Another vlan topic, cuz i am so bad at them

so with how i (and with help from psherman) set up vlans it's rock solid, but i've been trying to make a new vlan/network for just me and myself, to have network adblock that wouldn't make other people in the house mad. could somebody lend me a hand with setting this up correctly on my dumb AP?

the dumb AP (nanoPi r5c) gets internet from a managed switch with vlans already configured, correctly i believe

What is currently setup on the AP? Have you created the new VLAN on the main router?

It has been created on the main router with also dhcp

current AP setup is default dumb AP setup, one LAN interface with br-lan and just LAN firewall zone

Let's see the configs from each of the devices:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Main Router:

root@Cudy:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "Cudy",
        "system": "ARMv8 Processor rev 4",
        "model": "Cudy WR3000 v1",
        "board_name": "cudy,wr3000-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@Cudy:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fc00:dead:beef::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '64'
        option ip6weight '145'
        option delegate '0'
        option ip6ifaceid '::1'
        list ipaddr '10.0.0.1/24'
        list dns '127.0.0.1'
        list dns '0::1'
        option dns_metric '20'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username '**'
        option password '**'
        option ipv6 'auto'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option dns_metric '50'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        option dns_metric '55'

config interface 'WAN_MGMT'
        option proto 'static'
        option device 'wan'
        list ipaddr '10.0.1.2/30'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan3:u'

config interface 'Guest'
        option proto 'static'
        option device 'br-lan.3'
        option delegate '0'
        list ipaddr '10.0.2.1/24'
        list dns '127.0.0.1'
        list dns '0::1'

config interface 'DomNetwork'
        option proto 'static'
        option device 'br-lan.4'
        list dns '127.0.0.1'
        list dns '0::1'
        list ipaddr '10.0.3.1/16'

root@Cudy:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wifi'
        option channel '7'
        option band '2g'
        option country 'CZ'
        option htmode 'HE20'
        option cell_density '0'
        option txpower '20'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/18000000.wifi+1'
        option band '5g'
        option channel '52'
        option htmode 'HE80'
        option txpower '15'
        option country 'CZ'
        option cell_density '0'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid '***_Host'
        option encryption 'none'
        option isolate '1'
        option ifname 'WiFi-Guest-2.4'
        option network 'Guest'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid '***_Host'
        option encryption 'none'
        option isolate '1'
        option network 'Guest'
        option ifname 'WiFi-Guest-5'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid '***'
        option encryption 'psk2+ccmp'
        option key '***'
        option network 'lan'
        option ifname 'WiFi'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid '***'
        option encryption 'psk2+ccmp'
        option key '***'
        option ieee80211w '1'
        option network 'lan'
        option ifname 'WiFi2'

root@Cudy:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'home'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option dhcpleasemax '254'
        option dnsforwardmax '254'
        option boguspriv '0'
        option sequential_ip '1'
        option allservers '1'
        list address '/cudy.home/10.0.0.1'
        list server '0::1#5453'
        list server '127.0.0.1#5453'
        option noresolv '1'
        option strictorder '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '254'
        option leasetime '24h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option preferred_lifetime '24h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'SDG'
        option ip '10.0.0.10'
        list mac '20:68:9D:C2:FA:C1'

config host
        option ip '10.0.0.44'
        option name 'GarazMonitor'
        list mac '90:31:4B:35:2B:F4'

config domain
        option name 'Studio'
        option ip '10.0.0.93'

config domain
        option name 'PergolaAP'
        option ip '10.0.0.92'

config domain
        option name 'Garaz'
        option ip '10.0.0.91'

config domain
        option name 'pcrgb'
        option ip '10.0.0.20'

config domain
        option name 'cetin'
        option ip '10.0.1.1'

config host
        option ip '10.0.0.46'
        option name 'Loznice'
        list mac '60:DC:81:F0:03:3B'

config domain
        option name 'nabijecka'
        option ip '10.0.0.70'

config domain
        option name 'StreamPi'
        option ip '10.0.0.80'

config domain
        option name 'tiskarna'
        option ip '10.0.0.30'

config domain
        option name 'switch'
        option ip '10.0.0.5'

config dhcp 'Guest'
        option interface 'Guest'
        option start '2'
        option limit '254'
        option leasetime '12h'

config host
        option ip '10.0.0.50'
        option mac '0C:F0:B4:40:5E:7A'
        option name 'Pergola'

config dhcp 'DomNetwork'
        option interface 'DomNetwork'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option netmask '255.255.0.0'
        option ignore '1'

root@Cudy:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NAS'
        option src 'wan'
        option src_dport '445'
        option dest_ip '10.0.0.180'
        option dest_port '445'

config zone
        option name 'mgmt'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'WAN_MGMT'

config forwarding
        option src 'lan'
        option dest 'mgmt'

config forwarding
        option src 'mgmt'
        option dest 'lan'

config nat
        option name 'NoNAT'
        option family 'ipv6'
        list proto 'all'
        option src 'lan'
        option target 'ACCEPT'

config forwarding
        option src 'mgmt'
        option dest 'wan'

config rule
        option name 'DNS-WAN-BLOCK'
        option dest 'wan'
        option target 'REJECT'
        option src '*'
        option dest_port '53'

config rule
        option name 'Block-MGMT'
        option src 'lan'
        option target 'DROP'
        list proto 'all'
        list dest_ip '10.0.1.2'
        list dest_ip '10.0.2.1'

config zone
        option name 'GuestZone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'

config forwarding
        option src 'GuestZone'
        option dest 'wan'

config rule
        option name 'Vlan3-DHCP-DNS'
        option src 'GuestZone'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config zone
        option name 'DomNetwork'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'DomNetwork'

config forwarding
        option src 'DomNetwork'
        option dest 'lan'

config forwarding
        option src 'DomNetwork'
        option dest 'mgmt'

config forwarding
        option src 'lan'
        option dest 'DomNetwork'

config forwarding
        option src 'mgmt'
        option dest 'DomNetwork'

config forwarding
        option src 'DomNetwork'
        option dest 'wan'

Studio Dumb AP:

root@Studio:~# ubus call system board
{
        "kernel": "6.6.47",
        "hostname": "Studio",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R5C",
        "board_name": "friendlyarm,nanopi-r5c",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r27208-cf765b1be6",
                "target": "rockchip/armv8",
                "description": "OpenWrt SNAPSHOT r27208-cf765b1be6"
        }
}
root@Studio:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config device
        option name 'eth0'
        option macaddr '56:2d:84:e4:ec:09'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '10.0.0.93/24'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

config device
        option name 'eth1'
        option macaddr '56:2d:84:e4:ec:08'

root@Studio:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/fd000000.usb/xhci-hcd.1.auto/usb7/7-1/7-1:1.0'
        option band '5g'
        option channel '36'
        option htmode 'HE40'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '***'
        option encryption 'psk2+ccmp'
        option ifname 'Wi-Fi2'
        option disassoc_low_ack '0'
        option key '***'
        option ieee80211w '1'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '3c0000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '149'
        option htmode 'HE160'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '***'
        option encryption 'psk2+ccmp'
        option ifname 'Wi-Fi1'
        option skip_inactivity_poll '1'
        option disassoc_low_ack '0'
        option key '***'
        option ieee80211w '1'
        option ocv '0'

root@Studio:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@Studio:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

Your main router has a lot of stuff going on, too much for me to review exhaustively. There are a lot of things that look questionable or unusual,
but I don't have the ability to go through everything at this time. However, I did notice some errors and I have a few questions and comments.

Why did you have the ipv6 weight, ip6ifaceid, DNS, and dns_metrics added to the lan network?

The DNS entries don't do what you would expect here... it's not really useful to add them here. But a major problem exists in that you've got a /16 defined. This should be a /24, based on your other networks.

Your limit is wrong here, causing the DHCP server to be invalid. The DHCP pool is:

start to (start + limit - 1)

That means that when the start is 100 on a /24, the max value of limit is 155.

It is also incorrectly set on your guest network.

On your new DomNetwork, the DHCP server is disabled, and you have a netmask line in the DHCP server config that needs to be removed (it is unnecessary, and the value is wrong):

Your firewall has a lot of extra rules -- I haven't gone through to see what is useful/necessary vs what might be incorrect or unusual. But you also have a management network that seems unusual and unnecessary... So there's a lot in there that maybe should be reconsidered.

That said..


On your AP, you'll set up bridge VLANs and then some unmanaged networks. This assumes eth0 is used to connect to the upstream network:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'
        list ports 'eth1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'
        list ports 'eth1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'eth0:t'

Now edit the lan network to use br-lan.1:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '10.0.0.93/24'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

And set up 2 unmanaged interfaces:

config interface 'guest'
        option device 'br-lan.3'
        option proto 'none'

config interface 'DomNetwork'
        option device 'br-lan.4'
        option proto 'none'

Now you can setup wifi SSIDs against the respective networks.

for the metrics and ipv6 stuff, i was battling against router advertisements from my google nest devices, which are sending RAs, so i wanted my ULA ipv6 RA to be the main one instead of the RA from the google devices.

also this AP won't do a Guest network because the USB wifi stick i have in my nanoPi r5c (mt7921au) can't do multiple ssids.

What i want to do is for this dumb AP to have 2 vlans: Vlan4, which is my DomNetwork, where i will have adblock for my pc and VR wi-fi, and Vlan1, which is my main LAN, for my second Wi-Fi radio which is for other devices. I want Vlan4 to see vlan1 devices and vice versa, and to grab dhcp from vlan1.

Also, what makes my dhcp pool invalid? from my knowledge a /24 network is 255.255.255.0, which makes 254 available addresses. i use my main LAN as 10.0.0.1-10.0.0.99 for static ip addresses and the rest of the network (10.0.0.100-10.0.0.254) for dhcp. how come i can only have 55 ip addresses for dhcp?

Oh wait. disregard, i think i understand what you mean on the dhcp pool. i completely misunderstood the limit meaning in this scenario.

Ok. Well all you need to do is set the single network (vlan4) and the associated ssid.

Devices connecting to each other is a function of the firewall allowances on the main router. That is easy as long as the forwards are in place.

But no, it will use its own dhcp server. It cannot use the dhcp from vlan 1 because it is on a different subnet.

You can have all 155 addresses. The limit is the size of the dhcp pool, not the last address.

updated diagram for understanding. i want eth1 to carry vlan4 as well, so my pc can be on DomNetwork

Hey, you available?

Sorry, I missed this part earlier.

Sure...

Remove eth1 from VLAN 1, so it will look like this

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'

Then add eth1 to VLAN 4:

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'eth0:t'
        list ports 'eth1:u*'

Reboot and it should do what you want.

Alright, done that.

I am encountering a weird issue where my pc is getting dhcp from VLAN1 (the 10.0.0.x/24 network) instead of VLAN4 (the 10.0.3.x/24 network), and i can't access my dumb AP anymore.

I can access the main router, but it can't ping my dumb AP.


Please draw a complete topology diagram that includes all of the infrastructure devices, the ports, VLANs and IP addresses for each. This will help me understand the complete picture of your physical setup so we can then review the configs with all the context.

this should be pretty much it:

IP addresses i am aware of:

Bridge Modem: 10.0.1.1

Main Router: 10.0.0.1

managed switch: 10.0.0.5

studio AP: 10.0.0.93

Garden AP: 10.0.0.92

Garage AP: 10.0.0.91
Vlan1 = 10.0.0.X/24 network

Vlan3 = 10.0.2.X/24 network

Vlan4 = 10.0.3.X/24 network

Ok... so everything is working except for the branch that goes to the studio, correct?

Let's look at the port on the managed switch that connects to the studio AP.

That is correct.
the switch: