OpenWrt Forum Archive

Topic: how2 vlans on asus wl500g

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

hi,

I broke the br0 bridge with

lan_ifname=br0
lan_ifnames=eth2
lan_ipaddr=192.168.2.99
lan_proto=static

The second vlan is prepared with

lan2_ipaddr=192.168.3.99
lan2_name=eth0
lan2_names=eth0
lan2_netmask=255.255.255.0
lan2_proto=static

nvram commit, reboot,
only the lan_ device is working, so ...

questions:

1) how to start lan2_ during start up

2) how to route between the lan_ and lan2_ devices

btw: used White Russian rc4 - jffs2

Thanks for your time and help

(Last edited by reset on 3 Dec 2005, 14:20)

To bring the new interface up on boot add this to your /etc/init.d/S40network:

ifup lan2

Add this to your /etc/init.d/S45firewall to get routing going:

LAN2=$(nvram get lan2_ifname)
iptables -A FORWARD -i $LAN2 -o $WAN -j ACCEPT

You will find other lines very similar to the above that have "LAN" instead of "LAN2"; add the new lines right below them.

Now I think you'll probably also need these in your firewall script before the LAN vlans can talk to each other:

iptables -A FORWARD -i $LAN2 -o $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $LAN2 -j ACCEPT

Also, your nvram names are wrong. I think you want "lan2_ifname", not "lan2_name".

Thanks for the help with starting eth0 and for the corrections.


I still have a problem with routing.

My network looks like this:

pc 192.168.2.1 (netmask 255.255.0.0)
      |
      .
      .
asus 192.168.2.2 (every routers are asus with bridged interfaces)
      .
      .
      |
{ asus - dev br0 192.168.2.99 (netmask 255.255.255.0)
asus - dev eth0 192.168.3.99 (netmask 255.255.255.0) }
      |
      |
pc 192.168.3.34 (netmask 255.255.0.0)


From machine x.x.3.34 I can ping 3.99 and 2.99, but not machines 2.2 or 2.1 and so on in the x.x.2.x network.

I think the routing problem is between x.x.2.99 and x.x.3.99.

The iptables routing rules are set as Void Main described.

routing table:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
default         192.168.2.1   0.0.0.0         UG    0      0        0 br0

Where could the problem be?

(Last edited by reset on 3 Dec 2005, 18:02)

And ip_forward is set to 1:

root@OpenWrt:~# cat /proc/sys/net/ipv4/ip_forward
1

I have spent a few days on the routing between the two vlan networks without any result (wl500g).

I have read almost all topics about that;
many people solved this problem,
but I still cannot find it.

Can someone help me?
thx

(Last edited by reset on 4 Dec 2005, 04:04)

S45Firewall

#!/bin/sh

## Please make changes in /etc/firewall.user
${FAILSAFE:+exit}

. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
LAN2=$(nvram get lan2_ifname)

## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done

iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### INPUT
###  (connections with the router as destination)

  # base case
  iptables -P INPUT ACCEPT
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule

  # allow
  iptables -A INPUT -i \! $WAN  -j ACCEPT       # allow from lan/wifi interfaces
  iptables -A INPUT -p icmp     -j ACCEPT       # allow ICMP
  iptables -A INPUT -p gre      -j ACCEPT       # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
### (connections with the router as source)

  # base case
  iptables -P OUTPUT ACCEPT
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT          #allow everything out

  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)

  # base case
  iptables -P FORWARD ACCEPT
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule

  # allow
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  #iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
  iptables -A FORWARD -i $LAN -o $LAN2 -j ACCEPT
  iptables -A FORWARD -i $LAN2 -o $LAN -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

### MASQ
  iptables -t nat -A PREROUTING -j prerouting_rule
  iptables -t nat -A POSTROUTING -j postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

## USER RULES
# [ -f /etc/firewall.user ] && . /etc/firewall.user

root@OpenWrt:/etc/init.d# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

root@OpenWrt:/etc/init.d# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 br0

Well, when I ping from 192.168.3.34 through the router to PC 192.168.2.30,


tcpdump on eth0 looks like:

00:09:32.918341 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:33.919383 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:34.921192 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:34.933611 arp who-has 192.168.2.1 tell 192.168.3.34
00:09:35.922449 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:36.924328 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:37.925358 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:38.927177 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:39.928243 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:40.930095 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:41.931194 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:42.933096 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:42.936854 arp who-has 192.168.2.1 tell 192.168.3.34

(Last edited by reset on 4 Dec 2005, 12:58)

Where is the fucking routing problem?

Do you have a default route set on your PCs? What does your "netstat -rn" show on each of your PCs?

pc settings:

pc1 - system w2k:
addr: 192.168.2.30
mask 255.255.254.0
gw 192.168.2.1

---

asus router

---

pc2 - system w2k:
addr: 192.168.3.34 
mask 255.255.254.0
gw 192.168.2.1

(Last edited by reset on 4 Dec 2005, 15:43)

on pc1:
netstat -rn

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 05 1c 0c 23 e1 ...... rtl81395 Realtek RTL8139/810x Family Fast Ethernet NIC                (Microsoft's Packet Scheduler)
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.30       2
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.0    255.255.254.0     192.168.2.30    192.168.2.30       2
     192.168.2.30  255.255.255.255        127.0.0.1       127.0.0.1       2
    192.168.2.255  255.255.255.255     192.168.2.30    192.168.2.30       2
        224.0.0.0        224.0.0.0     192.168.2.30    192.168.2.30       2
  255.255.255.255  255.255.255.255     192.168.2.30    192.168.2.30       1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None

on pc2:

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 10 60 f6 1d 24 ...... PCMCARD6 10/100 LAN Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.3.34       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.0    255.255.254.0     192.168.3.34    192.168.3.34       1
     192.168.3.34  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.3.255  255.255.255.255     192.168.3.34    192.168.3.34       1
        224.0.0.0        224.0.0.0     192.168.3.34    192.168.3.34       1
  255.255.255.255  255.255.255.255     192.168.3.34    192.168.3.34       1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None

(Last edited by reset on 4 Dec 2005, 15:43)

reset wrote:

pc settings:

pc1 - system w2k : 
pc2  - system w2k : 
addr: 192.168.3.34 
mask 255.255.254.0
gw 192.168.2.1

There's your problem. The gateway on PC2 should be 192.168.3.1. Actually you assigned the interfaces on the router *.99 right? The gateways should be *.99 (PC1 should be set to 192.168.2.99, PC2 should be set to 192.168.3.99)

Why does the gw have to be set to *.99?

My main router connected to the Internet has address 192.168.2.1, mask 255.255.0.0.

I just need to route the vlans;
the asus router located on *.99 is not the gateway for the network, it just separates the 2 vlans.

Your PC's gateway has to be on the same subnet as your PC. And that gateway has to know how to route traffic to any other network/subnet you want your PCs to get to. That's basic TCP/IP networking.

well,

My settings are now the following:

firewall/router/nat:
addr: 192.168.2.1
mask 255.255.0.0

pc1:
addr: 192.168.2.30
mask: 192.168.254.0
gw: 192.168.2.1

asus router (separate 2 vlans)
addr: 192.168.2.99 (br0-wifi)
addr: 192.168.3.99 (eth0-lan)
mask: 255.255.255.0

pc2:
addr: 192.168.3.34
mask: 255.255.254.0
gw: 192.168.3.99


PC1 *.2.30 is connected through wireless to the asus router *.2.99.

It still doesn't work.

I cannot ping from *.3.34 to *.2.30 or any other address in 2.*.

I can ping only:

from *.2.30 to *.2.99 (ie *3.99)
from *.3.34 to *.3.99 (ie *2.99)

My current network looks like:

http://ernetfree.net/ernet.jpg

... I would like to separate it into more vlans with the possibility to filter connections.
Currently it works on one subnet; the main routers are asus wl500g with bridged interfaces (it's not good, .. no filtering).

So I am preparing to separate it into more vlan networks and now I have the problem of how to route connections between the vlans.

(Last edited by reset on 4 Dec 2005, 20:23)

reset wrote:

well,

my is setting is following now:

firewall/router/nat:
addr: 192.168.2.1
mask 255.255.0.0

That 255.255.0.0 is a problem. It either should be 255.255.255.0 or all your other settings involving 192.168.*.* are wrong.  The network map really doesn't tell me anything unless you have network/address labels.  I guess I really still don't understand *exactly* what you are trying to accomplish.
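An added example, not from the thread: a POSIX sh check that applies the on-link rule from the replies above to the host settings posted in this thread (addresses, masks and gateways as posted; nothing else assumed). It shows why a PC with mask 255.255.254.0 treats 192.168.2.x as directly reachable and ARPs for it, which is exactly what the tcpdump above captured on eth0, and why the router only gets involved once the mask is /24 and the gateway is on the PC's own subnet.

```shell
#!/bin/sh
# Added example (not from the thread): decide where a host will send a packet,
# given the host's address, netmask, the destination and the configured gateway.
# This is the on-link decision a PC makes before the router ever sees a packet.

# Convert a dotted quad to a 32-bit integer using POSIX sh arithmetic only.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# next_hop HOST MASK DEST GW
#   "onlink"      -> host ARPs for DEST itself; the router never sees the packet
#   "via GW"      -> host ARPs for GW and hands the packet to the router
#   "unreachable" -> GW is outside the host's own subnet; the packet goes nowhere
next_hop() {
    h=$(ip2int "$1"); m=$(ip2int "$2"); d=$(ip2int "$3"); g=$(ip2int "$4")
    if [ $(( h & m )) -eq $(( d & m )) ]; then
        echo onlink
    elif [ $(( h & m )) -eq $(( g & m )) ]; then
        echo "via $4"
    else
        echo unreachable
    fi
}

# pc2 (192.168.3.34) trying to reach pc1 (192.168.2.30), configurations as posted.
# /23 mask, gateway 192.168.2.1: pc2 believes .2.30 is on-link and ARPs for it.
printf 'pc2 /23, gw .2.1  -> %s\n' "$(next_hop 192.168.3.34 255.255.254.0 192.168.2.30 192.168.2.1)"
# /23 mask, gateway moved to the asus: still on-link, the gateway is never used.
printf 'pc2 /23, gw .3.99 -> %s\n' "$(next_hop 192.168.3.34 255.255.254.0 192.168.2.30 192.168.3.99)"
# /24 mask (same as the router's eth0), gateway 192.168.3.99: routed via the asus.
printf 'pc2 /24, gw .3.99 -> %s\n' "$(next_hop 192.168.3.34 255.255.255.0 192.168.2.30 192.168.3.99)"
# /24 mask but gateway 192.168.2.1: the gateway is not on pc2's subnet at all.
printf 'pc2 /24, gw .2.1  -> %s\n' "$(next_hop 192.168.3.34 255.255.255.0 192.168.2.30 192.168.2.1)"
```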

reset wrote:

well, and when i ping from 192.168.3.34  throu router to pc 192.168.2.30

tcpdump on eth0 looks like:

00:09:32.918341 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:33.919383 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:34.921192 arp who-has 192.168.2.30 tell 192.168.3.34
00:09:42.936854 arp who-has 192.168.2.1 tell 192.168.3.34

I think your problem is that you didn't fully break the bridge (get rid of br0 entirely) so the arp packets are being bridged. Try setting lan_ifname=eth2. Also I believe that using wifi_ instead of vlan2_ will eliminate the need for you to bring up the wireless interface yourself.

I.e., if I'm reading your intent correctly you simply want to break the wireless/lan bridge and route between them? To do this I would simply set lan_ifname=eth0, unset lan_ifnames, set wifi_ifname=eth2, and set the appropriate IP addresses and masks. I would think iptables and routes would take care of themselves for basic routing. I believe this is similar to the basic wiki example - perhaps you were trying to do something more exotic?

- DL

(Last edited by dl on 4 Dec 2005, 20:52)

dl wrote:

I.e., if I'm reading your intent correctly you simply want to break the wireless/lan bridge and route between them?

yes


... well, I set
nvram set lan_ifname=eth2

When I unset lan_ifnames (or set lan_ifnames=<empty>),
after reboot it is automatically set to eth0 eth1 eth2,

and then I cannot ping from the *.2.0 network to *.2.99;
ping from *.3.34 to *.2.99 is ok.

When I look at the interfaces in ifconfig, incoming data is counted on eth2; the RX & TX counters are incremented.

The asus is connected to my network (*.2.0) via WDS; can the problem be in WDS?

(Last edited by reset on 5 Dec 2005, 01:45)

When I played with my dick,

I changed the configuration on the asus.

I removed WDS, set standard AP mode, and an ovislink 5460 is connected as a client (address *.2.98).

settings:

asus: AP (only)
lan_ifname=eth0
lan_ifnames=eth0
lan_ipaddr=192.168.3.99
lan_netmask=255.255.255.0
lan_gateway=192.168.2.1
lan_proto=static

wifi_ifname=eth2
wifi_ifnames=eth2
wifi_ipaddr=192.168.2.99
wifi_netmask=255.255.255.0
wifi_gateway=192.168.2.1
wifi_proto=static

S40network:

ifup lan
ifup wifi

S45firewall:

#!/bin/sh

## Please make changes in /etc/firewall.user
${FAILSAFE:+exit}

. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
#LAN2=$(nvram get lan2_ifname)
WIFI=$(nvram get wifi_ifname)

## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done

#- iptables -N input_rule
#- iptables -N output_rule
#- iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### INPUT
###  (connections with the router as destination)

  # base case
  iptables -P INPUT ACCEPT
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  #- iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  #- iptables -A INPUT -j input_rule

  # allow
  iptables -A INPUT -i \! $WAN  -j ACCEPT       # allow from lan/wifi interfaces
  iptables -A INPUT -p icmp     -j ACCEPT       # allow ICMP
  iptables -A INPUT -p gre      -j ACCEPT       # allow GRE

  # reject (what to do with anything not allowed earlier)
  #- iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  #- iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
### (connections with the router as source)

  # base case
  iptables -P OUTPUT ACCEPT
  #- iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  #- iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT          #allow everything out

  # reject (what to do with anything not allowed earlier)
  #- iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  #- iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)

  # base case
  iptables -P FORWARD ACCEPT
  #iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  #- iptables -A FORWARD -j forwarding_rule

  # allow
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  #iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
  #iptables -A FORWARD -i $LAN -o $LAN2 -j ACCEPT
  #iptables -A FORWARD -i $LAN2 -o $LAN -j ACCEPT
  #iptables -A FORWARD -i $LAN2 -o $LAN2 -j ACCEPT
  iptables -A FORWARD -i $WIFI -o $LAN -j ACCEPT
  #iptables -A FORWARD -i $WIFI -o $LAN2 -j ACCEPT
  iptables -A FORWARD -o $WIFI -i $LAN -j ACCEPT
  #iptables -A FORWARD -o $WIFI -i $LAN2 -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

### MASQ
  iptables -t nat -A PREROUTING -j prerouting_rule
  iptables -t nat -A POSTROUTING -j postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

## USER RULES
# [ -f /etc/firewall.user ] && . /etc/firewall.user

root@OpenWrt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:2F:E3:25:2D
          inet addr:192.168.3.99  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:884 errors:0 dropped:0 overruns:0 frame:0
          TX packets:509 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:80383 (78.4 KiB)  TX bytes:105549 (103.0 KiB)
          Interrupt:3 Base address:0x2000

eth2      Link encap:Ethernet  HWaddr 00:11:2F:E3:25:2D
          inet addr:192.168.2.99  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2492 errors:0 dropped:0 overruns:0 frame:294
          TX packets:2829 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:265340 (259.1 KiB)  TX bytes:417728 (407.9 KiB)
          Interrupt:6 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:549 errors:0 dropped:0 overruns:0 frame:0
          TX packets:549 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:48312 (47.1 KiB)  TX bytes:48312 (47.1 KiB)

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth2

Now I can ping the asus *.2.99, but no routing via the asus works.

works:
ping from *.2.30 to *.2.99 (*.3.99)
ping from *.3.34 to *.3.99 (*.2.99)

doesn't work:
ping from *.2.30 to *.3.34
ping from *.3.34 to *.2.30

One problem was probably in WDS; it's eliminated.
I.e., I tried to connect the asus as a client, without success too; it will be solved later.

Why?

(Last edited by reset on 5 Dec 2005, 08:13)

Nobody has an idea why routing doesn't work?

Make sure your gateway on *.2.x is set to *.2.99 etc?

- DL

it works now,

problem was in gateway settings,

THANK YOU !!!

(Last edited by reset on 6 Dec 2005, 16:20)

reset wrote:

it works now,

problem was in gateway settings,

THANK YOU !!!

Didn't I already tell you that days ago?

Me:

Void Main wrote:

PC1 should be set to 192.168.2.99, PC2 should be set to 192.168.3.99

You:

reset wrote:

why gw has to be set to *.99?

Why ask for help if you aren't going to follow it? Could it be because of:

You:

reset wrote:

When I played with my dick,

Void Main wrote:

Didn't I already tell you that days ago?

Yes, you're right.

I had bad settings on the machines.

my final idea is

http://forum.openwrt.org/viewtopic.php?id=3570

How do I set the coyote router to route to subnet *.3.0/24?
