Iraw
January 15, 2020, 3:10pm
1
Hi
I am trying to configure Internet access using an OpenWrt combo of a Netgear DM200 modem and a TP-Link Archer C7 v2. Both run stable OpenWrt 19.07.0. I am able to ping the modem at 192.168.2.1 through the router. I don't have an IT background and I need advice on how to set up the VLAN tagging on the Archer C7 and maybe more.
Network topology
ISP > Modem DM200 OpenWrt 192.168.2.1> Router ArcherC7 OpenWrt 192.168.1.1 >Devices
Objectives
access Internet
prevent LAN from leaking out the DSL interface (VLAN Tagging)
optional: access modem through Router (to ease troubleshooting and updating)
Constraints
I prefer to keep the router IP at 192.168.1.1
Network config of the DM200 DSL modem
root@DM200:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'secret'
config atm-bridge 'atm'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
option vci '35'
option vpi '8'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.2'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_eth0_dev'
option name 'eth0'
option macaddr 'secret'
config interface 'wan_adsl'
option type 'bridge'
option ifname 'eth0 dsl0'
option proto 'none'
option auto '0'
config interface 'wan_vdsl'
option type 'bridge'
option ifname 'eth0 dsl0.101'
option proto 'none'
option auto '0'
config device 'wan_dsl0_dev'
option name 'dsl0'
option macaddr 'secret'
Network config of the Archer C7 router
root@ArcherC7:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'secret'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'pppoe'
option password 'mysecret'
option ipv6 'auto'
option username 'mysecret'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'pppoe'
option password 'mysecret'
option ipv6 'auto'
option username 'mysecret'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
config interface 'adsl2_modem'
option proto 'static'
option ipaddr '192.168.2.2'
option netmask '255.255.255.0'
option ifname 'eth0.2'
Thank you in advance for the help.
Hegabo
January 15, 2020, 3:19pm
2
Where is your LAN interface on C7? Should be eth1.1.
And what is the purpose of interface adsl2_modem on C7?
trendy
January 15, 2020, 4:42pm
4
Is there any necessity from your ISP to use a specific VLAN? I can see dsl0.101 already in place on DM200 and bridged with eth0, however wan interface on C7 is on eth0.2 and will just connect to the management IP of the DM200.
Iraw:
config interface 'wan6'
This is redundant. You have ipv6 auto option under wan already, so the wan_6 interface will be created automatically and run dhcpv6.
This is impossible anyway. In order to communicate with the other end you need to have a pppoe interface, which exists on C7.
2 Likes
Iraw
January 15, 2020, 7:24pm
5
To my knowledge, my ISP Monzoon doesn't require to use a specific VLAN. Here the link to the ISP DSL configuration https://www.dsl.monzoon.net/support/faq/entry/17?lang=en
I followed the config from, which also operates a router behind the OpenWrt DM200 Modem. My understanding is that one VLAN gets me Internet access and the other VLAN allows me access the GUI of the Router. What would you change?
https://forum.openwrt.org/t/dm200-transparent-bridge-access-to-management-interface/
Ok. Will remove interface 'wan6'
An issue is that the DM200 has a single Ethernet interface. I tried to follow https://openwrt.org/toh/netgear/dm200#bridged_mode_with_openwrt .
I hope I am expressing myself clearly, even though I don't fully understand the situation.
slh
January 15, 2020, 9:32pm
6
I would suggest to first reset the DM200 modem to defaults (firstboot) and configure it as a router for testing; this should answer the question of what you need for your ISP (VLAN settings in particular). Once you've sorted that, you can reset it again and work on your preferred setup, refer to https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=266 (yes, different device, but relatively similar) for quite some configuration hints and tweaks.
1 Like
Iraw
January 16, 2020, 7:41am
7
My OpenWrt DM200 worked as modem/router before, so my DSL settings are correct. It has only 1 LAN while the BT Home Hub 5A mentioned in your link has 4.
Back to my original question: How should I set up the VLAN, mostly on my ArcherC7 router?
Hegabo
January 16, 2020, 9:01am
8
If you say that your ISP doesn't require specific VLAN IDs, the default config for VLANs should work out of the box.
trendy
January 16, 2020, 10:38am
9
You have already configured the management vlan 2.
On DM200 side you don't use vlan on the ethernet interface of the bridge. So doesn't it work if you use eth0 instead of eth0.2 on the C7?
Iraw
January 17, 2020, 2:28pm
10
The OpenWrt DM200 doesn't have any VLAN config out of the box. It has only 1 Ethernet port.
1 Like
Iraw
January 17, 2020, 2:29pm
11
eth0.2 on the C7 didn't work. Would I need to change the Firewall settings of the DM200?
trendy
January 17, 2020, 11:09pm
12
Ok let's try one more thing:
DM200: LAN interface, remove the bridge, use ifname eth0. wan_adsl and wan_vdsl use eth0.3 instead of eth0.
C7: wan at eth0.3 and add the following lines:
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '1t 6t'
Iraw
January 21, 2020, 10:37pm
13
Ok. I changed it.
Result:
What doesn’t work yet:
access internet
access modem through router
What works:
access modem directly with a PC through the single Ethernet port of the modem. This is a big improvement over the earlier config, where I had to reset the DM200 to make changes.
Questions
3. Which firewall-zone should WAN_ADSL and WAN_VDSL on the DM200 be assigned to? Was unspecified. I changed it to wan.
4. What option ifname should config interface 'adsl2_modem' have? eth0.2 or eth0.3?
Thanks a lot for the help so far. Can I provide any other info that would help?
trendy
January 22, 2020, 10:00am
14
Post these configs from both devices to see where we stand.
uci export network; uci export firewall
Iraw:
Which firewall-zone should WAN_ADSL and WAN_VDSL on the DM200 be assigned to? Was unspecified. I changed it to wan.
I don't see any reason to keep the firewall on the DM200. These are bridges for passing the ethernet frames carrying the pppoe frame to the xDSL. Remove all zones and leave the defaults to ACCEPT.
Iraw:
What option ifname should config interface 'adsl2_modem' have? eth0.2 or eth0.3?
eth0.2 untagged should be the right one.
Iraw
January 22, 2020, 12:54pm
15
@DM200:~# uci export network; uci export firewall
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'secret'
config atm-bridge 'atm'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
option vci '35'
option vpi '8'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config interface 'lan'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_eth0_dev'
option name 'eth0'
option macaddr 'secret'
config device 'wan_dsl0_dev'
option name 'dsl0'
option macaddr 'secret'
config interface 'wan_adsl'
option type 'bridge'
option ifname 'eth0.3 dsl0'
option proto 'none'
option auto '0'
config interface 'wan_vdsl'
option type 'bridge'
option ifname 'eth0.3 dsl0.101'
option proto 'none'
option auto '0'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
Iraw
January 22, 2020, 1:21pm
16
And here the output from the archer c7. Additional info: From the archerc7 I can traceroute to the dm200 at 192.168.2.1
@ArcherC7:~# uci export network; uci export firewall
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'secret'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.3'
option proto 'pppoe'
option password 'secret'
option ipv6 'auto'
option username 'some_numbers@bb.monzoon.net'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '1t 6t'
config interface 'dsl_modem'
option proto 'static'
option ipaddr '192.168.2.2'
option netmask '255.255.255.0'
option ifname 'eth0.2'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan adsl2_modem'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option forward 'REJECT'
option name 'guest'
option output 'ACCEPT'
list device 'wlan1-1'
option network 'lan'
config forwarding
option dest 'wan'
option src 'guest'
config rule
option dest_port '53'
option name 'Guest-DNS'
option target 'ACCEPT'
option proto 'tcp udp'
option src 'guest'
option dest '*'
config rule
option dest_port '67-68'
option name 'Guest-DHCP'
option dest 'lan'
option target 'ACCEPT'
option proto 'udp'
option src 'guest'
config rule
option dest_port '22 80 443'
option name 'Guest-Drop-AP-Management'
option proto 'tcp udp'
option target 'DROP'
option src 'guest'
option dest_ip '192.168.1.1'
trendy
January 22, 2020, 1:30pm
17
Iraw:
wan_adsl
wan_vdsl
Remove the one you are not using.
Then restart the ppp and check the logs:
killall -HUP pppd ; logread -f | grep ppp
Iraw
January 25, 2020, 9:20pm
18
I disabled wan_vdsl by putting it into comments with # (I currently have ADSL and will switch to VDSL once the DM200 works).
Here are the logs from the Archer C7 connected to the DM200.
@ArcherC7:~# killall -HUP pppd ; logread -f | grep ppp
Sat Jan 25 22:04:56 2020 daemon.warn pppd[2276]: Timeout waiting for PADO packets
Sat Jan 25 22:04:56 2020 daemon.err pppd[2276]: Unable to complete PPPoE Discovery
Sat Jan 25 22:04:56 2020 daemon.info pppd[2276]: Exit.
Sat Jan 25 22:04:56 2020 daemon.err insmod: module is already loaded - ppp_generic
Sat Jan 25 22:04:56 2020 daemon.err insmod: module is already loaded - pppox
Sat Jan 25 22:04:56 2020 daemon.err insmod: module is already loaded - pppoe
Sat Jan 25 22:04:56 2020 daemon.info pppd[2354]: Plugin rp-pppoe.so loaded.
Sat Jan 25 22:04:56 2020 daemon.info pppd[2354]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
Sat Jan 25 22:04:56 2020 daemon.notice pppd[2354]: pppd 2.4.7 started by root, uid 0
Sat Jan 25 22:05:11 2020 daemon.warn pppd[2354]: Timeout waiting for PADO packets
Then the loop repeats with the same messages
trendy
January 25, 2020, 10:24pm
19
On C7 the configuration is correct according to the device page.
On DM200 is the bridge up? Because with auto 0 you don't bring up the interface on boot.
1 Like
Iraw
January 26, 2020, 8:04am
20
Fantastic! Now I have internet.
I changed 'wan_adsl' on the DM200 to option auto '1'.
Here is my config from the DM200:
@DM200:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'secret'
config atm-bridge 'atm'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
option vci '35'
option vpi '8'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config interface 'lan'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_eth0_dev'
option name 'eth0'
option macaddr 'secret'
config device 'wan_dsl0_dev'
option name 'dsl0'
option macaddr 'secret'
config interface 'wan_adsl'
option type 'bridge'
option ifname 'eth0.3 dsl0'
option proto 'none'
option auto '1'
What doesn't work yet is the optional objective of accessing the modem through the Router.
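Added example, not part of the thread or of OpenWrt: a shell check over the text of `uci export network; uci export firewall` that reports interfaces no firewall zone covers and zone entries naming an interface that is not defined. In the Archer C7 export posted above, the wan zone lists adsl2_modem while the interface is defined as dsl_modem, so that interface falls under the firewall defaults rather than the wan zone. The function names, the UNZONED/DANGLING labels and the sample (trimmed from that export) are this example's own.

```shell
#!/bin/sh
# Added example: cross-check firewall zones against network interfaces.
# Reads the text of `uci export network; uci export firewall` on stdin.
audit_zones() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    # Record the networks of the zone section that just ended.
    function flush(   i, n, parts) {
        if (sect != "zone") return
        n = split(nets, parts, " ")
        for (i = 1; i <= n; i++) { covered[parts[i]] = 1; zoneof[parts[i]] = zname }
    }
    $1 == "package" { flush(); sect = ""; pkg = $2; next }
    $1 == "config" {
        flush(); sect = $2; zname = "(unnamed)"; nets = ""
        if (pkg == "network" && sect == "interface") iface[unq($3)] = 1
        next
    }
    pkg == "firewall" && sect == "zone" && ($2 == "name" || $2 == "network") {
        val = $0
        sub(/^[ \t]*[a-z]+[ \t]+[a-z]+[ \t]+/, "", val)   # drop "option network "
        val = unq(val)
        if ($2 == "name") zname = val
        else nets = nets " " val
    }
    END {
        flush()
        for (i in iface) if (i != "loopback" && !(i in covered)) print "UNZONED " i
        for (n in covered) if (!(n in iface)) print "DANGLING " zoneof[n] " " n
    }' | sort
}

# Sample input: section headers and zone options trimmed from the C7 export above.
sample_export() {
    cat <<'EOF'
package network
config interface 'loopback'
config interface 'lan'
config interface 'wan'
config interface 'dsl_modem'
package firewall
config zone
    option name 'lan'
    option network 'lan'
config zone
    option name 'wan'
    option masq '1'
    option network 'wan adsl2_modem'
EOF
}

sample_export | audit_zones
```

On the router itself, the same function can read the live configuration with `{ uci export network; uci export firewall; } | audit_zones`.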