Can I simplify my double NAT network with a VLAN?

My current setup:

ISP modem/router

In router mode, so one LAN port is for the Raspberry Pi router; the other three ports are for set-top boxes etc. from the ISP (they need some simple network and their own DNS). They are on 192.168.178.0/24.

On one of the network ports:

Raspberry Pi 4B router with a managed switch (so I'm only using the one network port on my Pi). My own (LAN) network is on this, 192.168.1.0/24, on OpenWrt 21.02.1.

I only have one Cat 6 cable from my router location to my living room, so there are two managed switches with the one Cat 6 cable as trunk. Two VLANs (one from the ISP router and one from my private Raspberry Pi router) go into the switch, and at the other end the network is split again, so I have two separate networks in my living room, one for my ISP stuff and one for private use, coming from the same switch depending on which port you use.

What I want to do:

End the double NAT, so my ISP router needs to go into bridge mode, and the three LAN cables, now in the ISP modem, need to go into the spare ports of my Raspberry Pi's switch on a new VLAN.

So I need an extra LAN network on my OpenWrt router (Pi) on a new VLAN network interface, with its own DNS servers (or the default ones from my ISP) and its own IP range.

So that's probably a lot of text to ask how to set up an extra br-lan interface on an extra VLAN.

/etc/config/network

```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdad:b459:8594::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '84.200.69.80'
	list dns '84.200.70.40'
	option device 'eth0.10'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2001:1608:10:25::1c04:b12f'
	list dns '2001:1608:10:25::9249:d69b'
	option device 'eth0.10'

config interface 'vpnclient'
	option proto 'none'
	option device 'tun1'

config interface 'vpnserver'
	option proto 'none'
	option device 'tun0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.20'
```

/etc/config/dhcp

```
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.194'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
```

There are 3 different considerations here:

1. Does your modem support bridge mode?
   2a) Do your STBs continue to function as-is when the modem is in bridge mode? Depending on how the ISP handles the STB connections, they may or may not work this way.
   2b) If your STBs do not work as-is with the modem in bridge mode, do you have the relevant information about how to configure a VLAN for them to operate? This may or may not be possible; if it is possible, it may or may not be officially supported by the ISP.
3. If 1 and 2 end up with dead-ends, does the modem support the ability to configure static routes (when it is operating in router mode)?

Yes, it supports bridge mode, and after setting it to bridge mode it's an ordinary cable modem.

Yes, the STB works in bridge mode (tested), but it works best with the DNS from my ISP and separated from the rest of my network.

The whole idea is to skip the double NAT, because all my connections from my Pi router are only one connection on the ISP router, and it's at its limits for the number of users/devices on this one connection.

Ok... so, yeah... should be no issue.

You don't need to create another bridge for additional VLANs. It is actually as simple as creating a new network interface and binding it against the device eth0.x where x is the VLAN ID you want to use.

Just as an example, it could look like this:

```
config interface 'iptv'
	option proto 'static'
	option ipaddr '10.5.10.1'
	option netmask '255.255.255.0'
	option device 'eth0.10'
```

You will probably want to have a DHCP server configured for this network -- that is where you can specify the desired DNS servers to advertise to the STBs (do this with DHCP option 6).

And then you'll assign this new network to a firewall zone (or create a new zone) and set the desired rules.

Obviously, you also need to configure your managed switch to handle the additional VLAN on the ports.


Do I need to set rules to make the dhcp work?

I just made a VLAN with the DHCP settings and made a new firewall rule for it (by the way, it doesn't work when I add the VLAN to the lan firewall rule, so I guess that that is not the issue).

Of course I configured a port on my switch for the VLAN :wink: so I can test.

Firewall rules? Yes, you'll need to ensure that the firewall permits, at the minimum, UDP ports 67-68 (DHCP) as input (to the router) from the zone associated with the new network. If your router will also serve DNS on that network, you'll also want TCP/UDP port 53 open (but you said those devices are best used with the DNS from the ISP, so you don't need port 53 in that case).
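The two things the replies above tell you to get right for the new VLAN network are (a) a `dhcp` section whose `dhcp_option` entries follow the `code,value` syntax (option 6 carrying the DNS servers to advertise) and (b) a firewall zone that lets the new network reach the router's DHCP server on UDP 67-68. Below is an added checker, written for this thread and not part of OpenWrt or of any post here, that parses UCI-style config text and reports both problems. It assumes you copy `/etc/config/dhcp` and `/etc/config/firewall` to a machine with Python 3; the embedded sample configs are constructed for the demonstration (a trimmed `lan` plus a `ziggo_lan` network with a deliberately malformed option 6 and a zone whose `input` is REJECT but has an explicit DHCP rule).

```python
"""Lint an OpenWrt /etc/config/dhcp and /etc/config/firewall for a newly added
VLAN network: malformed `dhcp_option` entries and DHCP input blocked by the firewall.
Added example for this thread; not OpenWrt tooling."""
import ipaddress
import re

# Constructed sample config text (not copied from the thread verbatim).
SAMPLE_DHCP = """
config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,192.168.1.194'

config dhcp 'ziggo_lan'
	option interface 'ziggo_lan'
	option start '100'
	option limit '150'
	list dhcp_option '684.200.69.80,84.200.70.40'
"""

SAMPLE_FIREWALL = """
config defaults
	option input 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	list network 'lan'

config zone
	option name 'ziggo_lan'
	option input 'REJECT'
	list network 'ziggo_lan'

config rule
	option name 'dhcp vlan ziggo'
	option src 'ziggo_lan'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'
"""

_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, {key: [values]}).
    `option` and `list` are both stored as value lists so callers need not care."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [t.strip("'\"") for t in _TOKEN.findall(line)]
        if tokens[0] == "config" and len(tokens) >= 2:
            sections.append((tokens[1], tokens[2] if len(tokens) > 2 else None, {}))
        elif tokens[0] in ("option", "list") and len(tokens) >= 3 and sections:
            sections[-1][2].setdefault(tokens[1], []).append(tokens[2])
    return sections


def check_dhcp_options(sections):
    """Return human-readable problems with `list dhcp_option` entries.
    dnsmasq expects 'code,value'; numeric codes are 1..254. Option 6 (DNS servers)
    must carry a comma-separated list of IPv4 addresses. Named 'option:' forms are skipped."""
    problems = []
    for typ, name, opts in sections:
        if typ != "dhcp":
            continue
        for entry in opts.get("dhcp_option", []):
            if entry.startswith("option:"):
                continue
            code, _, value = entry.partition(",")
            if not code.isdigit() or not 1 <= int(code) <= 254 or not value:
                problems.append(f"{name}: malformed dhcp_option {entry!r}")
                continue
            if int(code) == 6:
                for addr in value.split(","):
                    try:
                        ipaddress.IPv4Address(addr)
                    except ValueError:
                        problems.append(f"{name}: option 6 has bad DNS address {addr!r}")
    return problems


def _port_covered(spec, port):
    """True if `port` falls inside a UCI port spec like '67-68', '67:68' or '67 68'."""
    for item in spec.split():
        bounds = re.split(r"[-:]", item, maxsplit=1)
        if int(bounds[0]) <= port <= int(bounds[-1]):
            return True
    return False


def dhcp_reachable(sections, network):
    """True if clients on `network` can reach the router's DHCP server (UDP 67).
    Either the zone holding the network has input ACCEPT, or a rule with that zone
    as src, no dest (i.e. input to the router), proto udp and a port spec covering 67
    accepts it. A network in no zone falls back to the `defaults` input policy."""
    zone = next((o for t, _, o in sections if t == "zone" and network in o.get("network", [])), None)
    if zone is None:
        defaults = next((o for t, _, o in sections if t == "defaults"), {})
        return defaults.get("input", ["REJECT"])[0] == "ACCEPT"
    if zone.get("input", ["REJECT"])[0] == "ACCEPT":
        return True
    zname = zone.get("name", [""])[0]
    for typ, _, o in sections:
        if typ != "rule" or o.get("src", [""])[0] != zname or o.get("target", [""])[0] != "ACCEPT":
            continue
        if o.get("dest"):  # a forwarding rule, not input to the router itself
            continue
        protos = " ".join(o.get("proto", ["tcp udp"])).split()  # firewall default is tcp+udp
        ports = " ".join(o.get("dest_port", []))
        if "udp" in protos and (not ports or _port_covered(ports, 67)):
            return True
    return False


def audit(dhcp_text, firewall_text, network):
    """Run both checks for one network and return the findings as a dict."""
    return {
        "dhcp_option_problems": check_dhcp_options(parse_uci(dhcp_text)),
        "dhcp_reachable": dhcp_reachable(parse_uci(firewall_text), network),
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_DHCP, SAMPLE_FIREWALL, "ziggo_lan").items():
        print(f"{key}: {val}")
```

Run against the real files with `audit(open('/path/to/dhcp').read(), open('/path/to/firewall').read(), 'ziggo_lan')`. On the constructed sample it flags the `684.200.69.80,...` entry as malformed (the code is read as 684, not 6) while confirming that the explicit UDP 67-68 rule makes DHCP reachable even though the zone's `input` is REJECT.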

If you want a review of what you've done so far, post the following.

Please copy the output of the following commands and post it here using the "Preformatted text </>" button. Remember to redact passwords, MAC addresses and any public IP addresses you may have:

```
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
```

Ok, thanks. Here are my config files:

cat /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdad:b459:8594::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '84.200.69.80'
	list dns '84.200.70.40'
	option device 'eth0.10'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2001:1608:10:25::1c04:b12f'
	list dns '2001:1608:10:25::9249:d69b'
	option device 'eth0.10'

config interface 'vpnclient'
	option proto 'none'
	option device 'tun1'

config interface 'vpnserver'
	option proto 'none'
	option device 'tun0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.20'

config interface 'ziggo_lan'
	option proto 'static'
	option ipaddr '192.168.180.1'
	option netmask '255.255.255.0'
	option device 'eth0.30'


cat /etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.194'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'router.lan'
	option ip '192.168.1.1'

config host
	option name 'raspberrypi'
	option ip '192.168.1.172'
	option mac 'XXXXXX'



config dhcp 'ziggo_lan'
	option interface 'ziggo_lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '684.200.69.80,84.200.70.40'
	list ra_flags 'none'


cat /etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	list network 'lan'
	list network 'vpnserver'

config zone
	option name 'ziggo_lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'ziggo_lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WANTETH'
	list network 'TETHERINGWAN'

config zone
	option name 'vpnclient'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'tun1'
	list network 'vpnclient'
	option input 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'http'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.194'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name 'NAS https'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.194'
	option dest_port '443'

config forwarding
	option src 'lan'
	option dest 'vpnclient'

config nat
	option name 'Prevents hardcoded DNS clients error'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.1.194'
	option dest_port '53'
	option target 'MASQUERADE'

config redirect
	option target 'DNAT'
	option name 'Mailserver '
	option src 'wan'
	option src_dport '25'
	option dest 'lan'
	option dest_ip '192.168.1.194'
	option dest_port '25'

config redirect
	option target 'DNAT'
	option name 'Mailserver'
	option src 'wan'
	option src_dport '465'
	option dest 'lan'
	option dest_ip '192.168.1.194'
	option dest_port '465'

config redirect
	option target 'DNAT'
	option name 'Mailserver'
	option src 'wan'
	option src_dport '587'
	option dest 'lan'
	option dest_ip '192.168.1.194'
	option dest_port '587'

config redirect
	option target 'DNAT'
	option name 'Mailserver'
	option src 'wan'
	option src_dport '995'
	option dest 'lan'
	option dest_ip '192.168.1.194'
	option dest_port '995'

config redirect
	option target 'DNAT'
	option name 'Mailserver'
	option src 'wan'
	option src_dport '993'
	option dest 'lan'
	option dest_ip '192.168.1.194'
	option dest_port '993'

config redirect
	option target 'DNAT'
	option name 'ssl nas '
	option src 'wan'
	option src_dport '5051'
	option dest 'lan'
	option dest_ip '192.168.1.194'
	option dest_port '5051'

config redirect
	option target 'DNAT'
	option name 'Redirect dns through pi-hole'
	option src 'lan'
	option src_ip '192.168.1.194'
	option src_dport '53'
	option dest 'lan'
	option dest_port '53'
	option dest_ip '192.168.1.194'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'ziggo_lan'
	option dest 'wan'

config rule
	option name 'dhcp vlan ziggo'
	option src 'ziggo_lan'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'


Oh my g.. I made a typo ;-( It works for IPv4 now :wink:

`list dhcp_option '684.200.69.80,84.200.70.40'`

instead of

`list dhcp_option '6,84.200.69.80,84.200.70.40'`
