Welcome to TP-LINK Tech Support Forum
  1. #16
    R1D2 (Members; joined Dec 2015; 1,139 posts)
    @RTouris, the EWAN concept is nothing other than a VLAN.

    @cayvman, the WRT54 always uses VLANs, whether you set up a second (guest) network or not:

    [Image: WRT54G_arch.png]

    The WRT54 SoC implements two Ethernet interfaces eth0 and eth1. eth1 is used for the WiFi, while eth0 is used for the 5-port Ethernet switch.

    In order to separate WAN from LAN, VLANs are used. LAN (4 ports) are usually eth0.1 (VLAN 1), the WAN port (Internet) is usually eth0.2 (VLAN 2). Note that in the picture above there is a different setup with VLAN 0 and VLAN 1, but this was changed a long time ago in favor of a more general VLAN layout. So the principle is still the same, although with other VLAN IDs nowadays.

    Actually the switch is a 6-port switch if you count the internal port leading to the CPU (internal port 5, not visible outside). This port 5 is a tagged port, meaning data packets from other ports to the CPU carry the VLAN ID in them, so the CPU can decide what is traffic from/to WAN and what is traffic from/to LAN.

    Now your guest network comes into play. If you add a guest network on the WRT54, it will be done by creating another virtual Ethernet interface (say, eth0.3, VLAN 3). Let's call this GLAN for guest LAN. So far VLAN 3 aka GLAN is unused, but as soon as you assign it to a virtual WiFi interface (a second SSID to simplify), it can be used wirelessly on the WiFi adapter of the WRT54. As soon as you assign a port, for example one of 0 to 3 (corresponding to port numbers 1 to 4 on the box), to VLAN 3 aka GLAN, devices connected to this port let you send/receive traffic from/to the guest network.

    So you have nothing more to do than assign a port (say, port 3, labeled 1 on the box) to eth0.3 (VLAN 3 / GLAN) to be able to connect the CPE through this port to the guest network. Either you use the web UI to do so or you use config files directly through the command line. I could tell you the content of the config file to have a port assigned to a VLAN, but I don't know the web UI's menu structure of DD-WRT (I don't use DD-WRT). If you are familiar with the command line, please post the content of file /etc/config/network. Alternatively, post a screenshot of the Network->Switch web page of the web UI. There must be a page where you can assign ports to networks/VLANs.

    There are also several HowTo articles for VLANs on the OpenWRT and DD-WRT web site, maybe these are of further help. This is actually no big deal.
    Last edited by R1D2; 04-06-2017 at 23:00.

  2. #17
    20 hours later, give or take a few, I believe I've finally been able to dedicate a port with a separate SSID and IP address on the wrt54gs. Will know for sure later this evening early morning as I can't muck with the network just now as the missus is watching something on the tube that requires internet. Will update when I'm able to test.

    If it works, the trick will be how to accomplish the same (dedicating a port) with the wrtac1200 router, which I'd prefer to use, newer and a couple of bells and whistles I'd like to be able to use.
    Last edited by cayvman; 04-07-2017 at 03:50. Reason: more input

  3. #18
    Success. Able to dedicate Port 4 of the WRT54 (configured with a separate SSID) and have the CPE plugged into that port. All is working great, thanks to you R1D2. Now, if I can get the WRTAC1200 configured with a dedicated port, that would be ideal.
    Here's a screen shot of the dd-wrt firmware showing what I have to work with.

    [Image: screenshot1.jpg]

    Question is if I telnet the router and send the following command nvram set vlan3ports="3" how should I complete the following command: nvram set vlan3hwname=?. Should it be br1 or ath1.1?

    If you have any thoughts would appreciate it.

    Thanks again for getting me this far.
    Last edited by cayvman; 04-07-2017 at 17:45.

  4. #19
    R1D2
    Quote: Originally Posted by cayvman
    Question is if I telnet the router and send the following command nvram set vlan3ports="3" how should I complete the following command: nvram set vlan3hwname=?. Should it be br1 or ath1.1?
    Glad it works for you. If you are using a bridge, you should set the hwname to br1. But what do you want to achieve with a bridge with only one interface assigned? It should also work with ath1.1 if you don't assign it to a bridge interface. To be honest, I didn't use DD-WRT at all, and with OpenWRT, NVRAM has been gone even on the WRT54 for a long time (it uses config files instead). So, if in doubt, please ask in the DD-WRT forum to be sure. The DD-WRT wiki talks about et0 for the WRT54's switch ports, but it might be outdated already or a typo, since you have eth1 instead.

  5. #20
    Quote: Originally Posted by R1D2
    . But what do you want to achieve with a bridge with only one interface assigned?.
    Agreed only one interface, but how or where would I assign that interface with a ssid?

  6. #21
    R1D2
    Quote: Originally Posted by cayvman
    Agreed only one interface, but how or where would I assign that interface with a ssid?
    In the wireless settings you should be able to assign the SSID to a network (GLAN or whatever you named it); this will create the link between ath1.1 and the WiFi interface (SSID). In the network settings the network is then assigned an interface such as br1 or ath1.1. If DD-WRT differs in this respect from OpenWRT, just find the place where you would assign br1 to the SSID and use ath1.1 instead.

  7. #22
    While we're still at it and looking for a moment back to the KISS principle as I outlined in page 1 of the current thread, could someone explain to me why following a much simpler approach would potentially "expose the personal network to the guest network when using the same router" (which btw is how things are done most of the time in that all are connected to a same modem/router) given that the CPE supports AP isolation for the Guest WiFi network SSID?

    Thanks!

  8. #23
    Quote: Originally Posted by R1D2
    In the wireless settings you should be able to assign the SSID to a network (GLAN or whatever you named it); this will create the link between ath1.1 and the WiFi interface (SSID). In the network settings the network is then assigned an interface such as br1 or ath1.1. If DD-WRT differs in this respect from OpenWRT, just find the place where you would assign br1 to the SSID and use ath1.1 instead.
    Still working at getting the wrtac1200 working. Have done as suggested and when I telnet the router, everything looks as it should. I've set up vlan3 to go to port 3 of the router. I've assigned vlan3 a separate ssid (192.168.3.1 router's id is 192.168.0.1). I've connected the router to the computer (without internet) and ran arp -a to see if the IP address is showing up. It does.
    However, when I connect the router to the modem and then the cpe210 to port 3 of the router, it's showing IP 192.168.0.xx as the address. So, I tried other ports on the router, knowing that sometimes port 3 in telnet can be port 4 or port 2 or port x. So, I plugged the cpe210 into each of the 4 ports and tested it and they all indicated 192.168.0.x as the IP address. I must be missing something in turning on the vlan3 to port 3.
    See screenshots below.

    [Images: screenshot1a.jpg, screenshot1b.jpg, screenshot1c.jpg]

  9. #24
    R1D2
    Quote: Originally Posted by cayvman
    However, when I connect the router to the modem and then the cpe210 to port 3 of the router, it's showing IP 192.168.0.xx as the address. So, I tried other ports on the router, knowing that sometimes port 3 in telnet can be port 4 or port 2 or port x. So, I plugged the cpe210 into each of the 4 ports and tested it and they all indicated 192.168.0.x as the IP address. I must be missing something in turning on the vlan3 to port 3.
    Did you ask in the DD-WRT forum already? They seem to have strange conventions.

    Usually, under Linux the interface name defines the VLAN ID. So, ath1.1 would be VLAN ID 1, ath1.2 VLAN ID 2 and so on. Names (e.g. VLAN3) are irrelevant, but NVRAM assignments could matter unless they obey the standard LINUX conventions. I can show you my setup for a guest network, maybe you can transfer the principle to DD-WRT. See http://forum.tp-link.com/showthread....l=1#post194548 for the following setup (ignore the part re trunking):

    (Sorry for formatting, no tables possible here):

    Network LAN:
    Interface: eth0.1
    VLAN ID: 1
    IP: 192.168.1.0
    Ports: 3, 4 (port 0 is the internal CPU port with my WDR4300 under OpenWRT)

    Network WAN:
    Interface eth0.2
    VLAN ID: 2
    IP: (DHCP)
    Port: 5 (internal port 5 is external port labeled "Internet")

    Network GUEST:
    Interface: eth0.3
    VLAN ID: 3
    IP: 192.168.7.0
    Ports: 1, 2


    Bridges
    (bridge for guest LAN only needed for port and WiFi interface, see note below):

    Interface for network LAN & WiFi: br0
    Members: eth0.1, wlan0, wlan1 (wlan0 is 2.4 GHz, wlan 1 is 5 GHz, SSID is "private")

    Interface for network GUEST & WiFi: br1
    Members: eth0.3, wlan0-1, wlan1-1 (wlanN-1 is the convention of OpenWRT for an additional wireless interface)

    If you don't use the WiFi of your main router, you don't need a bridge. In this case the GUEST VLAN is only accessible on ports 1 and 2, not by WiFi. These ports in network eth0.3 are the ones I connect the guest CPE to. Setup is pretty straight-forward, but DD-WRT uses another terminology (which seems much more complicated if you ask me).
    Last edited by R1D2; 04-08-2017 at 19:44.
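
The LAN/WAN/GUEST layout listed in the post above, written out as an OpenWrt `/etc/config/network` fragment. This is an added example, not part of the original post: the switch name `switch0`, the section names, the router addresses ending in `.1` and the /24 netmasks are assumptions, and switch port numbering differs between devices.

```uci
# /etc/config/network (constructed example; names and addresses are assumptions)

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 = LAN: external ports 3 and 4, plus the internal CPU port 0, tagged
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 3 4'

# VLAN 2 = WAN: port 5 (labeled "Internet"), CPU port tagged
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'

# VLAN 3 = GUEST: ports 1 and 2, where the guest CPE is plugged in
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 1 2'

# Bridge for the private network: eth0.1 plus every WiFi interface
# that carries "option network 'lan'" in /etc/config/wireless
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

# Bridge for the guest network: eth0.3 plus every WiFi interface
# that carries "option network 'guest'". Drop "option type 'bridge'"
# if the guest VLAN is only used on the wired ports.
config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.7.1'
	option netmask '255.255.255.0'
```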

  10. #25
    R1D2
    Quote: Originally Posted by RTouris
    While we're still at it and looking for a moment back to the KISS principle as I outlined in page 1 of the current thread, could someone explain to me why following a much simpler approach would potentially "expose the personal network to the guest network when using the same router" (which btw is how things are done most of the time in that all are connected to a same modem/router) given that the CPE supports AP isolation for the Guest WiFi network SSID?
    AP isolation is done in the WiFi chip. It prevents wireless clients from connecting to each other, although they are in the same subnet.

    Note that any client still can receive all wireless frames if he uses monitor mode on his WiFi adapter. Radio waves can't be "isolated", they are receivable by every receiver. So in monitor mode one can still spy on wireless frames being exchanged between any client and the AP, regardless of AP isolation. That's the reason why one should use WPA2 encryption in addition to AP isolation if the latter is applicable.

    AP isolation does not prevent routing in the kernel. It's just a restriction in respect to packet forwarding of the WiFi chip itself. So, if you have a private network (LAN) and a guest network (GUEST) sharing an Internet connection (WAN), routing and forwarding comes into play. Since the kernel has routes for each subnet and needs IP forwarding turned on to be able to reach the WAN, every packet from the GUEST network finds its way to the WAN, but also to the LAN if no firewall rules prevent this. Therefore, clients in the LAN are exposed to the GUEST network and vice versa. However, this applies only to setups where both wireless radios are tied to networks on the same router, e.g. on a WiFi router such as the Linksys WRT or TP-Link WR/WDR.

    If you connect a CPE, things are slightly different in so far that LAN devices are still reachable by clients in the GUEST network (b/c of the default route in the CPE), but not the other way around, since there is no subnet route pointing to the CPE as the gateway in charge. But LAN clients can still reach the CPE through its LAN IP b/c of the subnet route on the router.

    In both cases you have to ensure that the LAN and GUEST networks are isolated from each other. To do so, you create firewall rules for those networks. But to be able to access two isolated networks through a shared NIC, you need VLANs. The alternative would be to have two separate NICs, one for each network. VLANs are usually used to separate networks from each other b/c on most routers all ports (e.g. 1-4 "LAN" ports and 5 "Internet" port) are using the same (shared) NIC. There are devices using two NICs such as some routers from Buffalo and Netgear IIRC, but if you want to use two local networks, you need to create VLANs on those routers, too.

    This does in no way contradict the Keep it small & simple (KISS) principle (which often is translated as Keep it simple, stupid, but this is bullshit and was never meant with the original KISS principle as emphasized by Brian Kernighan and Ken Thompson, the inventors of UNIX).

    The fact that most people use a simpler setup is not related to KISS, but to the fact that they just don't care about security nowadays.
    Last edited by R1D2; 04-08-2017 at 20:02.
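
The firewall side of the isolation described in the post above, as an OpenWrt `/etc/config/firewall` fragment. This is an added example, not part of the original post: the zone names and the network names `lan`, `wan` and `guest` are assumptions, and the DHCP/DNS exceptions assume the router itself serves the guest subnet.

```uci
# /etc/config/firewall (constructed example; zone and network names are assumptions)

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Guest zone: nothing is forwarded unless a "forwarding" section allows it,
# and guests cannot open connections to the router itself (input REJECT).
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

# The only path out of the guest zone is the Internet. The weak setup is
# either a second forwarding with src 'guest' / dest 'lan', or listing the
# guest network inside the 'lan' zone: the kernel then routes guest packets
# into the private subnet regardless of AP isolation.
config forwarding
	option src 'guest'
	option dest 'wan'

# Guests still need an address and name resolution from the router.
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```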

  11. #26
    Quote: Originally Posted by R1D2
    Did you ask in the DD-WRT forum already? They seem to have strange conventions.
    I hadn't thought of that. duh! (scratch head). Will do that before I go any further. Thanks

  12. #27
    Quote: Originally Posted by R1D2
    @RTouris,
    There are also several HowTo articles for VLANs on the OpenWRT and DD-WRT web site, maybe these are of further help. This is actually no big deal.
    I've ditched DD-WRT for OpenWRT. However, OpenWRT is daunting, at least for me.
    Not sure where and how to configure the VLAN and where to establish the SSID and IP address for the VLAN. There don't seem to be any video tutorials on OpenWRT, except for the installation. If you could point me in the direction of the specifics I'd appreciate it.

  13. #28
    R1D2
    Switch Documentation
    Quote: Originally Posted by cayvman
    Not sure where and how to configure the VLAN and where to establish the SSID and IP Address for the VLAN. There doesn't seem to be any video tutorials on OpenWRT, except for the installation. If you could point me in the direction of the specifics I'd appreciate it.
    It's easy. There is a config file /etc/config/networks for networks (e.g. LAN), ethernet interfaces (e.g. eth0.1) and VLANs (e.g. the switch's port assignments to a network). That's all regarding the networks.

    Wireless settings are in /etc/config/wireless. There are the definitions for the WiFi adapters (e.g. radio0 defining its characteristics such as channel, tx power etc.) and WiFi interfaces (e.g. radio0.network0 defining an SSID and assignments to networks in the config file above). For each network there can be a wireless interface and therefore an own SSID (e.g. SSID private for network LAN, SSID guest for network GUEST and so on). Very straightforward.

    See following docs:
    Network configuration: https://wiki.openwrt.org/doc/uci/network
    Switch Documentation: https://wiki.openwrt.org/doc/uci/network/switch
    Wireless Documentation: https://wiki.openwrt.org/doc/uci/wireless
    Recipe: Configuration of a guest WLAN: https://wiki.openwrt.org/doc/recipes/guest-wlan

    You don't need to study each option in detail, but it should tell you enough about the interconnections between a network, the switch, VLANs and WLANs. Since this is basic Linux structure, everything also applies in principle to DD-WRT, although the latter uses NVRAM syntax to achieve the same.

  14. #29
    Quote: Originally Posted by R1D2
    Switch Documentation

    It's easy. There is a config file /etc/config/networks for networks (e.g. LAN), ethernet interfaces (e.g. eth0.1) and VLANs (e.g. the switch's port assignments to a network). That's all regarding the networks.

    Wireless settings are in /etc/config/wireless. There are the definitions for the WiFi adapters (e.g. radio0 defining its characteristics such as channel, tx power etc.) and WiFi interfaces (e.g. radio0.network0 defining an SSID and assignments to networks in the config file above). For each network there can be a wireless interface and therefore an own SSID (e.g. SSID private for network LAN, SSID guest for network GUEST and so on). Very straightforward.

    See following docs:
    Network configuration: https://wiki.openwrt.org/doc/uci/network
    Switch Documentation: https://wiki.openwrt.org/doc/uci/network/switch
    Wireless Documentation: https://wiki.openwrt.org/doc/uci/wireless
    Recipe: Configuration of a guest WLAN: https://wiki.openwrt.org/doc/recipes/guest-wlan

    You don't need to study each option in detail, but it should tell you enough about the interconnections between a network, the switch, VLANs and WLANs. Since this is basic Linux structure, everything also applies in principle to DD-WRT, although the latter uses NVRAM syntax to achieve the same.
    Thanks very much for the quick and detailed response. Will report back with my progress and hopefully (fingers crossed) success.

  15. #30
    Have managed to set up the router, however when it came to the swconfig file, have come to an impasse. I'm using WinSCP to view it, however, in its present form it is gibberish.


    See attached.
    There must be a process that must be done before it is viewable and editable.

    [Image: swconfig.jpg]


 
