Configuring VLANs

Greetings,
I've been trying to mix the documentation between VLANs and Guest networks and I think I've jumbled something. I'd appreciate some help un-jumbling this all up. I'm using an Archer C7 with OpenWRT 21.02.3.

What I'm after is:

  • two VLANs (4 & 5)
  • Wireless one is on radio 0 and VLAN 4 (10.1.4.x) which passes all traffic including DHCP through to the switch where the local servers handle everything. I would like LUCI on this interface so I gave it an IP.
  • Wireless two is on radio 0 and VLAN 5 (10.1.5.x) which should have a local DHCP server on the 192.168.1.1 network. Tagged packets to the switch via WAN are routed into a zone that has no servers (except 10.1.5.3 which is the DNS server for all networks) but VLAN5 can access the internet via 10.1.5.1. I do not want LUCI on this interface so it's an unmanaged network.
  • Wireless two_n is on radio 1 and VLAN5 same as above.
  • Physical ports 1-3 are untagged on VLAN 4
  • Physical port 4 is untagged on VLAN 5 and gets the same DHCP config as above

I've now got VLAN4 working the way I want and I think I was close to having this working... but then I broke VLAN5 and I'm trying to figure out where I went wrong. And now I fear that I've tried so many things that I'm really off the right path now as I've somehow completely removed my DHCP network and I'm not entirely sure how I did that. o_O

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdad:2eb6:73f0::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'none'

config device
	option name 'eth0.2'
	option macaddr '40:3f:8c:e5:30:7c'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '0t 1t 2 3 4'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '4'
	option name 'eth0.4'

config device
	option type 'bridge'
	option name 'bridge.4'
	list ports 'eth0.2'
	list ports 'eth0.4'

config interface 'vlan4'
	option proto 'static'
	option device 'bridge.4'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option ipaddr '10.1.4.102'
	option gateway '10.1.4.1'
	list dns '10.1.5.3'

config device
	option type 'bridge'
	option name 'bridge.5'
	list ports 'eth0.5'

config interface 'vlan5'
	option device 'bridge.5'
	option proto 'none'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '5'
	option ports '0t 1t 2t 3t 4t 5'

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '10.1.5.3'
	list interface 'bridge.5'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option dynamicdhcp '0'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan5'
	option interface 'vlan5'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan5'

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'wifi0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option network 'vlan4'
	option ssid 'WirelessOne'
	option key 'password_here'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option cell_density '0'
	option country 'US'
	option channel '11'
	option disabled '1'

config wifi-iface 'wifi1'
	option device 'radio1'
	option mode 'ap'
	option network 'vlan5'
	option isolate '1'
	option key 'password_here'
	option ssid 'WirelessTwo_n'
	option encryption 'sae-mixed'
	option disabled '1'

config wifi-iface 'wifi2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'WirelessTwo'
	option encryption 'psk2'
	option key 'password_here'
	option network 'vlan5'
	option disabled '1'

Anything else I can provide? Any thoughts or hints as to where I've gone wrong would be greatly appreciated.

Thanks!

Give default network config.

Greetings.
I'm not sure what you are asking for. Can you please clarify? Thanks!

This is very, very wrong. You have several other things that are wrong in your configuration, too, so the easiest and cleanest way to resolve this is for you to reset your router to defaults. Once you're in that default state, you can post the /etc/config/network file... that's what @ulmwind was asking about.

We can help you with the changes from the default state. This will be much more likely to succeed than trying to clean up the various mistakes as they exist now.

Oooph! I've goofed it that badly, huh? OK. I can reset tonight and start over.

Yeah, it's going to be easier with a fresh/default starting point.

OK. Here are the defaults and the changes I've made are below that.
network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd9:6d44:3a2a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'd8:07:b6:74:13:d5'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

firewall

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

config rule
	option name		Support-UDP-Traceroute
	option src		wan
	option dest_port	33434:33689
	option proto		udp
	option family		ipv4
	option target		REJECT
	option enabled		false

config include
	option path /etc/firewall.user

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

And now, here are my changes. I have not tried to setup the four ports on the back yet so that it's easy for me to get in. I'm still having a bit of issues getting this where I want it. Advice is much appreciated.

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd9:6d44:3a2a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'd8:07:b6:74:13:d5'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '4'
	option name 'eth0.4'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '5'
	option name 'eth0.5'

config device
	option type 'bridge'
	option name 'bridge.4'
	list ports 'eth0.2'
	list ports 'eth0.4'

config device
	option type 'bridge'
	option name 'bridge.5'
	list ports 'eth0.2'
	list ports 'eth0.5'

config interface 'VLAN4'
	option proto 'static'
	option device 'bridge.4'
	option ipaddr '10.1.4.102'
	option netmask '255.255.255.0'
	option gateway '10.1.4.1'

config interface 'VLAN5'
	option proto 'none'
	option device 'bridge.5'
	option type 'bridge'

dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'VLAN5'
	option interface 'VLAN5'
	list ra_flags 'none'

firewall

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

config rule
	option name		Support-UDP-Traceroute
	option src		wan
	option dest_port	33434:33689
	option proto		udp
	option family		ipv4
	option target		REJECT
	option enabled		false

config include
	option path /etc/firewall.user

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'WirelessOne'
	option encryption 'psk2'
	option key 'password_here'
	option network 'VLAN4'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'WirelessTwo_n'
	option encryption 'psk2'
	option key 'password_here'
	option network 'VLAN5'

These are all wrong.

Use this as your example:

The above is the definition for VLAN 1 (eth0.1)

To make VLAN 4, as an example, it will look like this:

config device
	option name 'br-vlan4'
	option type 'bridge'
	list ports 'eth0.4'

config interface 'lan'
	option device 'br-vlan4'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'
...

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2 0t'

I just assigned logical port 2 to VLAN 4 by removing it from the VLAN 1 switch stanza and creating a new one for VLAN 4 that includes that port. I don't know how the physical ports (as labeled on your device) map to the logical port numbers -- you may have to test this. But fundamentally, this is how it is done.

You'll also probably want a DHCP server setup for each network, and you'll need to assign the new networks to a firewall zone. But that can be done after you get the network file sorted out.

Does this give you enough to work with?

Thank you very much for helping.

On my device it seems eth0.2 is tied to the wan and wan6. I thought I needed that in my bridge (at least for vlan4) so that the wireless and physical ports all show up on the same network as the switch (because that's where all the systems/DHCP/etc. are). Did I misunderstand that?

[edit] further clarification - what I'm after is that when a wireless or wired device joins (either via wifi or one of the ports) the vlan4 network, I want them to appear as though they are on the same logical network as all of the other devices on vlan4 routing traffic between each other.

First think in terms of networks, not VLANs. VLANs are a technology to multiplex multiple networks into the same physical link, which is only an issue here with the ethernet switch. This includes the internal link from eth0 to the switch. The config interface is the fundamental part of a network-- its IP address and connections through the firewall and DHCP server etc. determine what the network will do.

A dot is not valid in a bridge name so do what psherman said and name the bridges something like br-vlan4 and br-vlan5. You need bridges because there are going to be multiple physical connections (wifi radio 0, wifi radio 1, and Ethernet) to the same network. Declaring a bridge then attaching devices to its ports works like a software implemented Ethernet switch. Every bridge always has a default extra port which is accessible to the kernel layer 3 networking stack, if it holds an IP address.

Thank you all for the continued help. But something still isn't clicking for me. I think I've got vlan4 working the way I want, but I cannot seem to get DHCP working on vlan5. I've also got the switch ports on the different vlans for me to test on.

DHCP

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '10.1.5.3'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan5'
	option interface 'vlan5'
	option start '160'
	option limit '170'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd9:6d44:3a2a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'd8:07:b6:74:13:d5'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1t 2'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1t 3'
	option vid '4'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '4'
	option name 'eth0.4'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '5'
	option name 'eth0.5'

config device
	option type 'bridge'
	option name 'br-vlan4'
	list ports 'eth0.2'
	list ports 'eth0.4'

config device
	option type 'bridge'
	option name 'br-vlan5'
	list ports 'eth0.2'
	list ports 'eth0.5'

config interface 'vlan4'
	option proto 'static'
	option device 'br-vlan4'
	option ipaddr '10.1.4.102'
	option netmask '255.255.255.0'
	option gateway '10.1.4.1'

config interface 'vlan5'
	option proto 'none'
	option device 'br-vlan5'
	option type 'bridge'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '5'
	option ports '0t 1t 4'

I see two major issues:

  1. DHCP lease range is wrong

The allowable IP range of a /24 network is .1-.254. Since the router needs to have an address, you need to make sure the DHCP range doesn't overlap that (often it is .1, by typical convention)... so now it is .2-.254. In practice, it is common to keep at least some addresses available for static IPs, but this is not required.

Now, onto the problems with the range you've made:
start = the starting address of the DHCP pool -- you've specified 160, so this means the pool will start at 10.0.5.160.
limit = size of the DHCP pool. You've set 170. So that means that there can be up to 170 leases. The problem here is that it is out of range: 160 + 170 - 1 = 329. (the -1 is because the range is inclusive of the start address). 329 > 254. So this is invalid.
If you want your entire range to be 160-170, you would set start = 160, limit = 11.

  2. You keep making the same errors in your network configuration. This is the major reason it is not working...

I've stated this a few times... the above is wrong. eth0.2 is not a port. this whole section is wrong and must be removed.

In this section, you haven't set an address for VLAN5 (proto none means that this is unmanaged). So it doesn't interact with the CPU and will never function for routing and it won't try to issue DHCP leases.

Here is my suggestion:

  • Reset to defaults again.
  • Add one network (VLAN 4 or VLAN 5)... do not do both. Make one network functional, then apply that as the template for the other.
  • Do not change anything that does not need to be changed in this round.

I have already given you a recipe for the network config that will get you started with the network config part... we'll get to the firewall and DHCP after this is done correctly.

Implement the above after you have reset to defaults... post your network file for review, and we'll go from there.

limit = size of the DHCP pool. You've set 170.

Doh! I thought that was the end of the range and was after only 10. Good catch. Thanks.

I've stated this a few times... the above is wrong. eth0.2 is not a port. this whole section is wrong and must be removed.

So either I'm not communicating what I'm trying to do well here or I've completely misunderstood something. My understandings are:

  • eth0.2 is the wan port on the C7 that I have.
  • In order for a device plugged into a port on the AP to be seen as though it is on the same network, the interface needs to be bridged. e.g., computer1 (10.0.5.8) <-> switch <-> Archer C7 <-> Port 3 <-> computer2 (10.0.5.9)

I agree with your plan. I'm going to reset and focus on vlan4 first. Will post back.

Thank you for your patience in helping me understand all of this!

No, your WAN uses eth0.2, but eth0.2 is not a port. It is VLAN 2 on eth0. Although technically eth0 is a port on the CPU, it is not a physical port on your device. eth0 connects to the switch. The switch then uses VLAN 1 and VLAN 2 for your LAN (eth0.1) and WAN (eth0.2) respectively. Then those VLANs are assigned to ports on the switch which emerge as physical ports on your device. By default, eth0.2 is assigned to logical port 1 on the switch, and eth0.1 is assigned to logical ports 2-5. Those logical port numbers don't correspond 1:1 with the physical labels, but we know logical port 1 on the switch corresponds to the physical WAN port.

You don't want to bridge logical ports or VLANs in your situation... you just want to create VLANs on the switch, and then assign the VLANs to logical (and thus physical) ports as required for your goals. If you want to connect wireless and wired together, you use the bridge device definitions and then use the bridge as the device for the logical network interface.

Please trust me on this... I have already given you the right recipes for this. Do exactly what I suggested and then post the results for review.

I trust you. :smile:
Just did a reset and I'm working on the VLAN now.

I set the 4th port to be on vlan4 and it is working.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd0:fe45:0c99::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'd8:07:b6:74:13:d5'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '4'
	option name 'eth0.4'
	option ipv6 '0'

config interface 'vlan4'
	option proto 'static'
	option device 'eth0.4'
	option ipaddr '10.0.4.102'
	option netmask '255.255.255.0'
	option gateway '10.0.4.1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '4'
	option ports '1t 5'

Remove the gateway.
Does VLAN 4 need to also be connected to the radio for wifi purposes? If so, you need to set it up with a bridge device.
VLAN 4 is not connected to the CPU (which is logical port 0 on the switch). You need to include 0t in the ports for VLAN 4. It is currently setup as tagged on logical port 1 and untagged on logical port 5. Is that what you intended?
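Added here as an example (not code from the thread or from OpenWrt): a small Python linter for the mistakes called out in the "two major issues" post and in the reply just above. It parses UCI text and reports a DHCP pool whose start + limit - 1 runs past .254 of a /24, a switch_vlan stanza without the tagged CPU port 0t, a bridge with a dot in its name or with the WAN device (eth0.2) as a port, and a dhcp stanza bound to a proto 'none' interface. The helper names (parse_uci, lint_dhcp, lint_switch_vlans, lint_bridges, lint) and the BAD/GOOD samples are my own; the samples are constructed to resemble the posted files, not copied from them. It assumes /24 networks and that logical port 0 is the CPU port, as stated above.

```python
# Added example, not from the thread or from OpenWrt; the BAD/GOOD samples below are constructed.
def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options': {k: v}, 'lists': {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[2].strip().strip("'\"") if len(parts) > 2 else ""  # quoted or bare value
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": value or None, "options": {}, "lists": {}})
        elif parts[0] == "option" and sections:
            sections[-1]["options"][parts[1]] = value
        elif parts[0] == "list" and sections:
            sections[-1]["lists"].setdefault(parts[1], []).append(value)
    return sections

def lint_dhcp(secs, last_host=254):
    """Assumes /24 networks as in the thread: usable hosts .1-.254, pool = start .. start+limit-1."""
    proto = {i["name"]: i["options"].get("proto") for i in secs if i["type"] == "interface"}
    out = []
    for s in [s for s in secs if s["type"] == "dhcp"]:
        o = s["options"]
        if o.get("ignore") == "1":
            continue
        start = int(o.get("start", 100))             # OpenWrt defaults: start 100, limit 150
        last = start + int(o.get("limit", 150)) - 1  # the range is inclusive of the start address
        if last > last_host:
            out.append(f"dhcp '{s['name']}': pool .{start}-.{last} runs past .{last_host}; limit is a size, not an end")
        if proto.get(o.get("interface")) == "none":
            out.append(f"dhcp '{s['name']}': interface '{o.get('interface')}' is proto 'none', so it holds no address to serve from")
    return out

def lint_switch_vlans(secs):
    # Without the tagged CPU port (logical port 0) a VLAN never reaches eth0, so eth0.<vid> carries nothing.
    return [f"switch_vlan {s['options'].get('vlan')}: no '0t', VLAN is not connected to the CPU"
            for s in secs if s["type"] == "switch_vlan" and "0t" not in s["options"].get("ports", "").split()]

def lint_bridges(secs):
    # A bridge name may not contain a dot, and the WAN device (eth0.2 here) is a VLAN on eth0, not a switch port.
    wan_devs = {i["options"].get("device") for i in secs if i["type"] == "interface" and i["name"] in ("wan", "wan6")}
    out = []
    for d in [d for d in secs if d["type"] == "device" and d["options"].get("type") == "bridge"]:
        name = d["options"].get("name", "")
        if "." in name:
            out.append(f"bridge '{name}': dot in bridge name is invalid; use a name like br-vlan5")
        out += [f"bridge '{name}': port '{p}' is the WAN device, not a switch port; remove it"
                for p in d["lists"].get("ports", []) if p in wan_devs]
    return out

def lint(text):
    secs = parse_uci(text)  # /etc/config/network and /etc/config/dhcp can simply be concatenated
    return lint_dhcp(secs) + lint_switch_vlans(secs) + lint_bridges(secs)

BAD = """
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
config switch_vlan
	option vlan '3'
	option ports '1t 5'
config device
	option type 'bridge'
	option name 'bridge.5'
	list ports 'eth0.2'
	list ports 'eth0.5'
config interface 'vlan5'
	option proto 'none'
	option device 'bridge.5'
config dhcp 'vlan5'
	option interface 'vlan5'
	option start '160'
	option limit '170'
"""
GOOD = """
config switch_vlan
	option vlan '3'
	option ports '0t 4'
config device
	option type 'bridge'
	option name 'br-vlan5'
	list ports 'eth0.5'
config interface 'vlan5'
	option proto 'static'
	option device 'br-vlan5'
	option ipaddr '10.0.5.1'
	option netmask '255.255.255.0'
config dhcp 'vlan5'
	option interface 'vlan5'
	option start '160'
	option limit '11'
"""

if __name__ == "__main__":
    print("\n".join(lint(BAD)) + "\nfixed config: " + str(lint(GOOD)))
```

Run against the BAD sample it reports five findings (the oversized pool, the unmanaged interface, the missing 0t, the dotted bridge name and eth0.2 as a bridge port); the GOOD sample, which applies the fixes from the replies (0t added, br-vlan5 holding only eth0.5, a static address, limit 11 for a .160-.170 pool), comes back clean. Python is not installed on OpenWrt by default, so run it on a workstation against copies of the two files, e.g. lint(open('network').read() + open('dhcp').read()).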

Does VLAN 4 need to also be connected to the radio for wifi purposes? If so, you need to set it up with a bridge device.

I would like it to be. I'm working on that now.

VLAN 4 is not connected to the CPU (which is logical port 0 on the switch). You need to include 0t in the ports for VLAN 4. It is currently setup as tagged on logical port 1 and untagged on logical port 5. Is that what you intended?

I'm uncertain. I no longer want to make assumptions because I apparently didn't grasp as much as I thought I did. :slight_smile:

I can certainly tag that though.

Tell you what.... draw a diagram of how this device factors into the rest of the network. Show where your internet connection comes in and how this connects to other devices. Do VLANs 4 and 5 exist on an upstream router somewhere, or is this the device that is handling all of the routing for these VLANs? What about downstream connections -- will any of this go through switches or is it direct connections from this router to the devices that need to be connected? Do you have any managed switches that you'll be using?

It's just my home lab. I've got a managed switch I got second hand. Previously I had two AP units and I didn't do anything fancy with them. One I had the physical port on the switch as untagged for the vlan4 and the other was on a different untagged port for vlan5.

Vlan 4 is where I set up my home devices, which is why I've got a dhcp setup on it already and want to be able to have them all talk, but vlan5 is where I set up the various test systems, so I hard set IPs and let them talk to the internet directly, which is why I wanted OpenWRT to hand out DHCP IPs to the wireless devices that connect.

What I was hoping to do was merge the two devices into one.

Does that help explain things?