Bridge and NAT Connection over Single WAN Port using VLAN?

I have two routers: a DIR-878 (ver. A1) and a PHICOMM K2P. Both are running OpenWRT version 24.10.1.

I'm using the PHICOMM K2P as the main DHCP server, but without the wireless access point enabled.
The DIR-878 is set up as a wireless router with both bridge and NAT connections. The bridge connection (Device Name: br-bridge) on the DIR-878 uses LAN1 and SSID2, while NAT uses the default WAN port. The DIR-878 is connected to the PHICOMM K2P using two cables—one from LAN1 and one from WAN.


Now to my question:
Is it possible to use just one cable connected to the WAN port on the DIR-878 and still have both bridge and NAT connections like in the topology shown below? Maybe by using VLANs? If yes, how would I go about setting it up?

Yes, this can be achieved using VLANs.

I'm a bit confused as to why you have NAT running on the DIR-878? Ideally, all routing happens on the main router.

Let's take a look at your configs from both devices:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you for your response.

Here is the configuration you requested below.

  1. Phicomm K2P
{
	"kernel": "6.6.86",
	"hostname": "K2P",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Phicomm K2P",
	"board_name": "phicomm,k2p",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5d:f07d:3922::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option hostname '*'
	option delegate '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'
	option eee '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'wan'
	option ipv6 '0'


config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '2g'
	option channel '11'
	option htmode 'HT20'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'K2P'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0+1'
	option band '5g'
	option channel 'auto'
	option htmode 'VHT80'
	option cell_density '0'
	option rxldpc '0'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'K2P'
	option encryption 'none'
	option disabled '1'


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'arpa'
	option expandhosts '1'
	option cachesize '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option sequential_ip '1'
	list interface 'lan'
	list rebind_domain 'arpa'
	option noresolv '1'
	option strictorder '1'
	list server '192.168.2.2'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '2m'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'


config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'


  2. DIR-878 (A1)
{
	"kernel": "6.6.86",
	"hostname": "DIR-878",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "D-Link DIR-878 A1",
	"board_name": "dlink,dir-878-a1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3d:520b:f616::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.254.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option delegate '0'

config device
	option type 'bridge'
	option name 'br-bridge'
	option ipv6 '0'
	list ports 'lan1'

config interface 'bridge'
	option proto 'dhcp'
	option device 'br-bridge'
	option defaultroute '0'
	option force_link '1'
	option peerdns '0'
	option delegate '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'
	option eee '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'wan'
	option ipv6 '0'


config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '2g'
	option channel '11'
	option htmode 'HT20'
	option cell_density '0'
	option txpower '26'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'DIR-878'
	option encryption 'none'
	option disabled '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '5g'
	option channel 'auto'
	option htmode 'VHT80'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'DIR-878'
	option encryption 'none'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IM06'
	option encryption 'none'
	option network 'bridge'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IM06'
	option encryption 'none'
	option network 'bridge'
	option disabled '1'


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'arpa'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'arpa'
	option sequential_ip '1'
	list interface 'lan'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '2m'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'bridge'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'bridge'

config forwarding
	option src 'lan'
	option dest 'wan'


Sorry if that was a bit confusing. I'm actually still new to more advanced OpenWRT setups like this. Apologies if I’m not using the right terms. Basically, I want to set up the DIR-878 (A1) router to have two separate connections over a single LAN cable. The idea is: when a device connects to SSID1 (DIR-878) or to LAN ports 2 to 4, it should get a DHCP lease from the DIR-878. Then, if a device connects to SSID2 (IM06) or LAN port 1, it should get a DHCP lease from the Phicomm K2P.

I’m just not sure what the correct terms are for this setup and how to actually configure it.

The best way to achieve this is to establish both networks on the main router and then use the second device as a bridged AP (with VLANs). Are you okay making those changes? If so, we will start with the main router.

In other words, does this mean I need to create two different subnets (192.168.2.1/24 and 192.168.254.1/24) on the main router (Phicomm K2P)? Then, on the second router (DIR-878 A1), I should set up a bridge between the AP and LAN ports that are tied to each VLAN?

If that’s the case, how can I access SSH on the second router (DIR-878 A1) after applying that configuration? Would I need to keep one of the LAN ports or a specific AP unbridged so I can still access the DIR-878?


So, is it impossible to achieve a goal like the one I stated above?

I think I’d like to give it a try. Please guide me through it!

There are other ways to approach it, but yes, this is the most efficient and easiest method, and it is the preferred technique because it will make management of your network much easier.

Although this is not a hard requirement, typically the AP (i.e. the second router) will have an address only on the network that is used to manage the device, and the other network will be 'unmanaged' -- basically transparently passing through. The address that the device holds on the management network will be the one you use for administration (ssh or LuCI web interface). All devices on the management network will be able to reach the AP (be it via wifi or ethernet), and it is your choice if the devices on the other network can reach it or not (this will be controlled by the firewall in the main router).

It's not that it is impossible, but rather that it is not an optimal topology. In most cases, it's best for the main router to do the routing for the whole network.

Ok... let's start with the main router.

We'll begin in the network config file, and we're going to (temporarily) take one port from the main lan and assign it to the secondary network. The purpose here is to be able to verify the functionality... you can always reassign it once that's done.

To do this, we'll add bridge-VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '254'
	list ports 'lan1:t'
	list ports 'lan4:u*'

Next, edit the lan to use the device br-lan.2:

config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'

add the network interface for the secondary network:

config interface 'lan254'
	option device 'br-lan.254'
	option proto 'static'
	option ipaddr '192.168.254.1'
	option netmask '255.255.255.0'
	option delegate '0'

Next, in /etc/config/dhcp:

remove the lines marked with -:

I recommend changing the dhcp lease time to something more sensible -- 12h is the default:

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Now add a DHCP server for the new network:

config dhcp 'lan254'
	option interface 'lan254'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

The firewall comes next. This will allow access for the new network (192.168.254.0/24) to reach the router itself as well as the internet, and the original network (192.168.2.0/24), but the original network won't be able to reach the new network (this replicates your current configuration's permissions; all of this can be adjusted, but we'll start here). Add this:

config zone
	option name 'lan254'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'lan254'

config forwarding
	option src 'lan254'
	option dest 'wan'

config forwarding
	option src 'lan254'
	option dest 'lan'

You can now restart the main router. Plug a computer into any of ports lan1-lan3 and you should get an address on the 192.168.2.0/24 network. Then plug that computer into port lan4 and you'll get an address in 192.168.254.0/24. Assuming that's working, you can move on to the AP.

  1. Reset the AP to defaults.
  2. Delete the wan and wan6 interfaces
  3. Edit br-lan so it looks like this (adding the wan port):
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'
  4. Create bridge-VLANs (replicating the config you have now, lan1 will be the 192.168.2.0/24 network, lan2-4 will be 192.168.254.0/24):
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '254'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'wan:t'
  5. Edit the lan interface to look like this:
config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
  6. And create a new unmanaged interface like this:
config interface 'lan254'
	option device 'br-lan.254'
	option proto 'none'
  7. In the AP's /etc/config/dhcp file, disable the dhcp server. It'll look like this:
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
  8. Reboot this device and plug in an ethernet cable between the wan port on the AP and port lan1 on the main router. This device should now have port lan1 as 192.168.2.0/24 and ports lan2-4 as 192.168.254.0/24.
  9. You can now set up your wifi SSIDs against lan and lan254 respectively.

Assuming that all is working, from here, we can make any changes that you want to the port allocations and allowances/restrictions for inter-network routing/firewall.

If anything doesn't work, post the complete configs for review.

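An added sanity check, not from the thread or from OpenWrt: a small Python script that parses the bridge-vlan stanzas proposed above for both devices (constructed copies, trimmed to the `option vlan` and `list ports` lines) and verifies two things before you plug the cable in: every untagged member port also carries the PVID `*`, and both ends of the trunk (lan1 on the K2P, wan on the DIR-878) agree on which VLANs are tagged. The AP sample deliberately keeps `lan4:u` without the `*` so the first check has something to report; the function names are my own.

```python
import re

# Constructed copies of the bridge-vlan stanzas proposed in the thread, trimmed
# to the lines that matter (option device omitted). Main router first, then AP;
# the AP copy keeps 'lan4:u' without the PVID '*' so the check has something to find.
MAIN_ROUTER = """config bridge-vlan
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
config bridge-vlan
	option vlan '254'
	list ports 'lan1:t'
	list ports 'lan4:u*'
"""
AP = """config bridge-vlan
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'wan:u*'
config bridge-vlan
	option vlan '254'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u'
	list ports 'wan:t'
"""

def parse_bridge_vlans(text):
    """vlan id -> {port: flags}, read only from 'config bridge-vlan' stanzas."""
    vlans = {}
    for stanza in re.split(r"^config ", text, flags=re.M)[1:]:
        if not stanza.startswith("bridge-vlan"):
            continue
        vid = int(re.search(r"option vlan '(\d+)'", stanza).group(1))
        ports = re.findall(r"list ports '([^']+)'", stanza)
        vlans[vid] = dict(p.partition(":")[::2] for p in ports)
    return vlans

def check_device(name, vlans):
    """An untagged member without the PVID '*' drops untagged ingress frames."""
    return [f"{name}: vlan {vid} port {port}:{flags} is untagged without PVID"
            for vid, ports in vlans.items() for port, flags in ports.items()
            if "u" in flags and "*" not in flags]

def check_trunk(main, main_port, ap, ap_port):
    """Both ends of the cable must carry the same vlans with the same tagging."""
    pairs = {v: (main.get(v, {}).get(main_port), ap.get(v, {}).get(ap_port))
             for v in sorted(set(main) | set(ap))}
    return [f"trunk: vlan {v} is {main_port}:{m} on main, {ap_port}:{a} on AP"
            for v, (m, a) in pairs.items() if None in (m, a) or ("t" in m) != ("t" in a)]
```

Paste the real `/etc/config/network` of each device in place of the two samples; an empty list from both checks means the port flags are consistent on both sides of the cable.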

Thank you...
