DSA with two VLAN on one Network

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi
I try to migrate my WRT3200ACM to the 21.02.1 firmware and I have a setup I don't see how to do this with DSA.

In my current 19.08.7 I have a number of networks seperated with VLANs for LAN, DMZ, IoT, WORK, Guest, ..
The LAN is a bit special as I use two VLAN for this one network, 1 and 41.

grafik

I did this, to have the network devices (Switches and my Notebook on VLAN 1, mainly as one switch requires 1 for maintenance VLAN). Also, this setup allows me to upgrade OpenWrt and have all devices in VLAN 1 if necessary, but have Servers in VLAN 41 offline as long as I updated the configuration).

Is there a way to achieve this with OpenWrt 21?

2

Reset device to start fresh.

Under network > interfaces > devices click configure br-lan
add vlans and enable vlan filtering . but do not apply yet as that will lock you out of device.
Add tagged vlans if you use trunked ports

Screenshot_2021-11-15_18-39-45
Screenshot_2021-11-15_18-39-45902×505 29.8 KB

under Network>interfaces> edit lan and switch device to br-lan.1

Now add interfaces for each new vlan2 and vlan3 and assign device br-lan.2 and br-lan.3
choose your diferent subnets etc...
and under firewall Create/Assigne firewall zones Lan2 and Lan3 for each.

Screenshot_2021-11-15_18-46-43
Screenshot_2021-11-15_18-46-43903×609 39.4 KB

Screenshot_2021-11-15_18-46-45
Screenshot_2021-11-15_18-46-45956×711 72.2 KB

Under Network>firewall edit each zone Allow forward to destination zones and add wan if you want
internet and other zones you want zone to be able to contact.

That allows that particular zone to contact the other.
But this will not allow the destination zone to contact the source zone , unless
the source zone makes the initial originating request.

If you want other zone to be able to originate the connection then add it to source zones.

Screenshot_2021-11-15_18-49-18
Screenshot_2021-11-15_18-49-18959×420 34 KB

That is the basic configuration

More fine grained rulles can be added under network > firewall > trafic rulles
like allowing a single computer acces to wan or other zone from a zone that does not allow it etc...

PS: with this setup wifi also needs its own interface for control or just add it to lan, lan2 or lan3

3

Hi
Thanks for clarification. But this is what I figured out myself. My question was about having two VLAN with one Network/Interface as seen in the picture in the first post.
So two VLAN where I need to have the same subnet on both and have to access them via the router.
In version 19 I had a bridge on each interface, so this worked well. In the new setup I'm missing the switch UI, where this is went into the br-lan?

4

switch config removed and replaced with DSA config on some routers in new versions.

Multiple vlans on same port is done in br-lan > vlan filtering . Otherwise called
a trunk port if it has a single untagged lan and multiple tagged ones , but you
need something on the other end that understands trunking .

5

Add a new device under Network/Interfaces/Devices tab. Select Device type Bridge device

image
image903×578 30.6 KB

6

After reset , i think br-lan should include all ethernet ports by default

7

But the OP needs a bridge made of specific vlan subinterfaces, not the default br-lan.

8

I have now nearly everything working with 21.02.1, but I struggle on the bridges connecting multiple vlan. This is what I did:

I renamed the original br-lan to br-switch, and configured like this:

grafik
grafik900×684 52.1 KB

grafik
grafik894×836 53.4 KB 

config device
	option name 'br-switch'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-switch'
	option vlan '1'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-switch'
	option vlan '37'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-switch'
	option vlan '38'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-switch'
	option vlan '400'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-switch'
	option vlan '401'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-switch'
	option vlan '402'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-switch'
	option vlan '403'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-switch'
	option vlan '41'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-switch'
	option vlan '42'
	list ports 'lan2:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-switch'
	option vlan '44'
	list ports 'lan4:t'

I also created a bride to cover the dmz: br-dmz like this:

grafik
grafik897×683 52.2 KB

grafik
grafik896×400 30.1 KB 


config device
	option type 'bridge'
	option name 'br-dmz'
	list ports 'br-switch.400'
	list ports 'br-switch.401'
	list ports 'br-switch.402'
	list ports 'br-switch.403'

config interface 'dmz'
	option proto 'static'
	option device 'br-dmz'
	option ip6assign '64'
	option ip6hint '40'
	list ipaddr '192.168.40.1/24'

grafik
grafik958×64 8.1 KB

I now have the problem, that there is no traffic between the VLANS 400, 401, 402, 403. Accessing a device on on of the VLANS from outside is possible, but no connection between the devices in the VLANS.

Any help welcome.