Avoid Inter-VLAN Routing?

Ahoy friends.
Currently I've got my Raspberry Pi running as an OpenWrt router. It's struggling with routing, so I'd like my switches (which are layer 3 aware) to do the inter-VLAN routing.
But how can I do so? Currently I've got 3 VLANs (I have more, but I'm keeping it simple): Lab VLAN 2, trusted devices VLAN 3, and storage server VLAN 220.
All three are in the LAN zone, and VLAN 2 and VLAN 3 should access the VLAN 220 subnet, but not via the router.
How can I prevent OpenWrt from doing so?

Make separate zones for untrusted networks. Placing them all in the LAN zone means that you trust them equally.

Regardless of that, once the switch internally routes a packet between two devices it has in its ARP table, it won't send it to the router port.

3 Likes

If the inter-VLAN routing is handled by the L3 switches, what will OpenWrt do?

2 Likes

I think honestly I don't have any other options.
Unfortunately the Raspberry Pi is not able to route a Gbit stream from my VLAN 2 to my VLAN 220 (storage server). So I need to go a different way, I think. Especially for VLAN 2, where my PC is located. Usually I do a lot of transfers onto my storage server, so it's bottlenecking.
Another thing I could do: I could create a second interface on the storage server and put it into VLAN 2, but I don't know what's better.
For everything else, the OpenWrt router is performing fine.

The devices in VLANs 2, 3 and 220 somehow need to have routes to each other with the layer 3 switch as gateway.
It can be done by using the switch as the default route (for example by configuring a DHCP option, or by using the switch as DHCP relay and disabling DHCP for the VLANs on the router), or by adding static routes on the devices, or possibly by configuring routes in a DHCP option, etc.

3 Likes

Thanks, I was also thinking about it.
So I have to put VLAN 220 (storage server) into an isolated network, to avoid routing through the router, and create the routes on the switch?

In this scenario the endpoints are configured with their Cisco switch as the default route; the switch's default route (to reach IPs it doesn't know, such as the Internet) is then via the actual router.

This is useful for example at a campus with several buildings and a big switch in each building: you can administer separate IP ranges for each building and then know generally where something is by its IP address, and there isn't a total free-for-all of broadcast traffic on layer 2 in the inter-building trunks. It really doesn't bring much security since everything in the network has an unencumbered route to everything else.

With different classes of users you can set up entirely separate network trees using VLANs, though. For a member of the untrusted network to have access to only certain resources of the trusted network, an external firewall device would make the decision and route it. With enough money that can be done at gigabit line speed.

It seems unnecessarily complicated for a home network. Placing everything in the same layer 2 network is, yes, boring and maybe a potential security issue, but it has the benefit of fast hardware switching.

1 Like
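The two ways trendy describes above (switch as the clients' default route, or specific routes handed out through a DHCP option) and the default-route chain in the post just above (endpoint -> switch -> router) can be expressed as DHCP options from the OpenWrt side. The following is an added example written for this thread; it is not code from the thread, from OpenWrt or from dnsmasq. The addresses are constructed, the `dhcp.<iface>.dhcp_option` list and dnsmasq's `121,prefix,via` text form are assumptions about dnsmasq/uci syntax, and the byte encoder is a straight implementation of RFC 3442 so you can check what a client actually received in a packet capture.

```python
"""Added example (not from the thread): DHCP options that steer inter-VLAN traffic to an
L3 switch instead of the OpenWrt router.

Two models from the thread:
  A) endpoints use the switch as *default* gateway (option 3); the switch's own default
     route points at OpenWrt for everything it does not know (e.g. the Internet);
  B) endpoints keep OpenWrt as default gateway and receive *specific* routes via the
     switch using the classless static route option (RFC 3442, DHCP option 121).
Either way, VLAN-to-VLAN traffic routed by the switch never passes OpenWrt's firewall
zones, so any policy between those VLANs has to live in the switch's ACLs.
"""
import ipaddress

# Constructed addressing (assumed, not taken from the post): lab VLAN 2 is 192.168.2.0/24
# with OpenWrt at .1 and the switch SVI at .2; storage VLAN 220 is 192.168.220.0/24.
VLAN2_OPENWRT = "192.168.2.1"
VLAN2_SWITCH = "192.168.2.2"
STORAGE_NET = "192.168.220.0/24"


def encode_classless_routes(routes):
    """RFC 3442 payload for option 121: per route a prefix-length octet, only the
    significant octets of the destination, then the 4-octet router. Returns the option
    data only (no code/length octet), i.e. what a capture of the DHCP OFFER/ACK shows."""
    out = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # raises if host bits are set
        significant = (net.prefixlen + 7) // 8            # /24 -> 3 octets, /19 -> 3, /0 -> 0
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(via).packed
    if len(out) > 255:
        raise ValueError("option 121 payload exceeds 255 octets; hand out fewer routes")
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes, for checking what clients actually got."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        n = (plen + 7) // 8
        dest = bytes(payload[i + 1:i + 1 + n]).ljust(4, b"\x00")
        via = payload[i + 1 + n:i + 5 + n]
        if len(via) != 4:
            raise ValueError("truncated option 121 payload")
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(via))))
        i += 1 + n + 4
    return routes


def uci_dhcp_options(iface, default_gw, routes=()):
    """Values for `uci add_list dhcp.<iface>.dhcp_option=...` (assumed uci/dnsmasq syntax).
    routes empty  -> model A (default_gw is the switch).
    routes given  -> model B (default_gw is OpenWrt, listed prefixes go via the switch).
    RFC 3442 says a client that honours option 121 ignores option 3, so the default route
    is repeated inside option 121 as 0.0.0.0/0; otherwise those clients lose it."""
    opts = [f"dhcp.{iface}.dhcp_option='3,{default_gw}'"]
    if routes:
        full = list(routes) + [("0.0.0.0/0", default_gw)]
        encode_classless_routes(full)  # validate prefixes and total length before emitting
        text = ",".join(f"{dest},{via}" for dest, via in full)
        opts.append(f"dhcp.{iface}.dhcp_option='121,{text}'")
    return opts


if __name__ == "__main__":
    print("model A (switch is default gateway):")
    for line in uci_dhcp_options("lab", VLAN2_SWITCH):
        print("  uci add_list", line)
    print("model B (OpenWrt stays default, storage via switch):")
    for line in uci_dhcp_options("lab", VLAN2_OPENWRT, [(STORAGE_NET, VLAN2_SWITCH)]):
        print("  uci add_list", line)
    wire = encode_classless_routes([(STORAGE_NET, VLAN2_SWITCH), ("0.0.0.0/0", VLAN2_OPENWRT)])
    print("option 121 on the wire:", wire.hex(), "->", decode_classless_routes(wire))
```

Model B keeps Internet-bound traffic (and the firewall for it) on OpenWrt while only the storage prefix is short-cut through the switch; model A moves the default gateway to the switch, and then the switch needs its own default route towards OpenWrt. In both cases the switch ACLs are the only place left to restrict what VLAN 2 may reach in VLAN 220. Clients that do not request option 121 (or that use the Windows-specific code 249) simply keep the option 3 gateway, so test with the actual client OSes before relying on it.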

The switch will support access lists... then VLSM just for a few devices is viable... but as stated above... you're adding complexity... lack of centralised control... and several points of failure...

Thanks for your help, I have considered this as well.
Before I did exactly this, I had everything in one single layer 2 network, but the router always had 100% CPU load, so it's only there to route out to the internet now. I've got a lot of smart home stuff here, almost everything, even light switches are part of the network.
Unfortunately security is quite important in my home network.
Often I work at home, and to test some stuff in the company network, I've got my VM VLAN and I bridge the VLAN into the company network in order to do so. So I want to avoid putting everything into one network.
Also I've got my Chinese CCTV system, which tries to send data over the internet to a Chinese server.
I've also used a /19 subnet in order to get enough space.

That's my current setup.

I had these things available, also a Cisco router, but I prefer OpenWrt in terms of GUI.

One storage server, one server for virtualization with almost 250 guest VMs, and another Xeon system which I wanted to use for OpenWrt first. But I think the reliability of a SoC, in this case the RPi 4, is higher.

I've got these 3 switches in the network.



So I've used these 2 switches, but is there maybe a completely different way to achieve this?
Or is it just simpler, as mentioned before, to add 2 more network interfaces into each VLAN in order to avoid the need to route these Gbit streams? I could simplify things a little, which would only require routing between VLAN 2 and VLAN 220 instead of VLAN 3 as well. I've established a point-to-point connection between my PC and storage server for now.

OpenWrt looks completely redundant there.
wan is supposed to be eth0.1 (VLAN 1), which is also available on all the switches.

Either don't use it at all, or have a vlan from the Fritz to the OpenWrt only, which will be for the internet routed packets.

2 Likes

Thanks, I have changed that now.
VLAN 1 is in use for all the untrusted or guest devices now. I've got VLAN 4092 now, which connects only the OpenWrt router and the Fritz router.
Unfortunately I've now found out that IP functionality is very, very reduced on my Cisco switches, because they are part of the SG Small Business series only.

I've got 2 ideas:

I'll also make some minor changes to avoid routing at all in order to access the storage server.
The storage server will now be part of VLAN 3, which is for trusted devices, so almost all devices which are not guests.
Routing from VLAN 2 to 3 won't be an issue anymore, because performance is not important in this case.

2nd idea:

I leave everything as it is, because in most cases throughput doesn't matter, so I use the point-to-point connection from my PC to my server instead.

Or 3rd, any other suggestions?

I run SG... what is reduced (that compromises your goals)?

Idea 1 sounds good.
Otherwise you can get an RPi4 with a few USB3 GigE adapters to replace the older RPi.
The RPi4 has enough power to route gigabit-speed flows without sweating.

1 Like

Thanks friends, the Pi wasn't the problem.
I had some issue with my storage server; it was the reason why I didn't reach Gbit speed.
It's an RPi4 and now with the correct config it's reaching 113 MB/s, but at 95% load. But that's not a problem. Thanks for the help from all of you, I will also consider the mentioned points.
I will also simplify my network.
Special thanks to @trendy

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.