TO lan4 = TOLp4
Netgear wndr3700v2 = NG
NG port to TOLp4 = NGpT
NG lan ports = NGpL
NG Wlan ports = NGpW
TOLp4 <--- cat cable / VLAN trunk ----> NGpT
On the TO configure trunk ports
config interface 'lan'
	option type 'bridge'
	option ifname 'lan0 lan1 lan2 lan3 lan4.1'

config interface 'dmz'
	option type 'bridge'
	option ifname 'lan4.2'
On the NG (pardon, I cannot assist with the exact config for it)
configure NGpT as trunk port (tagged) with VLAN ID 1 and 2
configure NGpL as access ports (untagged) with VLAN ID 1
configure NGpW as access ports (untagged) with VLAN ID 2
Maybe also have a look at this thread (towards the bottom or what is marked as solution): [Solved] Internet redudancy with two routers and two connections
Excuse me for the late response, I have little time...
Then, this seems to work:
Turris Omnia.
config interface 'lan'
	option type 'bridge'
	option ifname 'lan0 lan1 lan2 lan3 lan4'

config interface 'dmz'
	option type 'bridge'
	option ifname 'lan4.1'
Netgear wndr3700v2 (this is a switch, it doesn't have direct internet access, it gets internet access through the Turris Omnia)
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0 eth1'

config device 'lan_eth0_dev'
	option name 'eth0'

config device 'lan_eth1_dev'
	option name 'eth1'

config interface 'dmz'
	option type 'bridge'
	option ifname 'eth1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'
I can't find documentation about config device 'lan_ethX_dev', only this.
I will need to test that the networks are really isolated. And there seems to be some trouble with DNS resolution on devices connected to the LAN on the Netgear (I will need to verify this).
I would like to know your opinion about this config. Thanks.
see [1]
does not achieve anything, can be removed.
Which is somewhat odd since it seems that you wanted VID 1 for LAN and VID 2 for DMZ but now you set VID 1 for DMZ instead?
Do you have any port schematics/layout for the wndr3700v2? If I look this up it shows as Dualband-Gigabit-WLAN-Router instead and not a pure switch device, apparently with a built-in switch (4 lan ports?). What are the eth0 (WAN?) and eth1 (CPU port facing the switch?) ports?
[1] /etc/config/network: config device section
Never mind, just found [2]
switch port 5 <---> CPU port eth0
CPU port eth1 <---> WAN
[2] https://openwrt.org/toh/netgear/wndr3700
On the NG turn off (to avoid duplicity and subsequent issues since all should be handled by the TO):
DHCPv4 server
DHCPv6 server
DNS server
Firewall
On the TO create and groom the DMZ firewall zone according to your requirements and assign the DMZ interface to that zone, e.g. lan4.2
Then what is your intention with eth1 (WAN) on the NG:
leverage it as upstream port/link to the TO and thus have all four LAN ports at disposal, which increases CPU cycles? or
forgo the port and connect to the TO from a Lan port instead, with less CPU cycles?
The UCI config for DSA is very limited. I don't care about the VIDs, I want two isolated networks:
LAN: Turris wifi + Turris ports + Netgear ports with my devices (PC, TV, mobile, etc) and one LXC container (samba, minidlna, etc) in the Turris.
DMZ: Netgear wifi with guest devices (mobile of friends, etc) and one LXC container (transmission, etc) in the Turris.
Yes, the Netgear is a router, but I am using it as a switch. I only have one internet connection with only one ISP and it is connected to the Turris.
The Netgear eth0 is the CPU port facing the switch and eth1 is the WAN.
This is the full configuration:

Turris /etc/config/network:
config interface 'lan'
	option type 'bridge'
	option ifname 'lan0 lan1 lan2 lan3 lan4'

config interface 'dmz'
	option type 'bridge'
	option ifname 'lan4.1'

config interface 'wan'
	option ifname 'eth2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth2'
	option proto 'dhcpv6'
Turris /etc/config/dhcp:
config dnsmasq
	option local '/lan/'
	option domain 'lan'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'dmz'
	option interface 'dmz'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
Turris /etc/config/firewall:
config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option drop_invalid '1'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option name 'dmz-input-icmp'
	option src 'dmz'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'dmz-input-icmpv6'
	option src 'dmz'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'dmz-forward-icmpv6'
	option src 'dmz'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'wan-input-bootpc'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'wan-intput-dhcpv6client'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'wan-input-icmp'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'wan-input-icmpv6'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'wan-input-igmp'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'wan-input-mld'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'wan-forward-icmpv6'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
Netgear /etc/config/network:
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0 eth1'
	option gateway '<TURRIS_LAN_IP>'

config interface 'dmz'
	option type 'bridge'
	option ifname 'eth1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'
Netgear /etc/config/dhcp:
config dnsmasq
	option local '/dmz/'
	option domain 'dmz'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'dmz'
	option interface 'dmz'
	list dhcp_option '3,<TURRIS_DMZ_IP>'
	option dhcpv6 'server'
	option ra 'server'
Netgear /etc/config/firewall:
config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option drop_invalid '1'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'dmz'

config rule
	option name 'dmz-input-icmp'
	option src 'dmz'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'dmz-input-icmpv6'
	option src 'dmz'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'dmz-input-bootps'
	option src 'dmz'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'dmz-intput-dhcpv6server'
	option src 'dmz'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'dmz-input-domain'
	option src 'dmz'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'dmz-forward-icmpv6'
	option src 'dmz'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
There should be only one instance in the network to handle
If you duplicate those it adds complexity and potential for issues. Why do you want DHCP server and Firewall, maybe even DNS server, on the NG?
Less workload for the Turris; the Netgear is doing little and the Turris will have two containers (yes, the firewall in the Netgear can be redundant).
But no trouble turning off DNS, DHCP and firewall in the Netgear. My main objective is the two isolated networks.
I have doubts, mainly if this:
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'
should be:
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'
but then it doesn't seem to work.
I will try to come up with something but I am not going through any Firewall and DHCP settings on the NG. Also not working in abstracts but specifics:
Lan port 4 on the TO still to be connected to the NG?
you want eth1 on NG to connect to the TO or any Lan port on NG, and if the latter which of the Lan ports - this would be important since the outside Lan labelling appears oddly inverted to the switch port naming, at least the way it is depicted
Yes, LAN port 4 on the TO is connected to WAN on the NG and working.
With this, all seems to work but I am not sure about the isolation:
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'
anon45274024:
you want eth1 on NG to connect to the TO or any Lan port on NG, and if latter which of the Lan ports - this would be important since the outside Lan labelling appears oddly inverted to the switch port naming, least the way it is depicted
WAN port is labeled correctly and separately (yes, the switch LAN ports are inverted in the case labels)
PS: Thank you very much for your interest in this.
Suggest we take one step at time, skip the guest network for the moment, and use the Lan as stepping stone first.
On the TO:
config interface 'lan'
	option ifname 'lan0 lan1 lan2 lan3 lan4.1'
check with bridge v that lan0 - lan3 are showing
lan0 1 PVID Egress Untagged
lan1 1 PVID Egress Untagged
lan2 1 PVID Egress Untagged
lan3 1 PVID Egress Untagged
If not then run from the cli
bridge v a dev lan0 vid 1 pvid untagged
bridge v a dev lan1 vid 1 pvid untagged
bridge v a dev lan2 vid 1 pvid untagged
bridge v a dev lan3 vid 1 pvid untagged
and check again with bridge v
On the NG
config interface 'wan'
	option type 'bridge'
	option proto 'dhcp'
	option ifname 'eth1.1'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname '@wan'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0u 1u 2u 3u 5t'
I will reset to the default config, to start from zero.
In the meantime, NG eth1 is WAN so it is not affected by:
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0u 1u 2u 3u 5t'
hence
config interface 'wan'
	option ifname 'eth1.1'
What I probably missed on NG is
config interface 'lan'
	option type 'bridge'
	option proto 'dhcp'
	option ifname 'lan0 lan1 lan2 lan3'

config interface 'lan6'
	option proto 'dhcpv6'
	option ifname '@lan'
	option reqaddress 'try'
	option reqprefix 'auto'
NG only has 2 interfaces (and it doesn't use DSA):
eth1 -> WAN
eth0 -> LAN switch port 5
TO done:
# bridge v
port vlan ids
lan0 1 PVID Egress Untagged
lan1 1 PVID Egress Untagged
lan2 1 PVID Egress Untagged
lan3 1 PVID Egress Untagged
br-lan 1 PVID Egress Untagged
lan4.1 1 PVID Egress Untagged
Right, so then perhaps it makes sense
config interface 'wan'
	option ifname 'eth1.1 eth0'
Not good - please remove that one since it has to be tagged - being the trunk port to the NG
It is being taken care of with
config interface 'lan'
	option ifname 'lan0 lan1 lan2 lan3 lan4.1'
Currently.
NG (I am using LAN and not WAN because the default firewall drops SSH on WAN):
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0 eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
TO:
config interface 'lan'
	option type 'bridge'
	option ifname 'lan0 lan1 lan2 lan3 lan4.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
but:
port vlan ids
lan0 1 PVID Egress Untagged
lan1 1 PVID Egress Untagged
lan2 1 PVID Egress Untagged
lan3 1 PVID Egress Untagged
br-lan 1 PVID Egress Untagged
lan4.1 1 PVID Egress Untagged
TO:
ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=0.682 ms
64 bytes from 192.168.1.2: seq=1 ttl=64 time=0.350 ms
64 bytes from 192.168.1.2: seq=2 ttl=64 time=0.350 ms
It is not good practice since it creates a hybrid port (tagged as trunk port | untagged as access port)
Suggest to delete it with bridge v d dev lan4.1 vid 1
Can you ping from a Lan client on the TO a Lan client on the NG and vice versa, provided that the clients are not blocked by their own firewall?
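An added check for the bridge v listings exchanged above (example code written for this thread, not posted by any participant): it parses the output layout shown, flags a trunk member that has untagged/PVID egress (the hybrid port case just described) and reports any access port that is a member of both the LAN and DMZ VIDs. The trunk name lan4, VIDs 1 and 2, and the sample listing are assumptions.

```python
import re

# Constructed sample in the layout `bridge vlan show` prints (not output from
# the thread): lan0-lan3 are untagged access ports on the LAN VID, lan4 is the
# trunk to the NG tagged on VIDs 1 and 2, and lan4.1 is the untagged PVID
# member the thread calls a hybrid port.
SAMPLE = """\
port    vlan ids
lan0     1 PVID Egress Untagged
lan1     1 PVID Egress Untagged
lan2     1 PVID Egress Untagged
lan3     1 PVID Egress Untagged
lan4     1
         2
lan4.1   1 PVID Egress Untagged
br-lan   1 PVID Egress Untagged
"""

# port name (absent on continuation rows), vid, remaining flags
ENTRY = re.compile(r"^(\S+)?\s+(\d+)(.*)$")


def parse_bridge_vlan(text):
    """Return {port: {vid: set(flags)}}; continuation lines carry only a VID."""
    table, port = {}, None
    for line in text.splitlines()[1:]:            # first line is the header
        m = ENTRY.match(line)
        if not m:
            continue
        port = m.group(1) or port                 # keep port for continuation rows
        table.setdefault(port, {})[int(m.group(2))] = set(m.group(3).split())
    return table


def audit(table, trunk, lan_vid, dmz_vid):
    """Report members that break LAN/DMZ isolation across the trunk."""
    findings = []
    for port, vids in table.items():
        if port.startswith("br-"):                # the bridge's own entry
            continue
        on_trunk = port == trunk or port.startswith(trunk + ".")
        if on_trunk and any(f & {"PVID", "Untagged"} for f in vids.values()):
            findings.append(f"{port}: untagged/PVID egress on the trunk (hybrid port)")
        if not on_trunk and lan_vid in vids and dmz_vid in vids:
            findings.append(f"{port}: member of both VID {lan_vid} and VID {dmz_vid}")
    missing = {lan_vid, dmz_vid} - set(table.get(trunk, {}))
    if missing:
        findings.append(f"{trunk}: trunk does not carry VID(s) {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_bridge_vlan(SAMPLE), "lan4", 1, 2):
        print(finding)
```

Run it against the real listing by piping bridge vlan show into it; an empty result means access ports and the trunk are separated as intended.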
Excuse me, I need to leave. We continue at another time, right? Thanks and sorry.
No ping from TO-PC to NG-PC. The NG-PC gets no IP (it is a Wandboard, no keyboard or screen at this moment)