Basic set up questions & VLANs

I have tried following tutorials to implement VLANs with OpenWRT. I follow all steps but the resulting connection doesn't connect to the router nor the internet via the connected SSID and now wonder if I am missing something basic.

  • I have a fiber optic connection with a TP-Link 1800 AX23 router. The router has the default 192.168.1.1 address and I have disconnected my Pi-Hole DNS/DHCP server for the time being.
  • Ethernet socket in my home's wall is connected to the WAN port on the router (unlike the tutorials, the router does not get an internet connection when the cable goes into the LAN1 port)
  • I have created a vlans device in bridge mode (bridged to wan and vlans.2 ports). VLAN filtering is enabled with one VLAN (ID: 2; tagged on wan and vlans.2 ports).
  • There is a "vlans" interface connected to the vlans.2 device. It is configured in static mode with IP 192.168.2.1, subnet 255.255.255.0 and gateway 192.168.1.1
  • I have modified the 5GHz network to be called "Openwrt5" and connected it to the "vlans" network.

However, I get neither internet nor access to OpenWrt when connecting to the Openwrt5 network. Access to both is fine on the default Openwrt network.

Am I missing something?

Is the OpenWrt router the only router on the network? Or is there a router ahead of it (i.e. directly connected to the ISP)?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you for the quick reply @psherman.

This is the only router on my network.

Commands output:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.120",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link Archer AX23 v1",
	"board_name": "tplink,archer-ax23-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r23580-b993a00b82",
		"target": "ramips/mt7621",
		"description": "OpenWrt SNAPSHOT r23580-b993a00b82"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf3:b823:8523::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'vlans'
	list ports 'eth0'
	list ports 'vlans.2'

config bridge-vlan
	option device 'vlans'
	option vlan '2'
	list ports 'eth0:t'
	list ports 'vlans.2:t'

config interface 'vlan2'
	option proto 'static'
	option device 'vlans.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '0'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt5'
	option encryption 'none'
	option network 'vlan2'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan2'
	option interface 'vlan2'
	option start '100'
	option limit '150'
	option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Remove this:

And delete this, too:

Add this:

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth0:t'

And then explicitly create VLAN 1 like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

Then, edit your lan interface so that it uses br-lan.1 like this:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

And modify your vlan2 interface to use br-lan.2:

config interface 'vlan2'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

Finally, add vlan2 to the lan firewall zone (this can be changed later, if desired):

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vlan2'

And now restart your router and test again.


Thanks so much for your help Peter. This got it working. I've since been trying to work out what I did wrong and how to set up new VLANs. I'd appreciate if you could point me in the right direction to learn.

What I got wrong: 1) Not setting the firewall zone for the VLAN interfaces; 2) Trying to create additional devices to set up VLANs on rather than using the br-lan device that was already configured.

To create a new VLAN on its own SSID
Does this process look complete and accurate to you?

  1. Edit the ‘br-lan’ device in the VLAN tab by adding a VLAN ID. This new VLAN ID should be tagged on eth0 and untagged on all other lan1 to lan4 ports.
  2. A new br-lan.X VLAN (802.1q) device will automatically be created.
  3. Add a new interface named vlanX with a static address connected to device br-lan.X (created in previous step). Configure IP v4 address to be 192.168.X.1/24. Leave gateway blank.
  4. In the DHCP Server tab, click Set up DHCP server and leave default settings.
  5. Configure a wireless network to use vlanX interface as the network.
  6. Set the firewall settings to the lan firewall zone

And finally, does this VLAN setup on the br-lan device appear correct?
The physical LAN1 and LAN2 ports on my router will have my homeserver and DNS server respectively. And LAN3 will be a sync box for IoT devices. Devices of VLAN1 and VLAN2 can access all devices. Devices on VLAN69 will be IoT devices but will also need access to the DNS server and home server where home assistant will be running.

Very grateful for your help here. If I can do something to thank you please let me know :smiley:
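The six steps above, and the manual config edits in the earlier reply, written out as a script. This is an added example and not code from the thread or from the OpenWrt project: it prints `uci batch` commands for a new VLAN X on the existing br-lan so they can be read before anything is applied. It assumes the names used in the thread (bridge br-lan, CPU port eth0, interface vlanX, subnet 192.168.X.0/24, DHCP pool start 100 / limit 150 / 12h, and that the lan zone is the first zone section in /etc/config/firewall); the section ids it creates (ap_vlanX, zone_vlanX, fwd_vlanX, svc_vlanX) and the optional isolated "iot" zone are its own choices, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit uci batch commands for a new VLAN
# on br-lan following the thread's six steps. Nothing is applied until the
# output is piped into "uci batch".

# The thread's 192.168.X.1 convention caps X at 255 even though 802.1Q allows
# up to 4094; VLAN 1 is the untagged lan VLAN created earlier, so it is refused.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 255 ]
}

# gen_vlan_uci VID ZONE [RADIO] [SSID] KEY
#   ZONE "lan": add vlanVID to the existing lan zone (full access, as in the thread)
#   ZONE "iot": separate zone with internet only, plus DHCP/DNS to the router
gen_vlan_uci() {
    vid="$1"; zone="${2:-lan}"; radio="${3:-radio1}"
    ssid="${4:-OpenWrt-vlan$vid}"; key="$5"
    valid_vlan_id "$vid" || { echo "invalid VLAN id '$vid' (need 2..255)" >&2; return 1; }
    # WPA2-PSK needs an 8..63 character passphrase (the thread's SSIDs were open).
    if [ "${#key}" -lt 8 ] || [ "${#key}" -gt 63 ]; then
        echo "need a WPA passphrase of 8..63 characters as 5th argument" >&2; return 1
    fi
    # Steps 1-2: VLAN $vid on br-lan, tagged on the CPU port only (a wifi-only
    # VLAN); OpenWrt then exposes it as device br-lan.$vid.
    # Step 3: static interface on that device, no gateway (this router is the gateway).
    # Step 4: DHCP pool with the defaults seen in the thread.
    # Step 5: an AP on $radio bound to the new interface.
    cat <<EOF
add network bridge-vlan
set network.@bridge-vlan[-1].device='br-lan'
set network.@bridge-vlan[-1].vlan='$vid'
add_list network.@bridge-vlan[-1].ports='eth0:t'
set network.vlan$vid=interface
set network.vlan$vid.proto='static'
set network.vlan$vid.device='br-lan.$vid'
set network.vlan$vid.ipaddr='192.168.$vid.1'
set network.vlan$vid.netmask='255.255.255.0'
set dhcp.vlan$vid=dhcp
set dhcp.vlan$vid.interface='vlan$vid'
set dhcp.vlan$vid.start='100'
set dhcp.vlan$vid.limit='150'
set dhcp.vlan$vid.leasetime='12h'
set wireless.ap_vlan$vid=wifi-iface
set wireless.ap_vlan$vid.device='$radio'
set wireless.ap_vlan$vid.mode='ap'
set wireless.ap_vlan$vid.ssid='$ssid'
set wireless.ap_vlan$vid.encryption='psk2'
set wireless.ap_vlan$vid.key='$key'
set wireless.ap_vlan$vid.network='vlan$vid'
EOF
    # Step 6: firewall zone.
    case "$zone" in
    lan)
        # The lan zone is the first (anonymous) zone section in the thread's config.
        echo "add_list firewall.@zone[0].network='vlan$vid'" ;;
    iot)
        # Isolated zone: no forwarding to lan, only to wan; the router itself
        # accepts only DHCP (udp/67) and DNS (53) from this VLAN.
        cat <<EOF
set firewall.zone_vlan$vid=zone
set firewall.zone_vlan$vid.name='vlan$vid'
set firewall.zone_vlan$vid.input='REJECT'
set firewall.zone_vlan$vid.output='ACCEPT'
set firewall.zone_vlan$vid.forward='REJECT'
add_list firewall.zone_vlan$vid.network='vlan$vid'
set firewall.fwd_vlan$vid=forwarding
set firewall.fwd_vlan$vid.src='vlan$vid'
set firewall.fwd_vlan$vid.dest='wan'
set firewall.svc_vlan$vid=rule
set firewall.svc_vlan$vid.name='Allow-DHCP-DNS-vlan$vid'
set firewall.svc_vlan$vid.src='vlan$vid'
add_list firewall.svc_vlan$vid.proto='udp'
add_list firewall.svc_vlan$vid.proto='tcp'
set firewall.svc_vlan$vid.dest_port='53 67'
set firewall.svc_vlan$vid.target='ACCEPT'
EOF
        ;;
    *)  echo "zone must be lan or iot" >&2; return 1 ;;
    esac
}

# Run directly on the router, e.g.:
#   ./mkvlan.sh 69 iot radio1 IoT 'your passphrase' | uci batch && uci commit && reboot
if [ "$#" -gt 0 ]; then gen_vlan_uci "$@"; fi
```

Review the printed commands first; `uci batch` only stages them, and `uci commit` followed by a reboot (as the earlier reply suggests) applies them. The "iot" zone matches the IoT case described above only partially: it gives those devices internet and the router's DHCP/DNS, and any access to the home server or a separate DNS box on VLAN 1 would need explicit forwarding rules added on top.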
