Access LAN From VLAN

I am currently looking at potentially replacing my DD-WRT router(s) with OpenWRT so I've been starting to play around with OpenWRT on an old router to get more comfortable with OpenWRT and as a platform to learn more about networking/routing/firewalls.

I am trying to achieve the following:

  • Use 3 ports as a 3 port switch for my primary home network (192.168.0.0/24)
  • Use 1 port as a VLAN with a dedicated DHCP range (10.0.0.0/24)
  • WAN port is not used
  • Devices connected to the VLAN should be able to access both LAN and internet resources

I have the VLAN and dedicated DHCP range set up and working, but I am running into problems being able to have devices connected to the VLAN be able to access the internet. Here is the firewall rule that I currently have set up:

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'VLAN'
        option forward 'ACCEPT'
        option masq '1'
        option network 'VLAN'

config forwarding
        option dest 'lan'
        option src 'VLAN'

Shouldn't this double NAT devices on my VLAN and allow access to both LAN and internet resources? I also played around with SNAT and static routes, but couldn't get this to work.

From those devices:

ip a; ip r
nslookup google.com
traceroute 8.8.8.8
root@partedmagic:~# ip a; ip r
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 94:10:3e:b7:f3:41 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.111/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::9610:3aff:ffb8:f330/64 scope link 
       valid_lft forever preferred_lft forever
default via 10.0.0.1 dev eth0 
10.0.0.0/24 dev eth0  src 10.0.0.111  metric 1 
127.0.0.0/8 dev lo 
root@partedmagic:~# nslookup google.com
Server:    10.0.0.1
Address 1: 10.0.0.1 OpenWrt.<mydomain>

Name:      google.com
Address 1: 216.58.218.238 iad23s40-in-f14.1e100.net
Address 2: 2607:f8b0:4004:804::200e iad30s07-in-x0e.1e100.net
root@partedmagic:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  OpenWrt.<mydomain> (10.0.0.1)  1.211 ms  0.419 ms  0.399 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *

Busted out my old laptop with a live disk just in case Linux in ChromeOS containers mucks things up :wink:

Highly recommend staying with a convention of only lowercase for network names.

Set masq and mtu_fix on the destination zone of a NAT/forward. See the default setup with lan and wan.
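The following is an added example of what the reply above describes, not the poster's or the OpenWrt project's own configuration. It assumes, as the original post states, that the WAN port is unused and the route to the internet runs through the lan zone's upstream router, so that is the zone that needs masq and mtu_fix; the example also uses the lowercase zone/network name 'vlan', which assumes the matching 'config interface' in /etc/config/network is renamed the same way.

```uci
# /etc/config/firewall  (added example; assumes 'lan' is the path upstream
# because the WAN port is unused, and that the network is named 'vlan')

config zone
        option name 'vlan'
        option network 'vlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'      # only governs traffic between networks inside this zone
        # no 'masq' here: NAT belongs on the zone the traffic leaves through

config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'              # NAT everything leaving via lan toward the upstream router
        option mtu_fix '1'           # clamp TCP MSS on the NAT path

config forwarding
        option src 'vlan'
        option dest 'lan'
```

Inter-zone traffic is controlled by the 'config forwarding' sections, not by a zone's own 'forward' option, so with only the vlan-to-lan forwarding present, connections can be initiated from the VLAN toward the LAN and the internet while connections initiated from the LAN into the VLAN are not forwarded (replies to VLAN-initiated connections still pass through connection tracking). Apply the change with '/etc/init.d/firewall restart' and verify from a VLAN host that 'traceroute 8.8.8.8' now shows hops beyond 10.0.0.1.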


That did the trick! Thanks!
