OpenWrt Forum Archive

Topic: Question regarding VLAN with Kamikaze 7.09 on a Linksys WRT54GL

The content of this topic has been archived on 2 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I am using Kamikaze 7.09 on a Linksys WRT54GL, this router is second in a row behind my DSL-Router (192.168.2.1). The WAN-Port is configured to use DHCP to get all relevant data from the DSL-Router, all lan/wlan ports are configured to provide DHCP-services for clients.
Everything is working fine....

Till...
I am trying to separate the Ethernet port labeled on the case with '4' (in internal notation it is '0') into a separate VLAN, till now without luck.

Symptom:
- Clients connected to all other ports than '4' (resp. '0') do work fine, they can connect to the internet and so on
- Clients connected to port '4' (resp. '0') get an IP, DNS name resolution works, but even a simple ping or traceroute into the internet does not work (these clients are only able to ping / connect to the Linksys, but not further; the traceroute does not move one single hop and tcpdump on the Linksys is not showing anything.)

Examples:
traceroute www.cnn.com
traceroute: Warning: www.cnn.com has multiple addresses; using 157.166.224.25
traceroute to www.cnn.com (157.166.224.25), 64 hops max, 40 byte packets
1  192.168.20.4 (192.168.20.4)  82.475 ms  0.670 ms  0.753 ms
2  * * *
3  * ...... and so on.......

Configuration (mostly created by using VLAN examples out of this forum and other places):

cat /etc/config/network
#### VLAN configuration
config switch eth0
    option vlan0    "1 2 3 5*"
    option vlan1    "0 5"
    option vlan2    "4 5"


#### Loopback configuration
config interface loopback
    option ifname    "lo"
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0


#### LAN configuration
config interface lan
    option type     bridge
    option ifname    "eth0.0"
    option proto    static
    option ipaddr    '192.168.1.50'
    option netmask    255.255.255.0
    option gateway    ''

config interface lan2
    option type     bridge
    option ifname    "eth0.1"
    option proto    static
    option ipaddr    '192.168.20.4'
    option netmask    255.255.255.0
    option gateway    ''
   
#### WAN configuration
config interface    wan
    option ifname    "eth0.2"
    option proto    dhcp


cat /etc/config/dhcp
config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'filterwin2k' '0'
    option 'localise_queries' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'
    option 'nonegcache' '1'
    option 'logqueries' '1'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'

config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'ignore' '1'

#### Add the lines below if you want lan2 to also serve out dhcp

config 'dhcp' 'lan2'
    option 'interface' 'lan2'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'


Any ideas?

Thanks
Ity

You need to also tell the firewall to let packets from lan2 through to either lan1 or the internet.

For example, if you want to allow "lan2" to talk to the internet you need to add the following into /etc/config/firewall:
config 'forwarding'
        option 'src' 'lan2'
        option 'dest' 'wan'

The "masq" option in the wan port will allow it to get back to whichever client sent the packet, so you do not need forwarding from wan to lan2.

With firewall rules it is also possible, for example, to only allow "lan2" to talk to "lan" (and "lan" to "lan2"), but not to get to the internet.  But unless you specifically enable something in the firewall, it is blocked.
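The two things the thread turns on are the switch VLAN layout in /etc/config/network and whether each interface has a forwarding section in /etc/config/firewall. The script below is an added example, not code from the thread or from OpenWrt: it parses UCI-style text offline, checks that every physical port is untagged in exactly one VLAN and that the CPU port (assumed to be port 5, as in the thread's config) is in every VLAN, maps each interface to the VLAN its ifname rides on, and lists interfaces that have no explicit forwarding toward wan. The config strings are constructed to resemble the thread's files. Only explicit forwarding sections are modelled; whatever a given firmware allows by default (the thread notes lan works without a rule) is outside what this check can see.

```python
"""Offline sanity check for an OpenWrt-style network + firewall config.

Added example (not part of the thread): parse UCI text, validate the
switch VLAN/port layout and report interfaces lacking a forwarding to wan.
"""
import re

# Constructed sample input modelled on the thread's files, not copied from a device.
NETWORK_CFG = """
config switch eth0
    option vlan0    "1 2 3 5*"
    option vlan1    "0 5"
    option vlan2    "4 5"

config interface lan
    option type     bridge
    option ifname   "eth0.0"
    option proto    static
    option ipaddr   '192.168.1.50'

config interface lan2
    option type     bridge
    option ifname   "eth0.1"
    option proto    static
    option ipaddr   '192.168.20.4'

config interface wan
    option ifname   "eth0.2"
    option proto    dhcp
"""

FIREWALL_CFG = """
config forwarding
    option src  lan2
    option dest wan
"""

# Tokens: single-quoted, double-quoted, or bare words.
_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text):
    """Return a list of (section_type, section_name, {option: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = [t.strip('\'"') for t in _TOKEN.findall(line)]
        if parts[0] == 'config' and len(parts) > 1:
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] == 'option' and sections and len(parts) > 1:
            sections[-1][2][parts[1]] = parts[2] if len(parts) > 2 else ''
    return sections


def switch_ports(sections):
    """Map vlan option name -> set of port numbers (trailing '*' dropped)."""
    vlans = {}
    for stype, _, opts in sections:
        if stype == 'switch':
            for key, val in opts.items():
                if key.startswith('vlan'):
                    vlans[key] = {p.rstrip('*') for p in val.split()}
    return vlans


def check_vlans(vlans, cpu_port='5'):
    """Each physical port untagged in exactly one VLAN; CPU port in every VLAN."""
    problems, seen = [], {}
    for vlan, ports in sorted(vlans.items()):
        if cpu_port not in ports:
            problems.append(f"{vlan}: CPU port {cpu_port} missing, router cannot reach this VLAN")
        for port in ports - {cpu_port}:
            seen.setdefault(port, []).append(vlan)
    for port, owners in sorted(seen.items()):
        if len(owners) > 1:
            problems.append(f"port {port} is untagged in several VLANs: {', '.join(owners)}")
    return problems


def interface_vlan_map(sections):
    """Interface name -> vlan option it uses (eth0.N -> vlanN), None if not a VLAN ifname."""
    mapping = {}
    for stype, name, opts in sections:
        if stype == 'interface' and name and 'ifname' in opts:
            m = re.fullmatch(r'eth0\.(\d+)', opts['ifname'])
            mapping[name] = f'vlan{m.group(1)}' if m else None
    return mapping


def missing_forwardings(net_sections, fw_sections, wan='wan'):
    """Interfaces (other than wan/loopback) with no explicit forwarding to wan."""
    allowed = {o.get('src') for t, _, o in fw_sections
               if t == 'forwarding' and o.get('dest') == wan}
    return sorted(n for t, n, _ in net_sections
                  if t == 'interface' and n not in (wan, 'loopback', None) and n not in allowed)


if __name__ == '__main__':
    net, fw = parse_uci(NETWORK_CFG), parse_uci(FIREWALL_CFG)
    print('VLAN problems:', check_vlans(switch_ports(net)) or 'none')
    print('interface -> VLAN:', interface_vlan_map(net))
    print('no forwarding to wan:', missing_forwardings(net, fw))
```

Running it on the constructed input reports no VLAN layout problems, maps lan/lan2/wan to vlan0/vlan1/vlan2, and lists lan as the interface without an explicit forwarding section, which is exactly the mismatch the asker goes on to point out.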

Thanks for your advice, but.....

My /etc/config/firewall now looks like this:

config 'forwarding'
    option 'src' 'lan2'
    option 'dest' 'wan'

all other files are untouched.

Result: WLAN and all other ports are working, port 4/0 is still not working (same symptoms as before).

This makes me wonder: why does "lan" work without any rule in /etc/config/firewall?
What do you mean by masq? This is only given in cat /etc/config/dhcp, and it does say option 'local' '/lan/' and option 'domain' 'lan' - is this limiting lan2 in any way?

That firewall config will not work in 7.09. I'd recommend reflashing latest trunk...

Ahh.... Is the 7.09 firewall code not functional? Or do other rules/mechanisms apply?

The discussion might have continued from here.