Open GoogleCodeExporter opened 8 years ago
I am afraid the current 2130 firmware can't do this.
Now the multi-VLAN function can only:
1. add a VLAN tag for WAN (NAT and ROUTING)
2. add a VLAN tag for VoIP WAN
3. add a VLAN tag for bridge LAN (LAN without tag ---> bridge to WAN and add tag)
If you can provide more information about your application, maybe we can try another way.
Original comment by jht...@gmail.com
on 7 Mar 2011 at 10:57
That's a bummer. It isn't a specific application; for education purposes I was setting up a three-leg firewall (Vyatta) at home, to gain some experience with IPv4/IPv6 in dual stack and DMZ zones etc.
The problem is that the ESX server which hosts some LAN machines, some DMZ machines and the virtual appliance is not located near the Vigor 2130. So I have a switch with an uplink to the Vigor. Since there are also some clients connected on the Vigor, I need at least 2 VLANs there.
I added a (quick) drawing of the logical and physical situation.
Is this VLAN support planned for a future release?
Can this be done through the CLI?
Original comment by robm...@gmail.com
on 8 Mar 2011 at 6:20
Maybe you need to try it by yourself.
The VLAN config files are /etc/config/switch/vlan and vlan_port.
But wrong settings will easily make the router go out of control.
You had better back up your configuration first.
I can provide you more information about the two config files if you want to do trial and error.
Original comment by jht...@gmail.com
on 9 Mar 2011 at 1:25
So if I understand correctly it is possible, but I need to figure out how? :-)
I have no problem with that, I will dive into it (I might even like it).
If you have some extra information, it is always welcome.
Thanks in advance.
Original comment by robm...@gmail.com
on 9 Mar 2011 at 1:53
root@Vigor2130:/# cat /etc/config/switch/vlan
1/60
2/2
(VLAN ID) / (mask) (x/x/LAN4/LAN3/LAN2/LAN1/WAN/x) 60 = 0x3c = 111100
1/60 means vid 1 is for LAN1-LAN4
2/2 means vid 2 is for WAN
You can add other VLAN IDs for specified ports.
root@Vigor2130:/# cat /etc/config/switch/vlan_port
1/0/0/0/2
2/0/0/0/1
3/0/0/0/1
4/0/0/0/1
5/0/0/0/1
6/0/0/0/1
(port)/(VLAN Aware)/(Ingress filter)/(Frame Type)/(VLAN ID)
port: 1: WAN, 2-5: LAN1-LAN4, 6: not used
VLAN Aware: aware of VLAN (turn this on and the port will bring the VLAN tag out; set vid = 0)
Ingress filter: 0: off, 1: on; only accept the VLANs belonging to this port
Frame Type: 0: Accept all frames, 1: Accept tagged frames only, 2: Accept untagged frames only
ex: 1/1/0/0/0, the WAN port will bring the tag out. The tag is defined in the interface name: eth1.10 (tag 10), eth1.2 (tag 2)
You can do /etc/init.d/vtss_appl restart to reinitialize the switch.
But a reboot will be better.
Before modifying the two files, you had better understand them first by configuring the multi-VLAN function in the Web UI and checking the result in the config files.
Good Luck! :)
Original comment by jht...@gmail.com
on 10 Mar 2011 at 3:30
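The two file formats described in the comment above, decoded by a small POSIX sh script. This is an added example, not code from the Vigor 2130 firmware or from anyone in this thread; the bit layout of the mask and the meaning of the five vlan_port fields are taken from the comment, while the consistency check at the end (`check_pvids`) is a hypothetical lint of my own, not something the firmware performs.

```shell
#!/bin/sh
# Added example (not Vigor 2130 firmware code and not from the thread's authors):
# a decoder for the two switch config files described above, so a setting can be
# read back and sanity-checked before the switch is reinitialized.
#
#   /etc/config/switch/vlan       one "vid/mask" per line; mask bit order (LSB first)
#                                 is x / WAN / LAN1 / LAN2 / LAN3 / LAN4 / x / x,
#                                 so 60 = 0x3c = 111100 = LAN1-LAN4 and 2 = WAN
#   /etc/config/switch/vlan_port  one "port/aware/ingress/frametype/pvid" per line;
#                                 port 1 = WAN, 2-5 = LAN1-LAN4, 6 = unused

# Print the member ports of one "vid/mask" line, e.g. "1/60" -> "vid 1: LAN1 LAN2 LAN3 LAN4".
decode_vlan_line() {
    vid=${1%%/*}
    mask=${1#*/}
    ports=""
    bit=1
    for name in x WAN LAN1 LAN2 LAN3 LAN4; do
        if [ "$name" != x ] && [ $(( mask & bit )) -ne 0 ]; then
            ports="$ports $name"
        fi
        bit=$(( bit << 1 ))
    done
    if [ -z "$ports" ]; then
        ports=" (no ports)"
    fi
    printf 'vid %s:%s\n' "$vid" "$ports"
}

# Print one "port/aware/ingress/frametype/pvid" line in words,
# e.g. "1/1/0/0/0" -> "WAN: aware=yes ingress=off frames=all pvid=0".
decode_vlan_port_line() {
    old_ifs=$IFS
    IFS=/
    set -- $1
    IFS=$old_ifs
    case $1 in
        1) pname=WAN ;;
        2) pname=LAN1 ;;
        3) pname=LAN2 ;;
        4) pname=LAN3 ;;
        5) pname=LAN4 ;;
        *) pname="port$1(unused)" ;;
    esac
    case $2 in 1) aware=yes ;; *) aware=no ;; esac
    case $3 in 1) ingress=on ;; *) ingress=off ;; esac
    case $4 in
        1) frames=tagged-only ;;
        2) frames=untagged-only ;;
        *) frames=all ;;
    esac
    printf '%s: aware=%s ingress=%s frames=%s pvid=%s\n' "$pname" "$aware" "$ingress" "$frames" "$5"
}

# Hypothetical consistency check (not something the firmware performs): report any
# PVID used in vlan_port that has no "vid/mask" entry in vlan, since untagged
# frames on that port would land in a VLAN with no defined membership.
# Arguments: the contents of the vlan file, then the contents of the vlan_port file.
check_pvids() {
    vlan_text=$1
    port_text=$2
    missing=""
    for line in $port_text; do
        pvid=${line##*/}
        case "$pvid" in 0) continue ;; esac   # pvid 0 = tag carried out, no untagged membership
        if ! printf '%s\n' "$vlan_text" | grep -q "^$pvid/"; then
            missing="$missing $pvid"
        fi
    done
    printf '%s' "${missing# }"
}

# Constructed sample: the default config quoted in the thread, plus a deliberately
# inconsistent extra line (pvid 7 with no vlan entry) to exercise the check.
SAMPLE_VLAN='1/60
2/2'
SAMPLE_VLAN_PORT='1/0/0/0/2
2/0/0/0/1
3/1/0/0/0
4/0/0/0/7'

for l in $SAMPLE_VLAN; do decode_vlan_line "$l"; done
for l in $SAMPLE_VLAN_PORT; do decode_vlan_port_line "$l"; done
echo "pvids without a vlan entry: $(check_pvids "$SAMPLE_VLAN" "$SAMPLE_VLAN_PORT")"
```

On the router itself the two functions would be fed with `cat /etc/config/switch/vlan` and `cat /etc/config/switch/vlan_port` instead of the constructed samples; running the decoder on the current files before editing them is a cheap way to confirm you read the mask the same way the firmware does.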
Thanks for the clear explanation, seems fairly easy.
I'm going to try it this weekend, only one question left:
Is it necessary to declare every VLAN as an interface, or is this only needed if you want to route on this interface (Layer 3)?
Original comment by robm...@gmail.com
on 11 Mar 2011 at 8:23
You only need the interface in Linux if you want to route on this interface.
Layer 2 packets only travel between switch ports.
Original comment by jht...@gmail.com
on 11 Mar 2011 at 2:06
Thanks for the explanation!
I had some spare time and the VLAN set-up is done and working correctly!
I only have one issue left: packets that I send to the Internet aren't coming back. I used tcpdump and I see the packets incoming with the proper (LAN) source and the destination on the Internet, but not one packet is coming back. I guess it has something to do with NAT, but I haven't figured it out yet.
For the curious ones, the configuration so far.
root@Gandalf:~# cat /etc/config/switch/vlan
2/2
5/32
10/60
20/0
root@Gandalf:~# cat /etc/config/switch/vlan_port
1/0/0/0/2
2/0/0/0/1
3/0/0/0/1
4/0/0/0/1
5/1/0/0/1
root@Gandalf:~# cat /etc/config/network
config interface loopback
    option ifname lo
    option proto static
    option ipaddr 127.0.0.1
    option netmask 255.0.0.0
config interface lan
    option ifname 'eth0.5'
    option proto static
    option ipaddr '172.16.1.254'
    option netmask '255.255.255.0'
    option detect 0
    option type 'bridge'
    option pppoe_pass 0
config interface wan
    option ifname 'eth1.2'
    option proto dhcp
    option hostname Gandalf
    option domain
    option detect 0
    option type 'bridge'
    option disable 0
config interface 3gwan
    option ifname ppp1
    option proto 3g
    option netmask '0.0.0.0'
    option device '/dev/ttyUSB0'
    option pincode ''
    option apn 'internet'
    option init_string1 'AT&F'
    option init_string2 'ATE0V1X1&D2&C1S0=0'
    option dial_string 'ATDT*99#'
    option username ''
    option password ''
    option backup '0'
Original comment by robm...@gmail.com
on 11 Mar 2011 at 6:49
I am not sure what you want.
But I can give you some hints.
Your configuration is different from our current design.
Now we assume our LAN/WAN interfaces are br-lan and br-wan in static IP mode.
You can check iptables to see if there are any wrong rules in it.
If you can get the packets by tcpdump, the switch settings should be no problem.
You just need to get the routing and iptables correct.
You can disable the Hardware NAT first and make sure all behavior is as expected.
Then check if the Hardware NAT engine still works.
Original comment by jht...@gmail.com
on 12 Mar 2011 at 2:02
It seems you're right, iptables is blocking the traffic.
I haven't found out why yet; iptables is kind of new to me.
After switching logging on, I see for example this entry:
iptables denied: IN=br-lan OUT=br-wan SRC=10.0.0.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=10454 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=134
I know I have to look in the FORWARD chain, but which rule or which included chain, I don't know yet.
Original comment by robm...@gmail.com
on 12 Mar 2011 at 8:54
I added a rule and the logging is going, but still no luck. It is very strange, because everything placed in the transit VLAN (5) is routed and processed correctly.
My FORWARD chain, so far:
root@Gandalf:~# iptables -L FORWARD
Chain FORWARD (policy DROP)
target            prot opt source       destination
ACCEPT            all  --  10.0.0.0/24  anywhere
ACCEPT            all  --  anywhere     BASE-ADDRESS.MCAST.NET/4
zone_3gwan_MSSFIX all  --  anywhere     anywhere
zone_wan_MSSFIX   all  --  anywhere     anywhere
DROP              all  --  anywhere     anywhere     state INVALID
LOG               all  --  anywhere     anywhere     limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
LOG               all  --  anywhere     anywhere     limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
ACCEPT            all  --  anywhere     anywhere     state RELATED,ESTABLISHED
forward           all  --  anywhere     anywhere
forwarding_rule   all  --  anywhere     anywhere
reject            all  --  anywhere     anywhere
Original comment by robm...@gmail.com
on 12 Mar 2011 at 9:13
A simple way to debug iptables:
Show the whole filter table:
iptables -nvL
Show the nat table (you also need to check this table):
iptables -nvL -t nat
The matched packet count will be shown in the first column.
Reset the counters with:
iptables -Z
Check which DROP rule blocks your packet first.
The -j LOG target can also help you to debug iptables.
Original comment by jht...@gmail.com
on 12 Mar 2011 at 11:56
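A companion to the debugging advice above: once `-j LOG` is in place, the denied lines pile up in the kernel log, and counting them by interface pair and source/destination shows which flow keeps hitting the drop rule (here, the subnet that still lacks a FORWARD or nat entry). This is an added example, not code from the thread or the firmware; it uses only the standard field names the iptables LOG target writes (IN, OUT, SRC, DST, PROTO), and the sample log lines are constructed from the one quoted earlier in the thread plus two made-up entries.

```shell
#!/bin/sh
# Added example (not from the thread's authors or the Vigor firmware): summarize the
# "iptables denied:" LOG lines the FORWARD chain emits, so the interface pair and
# source/destination that keep hitting the drop rule stand out. Field names
# (IN, OUT, SRC, DST, PROTO) are the standard ones the LOG target writes.

# Count denied flows per (IN, OUT, SRC, DST, PROTO); reads log text on stdin,
# prints "count in -> out src -> dst proto", most frequent first.
summarize_denied() {
    awk '
    /iptables denied:/ {
        in_if = out_if = src = dst = proto = "?"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue          # flags such as DF or SYN carry no value
            if (kv[1] == "IN") in_if = kv[2]
            else if (kv[1] == "OUT") out_if = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        count[in_if " -> " out_if " " src " -> " dst " " proto]++
    }
    END { for (k in count) print count[k] " " k }
    ' | sort -rn
}

# Count denied packets per source /24, which is the granularity at which the
# FORWARD and nat rules in this thread were added.
denied_by_source_net() {
    awk '
    /iptables denied:/ {
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 4) == "SRC=") {
                split(substr($i, 5), o, ".")
                nets[o[1] "." o[2] "." o[3] ".0/24"]++
            }
        }
    }
    END { for (k in nets) print nets[k] " " k }
    ' | sort -rn
}

# Constructed sample log: the line quoted in the thread plus two more made-up entries
# from the same LAN (198.51.100.7 is a documentation address). Real lines come from
# `logread` or the kernel log on the router.
SAMPLE_LOG='iptables denied: IN=br-lan OUT=br-wan SRC=10.0.0.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=10454 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=134
iptables denied: IN=br-lan OUT=br-wan SRC=10.0.0.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=10455 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=135
iptables denied: IN=br-lan OUT=br-wan SRC=10.0.0.40 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3321 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | summarize_denied
printf '%s\n' "$SAMPLE_LOG" | denied_by_source_net
```

Together with `iptables -nvL` and `iptables -Z` this gives two views of the same problem: the packet counters say which rule is dropping, and the log summary says which hosts and subnets are being dropped, so the missing FORWARD and nat entries can be added for exactly those networks.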
Thanks for the info about the nat table; until today I didn't even know that iptables could also take care of NAT.
So adding the two subnets which couldn't connect to the outside world to the FORWARD chain and to the nat table solved the problem!
Only one question left: how can I save the iptables configuration? I noticed that after a reboot, the table went back to its original state.
Thanks for your tremendous patience and for the clear explanation!!!
I learned a lot and I'm happy (again) with my Vigor 2130.
(still wondering what else is possible without the web interface ;-) )
Original comment by robm...@gmail.com
on 12 Mar 2011 at 7:09
Maybe you need to modify /etc/firewall.usr or /lib/firewall/uci_firewall.sh.
These files will be called when you do /etc/init.d/firewall restart.
But if you manually modify these files, they will be saved in your locally modified /jffs folder and won't be upgraded when a new firmware updates these files.
You need to compare and merge the differences between the new firmware files (in /rom) and your local modifications.
Original comment by jht...@gmail.com
on 14 Mar 2011 at 2:59
Hi there,
earlier you wrote:
1/0/0/0/2
2/0/0/0/1
3/0/0/0/1
4/0/0/0/1
5/0/0/0/1
6/0/0/0/1
(port)/(VLAN Aware)/(Ingress filter)/(Frame Type)/(VLAN ID)
Now I want to create 2 trunks for LAN ports 1 and 2, so that would be:
1/0/0/0/2
2/1/0/0/0
3/1/0/0/0
4/0/0/0/1
5/0/0/0/1
6/0/0/0/1
(port)/(VLAN Aware)/(Ingress filter)/(Frame Type)/(VLAN ID)
Do I stand correct?
You wrote:
VLAN Aware: aware of VLAN (turn this on and the port will bring the VLAN tag out; set vid = 0)
Original comment by kastele...@gmail.com
on 29 Mar 2012 at 6:29
Not really sure and I can't test it now, but I think every port always needs a VLAN ID, mostly so it knows what to do with "untagged" traffic.
Original comment by r...@progob.nl
on 29 Mar 2012 at 7:56
Tested the configuration as mentioned above.
It did solve my problem with DHCP from my Linux box on Wi-Fi.
The only thing that I would like is multi-SSID in different VLANs....
;-)
THX for pointing me in the right direction.
Original comment by kastele...@gmail.com
on 29 Mar 2012 at 7:01
Did you ever find a way to create multiple SSIDs on different VLANs?
I got my port VLANs set up but haven't had any success with the multiple wireless signals and VLANning those.
Original comment by XeroX1...@gmail.com
on 3 May 2012 at 12:49
Hi,
I want to add an interface to the WAN port so I have a switch on the WAN side.
How can I achieve this?
So WAN + LAN1 = switch for the WAN side
internal network = LAN2 + LAN3 + LAN4
Original comment by wimdevri...@gmail.com
on 15 Feb 2015 at 10:25
Original issue reported on code.google.com by
robm...@gmail.com
on 5 Mar 2011 at 3:49