Create a VLAN for each WAN interface when the WAN interfaces have the same IP range

Hi,
I used the wireless card on my OpenWrt device to connect to two wireless APs, so I have wan1 and wan2. Now I want to create two VLANs (lan1_1, lan1_2) on my LAN port and bind each VLAN to one WAN interface,
so I created the two VLANs (lan1_1, lan1_2), a LAN firewall zone for each VLAN and a WAN firewall zone for each WAN, and allowed forwarding accordingly:
lan1 -> wan1
lan2 -> wan2
What I expected was that when I activate VLAN 1 (lan1_1) on my client device I would reach the internet through wan1, and when I activate VLAN 2 (lan1_2) I would reach it through wan2.
But then I discovered that both wireless APs use the same IP range (192.168.0.0/24) and the same gateway IP (192.168.0.1). Both DHCP clients therefore try to install a default route via 192.168.0.1 into the main routing table, the two routes conflict, and firewall zones alone cannot decide which uplink a packet leaves on.

I can't change the IP addresses on these Wi-Fi APs, so is it possible to work around this issue?

/etc/config/network

# Loopback: stock OpenWrt stanza, unchanged.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Locally generated IPv6 ULA prefix for the LAN side (stock stanza).
config globals 'globals'
        option ula_prefix 'fd9f:0a74:3fba::/48'

# Untagged LAN bridge on eth1 (192.168.1.0/24). eth1 also carries the
# tagged sub-interfaces eth1.1 / eth1.2 defined further down (lan1_1 /
# lan1_2), so untagged frames from the client land here, not in a VLAN.
# In the firewall config shown, this interface is in zone 'lan', which
# has no 'config forwarding' to wan1 or wan2 -- untagged clients get no
# internet access, which is the safe default for this setup.
config interface 'lan1'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

# Second untagged bridge on eth0 (192.168.2.0/24), also in zone 'lan'.
# Uses the list-style 'ipaddr' with a CIDR suffix, equivalent to the
# ipaddr/netmask pair used for lan1.
config interface 'lan2'
        option ifname 'eth0'
        option proto 'static'
        list ipaddr '192.168.2.1/24'
        option type 'bridge'

# Both uplinks are DHCP clients on Wi-Fi STA interfaces (the wifi-iface
# binding lives in /etc/config/wireless, not shown). Both APs hand out
# 192.168.0.0/24 with gateway 192.168.0.1, so with the defaults each
# client wants a default route via 192.168.0.1 in the main table and
# they conflict; the accepted fix in this thread gives wwan2 its own
# table with 'option ip4table' and steers one LAN into it with an ip
# rule.
# Security note: these are untrusted upstream networks. Keep them in
# firewall zones with 'input REJECT' and 'masq 1' (as wan1/wan2 below).
# NOTE(review): 'peerdns' defaults to on, so the resolvers pushed by
# both APs are presumably used; set 'option peerdns 0' and an explicit
# 'list dns' if you do not trust the APs' DNS.
config interface 'wwan1'
        option proto 'dhcp'

config interface 'wwan2'
        option proto 'dhcp'

# Tagged 802.1Q sub-interfaces of eth1 (VLAN IDs 1 and 2). Each gets its
# own /24 and its own firewall zone: lan1_1 -> zone 'lan1' -> wan1,
# lan1_2 -> zone 'lan2' -> wan2.
# NOTE(review): VLAN ID 1 is the native/default VLAN on many switches;
# if the client side strips tag 1, lan1_1 traffic arrives untagged and
# lands in 'lan1' (192.168.1.0/24) instead. Confirm on the client.
config interface 'lan1_1'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'

config interface 'lan1_2'
        option proto 'static'
        option ifname 'eth1.2'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

/etc/config/firewall

# Global defaults (stock OpenWrt values). 'input ACCEPT' is the policy
# for traffic arriving on any interface that is NOT assigned to a zone,
# so every WAN-facing interface (wwan1, wwan2) must stay in a zone with
# its own 'input REJECT', as done below, or this default exposes the
# router. 'forward REJECT' means only the explicit 'config forwarding'
# pairs below allow inter-zone traffic.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

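# Zone for the two untagged bridges. The original network list was
# 'lan wan lan2 lan1': neither 'lan' nor 'wan' exists as an interface in
# /etc/config/network above, and listing a network called 'wan' in a
# zone with 'input ACCEPT' would treat an uplink as trusted LAN if such
# an interface were ever created. Only the two real bridges remain.
# 'forward ACCEPT' permits traffic between lan1 and lan2; there is no
# 'config forwarding' from this zone to wan1/wan2, so these bridges have
# no internet access.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan1 lan2'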

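# Zone for the VLAN that egresses via wan2 (forwarding lan2 -> wan2
# below). The original network list was 'LAN1_1 lan1_2'. UCI section
# names are case-sensitive, so 'LAN1_1' matched nothing; spelled
# 'lan1_1' it would have put that interface in two zones (it is already
# in zone 'lan1') and likely made it eligible for the lan2 -> wan2
# forwarding as well. Only lan1_2 belongs here.
config zone
        option name 'lan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan1_2'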

# Uplink zone for the first AP. 'input REJECT' + 'forward REJECT' keep
# the AP-side network (the shared 192.168.0.0/24) out of the router;
# only the explicit Allow-* rules below are accepted. 'masq' hides the
# 192.168.3.0/24 VLAN behind wwan1's DHCP address; 'mtu_fix' clamps TCP
# MSS for the wireless link.
config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option name 'wan1'
        option network 'wwan1'

# Stock OpenWrt WAN input rules, but every one is bound to 'src wan1'
# only. Zone wan2 has none of them, so in particular wwan2 has no
# Allow-DHCP-Renew: if the AP's DHCP server answers a renewal with a
# packet that conntrack does not associate with the request, it is
# rejected and the lease may lapse. Duplicate at least Allow-DHCP-Renew
# (and Allow-Ping if you want reachability tests) with 'option src wan2'.
config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'wan1'

# Lets the AP side ping the router; optional on an untrusted uplink.
config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'wan1'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'wan1'

# IPv6 stock rules: DHCPv6 client replies, MLD, and the ICMPv6 types
# needed for neighbour discovery and path MTU, rate-limited.
config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'wan1'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'wan1'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'wan1'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'wan1'

# Stock IPsec passthrough: unsolicited ESP and IKE (UDP/500) from the
# uplink are forwarded into zone 'lan'. Nothing in this thread uses
# IPsec; on an untrusted upstream these two rules can be removed to
# shrink the exposed surface.
config rule
        option name 'Allow-IPSec-ESP'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option src 'wan1'

config rule
        option name 'Allow-ISAKMP'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'wan1'

# Raw shell hook run after the UCI rules are loaded. Any iptables
# commands placed there bypass the zone model and are not visible in
# this file or in LuCI -- review it whenever auditing the ruleset.
config include
        option path '/etc/firewall.user'

# Uplink zone for the second AP; same hardening as wan1 (input and
# forward REJECT, masquerade, MSS clamp). None of the Allow-* rules
# in this file reference 'src wan2', so e.g. DHCP-renew and ping from
# the AP side are rejected on wwan2 unless copies of those rules are
# added for this zone.
config zone
        option name 'wan2'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wwan2'
        option input 'REJECT'

# Only zone 'lan2' (interface lan1_2) may forward out via wan2.
config forwarding
        option src 'lan2'
        option dest 'wan2'

# Zone for the VLAN that egresses via wan1. With a single interface
# in the zone, intra-zone 'forward REJECT' has no effect today, but it
# is the safer default if more interfaces are added later.
config zone
        option name 'lan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan1_1'

# Only zone 'lan1' (interface lan1_1) may forward out via wan1.
config forwarding
        option src 'lan1'
        option dest 'wan1'

Hmm, firewall traffic marking — I used this feature before on MikroTik routers, but didn't know it was possible in OpenWrt.
Anyway, I couldn't get it to work. Do I need to install an additional package? Do I need to add the rules somewhere else?

This is what I did:
1- added static routes using '100' as the table id

/etc/config/network

# Routes in table 100 are only consulted if an ip rule selects that
# table. No 'config rule' with 'option lookup 100' exists in this
# network config (the attempt below was placed in /etc/config/firewall,
# where 'lookup' is not a valid option), so table 100 is never used.
config route
        option interface 'wwan1'
        option target '0.0.0.0/0'
        option gateway '192.168.0.1'
        option table '100'

# Connected route for the AP subnet in the same table, so 192.168.0.1
# itself is resolvable via wwan1 when table 100 is selected.
config route
        option interface 'wwan1'
        option target '192.168.0.0/24'
        option table '100'

2- I created two rules in the firewall config: one to set a firewall mark, and one to match that mark and route via table '100'

/etc/config/firewall

# Step 1 of the attempted mark-based policy routing: stamp all traffic
# from zone 'lan1' with fwmark 0xFF (fw3 places MARK-target rules in the
# mangle table, so the mark is set before the routing decision).
# NOTE(review): 'set_mark 0xFF' with no mask overwrites the whole
# fwmark; harmless here, but use 'set_xmark 0xFF/0xFF' if another
# component (SQM, mwan3) also marks packets.
config rule
        option name 'vlan1 traffic '
        list proto 'all'
        option src 'lan1'
        option dest '*'
        option target 'MARK'
        option set_mark '0xFF'

# Step 2 is the mistake. 'mark' is a valid firewall match, but 'in' and
# 'lookup' are options of a 'config rule' (ip rule) section in
# /etc/config/network, not of a firewall rule; fw3 ignores the unknown
# options and this becomes an ordinary ACCEPT rule that never consults
# table 100. Move it to /etc/config/network as
#   config rule
#           option mark '0xFF'
#           option lookup '100'
# and note that there 'in' takes an interface name (lan1_1), not a
# firewall zone. The ip4table-based variant accepted later in the
# thread avoids marking altogether.
config rule
        option mark '0xFF'
        option in 'lan1'
        option lookup '100'
        option name 'route traffic vlan1'
        list proto 'all'
        option target 'ACCEPT'

I think your solution is the right one; I probably just have a mistake in my rules!

One thing that used to be very useful for debugging on MikroTik routers is the counter field that shows how many times a firewall rule has matched. Is this possible in OpenWrt? I can't see a counter in the LuCI firewall page.

# Policy routing via netifd (see the pbr_netifd wiki page linked
# below): give each interface its own IPv4 routing table. With
# ip4table set, netifd installs that interface's routes into the
# numbered table instead of 'main' and generates the matching ip rules
# (details on the wiki page).
uci set network.lan1.ip4table="1"
uci set network.lan2.ip4table="2"
uci set network.wwan2.ip4table="3"
# Recreate the ip rule idempotently: traffic entering on lan2 is looked
# up in table 3 (wwan2's table), so it egresses via the second AP.
# wwan1 keeps no ip4table, so its default route stays in 'main' and all
# other traffic still leaves via wan1.
uci -q delete network.lan2_wwan2
uci set network.lan2_wwan2="rule"
uci set network.lan2_wwan2.in="lan2"
uci set network.lan2_wwan2.lookup="3"
uci set network.lan2_wwan2.priority="30000"
# NOTE(review): this fails open. If wwan2 is down, table 3 has no
# default route, the lookup falls through to 'main' and lan2 traffic
# leaves via wan1. If the two uplinks must stay separated, add an
# 'unreachable' default route with a high metric to table 3 (or a
# 'prohibit' ip rule for lan2 at a lower priority) so it fails closed.
# NOTE(review): the names here are the bridges lan1/lan2 from the
# original config, not the VLANs lan1_1/lan1_2; substitute as needed.
# The network restart briefly drops all interfaces.
uci commit network
/etc/init.d/network restart

https://openwrt.org/docs/guide-user/network/routing/pbr_netifd

Well, the policy-routing link you posted suggested matching on a mark, so I assumed that was your suggestion.
Anyway, your proposed solution worked, so I marked it as solved. Thanks!

