Configuration check and little help with questions please

Greetings all,

For the past few days I have been attempting to divorce my network from the legacy network that I had been sharing, and to learn the intricacies of networking and configuring OpenWrt. With the help of members of this forum, I flatter myself that I am close.

Proposed network structure.

  1. Interfaces and devices
    lan is an interface to VLAN, device eth0.1, hosting servers.
    Lan_WS is an interface to VLAN, device eth0.2, hosting workstation.
    Lan_Legacy is an interface to VLAN, device eth0.1, to connect to the above-mentioned legacy network, namely a printer with a fixed address 192.168.0.XX.

  2. Firewalls

The workstations are to connect to (i) the internet via WAN, to (ii) lan and to (iii) Lan Legacy.
Re (i) the connection should be initiated by the workstation; no hosts from other VLANs should be able to reach, or be reached from, the Internet.
Re (ii) the connection can be initiated by both the workstations and the servers; neither the workstations nor the servers should be reachable by the legacy network.
Re (iii) only the workstations should be able to print.

  3. Configuration and configuration files

3.1 Network

# Network configuration (section 3.1 of the post). None of the access
# policy stated in section 2 (who may reach WAN, lan or Lan_Legacy) is
# expressed here: that lives in the firewall zones/forwardings, which this
# post does not show, so the policy cannot be verified from this listing.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfa:a9a4:3d11::/48'

# Upstream link: eth1 takes its address by DHCP.
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

# 'lan' (servers, per section 1 of the post) is a bridge whose only member
# is eth0.1, i.e. VLAN 1 on the switch.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # Only this interface is given an IPv6 prefix; the eth0.x devices
        # below all carry ipv6 '0'.
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1. NOTE(review): described as 'Lan_WS', but eth0.1 (vid 1) is the
# member of br-lan, i.e. the 'lan'/servers interface; the descriptions of
# vid 1 and vid 2 look swapped relative to the interfaces that use them.
# 'description' is a label only, so this does not change traffic, but it
# makes the switch page misleading when checking isolation.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option description 'Lan_WS'
        # '0t 4': port 0 tagged (presumably the CPU port - confirm for this
        # hardware), port 4 untagged. Port 4 also carries VLAN 2 tagged
        # (see vid 2 below).
        option ports '0t 4'

config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'
        option ipv6 '0'

# VLAN 2, used by the 'Lan_WS' interface via eth0.2 (description says
# 'lan'; see the note on vid 1). It leaves the switch on port 4 tagged, so
# whatever is plugged into port 4 sees VLAN 1 untagged and VLAN 2 tagged at
# the same time; the server/workstation split on that port depends on the
# attached device handling tags correctly, not on the switch alone.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 4t'
        option vid '2'
        option description 'lan'

# VLAN 3, the legacy/printer segment, untagged on switch port 3. Question
# 4.3 talks about "LAN port 2"; switch port numbers and the labels printed
# on the case often differ - verify which physical socket is port 3.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option description 'Lan_Legacy'
        option ports '0t 3'

config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '3'
        option name 'eth0.3'
        option ipv6 '0'

# Workstations: 192.168.2.1/24 on VLAN 2.
config interface 'Lan_WS'
        option device 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'

# Legacy network: the router takes 192.168.0.5/24 on VLAN 3 (eth0.3).
# Section 1 of the post lists this interface on eth0.1; the config says
# eth0.3, so the prose appears to be a typo. 192.168.0.5 must not collide
# with an address already in use on the legacy side (the printer is
# 192.168.0.XX per section 1).
config interface 'Lan_Legacy'
        option proto 'static'
        option device 'eth0.3'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.5'

3.2 Firewalls

# NOTE(review): this listing, headed "3.2 Firewalls", is a verbatim repeat
# of the network configuration from 3.1, not a firewall configuration. It
# contains no zones, no forwardings and no rules, so nothing here enforces
# the policy of section 2 (workstations only to WAN, nothing reachable from
# the legacy segment, only workstations may print). The firewall config
# itself would need to be posted for that policy to be checked. The
# comments below describe what this network config does.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfa:a9a4:3d11::/48'

# Upstream link on eth1, addressed by DHCP.
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

# 'lan' is a bridge with eth0.1 (VLAN 1) as its only member.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # The only interface given an IPv6 prefix; eth0.x have ipv6 '0'.
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: port 0 tagged, port 4 untagged. The description 'Lan_WS' does not
# match the interface actually using eth0.1 ('lan' via br-lan); the labels
# on vid 1 and vid 2 appear swapped. Cosmetic, but misleading.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option description 'Lan_WS'
        option ports '0t 4'

config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'
        option ipv6 '0'

# VLAN 2 (used by 'Lan_WS' via eth0.2): port 0 tagged, port 4 tagged. Port 4
# therefore carries both VLAN 1 (untagged) and VLAN 2 (tagged); separation
# on that port relies on the attached device honouring the tags.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 4t'
        option vid '2'
        option description 'lan'

# VLAN 3 (legacy/printer): port 0 tagged, port 3 untagged.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option description 'Lan_Legacy'
        option ports '0t 3'

config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '3'
        option name 'eth0.3'
        option ipv6 '0'

# Workstations: 192.168.2.1/24 on VLAN 2.
config interface 'Lan_WS'
        option device 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'

# Legacy segment: the router sits at 192.168.0.5/24 on VLAN 3 (eth0.3, not
# eth0.1 as section 1 of the post says). This address must be free on the
# legacy side.
config interface 'Lan_Legacy'
        option proto 'static'
        option device 'eth0.3'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.5'
  4. Questions

4.1 I would like to rename lan to Lan_Servers so that the purpose of the VLAN is understood. It appears that there is no option other than deleting the interface and re-creating it. Is this correct?

4.2 I still have difficulty with the firewall settings. Is there a good description somewhere, preferably with examples? For example, eventually I would like connections between the servers and the workstations to be initiated only from the servers, e.g., for backups.

4.3 The connection to the legacy network was discussed with @psherman in this thread: Setting Static Adress at the Host - #9 by mefizto, but I think that I cannot just connect LAN port 2 to the network switch, since it would not understand the VLAN. I tried connecting it directly to a computer on the correct subnet and it did not work.

Kindest regards,

M

Greetings all,

please ignore; after some re-configuration it works - in a third-world sort of way. I am still not sure about the firewall settings, so I am re-reading the manual.

Kindest regards,

M
