Conceptually, how do I configure multiple VLANs so that each VLAN can use its own default gateway on DSA (v23.05)?
I know how to do it with namespaces or policy routing with separate routing tables on 'standard' Linux distros, but how is it supposed to be done on OpenWrt?
Right now, I only get one default gateway:
```
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.8.254   0.0.0.0         UG        0 0          0 eth0.8
192.168.8.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0.8
192.168.9.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
```
Thanks for the links, but I’m not really looking for example solutions. Like I mentioned, I already know how to do policy-based routing with separate tables and also how load balancing works.
My question is more about the concept: Is the same approach used on OpenWRT as in 'vanilla' Linux, like separating VLANs using specific hacks like namespaces or policy-based routing to get separate gateways per VLAN? Or is there another way (i.e. OpenWRT best practice) to solve it that, for example, works with LuCI?
I did. In fact, my post actually responded to that reply.
There's nothing needed to add multiple gateways. You'll need to obviously configure traffic to properly route, of course - hence my remarking:
I wouldn't call that a hack - I'd call it routing. But it's not necessary to actually create them. I'm not sure why you feel namespaces have to be created, etc. This isn't necessary in "vanilla Linux" either (i.e. the spaces).
So the same approach isn't used as with "vanilla Linux" to my understanding, because they generally still function as a PC or Server (usually with IP Forwarding disabled). You also asked can it be solved with LuCI - of course the web GUI can be used to configure the router.
If your answer hasn't already been covered by others, perhaps more clarification would be helpful.
I might not have explained it clearly or maybe the technical terms caused some confusion, but you can't solve the issue of having multiple default gateways (0.0.0.0/0) for different VLAN subnets with regular routing. The only way to handle multiple default gateways is by using namespaces or separate routing tables with their own default gateways including routing rules triggered by the source interface or address, at least when you're working with standard Linux netfilter.
For future reference, the OpenWRT method for adding multiple default gateways involves using the config route and config rule options in /etc/config/network. This creates a separate routing table for a particular interface with its own isolated default gateway. It's worth mentioning that this doesn't require any additional packages.
An example using the interface vlan8_interface (VLAN 8) is shown below, as well as a configuration using LuCI:
Both methods result in the following routing rules:
```
# ip rule show
0: from all lookup local
10000: from 192.168.8.232 lookup vlan8_table
20000: from all to 192.168.8.232/24 lookup vlan8_table
30000: from all iif eth0.8_device lookup vlan8_table
32766: from all lookup main
32767: from all lookup default
90039: from all iif lo lookup vlan8_table
```
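A sketch of the `config route` / `config rule` approach described in the post above, as an added example that is not the poster's own configuration. It reuses `vlan8_interface`, `vlan8_table`, the address 192.168.8.232 and the gateway 192.168.8.254 from the thread's output; the table number 108 and the exact set of rules are assumptions made for illustration.

```uci
# /etc/iproute2/rt_tables: one extra line so the table name resolves.
# The number 108 is an arbitrary choice for this example.
#   108 vlan8_table

# /etc/config/network (fragment)

# Default route that exists only in vlan8_table, so it never competes
# with the default route in the main table.
config route
	option interface 'vlan8_interface'
	option target '0.0.0.0/0'
	option gateway '192.168.8.254'
	option table 'vlan8_table'

# On-link route for the VLAN 8 subnet in the same table, so lookups in
# vlan8_table reach local VLAN 8 hosts directly instead of via the gateway.
config route
	option interface 'vlan8_interface'
	option target '192.168.8.0/24'
	option table 'vlan8_table'

# Traffic sourced from the router's own VLAN 8 address uses vlan8_table.
config rule
	option src '192.168.8.232/32'
	option lookup 'vlan8_table'
	option priority '10000'

# Traffic arriving on the VLAN 8 interface uses vlan8_table.
config rule
	option in 'vlan8_interface'
	option lookup 'vlan8_table'
	option priority '30000'
```

After reloading the network configuration, `ip rule show` and `ip route show table vlan8_table` confirm that the rules and both routes were installed. A lookup that finds no matching route in `vlan8_table` continues to the next rule and can end up in `main`, so check that the default route is actually present in the table.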
Btw, you can add multiple gateways, they don't have to be on a separate table (e.g. metrics). You appear to want different networks (i.e., VLAN 8) to have different gateways.
Glad you got it!
(For some reason your first post asked, but I thought you knew how to route pre-DSA - which is the same. My bad.)
No, I was seeking the OpenWRT standard method for sorting out different default gateways for different interfaces. It doesn't matter what kind of interface you are dealing with; it's the same for VLAN, VPN, Ethernet, or any other interface.
Yes, but once again, the method of configuring routing tables and rules in OpenWRT is the same regardless of whether you're dealing with VLANs, VPNs, or Ethernet interfaces. The core principle and the need to use custom routing tables and rules still apply.
Yes, they do! Metrics can help prioritize routes but don't resolve the need for distinct default gateways per interface. For that, you really must use either namespaces or custom routing tables along with routing rules.
Yep, that remains the same post DSA, same as before. There's no difference. Glad you figured it out.
(As noted, I thought you were asking was there a difference post-DSA, not how to route 2 different networks via separate gateways in general. Thanks for the clarification.)
This is largely the correct solution - and threads like this have arisen before.
mwan3 and pbr are like sledgehammers to crack a nut, and good tools in themselves. But they are not the right tools for a simple, albeit uncommon, static routing scenario like this.
Just curious, why is it uncommon to use separate default gateways per VLAN, like for a guest Wi-Fi VLAN on an AP, to get full [semi*] Layer 3 separation from your home network?
Is there a simpler way to handle this in OpenWRT without requiring a separate routing table and rules?
[*] EDIT:
To achieve true Layer 3 separation you'll need VRF but unfortunately it's not enabled by default in the standard OpenWRT distribution.
I don't have all the answers why but were it more common there would be either more threads or a helpful article in the wiki, perhaps even a different interface for this. ( I tried adding one but it seems I cannot add a new page, only edit existing ). But since doing so requires important variables which a not insignificant number of end-users are not familiar with regarding routing and networking, it's not common...
Perhaps @vgaetera has an idea how to add a new wiki stub to cover this scenario?