Vigor2130:/# cat /etc/config/switch/vlan_port
1/0/0/0/2
2/0/0/0/1
3/0/0/0/1
4/0/0/0/1
5/0/0/0/1
6/0/0/0/1

(port)/(VLAN Aware)/(Ingress filter)/(Frame Type)/(VLAN ID)

port: 1: WAN, 2-5: LAN1-LAN4, 6: not used
VLAN Aware: aware of vlan (turn this on and the port will bring the vlan tag 
out; set vid = 0)
Ingress filter: 0: off, 1: on; only accept the vlans that belong to this port
Frame Type: 0: Accept all frames, 1: Accept tagged frames only, 2: Accept 
untagged frames only

ex: 1/1/0/0/0, the wan port will bring the tag out. The tag is defined in the 
interface eth1.10 (tag 10), eth1.2 (tag 2)

You can do /etc/init.d/vtss_appl restart to reinitialize the switch,
but a reboot will be better.

Before modifying the two files, you had better understand them first by 
configuring the multi vlan function in the Web UI
and checking the result in the config files.

Good Luck! :)

Original comment by jht...@gmail.com on 10 Mar 2011 at 3:30
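An added example, not code from the thread or from the router's own firmware, that encodes and decodes the two switch tables exactly as the comment above describes them: the vlan file's "vid/mask" lines with the (x/x/LAN4/LAN3/LAN2/LAN1/WAN/x) bit layout, and the vlan_port file's port/aware/ingress/frame-type/pvid lines. It also cross-checks the two files and warns when a port's PVID is not defined or the port is not a member of its own PVID, the kind of mismatch the comment warns can put the router out of reach. The bit positions, the port numbering and the layout of the original question (LAN1-LAN3 untagged in VLAN 10, LAN4 carrying 5, 10 and 20) are my reading of the comment, assumed rather than verified on hardware.

```python
"""Encode and decode the Vigor 2130 switch VLAN tables as described in the thread.
Added example; bit layout and port numbering are taken from the comment above
and are assumptions, not verified on hardware."""

# /etc/config/switch/vlan mask bits, from "(x/x/LAN4/LAN3/LAN2/LAN1/WAN/x)":
# bit 0 is the rightmost 'x', so WAN is bit 1 and LAN1..LAN4 are bits 2..5.
PORT_BITS = {"WAN": 1, "LAN1": 2, "LAN2": 3, "LAN3": 4, "LAN4": 5}
# /etc/config/switch/vlan_port port numbers: 1 is WAN, 2-5 are LAN1-LAN4, 6 unused.
PORT_INDEX = {"WAN": 1, "LAN1": 2, "LAN2": 3, "LAN3": 4, "LAN4": 5}
INDEX_PORT = {idx: name for name, idx in PORT_INDEX.items()}

# The two files exactly as quoted in the thread (default state).
THREAD_VLAN = "1/60\n2/2\n"
THREAD_VLAN_PORT = "1/0/0/0/2\n2/0/0/0/1\n3/0/0/0/1\n4/0/0/0/1\n5/0/0/0/1\n6/0/0/0/1\n"


def ports_to_mask(ports):
    """Member port names -> mask integer, e.g. LAN1-LAN4 -> 60 (0x3c, 0b111100)."""
    mask = 0
    for name in ports:
        mask |= 1 << PORT_BITS[name]
    return mask


def mask_to_ports(mask):
    """Mask integer -> member port names in bit order; unknown bits are ignored."""
    return [name for name, bit in sorted(PORT_BITS.items(), key=lambda kv: kv[1])
            if mask & (1 << bit)]


def parse_vlan_file(text):
    """'vid/mask' lines -> {vid: [member ports]}."""
    vlans = {}
    for line in text.splitlines():
        if line.strip():
            vid, mask = line.strip().split("/")
            vlans[int(vid)] = mask_to_ports(int(mask))
    return vlans


def render_vlan_file(vlans):
    """{vid: [member ports]} -> file text, one 'vid/mask' line per VLAN."""
    return "".join(f"{vid}/{ports_to_mask(ports)}\n" for vid, ports in sorted(vlans.items()))


def parse_vlan_port_file(text):
    """'port/aware/ingress/frametype/pvid' lines -> {port name: field dict}."""
    cfg = {}
    for line in text.splitlines():
        if line.strip():
            idx, aware, ingress, ftype, pvid = (int(x) for x in line.strip().split("/"))
            cfg[INDEX_PORT.get(idx, f"PORT{idx}")] = {
                "aware": aware, "ingress": ingress, "frame_type": ftype, "pvid": pvid}
    return cfg


def check_consistency(vlans, port_cfg):
    """Cross-check both files and return warnings (empty list means consistent)."""
    warnings = []
    for name, f in port_cfg.items():
        if name not in PORT_INDEX:          # e.g. the unused port 6
            continue
        pvid = f["pvid"]
        if pvid == 0:
            if not f["aware"]:
                warnings.append(f"{name}: pvid 0 on a VLAN-unaware port gives untagged frames no VLAN")
            continue
        if pvid not in vlans:
            warnings.append(f"{name}: pvid {pvid} is not defined in the vlan file")
        elif name not in vlans[pvid]:
            warnings.append(f"{name}: pvid {pvid} but the port is not a member of VLAN {pvid}")
    return warnings


# The layout asked for in the original question, as an assumed mapping:
# LAN1-LAN3 untagged in VLAN 10, LAN4 a member of 5, 10 and 20, WAN in VLAN 2.
SCENARIO_VLANS = {2: ["WAN"], 5: ["LAN4"], 10: ["LAN1", "LAN2", "LAN3", "LAN4"], 20: ["LAN4"]}
# Port lines for that layout: LAN1-LAN3 PVID 10, LAN4 VLAN-aware with PVID 0
# (the comment's "set vid = 0" for a port that brings tags out), WAN PVID 2.
SCENARIO_VLAN_PORT = "1/0/0/0/2\n2/0/0/0/10\n3/0/0/0/10\n4/0/0/0/10\n5/1/0/0/0\n6/0/0/0/1\n"

if __name__ == "__main__":
    print(render_vlan_file(SCENARIO_VLANS), end="")
    for w in check_consistency(SCENARIO_VLANS, parse_vlan_port_file(SCENARIO_VLAN_PORT)):
        print("warning:", w)
```

Run it before touching the router: render the vlan file you intend to write, run the consistency check against your planned vlan_port file, and only then copy the two files across, with the backup the comment recommends already taken.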

GoogleCodeExporter commented 8 years ago
Thanks for the clear explanation, seems fairly easy.

I'm going to try it this weekend, only one question left;
Is it necessary to declare every vlan as an Interface or is this only needed if 
you want to route on this interface (Layer3) ?

Original comment by robm...@gmail.com on 11 Mar 2011 at 8:23

GoogleCodeExporter commented 8 years ago
You only need the interface in Linux if you want to route on this interface. 
Layer 2 packets only travel within the switch.

Original comment by jht...@gmail.com on 11 Mar 2011 at 2:06

GoogleCodeExporter commented 8 years ago
Thanks for the explanation!

I had some spare time and the VLAN set-up is done and working correctly!

I only have one issue left: packets which I send to the Internet aren't coming 
back. I used tcpdump and I see the packets coming in with the proper (lan) 
source and the destination on the Internet, but not one packet comes back. 
I guess it has something to do with NAT, but I haven't figured it out yet.

For the curious ones, the configuration so far.
root@Gandalf:~# cat /etc/config/switch/vlan
2/2
5/32
10/60
20/0
root@Gandalf:~# cat /etc/config/switch/vlan_port
1/0/0/0/2
2/0/0/0/1
3/0/0/0/1
4/0/0/0/1
5/1/0/0/1
root@Gandalf:~# cat /etc/config/network
config interface loopback
        option ifname   lo
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0

config interface lan
        option ifname 'eth0.5'
        option proto static
        option ipaddr    '172.16.1.254'
        option netmask   '255.255.255.0'
        option detect    0
        option type      'bridge'
        option pppoe_pass 0

config interface wan
        option ifname 'eth1.2'
        option proto dhcp
        option hostname  Gandalf
        option domain
        option detect    0
        option type      'bridge'
        option disable   0

config interface 3gwan
        option ifname ppp1
        option proto 3g
        option netmask   '0.0.0.0'
        option device    '/dev/ttyUSB0'
        option pincode   ''
        option apn       'internet'
        option init_string1 'AT&F'
        option init_string2 'ATE0V1X1&D2&C1S0=0'
        option dial_string 'ATDT*99#'
        option username  ''
        option password  ''
        option backup '0'

Original comment by robm...@gmail.com on 11 Mar 2011 at 6:49

GoogleCodeExporter commented 8 years ago
I am not sure what you want.
But I can give you some hint.

Your configuration is different from our current design.
Now we assume our LAN/WAN interfaces are br-lan and br-wan in static ip mode.
You can check iptables for any wrong rules in it.

If you can get the packets with tcpdump, the switch settings should be no problem.
You just need to get the routing and iptables correct.

You can disable the Hardware NAT first. Make sure all behaviour is as expected.
Then check if the Hardware NAT engine still works.

Original comment by jht...@gmail.com on 12 Mar 2011 at 2:02

GoogleCodeExporter commented 8 years ago
It seems you're right, iptables is blocking the traffic. 
I haven't found out why yet; iptables is kind of new to me.

After switching logging on, I see for example this:
iptables denied: IN=br-lan OUT=br-wan SRC=10.0.0.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=10454 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=134

I know I have to look in the forward table, but which rule or which included 
chain, I don't know yet. 

Original comment by robm...@gmail.com on 12 Mar 2011 at 8:54

GoogleCodeExporter commented 8 years ago
I added a rule and the logging is going, but still no luck. It is very 
strange, because everything placed in the transit vlan (5) is routed and 
processed correctly.

My FORWARD chain, so far.
root@Gandalf:~# iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/24          anywhere
ACCEPT     all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
zone_3gwan_MSSFIX  all  --  anywhere             anywhere
zone_wan_MSSFIX  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forward    all  --  anywhere             anywhere
forwarding_rule  all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Original comment by robm...@gmail.com on 12 Mar 2011 at 9:13

GoogleCodeExporter commented 8 years ago
A simple way to debug iptables:

show the whole filter table
iptables -nvL
show the nat table (you also need to check this table)
iptables -nvL -t nat

The matched packet count is shown in the first column.
Reset the counters with
iptables -Z

Check which DROP rule blocks your packet first.
-j LOG can also help you debug iptables.

Original comment by jht...@gmail.com on 12 Mar 2011 at 11:56
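The two comments above show the "iptables denied:" LOG line and the counter-based way of finding the rule that drops a packet. As an added example (not from the thread and not part of the firmware), the script below parses such LOG lines as they appear in the kernel log, counts the dropped flows per in/out interface, source subnet and protocol, and lists the source subnets that none of the FORWARD chain's ACCEPT networks cover, which is exactly the gap the original poster closed by adding his two subnets. The first sample line is the one quoted in the thread; the other lines are constructed in the same format, with placeholder addresses, and the syslog prefix on them is assumed.

```python
"""Summarise 'iptables denied:' LOG lines to see which flows the FORWARD chain
drops. Added example; the sample log is constructed (first line from the thread)."""
import ipaddress
from collections import Counter

LOG_PREFIX = "iptables denied: "   # the prefix configured on the LOG rule

# Constructed sample: line 1 is the thread's own log line; the rest are made up
# in the same format (172.16.20.7 and 203.0.113.10 are placeholder addresses).
SAMPLE_LOG = """\
iptables denied: IN=br-lan OUT=br-wan SRC=10.0.0.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=10454 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=134
Mar 12 20:51:02 Gandalf kernel: iptables denied: IN=br-lan OUT=br-wan SRC=10.0.0.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=10455 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=135
Mar 12 20:51:03 Gandalf kernel: iptables denied: IN=br-lan OUT=br-wan SRC=172.16.20.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3421 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 12 20:51:04 Gandalf kernel: unrelated kernel message
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line, or None if it is not one."""
    pos = line.find(LOG_PREFIX)
    if pos < 0:
        return None
    fields = {}
    for token in line[pos + len(LOG_PREFIX):].split():
        if "=" not in token:       # bare flags such as DF or SYN carry no value
            continue
        key, value = token.split("=", 1)
        if key in fields:          # ICMP echo adds a second ID= after the IP header's
            key = key + "2"
        fields[key] = value
    return fields


def summarise_denied(log_text, prefixlen=24):
    """Count dropped flows keyed by (in-if, out-if, source /prefixlen, proto)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or "SRC" not in f:
            continue
        src_net = ipaddress.ip_network(f"{f['SRC']}/{prefixlen}", strict=False)
        counts[(f.get("IN", ""), f.get("OUT", ""), str(src_net), f.get("PROTO", "?"))] += 1
    return counts


def uncovered_sources(counts, accepted_nets):
    """Source networks from the denied log that no given ACCEPT network contains."""
    accepted = [ipaddress.ip_network(n) for n in accepted_nets]
    missing = set()
    for (_in, _out, src_net, _proto) in counts:
        net = ipaddress.ip_network(src_net)
        if not any(net.subnet_of(a) for a in accepted):
            missing.add(src_net)
    return sorted(missing)


if __name__ == "__main__":
    counts = summarise_denied(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(n, key)
    # The ACCEPT source network present in the FORWARD chain quoted in the thread.
    print("not covered:", uncovered_sources(counts, ["10.0.0.0/24"]))
```

Feed it the output of `logread` or `dmesg` from the router; the source networks it reports as not covered are the ones to compare against the FORWARD chain and the nat table, with `iptables -nvL` counters confirming which rule actually matched.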

GoogleCodeExporter commented 8 years ago
Thanks for the info about the nat table; till this day I didn't even know that 
iptables could also take care of nat.

So adding the two subnets which couldn't connect to the outside world to the 
FORWARD chain and to the nat table solved the problem!

Only one question left: how can I save the iptables configuration? I noticed 
that after a reboot the table went back to its original state.

Thanks for your tremendous patience and for the clear explanation!!!
I learned a lot and I'm happy (again) with my Vigor 2130.

(still wondering what else is possible without the web interface ;-) )

Original comment by robm...@gmail.com on 12 Mar 2011 at 7:09

GoogleCodeExporter commented 8 years ago
Maybe you need to modify /etc/firewall.usr or /lib/firewall/uci_firewall.sh;
these files are called when you do /etc/init.d/firewall restart.

But if you modify these files manually, they will be saved in your locally 
modified /jffs folder
and won't be upgraded when new firmware updates these files.

You need to compare and merge the differences between the new firmware file (in 
/rom) and your local modification.

Original comment by jht...@gmail.com on 14 Mar 2011 at 2:59

GoogleCodeExporter commented 8 years ago
Hi there,

earlier you wrote:

1/0/0/0/2
2/0/0/0/1
3/0/0/0/1
4/0/0/0/1
5/0/0/0/1
6/0/0/0/1

(port)/(VLAN Aware)/(Ingress filter)/(Frame Type)/(VLAN ID)

Now I want to create 2 trunks for lan ports 1 and 2, so that would be:

1/0/0/0/2
2/1/0/0/0
3/1/0/0/0
4/0/0/0/1
5/0/0/0/1
6/0/0/0/1

(port)/(VLAN Aware)/(Ingress filter)/(Frame Type)/(VLAN ID)

Am I correct?

You wrote:
VLAN Aware : aware of vlan (turn on this the port will bring vlan tag  out, set 
vid =0 )

Original comment by kastele...@gmail.com on 29 Mar 2012 at 6:29

GoogleCodeExporter commented 8 years ago
Not really sure and I can't test it now, but I think every port always needs a 
VLAN ID, mostly so it knows what to do with "untagged" traffic.

Original comment by r...@progob.nl on 29 Mar 2012 at 7:56

GoogleCodeExporter commented 8 years ago
Tested the configuration as mentioned above.
It did solve my problem with dhcp from my linux box on wifi.
The only thing that I would like is multiple SSIDs in different vlans....

;-)

THX for pointing me in the right direction

Original comment by kastele...@gmail.com on 29 Mar 2012 at 7:01

GoogleCodeExporter commented 8 years ago
Did you ever find a way to create multiple SSIDs on different vlans?

I've got my port vlans set up but haven't had any success with multiple wireless 
signals and vlanning those.

Original comment by XeroX1...@gmail.com on 3 May 2012 at 12:49

GoogleCodeExporter commented 8 years ago
Hi,
I want to add an interface to the WAN port so I have a switch on the WAN side.
how can I achieve this ?
So WAN + LAN1 = switch for WAN side
internal network = LAN2 + LAN3 + LAN4

Original comment by wimdevri...@gmail.com on 15 Feb 2015 at 10:25