Create separate networks based on phisical LAN ports

Installing and Using OpenWrt
1

Hi.
Can someone post the same solution for v22.03 following this old one:

Thanks

2

The solution is to use VLANs as you already shared. Have you consulted the wiki? https://openwrt.org/docs/guide-user/network/vlan/switch_configuration

3

I see, thanks for the quick reply.
I am more familiar with Luci GUI configuration and in that old tutorial is very well explained with screen shots.
I tried to sort it in v22, but the "Network --> Switch" menu option does not exist anymore as it changed/moved to configure from "Network/Interfaces(Devices)", but I could not manage to sort it out.
I am sure it's not just me who would like to have as detailed explanation as that old post, whoever needs to make this setup =)
Thanks again.

additionally, most likely I don't need VLANs as I am trying to separate the phisical ports like ports 1&2 in one subnet and 3&4 in an other subnet to create separate network for different devices connected to those ports

4

I think VLANs are exactly what you need. Here is my setup on a switch where lan1-3 are VLAN 10 and lan4 is VLAN 4 (WAN is the uplink to the router/firewall):

switch
switch1297×776 54.7 KB

For reference:

/etc/config/network 
...

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'dhcp'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.3'
	option delegate '0'

config interface 'homeoffice'
	option proto 'none'
	option device 'br-lan.4'
	option delegate '0'

config interface 'iot'
	option proto 'none'
	option device 'br-lan.5'
	option delegate '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan4:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'wan:t'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'
1 Like
5

  1. Go to Network>Interfaces>Devices>br-lan and remove lan3 and lan4 from the existing bridge.

  2. Create a new bridge device using lan3 and lan4.
    image

  3. Use br-lan2 as the device to create a new interface.

6

Ok, here what I did:

  • Removed ports 2&3 from "br-lan/Configure/Bridge Ports"
  • Added new bridge "br-lan2" in "network/Add device configuration..."
  • Added ports 2&3 to "br-lan2"
  • Added new interface "LAN2" in "Network/Interfaces" with static 192.168.22.1
  • Enabled DHCP server for that interface and assigned the Firewall zone for LAN2 under the same page following the tabs above.
    Finally I have this error:
    owrt1
    owrt11226×764 112 KB

What am I missing and/or what I did not do correctly?

7

This usually happens when there are no physical ports assigned to the bridge device, so double-check the br-lan2 configuration.

Checking the Bring up empty bridge box will make the interface go up, but it's not a solution.

If everything looks fine in LuCI but it still doesn't work, post the output of uci export network redacting the sensitive information.

Edit: Did you click the Save & Apply button in the Devices tab before creating the interface?

8

Thanks pavelgl, now it has no error.
I am trying to set up isolated networks quite a while following a couple of tutorial which are based on the old OWRT firmware trying to apply to my 22.03, but as setup bridges and switches changed a bit - I could not sort it out.
I was following the tutorial of the Youtuber " OneMarcFifty" about setting IoT, Guest and WiFi network ("How to configure OpenWrt as Firewall for your home network and Guest Wifi and IPTables explained") and the option to tick the box "Bring empty bridge" in the old firmware was when you create a new interface:
like on this screenshot from his video:

owrt02
owrt021219×555 96.3 KB

..but it's not present now:
owrt03
owrt031099×289 18.9 KB

But now, after you mentioned it again I went to "network/Devices" tab, clicked "Configure" along "br-lan2" and found that "Bring up empty bridge" tick box which was un-cheked:

owrt04
owrt04692×206 21.7 KB

After checking and applying the the error is gone...
I'll follow from here to set separate two networks (this weekend) and post the result if will be sorted or not.
Thank you and " [darksky]" for helping me out =)

9

Unfortunately, this (most likely) means that your router is one of the devices that doesn't support more than one bridge.

Instead of multiple bridged networks, you will need to move to multiple networks using VLANs.

10

Right, I tried to connect a device into ports 3&4 and no luck, this what you mean that my router doesn't support more than on bridge right?
The router I am setting this up (main one) is "Linksys WRT1900ACS", where to find the compatibility list to multiple bridged networks? if it exists.
I have other 2 routes: "D-link Dir-1960" and "D-link Dir-2660" maybe (one of) these are capable? I can swap the main router with one of these if needed.
Thanks

11

No need to replace the device.
The second linked example in post 9 will do exactly what you want (in a different way).

If you feel insecure, post the output of uci show network and we will help you with the uci commands. Redact the sensitives.

12

Thank you for the help and support pavelgl (and to all community and development team) thanks for this amazing FOSS piece of art.
I'll set up as on VLANs based on that chapter, I am sure it will be working.
I was just trying to create separation based on physical ports as each of them will handle better speed individually than split one single port traffic for example to 3 devices connected via virtual division (VLAN).

1 Like
13

Could not sort my network case,
posting uci show network:

 OpenWrt 22.03.2, r19803-*****
 -----------------------------------------------------
root@wrt1900:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxxxxxx::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='xx'
network.lan.dns='9.9.9.9' '192.168.1.1'
network.@device[1]=device
network.@device[1].name='wan'
network.@device[1].macaddr='xx:xx:xx:xx:xx:xx'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='9.9.9.9' '149.112.112.112' '1.1.1.1'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.wan6.dns='xxx:xxx::xxx' 'xxx:xxx::xxx'```
14

You don't need DNS servers set on the lan interface, so remove them.
The commands below will create a separate lanb interface attached to ports lan3 and lan4. Network 192.168.1.0/24 will still be accessible via lan1 and lan2.

Change the IP address according to your needs. Set the DHCP server and firewall zone later.

uci add network bridge-vlan
uci set network.@bridge-vlan[-1].vlan='1'
uci set network.@bridge-vlan[-1].device='br-lan'
uci add_list network.@bridge-vlan[-1].ports='lan1'
uci add_list network.@bridge-vlan[-1].ports='lan2'

uci add network bridge-vlan
uci set network.@bridge-vlan[-1].vlan='10'
uci set network.@bridge-vlan[-1].device='br-lan'
uci add_list network.@bridge-vlan[-1].ports='lan3'
uci add_list network.@bridge-vlan[-1].ports='lan4'

uci del network.lan.dns
uci set network.lan.device='br-lan.1'

uci set network.lanb=interface
uci set network.lanb.device='br-lan.10'
uci set network.lanb.proto='static'
uci set network.lanb.ipaddr='192.168.10.1'
uci set network.lanb.netmask='255.255.255.0'
/etc/init.d/network restart

If after running the commands you can still access the router, save the settings.

uci commit network

Otherwise, reboot the device.

15

Thank you very much, it works.
My goal was to create separate networks because I wanted to isolate them (the second ...10.1 from ...1.1), that device connected to 192.168.10.1 can't ping to ...1.1 and open the main router configuration web page on ...1.1
I guess I need to mess with firewall, how can I proceed here?
Thank you again for your help and time =)

16

Looks like a guest network.

uci -q del firewall.@zone[0].network
uci set firewall.@zone[0].network='lan'

uci add firewall zone
uci set firewall.@zone[-1].name='lanb'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].network='lanb'

uci add firewall rule
uci set firewall.@rule[-1].dest_port='53 67'
uci set firewall.@rule[-1].src='lanb'
uci set firewall.@rule[-1].name='LANB-DHCP-DNS'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='udp'

uci add firewall forwarding
uci set firewall.@forwarding[-1].dest='wan'
uci set firewall.@forwarding[-1].src='lanb'
uci commit firewall
/etc/init.d/firewall restart
1 Like
17

Thank you, works like charm.
I am trying to make this setup quite a while, spending hours, following several OpenWrt video tutorials, trying to "translate" those for the old version to my newer one, searching on manual pages too, but I believe I need to start setting these things up in terminal and approach from this angle, as Luci video tutorials mostly are for older firmware.

All I needed is isolate less secure devices from the main (core) network, I did not want to have all my devices on the same network as those others and also learn better about this firmware as it has so many possibilities.

One more thing what's left for my base goal is if I can set rules for main (192.168.1.1) devices to reach those on 192.168.10.1 (one way only) as on those device are shared folders for me to have access to, SMB and NFS shares, as some of those devices are Windows and some Linux.

Thank you

18 
uci add firewall forwarding
uci set firewall.@forwarding[-1].dest='lanb'
uci set firewall.@forwarding[-1].src='lan'
uci commit firewall
/etc/init.d/firewall restart
1 Like
19

It works, thank you very much, today I resolved the problem I was after for some time, after several times get to it and try to solve for hours.

I am just curious, are you evolved in OWRT development or a network professional?
Thank you :wink:

20

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.