philow
Member
2014-Mar-25 4:11 pm
VLAN configuration on MI424WR Gen 3 Rev. I
I just got one of these Gen3 Rev. I routers. Before that I had a Rev. D. I created a VLAN on my Rev D using the directions at this site: support.actiontec.com/doc_files/Creating_an_Ethernet_VLAN.pdf Using those same directions and the directions here: » blog.jeffreyberg.net/?p=56 I have tried to create a VLAN on my Rev I, and the computer connected to the ethernet port shows up with the new IP address in network status, but I cannot ping it from the router and it does not have any Internet access. I have been pulling my hair out trying to make this work and I am starting to wonder if it is not a bug in the firmware for the router. I am running version 40.21.10.3. I am trying to segment an ethernet port to, say, 10.0.0.x so I can keep it off my normal 192.168.1.x network. As I said, I had this working on my Rev. D router. Has anyone successfully created a VLAN on this router? If so, can you give me some pointers? Thanks!
guppy_fish Premium Member join:2003-12-09 Palm Harbor, FL
Have you put in static routes from the new VLAN to the WAN or other LAN?
philow
Member
2014-Mar-25 9:19 pm
I have not, but it was not required with the Rev D. I can try that, but what would the route be from the router to ping the computers on the VLAN?
guppy_fish Premium Member join:2003-12-09 Palm Harbor, FL
to philow
Routers "route" from different networks; this requires defined routes.
A VPN network requires a route both to and from the WAN and/or the other LAN networks, otherwise they are islands unto themselves.
philow
Member
2014-Mar-26 9:28 am
Agreed, but I am not trying to make a VPN. I am trying to split off a VLAN on a couple of physical ethernet ports.
philow
Member
2014-Mar-26 10:12 am
Source     Destination       Gateway        Flags  DSCP  Metric  Interface
0.0.0.0/0  10.0.0.0/24       *              U      0     4       br0.100
0.0.0.0/0  xxx.xxx.xxx.0/24  *              U      0     3       eth1
0.0.0.0/0  192.168.2.0/24    *              U      0     4       br0
0.0.0.0/0  0.0.0.0/0         xxx.xxx.xxx.1  UG     0     3       eth1
This is what my routing table looks like (x'd out my external IP addresses). My 10. VLAN network looks identical to my 192 (Home/Office) built-in network.
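As an added illustration (my own Python, not code from the thread or from Actiontec), the table above can be parsed and queried with the longest-prefix-match rule that routers use, which shows which interface and next hop each destination resolves to. The x'd-out WAN prefix is replaced with a constructed placeholder from the 203.0.113.0/24 documentation range.

```python
import ipaddress

# Routing table as posted in the thread. The masked WAN prefix and gateway are
# replaced here with constructed documentation-range placeholders.
ROUTING_TABLE = """\
Source Destination Gateway Flags DSCP Metric Interface
0.0.0.0/0 10.0.0.0/24 * U 0 4 br0.100
0.0.0.0/0 203.0.113.0/24 * U 0 3 eth1
0.0.0.0/0 192.168.2.0/24 * U 0 4 br0
0.0.0.0/0 0.0.0.0/0 203.0.113.1 UG 0 3 eth1
"""


def parse_routes(text):
    """Turn the router's table into (destination network, gateway or None, interface)."""
    routes = []
    for line in text.splitlines()[1:]:  # first row is the column header
        _src, dst, gw, _flags, _dscp, _metric, iface = line.split()
        gateway = None if gw == "*" else ipaddress.ip_address(gw)
        routes.append((ipaddress.ip_network(dst), gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match (assumed standard semantics): the most specific
    destination prefix wins; returns (interface, next hop or 'connected')."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    _net, gw, iface = best
    return (iface, "connected" if gw is None else str(gw))


if __name__ == "__main__":
    table = parse_routes(ROUTING_TABLE)
    for target in ("192.168.2.10", "10.0.0.2", "8.8.8.8"):
        print(target, "->", lookup(table, target))
```

Both a host on the 192.168.2.0/24 side and the Internet resolve through routes already present (a connected route and the default route), so a VLAN host that cannot even reach its directly connected gateway at 10.0.0.1 is failing before this lookup is ever consulted.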
Mahalo join:2000-12-20 united state
Mahalo
Member
2014-Mar-26 10:50 am
Something to try. At the bottom of this page » blog.jeffreyberg.net/wp- ··· 7881.png add a route for the 10 network. You may try specifying its GW as 192.168.2.1. I have used that section before when I extended my network and used a 10 network on the remote switch. There is also a default route option there as well that you may want to try.
philow
Member
2014-Mar-26 11:43 am
said by Mahalo: Something to try. At the bottom of this page » blog.jeffreyberg.net/wp- ··· 7881.png add a route for the 10 network. You may try specifying its GW as 192.168.2.1. I have used that section before when I extended my network and using a 10 network on the remote switch. There is also a default route option there as well that you may want to try.
I tried this but it still did not work :-/ I am beginning to think there is a bug in the firmware. I would like to figure this out though.
Mahalo join:2000-12-20 united state
Mahalo
Member
2014-Mar-26 12:03 pm
I have an idea of what you are trying to do, but why for one PC? I am not seeing the benefit (yet) of separating traffic for one PC for security or bandwidth purposes. If everything is connecting to one device (AT router), the switch does its thing to isolate the traffic to the device connected on that port, and a VLAN is not helping control bandwidth. Can you expand on the goal/requirement?
philow
Member
2014-Mar-26 12:25 pm
The reason I do this is because I have a web server that I put on the VLAN, and then I write rules to keep that VLAN from communicating with the rest of the network. I may also add computers with a hub to that network later. And it was easy with the Rev D router.
Big Hype
Anon
2014-Mar-26 9:14 pm
to philow
I wish I had a solution, but I am experiencing the same problem. I had to make a few assumptions since there were a couple of places the step-by-step instructions did not match. I have searched the net for additional information and reached out to Actiontec, but I have come up dry. I will continue to come back here and check for updates.
Mahalo join:2000-12-20 united state
to philow
Spent a couple of hours last night trying to get it to work and never could. Tried multiple variations of the setup and nothing would let it route out to the internet or see another network. Tried multiple variations of the setup. Researched the net, read the manuals, etc. It's broke, sir.
philow
Member
2014-Mar-27 2:21 pm
That is kinda what I was coming up with. So I tried to use some IP ranges to see if I could do something without a VLAN. I set the DHCP Server to serve up 192.168.1.2 - 192.168.1.199, then put my servers in the 200-254 range. I then created an advanced firewall rule as follows:
Home network
Source 192.168.1.200-192.168.1.254
Destination 192.168.1.2-192.168.1.199
Drop
With the above I could still ping in either direction. So I moved that same rule to the Ethernet/Coax and then I could not ping in either direction. My goal, and how I had it when I was using the VLAN, was to not allow the servers to access my home network, but the home network could access the servers. This worked awesome on the Rev D with the VLAN. Ideas on what I might try short of adding another router?
Mahalo join:2000-12-20 united state
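An added example (my own Python, not code from the thread or the Actiontec firmware) of the two things that decide whether a drop rule like the one above can give the one-way access described: whether the router is in the path at all, and whether replies to home-initiated connections are tracked. The host addresses are constructed; the server side uses the thread's 10.0.0.0/24 VLAN subnet.

```python
import ipaddress

# Constructed addressing for the stated goal: servers on the VLAN subnet, the
# rest of the house on the Home Network subnet. Hypothetical host addresses.
SERVER_NET = ipaddress.ip_network("10.0.0.0/24")
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
SERVER, WORKSTATION = "10.0.0.2", "192.168.1.50"


def router_sees(src, dst):
    """Hosts in one subnet are switched at layer 2, so a router-side rule never
    sees their traffic; only traffic crossing subnets passes through the router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in net and d in net for net in (SERVER_NET, HOME_NET))


def stateless_drop(src, dst):
    """A rule like the one posted: drop anything from the server side toward home."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "drop" if s in SERVER_NET and d in HOME_NET else "accept"


class StatefulFilter:
    """Same drop rule, but replies to flows the home side opened are let back."""

    def __init__(self):
        self.established = set()  # (src, dst) pairs of accepted requests

    def __call__(self, src, dst):
        if (dst, src) in self.established:  # this packet answers an accepted flow
            return "accept"
        verdict = stateless_drop(src, dst)
        if verdict == "accept":
            self.established.add((src, dst))
        return verdict


def exchange(policy, client, server):
    """Verdicts for the client's request and the server's reply, or None when the
    router is not in the path (same-subnet traffic) and the rule cannot apply."""
    if not router_sees(client, server):
        return None
    return (policy(client, server), policy(server, client))


if __name__ == "__main__":
    print("same subnet:", exchange(stateless_drop, "192.168.1.210", WORKSTATION))
    print("stateless, home -> server:", exchange(stateless_drop, WORKSTATION, SERVER))
    print("stateful, home -> server:", exchange(StatefulFilter(), WORKSTATION, SERVER))
    print("stateful, server -> home:", exchange(StatefulFilter(), SERVER, WORKSTATION))
```

A stateless drop on server-to-home traffic also drops the servers' replies, so a home-initiated connection fails in both directions, while a rule that admits established replies gives the intended one-way access; hosts sharing one subnet never traverse the router's rules at all.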
Mahalo
Member
2014-Mar-27 2:55 pm
As to adding another router, here are your options: » Verizon FiOS FAQ » What are the tradeoffs between the various router configurations. Another option that will work: you can add a managed switch behind one port and have the switch handle the DHCP as well. You would need to add the route to the switch in the AT that I mentioned previously above. Example: uplink interface with the address 10.1.1.1, route added to the AT for 10.1.1.0/24, set up a VLAN that hands out 10.1.1.2-254.
The newer switches use the Marvell Avanta 88F6560 SoC in them, and according to the spec sheets they don't mention support for port-based VLANs. In fact none of the newer GWs that use Avanta chips are supported with OpenWrt or DD-WRT, most likely due to drivers. If they do support PVID and this is not working, likely the VLAN you are creating is not tagged to the processor or it requires a bridge to the processor (no routing). I don't know that hardware, so I couldn't tell you. Some processors support access, general, or tagged, or a combo. All of them are configged differently and depend upon the driver writer. The likely issue could be firewall. Try turning that off. And pinging does not mean you will have connectivity. Most res firewalls let ICMP traffic through, but anything in L2 in residential hardware they will typically block if fw rules aren't set up correctly.
Avanta family
-------------
Flavors: 88F6510 88F6530P 88F6550 88F6560
Homepage: » www.marvell.com/broadband/
Product Brief: » www.marvell.com/broadban ··· rief.pdf
No public datasheet available.
Core: ARMv5 compatible
Linux kernel mach directory: no code in mainline yet, planned for the future
Linux kernel plat directory: no code in mainline yet, planned for the future
If you have free time: » opensource.actiontec.com ··· 0-readme
philow
Member
2014-Mar-27 9:45 pm
Thanks for this info! I will try with the firewall completely off. I used the ping test to make it easy, but even when I forward port 80 and try to hit it, the same scenario as I stated above happens, because both servers and one of the workstations are configured to serve up a default web page. Thanks again to all. If I find a way to get this to work I will write up the instructions.
philow
Member
2014-Mar-30 10:36 am
Just thought I would let everyone know I turned off the firewall but that did not help. Did some more testing as well. After I create the VLAN I can reach the VLAN address from my normal network. But if I put a computer on the VLAN it cannot reach its gateway.
192.168.1.x can reach 10.0.0.1 (VLAN address). 10.0.0.2, plugged into ethernet port 4 (where I set the VLAN), cannot reach 10.0.0.1.
guppy_fish Premium Member join:2003-12-09 Palm Harbor, FL
What are your network rules? As in, what is the size of the network for your 10.*.*.* network? Is it /24, /30, etc.?
This all sounds like you don't understand routes and subnets and expect the router to generate these for you?
You say your /24 192 network can reach the 10 network, so what does that route look like?
What was at the 10.0.0.1 address to test with?
philow
Member
2014-Mar-30 12:52 pm
Subnet is 10.0.0.0/24. This is set on ethernet port 4 with ingress tagged. My route table looks like the one posted above:
Source     Destination       Gateway        Flags  DSCP  Metric  Interface
0.0.0.0/0  10.0.0.0/24       *              U      0     4       br0.100
0.0.0.0/0  xxx.xxx.xxx.0/24  *              U      0     3       eth1
0.0.0.0/0  192.168.2.0/24    *              U      0     4       br0
0.0.0.0/0  0.0.0.0/0         xxx.xxx.xxx.1  UG     0     3       eth1
10.0.0.1 is the router itself. I can login using that IP or ping it using both 192.168.2.1 or 10.0.0.1 from the 192.168.2.* network. The 10.0.0.* network cannot reach the Internet or even the router itself.
guppy_fish Premium Member join:2003-12-09 Palm Harbor, FL
If you have tagging enabled, you would need a VLAN-capable hub or router at the other end of that port, then a regular client device.
Also, your table doesn't make sense: there are no routes from the 10* to 192* networks.
Again, do some reading about what VLANs are, what routes are, what subnets are.
philow
Member
2014-Mar-30 9:18 pm
Guppy_fish, I do not discount what you are saying. You more than likely know more about this than I do. I was merely stating that this exact configuration worked on my Rev. D router but is not working on my Rev. I router. Maybe it was the Rev. D router that was not functioning as it should and I just got used to that. Thanks, and I will read more.
Mahalo join:2000-12-20 united state
to guppy_fish
said by guppy_fish: "you would need a vlan capable hub or router at the other end of that port"
Care to explain how a hub is VLAN capable? You didn't say switch.
said by guppy_fish: "then a regular client device."
I can configure my PC NIC for VLANs. Lastly, have you tried setting up Philow's scenario and knowing if it works or not? Philow is not looking for the easy answer since you can tell he/she has done some research and performed some testing.
dennismurphy (Put me on hold? I'll put YOU on hold) Premium Member join:2002-11-19 Parsippany, NJ
to philow
I also was trying to play with some VLANs on the Rev I... part of the issue I ran into was that my wireless and wired clients ended up in two different DHCP scopes.
I gave up and went back to a single VLAN. What I was trying to do was isolate a new UniFi access point onto its own VLAN so I can provide guest access at my house without putting them on my LAN ... the UniFi has a mechanism that supposedly filters traffic to the rest of my LAN when a guest signs in, but it's a bit of black magic and I don't quite know how it works, so I hesitate to trust it fully.
Either way, seems for right now, I'm a bit stuck. I do have a VLAN-capable switch behind the Rev I, so maybe I could do some VLAN trunking and assign the UniFi to a separate VLAN on the switch side .... hmm. Gotta think that through. Will the Rev I let me assign a different DHCP scope to an individual VLAN even if it's trunked?
If you can't get VLANs working on your Actiontec router, as it were, then you can't trunk. Trunking is typically used for ISL between switches. Not sure what you are saying.
Your best bet is to find a router or AP and put OpenWrt on it. It has excellent VLAN support and multi DHCP. I'm running a customer with six VLANs on a TP-Link WDR3600... not an issue, and using complex firewall rules and fully isolated WiFi... It can do virtual WiFi connections. TP-Link can't do general ports, but most low end stuff can't; trunked and access ports, no problem.
You could also get a smart switch and set up filter rules as VLAN at the router isn't working.
dennismurphy (Put me on hold? I'll put YOU on hold) Premium Member join:2002-11-19 Parsippany, NJ
said by elefante72: If you can't get VLANs working on your Actiontec router, as it were, then you can't trunk. Trunking is typically used for ISL between switches. Not sure what you are saying. Your best bet is to find a router or AP and put OpenWrt on it. It has excellent VLAN support and multi DHCP. I'm running a customer with six VLANs on a TP-Link WDR3600... not an issue, and using complex firewall rules and fully isolated WiFi... It can do virtual WiFi connections. TP-Link can't do general ports, but most low end stuff can't; trunked and access ports, no problem. You could also get a smart switch and set up filter rules as VLAN at the router isn't working.
I will continue to use the Actiontec. I'm not buying some other router. My issue with the VLANs wasn't that it didn't work, but that I ended up having to put wireless and wired clients in different DHCP scopes if I enabled port-based VLANs. My question was simple: if I enable VLAN tagging, can I assign a different DHCP scope to each VLAN? If I do this, I can untag the packets on my switch and then hopefully have my wireless and most wired clients in the same DHCP scope, with my 'guest' VLAN in a separate scope. I can then firewall between the two VLANs as necessary. The Actiontec is a powerful router - I just have to understand its full capabilities first. Do you actually have FiOS? If so, you'd understand my reasoning for using it. Performance of the Actiontec has proven to be very good - I have both a Rev G and a Rev I, both of which are more than capable of handling the line rate of my 75/35 connection. So is my core switch behind it (HP 1810) and my edge switches (various HP models). This is just a question of managing DHCP scopes... I didn't want to experiment and disrupt the entire house (it's a pain when things start readdressing themselves), but I guess I have to.
philow
Member
2014-Apr-1 1:12 pm
Dennis, when I used the first link in my OP (Actiontec Support PDF) on the Rev. D router, I did not need to separate the "Home Network" bridge that is created, and all the ethernet ports pulled from the same DHCP as the WiFi AP except the ethernet port I assigned to the VLAN. I gave it a different IP with its own DHCP. Then I was able to write rules around that. (BTW this is what I am trying to do on the Rev I.)
The initial install of the Actiontec router has a bridge called "Home Network". This bridge has the WiFi AP, the ethernet ports, and the internal coax for the STBs all pulling from the same subnet and DHCP. In the Jeffrey Berg blog link in my OP he said to remove the ethernet from the bridge. That gives the Ethernet its own IP and DHCP.
I have not played with a Rev G, only my Rev D, and trying to work on my Rev I.
If you do need to break the bridge you might be able to create two VLANs: one for the port you want, then put the other 3 ports into the second VLAN and bridge that VLAN to the "Home Network" bridge. I have never tried that, but who knows. Good luck!
to philow
I hesitate to post since I don't remember all the details, but I have used my Actiontec Rev I with VLANs, both creating a trunk on a port and assigning PVIDs to ports. I do remember needing to add routes for the inter-subnet routing to prevent all inbound traffic from just flowing out the WAN.
philow
Member
2014-Apr-2 12:12 pm
This at least gives me hope.
Yeah, the menus are not straightforward; you basically have to click through them all to make sure you have something set up right. And keep your default password handy; I remember having to reset to factory defaults a few times.
dennismurphy (Put me on hold? I'll put YOU on hold) Premium Member join:2002-11-19 Parsippany, NJ
said by Springbok: Yeah, the menus are not straightforward; you basically have to click through them all to make sure you have something set up right. And keep your default password handy; I remember having to reset to factory defaults a few times.
Yep, exactly. I'm going to have to set up a lab environment using my spare Rev G + spare HP 1810 switch. That might help so I can test the living daylights out of this to get a procedure that works.