Bridged networks from the OpenWRT tutorial

Hi,

I'm reading the tutorial: https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_bridged_networks

It states the following:

Devices plugged into the home ports will be able to communicate with each other, and the devices in the office ports can also talk together. But the “home” ports will not be able to communicate with “office” ports unless there is a routing or firewall rule to allow it.

Well, I repeated the setup on my ASUS ax4200.

Router:

 route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    10     0        0 eth1
10.170.0.0      *               255.255.255.252 U     0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     10     0        0 eth1
192.168.2.0     *               255.255.255.252 U     0      0        0 br-lan
192.168.3.0     *               255.255.255.252 U     0      0        0 br-home

Laptop1: 
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.3.1     0.0.0.0         UG    100    0        0 eno2
192.168.3.0     0.0.0.0         255.255.255.252 U     100    0        0 eno2

Laptop2:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    100    0        0 eno2
192.168.2.0     0.0.0.0         255.255.255.252 U     100    0        0 eno2

I listen on laptop 2:

nc -lvp 4444

and I connect on laptop 1:

nc 192.168.2.2 

and I am able to connect.

The laptops are connected to LAN3 on br-home:

and LAN1 on br-lan:

So the laptops are on different bridged networks, as described by the tutorial, and they should not be able to connect. But they do connect.

Actually, why wouldn't they? The router has routes to both networks. So why does the tutorial state the opposite? Is it my reading comprehension that fails?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "ASUS TUF-AX4200",
	"board_name": "asus,tuf-ax4200",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "mediatek/filogic",
		"description": "23.05.3 240325"
	}
}
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'phy0-ap0'
	list ports 'phy1-ap1'

config device
	option name 'lan1'
	option macaddr 'xxxx'
	option ipv6 '0'

config device
	option name 'lan2'
	option macaddr 'xxxx'

config device
	option name 'lan3'
	option macaddr 'xxxx'

config device
	option name 'lan4'
	option macaddr 'xxx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.2.1/30'
	list ipaddr '10.170.0.1/30'

config device
	option name 'eth1'
	option macaddr 'xxxx'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option metric '10'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-home'
	list ports 'lan3'
	list ports 'lan4'

config interface 'home'
	option proto 'static'
	option device 'br-home'
	list ipaddr '192.168.3.1/30'
cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '0'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'tuf-ax4200-2g-0'
	option encryption 'psk2'
	option key '******'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '0'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'tuf-ax4200-5g-1'
	option encryption 'psk2'
	option key '*********'
cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option confdir '/tmp/dnsmasq.d'
	option noresolv '1'
	list server '127.0.0.1#9053'
	list server '::1#9053'
	list server '8.8.8.8'
	list server '8.8.4.4'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,8.8.8.8'
	list dhcp_option '3,192.168.2.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'home'
	option interface 'home'
	option start '100'
	option limit '150'
	option leasetime '12h'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'home'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list network 'wan'
	list network 'wan6'
	list network 'vpn1'
	list network 'vpn2'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config forwarding
	option src 'lan'
	option dest 'wan'

You don’t appear to have followed the tutorial.

You need to use bridge VLANs, since DSA doesn't allow multiple bridges on a single switch chip.

Further, the isolation between two or more L3 network interfaces comes from the firewall. In this case you assigned both networks to the same firewall zone (the 'lan' zone lists both 'lan' and 'home' and has forward set to ACCEPT), so traffic is routed freely between them and you haven't set them up for isolation.

You should reset to defaults and then follow the bridge vlan examples in the DSA tutorial.

Thanks, so it's my misunderstanding.
I thought the tutorial states that already at step 2 the networks are inaccessible to each other.

The tutorial reads:

2. Multiple bridged networks

and at the 3rd step

3. Multiple networks using VLANs

Ports can also be separated (grouped) using single bridge with multiple VLANs.

Here is an example you can use as a reference.


Thanks a lot, I'll follow the guide you sent.

I have another burning question, should I open a new topic or maybe you can answer here?

I want to round-robin between two VPNs with mwan3. I think I almost succeeded, but when mwan3 starts it changes the default route and the VPNs themselves lose connectivity.

Can you suggest a standard way to do this? I suppose I'm not the first person to face such a requirement.

Thanks!

Best to keep each thread on a single topic. If you have more questions about bridge VLANs, this thread is a good place for it. Start another thread for your mwan3/vpn questions.
