[Cerowrt-devel] Routed LANs vs WOL & Windows troubles

Toke Høiland-Jørgensen toke at toke.dk
Sun Apr 12 10:29:47 EDT 2015

Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk> writes:

> Yes please!

Right, well you can do it in two ways - depending on whether you want to
use the switch VLAN functionality (this is on the WNDR3800 - no idea
what the Archer has). I happen to have one box use the switch VLANs and
the other not, so both are included below:

This is all in /etc/config/network:

On the gateway device, I changed each of the sw* and gw* interfaces so
they use the VLANs:

config interface sw00
        option 'type' 'bridge'
        option 'ifname' 'se00.2'
        option 'proto'  'static'

The 'bridge' turns the interface into a bridge connected to the 'se00.2'
interface. The '.2' means 'use VLAN 2' on that interface, so in this
case, use VLAN 2 on the se00 interface. You need to use separate VLANs
for each of the interfaces you want to bridge in this way.

On this box, I then activate the switch VLAN functionality as follows:

config switch
        option name     rtl8366s
        option reset    1
        option enable_vlan 1
        option enable_vlan4k 1
        # Blinkrate: 0=43ms; 1=84ms; 2=120ms; 3=170ms; 4=340ms; 5=670ms
        option blinkrate        2
        option max_length 3

Note the 'enable_vlan' and 'enable_vlan4k' options - both are needed!

Then, modify the existing switch_vlan section:

config switch_vlan
        option device   rtl8366s
        option vlan     1
        option ports    "0 1 2t 3t 5t"
#       option ports    "0 1 2 3 5t"

The commented out option was the original setting. The 't' is for
'tagged', meaning that in this case, ports 0 and 1 are on VLAN 1
untagged (so traffic is considered to be part of VLAN 1, but no tags go
out on the wire), while ports 2 and 3 have VLAN tags on them (so the
equipment at the other end needs to understand them). Port 5 is the
internal port that the WNDR itself sees all the traffic on, so should
always be tagged.

Now, add a section for each additional VLAN that you want to use:

config switch_vlan
        option device   rtl8366s
        option vlan     2
        option ports    "2t 3t 5t"

Here I define VLAN 2 active on ports 2 and 3 with VLAN tags. I have
identical sections for VLANs 3, 4 and 5.

Finally, I have sections:

config switch_port
        option port 0
        option pvid 1

Which basically tells the switch that the default VLAN for port 0 is
vlan 1. I have those for ports 0 and 1, but not entirely sure they're
absolutely needed.

The above config (repeated appropriately for all the wireless interfaces
you want this to work for) should get your wireless interfaces set up to
be bridged with a VLAN each. No changes are needed in
/etc/config/wireless, as long as you keep the 'config interface sw00'
part the same.

Now, on the secondary AP, I use the WAN port as the VLAN-aware 'uplink'
port to the primary gateway, and I don't use the switch VLAN support. So
this config is a bit simpler, and may be applicable to your setup if you
don't have a hardware switch in your device (or just don't want to use

So what I do on the secondary AP is just, in /etc/config/network, set up
the bridging similar to on the primary AP:

config interface sw00
        option 'type' 'bridge'
        option 'ifname' 'ge00.2'

(again, repeat for all the sw* and gw* interfaces).

Make sure to match the VLAN number with what you had at the other end.
Also, I bridge the LAN ports with VLAN1:

config interface se00
        option 'ifname' 'se00 ge00.1'
        option 'type' 'bridge'

so anything connecting to the other side of the secondary AP will work
as though they're just on the LAN.

Also, on the secondary AP, I turn off all services (only ntpd, dropbear
and hostapd are running), and assign different IPs to the interfaces
(just add one to the last octet). The wireless config on the secondary
AP is identical to the primary, except I change the wireless channels to
minimise interference. If you're using PSKs for encrypted wifi, just use
the same key. If you're using WPA enterprise-type setups, just point the
secondary AP at the primary in the auth_server directive.

Hope the above explanation makes sense; if not, feel free to ask more
questions :P
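
Added example, not part of the original post: a small lint for the switch_vlan sections described above, to run before reloading the network config. It flags any VLAN where the CPU port (5 in the post, passed as an argument) is missing or untagged, and any other port that is untagged in more than one VLAN, which would merge segments that are meant to stay separate. The function names and the messages are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): lint switch_vlan sections.
# Usage: check_switch_vlans FILE CPU_PORT   (CPU port is 5 in the post)
check_switch_vlans() {
    awk -v cpu="$2" '
    function strip(s) { gsub(/["\047]/, "", s); return s }
    # Evaluate one finished switch_vlan section.
    function flush(   n, a, i, p, tagged, seen) {
        if (!in_vlan) return
        n = split(ports, a, " ")
        for (i = 1; i <= n; i++) {
            p = a[i]; tagged = (p ~ /t$/); sub(/t$/, "", p)
            if (p == cpu) {
                seen = 1
                if (!tagged) { print "vlan " vlan ": CPU port " cpu " untagged"; bad = 1 }
            } else if (!tagged) {
                # An untagged port can only belong to one VLAN.
                if (p in owner) { print "port " p ": untagged in vlan " owner[p] " and " vlan; bad = 1 }
                else owner[p] = vlan
            }
        }
        if (!seen) { print "vlan " vlan ": CPU port " cpu " missing"; bad = 1 }
    }
    $1 == "config" { flush(); in_vlan = (strip($2) == "switch_vlan"); vlan = "?"; ports = ""; next }
    in_vlan && $1 == "option" {
        key = strip($2)
        if (key == "vlan") vlan = strip($3)
        if (key == "ports") { ports = ""; for (i = 3; i <= NF; i++) ports = ports " " strip($i) }
    }
    END { flush(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the two switch_vlan sections shown in the post.
sample_config() {
    cat <<'EOF'
config switch_vlan
        option device   rtl8366s
        option vlan     1
        option ports    "0 1 2t 3t 5t"
#       option ports    "0 1 2 3 5t"

config switch_vlan
        option device   rtl8366s
        option vlan     2
        option ports    "2t 3t 5t"
EOF
}
```

On the router this would be called as `check_switch_vlans /etc/config/network 5`; it prints one line per finding and returns non-zero if there are any.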

