Configuring multiple VLANs with different default gateways, v23.05 (DSA)

Conceptually, how do I configure multiple VLANs so that each VLAN can use its own default gateway on DSA (v23.05)?

I know how to do it with name spaces or policy routing with separate routing tables on 'standard' Linux distros, but how is it supposed to be done on OpenWrt?

Right now, I only get one default gateway:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.8.254   0.0.0.0         UG        0 0          0 eth0.8
192.168.8.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0.8
192.168.9.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan

https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3

or

https://openwrt.org/docs/guide-user/network/routing/pbr

Thanks for the links, but I’m not really looking for example solutions. Like I mentioned, I already know how to do policy-based routing with separate tables and also how load balancing works.

My question is more about the concept: Is the same approach used on OpenWRT as in 'vanilla' Linux, like separating VLANs using specific hacks like Name Spaces or Policy-Based Routing to get separate gateways per VLAN? Or is there another way (i.e. OpenWRT best practice) to solve it that, for example, works with Luci?

1 Like

I'm sorry I can't give you further support ...

you have to wait for someone more experienced than me to help you ...

1 Like

Routing/IP rules can be used in Luci to configure policy-based routing without installing other packages such as pbr or mwan3 anyway.

3 Likes

OpenWrt is a router (Linux with IP Forwarding enabled). So you can configure interfaces with gateways as you desire.

If you're asking how to configure the traffic, others have posted about PBR or IP Routes/Rules.

1 Like

@lleachii: Thanks for the heads up! But I’m wondering if you actually read my previous reply or if there’s any way I can make it even clearer?

@mikma, thanks mate!

I did. In fact, my post actually responded to that reply.

There's nothing needed to add multiple gateways. You'll need to obviously configure traffic to properly route, of course - hence my remarking:

I wouldn't call that a hack - I'd call it routing. But it's not necessary to actually create them. I'm not sure why you feel namespaces have to be created, etc. This isn't necessary in "vanilla Linux" either (i.e. the spaces).

So the same approach isn't used as with "vanilla Linux" to my understanding, because they generally still function as a PC or Server (usually with IP Forwarding disabled). You also asked can it be solved with LuCI - of course the web GUI can be used to configure the router.

If your answer hasn't already been covered by others, perhaps more clarification would be helpful.

I might not have explained it clearly or maybe the technical terms caused some confusion, but you can't solve the issue of having multiple default gateways (0.0.0.0/0) for different VLAN subnets with regular routing. The only way to handle multiple default gateways is by using namespaces or separate routing tables with their own default gateways including routing rules triggered by the source interface or address, at least when you're working with standard Linux netfilter.

Cheers!

For future reference, the OpenWRT method for adding multiple default gateways involves using the config route and config rule options in /etc/config/network. This creates a separate routing table for a particular interface with its own isolated default gateway. It's worth mentioning that this doesn't require any additional packages.

An example using the interface vlan8_interface (VLAN 8) is shown below, as well as a configuration using LuCI:

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '8'
	option name 'eth0.8_device'

config interface 'vlan8_interface'
	option proto 'static'
	option type 'bridge'
	option device 'eth0.8_device'
	option ipaddr '192.168.8.232'
	option netmask '255.255.255.0'
	option gateway '192.168.8.254'
	option ip4table 'vlan8_table'

config route
	option target '0.0.0.0/0'
	option table 'vlan8_table'
	option gateway '192.168.8.254'
	option interface 'vlan8_interface'

config rule
	option priority '30000'
	option in 'vlan8_interface'
	option lookup 'vlan8_table'

The same can also be accomplished using LuCI by configuring the following settings:

  1. Network > Interfaces > vlan8_interface > Advanced Settings > Override IPv4 routing table:

  2. Network > Routing > Static IPv4 Routes:

  3. Network > Routing > IPv4 Rules

Both methods result in the following routing rules:

# ip rule show
0:	from all lookup local 
10000:	from 192.168.8.232 lookup vlan8_table 
20000:	from all to 192.168.8.232/24 lookup vlan8_table 
30000:	from all iif eth0.8_device lookup vlan8_table 
32766:	from all lookup main 
32767:	from all lookup default 
90039:	from all iif lo lookup vlan8_table
3 Likes
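
A check for the configuration in the post above, as an added example that is not part of the original thread: it reads `ip rule show` output and confirms that the `iif` rule for a device is evaluated before the `main` table, so traffic entering that VLAN cannot fall through to the main default route. The function names `check_iif_rule` and `sample_rules` are made up for this example, and it assumes a POSIX shell with awk.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the per-interface rule
# is evaluated before the main table, using `ip rule show` output.

# check_iif_rule DEVICE TABLE   (reads `ip rule show` text on stdin)
# Prints the rule priority and returns 0 when a rule
#   "<prio>: from all iif DEVICE lookup TABLE"
# exists with a lower number (evaluated earlier) than the main-table rule.
# Prints "missing" (status 1) or "shadowed" (status 2) otherwise.
check_iif_rule() {
    awk -v dev="$1" -v tbl="$2" '
        {
            prio = $1; sub(/:$/, "", prio); prio += 0
            iif = ""; lookup = ""
            for (i = 2; i < NF; i++) {
                if ($i == "iif")    iif = $(i + 1)
                if ($i == "lookup") lookup = $(i + 1)
            }
            if (lookup == "main" && !seen_main) { main_prio = prio; seen_main = 1 }
            if (iif == dev && lookup == tbl && !found) { rule_prio = prio; found = 1 }
        }
        END {
            if (!found) { print "missing"; exit 1 }
            if (seen_main && rule_prio >= main_prio) { print "shadowed"; exit 2 }
            print rule_prio
        }
    '
}

# Sample input: the rule list shown in the post above.
sample_rules() {
    cat <<'EOF'
0:	from all lookup local
10000:	from 192.168.8.232 lookup vlan8_table
20000:	from all to 192.168.8.232/24 lookup vlan8_table
30000:	from all iif eth0.8_device lookup vlan8_table
32766:	from all lookup main
32767:	from all lookup default
90039:	from all iif lo lookup vlan8_table
EOF
}

# On the router itself: ip rule show | check_iif_rule eth0.8_device vlan8_table
sample_rules | check_iif_rule eth0.8_device vlan8_table
```
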

Oh, you were seeking routing examples. Cool.

Btw, you can add multiple gateways, they don't have to be on a separate table (e.g. metrics). You appear to want different networks (i.e., VLAN 8) to have different gateways.

Glad you got it!

(For some reason your first post asked, but I thought you knew how to route pre-DSA - which is the same. My bad.)

No, I was seeking the OpenWRT standard method for sorting out different default gateways for different interfaces. It doesn't matter what kind of interface you are dealing with; it's the same for VLAN, VPN, Ethernet, or any other interface.


Yes, but once again, the method of configuring routing tables and rules in OpenWRT is the same regardless of whether you're dealing with VLANs, VPNs, or Ethernet interfaces. The core principle and the need to use custom routing tables and rules still apply.


Yes, they do! Metrics can help prioritize routes but don't resolve the need for distinct default gateways per interface. For that, you really must use either namespaces or custom routing tables along with routing rules.

1 Like

Yep, that remains the same post DSA, same as before. There's no difference. Glad you figured it out.

(As noted, I thought you were asking was there a difference post-DSA, not how to route 2 different networks via separate gateways in general. Thanks for the clarification. )

1 Like

This is largely the correct solution - and threads like this have arisen before.

mwan3 and pbr are like sledgehammers to crack a nut, and good tools in themselves. But they are not the right tools for a simple static routing, albeit uncommon scenario like this.

Here's another older thread which achieves basically the same thing.

2 Likes

@systemcrash, Thanks for the link!

Just curious, why is it uncommon to use separate default gateways per VLAN, like for a guest Wi-Fi VLAN on an AP, to get full [semi*] Layer 3 separation from your home network?

Is there a simpler way to handle this in OpenWRT without requiring a separate routing table and rules?

[*] EDIT:
To achieve true Layer 3 separation you'll need VRF but unfortunately it's not enabled by default in the standard OpenWRT distribution.

I don't have all the answers why but were it more common there would be either more threads or a helpful article in the wiki, perhaps even a different interface for this. ( I tried adding one but it seems I cannot add a new page, only edit existing ). But since doing so requires important variables which a not insignificant number of end-users are not familiar with regarding routing and networking, it's not common...

Perhaps @vgaetera has an idea how to add a new wiki stub to cover this scenario?
