Can't make VLANs to work, only DHCP is working

Hey there.
At first I wanted to make a statement that I am no expert, but I try to learn. I still prefer Luci GUI to console commands, so all my current config info is taken from there.
I've tried reading other topics with VLAN issues, but none seems to match my use case; most of them are about tagged VLANs, which I think I don't need right now (I still don't fully get the idea of tagged/untagged, but from what I understand, tagged ports are only needed when connecting another router to the Ethernet port, not a single computer, which is my case).

Device: Netgear r6220 - MediaTek MT7621 ver:1 eco:3
OpenWrt 19.07.2 r10947-65030d81f3 / LuCI openwrt-19.07 branch git-20.057.55219-13dd17f

My current configuration (interfaces):

  • lan on 192.168.32.* - main network with WIFI access, everything close to defaults
  • guest on 192.168.200.* - guest network with separate WIFI, without access to other clients
  • iot on 192.168.100.* - untrusted devices with one more WIFI network, without access to internet and other clients. Only one device (a server) can have access to devices from this network

And this is working just great.

Now I wanted to have the same behavior as the iot interface but on a wired connection. I connected another computer via the LAN 3 port and went to Network -> Switch, added a VLAN, set CPU to tagged, LAN 3 to untagged, and in VLAN 1 I set LAN 3 to off.
It looks like this: https://i.imgur.com/6nue6Mr.png

Then I went to interfaces, created "iotwired" interface, with Static Address of 192.168.101.1, without "bridge", of course I've selected VLAN eth0.3. Interface got DHCP server and new firewall zone "wirediot". Everything else was left default.

In the Firewall section, in zones, I set reject/accept/reject, just like I have in my iot zone. No "allow forward from/to zones" selected.

In Traffic Rules, I allow wirediot to access Device on ports 67-68 (to allow DHCP to work), and I allow the server on lan to forward on all protocols to wirediot.

But I can't ping or access services on devices connected to the LAN 3 port (I've tried 3 devices). I've tried loosening the rules here and there and finally trying random switches and options, but nothing helped.

Am I missing something?
Is it a bug?
Or maybe my router is bad (I have other problems with it: randomly, about once every 3 days or once a month, it runs out of memory and stops working until a manual reboot) and won't work with VLANs?

What network are the devices located on?

As expected if I connect anything to LAN 3 port then device gets 192.168.101.x address.

If I disable the firewall rule to allow DHCP traffic the device "correctly" cannot get an IP address.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Hello again. Yesterday I finally had the time to mess around with that again. I got a new router and bumped into the same issue.

But I've found the solution before getting the logs and asking for help again so I'm leaving this here for people that may look for that in the future or something.

> Then I went to interfaces, created "iotwired" interface, with Static Address of 192.168.101.1, without "bridge", of course I've selected VLAN eth0.3. Interface got DHCP server and new firewall zone "wirediot". Everything else was left default.

Not creating a bridge here was a mistake. I selected to create a bridge, left only eth0.3 selected, and it all works now.
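The working setup from this thread as it would appear in the UCI config files (an added example, not the poster's own config): switch VLAN 3 with LAN 3 untagged and the CPU tagged, the iotwired interface bridged over eth0.3 as in the fix above, and the wirediot zone and rules from the first post. The switch port numbers, the netmask, the DHCP range and the server's LAN address are assumptions; check the LuCI Switch page for this router's actual port numbering.

```uci
# /etc/config/network (fragment)
# Assumed: LuCI's "LAN 3" is switch port 1 and the CPU is port 6; verify on the Switch page.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 2 3 6t'        # LAN 3 removed from VLAN 1 (set to "off")

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '1 6t'            # LAN 3 untagged, CPU tagged -> eth0.3

config interface 'iotwired'
	option type 'bridge'           # the fix: bridge over eth0.3, not the bare VLAN interface
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0' # assumed /24, matching the 192.168.101.x leases seen

# /etc/config/dhcp (fragment)
config dhcp 'iotwired'
	option interface 'iotwired'
	option start '100'             # assumed range
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall (fragment): reject/accept/reject like the iot zone, no forwardings
config zone
	option name 'wirediot'
	option network 'iotwired'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-wirediot'  # clients on LAN 3 may reach the router's DHCP server
	option src 'wirediot'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-server-to-wirediot'
	option src 'lan'
	option src_ip '192.168.32.10'  # placeholder: the server's LAN address is not given in the thread
	option dest 'wirediot'
	option proto 'all'
	option target 'ACCEPT'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, `ip -4 addr` should list br-iotwired with 192.168.101.1, and `swconfig dev switch0 vlan 3 show` should list only the LAN 3 port untagged plus the CPU port tagged.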
