OpenWrt Forum Archive

Topic: Separate second WAN port WNDR3700 + VLANs

The content of this topic has been archived on 3 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

My network setup is as follows:

ISP (DHCP) --- Router (WNDR3700) --- Switch (TL-WR1043ND) ---- HTPC
                                                         |____ DVR (needs WAN IP)

There is only one Ethernet jack in the living room, but the DVR needs a WAN IP (and the HTPC is part of the LAN). So I configured two VLANs.

Router

config switch_vlan
    option device 'rtl8366s'
    option vlan '1'
    option ports '1 2 3t 5t'

config switch_vlan
    option device 'rtl8366s'
    option vlan '2'
    option ports '0 3t 5t'

Port 3 links the switch to the router. I'd like to use port 0 as the second, separate WAN port. I was told port 3 needs to be tagged in both VLANs.


Switch

config switch_vlan
    option device 'rtl8366rb'
    option vlan '1'
    option ports '0 1t 2 3 5t'

config switch_vlan
    option device 'rtl8366rb'
    option vlan '2'
    option ports '1t 4 5t'

Port 1 links the switch to the router so I tagged it in both VLANs. Port 4 connects the DVR.

I have configured a 'Digiwan' interface for the second WAN port (on the router). I am not sure whether to set it to 'Unmanaged' or keep it on 'DHCP' - I guess it should be unmanaged so it doesn't interfere with the DVR requesting an IP address?

config interface 'digiwan'
    option proto 'dhcp'
    option ifname 'eth0.2'

Is this correct, or is there some kind of bridging needed (like on the LAN interface)? Do I need to add a separate firewall zone? I have added one:

config zone
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option name 'digiwan'
    option network 'digiwan'
    option masq '1'
    option mtu_fix '1'

(I guess the input part should read REJECT as well like on the WAN interface settings.)

Thanks!

(Last edited by Borromini on 13 Apr 2014, 16:13)
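The following checker is an added example, not part of the thread or of OpenWrt; it parses the swconfig-style 'config switch_vlan' and 'config zone' sections exactly as posted above and verifies the layer-2 plan the poster is aiming for: the trunk port and the CPU port must be tagged in every VLAN they carry, each end-device port may be untagged in only one VLAN (a port has a single native VLAN), and a firewall zone attached to a WAN-facing network should not have input ACCEPT. The port numbers and config text are copied from the post; which ports are the trunk (3 on the router, 1 on the switch) and the CPU (5 on both) are assumptions supplied by the caller, and the checker assumes every VLAN defined crosses the trunk, which is the case here.

```python
import re

# Router and switch configs, copied from the post (the zone section too).
ROUTER_CFG = """
config switch_vlan
    option device 'rtl8366s'
    option vlan '1'
    option ports '1 2 3t 5t'

config switch_vlan
    option device 'rtl8366s'
    option vlan '2'
    option ports '0 3t 5t'

config zone
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option name 'digiwan'
    option network 'digiwan'
    option masq '1'
    option mtu_fix '1'
"""

SWITCH_CFG = """
config switch_vlan
    option device 'rtl8366rb'
    option vlan '1'
    option ports '0 1t 2 3 5t'

config switch_vlan
    option device 'rtl8366rb'
    option vlan '2'
    option ports '1t 4 5t'
"""


def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI config text."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"option\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections


def vlan_ports(sections):
    """Map VLAN id -> {port number: tagged?} from the switch_vlan sections."""
    vlans = {}
    for kind, opts in sections:
        if kind != "switch_vlan":
            continue
        members = {}
        for tok in opts.get("ports", "").split():
            members[int(tok.rstrip("t"))] = tok.endswith("t")
        vlans[int(opts["vlan"])] = members
    return vlans


def check_switch(vlans, trunk_ports, cpu_port):
    """Return a list of problems; an empty list means the VLAN table is consistent."""
    problems = []
    native = {}  # access port -> VLANs in which it is untagged
    for vid, members in vlans.items():
        for port, tagged in members.items():
            if port in trunk_ports or port == cpu_port:
                if not tagged:
                    problems.append(f"port {port} untagged in VLAN {vid}: trunk/CPU ports must be tagged")
            elif tagged:
                problems.append(f"access port {port} tagged in VLAN {vid}: end devices expect untagged frames")
            else:
                native.setdefault(port, []).append(vid)
        for p in trunk_ports:
            if p not in members:
                problems.append(f"VLAN {vid} does not reach trunk port {p}")
    for port, vids in native.items():
        if len(vids) > 1:
            problems.append(f"port {port} untagged in VLANs {vids}: only one native VLAN per port")
    return problems


def access_ports(vlans, vid, trunk_ports, cpu_port):
    """Untagged end-device ports of VLAN `vid` (the ports a device would be plugged into)."""
    return sorted(p for p, tagged in vlans.get(vid, {}).items()
                  if not tagged and p not in trunk_ports and p != cpu_port)


def check_zones(sections, wan_networks):
    """Flag zones that cover a WAN-facing network yet accept unsolicited input."""
    problems = []
    for kind, opts in sections:
        if kind != "zone":
            continue
        nets = set(opts.get("network", "").split())
        if nets & set(wan_networks) and opts.get("input") == "ACCEPT":
            problems.append(f"zone {opts.get('name')} faces the WAN but has input ACCEPT; use REJECT like the wan zone")
    return problems


if __name__ == "__main__":
    router = vlan_ports(parse_uci(ROUTER_CFG))
    switch = vlan_ports(parse_uci(SWITCH_CFG))
    print("router:", check_switch(router, {3}, 5) or "ok")
    print("switch:", check_switch(switch, {1}, 5) or "ok")
    print("VLAN 2 device ports: router", access_ports(router, 2, {3}, 5), "switch", access_ports(switch, 2, {1}, 5))
    print("zones:", check_zones(parse_uci(ROUTER_CFG), {"digiwan"}) or "ok")
```

Run as-is it reports both VLAN tables as consistent, shows that VLAN 2 ends on router port 0 and switch port 4 (the DVR), and flags the digiwan zone for input ACCEPT, which matches the poster's own guess that it should be REJECT.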

Anyone? :)

I'm not sure I understand your setup correctly.
Are you running two cables between "ISP" and WNDR3700?
Do you want a direct layer 2 path between the DVR and ISP equipment?
And no layer 3/IP routing between the DVR and the LAN of WNDR3700?
Or would a one-to-one NAT between the DVR and the second WAN IP (in that case obtained by WNDR3700) do what you want?
And then preserve IP routing between the DVR and LAN.
In first scenario I guess you would bridge.

By having VLAN 2 untagged from port 0 on the router (the true wan) and tag to port 3, and then pick up the tags on port 1 of the switch with untagged on port 4, you should be creating a layer 2 network between the DVR and the cable modem (or whatever that is). You would not need any interfaces, routes, or firewalls since the traffic is all layer 2. This is based on the presumption that both the router and switch are doing well-behaved VLAN transactions. I presume that you set it up and it doesn't work? Troubleshooting it should be as easy as getting a laptop with Wireshark, and following all the ARP broadcasts from the CMTS (assuming you're on a cable modem) to see what point they stop.
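The ARP-following check above, reduced to code, as an added example that is not part of the thread: a decoder for Ethernet frames that reports whether a frame carries an 802.1Q tag, which VLAN id it carries, and for ARP which addresses are involved, plus a helper that groups ARP requests by VLAN so you can tell at each hop whether the ISP gateway's ARP is arriving tagged on the VLAN you expect. The frames, MAC addresses and IP addresses below are constructed for illustration, not captured from anyone's network.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(b):
    return ".".join(str(x) for x in b)


def build_arp_request(src_mac, src_ip, target_ip, vlan=None):
    """Build an ARP who-has broadcast, optionally 802.1Q-tagged (constructed test data)."""
    hdr = BROADCAST + src_mac
    if vlan is not None:
        hdr += struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ETH_P_ARP)
    else:
        hdr += struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, op=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + src_mac + src_ip + b"\x00" * 6 + target_ip
    return hdr + arp


def decode_frame(frame):
    """Return dst/src/vlan/ethertype and, for ARP, the sender/target addresses."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN id
        offset = 18
    info = {"dst": mac(dst), "src": mac(src), "vlan": vlan, "ethertype": etype}
    if etype == ETH_P_ARP:
        arp = frame[offset:offset + 28]
        if len(arp) < 28:
            raise ValueError("truncated ARP payload")
        _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", arp[:8])
        info.update(
            op={1: "request", 2: "reply"}.get(op, op),
            sender_mac=mac(arp[8:14]), sender_ip=ip(arp[14:18]),
            target_mac=mac(arp[18:24]), target_ip=ip(arp[24:28]),
        )
    return info


def arp_by_vlan(frames):
    """Group ARP requests by VLAN tag: {vlan id or None: sorted sender IPs}."""
    seen = {}
    for f in frames:
        info = decode_frame(f)
        if info["ethertype"] == ETH_P_ARP and info.get("op") == "request":
            seen.setdefault(info["vlan"], set()).add(info["sender_ip"])
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    # Constructed frames as they would look on the trunk (tagged) and on an access port (untagged).
    isp_gw = build_arp_request(bytes.fromhex("020000000001"), bytes([203, 0, 113, 1]), bytes([203, 0, 113, 50]), vlan=2)
    lan_gw = build_arp_request(bytes.fromhex("020000000002"), bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20]), vlan=1)
    lan_host = build_arp_request(bytes.fromhex("020000000003"), bytes([192, 168, 1, 20]), bytes([192, 168, 1, 1]))
    for f in (isp_gw, lan_gw, lan_host):
        print(decode_frame(f))
    print(arp_by_vlan([isp_gw, lan_gw, lan_host]))
```

On a real capture you would feed the raw bytes of each frame (for example from a pcap reader) into decode_frame; a frame from the ISP gateway showing vlan None on a port that should be a tagged trunk, or showing a VLAN id other than 2, pinpoints the hop where the tagging goes wrong.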

Thanks for the response guys!

glenten wrote:

I'm not sure I understand your setup correctly.
Are you running two cables between "ISP" and WNDR3700?

Yes, that will be the case

Do you want a direct layer 2 path between the DVR and ISP equipment?
And no layer 3/IP routing between the DVR and the LAN of WNDR3700?
Or would a one-to-one NAT between the DVR and the second WAN IP (in that case obtained by WNDR3700) do what you want?
And then preserve IP routing between the DVR and LAN.
In first scenario I guess you would bridge.

I want the first scenario. Both VLANs don't need to be able to communicate. I don't have any experience with one-to-one NAT.

jeffmeden wrote:

By having VLAN 2 untagged from port 0 on the router (the true wan) and tag to port 3, and then pick up the tags on port 1 of the switch with untagged on port 4, you should be creating a layer 2 network between the dvr and the cable modem (or whatever that is).

Yes, that's my aim.

You would not need any interfaces, routes, or firewalls since the traffic is all layer 2.  This is based on the presumption that both the router and switch are doing well-behaved VLAN transactions.  I presume that you set it up and it doesn't work?

Thanks, I was not sure if I needed to do anything beyond setting up the VLAN. I will test functionality this Monday (had to figure out first how VLANs worked and where they had to be configured). I'll dump the interface and firewall entries then. Both router and switch are using the same Realtek switch (or at least a very similar one), and they're both ar71xx. So I'm crossing my fingers.

Troubleshooting it should be as easy as getting a laptop with Wireshark, and following all the ARP broadcasts from the CMTS (assuming you're on a cable modem) to see what point they stop.

Thanks, I'll keep that in mind!

(Last edited by Borromini on 16 Apr 2014, 17:49)

Borromini wrote:

Thanks for the response guys!

glenten wrote:

I'm not sure I understand your setup correctly.
Are you running two cables between "ISP" and WNDR3700?

Yes, that will be the case

My ISP equipment has most often only had a single port :- )

Do you want a direct layer 2 path between the DVR and ISP equipment?
And no layer 3/IP routing between the DVR and the LAN of WNDR3700?
Or would a one-to-one NAT between the DVR and the second WAN IP (in that case obtained by WNDR3700) do what you want?
And then preserve IP routing between the DVR and LAN.
In first scenario I guess you would bridge.

I want the first scenario. Both VLANs don't need to be able to communicate. I don't have any experience with one-to-one NAT.

When you said that the DVR needs a WAN IP (public?) I thought you might just want all traffic from that secondary public IP to reach the DVR. The one-to-one NAT is just that you redirect all traffic from "WAN IP2" to one specific private LAN IP and the other way around (DNAT+SNAT/MASQ).
In case you needed to access the DVR from your LAN, play recordings etc. And you would be able to have the WNDR3700 firewalling the DVR. Do remember to firewall :- )

The cable modem they're supplying is one of those modem/router combinations - they have four 'LAN' ports. I believe that device already has a firewall (nonetheless, the OpenWrt firewall will stay active), if not all their non-tech-savvy consumers would be exposed.

Over here they call it 'triple play' - you can get TV, internet and telephone plans from the same provider. Before they used to provide you with a simple modem, one Ethernet port, that was it.

Thanks for the primer on one-to-one NAT, but I think (if I get it working) that the layer 2 stuff might be easier. So I'm going to give that a shot first.

Borromini wrote:

The cable modem they're supplying is one of those modem/router combinations - they have four 'LAN' ports. I believe that device already has a firewall (nonetheless, the OpenWrt firewall will stay active), if not all their non-tech-savvy consumers would be exposed.

Over here they call it 'triple play' - you can get TV, internet and telephone plans from the same provider. Before they used to provide you with a simple modem, one Ethernet port, that was it.

Thanks for the primer on one-to-one NAT, but I think (if I get it working) that the layer 2 stuff might be easier. So I'm going to give that a shot first.

I misunderstood. I thought your WNDR3700 was connected directly/public. With the layer 2 solution the OpenWrt firewall in WNDR3700 can't guard the DVR. But you are probably right that there's a firewall in your ISP router.
That the triple play DVR needs an IP from the ISP router, is that something they are stating? They might be doing more than IP traffic, perhaps the IPTV is coming in on its own VLAN? If that's the case the NAT'ing is off the table :- )

The DVR settings panel shows both a private and a public IP. Nobody seems to know for sure whether it's just the public IP that does it, and customer service doesn't know jack about it; a separate VLAN makes sense.

I hope it works out! :-)

Borromini wrote:

The cable modem they're supplying is one of those modem/router combinations - they have four 'LAN' ports. I believe that device already has a firewall (nonetheless, the OpenWrt firewall will stay active), if not all their non-tech-savvy consumers would be exposed.

Over here they call it 'triple play' - you can get TV, internet and telephone plans from the same provider. Before they used to provide you with a simple modem, one Ethernet port, that was it.

Thanks for the primer on one-to-one NAT, but I think (if I get it working) that the layer 2 stuff might be easier. So I'm going to give that a shot first.

Sounds like the IPTV services here in the states. The one thing I ran into when I had that service was that the DVR was especially fault-sensitive. One missed video packet would cause the time sync in the recording/playback to get behind, so audio would lose sync, and even one error every 10 min or so would be enough to make a 60 minute show miserable. You will want to make the path between the residential gateway (their modem/router combo) and the DVR as clear as possible to prevent video issues. It turned out that my issue was having a 100/1000 switch in the path to the DVR, with some devices on the 100 side; every so often a broadcast packet (since IPTV is typically distributed via multicast) would collide on the 100 side. Putting a direct path from the RG to the DVR fixed that. The RG will use IGMP to only send the broadcasts out the necessary port.

Won't the separate VLAN take care of this? Only the DVR will be on it.

Guys I am extremely happy to report that the VLAN did the job :). The DVR now gets a private and public IP.

Thanks for your help!

Great to hear :-)
I'm curious, was your IPTV VLAN tagged so you adjusted to that?

(Last edited by glenten on 23 Apr 2014, 23:15)

I didn't check the traffic honestly... My brother was a bit in a hurry to have it all set up. So I can't tell.
