1st OpenWrt with a single port, 2nd OpenWrt as switch/AP, setting up VLANs and firewall

Hello, I am trying to virtualize my main OpenWrt gateway on a host PC with a single Ethernet port, for the purpose of saving space and avoiding cable clutter.

My current set up is this:

ISP modem --- main OpenWrt gateway --- 2nd OpenWrt as access point --- other access points.
This is a very simple setup, with no explicit VLAN settings required.

Since I have a PC that will be hosting several other VMs, I am thinking of putting my OpenWrt gateway into a VM as well, to save space.

First of all, I am aware of the option of adding a second NIC to my host PC. A solution like this is relatively simple, again without the need for explicit VLAN use. The reason I am trying to avoid it is that it will need two cables running to the host PC. In my apartment, all the wall Ethernet sockets are quite far apart. So of the two cables to the host PC, at least one will be exposed outside the wall for some distance, making the scene ugly.

For the above reason, I am thinking of an alternative:

ISP modem --- 2nd OpenWrt with 2 VLANs (one for LAN and wireless, one for modem) --- 2 VLANs on a single port to VM host (from the perspective of the virtualized OpenWrt gateway, one interface to LAN, one to modem)

Thus for the 2nd OpenWrt, my plan is to assign all 5 ports to a bridge; assign ports 2, 3, 4 to the LAN VLAN, for example vlan2, all untagged; assign port wan to the modem VLAN, for example vlan3; assign port 1 to vlan2 untagged (regular LAN) and vlan3 tagged (for modem).

The idea is that on port 1, which connects to the host PC, LAN traffic runs untagged and modem traffic runs tagged on vlan3.

I guess this alternative "single cable with VLAN" setup is theoretically viable, based on my reading of VLAN concepts.

However, I am not sure what I should do with the firewall settings on the 2nd OpenWrt that works as a managed switch + wireless AP. Should I assign the modem VLAN to a separate interface and set input, output, and forwarding policies? Or just leave the whole thing out of any firewall setting?

FYI, I tested adding a dumb switch between the modem and the 1st OpenWrt gateway. It worked. So connecting to the modem via a switch is doable. The scheme is:

ISP modem --- dumb switch --- main OpenWrt gateway --- 2nd OpenWrt as access point

Using an unmanaged switch is not recommended when you are working with VLANs. It does appear that your device is passing tagged frames without issue, but since an unmanaged switch is not designed for VLANs and thus the behavior is undefined, you could run into issues at some point.

Meanwhile, I'm not sure how this saves space in your setup... and performance might not be great (depending on the speed of your internet connection and the bandwidth that will be used by your various VMs)... but in broad strokes, yes, you can do a 1-wire router where the LAN and WAN are carried using VLANs.

Thanks for the comment, psherman.

The test with the dumb switch was just to see whether the OpenWrt-to-modem connection needs to be direct or not. In my VM environment, the traffic will generally go through various software bridges. So this was just to make sure that adding a bridge between the modem and OpenWrt is OK. It will be replaced with the software bridge carrying vlan3 in the VM host.

My question is mainly about the settings of my 2nd OpenWrt, on which I plan to use VLANs as described in the first post:

ISP modem --- 2nd OpenWrt with 2 VLANs (one for LAN and wireless, one for modem) --- 2 VLANs on a single port to VM host

There are many guides on VLANs, mostly about segregating a private LAN from an IoT or guest network. In my case, one VLAN will be for gateway-modem traffic, and I am not sure what to do with the firewall policies for it.

As for performance, right now my internet connection is 300 Mbps, so a gigabit port is probably fine.

In some way, what I am trying to do is analogous to this YouTube video. The main difference is that I plan to use my 2nd OpenWrt as the managed switch, instead of adding a separate one, hence the question on firewall settings in OpenWrt.

On the device that is operating as a switch, you typically will have the switch configuration (either swconfig or DSA based) such that the VLANs are switched through, but for the WAN, you don't even need to include the CPU on that VLAN... without a CPU connection, it will not even interact with the firewall, so you don't need to setup any special firewall settings.

Thanks, Peter. I am currently using version 21.02, with DSA. The CPU part probably only shows up in swconfig versions, but not DSA. But even for swconfig, my understanding was that all VLANs are supposed to be tagged on the CPU port?

Here is my current setting. The bridge is set up as follows, with all switch ports (lan + wan) included:
[Screenshot 2022-07-13 092340: bridge device configuration]

And the VLANs (lan1 & wan in the VLAN for the modem, lan1-4 in the VLAN for the LAN) as:

Resulting devices page:
[Screenshot 2022-07-13 092813: resulting devices page]

In that case, just make the protocol "none" ("unmanaged") for the VLAN that is switching the WAN through (and don't 'connect' it with this device's wan network), and do the same for any other networks aside from the management network. The only network that needs an address is the one that is used for managing the device itself.

Am I right to understand that for "unmanaged" interfaces, the firewall is irrelevant? In other words, the firewall is for IP traffic only (L3). For an unmanaged interface with a VLAN bridge or regular bridge, OpenWrt is only dealing with L2 traffic for the couple of ports involved in that bridge, and L2 traffic is unaffected by any firewall settings?

Correct. The firewall operates at L3, and an unmanaged interface has no connection to the L3 functions (routing/firewall). Therefore, if a network is unmanaged, the firewall is irrelevant.

To report back, I think I got it working, with some tweaks. The wireless router I am using is a Netgear R6220. Somehow with v21 of OpenWrt, I tend to lose DHCP on wireless after a day, with VLANs configured. But with v19, the setup was usable, as:

Peter was correct on the CPU port. For my use case, because no forwarding is needed for vlan21, it is OK for it to be "off" on the CPU/eth0 port.
And since there is no need to even create an interface for this modem-specific VLAN, no firewall setting is needed.
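The switch-side configuration described in the first post and in Peter's advice (modem VLAN switched through with no CPU membership, LAN VLAN as the only managed network), written out as a DSA-style `/etc/config/network` for OpenWrt 21.02. This is an added example, not a config posted in the thread: the VLAN IDs (1 for LAN, 21 for the modem, following the report above), the port names `lan1`-`lan4`/`wan`, and the 192.168.1.0/24 addresses are assumptions, and `lan1` is the port that carries both VLANs to the VM host.

```conf
# /etc/config/network (added example, 21.02 DSA syntax; names and
# addresses are assumptions, not the original poster's values)

# One bridge holding every switch port, including the modem-facing one.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# VLAN 1 = LAN + wireless. Untagged/PVID on all four LAN ports.
# 'local' defaults to 1, so the bridge itself is a member and
# br-lan.1 exists for management and the wifi AP.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# VLAN 21 = modem. Untagged/PVID on the wan port (the modem sends plain
# frames), tagged on lan1 toward the VM host. local '0' keeps the CPU out
# of this VLAN: no br-lan.21 device, no interface, nothing for the
# firewall to touch; frames are only switched between wan and lan1.
config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	option local '0'
	list ports 'wan:u*'
	list ports 'lan1:t'

# The only network with an address: management of this AP on the LAN VLAN.
# DHCP/DNS is served by the virtualized gateway, so 'lan' is a static
# client and dnsmasq/odhcpd should be disabled on this box.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# No 'wan'/'wan6' interface sections: the wan port is purely switched.
```

Two checks worth doing after a reload: `bridge vlan show` must list VLAN 21 on `wan` (untagged, PVID) and `lan1` (tagged) only, with no `br-lan` self entry, and `ip link` must show no `br-lan.21`. If either appears, the CPU is still a member and untrusted modem-side frames would reach the AP's own IP stack. The LuCI equivalent of `option local '0'` is clearing the "Local" checkbox on the VLAN row.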

Glad to hear it is working!

If your problem is solved, please consider marking this topic as [Solved]. See "How to mark a topic as [Solved]" for a short how-to.

Another tweak in my testing was about the VLAN settings on my VM host.
I am using Proxmox 7.2-3. There are at least two ways of assigning VLANs. One is to make the bridge VLAN-aware, after which the interfaces of VMs can be set to tagged or untagged as needed, without explicitly creating new bridges. This solution worked well for IPv4. But for IPv6, somehow my PCs were taking a long time before getting IPv6 connectivity.
The second is the more traditional method: first creating tagged Ethernet connections, then creating bridges on those VLANs (as shown below). Using this traditional method, both IPv4 and IPv6 worked fine with the virtualized OpenWrt.
[Screenshot 2022-07-23 221912: Proxmox network configuration with per-VLAN bridges]
It is not clear to me why the VLAN-aware method was having issues with IPv6, but the old way of creating VLAN-specific bridges worked well.
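The "traditional" Proxmox layout from the post above (a tagged sub-interface per VLAN, each with its own bridge), as an added example in `/etc/network/interfaces` form rather than the screenshot. It is not the poster's file: the NIC name `enp3s0`, the host address 192.168.1.10/24, the bridge names and VLAN 21 as the modem VLAN are assumptions chosen to match the rest of the thread.

```conf
# /etc/network/interfaces on the Proxmox host (added example; interface
# names, addresses and VLAN ID are assumptions)

auto lo
iface lo inet loopback

# The single physical port. Untagged frames on it are the LAN VLAN.
iface enp3s0 inet manual

# vmbr0: untagged LAN. The host's own management address lives here,
# with the virtualized OpenWrt gateway (192.168.1.1) as default gateway.
auto vmbr0
iface vmbr0 inet static
	address 192.168.1.10/24
	gateway 192.168.1.1
	bridge-ports enp3s0
	bridge-stp off
	bridge-fd 0

# VLAN 21 = modem. A tagged sub-interface on the same port...
auto enp3s0.21
iface enp3s0.21 inet manual

# ...bridged on its own. 'inet manual' with no address: the host itself
# never has an IP on the modem segment, only the gateway VM does.
auto vmbr21
iface vmbr21 inet manual
	bridge-ports enp3s0.21
	bridge-stp off
	bridge-fd 0
```

The OpenWrt VM then gets two virtio NICs: `net0` on `vmbr0` (its LAN side) and `net1` on `vmbr21` (its WAN side), with no VLAN tag set on either, since the tagging is done by `enp3s0.21`. Keep `vmbr21` addressless; giving the host an address there would expose the hypervisor to the ISP-facing segment ahead of the gateway's firewall. The VLAN-aware alternative the poster tried first would instead be a single `vmbr0` with `bridge-vlan-aware yes` and `bridge-vids 2-4094`, and `tag=21` on the VM's `net1`.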

Some illustrations.

(1) The most common way: run the OpenWrt gateway on a PC with two Ethernet ports:

(2) Virtualize OpenWrt on a host PC with just one Ethernet port, using VLANs for LAN and WAN traffic.
