Configure four networks on four physical ports

Hi folks - a new OpenWRT user here. Working through the documentation and trying to understand the configuration paradigm.

I have an ASUS RT-N66U flashed with 24.10. I DO NOT intend to use the WiFi for obvious reasons. I believe that this router does not have support for DSA and requires "swconfig." To be honest, I'm not 100% sure what the swconfig part means.

I am trying to configure this router with an inbound internet connection on the WAN port and then each of the four physical ports being the internet feed to separate networks. DHCP servers should be associated with each port. Therefore, four separate DHCP server configs.

As I am understanding the general config process, network interfaces must first be defined with an assigned IP, network, and subnet mask. These parameters are then used to inform the range of the DHCP servers. ifname sets the association with the physical port. Please correct me if any of these assertions are incorrect.

Below is a script I've been trying to use to configure the system, but with no success. The usual result after a restart is that I can't get a dhcp lease from any of the ports. The script is posted below for reference. It's a combination of ChatGPT, reading the doco, and trial and error. Firewall rules have been left out to simplify things.

Questions are:

  • For this configuration, are VLANs required? The outputs will be connected to a switch for VLANs
  • How do I find the correct naming for the physical interfaces? The ubus command does not show me what I would expect.
  • I'm assuming the switch config is required to associate with each interface. Is this correct? And, is enabling VLAN required?
  • Lastly, any thoughts on why it doesn't work?

Appreciate any assistance!

#!/bin/sh

# === NETWORK CONFIGURATION ===
# Remove default LAN/WAN
uci delete network.lan
uci delete network.wan
uci delete network.wan6

# VLAN setup via swconfig (old model)
uci set network.switch0=switch
uci set network.switch0.name='switch0'
uci set network.switch0.reset='1'
uci set network.switch0.enable_vlan='1'

# VLAN 10: Suite (port 1)
uci set network.vlan10=switch_vlan
uci set network.vlan10.device='switch0'
uci set network.vlan10.vlan='10'
uci set network.vlan10.ports='0t 1'

uci set network.suite=interface
uci set network.suite.proto='static'
uci set network.suite.ipaddr='192.168.10.1'
uci set network.suite.netmask='255.255.255.0'
uci set network.suite.ifname='eth0.10'

# VLAN 20: IoT (port 2)
uci set network.vlan20=switch_vlan
uci set network.vlan20.device='switch0'
uci set network.vlan20.vlan='20'
uci set network.vlan20.ports='0t 2'

uci set network.iot=interface
uci set network.iot.proto='static'
uci set network.iot.ipaddr='192.168.20.1'
uci set network.iot.netmask='255.255.255.0'
uci set network.iot.ifname='eth0.20'

# VLAN 30: Internal (port 3)
uci set network.vlan30=switch_vlan
uci set network.vlan30.device='switch0'
uci set network.vlan30.vlan='30'
uci set network.vlan30.ports='0t 3'

uci set network.internal=interface
uci set network.internal.proto='static'
uci set network.internal.ipaddr='192.168.30.1'
uci set network.internal.netmask='255.255.255.0'
uci set network.internal.ifname='eth0.30'

# VLAN 1: Monitor (port 4)
uci set network.vlan1=switch_vlan
uci set network.vlan1.device='switch0'
uci set network.vlan1.vlan='1'
uci set network.vlan1.ports='0t 4'

uci set network.monitor=interface
uci set network.monitor.proto='static'
uci set network.monitor.ipaddr='192.168.1.1'
uci set network.monitor.netmask='255.255.255.0'
uci set network.monitor.ifname='eth0.1'

# WAN port
uci set network.wan=interface
uci set network.wan.proto='dhcp'
uci set network.wan.ifname='eth0.2'

# === DHCP CONFIG ===
for net in suite iot internal monitor; do
  uci set dhcp.${net}=dhcp
  uci set dhcp.${net}.interface="${net}"
  uci set dhcp.${net}.start='100'
  uci set dhcp.${net}.limit='150'
  uci set dhcp.${net}.leasetime='12h'
  uci set dhcp.${net}.dhcp4="server"
  uci set dhcp.${net}.dhcp6="server"
done


# === APPLY CHANGES ===
uci commit network
uci commit dhcp
/etc/init.d/network restart
/etc/init.d/dnsmasq restart

Run ip link.
A device like lan1@eth0 means DSA.

Bridges with IP addresses in general; then wifis, ethernets, and VLANs can be connected to those.

2 Likes

I have the following:

  • 1: lo: loopback
  • 2: eth0
  • 4: br-lan
  • 5: eth0.1@eth0
  • 6: eth0.2@eth0

So we do have DSA support on this router?

Let's see the complete config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I think I might have got it working on a base level. Here are the file dumps requested. Wireless is disabled.

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "Broadcom BCM5300",
	"model": "Asus RT-N66U",
	"board_name": "0xF5B2:e0:3f:49:f6:5b:20",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "bcm47xx/mips74k",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd06:6cdf:ba2c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 8t'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.2'

config interface 'suite'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.10'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.20'

config interface 'internal'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.30'

config interface 'monitor'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.40'

config switch 'switch0'
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan 'switch0_vlan1'
	option device 'switch0'
	option vlan '10'
	option ports '1 8t'

config switch_vlan 'switch0_vlan2'
	option device 'switch0'
	option vlan '20'
	option ports '2 8t'

config switch_vlan 'switch0_vlan3'
	option device 'switch0'
	option vlan '30'
	option ports '3 8t'

config switch_vlan 'switch0_vlan4'
	option device 'switch0'
	option vlan '40'
	option ports '4 8t'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'suite'
	option interface 'suite'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'internal'
	option interface 'internal'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'monitor'
	option interface 'monitor'
	option start '100'
	option limit '150'
	option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'suite'
	option network 'suite'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'iot'
	option network 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'internal'
	option network 'internal'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'monitor'
	option network 'monitor'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'suite'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'internal'
	option dest 'wan'

config forwarding
	option src 'monitor'
	option dest 'wan'

Generally looks good. However, you need to remove this (or remove ports 1-4) so that it doesn't conflict with the other VLANs:

If you do delete the above (it is unused), you also need to delete this:

Otherwise, this should work as you desire.

Thanks for the input. Appreciate it!