DD WRT dual SSID Access Points using vlans – Routers with gigabit switches

Main thing to bear in mind when setting up these devices is that conceptually the wifi AP needs to seen as quite separate from the setting up of the switch for the vlans etc. So the creating of the vlans etc is one job, the assigning the various APs to subnets, with bridging, is another.

Having used E1000 APs for some time (100mbit switch, single 2.4ghz G wifi ap), this post develops on that by utilizing gigabit based switches. Linksys/Cisco hardware used for this so far:
E2000 1000mbit switch, single, selectable 2.4ghz or 5.0ghz N wifi ap
WRT610n v2 1000mbit switch (aka E3000), dual 2.4ghz and 5.0ghz N wifi ap

Here’s my set up of: Linksys-Cisco E2000 (and explanatory recap on the command lines settings needed).

When initially flashed with DD WRT (small build tailored to exact model needed before upgrade to a full build needed btw):

telnet IP
from within the subnet to access CLI of the router

root@megstemp:~# nvram show | grep vlan.*ports
vlan2ports=0 8
vlan1ports=4 3 2 1 8*


Explanation:

So, 2 vlans: 1 is for lan – main ports (1-4, numbering reversed). 2 is for wan, port 0. The CPU internal port, 8, must be included on any VLAN that must be visible to the CPU. The asterisk (*) signifies that the VLAN it is attached to is the default VLAN (only put this in one VLAN). If the switch receives a packet on the CPU internal port that is not tagged then it is put into the VLAN where the * is configured; always make sure this is the LAN VLAN.

root@megstemp:~# nvram show | grep port.*vlans | sort
size: 28660 bytes (32780 left)
port0vlans=2
port1vlans=1
port2vlans=1
port3vlans=1
port4vlans=1
port5vlans=1 2 16


Explanation:

The port#vlans variables contain a list of VLAN’s that the port is in. The variables control what the GUI displays. ports 0-5 relate to the 6 port switch which virtually all these router devices contain – 5 physical external ports plus the ‘internal’ port ‘hardwired'(?) on the processor chip.

The port5vlans is a bit odd. It corresponds to the internal port regardless of whether you have 100mbit or gigabit ports. ie. gigabit models do not have a port8vlans variable. It is also essential to set it correctly if you are enabling additional VLAN’s. It must be set to include every active VLAN and be tagged because it tag-trunks everything into the CPU internal port.

The =numbers above mean the following in the GUI:

0 = VLAN 0 is checked
1 = VLAN 1 is checked

15 = VLAN 15 is checked
16 = Tagged is checked
17 = Auto-Negotiate is unchecked
18 = 100 Mbit is unchecked or greyed because Auto-Negotiate is checked
19 = Full-Duplex is unchecked or greyed because Auto-Negotiate is checked
20 = Enabled is unchecked.

802.1q VLAN Trunk:
For every VLAN that you want to be trunked you must put the trunk port into the VLAN and add a “t” after the port number to indicate that it will be tagged.

A “t” after a port number means to tag the VLAN ID using 802.1q spec.

Application of above:

The example here will:
1. make the wan port and port1 trunked ports for vlans 1,12,13 (all tagged vlans)
2. make port 2 an untagged port for vlan1
3. make ports 3 and 4 untagged ports for vlan12


nvram set vlan1ports="0t 1t 2 8*"
nvram set vlan12ports="0t 1t 3 4 8"
nvram set vlan13ports="0t 1t 8"

[note: running this set command does not change what shows in the gui!]

nvram set port0vlans="1 12 13 16 18 19"
nvram set port1vlans="1 12 13 16 18 19"
nvram set port2vlans="1 18 19"
nvram set port3vlans="12 18 19"
nvram set port4vlans="12 18 19"
nvram set port5vlans="1 12 13 16"

[use the above set command to update the gui in line with port/vlan settings]

If the additional vlans haven’t already been created ‘declare’ them:
nvram set vlan12hwname=et0
nvram set vlan13hwname=et0

nvram commit
reboot

Setting up the bridging:
For the two vlans 12 and 13 we need the DD WRT AP to keep them in different subnets. The settings in the Setup–> Networking –> Bridging –> Create Bridge seem a bit fiddly. After creating you need to press ‘Apply Settings’ (NOT ‘Save’) using the buttons at the bottom of the gui page. Only by doing this do the IP address and Subnet Mask for the new bridge appear.(?) Add the IP addresses etc.
Next, assign the interfaces to the bridges. eth1 is (I think) the primary wifi IF, this has usually been used with SSID Methodist_inhouse, on the ’12’ vlan/subnet. Bridge this to vlan12. wl0.1 is a virtual IF that is created when adding wireless ‘virtual interfaces’, so wl0.1 is bridged to vlan13.

Other DD WRT General/Various settings:
Security –> Firewall –> Firewall Protection –> SPI ‘Disable’

WAN Connection type: Disabled

Assign WAN port to switch: yes

Advanced Routing –> Operating mode = router. These switches are not internet gateways.

DHCP – I’m unclear whether I’m doing this right. I have set DHCP to ‘forwarder’ on the main settings page, but I get the impression this only relates to vlan1. DHCP for all three vlans is via these routers is coming from the pfsense router so in that sense it works OK. I note in this e2000 there are additional

DD WRT dual BSSID wireless Access Point

So after weeks of reading DD-WRT forums about how to do this, I’m still struggling.

AIM: Setup a pfsense router with (at least) three subnets:
1. office LAN, wired
2. public wifi, controlled using pfsenses captive portal
3. inhouse wifi, routed to main LAN, WPA2, authorised users only

I’m pretty au faith with how all the above works; the challenge is using a cisco router (E1000), flashed with DD WRT firmware, as the dual BSSID wifi AP.
From reading this is possible and I’ve got the two wifi networks working, but only over the same subnet (bearable, but not as secure as separate subnets)

I’m complicating the matter by wanting to only run one network cable to the AP to send the traffic of both wifi subnets. This is possible using VLAN taggging/trunking, both at the pfsense end and via my 802.1q spec switch (a Dlink DGS-1224t)

Learning point/Question 1. On the switch VLAN-trunking is different than port trunking! The latter is link aggregation. Some people indicate I might be complicating things for myself if I have both tagged and untagged subnets down the same vlan-trunk; might be better to only send tagged traffic down same vlan-trunk. TRUE??

Learning point/Question 2. I’ve slowly learnt that the hardware of routers uses vlan tagging and bridges internally to make them work. Any tagging I do has to not clash with the internal workings of the router (aka my AP). I’m hoping that

Learning point/Question 3. Because I thought it’d be simpler (ha) to have the three subnets out of the pfsense router going to three ports in different vlans, I originally intended to have that traffic untagged, as per this:

Dlink DGS-1224t switch vlans

Part 3.
OK I think I got the vlans basically doing what I wanted. NEXT, how to tag the vlans so I can  trunk two subnets from the cisco AP back to the switch. I wonder if having the DHCP ‘feeds’ to these two subnets from my router (pfsense) on two physical NICs is going to be possible/sensible. Maybe I need to trunk those two subnets on vlans right from the pfsense router, as well as from the switch to the AP??

I’ve set port 18 as trunking and made the two vlans overlap on it. hmmm. What’s the tagging number?

Nb. I now have the management on a separate subnet

Part 2.
OK A little progress! With these settings I’m getting IP addresses DHCP’d to a client as I would expect, with the respective DHCP servers plugged into the first port of each vlan group (from the router).

What’s the purpose of the management vlan in my case though – if vlan one subnet = the IP address of the device should I dispense with it? Otherwise it just seems to be wasting a port and means I can’t get to the device unless I plug into port1??

192.168.11.254 = IP of device
vlan1 = management-lan – cannot be deleted. at least one portVID must be in VID1, i’ve elft that as port1
vlan11 = dhcp server for 192.168.11.x
vlan21 = dhcp server for 192.168.21.x
vlan31 = dhcp server for 192.168.31.x

Part 1.
What am I doing wrong with this thing?

the 3 vlans, 11,21,31, correspond to three subnets on my router, all serving dhcp. I’ve tried (I think) to remove most and all ports from vlan1 (management), but it won’t allow that?? but I thought  ports could be in two vlans anyway?

I assumed that ports 1-12 would give a 192.168.11.x IP, 13-18 a 192.168.21.x address and the last 6 a 192.168.31.x IP, but that isn’t happening, bizarly i occasionally get a 192.168.31.x address for a laptop on port 2!