I have a Cisco Catalyst 3560-E switch that is new to me and is my first managed switch.
I have the following VLANs set up on the switch:
VLAN10 - OpenWRT only network, this is plugged in from port 47 on the switch to eth0 on my "router" (raspberry pi 4)
VLAN20 - DD-WRT only network (can be ignored for this, but for context)
VLAN30 - Combination of VLAN10 and VLAN20, able to access intranet devices on both while getting IP address from VLAN10
Right now I am just trying to get VLAN10 and VLAN30 set up on the OpenWRT router to make sure devices connected to VLAN10 and VLAN30 on my switch are able to connect to the OpenWRT router. Then I will worry about getting VLAN20 added and being able to access the devices on that subnet.
Here is my current port configuration on the Cisco switch:
When connected to a VLAN10 port I get a DHCP address and am able to access the router and internet.
When connected to a VLAN30 port I do not get a DHCP address and am not able to access the router or internet. Tried with a static address with no change.
I am brand new to OpenWRT, managed switches, and networking in general, so please go easy on me.
Let me know what I'm missing or if I need to provide any more information that may be helpful.
You've got eth0.10 used here and on br-lan. If you're using the Pi's wifi, you need to use br-lan as the lan device. If not, remove eth0.10 from br-lan.
Meanwhile, as for VLAN30, how are you connecting to this network? Do you have an access port defined on the switch (i.e. VLAN 30 untagged + PVID/default/native)? This is required.
Next, where is the DHCP server for VLAN 30? Is the OpenWrt Pi the router/DHCP server for that VLAN, or is there some other device on VLAN 30 that is handling routing and/or DHCP server functions?
If it is the Pi, let's see the rest of the relevant files:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/dhcp
cat /etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

As for how I am connecting to VLAN30, I just have a trunk port on the switch that has VLAN 10 and 30 allowed. I only have 2 Ethernet ports available on the Pi (built-in eth0 is connected to the switch on the trunk port, USB eth1 is connected to wan), so if I need an access port for VLAN30 untagged would I need to get another USB NIC?
Delete this (you've got another DHCP server defined right below it -- leave that one in place since it is correct and properly case-sensitive):
You don't have vlan 30 associated with a firewall zone. For now, add it to the lan zone:
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vlan30'

No -- you need to configure your switch accordingly.
The port on the switch that connects to the Pi currently has VLANs 10, 20 and 30 trunked.
The Pi has VLANs 20 and 30 defined.
If you want to connect to VLAN 30, you need to configure another port on your switch to carry VLAN 30 untagged and PVID. Then you plug a computer into that port and it should get an address on VLAN 30.
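
A way to check for the missing zone membership pointed out above, as an added example that is not part of the original posts: it parses UCI text and lists every interface in /etc/config/network that no firewall zone claims, which is the state the vlan30 interface was in. The network sample and its device names (br-lan, eth0.30, eth1) are constructed assumptions; the zone names and interface names come from the thread.

```python
import shlex

# Constructed sample of /etc/config/network (device names are assumptions).
NETWORK = """
config interface 'lan'
    option device 'br-lan'
config interface 'vlan30'
    option device 'eth0.30'
config interface 'wan'
    option device 'eth1'
"""
# Zone sections as posted in the thread (rules and policies omitted).
FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
"""

def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options': {key: [values]}}."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quotes and '#' comments
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            name = tok[2] if len(tok) > 2 else None  # anonymous sections have no name
            sections.append({"type": tok[1], "name": name, "options": {}})
        elif tok[0] in ("option", "list") and len(tok) >= 3 and sections:
            sections[-1]["options"].setdefault(tok[1], []).extend(tok[2:])
    return sections

def unzoned_interfaces(network_text, firewall_text):
    """Return interfaces from the network config that no firewall zone lists."""
    zoned = {name
             for s in parse_uci(firewall_text) if s["type"] == "zone"
             for value in s["options"].get("network", [])
             for name in value.split()}  # also accepts "option network 'a b'"
    ifaces = [s["name"] for s in parse_uci(network_text)
              if s["type"] == "interface" and s["name"]]
    return [i for i in ifaces if i not in zoned]

print(unzoned_interfaces(NETWORK, FIREWALL))
```

An interface reported here is handled by the `config defaults` policy rather than by any zone's policy.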
When I plug my computer into port 13 on the switch, which is in access mode to VLAN 30, I don't get an IP address and have no connection. Static still does not work.