I want to separate my network with VLANs. I thought I had all the configuration done, but the device which I put in VLAN 103 doesn't get an IP address.
Let me first describe my network infrastructure:
I have a FritzBox 7490 with the original OS, which is connected to the internet. This 7490 is connected to a TP-Link switch TL-SG1016DE on port 1.
Port 9 of this switch is connected to the WAN port of a FritzBox 4040, which runs OpenWrt.
Port 10 of this switch is connected to port LAN1 of the 4040.
Port 3 is connected to an internet radio.
I created VLAN 101 for DMZ (not in use), VLAN 102 for Guest and VLAN 103 for IoT in OpenWrt. And I changed the default VLAN 1 to 100, because the FritzBox 4040 has problems with VLANs 1 and 2.
All these VLANs are tagged on port 9 of the switch, which is port 5 on the 4040.
In the switch, port 2 is also tagged with all VLANs; it leads to another TP-Link switch, TL-SG108E.
Port 3 of the switch TL-SG1016DE is untagged in VLAN 103.
The problem is that no IP address is assigned to the internet radio on port 3.
Here are the relevant parts of /etc/config/network on OpenWrt:
In your first post, you commented that all VLANs are tagged on port 9 of the main switch, but in the drawing port 9 is connected to the WAN port of the router. Shouldn't you be using port 10 for trunking? Or is this just a typo?
No typo. I tagged port 9 of the switch, which is connected to the WAN port of the OpenWrt router. I read in another post (https://forum.openwrt.org/t/solved-vlans-on-ipq40xx-alternative-config-for-fritzbox-4040/41832/3) that on this FritzBox 4040 the driver does not work well with VLANs and port 5 (which is the WAN port) must be tagged. Otherwise the router is not reachable after VLAN is enabled.
I also tried to tag port 10, which is connected to port LAN1 of the OpenWrt router. But this also leads to an unreachable router.
On the router's port LAN1 you have VLANs 100, 101, 102, and 103, all of them tagged. These are connected to port 10 of the main router, but you do not have them tagged on that port. Then, how is this switch supposed to untag all these VLANs?
Unless I am wrong, on the main router you should also define VLANs 100, 101, 102, and 103, all of them tagged on port 10, and untagged on one port each.
Now the internet radio gets an IP address, 192.168.103.107!
But there are still problems:
As DNS it gets 192.168.103.1, and this doesn't exist. So no connection to the internet is made.
I have a raspi with Pi-hole, which acts as DNS resolver, but this is in the network 192.168.178.x of the FritzBox 7490. Is it a good solution to define this DNS server in the network interface of each VLAN?
OpenWrt is not reachable after tagging on port LAN1. I tagged port 1 (LAN1) for VLAN 100 too; is this causing the problem?
I don't really understand this, because the WAN port cannot be used with VLAN, but it works!
Problem 2 is still unsolved. I tried to set DNS to 192.168.178.1 (= FritzBox 7490, where the raspi is set as DNS) and then add gateway 192.168.178.1. In the internet radio I still see gateway and DNS set to 192.168.103.1. In OpenWrt I see it correctly:
Any hints about this?
The DHCP server on OpenWrt is offering itself as DNS, because that is the default behavior. dnsmasq acts both as a DHCP server and a DNS cache.
If you want to use a different DNS, you have two options:
Configure the DNS at the router to use a different upstream DNS.
Send a different DNS to your clients, using specific DHCP options.
The gateway must always be within the network segment where it is defined. You cannot have a gateway at 192.168.178.1 in a 192.168.103.1/24 network, because it cannot be reached. Besides, a gateway and a DNS are two completely different things, and (as far as I know) the Pi-hole is just a DNS.
The FritzBox 7490 (192.168.178.1) acts as DHCP server in my network. But in the 7490 the raspi (192.168.178.52) is configured as DNS server. Pi-hole runs on the raspi.
The OpenWrt router gets via WAN an IP address 192.168.178.73 from the main network and so automatically uses the raspi as DNS.
The OpenWrt LAN interface is configured with the static IP address 192.168.1.1.
I understand that a DNS server has to be in the same network as the client. But which strategy can be used with VLANs on OpenWrt? Is it necessary to configure a DNS server for each VLAN network? And how does this DNS server get the necessary information from the internet DNS servers?
Or is it possible to use the DNS information which the router gets over the WAN interface? If yes, how?
OK, a DNS server has to be in the same local network or on the internet.
The Google DNS is only a temporary option for me. But I set the DNS 8.8.8.8 in the IOT interface for testing. This is also not working. The internet radio still gets the same DNS 192.168.103.1 and cannot establish an internet connection.
Maybe my firewall configuration is not correct? Here is the /etc/config/firewall:
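The two options from the reply above, written out as UCI fragments for this thread's setup. This is an added example, not configuration posted in the thread or shipped by OpenWrt. The interface name IOT, the VLAN sub-interface eth0.103 (swconfig-style naming on an older OpenWrt build), and the DHCP pool values are assumptions; the addresses 192.168.103.1 (the OpenWrt IoT gateway) and 192.168.178.52 (the Pi-hole) are the ones the thread gives.

```uci
# --- /etc/config/network (fragment) ---

# Assumed VLAN 103 interface; the address is the one the thread uses.
config interface 'IOT'
    option proto 'static'
    option ipaddr '192.168.103.1'
    option netmask '255.255.255.0'
    # assumption: VLAN 103 sub-interface on the CPU port (swconfig naming)
    option ifname 'eth0.103'

# Option 1: keep dnsmasq on 192.168.103.1 as the DNS the IoT clients see,
# but make the router itself resolve through the Pi-hole instead of the
# DNS server learned from the FritzBox 7490 over DHCP.
config interface 'wan'
    option proto 'dhcp'
    option peerdns '0'
    list dns '192.168.178.52'

# --- /etc/config/dhcp (fragment) ---

# Option 2: hand the Pi-hole address directly to the IoT clients via
# DHCP option 6 (dns-server). dnsmasq then no longer offers 192.168.103.1.
config dhcp 'IOT'
    option interface 'IOT'
    option start '100'
    option limit '150'
    option leasetime '12h'
    list dhcp_option '6,192.168.178.52'
```

Option 1 is the one that keeps the IoT VLAN isolated: the radio only ever talks DNS to 192.168.103.1, and only the router needs a path to 192.168.178.52. With option 2 every IoT client needs a forwarding path through the wan zone to the 192.168.178.0/24 network, which is exactly the traffic the thread later finds blocked until masquerading on wan is enabled; with masquerading on, the Pi-hole sees all those queries coming from the router's WAN address 192.168.178.73 rather than from individual IoT devices. Either way, Pi-hole must be configured to answer queries that do not originate from its own subnet, or from the router's address, before option 2 works.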
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'wan wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config zone
    option name 'VPN'
    option mtu_fix '1'
    option input 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option output 'ACCEPT'
    option network 'WG0'

config forwarding
    option dest 'lan'
    option src 'VPN'

config nat
    option target 'MASQUERADE'
    option name 'VPN'
    option src_ip '192.168.20.0/24'
    option src '*'

config forwarding
    option dest 'wan'
    option src 'VPN'

config zone
    option network 'DMZ'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option name 'DMZ'
    option output 'ACCEPT'

config zone
    option network 'Gast'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option name 'GAST'

config zone
    option network 'IOT'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option name 'IOT'
    option output 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'DMZ'

config forwarding
    option dest 'wan'
    option src 'GAST'

config forwarding
    option dest 'wan'
    option src 'IOT'

config forwarding
    option dest 'DMZ'
    option src 'lan'

config forwarding
    option dest 'IOT'
    option src 'lan'

# Allow DNS Guest -> Router
# Client DNS queries originate from dynamic UDP ports (>1023)
config rule
    option name 'Allow DNS Queries'
    option src 'IOT'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

# Allow DHCP Guest -> Router
# DHCP communication uses UDP ports 67-68
config rule
    option name 'Allow DHCP request'
    option src 'IOT'
    option src_port '67-68'
    option dest_port '67-68'
    option proto 'udp'
    option target 'ACCEPT'
192.168.103.1 is the OpenWrt router. It is pingable from a laptop which is connected to a VLAN 103 port.
But this laptop has no connection to the network 192.168.178.xx where the DNS server is located, and no connection to internet addresses. I guess the VLAN interfaces have no access to WAN, although forwarding for the zones in the firewall is allowed.
I found the solution:
In the firewall zone wan, Masquerading and MSS clamping were deactivated. I activated these settings, and after that DNS is working and ping to 192.168.178.x works.
I have to check whether this solution is practicable, because the goal was to separate the VLANs from each other. Maybe I have to create another VLAN for the "normal" devices, which then cannot be reached from the IoT and Guest VLANs.
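The fix found above (masquerading and MSS clamping on the wan zone), combined with the separation the last post asks for, as an /etc/config/firewall fragment for the IOT zone. This is an added example, not configuration from the thread; the zone and network names (wan, lan, IOT) and the addresses are the thread's, the rule names are made up. It replaces the all-ACCEPT zones of the posted config with the reject-by-default layout that OpenWrt ships, so the Allow-DHCP-Renew, Allow-Ping and Allow-ICMPv6 rules already present in the posted config become meaningful instead of redundant.

```uci
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    # unlisted zone pairs are not forwarded
    option forward 'REJECT'
    option synflood_protect '1'

# wan here is the 192.168.178.0/24 home network behind the FritzBox 7490.
# masq '1' is the setting that made DNS and ping work in the thread; the
# IoT VLAN then appears upstream as the router's WAN address 192.168.178.73.
config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

# IoT devices may talk to the router only through the explicit rules below,
# and to other zones only through the explicit forwardings below.
config zone
    option name 'IOT'
    option network 'IOT'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

# IOT -> wan (internet and the Pi-hole); replies come back via conntrack.
config forwarding
    option src 'IOT'
    option dest 'wan'

# lan -> IOT only: forwardings are one-directional, so the IoT VLAN cannot
# open connections into lan even though lan devices can reach the radio.
config forwarding
    option src 'lan'
    option dest 'IOT'

# DHCP from IoT clients to dnsmasq on 192.168.103.1
config rule
    option name 'Allow-DHCP-IOT'
    option src 'IOT'
    option proto 'udp'
    option dest_port '67'
    option family 'ipv4'
    option target 'ACCEPT'

# DNS from IoT clients to dnsmasq on 192.168.103.1
config rule
    option name 'Allow-DNS-IOT'
    option src 'IOT'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

# Rules are evaluated in order: permit DNS to the Pi-hole (192.168.178.52)
# first, then reject everything else from IOT into the home LAN so that
# the "normal" devices on the 7490 side are not reachable from IoT.
# Internet traffic is unaffected because its dest_ip is not in that range.
config rule
    option name 'Allow-IOT-to-Pihole-DNS'
    option src 'IOT'
    option dest 'wan'
    option dest_ip '192.168.178.52'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Block-IOT-to-home-LAN'
    option src 'IOT'
    option dest 'wan'
    option dest_ip '192.168.178.0/24'
    option proto 'all'
    option target 'REJECT'
```

The last two rules are what the final post is reaching for without a second VLAN: with masquerading on wan, the whole 192.168.178.0/24 network (the 7490, the raspi, and every "normal" device) is otherwise one hop away from the IoT VLAN, so the separation has to be enforced by a rule on the IOT-to-wan path rather than by the zone layout alone. Applying the same zone pattern to GAST and DMZ, and dropping the lan-to-IOT forwarding if lan devices never need to initiate connections to the radio, tightens this further; after editing, `/etc/init.d/firewall reload` applies the change.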