[SOLVED] VLAN on WAN with WNDR3800 freezes router

Hello,

I'm trying to set up my Netgear WNDR3800 with two VLANs: one dedicated to my LAN network, with ID 1, and the other with ID 832, shared between two interfaces: the router WAN port and the port labeled 1 on the router, which I have plugged into my ISP box.

I need this setup to keep telephony working (my phone is connected to the box).

According to the documentation, the port labeled 1 on my router case should be referred to as port 3 in OpenWrt's switch configuration.

So I ended up with the following setup:

  • /etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        option stp '1'
        option ifname 'eth0.1'

config interface 'wan'
        option ifname 'eth1.832'
        option proto 'dhcp'
        option broadcast '1'
        option peerdns '0'

config switch
        option name 'rtl8366s'
        option reset '1'
        option blinkrate '2'
        option enable_vlan '1'
        option enable_vlan4k '1'
        option max_length '3'

config switch_vlan
        option device 'rtl8366s'
        option vlan '1'
        option ports '0 1 2 5t'
        option vid '1'

config switch_vlan
        option device 'rtl8366s'
        option vlan '832'
        option ports '3 5t'
        option vid '832'

config switch_port
        option device 'rtl8366s'
        option port '1'
        option led '6'

config switch_port
        option device 'rtl8366s'
        option port '2'
        option led '6'

config switch_port
        option device 'rtl8366s'
        option port '3'
        option pvid '832'

config switch_port
        option device 'rtl8366s'
        option port '5'
        option led '2'

config interface 'tel'
        option ifname 'eth1.832'
        option proto 'static'
        option ipaddr '192.168.100.254'
        option netmask '255.255.255.0'

  • /etc/config/dnsmasq
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonegcache '1'
	option filterwin2k '1'
	option resolvfile '/etc/resolv.dns'
	option dnssec '1'
	option dnsforwardmax '2000'
	list server '192.168.2.254'
	option sequential_ip '1'
	option localservice '0'
	option nonwildcard '0'
	option serversfile '/tmp/adb_list.overall'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'tel'
        option interface 'tel'
        option start '250'
        option limit '1'
        option leasetime '1d'
        list server '81.253.149.10'
        list server '80.10.246.3'
        option domain 'orange.fr'
        list dhcp_option '3,192.168.100.254'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

I added a DHCP instance to allocate an IP and send my ISP's DNS servers to the box. I prefer to use my own DNS resolver for the LAN, which is the reason for 192.168.2.254, my Unbound instance.

  • /etc/config/firewall
config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'
	option input 'DROP'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option family 'ipv4'
	option log '1'
	option forward 'REJECT'

config zone
	option name 'wan'
	option network 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'lan'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
        option name 'tel'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'tel'
        option log '1'

config forwarding
        option src 'tel'
        option dest 'wan'

When I tried this config, my router was completely frozen after a reboot: every LED stopped blinking and I had to reboot in fail-safe mode to cancel my changes.

Obviously there's something wrong with this setup, but I can't figure out what.

Has anyone managed to get a similar setup working?

You need to bridge your WAN interface (eth1?) with your LAN 3 port. From your /etc/config/network it looks like you just set your WAN to eth1.832 altogether, also for regular traffic, and that won't work.

The option ifname stanza for your tel interface should contain the tagged WAN port (ID 832) and LAN 3. Do your telephony clients need the VID? If not, you can drop the VID on LAN 3.

Maybe this would work:

config interface 'wan'
        option ifname 'eth1.0'
        option proto 'dhcp'
        option broadcast '1'
        option peerdns '0'

config interface 'tel'
        option ifname 'eth1.832 eth0.832'
        option proto 'static'
        option ipaddr '192.168.100.254'
        option netmask '255.255.255.0'

Once you start fiddling with VLANs you need to redefine assumed ifname settings - i.e. if you had a default eth1, once you set a VLAN on that interface, you need to redefine the eth1 instances to eth1.0; keeping it on eth1 won't work (if I'm mistaken, someone correct me please).

Thanks for the clarification about redefining ethX names with VLANs; I wasn't aware of that.

Sorry, I forgot to mention that my WAN interface must be on VLAN 832 (eth1.832), otherwise I don't get a DHCP lease from my ISP.

I have to keep the VID on LAN3 because otherwise telephony won't work.

So I tried to bridge eth1.832 with eth0.832 on interface tel, but I lose my WAN connectivity.

I tried the bridge with the wan interface set to eth1.0, then eth1.832; both cases failed.

Is this normal? Is there a workaround?

You also tried keeping WAN on just eth1 I assume (just to err on the side of caution)?

Try also adding type bridge to the tel config.

Thanks, it works better after adding type bridge as suggested; now I see a br-vlan interface with the 192.168.100.254 IP address.

The main issue now is how to get DHCP working on this interface. I've double-checked my dnsmasq config and my firewall settings, but DHCP requests sent to 255.255.255.255 don't seem to arrive through the bridged interface.

What netmask are you supposed to use? 255.255.255.0 would be logical if it's a private LAN. 255.255.255.255 won't give you anything since that effectively means no bits may be flipped (and you have no private network range). 255.255.255.0 means 'every bit in the last block of eight bits can be used'.

Hello,

I finally rewrote my setup from scratch and got it working with the following config:

config interface 'tel'
	option ifname 'eth0.832'
	option proto 'static'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option ipaddr '192.168.100.1'

config switch
	option name 'rtl8366s'
	option reset '1'
	option blinkrate '2'
	option enable_vlan '1'
	option enable_vlan4k '1'
	option max_length '3'

config switch_vlan
	option device 'rtl8366s'
	option vlan '1'
	option ports '0 1 2 5t'

config switch_vlan
	option device 'rtl8366s'
	option vlan '832'
	option ports '3t 5t'
	option vid '832'

The bridge doesn't seem necessary after all.

Thanks for your help.
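
An added example, not part of any post in this thread and not OpenWrt code: an offline check that parses UCI text and reports two things that differ between the first configuration and the final working one, namely a VLAN device assigned to more than one interface and access ports that are untagged members of a VLAN. The function names are hypothetical, the CPU port is taken to be 5 (from `5t` in the posts), and the sample configs are abridged from the thread, with the `wan` section in `FINAL` assumed rather than shown.

```python
import shlex

# Constructed samples abridged from the thread; FINAL's 'wan' is an assumption.
FIRST = """config interface 'wan'
    option ifname 'eth1.832'
config interface 'tel'
    option ifname 'eth1.832'
config switch_vlan
    option ports '3 5t'
    option vid '832'
"""
FINAL = """config interface 'wan'
    option ifname 'eth1.832'
config interface 'tel'
    option ifname 'eth0.832'
config switch_vlan
    option ports '3t 5t'
    option vid '832'
"""

def parse_uci(text):
    """Return [(type, name, options)], one entry per 'config' section."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(tok[1], []).append(tok[2])
    return sections

def shared_devices(sections):
    """Map each device named by more than one interface to those interfaces."""
    users = {}
    for typ, name, opts in sections:
        if typ == "interface":
            for dev in " ".join(opts.get("ifname", [])).split():
                users.setdefault(dev, []).append(name)
    return {dev: names for dev, names in users.items() if len(names) > 1}

def untagged_ports(sections, vid, cpu_port="5"):
    """Non-CPU ports that are untagged members of the switch_vlan for vid."""
    found = []
    for typ, _, opts in sections:
        ids = opts.get("vid") or opts.get("vlan") or []
        if typ == "switch_vlan" and str(vid) in ids:
            ports = " ".join(opts.get("ports", [])).split()
            found += [p for p in ports if p != cpu_port and not p.endswith("t")]
    return found
```

Run against a copy of `/etc/config/network` on a workstation before applying the change; an untagged port is only a finding when the attached device needs the VID, as the ISP box does here.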

Glad you got it fixed.
