Hi,
I'm reading the tutorial: https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_bridged_networks
It states the following:
Devices plugged into the home ports will be able to communicate with each other, and the devices in the office ports can also talk together. But the “home” ports will not be able to communicate with “office” ports unless there is a routing or firewall rule to allow it.
Well, I repeated the setup on my ASUS ax4200.
Router:
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 10 0 0 eth1
10.170.0.0 * 255.255.255.252 U 0 0 0 br-lan
192.168.1.0 * 255.255.255.0 U 10 0 0 eth1
192.168.2.0 * 255.255.255.252 U 0 0 0 br-lan
192.168.3.0 * 255.255.255.252 U 0 0 0 br-home
Laptop1:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.3.1 0.0.0.0 UG 100 0 0 eno2
192.168.3.0 0.0.0.0 255.255.255.252 U 100 0 0 eno2
Laptop2:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.2.1 0.0.0.0 UG 100 0 0 eno2
192.168.2.0 0.0.0.0 255.255.255.252 U 100 0 0 eno2
I listen on laptop 2:
nc -lvp 4444
and I connect on laptop 1:
nc 192.168.2.2
and I am able to connect.
The laptops are connected to LAN3 on br-home:
and LAN1 on br-lan:
so the laptops on the different bridged networks as explained by the tutorial so they should not be able to connect. But they connect.
Actually, why would not they? The router has both routes. So, why does the tutorial state the opposite? Is it my reading comprehension which fails?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
psherman:
ubus call system board
ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "ASUS TUF-AX4200",
"board_name": "asus,tuf-ax4200",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "mediatek/filogic",
"description": "23.05.3 240325"
}
}
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'phy0-ap0'
list ports 'phy1-ap1'
config device
option name 'lan1'
option macaddr 'xxxx'
option ipv6 '0'
config device
option name 'lan2'
option macaddr 'xxxx'
config device
option name 'lan3'
option macaddr 'xxxx'
config device
option name 'lan4'
option macaddr 'xxx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
list ipaddr '192.168.2.1/30'
list ipaddr '10.170.0.1/30'
config device
option name 'eth1'
option macaddr 'xxxx'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option metric '10'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config device
option type 'bridge'
option name 'br-home'
list ports 'lan3'
list ports 'lan4'
config interface 'home'
option proto 'static'
option device 'br-home'
list ipaddr '192.168.3.1/30'
cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option channel '1'
option band '2g'
option htmode 'HE20'
option disabled '0'
option country 'US'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'tuf-ax4200-2g-0'
option encryption 'psk2'
option key '******'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option channel '36'
option band '5g'
option htmode 'HE80'
option disabled '0'
option country 'US'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'tuf-ax4200-5g-1'
option encryption 'psk2'
option key '*********'
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '0'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
option confdir '/tmp/dnsmasq.d'
option noresolv '1'
list server '127.0.0.1#9053'
list server '::1#9053'
list server '8.8.8.8'
list server '8.8.4.4'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option force '1'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '6,8.8.8.8'
list dhcp_option '3,192.168.2.1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'home'
option interface 'home'
option start '100'
option limit '150'
option leasetime '12h'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'home'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun0'
list network 'wan'
list network 'wan6'
list network 'vpn1'
list network 'vpn2'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
config forwarding
option src 'lan'
option dest 'wan'
You don’t appear to have followed the tutorial.
You need to use bridge VLANs since dsa doesn’t allow multiple bridges on a single switch chip.
Further, the isolation between two or more l3 network interfaces comes from the firewall - in this case, you assigned them both to the same firewall zone, so you haven’t set them up for isolation.
You should reset to defaults and then follow the bridge vlan examples in the DSA tutorial.
Thanks, so it's my misunderstanding.
The tutorial reads:
2. Multiple bridged networks
and at the 3rd step
3. Multiple networks using VLANs
Ports can also be separated (grouped) using single bridge with multiple VLANs.
Here is an example you can use as a reference.
Start by creating bridge-VLANs. To make sure it works, we'll use lan 1 for your normal lan, lan2 for the guest network, and lan3 for the iot network. Then we'll use port lan4 for the trunk which would go to your dumb APs. You can modify the port assignments as you need -- it should be fairly clear once this is done.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
list ports 'lan4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'lan…
1 Like
Thanks alot, i'll follow the guide you sent.
I have another burning question, should I open a new topic or maybe you can answer here?
I want to round-robin between two VPNS with mwan3. I think I almost succeeded but when mwan3 starts it changes the default route and the VPNs themselves are cut of connection.
Can you suggest some standard way to do this, I suppose Im not the first person who is faced with such a requirement.
Thanks!
Best to keep each thread on a single topic. If you have more questions about bridge VLANs, this thread is a good place for it. Start another thread for your mwan3/vpn questions.
1 Like
