Fiber ISP needs VLAN Tagging on the wan

First of all, I'm using the exact same configuration I've been using with my previous fiber internet provider I had in Europe. And that worked great!

virtual box on a computer with 2 NIC
1 NIC for WAN
1 NIC for LAN
behind the LAN comes a switch to connect the network

VirtualBox as a virtual router for the whole LAN (the reason for this is openVPN performance; no router out there under 1000 USD can beat the performance of a 300 USD computer when it comes to openVPN!)

Now I have a new ISP and they have some EXTREMELY WEIRD stuff..

It's not like a fiber endpoint connecting directly to your hardware; instead they have a fiber endpoint with an integrated router, and behind that they put another router, so my router would be behind that router..

Very weird, Malaysian MAXIS ..

Anyway, I read on the internet people used openWRT here in Malaysia using their PPPoE login data (why would any ISP use PPPOE? In Europe I just hooked up my router with DHCP and DHCPv6 and case closed, works)

But here they want PPPoE

On top of that, for whatever reason they want VLAN Tagging on the WAN as well...

Although I literally copy paste what seems to work for others, doesn't work for me!

This is what my /etc/config/network looks like:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda3:28c1:7b39::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '172.22.68.1'
	option netmask '255.255.0.0'
	option ip6assign '60'

config interface 'wan'
	option type 'bridge'
	option ifname 'eth0.621'
	option proto 'pppoe'
	option username '@home.maxis.com.my'
	option password '*'
	option keepalive '1'
	option ipv6 '0'

username and password are correct I copied these from their router.

I really tried everything! Literally,..

So can it be that openWRT with VirtualBox is causing a problem here?
If you need any more information how to debug this, I'd really love to hear.

The reason is I need to use IPv6, but like all bad providers they don't offer prefix delegation, so what my server gets is just 1 single IPv6 address, and internally I have to set up my own IPv6 and somehow NAT IPv6 outbound. Yeah, this defies any logic on IPv6, but it is as it is: my openWRT gets just a single IPv6 address :(

The router I got from the ISP I have no control over it. In fact, it is 100% monitored by the ISP all the time and they have admin access to the router and thus my private network.

So I really want to take out this crap system where everyone from the ISP has the right and possibility to just login to my network without even the need for hacking because they just have full control over my private network.

Any ideas?

No just no. Call someone at the ISP and tell them you want a /56 or /60 prefix for ipv6

Beyond that, you are using a bridge for your wan, that seems wrong.

Yes, I know the bridge setting is wrong. Without it the eth0 keeps going down and up non-stop..
Adding the "bridge" type prevents this and keeps the interface alive.

Don't ask me where I got this info, but one of the 1000+ comments I read suggested if the interface keeps
going up and down you simply add switch and that's true, adding switch works.. keeps the interface alive.

If I remember correctly, you also need to configure the VLAN on the switch.

Try adding
option pppd_options 'debug'
under the config interface 'wan' section, and run the command "logread -e pppd" to see what happens.

I'm not sure how virtualbox handles VLAN tagging on an Ethernet port. Obviously you need to either grant the OpenWrt guest OS rather direct and exclusive control of the port hardware, or configure some sort of virtual switch in the hypervisor.

Thanks for your suggestions, going to try them.

But I noticed the following messages when booting the virtual openwrt router:

8021q: adding vlan 0 to HW filter on device eth0
8021q: adding vlan 0 to HW filter on device eth1

I guess, if I could change this 0 into 621 my problem is solved.

Where in the openWRT is this setting? So at boot I can change it to 621?

I added the eth0.621 and eth0.821 (which is used as well, although I have no idea what for, maybe IPTV or something else I would guess), but using the eth0.621 somehow still doesn't give me a tagged interface, it seems.

btw there is NO "switch" configuration page available in LUCI using eth0 and eth1.
So I can't use that either.

Although in the interfaces the LUCI does recognize the eth0.621 as a VLAN, but I assume it's not tagged and that's the problem remaining, or more simple: find a way to get the boot VLAN 0 to HW filter changed to 621.

Sat Dec 29 01:23:41 2018 daemon.debug pppd[7328]: Send PPPOE Discovery V1T1 PADI session 0x0 length 4
Sat Dec 29 01:23:41 2018 daemon.debug pppd[7328]:  dst ff:ff:ff:ff:ff:ff  src b0:be:76:91:26:9f
Sat Dec 29 01:23:41 2018 daemon.debug pppd[7328]:  [service-name]
Sat Dec 29 01:23:46 2018 daemon.debug pppd[7328]: Send PPPOE Discovery V1T1 PADI session 0x0 length 4
Sat Dec 29 01:23:46 2018 daemon.debug pppd[7328]:  dst ff:ff:ff:ff:ff:ff  src b0:be:76:91:26:9f
Sat Dec 29 01:23:46 2018 daemon.debug pppd[7328]:  [service-name]
Sat Dec 29 01:23:51 2018 daemon.debug pppd[7328]: Send PPPOE Discovery V1T1 PADI session 0x0 length 4
Sat Dec 29 01:23:51 2018 daemon.debug pppd[7328]:  dst ff:ff:ff:ff:ff:ff  src b0:be:76:91:26:9f
Sat Dec 29 01:23:51 2018 daemon.debug pppd[7328]:  [service-name]
Sat Dec 29 01:23:55 2018 daemon.warn pppd[7226]: Timeout waiting for PADO packets
Sat Dec 29 01:23:55 2018 daemon.err pppd[7226]: Unable to complete PPPoE Discovery
Sat Dec 29 01:23:55 2018 daemon.info pppd[7226]: Exit.
Sat Dec 29 01:23:55 2018 daemon.info pppd[7947]: Plugin rp-pppoe.so loaded.
Sat Dec 29 01:23:55 2018 daemon.info pppd[7947]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
Sat Dec 29 01:23:55 2018 daemon.notice pppd[7947]: pppd 2.4.7 started by root, uid 0
Sat Dec 29 01:23:56 2018 daemon.warn pppd[7328]: Timeout waiting for PADO packets
Sat Dec 29 01:23:56 2018 daemon.err pppd[7328]: Unable to complete PPPoE Discovery
Sat Dec 29 01:23:56 2018 daemon.info pppd[7328]: Exit.
Sat Dec 29 01:23:56 2018 daemon.info pppd[8059]: Plugin rp-pppoe.so loaded.
Sat Dec 29 01:23:56 2018 daemon.info pppd[8059]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
Sat Dec 29 01:23:56 2018 daemon.notice pppd[8059]: pppd 2.4.7 started by root, uid 0
Sat Dec 29 01:23:56 2018 daemon.debug pppd[8059]: Send PPPOE Discovery V1T1 PADI session 0x0 length 4
Sat Dec 29 01:23:56 2018 daemon.debug pppd[8059]:  dst ff:ff:ff:ff:ff:ff  src b0:be:76:91:26:9f
Sat Dec 29 01:23:56 2018 daemon.debug pppd[8059]:  [service-name]
Sat Dec 29 01:24:01 2018 daemon.debug pppd[8059]: Send PPPOE Discovery V1T1 PADI session 0x0 length 4
Sat Dec 29 01:24:01 2018 daemon.debug pppd[8059]:  dst ff:ff:ff:ff:ff:ff  src b0:be:76:91:26:9f
Sat Dec 29 01:24:01 2018 daemon.debug pppd[8059]:  [service-name]
Sat Dec 29 01:24:06 2018 daemon.debug pppd[8059]: Send PPPOE Discovery V1T1 PADI session 0x0 length 4
Sat Dec 29 01:24:06 2018 daemon.debug pppd[8059]:  dst ff:ff:ff:ff:ff:ff  src b0:be:76:91:26:9f
Sat Dec 29 01:24:06 2018 daemon.debug pppd[8059]:  [service-name]
Sat Dec 29 01:24:10 2018 daemon.warn pppd[7947]: Timeout waiting for PADO packets
Sat Dec 29 01:24:10 2018 daemon.err pppd[7947]: Unable to complete PPPoE Discovery
Sat Dec 29 01:24:10 2018 daemon.info pppd[7947]: Exit.
Sat Dec 29 01:24:10 2018 daemon.info pppd[8667]: Plugin rp-pppoe.so loaded.
Sat Dec 29 01:24:10 2018 daemon.info pppd[8667]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
Sat Dec 29 01:24:11 2018 daemon.notice pppd[8667]: pppd 2.4.7 started by root, uid 0
Sat Dec 29 01:24:11 2018 daemon.warn pppd[8059]: Timeout waiting for PADO packets
Sat Dec 29 01:24:11 2018 daemon.err pppd[8059]: Unable to complete PPPoE Discovery
Sat Dec 29 01:24:11 2018 daemon.info pppd[8059]: Exit.
Sat Dec 29 01:24:11 2018 daemon.info pppd[8778]: Plugin rp-pppoe.so loaded.
Sat Dec 29 01:24:11 2018 daemon.info pppd[8778]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
Sat Dec 29 01:24:11 2018 daemon.notice pppd[8778]: pppd 2.4.7 started by root, uid 0
Sat Dec 29 01:24:11 2018 daemon.debug pppd[8778]: Send PPPOE Discovery V1T1 PADI session 0x0 length 4
Sat Dec 29 01:24:11 2018 daemon.debug pppd[8778]:  dst ff:ff:ff:ff:ff:ff  src b0:be:76:91:26:9f
Sat Dec 29 01:24:11 2018 daemon.debug pppd[8778]:  [service-name]
Sat Dec 29 01:24:16 2018 daemon.debug pppd[8778]: Send PPPOE Discovery V1T1 PADI session 0x0 length 4
Sat Dec 29 01:24:16 2018 daemon.debug pppd[8778]:  dst ff:ff:ff:ff:ff:ff  src b0:be:76:91:26:9f
Sat Dec 29 01:24:16 2018 daemon.debug pppd[8778]:  [service-name]

I'm not sure how it works but the problem is in the Host OS not the OpenWrt. Basically the host needs to give OpenWrt the whole device.

Ah, so bridged networking in the virtualbox.. and then assigning the VLAN ID in the openwrt guest ..
means the VLAN ID gets lost because the VirtualBox can't handle this?

"grant the OpenWrt guest OS rather direct and exclusive control of the port hardware"
Any ideas how to do that?

Is the host windows or Linux?

Host is Server 2012 R2. Could turn it into Linux and run the 2012R2 under Virtualbox.

I'd love to have my virtual router doing the WAN; it's isolated from the OS, but with a potent CPU no router out there offers!

BUT, I just tried the suggestions I got here from openWRT forums on VLAN tagging on my WRT1900ACS and on that one the connection runs perfect!

I get IPv4, IPv6 with dhcpv6-pd with proper prefix delegation but on the /64 and I would love to have a /60 if possible but /64 will do as well I guess.

Anyway, openwrt on a real hardware router works!

If too much work to get it to work under virtualbox+windows I'll just let the WRT1900ACS handle the internet and forward the openVPN to my virtual router to have the fast VPN performance of that one..

ORRR, I'll try wireguard, but I haven't got that running EVER!

Everyone says a much weaker router with wireguard still outperforms openVPN on a XEON processor, but the point is, although everyone keeps claiming how easy wireguard is, I actually find it impossible. Never got it to work.

With openVPN I just followed a tutorial once 10 years ago and never found it a problem. Straightforward logic, easy configuration, works out of the box.

wireguard somehow is just impossible to do for me.

But I might just go for that, and try to figure it out this time to replace openVPN altogether.

Currently my setup is
172.22.50.0/16
to
172.22.70.0/16

and with openVPN I just use the tap (not the tunnel), so it's a layer 2 network combined together..
so even broadcasting works, although I don't necessarily need that.

I understood wireguard doesn't work like that. It needs a layer 3, so
172.22.56.0/24
to
172.22.70.0/24

layer 3 so I have to set the routing for each wireguard connection, correct?

I searched google to find proper tutorials on wireguard, but I really didn't find any fool-proof beginner's guide on wireguard..

Anyway, drifting off-topic here.. just wrote my own thoughts...sometimes it helps writing down the thoughts...

anyway, the problem is indeed with the virtualbox devices.. the VLAN tagging doesn't seem to work in virtualbox.

At least with all your help I narrowed down the issue.

I don't know enough about virtual box esp under windows, but the general idea would be to tell virtual box to give your VM a bridged device so that whatever packets it sends get put on the wire. I know virtual box has a pull down where you can configure the type of network adapter, see if changing it to some other type helps.

Under kvm libvirt has virtio paravirtualized devices and that would probably be the way to go. But virtual box on windows... No idea sorry.

Another option if you can't make virtual box work is to use your WRT device as an AP and set up the switch to handle the tags.

why no switch page? ... was going to point to the CPU columns there with relation to their respective vlans....

It's an x86 inside a virtual box so there is no switch, hence no switch page

yup..... some windows drivers have the capability to tag, assuming you're using separate physical interfaces, which is almost obligatory for a wan link.... then switch as mentioned above.....

wireshark and a splitter will be your friend ;) plug it in on both sides of your upstream device.... you might find it's tagging for you already....
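
Added example (not part of any post in this thread): a check for what the capture suggested above would show. It parses raw Ethernet frames, reads the 802.1Q tag if one is present and names the PPPoE discovery code, so you can tell whether the PADIs seen in the pppd log leave with VLAN 621. The frames, the MAC address and the helper names are constructed for illustration; 621 is the VLAN ID from the thread.

```python
import struct

ETH_P_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETH_P_PPPOE_DISC = 0x8863  # PPPoE discovery stage
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

def classify_frame(frame: bytes):
    """Return (vlan_id or None, PPPoE discovery code name or None) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan_id = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    if ethertype != ETH_P_PPPOE_DISC:
        return vlan_id, None
    if len(frame) < offset + 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, _session, _length = struct.unpack_from("!BBHH", frame, offset)
    if ver_type != 0x11:  # version 1, type 1 ("V1T1" in the pppd log)
        raise ValueError("unexpected PPPoE version/type")
    return vlan_id, PPPOE_CODES.get(code, f"code 0x{code:02x}")

def build_padi(src_mac: bytes, vlan_id=None) -> bytes:
    """Construct a PADI like the one pppd logs: session 0x0, length 4, empty Service-Name."""
    header = b"\xff" * 6 + src_mac
    if vlan_id is not None:
        header += struct.pack("!HH", ETH_P_8021Q, vlan_id)
    pppoe = struct.pack("!BBHH", 0x11, 0x09, 0, 4) + struct.pack("!HH", 0x0101, 0)
    return header + struct.pack("!H", ETH_P_PPPOE_DISC) + pppoe

def summarize(frames, expected_vid):
    """Count discovery frames per (vlan, code); report PADIs on the expected VLAN and any PADO."""
    counts = {}
    for frame in frames:
        vid, code = classify_frame(frame)
        if code:
            counts[(vid, code)] = counts.get((vid, code), 0) + 1
    tagged_ok = counts.get((expected_vid, "PADI"), 0) > 0
    got_offer = any(code == "PADO" for _vid, code in counts)
    return counts, tagged_ok, got_offer

# Constructed sample: three PADIs that reached the wire without the 802.1Q tag.
SRC = bytes.fromhex("020000000001")  # constructed locally administered MAC
CAPTURE = [build_padi(SRC) for _ in range(3)]
```

Feed `summarize` the raw frames from a capture taken on the wire side of the host NIC. PADIs counted under `None` instead of 621 mean the tag was stripped before the frame left the machine.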

Thanks for the suggestions. I figured I go for the solution from Dlakelan!

Using my WRT device now for the tagging. I was using it as AP only, but I guess it'll serve the tagging purpose as well while services I can still run on my xeon run virtual box to get the performance I need for encryption.

Thanks for the help and suggestions! Really appreciated.

Thanks again to the openWRT community, I could solve the issue. Many thanks to eduperez, leeandy, mk24, dlakelan, wulfy23 for joining the discussion and helping to find a solution. I put a summary here with the 3 working solutions and marked it as solved. All 3 I tested and they work; it took me some time to test them all. I went for the first one because I had that WRT device running 24/7 already anyway.

Solution 1:

Solution 2:

Solution 3 (This might be the easiest and first solution if you need to buy a small new equipment, the splitter which I had around anyway but very cheap compared to a wrt device, to get it done, wireshark was easy to setup) :
