Configuring VLANs on Linksys EA8300 for isolating a server

I own a Linksys EA8300 device, which has 5 physical ports, one of them labelled “Internet” on the device. Of course, it runs OpenWRT, to be exact: OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.295.67054-13df80d (as per LuCI). If I understand it correctly, the device has two physical NICs, one for the 4-port switch and one for the WAN (“Internet”) port, at least this is how I interpret the “Devices” page in LuCI, which lists both an eth0 and an eth1 interface. It labels eth0 an “Ethernet switch“ and eth1 an “Ethernet adapter”. The WAN port is connected to a Fritzbox currently (with the Linksys device in the DMZ), which I ultimately intend to replace with a DSL modem in bridge mode so that the Linksys device is the actual network termination point, but that’s for another day.

What I want to do now is as follows. I run a small personal server from home for things like websites. I would like to isolate this server into its own network segment and set up the firewall on the OpenWRT device so that the server can only talk to the Internet, but not to the rest of my home LAN. After quite a bit of reading I learned that I need to use VLANs to split up the ports on the Ethernet switch, so I went out and decided to dedicate the eth0 switch’s port 4 to the server network segment. Thus, I thought, I will need to put ports 1-3 into VLAN 1 and port 4 into VLAN 2. As the OpenWRT wiki recommends to always set the CPU port “tagged” (it wasn’t in the default configuration), I arrived at the following setup:

| VLAN ID | CPU(eth0) | LAN 1    | LAN2     | LAN3     | LAN4     |
|---------+-----------+----------+----------+----------+----------|
|       1 | tagged    | untagged | untagged | untagged | off      |
|       2 | tagged    | off      | off      | off      | untagged |

This creates new devices eth0.1 and eth0.2. That sounded natural, as I created two VLANs, so I suppose these devices map to the respective VLAN (right?). Consequently, one should not use eth0 directly anymore I suppose. So what I then do is to remove eth0 from the br-lan bridge (which is part of the “LAN” interface) and instead add eth0.1 into it, representing VLAN 1 which covers physical ports 1-3. For eth0.2 I create an entire new interface.

Applying this configuration kills my LAN connectivity. DHCP queries go out from my devices, but will not receive any response and I can only connect via wifi. When I look at the logs with logread, I see the following message printed each time a DHCP request comes in on the VLAN 1:

daemon.warn dnsmasq-dhcp[22537]: DHCP packet received on eth0 which has no address

I am severely confused. How can a packet come in on eth0 at all? My understanding of VLANs may be faulty (I never used them, and am a fairly new OpenWRT user) but I thought if I configure those as outlined above, packages should ever only come in on eth0.1 and eth0.2?

At this point, I’m clueless. There must be something wrong with my understanding of VLANs, at least I don’t get why packets arrive on eth0, which is not included in any interface in LuCI, as opposed to eth0.1 and eth0.2. Please, give me a pointer where the error is.

kind regards
rakka

This is the case in 21.02 with DSA, then the CPU Ethernet ports aren’t in the setup since you only can use one at this point in time and that port is always included and it is always tagged to the cpu anyway.

Are you sure you have gotten the logic for the switch mapping right, a switch is only a multiplexer.
You highly probably have one switch with total of 7 ports, eth0-eth6.
Eth0 and eth1 is connected to the cpu and eth2-eth6 are in some order connected to the RJ45 ports with paint on the plastic called “internet” and “lan1-4”.
It is just a OpenWRT standardization to call then eth0, eth1, internet, lan1-4 in luci and uci (it would be to much confusion to the people if the name in luci isn’t synced with the plastic box).

Anyway, to be able to say anything more why your setup doesn’t work we need to see your config files for network, dhcp and firewall.

First of all, read:

A proper (and easier) solution using DSA will be coming with:

1 Like

Thank you two for the quick replies.

First of all, read: IPQ40xx Switch Config "Strangeness"

That was helpful. From that thread I deduce that 1) I should not use LuCI to configure the switch and 2) do not use VLAN numbers 1 and 2, because the hardware driver does unexpected things with them. Indeed, I find that if I use other VLAN numbers, I find that at least I still have Internet access over wifi, something that did not work when I was using VLAN numbers 1 and 2. However, even following the configuration suggestion made here I still don’t get connectivity on the LAN ports and still receive this message:

Fri Feb  4 16:28:18 2022 daemon.warn dnsmasq-dhcp[16781]: DHCP packet received on eth0 which has no address

Do I understand that linked thread correctly if I conclude that I need to use an unofficial firmware image or built one myself with the patches applied which are linked there?

A proper (and easier) solution using DSA will be coming with:

And this means that a future version of OpenWRT will “just work” with the configuration I outlined in the OP? That is, my understanding is in principle correct, but there’s a bug in OpenWRT?

Anyway, to be able to say anything more why your setup doesn’t work we need to see your config files for network, dhcp and firewall.

Sure. I will give the dysfunctional configuration below, now with VLANs 100 and 200 instead of 1 and 2:

Let’s start with ip addr list:

root@OpenWrt:~# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether c4:41:1e:ae:14:80 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether c4:41:1e:ae:14:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.33/24 brd 192.168.178.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 2a02:<redacted>/64 scope global dynamic noprefixroute 
       valid_lft 1183sec preferred_lft 1183sec
    inet6 fe80::c641:1eff:feae:1481/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether c4:41:1e:ae:14:83 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c641:1eff:feae:1483/64 scope link 
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether c4:41:1e:ae:14:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd4d:88c:19c3::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::c641:1eff:feae:1480/64 scope link 
       valid_lft forever preferred_lft forever
16: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether c4:41:1e:ae:14:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::c641:1eff:feae:1483/64 scope link 
       valid_lft forever preferred_lft forever
17: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c6:41:1e:ae:14:84 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c441:1eff:feae:1484/64 scope link 
       valid_lft forever preferred_lft forever
18: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c4:41:1e:ae:14:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c641:1eff:feae:1482/64 scope link 
       valid_lft forever preferred_lft forever
19: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether c6:41:1e:ae:14:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c441:1eff:feae:1482/64 scope link 
       valid_lft forever preferred_lft forever
22: eth0.200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c4:41:1e:ae:14:80 brd ff:ff:ff:ff:ff:ff

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4d:088c:19c3::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.200'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '100'
	option ports '0t 4'

config switch_vlan
	option device 'switch0'
	option vlan '200'
	option ports '0t 1 2 3'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

/etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/lan.<redacted>/'
	option domain 'lan.<redacted>'
	list address '/fritz.box/192.168.178.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'hybrid'
	option dhcpv6 'hybrid'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leastime '1h'

config host
	option name '<redacted>'
	option ip '192.168.1.245'
	option mac '48:5B:39:F5:B1:9F'

/etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'HTTP-Server'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'
	option dest_ip '192.168.1.245'

config redirect
	option target 'DNAT'
	option name 'HTTPS-Server'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_port '443'
	option dest_ip '192.168.1.245'

config zone
	option name 'guest2test'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest2test'
	option dest 'wan'

/etc/firewall.user is empty (only commented lines).

You highly probably have one switch with total of 7 ports, eth0-eth6.

As per the output of ip addr list above, I don’t think that I have eth2-eth6. On the “plastic” as you call it I count five RJ45 ports. The two others you mention then are the internal CPU ports I presume (one towards the CPU, and one off it, probably).

Please let me know what I should try next.

rakka

Aha, I found the culprit. The configuration shown above lacks the configuration option vid. Adding

option vid '100'

and

option vid '200'

makes it work. Though I found I have flipped the order of the VLANs and have now settled on using 100 and 101 as the VLAN numbers.

So the bottom line of all this is: just don’t use VLAN numbers 1 and 2, and don’t forget to not only specify vlan, but also vid. That being said, to complete my understanding of the problem, can someone please explain the difference between the vlan and vid settings? And for completeness, what is the pvid setting mentioned in this thread I found by following the links?