Adding a 3rd NIC to a router/firewall

Background: I use an RPi5 as my primary router/firewall. I have an old x86/64 mini PC that I configured as a backup, the idea being I can just swap it in for the RPi if it ever needs maintenance.

I want to set up a new interface via a USB NIC to the x86/64 box that can be used to simply ssh into the thing when the RPi is running. On the x86/64 box currently eth0 is the WAN setup and eth1 is for the LAN setup (connection to managed switch). I want to put a net interface, "usb-nic", on the new adapter eth2, set up as DHCP, so I can simply ssh into the box when both eth0 and eth1 are not connected (i.e. when the RPi is in use). This new interface needs to be on VLAN 10 and part of the "LAN" firewall zone.

What I tried that did not work: I created a new 802.1q device in LuCI which became eth2.10 and then I created a new interface using DHCP and assigned it to that device. This went terribly wrong. Even though the x86/64 was only connected via the USB NIC, it somehow started pushing IP addresses to clients on the network.

Below is /etc/config/network on the x86/64 (before the modification). How can I modify /etc/config/network to accomplish this?

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:692b:58dc::/48'
	option packet_steering '2'
	option steering_flows '128'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

config device
	option name 'br-lan.6'
	option type '8021q'
	option ifname 'br-lan'
	option vid '6'
	option ipv6 '0'

config device
	option name 'br-lan.7'
	option type '8021q'
	option ifname 'br-lan'
	option vid '7'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth1:t'

config device
	option type 'bridge'
	option name 'lxcbr0'
	option ipv6 '0'
	option bridge_empty '1'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask '255.255.255.192'
	option gateway 'xxx'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.9.7.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'homeoffice'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '10.9.6.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'iot'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'vpn'
	option device 'br-lan.6'
	option proto 'static'
	option ipaddr '10.9.4.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'vpn2'
	option device 'br-lan.7'
	option proto 'static'
	option ipaddr '10.9.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option auto '0'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'

It seems like the device name eth1 was assigned to the USB to Ethernet adapter during system boot.

Thanks for posting that. I will review but that seems likely. Is state of the art to fix this a hacky script? Seems like persistent Ethernet naming is a pretty core functionality.

The only way I am aware of is to use a hotplug script, as udev is missing in OpenWrt.

Thanks, I came across several options... do you happen to be using one that you can recommend?

So I booted several times with just the USB NIC connected to a cable and the order of the NICs was not scrambled. The USB NIC remained as eth2 all five times. So returning to my original question: why doesn't the following modification work (adding these lines to network shared above):

config interface 'usb'
	option proto 'dhcp'
	option device 'eth2.10'

config device
	option type '8021q'
	option ifname 'eth2'
	option vid '10'
	option name 'eth2.10'
	option ipv6 '0'

The new interface does not get an IP address.

My assumption was based on the statement that the usb dongle was assigning IP addresses when the interface should have been set as a DHCP client.

My apologies if I misunderstood something. Good luck.

eth2.10 makes the port send tagged packets, which a non-VLAN-aware device will not receive. Use just eth2 when connecting to a non-VLAN PC etc.

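
The difference between `eth2.10` and `eth2` on the wire, as an added example that is not part of the original thread: it builds the same IPv4 frame with and without an 802.1Q tag for VLAN 10 and shows what each looks like to a receiver. The MAC addresses and payload are constructed, and `plain_host_accepts` is a simplified model of a non-VLAN-aware receiver.

```python
import struct

TPID_8021Q = 0x8100                 # EtherType value that announces an 802.1Q tag
IPV4, ARP = 0x0800, 0x0806

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vid     # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vid or None, EtherType of the payload)."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return tci & 0x0FFF, inner
    return None, ethertype

def plain_host_accepts(frame):
    """Simplified model of a non-VLAN-aware receiver: it dispatches on the
    two bytes at offset 12 and has handlers for IPv4 and ARP only."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype in (IPV4, ARP)

# Constructed sample values (locally administered MACs, dummy payload).
DST = bytes.fromhex("02000000000a")
SRC = bytes.fromhex("02000000000b")
PAYLOAD = b"\x45" + bytes(45)

FROM_ETH2_10 = build_frame(DST, SRC, IPV4, PAYLOAD, vid=10)  # what eth2.10 emits
FROM_ETH2 = build_frame(DST, SRC, IPV4, PAYLOAD)             # what eth2 emits

if __name__ == "__main__":
    for label, frame in (("eth2.10", FROM_ETH2_10), ("eth2", FROM_ETH2)):
        print(label, frame[12:18].hex(), parse_frame(frame), plain_host_accepts(frame))
```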

I think you're right...

I switched it to a static without the 8021q.

config interface 'usb'
	option device 'eth2'
	option proto 'static'
	option ipaddr '10.9.8.7'
	option netmask '255.255.255.0'
	option delegate '0'

It only works however if I stop the lan interface and then restart it. Why?

ifdown lan
ifup lan

After that, I can ssh to 10.9.8.7.
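
A check worth running on a configuration like the one above, as an added example that is not part of the original thread: `usb` (10.9.8.7/24) and `lan` (10.9.8.1/24) are both statically addressed in 10.9.8.0/24, and when two interfaces claim the same prefix the route used for it can depend on the order in which they came up. The sample text is constructed from the thread's config sections, and the parser handles only the quoted `config`/`option` lines shown here.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: three static interfaces copied from the thread's configs.
SAMPLE = """
config interface 'iot'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'

config interface 'usb'
	option device 'eth2'
	option proto 'static'
	option ipaddr '10.9.8.7'
	option netmask '255.255.255.0'
"""

def static_networks(text):
    """Map interface name -> IPv4 network for every proto 'static' section."""
    nets, name, opts = {}, None, {}
    def flush():
        if name and opts.get("proto") == "static" and "ipaddr" in opts:
            addr = opts["ipaddr"]
            if "/" not in addr:      # separate netmask option, as in the thread
                addr += "/" + opts.get("netmask", "255.255.255.255")
            nets[name] = ipaddress.ip_interface(addr).network
    for line in text.splitlines() + ["config end"]:   # sentinel flushes last section
        if m := re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line):
            flush()
            name, opts = (m.group(2) if m.group(1) == "interface" else None), {}
        elif m := re.match(r"\s*option\s+(\S+)\s+'([^']*)'", line):
            opts[m.group(1)] = m.group(2)
    return nets

def overlapping(nets):
    """Return (iface_a, iface_b, network_of_a) for each overlapping pair."""
    return [(a, b, str(nets[a])) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    print(overlapping(static_networks(SAMPLE)))
```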