Configuring VLANs on Linksys EA8300 for isolating a server

rakka · February 3, 2022, 7:55pm

I own a Linksys EA8300 device, which has 5 physical ports, one of them labelled “Internet” on the device. Of course, it runs OpenWRT, to be exact: OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.295.67054-13df80d (as per LuCI). If I understand it correctly, the device has two physical NICs, one for the 4-port switch and one for the WAN (“Internet”) port, at least this is how I interpret the “Devices” page in LuCI, which lists both an eth0 and an eth1 interface. It labels eth0 an “Ethernet switch“ and eth1 an “Ethernet adapter”. The WAN port is connected to a Fritzbox currently (with the Linksys device in the DMZ), which I ultimately intend to replace with a DSL modem in bridge mode so that the Linksys device is the actual network termination point, but that’s for another day.

What I want to do now is as follows. I run a small personal server from home for things like websites. I would like to isolate this server into its own network segment and set up the firewall on the OpenWRT device so that the server can only talk to the Internet, but not to the rest of my home LAN. After quite a bit of reading I learned that I need to use VLANs to split up the ports on the Ethernet switch, so I went out and decided to dedicate the eth0 switch’s port 4 to the server network segment. Thus, I thought, I will need to put ports 1-3 into VLAN 1 and port 4 into VLAN 2. As the OpenWRT wiki recommends to always set the CPU port “tagged” (it wasn’t in the default configuration), I arrived at the following setup:

| VLAN ID | CPU(eth0) | LAN 1    | LAN2     | LAN3     | LAN4     |
|---------+-----------+----------+----------+----------+----------|
|       1 | tagged    | untagged | untagged | untagged | off      |
|       2 | tagged    | off      | off      | off      | untagged |

This creates new devices eth0.1 and eth0.2. That sounded natural, as I created two VLANs, so I suppose these devices map to the respective VLAN (right?). Consequently, one should not use eth0 directly anymore I suppose. So what I then do is to remove eth0 from the br-lan bridge (which is part of the “LAN” interface) and instead add eth0.1 into it, representing VLAN 1 which covers physical ports 1-3. For eth0.2 I create an entire new interface.

Applying this configuration kills my LAN connectivity. DHCP queries go out from my devices, but will not receive any response and I can only connect via wifi. When I look at the logs with logread, I see the following message printed each time a DHCP request comes in on the VLAN 1:

daemon.warn dnsmasq-dhcp[22537]: DHCP packet received on eth0 which has no address

I am severely confused. How can a packet come in on eth0 at all? My understanding of VLANs may be faulty (I never used them, and am a fairly new OpenWRT user) but I thought if I configure those as outlined above, packages should ever only come in on eth0.1 and eth0.2?

At this point, I’m clueless. There must be something wrong with my understanding of VLANs, at least I don’t get why packets arrive on eth0, which is not included in any interface in LuCI, as opposed to eth0.1 and eth0.2. Please, give me a pointer where the error is.

kind regards
rakka

flygarn12 · February 3, 2022, 8:27pm

This is the case in 21.02 with DSA, then the CPU Ethernet ports aren’t in the setup since you only can use one at this point in time and that port is always included and it is always tagged to the cpu anyway.

Are you sure you have gotten the logic for the switch mapping right, a switch is only a multiplexer.
You highly probably have one switch with total of 7 ports, eth0-eth6.
Eth0 and eth1 is connected to the cpu and eth2-eth6 are in some order connected to the RJ45 ports with paint on the plastic called “internet” and “lan1-4”.
It is just a OpenWRT standardization to call then eth0, eth1, internet, lan1-4 in luci and uci (it would be to much confusion to the people if the name in luci isn’t synced with the plastic box).

Anyway, to be able to say anything more why your setup doesn’t work we need to see your config files for network, dhcp and firewall.

slh · February 4, 2022, 12:14am

First of all, read:

A proper (and easier) solution using DSA will be coming with:

github.com/openwrt/openwrt

ipq40xx: introduce proper ethernet and DSA support

openwrt:master ← sartura:ipq40xx-dsa

opened 05:32PM - 25 Oct 21 UTC

robimarko

+6104 -8852

This PR is a WIP draft for adding a working ethernet + DSA driver along with som…e PHY SFP improvements. Ethernet driver is an updated and fixed version of the IPQESS driver that has been in various trees. DSA driver is based on an older qca8k driver to which IPQ40xx specific stuff was added based on even older modified qca8k that was lingering in the same trees as the IPQESS. DSA driver itself lacks some features that newer qca8k has like VLAN offloading but that is something that I plan on adding. The code also isn't upstream ready due to various hacks that are specific to the IPQ40xx in regards to PSGMII. Driver combo works surprisingly well, however it has one bug that doesn't always present itself. The issue is that PSGMII PHY-s won't calibrate on some boots, this happens really randomly. I have only added conversion of Jalapeno board as an example, however, I will add a few more. Note that I don't know if RGMII works properly as I don't have any board using it. This patch series is based on the following tree: https://github.com/sartura/linux/tree/ipq40xx/linux-v5.10.8-DSA It can be referenced to see the actual development in individual commits as I slightly cleaned up some things when preparing for OpenWrt submission and those are not yet reflected in our public kernel tree. I will rebase on 5.14.14 which we are using internally and publish with OpenWrt changes. You can see that there were actually 3 working taggers added but I only included the shinfo one which has the lowest overhead. I find the driver combo usable, but the code requires some work regarding features and a decent cleanup. We are publishing it in hopes that by working with the community we can eventually get support for wired networking upstream and that will complete IPQ40xx support upstream as the only major subsystem missing. So since the driver combo has been really fixed up I think that we need to convert all of the boards to get this merged. So, to track that let's add a checklist: - [x] 8devices Habanero - [x] 8devices Jalapeno - [x] Alfa AP120C-AC - [x] Aruba AP-303 - [ ] Aruba AP-303H - [ ] Aruba AP-365 - [x] Asus Lyra (MAP-AC2200) - [ ] Asus RT-AC42U - [x] Asus RT-AC58U - [x] AVM FRITZ!Box 4040 - [x] AVM FRITZ!Box 7530 - [x] AVM FRITZ!Repeater 1200 - [ ] AVM FRITZ!Repeater 3000 - [ ] Buffalo WTR-M2133HP - [x] Cell C RTL30VW - [x] Crisis Innovation Lab MeshPoint.One - [ ] Compex WPJ419 - [x] Compex WPJ428 - [ ] devolo Magic 2 WiFi next - [ ] D-Link DAP-2610 - [x] Edgecore ECW5211 - [ ] Edgecore OAP100 - [ ] EnGenius EAP1300 - [ ] EnGenius EAP2200 - [ ] EnGenius EMD1 - [ ] EnGenius EMR3500 - [ ] EnGenius ENS620EXT - [ ] EZVIZ CS-W3-WD1200G - [ ] GL.iNet GL-AP1300 - [x] GL.iNet GL-B1300 - [x] GL.iNet GL-B2200 - [ ] GL.iNet GL-S1300 - [x] Linksys EA6350 - [x] Linksys EA8300 - [x] Linksys MR8300 - [ ] Luma Home WRTQ-329ACN - [x] Cisco Meraki MR33 - [ ] MobiPromo CM520-79F - [ ] NETGEAR EX6100 v2 - [ ] NETGEAR EX6150 v2 - [ ] NETGEAR RBR50 - [ ] NETGEAR RBS50 - [ ] NETGEAR SRS60 - [x] NETGEAR WAC510 - [ ] OpenMesh A42 - [ ] OpenMesh A62 - [x] P&W R619AC - [ ] Plasma Cloud PA1200 - [ ] Plasma Cloud PA2200 - [ ] Qualcomm Atheros AP-DK01.1 C1 - [ ] Qualcomm Atheros AP-DK04.1 C1 - [ ] Qxwlan E2600AC C1 - [ ] Qxwlan E2600AC C2 - [ ] Teltonika RUTX10 - [ ] Unielec U4019 - [x] ZyXEL NBG6617 - [ ] ZyXEL WRE6606 - [x] MikroTik hAP ac2 - [x] MikroTik hAP ac3 - [x] MikroTik Wireless Wire Dish LHGG-60ad - [x] MikroTik SXTsq 5 ac - [x] MikroTik cAP ac - [x] ZTE MF286D - [ ] Telco X1 Pro

rakka · February 4, 2022, 3:56pm

Thank you two for the quick replies.

First of all, read: IPQ40xx Switch Config "Strangeness" (swconfig)

That was helpful. From that thread I deduce that 1) I should not use LuCI to configure the switch and 2) do not use VLAN numbers 1 and 2, because the hardware driver does unexpected things with them. Indeed, I find that if I use other VLAN numbers, I find that at least I still have Internet access over wifi, something that did not work when I was using VLAN numbers 1 and 2. However, even following the configuration suggestion made here I still don’t get connectivity on the LAN ports and still receive this message:

Fri Feb  4 16:28:18 2022 daemon.warn dnsmasq-dhcp[16781]: DHCP packet received on eth0 which has no address

Do I understand that linked thread correctly if I conclude that I need to use an unofficial firmware image or built one myself with the patches applied which are linked there?

A proper (and easier) solution using DSA will be coming with:

And this means that a future version of OpenWRT will “just work” with the configuration I outlined in the OP? That is, my understanding is in principle correct, but there’s a bug in OpenWRT?

Anyway, to be able to say anything more why your setup doesn’t work we need to see your config files for network, dhcp and firewall.

Sure. I will give the dysfunctional configuration below, now with VLANs 100 and 200 instead of 1 and 2:

Let’s start with ip addr list:

root@OpenWrt:~# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether c4:41:1e:ae:14:80 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether c4:41:1e:ae:14:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.33/24 brd 192.168.178.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 2a02:<redacted>/64 scope global dynamic noprefixroute 
       valid_lft 1183sec preferred_lft 1183sec
    inet6 fe80::c641:1eff:feae:1481/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether c4:41:1e:ae:14:83 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c641:1eff:feae:1483/64 scope link 
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether c4:41:1e:ae:14:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd4d:88c:19c3::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::c641:1eff:feae:1480/64 scope link 
       valid_lft forever preferred_lft forever
16: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether c4:41:1e:ae:14:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::c641:1eff:feae:1483/64 scope link 
       valid_lft forever preferred_lft forever
17: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c6:41:1e:ae:14:84 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c441:1eff:feae:1484/64 scope link 
       valid_lft forever preferred_lft forever
18: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c4:41:1e:ae:14:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c641:1eff:feae:1482/64 scope link 
       valid_lft forever preferred_lft forever
19: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether c6:41:1e:ae:14:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c441:1eff:feae:1482/64 scope link 
       valid_lft forever preferred_lft forever
22: eth0.200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c4:41:1e:ae:14:80 brd ff:ff:ff:ff:ff:ff

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4d:088c:19c3::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.200'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '100'
	option ports '0t 4'

config switch_vlan
	option device 'switch0'
	option vlan '200'
	option ports '0t 1 2 3'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

/etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/lan.<redacted>/'
	option domain 'lan.<redacted>'
	list address '/fritz.box/192.168.178.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'hybrid'
	option dhcpv6 'hybrid'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leastime '1h'

config host
	option name '<redacted>'
	option ip '192.168.1.245'
	option mac '48:5B:39:F5:B1:9F'

/etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'HTTP-Server'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'
	option dest_ip '192.168.1.245'

config redirect
	option target 'DNAT'
	option name 'HTTPS-Server'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_port '443'
	option dest_ip '192.168.1.245'

config zone
	option name 'guest2test'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest2test'
	option dest 'wan'

/etc/firewall.user is empty (only commented lines).

You highly probably have one switch with total of 7 ports, eth0-eth6.

As per the output of ip addr list above, I don’t think that I have eth2-eth6. On the “plastic” as you call it I count five RJ45 ports. The two others you mention then are the internal CPU ports I presume (one towards the CPU, and one off it, probably).

Please let me know what I should try next.

rakka

rakka · February 4, 2022, 5:01pm

Aha, I found the culprit. The configuration shown above lacks the configuration option vid. Adding

option vid '100'

and

option vid '200'

makes it work. Though I found I have flipped the order of the VLANs and have now settled on using 100 and 101 as the VLAN numbers.

So the bottom line of all this is: just don’t use VLAN numbers 1 and 2, and don’t forget to not only specify vlan, but also vid. That being said, to complete my understanding of the problem, can someone please explain the difference between the vlan and vid settings? And for completeness, what is the pvid setting mentioned in this thread I found by following the links?