Create separate subnet

My router is a PC with 3 eth ports.
-eth1 is my WAN
-eth2 is my LAN 192.168.2.1/24 with DHCP enabled.

I would like to enable eth3 with a separate subnet, 192.168.3.1/24, with DHCP enabled. The two subnets must not be able to see each other, but both must have Internet access. eth3 should be shaped to 20 Mbps down / 3 Mbps up. How do I achieve that, please?

To better assist you, please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

I have created the second subnet on a different interface and it has access to the Internet. At the moment both subnets can reach each other. Also, there is no traffic shaping on the second subnet (192.168.2.0/24) and no DHCP on that interface either.


root@APU_orange: ~ $ **ubus call system board**
{
        "kernel": "5.15.137",
        "hostname": "APU_orange",
        "system": "AMD G-T40E Processor",
        "model": "PC Engines apu1",
        "board_name": "pc-engines-apu1",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

root@APU_orange: ~ $ **cat /etc/config/network**

# NOTE(review): the opening post describes eth1 as WAN and eth2 as the
# 192.168.2.1/24 LAN. In this file eth0 carries the PPPoE WAN, eth1 is the
# 192.168.1.1/24 LAN and eth2 is the second subnet; the replies below refer
# to these names.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # Locally generated IPv6 ULA prefix; not secret.
        option ula_prefix 'fd56::/48'

# br-lan bridges only eth1.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

# PPPoE WAN on eth0; the credentials were redacted before posting.
config interface 'WAN_pppoe'
        option proto 'pppoe'
        option device 'eth0'
        option username 'xyz'
        option password 'abc'
        option ipv6 '0'

# WireGuard server; the private key was redacted before posting.
config interface 'WG_server'
        option proto 'wireguard'
        option private_key ''
        option listen_port '61820'
        list addresses '10.14.0.1/24'

config wireguard_WG_server
        option description 'A_mobile'
        option public_key ''
        # NOTE(review): a single road-warrior peer is normally given a /32.
        # With a /21 WireGuard accepts packets from this peer carrying any
        # source address in 10.14.0.0/21 (wider than the tunnel's own /24),
        # and route_allowed_ips below also routes that whole range to this
        # peer. '10.14.0.3/32' is the expected value — confirm intent.
        list allowed_ips '10.14.0.3/21'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# Second address on the physical WAN port, alongside the PPPoE session;
# presumably used to reach the modem's management address.
config interface 'Modem_check'
        option proto 'static'
        option ipaddr '192.168.178.27'
        option netmask '255.255.255.0'
        option device 'eth0'

# Second subnet directly on eth2 (no bridge; none is needed for one port).
# The router's address here is .250 rather than the .1 mentioned in the
# opening post. This interface is listed in the *wan* zone of
# /etc/config/firewall below, which is why it is masqueraded and why the
# lan zone can reach it.
config interface 'Subnet2_2_1'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.2.250'
        option netmask '255.255.255.0'
root@APU_orange: ~ $ **cat /etc/config/dhcp**

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Refuse upstream answers that resolve to private ranges (DNS rebinding).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Answer DNS queries only from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        # Every upstream query goes to a local listener on port 5353 that is
        # not shown in this thread (presumably a DoT/DoH proxy — confirm);
        # noresolv makes dnsmasq ignore the resolvers learned from the WAN.
        list server '192.168.1.1#5353'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        # 2-minute leases are unusually short (queried at the end of the thread).
        option leasetime '2m'
        option start '161'
        option limit '31'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# NOTE(review): there is no 'config dhcp' section for Subnet2_2_1, which is
# why that interface hands out no addresses, as reported above.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


# Static leases. NOTE(review): the MAC addresses below were not redacted,
# although the request above asked for that.
config host
        option name 'retropie'
        option mac 'B8:27:EB:18:27:92'
        option ip '192.168.1.243'




config host
        option mac 'B8:27:EB:21:BB:E5'
        option name 'RPI-vpn'
        # Also publish a DNS record for this host.
        option dns '1'
        option ip '192.168.1.251'

config host
        option name 'raspberrypi'
        option mac 'B8:27:EB:37:4E:3A'
        option ip '192.168.1.241'

root@APU_orange: ~ $ **cat /etc/config/firewall**

config defaults
        # Policy for packets that match no zone. Every non-loopback interface
        # in this file is assigned to a zone, so this rarely applies, but
        # REJECT is the safer default (the later configs in this thread use it).
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# The lan zone also holds the WireGuard interface, so VPN peers get exactly
# the same access as wired LAN hosts, including every router service
# (input ACCEPT).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WG_server'

# NOTE(review): Subnet2_2_1 sits in the wan zone, i.e. it is treated like
# the Internet: its traffic is masqueraded, unsolicited packets from it to
# the router are rejected (the only inbound UDP port opened below is 68, so
# a DHCP server on that interface could not even be reached), and because
# lan -> wan forwarding is allowed below, lan hosts can reach 192.168.2.0/24.
# It needs a zone of its own; see the suggested config further down.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'Modem_check'
        list network 'WAN_pppoe'
        list network 'wan'
        list network 'Subnet2_2_1'

# The only inter-zone forwarding. 'wan' means every interface in that zone,
# Subnet2_2_1 included.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here to Allow-ISAKMP appear to be the stock OpenWrt rules.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers ping from the Internet (stock behaviour).
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec passthrough into lan; harmless if nothing in lan speaks IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Inbound port forward: exposes 192.168.1.251 (host 'RPI-vpn' in the dhcp
# config) on port 41820 to the Internet.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '41820'
        option dest_ip '192.168.1.251'
        option dest_port '41820'
        option name 'Server_PI'

# NOTE(review): this DNATs the router's own WireGuard port (61820, see
# WG_server) to the router's lan address. The conventional way to open a
# port the router itself listens on is an input rule — 'config rule' with
# src wan, proto udp, dest_port 61820, target ACCEPT — not a redirect.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard_Router'
        option src 'wan'
        option src_dport '61820'
        option dest_port '61820'
        option dest_ip '192.168.1.1'

# Forces all lan DNS (tcp/udp 53) to the router itself. Only src 'lan' is
# covered; a new zone needs its own copy to get the same protection.
config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'
        option family 'any'

Try the following. No guarantee it will work, so back up your configuration (a copy of /etc/config) first, just in case.

Assuming the port you want to activate is eth2, put something like the following in /etc/config/network:

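# Bridge for the isolated network. A bridge is not required for a single
# port, but it lets more ports be added later without touching the interface.
config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth2'

# The interface is bound to the bridge, not to eth2 directly. The closing
# quote on ipaddr was missing in the original snippet; UCI rejects the file
# without it.
config interface 'guest'
        option device 'br-guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ipaddr '192.168.3.1'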

Next, set up DHCP: in /etc/config/dhcp add:

# DHCP pool for the guest interface: 192.168.3.150–192.168.3.249, 60-minute
# leases. The pool is tied to the 'guest' network interface, so dnsmasq also
# serves DNS on it.
config dhcp 'guest'
        option interface 'guest'
        option dhcpv4 'server'
        option leasetime '60m'
        option start '150'
        option limit '100'

Next, add to /etc/config/firewall:

# A zone of its own for the guest network. forward REJECT only governs
# traffic between interfaces inside this zone; isolation from lan comes from
# the global forward REJECT plus the absence of any guest<->lan forwarding.
config zone
        option name 'guest'
        # input ACCEPT lets guest clients reach every router service (ssh,
        # LuCI, DNS). For an untrusted network set this to REJECT and add
        # rules that allow only udp/67 (DHCP) and tcp+udp/53 (DNS) from guest.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# Internet only: guest -> wan, nothing towards lan.
config forwarding
        option src 'guest'
        option dest 'wan'

You might want to set input to REJECT and then allow only what the guest clients need from the router: one rule for DHCP (src 'guest', proto udp, dest_port 67, target ACCEPT) and one for DNS (src 'guest', proto 'tcp udp', dest_port 53, target ACCEPT). Otherwise guest clients can reach ssh and LuCI on the router.

I do not see any speed limits anywhere in these configs.

Did you install sqm?

I have tried the config and here is what I currently have:
/etc/config/network


# NOTE(review): the interface roles differ from the first listing (eth0 is
# now the LAN, eth1 a DHCP WAN, LAN address 192.168.9.1).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'


config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth2'

config interface 'guest'
        option device 'br-guest'
        option proto 'static'
        # BUG: 'option device' appears twice in this section; the later line
        # wins, so the interface is put on eth2 directly while eth2 is also a
        # port of br-guest. That is the likely reason even a static
        # 192.168.3.24 could not reach 192.168.3.1. Delete this line.
        option device 'eth2'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

/etc/config/firewall

# NOTE(review): only one of the stock Allow-* rules is shown here; the rest
# were possibly trimmed from the paste.
config defaults
        # Older option name; the other firewall listings in this thread use
        # 'synflood_protect'.
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# BUG: 'guest' is listed in the wan zone. With input REJECT the router
# rejects the guests' DHCP requests (udp/67 — only udp/68 is opened below),
# and with forward REJECT and no 'config forwarding' from guest there is no
# Internet for them either. This contributes to "not getting any IP offers".
# guest belongs in its own zone with a guest -> wan forwarding.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'guest'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

/etc/config/dhcp


config dnsmasq
        option domainneeded '1'
        # Never forward reverse lookups for private ranges upstream.
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Refuse upstream answers that resolve to private ranges (DNS rebinding).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers are the ones learned from the WAN (DHCP here).
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Answer DNS queries only from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# lan gets IPv4 DHCP plus DHCPv6/RA; the guest pool below is IPv4 only.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '3h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# Pool 192.168.3.150–.249. This section is correct on its own; the missing
# offers reported below come from the network/firewall config, not from here.
config dhcp 'guest'
        option interface 'guest'
        option dhcpv4 'server'
        option leasetime '2m'
        option start '150'
        option limit '100'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


The problem I am facing is that when connecting to the new LAN port I do not get any IP offers from DHCP. Even if I assign my laptop a static IP (192.168.3.24/24) I cannot reach 192.168.3.1.

Just a reminder: I am looking to create a new interface on the router with 192.168.3.1/24. The two LAN subnets must be completely isolated from each other, but both must have access to the Internet.

any hints here?

This is what I did. It does not work. That's why I replied to your original post.
Any ideas, please?

Not quite. The guest interface must use the bridge you defined (br-guest), not eth2 directly — your 'guest' section has two `option device` lines and the second one (eth2) wins.

And you put the guest network in the wan zone, which means it won't work: with that zone's input REJECT the router refuses the guests' DHCP requests. It needs to be in a new firewall zone, with forwarding from that zone to wan, per @egc's original comment.


Here are screenshots from my LuCI




Now I can get an IP from DHCP and I can access the Internet. Still pending: both LANs can see each other; they need to be isolated.

Please post your configs in text form.

/etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # Locally generated IPv6 ULA prefix; not secret.
        option ula_prefix 'fdae:40e0:d0a9::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

# Second LAN directly on eth2 — fine for a single port; the earlier
# duplicate 'option device' problem is gone. No ip6assign, so lan2 is
# IPv4-only, which keeps the IPv6 side out of the isolation question.
config interface 'lan2'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        # Redundant: the broadcast address follows from ipaddr/netmask.
        option broadcast '192.168.3.255'

/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        # Global forward REJECT: traffic between zones is only allowed where
        # a 'config forwarding' says so. There is none between lan and lan2
        # in this file, so routed traffic between the two LANs is rejected.
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

 


# Own zone for the second LAN; the only forwarding out of it is to wan.
config zone
        option name 'lan2'
        # input ACCEPT means lan2 clients can reach every router service
        # (ssh, LuCI, DNS) and the router's addresses on *both* subnets —
        # e.g. 192.168.9.1 answers pings from lan2. That is input, not
        # forwarding, and is not a leak between the LANs, but for an
        # "isolated" network REJECT plus explicit allow rules for udp/67
        # (DHCP) and tcp+udp/53 (DNS) is the safer setting.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan2'

config forwarding
        option src 'lan2'
        option dest 'wan'

/etc/config/dhcp


config dnsmasq
        option domainneeded '1'
        # Never forward reverse lookups for private ranges upstream.
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Refuse upstream answers that resolve to private ranges (DNS rebinding).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers are the ones learned from the WAN (DHCP here).
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Answer DNS queries only from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        # 2-minute leases are unusually short (queried at the end of the thread).
        option leasetime '2m'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Pool 192.168.3.100–.249 for lan2. Unlike the lan section there is no
# explicit dhcpv4 option; adding "option dhcpv4 'server'" makes the intent
# clear.
config dhcp 'lan2'
        option interface 'lan2'
        option start '100'
        option limit '150'
        option leasetime '2m'

You can remove `option broadcast`; it is not necessary.

Please reboot your router and check again. Also, how exactly do you test? Note that from lan2 the router's own addresses on the other subnet (e.g. 192.168.9.1) stay reachable, because traffic addressed to the router is governed by the zone's input policy (ACCEPT here), not by forwarding. Test isolation by trying to reach a host on the other LAN, not the router itself.

I noticed you have a very short lease time (2m) — any reason why?