Configuration on OpenWrt to allow a wired device access to both the "LAN" and "Guest" zone?

My OpenWrt router is set up with two zones, a "Guest" and a "LAN."
LAN range is 10.9.8.*
Guest range is 172.17.1.*

How would I go about running a Linux container that can only access the "Guest" zone on a server connected via a hard wire to the "LAN" zone?

The container would use a bridge interface managed by lxc-net running on the server.
Physical server IP:
Linux container IP range: 10.0.3.x (managed by lxc-net).

I am not sure I fully understand your question.
Which device will initiate the connection? From which zone? To which zone? To which target device?

If you have enabled forwarding from source to destination zone, then you don't need to do anything else.
If you have not, and you don't want to allow everything, then you need to add a rule to allow the desired traffic.

  • Change the hard wire to VLAN trunk line by tagging the port in the OpenWrt - you're responsible for configuring the trunk on the server-end, too; the trunk will carry the LAN and GUEST VLANs
  • Run a second hard wire for Guest
  • Connect the VM via wireless to the Guest AP
  • Static route another subnet in the LAN zone; firewall it - only allowing access to Guest (this is quite complex and requires installing more packages)

Is this a trick question; or did you need to provide more details?

Not a trick question... probably me ineffectively describing what I want to do. Firstly, no wireless connections are involved. Only 2 physical machines are involved: 1. the OWRT R7800 and 2. a Raspberry Pi running Linux (I will call it the "server"). The server is currently connected via a physical cable and gets an IP address on the LAN zone via its eth0 interface.

Here's where it gets complicated (to me at least)... on the server, lxc-net does a few things:

  • creates a bridge interface lxcbr0
  • uses dnsmasq to assign an IP in the 10.0.3.x range to a veth device that lxc creates.

My question is how can I make it so that this veth device only connects to the Guest zone, not the LAN zone? Would this involve using a 2nd physical cable and tagging as you described?

I'm not familiar with the particular VM system you're using, but to be clear, I'm suggesting that you do one or the other - not both.

I use VirtualBox; and I use one wire and tags to carry multiple VLANs (approximately 10) to my VM host. I enumerate the VLANs on the host, and they appear as network options to select in VirtualBox.

I already listed options in my post above. Additionally, another option is to lay the Guest tags inside the untagged LAN port; but I've never configured such a thing in OpenWrt


I don't see how this is an OpenWrt problem. Looks to me more like a VM issue.

(A typical lxc setup will NAT the lxc-br <> lan-ip via iptables, nothing too special about it.)

  • you can enslave a gre-tap in lxcbr0 + guest-br on the router...
  • Like trendy says, you're better off trunking to multiple .x interfaces on the Pi... then you just have to change which it's NATed to... (or similar)

similar situation to the "distributing vlan to remote ap"...

Thanks for the helpful suggestions, all. For the record, here is a post detailing how to tag one of the ports on the router to only use the guest zone.

1st post doing this.
2nd post doing this.
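The single-cable VLAN trunk option suggested above (tag the Pi's port with the Guest VLAN on the router, enumerate the VLAN on the Pi, and give the container a veth on that VLAN instead of on lxcbr0), as an added worked example that is not from any post in this thread and not the OP's final configuration. It assumes, since the thread does not say, a guest VLAN id of 3, an swconfig-style (pre-DSA) switch named switch0 with the Pi on LAN port 4 and the LAN CPU port 6 (eth1), a pre-existing OpenWrt interface named `guest`, and a Pi bridge named br-guest; adjust to your actual port numbers and interface names.

```shell
#!/bin/sh
# Added example, not from the thread. Carry the OpenWrt "Guest" zone as a
# tagged VLAN over the existing LAN cable and attach an LXC container to that
# VLAN only. lxcbr0 (10.0.3.x, NATed to the LAN address) is left untouched.
# ASSUMED values (the thread gives none): guest VLAN 3, switch0, Pi on port 4,
# CPU port 6 = eth1, OpenWrt interface "guest", Pi bridge "br-guest".

GUEST_VID="${GUEST_VID:-3}"
PI_PORT="${PI_PORT:-4}"
CPU_PORT="${CPU_PORT:-6}"

# 802.1Q VLAN ids are 1..4094; refuse anything else before it reaches uci.
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Router side: print the UCI commands that add the guest VLAN to the switch,
# tag it on the Pi's port, and bind the "guest" interface to eth1.<vid>.
# The LAN VLAN keeps the port untagged, so the Pi's eth0 stays on the LAN.
# Printed rather than executed: review, then run on the router (uci is not
# available anywhere else).
openwrt_guest_vlan_cmds() {
    vid="$1"; port="$2"; cpu="$3"
    valid_vid "$vid" || return 1
    cat <<EOF
uci set network.guest_vlan=switch_vlan
uci set network.guest_vlan.device='switch0'
uci set network.guest_vlan.vlan='${vid}'
uci set network.guest_vlan.ports='${port}t ${cpu}t'
uci set network.guest.ifname='eth1.${vid}'
uci commit network
/etc/init.d/network restart
EOF
}

# Pi side: create eth0.<vid>, enslave it in a dedicated bridge, bring both up.
# Deliberately no IP address on br-guest or eth0.<vid>: the Pi itself stays
# a LAN-only host, and only containers bridged here see the guest VLAN.
pi_guest_bridge_up() {
    vid="$1"; trunk="${2:-eth0}"; br="${3:-br-guest}"
    valid_vid "$vid" || return 1
    modprobe 8021q
    ip link add link "$trunk" name "${trunk}.${vid}" type vlan id "$vid"
    ip link add name "$br" type bridge
    ip link set "${trunk}.${vid}" master "$br"
    ip link set "${trunk}.${vid}" up
    ip link set "$br" up
}

# Per-container LXC network stanza (LXC 3.x key names) that points the veth
# at br-guest instead of lxcbr0. Replace any existing lxc.net.0.* lines in
# /var/lib/lxc/<name>/config with this output; the container then gets a
# 172.17.1.x lease from the router's guest DHCP, not a 10.0.3.x one from
# lxc-net's dnsmasq.
lxc_guest_net_config() {
    br="${1:-br-guest}"
    cat <<EOF
lxc.net.0.type = veth
lxc.net.0.link = ${br}
lxc.net.0.flags = up
EOF
}

# Usage (nothing below runs automatically):
#   openwrt_guest_vlan_cmds "$GUEST_VID" "$PI_PORT" "$CPU_PORT"   # paste on router
#   sudo sh -c ". ./guest-vlan.sh; pi_guest_bridge_up $GUEST_VID eth0 br-guest"
#   lxc_guest_net_config br-guest >> /var/lib/lxc/<name>/config
```

Two checks worth doing once it is up: `ip -d link show eth0.3` on the Pi should report `vlan protocol 802.1Q id 3`, and from inside the container `ip route` should show a 172.17.1.x default gateway while 10.9.8.x hosts stay unreachable (that isolation comes from the router's guest-to-lan forwarding being off, not from anything on the Pi). Caveats: some switch chips refuse a port that is untagged in one VLAN and tagged in another; if the restart leaves the port dead, tag the LAN VLAN on that port too and move the Pi's LAN address to eth0.1. On OpenWrt releases that have moved the R7800 to DSA, the `switch_vlan` section and `ifname` option are replaced by `bridge-vlan` and `device` settings, so the printed commands are for swconfig builds only.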