Assistance to create trunk with multiple vlans

currently my router's eth2 port has the following config in /etc/config/network

# Bridge device 'br-lan3' whose only listed port is eth2, MTU 1500.
config device
        option type 'bridge'
        option name 'br-lan3'
        list ports 'eth2'
        option mtu '1500'

# Logical interface 'lan3': static 192.168.4.1/24 on the bridge above.
# NOTE(review): the post says this config will be deleted when eth2 becomes a
# trunk. After removal, check /etc/config/firewall and /etc/config/dhcp for
# sections that still name 'lan3', so no stale zone membership or DHCP pool
# is left behind.
config interface 'lan3'
        option proto 'static'
        option device 'br-lan3'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

The current config will be deleted and replaced with the following.
I would like to change it to a trunk port with 4 VLANs (1000-1003). VLANs:
-VLAN 1000: IP 192.168.100.1/24, DHCPv4 50-199, lease time 2m, NO IPv6.
-VLAN 1001: IP 192.168.101.1/24, DHCPv4 50-199, lease time 2m, NO IPv6.
-VLAN 1002: IP 192.168.102.1/24, DHCPv4 50-199, lease time 2m, NO IPv6.
-VLAN 1003: IP 192.168.103.1/24, DHCPv4 50-199, lease time 2m, NO IPv6.

all of the VLANs should access the Internet via NAT to the WAN port.
No communication of the VLANs between them.

May i have some assistance on how to do that, please?

Pardon me, but do you struggle with something specific, or do you just want someone else to do your homework?

Everything you ask about is covered in the wiki and multiple times a day in the forum.

(If you don't do it on your own, or at least try a little to do it by yourself, how do you wanna learn something?)


i have up to now:
/etc/config/network:

# LAN bridge 'br-lan'; eth0 is its only listed port.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# 'lan': static 192.168.5.1/24 on br-lan.
# ip6assign '60' requests a /60 from any delegated IPv6 prefix for this network.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# 'wan': upstream port eth1, addressed by DHCP client.
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'


# 802.1Q VLAN device: VLAN ID 1000 tagged on parent port eth2, exposed as
# eth2.1000. ipv6 '0' turns IPv6 off on this device, in line with the
# "NO IPv6" requirement stated for the VLANs.
config device
        option type '8021q'
        option ifname 'eth2'
        option vid '1000'
        option name 'eth2.1000'
        option ipv6 '0'

# Same pattern for VLAN ID 1001.
# NOTE(review): the request lists VLANs 1000-1003, but only 1000 and 1001 are
# defined here; 1002 and 1003 still need their own device sections.
config device
        option type '8021q'
        option ifname 'eth2'
        option vid '1001'
        option name 'eth2.1001'
        option ipv6 '0'

# Gateway address for VLAN 1000: static 192.168.100.1/24 on eth2.1000.
# NOTE(review): neither Vlan_1000 nor Vlan_1001 appears in a 'list network'
# line of the firewall config posted with this. Until each is placed in a
# zone, its traffic should fall under the firewall defaults (input REJECT,
# forward REJECT), so clients would get neither DHCP/DNS from the router nor
# Internet access.
config interface 'Vlan_1000'
        option proto 'static'
        option device 'eth2.1000'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

# Gateway address for VLAN 1001: static 192.168.101.1/24 on eth2.1001.
config interface 'Vlan_1001'
        option proto 'static'
        option device 'eth2.1001'
        option ipaddr '192.168.101.1'
        option netmask '255.255.255.0'

and /etc/config/firewall:

# Global policies for traffic that no zone or rule matches: reject inbound
# and forwarded packets, accept packets the router itself sends.
# synflood_protect '1' enables SYN-flood protection.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Zone 'lan': trusted. Accepts input to the router, output, and forwarding
# between networks that are members of this zone. Only 'lan' is a member.
# NOTE(review): adding the VLAN networks to this zone would let them reach
# each other and 'lan' (forward ACCEPT), which contradicts the stated
# "no communication between VLANs" requirement. Isolation needs either one
# zone per VLAN or a shared zone with forward 'REJECT'.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Zone 'wan': untrusted upstream. Input and forward are rejected unless a
# rule below allows them. masq '1' enables NAT (masquerading) for traffic
# leaving through this zone; mtu_fix '1' enables MSS clamping.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# The only inter-zone forwarding: lan -> wan.
# NOTE(review): each VLAN zone needs its own forwarding section with dest
# 'wan' for Internet access, and none between VLAN zones or towards 'lan'.
# If a VLAN zone uses input 'REJECT', it also needs input rules for DHCP
# (udp 67) and DNS (port 53) so clients can still use the router's services.
config forwarding
        option src 'lan'
        option dest 'wan'
# Input rule (no 'dest'): accept IPv4 UDP to port 68 from wan, so the
# router's DHCP client on wan can receive replies and renewals.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Input rule: the router answers IPv4 ICMP echo-request (ping) from wan.
# NOTE(review): this makes the router discoverable by ping from upstream;
# keep it only if that is wanted.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Input rule: accept IPv4 IGMP from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
# Input rule: accept IPv6 UDP to port 546 (DHCPv6 client) from wan.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Input rule: accept MLD messages (ICMPv6 types 130, 131, 132, 143) from wan,
# restricted to link-local senders (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Input rule: accept the listed ICMPv6 types from wan to the router itself,
# rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward rule: dest '*' lets the listed ICMPv6 types pass from wan to any
# zone, rate-limited to 1000 packets per second.
# NOTE(review): "any zone" will include VLAN zones added later. The rule is
# IPv6-only, and the VLAN devices in the posted network config set ipv6 '0',
# so it should not reach them; confirm after adding the zones.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward rule: allow ESP (IPsec payload) from wan to hosts in the lan zone.
# NOTE(review): this and the next rule permit wan-initiated forwarding into
# lan. If no host in lan terminates IPsec, both can be removed to reduce what
# wan may forward. Neither names a VLAN zone, so they do not open the VLANs.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward rule: allow UDP port 500 (ISAKMP/IKE) from wan to the lan zone.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

The problems that I have are:
-The firewall config for the VLANs is missing: all of the VLANs should access the Internet via NAT to the WAN port, with no communication between the VLANs.
-DHCP for each VLAN is missing.

May I ask someone to check whether the above is OK, and how to fix the problems listed above?