While reading on this fantastic forum, I managed to build a config so it is possible to:
connect devices on a LAN network
connect STB through VLAN20
Nothing special, though I'm using following setup:
Not an expert on networking (but learning and working my way into this knowledge), I'm just wondering if this configuration is giving me security issues or maybe other problems that I'm totally not aware of.
Regarding the config of the ASUS router some screenshots on how this config is fully operational at this moment:
In theory, there should be no issue. And actually the firewall rule should be entirely unnecessary.
But let’s see your config in text form and we can verify the setup.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Set the TV network interface to protocol Unmanaged (proto none in the config file). There is no need for TV packets to touch the CPU at all. But you do need a dummy interface to properly instantiate the br-lan.20 DSA hardware bridge.
You have added the wan port to br-lan. This should only be done if your plan is to use the OpenWrt device as a managed switch (and/or dumb AP). If you plan to use the device as a router, the wan port should not be in the lan bridge.
It follows that if you are using this as a router, the wan should use the device wan, not br-lan. If you are not routing on the OpenWrt device, remove the device from the wan and wan6 interfaces/
All of the port assignments should be re-evaluated. It seems that you want ports 2 and 3 to be untagged in the lan, and then port 4 to be tagged on lan and vlan20 (TV). But currently port 3 is missing, and you have this wan port defined in the lan bridge (which it should not be, as described earlier)
This part is correct!
This is all unnecessary and should be removed (including the orphaned config rule statements in there).
Are you planning to use the OpenWrt router as a router, or is it a dumb ap/switch?
Actually in DSA that needs to be done in order to enable hardware switching(*) among all the ports. Different networks are then segregated using bridge-vlans. It is a good idea to rename the single master bridge to something other than br-lan, such as br-ethernet, to distinguish that it isn't only for LAN now.
At least it has been necessary. At some point DSA may get smart enough to handle multiple bridge definitions with hardware switching among them.
Not only won't hardware optimization work, software bridging also fails to work as expected.
Wouldn't this only be necessary if the wan port was to be switched? I believe that in the default configuration, the wan port is not included in br-lan and used directly on the wan.
Thanks for your feedback on the config files!
I'm working myself through the remarks and testing all corrections.
About my network and router:
The OpenWRT router needs to act as a wireless router with DHCP for the LAN connections to serve multiple NAS, camera's, media stations,... Static IP and port forwarding are to be configured after a stable setup of the router.
I will add a wifi guest zone (Access Point somewhere to be placed and connected) so connections to LAN devices from visitors are avoidable.
I also want a router as first device so I'm handling my network and not my ISP. The current setup is a temporary situation because we moved to this new place but not all necessary cabling was present to achieve a hardware separated network (LAN & STB).
So, because of the missing cabling, I need the STB connection to go 'through' the router over the same cable connections further down the LAN network. There is no option to place additional wiring here ... As @mk24 is mentioning: the OpenWRT router does not have to do anything with that traffic, just pass it to the STB. The STB is than handled by the ISP Modem Router. This is where VLANs kicked in.
Next challenge on STB level will be the STB inhome IP address, so internal connection is routed to the internal network and not to the ISP network. But as long as all primary STB functionality is assured, I'm OK with this config.
Because VLAN configs are quite new to me, I'm building up the config and started with the STB routing 'over' the router. All other options are yet to be explored.
I've noticed the DSA config is not that widely documented by examples. Making progress on how to work with this, though it is a headache generator;-)
Thank you for your time and expertise!!!
Coming back with new outputs from network and firewall configs.
You said your ISP device is a router... therefore, adding a second router will create a dobule-NAT situation. This is not ideal, but is manageable. Port forwarding needs to be done twice (ISP router > OpenWrt, OpenWrt > host with service(s)). Some devices (especially game consoles) don't like double NAT. You can avoid this if you can add static routes in your ISP modem (then you can disable NAT masquerading on the OpenWrt router).
Does your ISP device have a special port for the STB, or are all 4 ports effectively identical? If the latter there are two ways to handle this with just one cable... option 1 - keep the wan bridged on br-lan as you have it now, and simply set VLAN 20 on the wan port and port 4. Or, option 2: connect the GS308 between the ISP router and the OpenWrt router -- in fact, you can even make that a single port connection between the OpenWrt router and the managed switch.
I'm thinking of using DMZ in the ISP device to point to the OpenWRT router. Avoiding double port forwarding in this way The NAT problem should be manageable indeed. Until now (touching wood) never had any issue with double NAT.
All 4 ports are identical. It doesn't matter where you connect an STB. It is correctly served by the ISP router. At this moment I'm working on your option 1 proposal. Keeping in mind option 2.
Update: full network was working perfectly until today … the WiFi 2,4GHz decided to leave the building… I did a reset to OEM firmware and conclusion is that there is a hardware problem.
Looking at another router RT-AX53U to begin all over again starting on monday.
Installation is done! Fully functional and quite satisfied about internal network speed.
Also found out that the problem regarding 2,4GHz Wifi was caused by VLAN passing by PowerLine Wifi plug. So all traffic picked up by WiFi on the PWL WiFi plug was not 'routed' because this connection was trunked is my conclusion for now. Level of knowledge about VLAN trippled but far from complete
As promised, hereby Network and Firewall setting from the router. 1. NETWORK
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix '***********/48'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-eth.1'
config interface 'wan'
option proto 'dhcp'
option device 'br-eth.2'
config interface 'wan6'
option proto 'dhcpv6'
option device 'br-eth.2'
option reqaddress 'try'
option reqprefix 'auto'
config device
option type 'bridge'
option name 'br-eth'
option bridge_empty '1'
option acceptlocal '1'
list ports 'eth0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan'
list ports 'wlan0'
list ports 'wlan1'
config bridge-vlan
option device 'br-eth'
option vlan '1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4:t'
list ports 'wlan0'
list ports 'wlan1'
config bridge-vlan
option device 'br-eth'
option vlan '2'
list ports 'wan'
config bridge-vlan
option device 'br-eth'
option vlan '20'
list ports 'lan1'
list ports 'lan4:t'
config bridge-vlan
option device 'br-eth'
option vlan '50'
list ports 'lan4:t'
config device
option type '8021q'
option ifname 'br-eth'
option vid '1'
option name 'br-eth.1'
config device
option type '8021q'
option ifname 'br-eth'
option vid '2'
option name 'br-eth.2'
config device
option type '8021q'
option ifname 'br-eth'
option vid '20'
option name 'br-eth.20'
config device
option type '8021q'
option ifname 'br-eth'
option vid '50'
option name 'br-eth.50'
config interface 'TLN_TV'
option proto 'none'
option device 'br-eth.20'
config interface 'GuestZone'
option proto 'static'
option device 'br-eth.50'
2. FIREWALL
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'LAN'
config zone
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option name 'WAN'
config forwarding
option src 'LAN'
option dest 'WAN'
config rule
option name 'Allow-DHCP-Renew'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option src 'WAN'
config rule
option name 'Allow-Ping'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-IGMP'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-DHCPv6'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-MLD'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-ICMPv6-Input'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-ICMPv6-Forward'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-IPSec-ESP'
option proto 'esp'
option target 'ACCEPT'
option dest 'LAN'
option src 'WAN'
config rule
option name 'Allow-ISAKMP'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'LAN'
option src 'WAN'
config zone
option name 'TLN_TV'
option output 'ACCEPT'
option forward 'REJECT'
list network 'TLN_TV'
option input 'REJECT'
config zone
option name 'GuestZone'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GuestZone'
option input 'REJECT'
config redirect
option dest 'LAN'
option target 'DNAT'
option name '*************'
list proto 'tcp'
option src 'WAN'
option src_dport '***********'
option dest_ip '*************'
option dest_port '********'
option reflection '0'
config redirect
option dest 'LAN'
option target 'DNAT'
option name '************'
list proto 'tcp'
option src 'WAN'
option src_dport '*********'
option dest_ip '*************'
option dest_port '**********'
config redirect
option dest 'LAN'
option target 'DNAT'
list proto 'tcp'
option src 'WAN'
option src_dport '*********'
option dest_ip '**************'
option dest_port '*********'
option name '***********'
config redirect
option dest 'LAN'
option target 'DNAT'
option name '**********'
list proto 'tcp'
option src 'WAN'
option src_dport '**********'
option dest_ip '************'
option dest_port '******'
config redirect
option dest 'LAN'
option target 'DNAT'
option name '***********'
list proto 'tcp'
option src 'WAN'
option src_dport '********'
option dest_ip '*********'
option dest_port '*******'
Port forwarding is working and PowerlIne plugs are set in place between router and different places where I cannot place UTP.
The only thing to add is guest WiFi by a separate AP.
I'm not sure about the firewall rules, so if one could have a look at that.
Thanks to @psherman and @mk24 for all comment, tips and help!
The NAT problem should be manageable indeed. Until now (touching wood) never had any issue with double NAT.