Netgear DM200 Bridge with VLAN Tagging

Hi

I am trying to configure Internet access using an OpenWrt combo of a Netgear DM200 modem and a TP-Link Archer C7 v2. Both run stable OpenWrt 19.07.0. I am able to ping the modem at 192.168.2.1 through the router. I don't have an IT background and I need advice on how to set up the VLAN tagging on the Archer C7 and maybe more.

Network topology
ISP > Modem DM200 OpenWrt 192.168.2.1> Router ArcherC7 OpenWrt 192.168.1.1 >Devices

Objectives

  1. access Internet
  2. prevent LAN from leaking out the DSL interface (VLAN Tagging)
  3. optional: access modem through Router (to ease troubleshooting and updating)

Constraints

  1. I prefer to keep the router IP at 192.168.1.1

Network config of the DM200 DSL modem

root@DM200:~# cat /etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'secret'

config atm-bridge 'atm'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'
	option vci '35'
	option vpi '8'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr 'secret'

config interface 'wan_adsl'
	option type 'bridge'
	option ifname 'eth0 dsl0'
	option proto 'none'
	option auto '0'

config interface 'wan_vdsl'
        option type 'bridge'
        option ifname 'eth0 dsl0.101'
        option proto 'none'
        option auto '0'	

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr 'secret'

Network config of the Archer C7 router

root@ArcherC7:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'secret'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option password 'mysecret'
        option ipv6 'auto'
        option username 'mysecret'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option password 'mysecret'
        option ipv6 'auto'
        option username 'mysecret'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'adsl2_modem'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option ifname 'eth0.2'

Thank you in advance for the help.

Where is your LAN interface on C7? Should be eth1.1.

And what is the purpose of interface adsl2_modem on C7?

  1. LAN interface on C7 is indeed eth1.1. I added it to the original post.
  2. The purpose of interface adsl2_modem on C7 is to access the modem through the router. I followed this instruction and it works on my old modem. https://simplebeian.wordpress.com/2014/03/12/accessing-your-modem-from-openwrt-router/

Is there any necessity from your ISP to use a specific VLAN? I can see dsl0.101 already in place on DM200 and bridged with eth0, however wan interface on C7 is on eth0.2 and will just connect to the management IP of the DM200.

This is redundant. You have ipv6 auto option under wan already, so the wan_6 interface will be created automatically and run dhcpv6.

This is impossible anyway. In order to communicate with the other end you need to have a pppoe interface, which exists on C7.


To my knowledge, my ISP Monzoon doesn't require the use of a specific VLAN. Here is the link to the ISP DSL configuration: https://www.dsl.monzoon.net/support/faq/entry/17?lang=en

I followed the config from, which also operates a router behind the OpenWrt DM200 Modem. My understanding is that one VLAN gets me Internet access and the other VLAN allows me to access the GUI of the Router. What would you change?
https://forum.openwrt.org/t/dm200-transparent-bridge-access-to-management-interface/

Ok. Will remove interface 'wan6'

An issue is that the DM200 has a single Ethernet interface. I tried to follow https://openwrt.org/toh/netgear/dm200#bridged_mode_with_openwrt .

I hope I am expressing myself clearly, even though I don't fully understand the situation.

I would suggest to first reset the dm200 modem to defaults (firstboot) and configure it as router for testing, this should answer the question of what you need for your ISP (VLAN settings in particular). Once you've sorted that, you can reset it again and work on your preferred setup, refer to https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=266 (yes, different device, but relatively similar) for quite some configuration hints and tweaks.


My OpenWrt DM200 worked as modem/router before, so my DSL settings are correct. It has only 1 LAN while the BT Home Hub 5A mentioned in your link has 4.

Back to my original question: How should I set up the VLAN, mostly on my ArcherC7 router?

If you say that your ISP doesn't require specific VLAN IDs, the default config for VLANs should work out of the box.

You have already configured the management vlan 2.
On DM200 side you don't use vlan on the ethernet interface of the bridge. So doesn't it work if you use eth0 instead of eth0.2 on the C7?

The OpenWrt DM200 doesn't have any VLAN config out of the box. It has only 1 Ethernet port.


eth0.2 on the C7 didn't work. Would I need to change the Firewall settings of the DM200?

Ok let's try one more thing:
DM200: LAN interface, remove the bridge, use ifname eth0. wan_adsl and wan_vdsl use eth0.3 instead of eth0.
C7: wan at eth0.3 and add the following lines:

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1t 6t'

Ok. I changed it.

Result:

  1. What doesn’t work yet:
    • access internet
    • access modem through router
  2. What works:
    • access modem directly with a PC through the single Ethernet port of the modem. This is a big improvement over the earlier config, where I had to reset the DM200 to make changes.

Questions
3. Which firewall-zone should WAN_ADSL and WAN_VDSL on the DM200 be assigned to? Was unspecified. I changed it to wan.
4. What option ifname should config interface 'adsl2_modem' have? eth0.2 or eth0.3?

Thanks a lot for the help so far. Can I provide any other info that would help?

Post these configs from both devices to see where we stand.
uci export network; uci export firewall

I don't see any reason to keep the firewall on the DM200. These are bridges for passing the ethernet frames carrying the pppoe frame to the xDSL. Remove all zones and leave the defaults to ACCEPT.

eth0.2 untagged should be the right one.

@DM200:~#  uci export network; uci export firewall
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'secret'

config atm-bridge 'atm'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'
	option vci '35'
	option vpi '8'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr 'secret'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr 'secret'

config interface 'wan_adsl'
	option type 'bridge'
	option ifname 'eth0.3 dsl0'
	option proto 'none'
	option auto '0'

config interface 'wan_vdsl'
	option type 'bridge'
	option ifname 'eth0.3 dsl0.101'
	option proto 'none'
	option auto '0'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

And here the output from the archer c7. Additional info: From the archerc7 I can traceroute to the dm200 at 192.168.2.1

@ArcherC7:~#  uci export network; uci export firewall
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'secret'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.3'
	option proto 'pppoe'
	option password 'secret'
	option ipv6 'auto'
	option username 'some_numbers@bb.monzoon.net'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '1t 6t'

config interface 'dsl_modem'
	option proto 'static'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option ifname 'eth0.2'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan adsl2_modem'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	list device 'wlan1-1'
	option network 'lan'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option dest_port '53'
	option name 'Guest-DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'guest'
	option dest '*'

config rule
	option dest_port '67-68'
	option name 'Guest-DHCP'
	option dest 'lan'
	option target 'ACCEPT'
	option proto 'udp'
	option src 'guest'

config rule
	option dest_port '22 80 443'
	option name 'Guest-Drop-AP-Management'
	option proto 'tcp udp'
	option target 'DROP'
	option src 'guest'
	option dest_ip '192.168.1.1'

Remove the one you are not using.

Then restart the ppp and check the logs:
killall -HUP pppd ; logread -f | grep ppp

I disabled wan_vdsl by putting it into comments with # (I currently have ADSL and will switch to VDSL once the DM200 works).

Here are the logs from the Archer C7 connected to the DM200.

@ArcherC7:~#  killall -HUP pppd ; logread -f | grep ppp
Sat Jan 25 22:04:56 2020 daemon.warn pppd[2276]: Timeout waiting for PADO packets
Sat Jan 25 22:04:56 2020 daemon.err pppd[2276]: Unable to complete PPPoE Discovery
Sat Jan 25 22:04:56 2020 daemon.info pppd[2276]: Exit.
Sat Jan 25 22:04:56 2020 daemon.err insmod: module is already loaded - ppp_generic
Sat Jan 25 22:04:56 2020 daemon.err insmod: module is already loaded - pppox
Sat Jan 25 22:04:56 2020 daemon.err insmod: module is already loaded - pppoe
Sat Jan 25 22:04:56 2020 daemon.info pppd[2354]: Plugin rp-pppoe.so loaded.
Sat Jan 25 22:04:56 2020 daemon.info pppd[2354]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
Sat Jan 25 22:04:56 2020 daemon.notice pppd[2354]: pppd 2.4.7 started by root, uid 0
Sat Jan 25 22:05:11 2020 daemon.warn pppd[2354]: Timeout waiting for PADO packets

Then the loop repeats with the same messages

On C7 the configuration is correct according to the device page.

On DM200 is the bridge up? Because with auto 0 you don't bring up the interface on boot.


Fantastic! Now I have internet.

I changed 'wan_adsl' on the DM200 to option auto '1'.

Here is my config from the DM200:

@DM200:~# cat /etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'secret'

config atm-bridge 'atm'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'
	option vci '35'
	option vpi '8'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr 'secret'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr 'secret'

config interface 'wan_adsl'
	option type 'bridge'
	option ifname 'eth0.3 dsl0'
	option proto 'none'
	option auto '1'

What doesn't work yet is the optional objective of accessing the modem through the Router.
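
Two mismatches are visible in the exports posted in this thread: a modem bridge left at auto '0', and a router firewall zone that lists 'adsl2_modem' while the router's network config defines 'dsl_modem'. The script below is an added example that checks for both; it is not code from any poster or from OpenWrt, and lint_uci, the finding labels and the trimmed sample inputs are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the text printed by
# "uci export network; uci export firewall" on stdin, one finding per line:
#   AUTO_OFF <iface>             interface has auto 0, so it is not started at boot
#   UNKNOWN_IFACE <zone> <name>  zone lists a name with no interface section
lint_uci() {
    awk -v q="'" '
    { gsub(q, "") }                       # strip UCI quoting
    $1 == "package" { pkg = $2; next }
    $1 == "config" {
        type = $2; name = $3
        if (pkg == "network" && type == "interface") defined[name] = 1
        if (pkg == "firewall" && type == "zone") z++
        next
    }
    $1 != "option" && $1 != "list" { next }
    pkg == "network" && type == "interface" && $2 == "auto" && $3 == "0" {
        print "AUTO_OFF " name
    }
    pkg == "firewall" && type == "zone" && $2 == "name" { zname[z] = $3 }
    pkg == "firewall" && type == "zone" && $2 == "network" {
        for (i = 3; i <= NF; i++) { n++; ref[n] = $i; refzone[n] = z }
    }
    END {   # resolve at the end so section order does not matter
        for (i = 1; i <= n; i++)
            if (!(ref[i] in defined))
                print "UNKNOWN_IFACE " zname[refzone[i]] " " ref[i]
    }'
}

# Trimmed from the router export posted in this thread.
sample_c7() {
    cat <<'EOF'
package network
config interface 'lan'
config interface 'wan'
config interface 'dsl_modem'
package firewall
config zone
	option name 'wan'
	option network 'wan adsl2_modem'
EOF
}

# Trimmed from the modem export posted in this thread.
sample_dm200() {
    cat <<'EOF'
package network
config interface 'wan_adsl'
	option ifname 'eth0.3 dsl0'
	option auto '0'
EOF
}

sample_c7 | lint_uci; sample_dm200 | lint_uci
```

On a device, the same function can be fed live data with `{ uci export network; uci export firewall; } | lint_uci`.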