philow
join:2014-03-25

philow

Member

VLAN configuration on MI424WR Gen 3 Rev. I

I just got one of these Gen3 Rev. I routers. Before that I had a Rev. D.

I created a VLAN on my Rev D using the directions at this site:

support.actiontec.com/doc_files/Creating_an_Ethernet_VLAN.pdf

Using those same directions and the directions here:

»blog.jeffreyberg.net/?p=56

I have tried to create a VLAN on my Rev I, and the computer connected to the Ethernet port shows up with the new IP address in network status, but I cannot ping it from the router and it does not have any Internet access. I have been pulling my hair out trying to make this work, and I am starting to wonder if it is not a bug in the firmware for the router. I am running version 40.21.10.3.

I am trying to segment an Ethernet port to, say, 10.0.0.x so I can keep it off my normal 192.168.1.x network. As I said, I had this working on my Rev. D router.

Has anyone successfully created a VLAN on this router? If so can you give me some pointers?

Thanks!

guppy_fish
Premium Member
join:2003-12-09
Palm Harbor, FL

guppy_fish

Premium Member

Have you put in static routes from the new vlan to the wan or other lan?
philow
join:2014-03-25

philow

Member

I have not, but it was not required with the Rev D. I can try that, but what would the route be from the router to ping the computers on the VLAN?

guppy_fish
Premium Member
join:2003-12-09
Palm Harbor, FL

guppy_fish to philow

Premium Member

Routers "route" from different networks; this requires defined routes.

A VPN network requires a route both to and from the WAN and/or the other LAN networks; otherwise they are islands unto themselves.
philow
join:2014-03-25


philow

Member

Agreed, but I am not trying to make a VPN; I am trying to split off a VLAN on a couple of physical Ethernet ports.
philow

philow

Member

Source             Destination        Gateway            Flags DSCP Metric Interface       
0.0.0.0/0          10.0.0.0/24        *                  U     0    4      br0.100         
0.0.0.0/0          xxx.xxx.xxx.0/24   *                  U     0    3      eth1            
0.0.0.0/0          192.168.2.0/24     *                  U     0    4      br0             
0.0.0.0/0          0.0.0.0/0          xxx.xxx.xxx.1      UG    0    3      eth1 
 

This is what my routing table looks like (x'd out my external IP addresses).

My 10.x VLAN network looks identical to my 192 (Home/Office) built-in network.

Mahalo
join:2000-12-20
united state

Mahalo

Member

Something to try. At the bottom of this page »blog.jeffreyberg.net/wp- ··· 7881.png add a route for the 10 network. You may try specifying its GW as 192.168.2.1. I have used that section before when I extended my network and was using a 10 network on the remote switch. There is also a default route option there that you may want to try.
philow
join:2014-03-25

philow

Member

said by Mahalo:

Something to try. At the bottom of this page »blog.jeffreyberg.net/wp- ··· 7881.png add a route for the 10 network. You may try specifying its GW as 192.168.2.1. I have used that section before when I extended my network and was using a 10 network on the remote switch. There is also a default route option there that you may want to try.

I tried this but it still did not work :-/ I am beginning to think there is a bug in the firmware. I would like to figure this out, though.

Mahalo
join:2000-12-20
united state

Mahalo

Member

I have an idea of what you are trying to do, but why for one PC? I am not seeing the benefit (yet) of separating traffic for one PC for security or bandwidth purposes. If everything is connecting to one device (AT router), the switch does its thing to isolate the traffic to the device connected on that port, and a VLAN is not helping control bandwidth. Can you expand on the goal/requirement?
philow
join:2014-03-25

philow

Member

The reason I do this is because I have a Web Server that I put on the VLAN and then I write rules to keep that VLAN from communicating with the rest of the network. I may also add computers with a hub to that network later.

And it was easy with the Rev D router.

Big Hype
@verizon.net

Big Hype to philow

Anon

I wish I had a solution, but I am experiencing the same problem. I had to make a few assumptions since there were a couple of places where the step-by-step instructions did not match. I have searched the net for additional information and reached out to Actiontec, but I have come up dry. I will continue to come back here and check for updates.

Mahalo
join:2000-12-20
united state

Mahalo to philow

Member

Spent a couple of hours last night trying to get it to work and never could. Tried multiple variations of the setup and nothing would let it route out to the Internet or see another network. Tried multiple variations of the setup. Researched the net, read the manuals, etc. It's broke, sir.
philow
join:2014-03-25

philow

Member

said by Mahalo:

It's broke, sir.

That is kinda what I was coming up with. So I tried to use some IP ranges to see if I could do something without a VLAN.

I set the DHCP server to serve up 192.168.1.2 - 192.168.1.199.
Then I put my servers in 200-254.
I then created an advanced firewall rule as follows:

Home network
Source 192.168.1.200-192.168.1.254
Destination 192.168.1.2-192.168.1.199
Drop

With the above I could still ping in either direction.

So I moved that same rule to the Ethernet/Coax, and then I could not ping in either direction. My goal, and how I had it when I was using the VLAN, was to not allow the servers to access my home network, but the home network could access the servers. This worked awesome on the Rev D with the VLAN.

Ideas on what I might try short of adding another router?
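The ping test above behaves as it does for two reasons that are easy to see with a small model. First, two hosts in 192.168.1.0/24 talk to each other through the switch at layer 2, so a rule bound to the "Home network" interface on the router never sees that traffic. Second, a drop rule that is judged packet by packet (no connection tracking) blocks the server's echo replies as well as the server's own pings, which is a both-directions failure; only a stateful rule that lets return traffic of home-initiated flows through gives the intended one-way policy. The thread does not say whether the Actiontec's advanced rule tracks state, so the Python below is an added illustration, not the router's logic: it models both behaviours over constructed packets that mirror the post's test, with the address ranges taken from the post.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges from the post: DHCP clients in .2-.199, servers in .200-.254.
HOME = (ipaddress.ip_address("192.168.1.2"), ipaddress.ip_address("192.168.1.199"))
SERVERS = (ipaddress.ip_address("192.168.1.200"), ipaddress.ip_address("192.168.1.254"))
LAN = ipaddress.ip_network("192.168.1.0/24")


def in_range(addr: str, rng) -> bool:
    return rng[0] <= ipaddress.ip_address(addr) <= rng[1]


def crosses_router(src: str, dst: str) -> bool:
    """Two hosts of one subnet exchange frames via the switch at layer 2;
    a rule bound to that LAN interface on the router never sees them."""
    return not (ipaddress.ip_address(src) in LAN and ipaddress.ip_address(dst) in LAN)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


class StatelessDrop:
    """The rule as posted (drop SERVERS -> HOME), applied packet by packet."""

    def decide(self, pkt: Packet) -> str:
        if in_range(pkt.src, SERVERS) and in_range(pkt.dst, HOME):
            return "DROP"
        return "ACCEPT"


class StatefulDrop:
    """Same rule, but replies to a flow that HOME started are accepted, as a
    connection-tracking firewall does for ESTABLISHED traffic (simplified:
    real conntrack also keys on ports / ICMP ids)."""

    def __init__(self):
        self.flows = set()  # (initiator, responder, proto)

    def decide(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.src, pkt.proto) in self.flows:
            return "ACCEPT"  # return traffic of a flow already allowed
        if in_range(pkt.src, SERVERS) and in_range(pkt.dst, HOME):
            return "DROP"  # a server trying to open a new flow toward home
        self.flows.add((pkt.src, pkt.dst, pkt.proto))
        return "ACCEPT"


# Constructed traffic mirroring the post's ping test, in order.
SCENARIO = [
    Packet("192.168.1.5", "192.168.1.201"),   # home pings server: echo request
    Packet("192.168.1.201", "192.168.1.5"),   # server answers: echo reply
    Packet("192.168.1.201", "192.168.1.10"),  # server pings home: new flow
]


def run(filter_, packets) -> list:
    """Return the filter's verdict for each packet, in order."""
    return [filter_.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(StatelessDrop(), SCENARIO))  # ['ACCEPT', 'DROP', 'DROP']
    print("stateful: ", run(StatefulDrop(), SCENARIO))   # ['ACCEPT', 'ACCEPT', 'DROP']
```

The stateless verdicts are the "cannot ping in either direction" result; the stateful ones are the policy the post wants. Either way, the filter only helps once the servers sit on a different segment than the clients (a VLAN or a second subnet) so that their traffic actually passes through the router.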

Mahalo
join:2000-12-20
united state

Mahalo

Member

As to adding another router, here are your options: »Verizon FiOS FAQ »What are the tradeoffs between the various router configurations

Another option that will work: you can add a managed switch behind one port and have the switch handle the DHCP as well. You would need to add the route to the switch in the AT that I mentioned previously above. Example: uplink interface with the address 10.1.1.1, route added to the AT for 10.1.1.0/24, set up a VLAN that hands out 10.1.1.2-254.
elefante72
join:2010-12-03
East Amherst, NY


elefante72

Member

The newer switches use the Marvell Avanta 88F6560 SoC, and according to the spec sheets they don't mention support for port-based VLANs. In fact, none of the newer GWs that use Avanta chips are supported by OpenWrt or DD-WRT, most likely due to drivers.

If they do support PVID and this is not working, likely the VLAN you are creating is not tagged to the processor, or it requires a bridge to the processor (no routing). I don't know that hardware, so I couldn't tell you. Some processors support access, general, or tagged, or a combo. All of them are configured differently and depend upon the driver writer.

The likely issue could be the firewall. Try turning that off.

And pinging does not mean you will have connectivity. Most residential firewalls let ICMP traffic through, but anything at L2 in residential hardware they will typically block if FW rules aren't set up correctly.

Avanta family
-------------

Flavors:
88F6510
88F6530P
88F6550
88F6560
Homepage : »www.marvell.com/broadband/
Product Brief: »www.marvell.com/broadban ··· rief.pdf
No public datasheet available.

Core: ARMv5 compatible

Linux kernel mach directory: no code in mainline yet, planned for the future
Linux kernel plat directory: no code in mainline yet, planned for the future

If you have free time:

»opensource.actiontec.com ··· 0-readme
philow
join:2014-03-25

philow

Member

Thanks for this info! I will try with the firewall completely off. I used the ping test to make it easy, but even when I forward port 80 and try to hit it, the same scenario as I stated above happens, because both servers and one of the workstations are configured to serve up a default web page. Thanks again to all. If I find a way to get this to work I will write up the instructions.
philow

philow

Member

Just thought I would let everyone know I turned off the firewall, but that did not help. Did some more testing as well. After I create the VLAN I can reach the VLAN address from my normal network. But if I put a computer on the VLAN it cannot reach its gateway.

192.168.1.x can reach the 10.0.0.1 VLAN address.
10.0.0.2 plugged into Ethernet port 4 (where I set the VLAN) cannot reach 10.0.0.1.

guppy_fish
Premium Member
join:2003-12-09
Palm Harbor, FL

guppy_fish

Premium Member

What are your network rules? As in, what is the size of the network for your 10.*.*.* network? Is it /24, /30, etc.?

This all sounds like you don't understand routes and subnets and expect the router to generate these for you.

You say your /24 192 network can reach the 10 network, so what does that route look like?

What was at the 10.0.0.1 address to test with?
philow
join:2014-03-25

philow

Member

Subnet is 10.0.0.0/24. This is set on Ethernet port 4 with ingress tagged.

My route table looks like the one posted above:

Source             Destination        Gateway            Flags DSCP Metric Interface       
0.0.0.0/0          10.0.0.0/24        *                  U     0    4      br0.100         
0.0.0.0/0          xxx.xxx.xxx.0/24   *                  U     0    3      eth1            
0.0.0.0/0          192.168.2.0/24     *                  U     0    4      br0             
0.0.0.0/0          0.0.0.0/0          xxx.xxx.xxx.1      UG    0    3      eth1
 

10.0.0.1 is the router itself. I can log in using that IP, or ping it using either 192.168.2.1 or 10.0.0.1, from the 192.168.2.* network. The 10.0.0.* network cannot reach the Internet or even the router itself.
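What the posted table does and does not decide can be checked by replaying the router's forwarding logic over it. Both 10.0.0.0/24 (br0.100) and 192.168.2.0/24 (br0) are directly connected entries, so a packet between the two subnets is forwarded by the router without any extra route, and a packet from 10.0.0.2 to the router's own 10.0.0.1 is delivered on the br0.100 segment without a route lookup at all. The failing case in the post is therefore below the routing layer: whether frames from port 4 reach br0.100 in the first place (the tagged-versus-untagged question raised in this thread) is something no routing table can show. The Python below is an added example, not anything from the thread or the Actiontec firmware; it parses a constructed copy of the posted table, with 203.0.113.0/24 (an RFC 5737 documentation range) standing in for the x'd-out external prefix, and does longest-prefix matching the way a kernel does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the routing table posted in the thread. The poster x'd
# out the external prefix; 203.0.113.0/24 stands in for it here and is an
# assumption, not a value from the page.
ROUTE_TABLE = """\
Source             Destination        Gateway            Flags DSCP Metric Interface
0.0.0.0/0          10.0.0.0/24        *                  U     0    4      br0.100
0.0.0.0/0          203.0.113.0/24     *                  U     0    3      eth1
0.0.0.0/0          192.168.2.0/24     *                  U     0    4      br0
0.0.0.0/0          0.0.0.0/0          203.0.113.1        UG    0    3      eth1
"""


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected ('*')
    metric: int
    iface: str


def parse_routes(text: str) -> list:
    """Parse the router's 'Source Destination Gateway ...' table, skipping the header."""
    routes = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        _src, dest, gw, _flags, _dscp, metric, iface = line.split()
        routes.append(Route(
            dest=ipaddress.ip_network(dest),
            gateway=None if gw == "*" else ipaddress.ip_address(gw),
            metric=int(metric),
            iface=iface,
        ))
    return routes


def lookup(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match; the lower metric wins among equal-length prefixes."""
    candidates = [r for r in routes if ipaddress.ip_address(dst) in r.dest]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric))


def connected_segment(routes: list, addr: str) -> Optional[str]:
    """Interface on which addr is directly reachable, or None if only via a gateway."""
    r = lookup(routes, addr)
    return r.iface if r is not None and r.gateway is None else None


def forwarding_decision(routes: list, src: str, dst: str) -> str:
    """Describe what the router does with a packet src -> dst per the table."""
    seg = connected_segment(routes, src)
    if seg is not None and seg == connected_segment(routes, dst):
        # Same connected segment: delivered at layer 2, no route is consulted.
        return f"same segment ({seg}): layer-2 delivery, no route lookup"
    r = lookup(routes, dst)
    if r is None:
        return "no route"
    hop = "direct" if r.gateway is None else f"gateway {r.gateway}"
    return f"forward out {r.iface} ({r.dest}) {hop}"


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for src, dst in [("10.0.0.2", "10.0.0.1"), ("10.0.0.2", "192.168.2.50"),
                     ("192.168.2.50", "10.0.0.2"), ("10.0.0.2", "8.8.8.8")]:
        print(f"{src:>13} -> {dst:<13} {forwarding_decision(table, src, dst)}")
```

Run it and the 10.0.0.2 -> 10.0.0.1 case prints as a same-segment delivery on br0.100, which is exactly the hop that fails in the post; the routing table gives it nothing to do, so the place to look is the port's VLAN membership and tagging, not the routes.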

guppy_fish
Premium Member
join:2003-12-09
Palm Harbor, FL

guppy_fish

Premium Member

If you have tagging enabled, you would need a VLAN-capable hub or router at the other end of that port, then a regular client device.

Also, your table doesn't make sense; there are no routes from the 10.* to 192.* networks.

Again, do some reading about what VLANs are, what routes are, what subnets are.
philow
join:2014-03-25

philow

Member

Guppy_fish, I do not discount what you are saying. You more than likely know more about this than I do. I was merely stating that this exact configuration worked on my Rev. D router but is not working on my Rev. I router. Maybe it was the Rev. D router that was not functioning as it should and I just got used to that.

Thanks and I will read more.

Mahalo
join:2000-12-20
united state

Mahalo to guppy_fish

Member

said by guppy_fish:

"you would need a vlan capable hub or router at the other end of that port"

Care to explain how a hub is VLAN capable? You didn't say switch.
said by guppy_fish:

"then a regular client device."

I can configure my PC NIC for VLANs.

Lastly, have you tried setting up Philow's scenario and knowing if it works or not? Philow is not looking for the easy answer since you can tell he/she has done some research and performed some testing.

dennismurphy
Put me on hold? I'll put YOU on hold
Premium Member
join:2002-11-19
Parsippany, NJ

dennismurphy to philow

Premium Member

I also was trying to play with some VLANs on the Rev I... Part of the issue I ran into was that my wireless and wired clients ended up in two different DHCP scopes.

I gave up and went back to a single VLAN. What I was trying to do was isolate a new UniFi access point onto its own VLAN so I can provide guest access at my house without putting them on my LAN ... the UniFi has a mechanism that supposedly filters traffic to the rest of my LAN when a guest signs in, but it's a bit of black magic and I don't quite know how it works, so I hesitate to trust it fully.

Either way, seems for right now, I'm a bit stuck. I do have a VLAN capable switch behind the Rev I, so maybe I could do some VLAN trunking and assign the UniFi to a separate VLAN on the switch side .... hmm. Gotta think that through. Will the Rev I let me assign a different DHCP scope to an individual VLAN even if it's trunked?
elefante72
join:2010-12-03
East Amherst, NY

elefante72

Member

If you can't get VLANs working on your Actiontec router, as it were, then you can't trunk. Trunking is typically used for ISL between switches. Not sure what you are saying.

Your best bet is to find a router or AP and put OpenWrt on it. It has excellent VLAN support and multi-DHCP. I'm running a customer with six VLANs on a TP-Link WDR3600... not an issue, and using complex firewall rules and fully isolated WiFi. It can do virtual WiFi connections. TP-Link can't do general ports, but most low-end stuff can't; trunked and access ports, no problem.

You could also get a smart switch and set up filter rules, as VLAN at the router isn't working.

dennismurphy
Put me on hold? I'll put YOU on hold
Premium Member
join:2002-11-19
Parsippany, NJ

dennismurphy

Premium Member

said by elefante72:

If you can't get VLANs working on your Actiontec router, as it were, then you can't trunk. Trunking is typically used for ISL between switches. Not sure what you are saying.

Your best bet is to find a router or AP and put OpenWrt on it. It has excellent VLAN support and multi-DHCP. I'm running a customer with six VLANs on a TP-Link WDR3600... not an issue, and using complex firewall rules and fully isolated WiFi. It can do virtual WiFi connections. TP-Link can't do general ports, but most low-end stuff can't; trunked and access ports, no problem.

You could also get a smart switch and set up filter rules, as VLAN at the router isn't working.

I will continue to use the Actiontec. I'm not buying some other router.

My issue with the VLANs wasn't that it didn't work, but that I ended up having to put wireless and wired clients in different DHCP scopes if I enabled port-based VLANs.

My question was simple, if I enable VLAN tagging, can I assign a different DHCP scope to each VLAN? If I do this, I can untag the packets on my switch and then hopefully have my wireless and most wired clients in the same DHCP scope, with my 'guest' VLAN in a separate scope. I can then firewall between the two VLANs as necessary.

The Actiontec is a powerful router - I just have to understand its full capabilities first.

Do you actually have FiOS? If so, you'd understand my reasoning for using it. Performance of the Actiontec has proven to be very good - I have both a Rev G and a Rev I, both of which are more than capable of handling the line rate of my 75/35 connection. So is my core switch behind it (HP 1810) and my edge switches (various HP models).

This is just a question of managing DHCP scopes... I didn't want to experiment and disrupt the entire house (it's a pain when things start readdressing themselves), but I guess I have to.
philow
join:2014-03-25

philow

Member

Dennis, when I used the first link in my OP (Actiontec Support PDF) on the Rev. D router, I did not need to separate the "Home Network" bridge that is created, and all the Ethernet ports pulled from the same DHCP as the WiFi AP, except the Ethernet port I assigned to the VLAN. I gave it a different IP with its own DHCP. Then I was able to write rules around that. (BTW, this is what I am trying to do on the Rev I.)

Initial install of the Actiontec router is to have a bridge called "Home Network". This bridge has the WiFi AP, the Ethernet ports, and the internal coax for the STBs all pulling from the same subnet and DHCP. In the Jeffrey Berg blog link in my OP he said to remove the Ethernet from the bridge. That gives the Ethernet its own IP and DHCP.

I have not played with a Rev G, only my Rev D, and I am trying to work on my Rev I.

If you do need to break the bridge, you might be able to create two VLANs: one for the port you want, and then put the other 3 ports into the second VLAN and bridge that VLAN to the "Home Network" bridge. I have never tried that, but who knows. Good luck!
Springbok
join:2002-09-13
Leander, TX

Springbok to philow

Member

I hesitate to post since I don't remember all the details, but I have used my Actiontec Rev I with VLANs, both creating a trunk on a port and assigning PVIDs to ports. I do remember needing to add routes for the inter-subnet routing to prevent all inbound traffic from just flowing out the WAN.
philow
join:2014-03-25

philow

Member

This at least gives me hope.
Springbok
join:2002-09-13
Leander, TX

Springbok

Member

Yeah, the menus are not straightforward; you basically have to click through them all to make sure you have something set up right. And keep your default password handy; I remember having to reset to factory defaults a few times.

dennismurphy
Put me on hold? I'll put YOU on hold
Premium Member
join:2002-11-19
Parsippany, NJ

dennismurphy

Premium Member

said by Springbok:

Yeah, the menus are not straightforward; you basically have to click through them all to make sure you have something set up right. And keep your default password handy; I remember having to reset to factory defaults a few times.

Yep, exactly. I'm going to have to set up a lab environment using my spare Rev G + spare HP 1810 switch. That might help so I can test the living daylights out of this to get a procedure that works.