Hi, I’d like to set up my Gl-inet Beryl (gl-mt1300) so that the two LAN ethernet ports cannot directly communicate without going through the router first (i.e. I want to apply some firewall rules). I have gotten this to work in a Linksys MR8300 (using swconfig) but can’t achieve the same thing for this Gl-inet Beryl (which uses DSA).
I trust the hosts being plugged into the LAN ports, so I’m not worried about MAC spoofing.
I know the best way to achieve this is through VLANs. I know I could bypass VLANs and just have dnsmasq give out addresses for each host on a different subnet. The hosts would then reach out to the gateway (the router) to send a packet to another LAN host. I’ve also heard that having separate subnets on a single layer 2 link (e.g. the two switch ports on my router) can have unintended consequences.
As I said, I’ve achieved this on my Linksys MR8300 (which uses swconfig) by assigning each port to a separate VLAN (untagged) and ensuring the CPU port (port 0) is tagged:
```
config 'device'
    option 'name' 'br-lan'
    option 'type' 'bridge'
    list 'ports' 'eth0.11'
    list 'ports' 'eth0.12'
    list 'ports' 'eth0.13'
    list 'ports' 'eth0.14'

config 'interface' 'lan'
    option 'device' 'br-lan'
    option 'proto' 'static'
    option 'ipaddr' '192.168.68.1'
    option 'netmask' '255.255.255.0'

config 'switch'
    option 'name' 'switch0'
    option 'reset' '1'
    option 'enable_vlan' '1'

config 'switch_vlan'
    option 'device' 'switch0'
    option 'vlan' '11'
    option 'vid' '11'
    option 'ports' '0t 1'

config 'switch_vlan'
    option 'device' 'switch0'
    option 'vlan' '12'
    option 'vid' '12'
    option 'ports' '0t 2'

config 'switch_vlan'
    option 'device' 'switch0'
    option 'vlan' '13'
    option 'vid' '13'
    option 'ports' '0t 3'

config 'switch_vlan'
    option 'device' 'switch0'
    option 'vlan' '14'
    option 'vid' '14'
    option 'ports' '0t 4'
```
I also had to install the kmod-br-netfilter package to ensure the firewall could filter traffic between the LAN ports.
The Linksys is too big for what I need, and I thought the Beryl would work fine, but I can’t even get basic VLANing set up.
As a test, I flashed OpenWrt 22.03.0 r19685-512e76967f onto the Beryl. I connected my laptop to one of the LAN ports and (as a sanity check) set a static IP for my laptop’s Ethernet device to 192.168.1.2/24 (just in case some of the VLANing stuff I was doing would temporarily cause issues with dnsmasq).
Here’s what I’ve tried:
- Do a full reset of the Beryl back to stock OpenWrt settings.
- As a sanity check, I went to Network -> Interfaces -> Devices -> br-lan Configure -> Removed “lan2” from the Bridge Ports (I verified from the UI that my laptop was connected to lan1).
- In the Bridge VLAN filtering tab, I enabled “Enable VLAN filtering”, added a row, set VLAN ID to “1”, Local checked, and set lan1 to “Egress untagged / primary VLAN ID” (u*).
- Hit “Save”, started up a terminal with “ping 192.168.1.1”, then Save and Apply. The pings work until Save and Apply, then stop working with “ping: sendto: No route to host” (remember, I still have a static IP of 192.168.1.2/24 for my laptop).
- Eventually the LuCI interface will revert the changes and my pings return. I hit “dismiss” to keep my unsaved changes.
- I go back to Network -> Interfaces -> Devices -> br-lan Configure, and change the Bridge Ports from “lan1” to “Software VLAN: ‘br-lan.1’” (removing lan1). Again, Save and then Save and Apply. Pings stop working. Wait for LuCI to revert.
I feel like I’ve tried every other combination and I can’t even get pings to the router to work:
- Set the lan1 port to just “Egress untagged” (u)
- Set the lan1 port to “Egress tagged / primary” (t*)
- Set the lan1 port to “Egress tagged” (t)
- Set the br-lan bridge ports to “br-lan.1, lan1”
- Set the VLAN id to “3” and just have br-lan use the br-lan.3 as its bridge port
I feel like where I ended up at the last numbered step above is functionally identical to how the Linksys was configured (port is on a VLAN, bridge is set to bridge that VLAN port).
Any idea what I’m doing wrong? Thanks!
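Added example (not from the original post): the DSA equivalent of the swconfig layout above for OpenWrt 22.03, assuming the Beryl's LAN ports are named lan1 and lan2 and that the stock 'wan' firewall zone exists; the 192.168.2.0/24 subnet is a constructed value. The physical ports stay as members of br-lan, the bridge-vlan sections split them, and each interface attaches to a br-lan.N sub-device rather than replacing lan1 in the bridge.

```uci
# /etc/config/network (relevant sections only)
config device
    option name 'br-lan'
    option type 'bridge'
    # Physical ports stay bridge members; DSA tags the CPU port itself.
    list ports 'lan1'
    list ports 'lan2'

config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'   # untagged, PVID 1, on lan1 only

config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan2:u*'   # untagged, PVID 2, on lan2 only

config interface 'lan'
    option device 'br-lan.1'   # attach to the VLAN sub-device, not to lan1
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'lan2'
    option device 'br-lan.2'
    option proto 'static'
    option ipaddr '192.168.2.1'   # constructed second subnet
    option netmask '255.255.255.0'

# /etc/config/firewall (relevant sections only)
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan2'
    list network 'lan2'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan2'
    option dest 'wan'
```

With the ports in different bridge VLANs, traffic between them is routed via br-lan.1 and br-lan.2 and passes the firewall's forward chain, so kmod-br-netfilter is not needed for this layout. Nothing flows between lan and lan2 until a forwarding section or a rule explicitly allows it.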