Dividing my network by port using switch

Cylac · January 30, 2020, 8:47pm

Hi all,

I know this might be an easy task for anyone who has lots of experience using the SWITCH feature of OpenWRT, however since I don't want to mess up my home network and have my family after me as to why "the internet is down" so I figured I'd ask for some help first

Anyways, as the subject suggests, I'd like to divide my network based on what port they are connected to on my TP-Link Archer C7 v2 running OpenWRT 19.07.

Basically I'd like to be able to monitor the traffic incoming/outgoing on each port using the Statistics component of OpenWRT.

Here's a graphic of what each port does right now:

Here's how my /etc/config/network file looks like right now.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd07:f443:a329::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.76.1'

config interface 'wan'
        option proto 'pppoe'
        option password 'XXXXXX'
        option username 'XXXXXX'
        option ipv6 '0'
        option ifname 'eth0.35'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '35'
        option ports '6t 1t'

Any help would greatly be appreciated

thanks

psherman · January 30, 2020, 9:34pm

Most built-in switches in consumer grade gear do not have the means of monitoring per-port bandwidth. So to do this, you would need to split your single network into multiple individual networks (subnets), thus making each port its own network. In order to communicate across the different networks, you would need to have firewall zones and rules that permit such connections. This is great from an access/security perspective, but will probably make everything else much more difficult (the default config will break mdns/auto-discovery and such, some local device firewalls may need additional configuration to share across networks, etc.), and could result in bottlenecks as the traffic needs to be routed (through the CPU and/or hardware offload engine in the router), rather than switched through at full line rate.

You're probably better off getting a smart/managed switch that can give you per-port statistics.

mk24 · January 30, 2020, 10:00pm

In the switch, have a separate VLAN for each user LAN port. Instead of attaching them all to eth1.1, have only one there, the next one on VLAN2 (which becomes eth1.2) next one VLAN3, etc. All of these are untagged on the physical port and tagged to the CPU eth1.

Then in /etc/config/network, bridge all of them together with option ifname 'eth1.1 eth1.2 eth1.3 eth1.4'

Now the kernel sees and can count every packet that goes in and out of each port separately, but logically (and for the firewall) they are still all part of the LAN. It has replaced hardware switching with a software bridge. As you might expect, there is a slight performance penalty for this.

You may want to leave the PC and NAS in a hardware VLAN as you likely don't want to count packets of the PC reading files.

Cylac · January 30, 2020, 10:08pm

Thanks so much for that detailed response! It completely makes and I guess the next thing to do is start shopping for a smart/managed switch!

I have a small 5 port one that I use to split up my isp fiber connection so I don’t have to use their modem. I only use theirs for tv.

Fiber => (tp-link fiber to ether converter) => (tp-link 5 port managed switch with vlans) => port 1 to (Tp-link router)
and port 2 to (isp modem/router)

I guess I could get a big enough switch that I could hook up the fiber to directly and do the vlan stuff and hook up my entire network to it on individual ports. Any recommendations? I’m a pretty big fan of tp-link’s hardware

Thanks again

Cylac · January 30, 2020, 10:09pm

That’s what I initially thought I could do!
I’ll give this a whirl and let you know how it goes.

Thanks!