Dual LAN plus VPN, I can't get it right

I have tried several related how-tos and only seem to lock up my router, giving my son withdrawal episodes until I can reset it! At the moment the router was reset and 100% defaulted. I am trying to make 2 LAN segments that work the same (more or less) as the single existing one but isolated from each other except for what is explicitly allowed, mainly to isolate heavy broadcasts from this software from flooding my personal network. I would just double NAT with an additional router, but the software partially runs on the head router and requires 2-way UDP communication with the nodes on LAN2. The easiest choice is to put 1 router on all segments, eliminating the need to relay UDP in either direction. Most traffic on LAN2 is from the router CPU to LAN2 as a 192.168.y.255 broadcast. However, control messages are sent back to the router from the individual LAN2 nodes as single non-broadcast UDP to be included in the next broadcast as described previously. LAN2 is being applied as an interconnect for a CPU cluster in a way that allows the timeline relation to be preserved even when the time-frame is always offset between nodes. This is important for the software to work.

desired configuration:
WAN, DHCP unmodified
WIFI on radios 1, 2 & 3, unmodified
OpenVPN 192.168.z.0, bridged to LAN and route pushed as default route on remote, unmodified
LAN 192.168.x.0, DHCP (for users and servers, just like existing)
LAN2 192.168.y.0, DHCP not required but a plus if so (new secure lan)

LAN uses ports 1 2 3 on switch, connected to an unmanaged switch for household use
LAN2 uses port 4 on switch, connected to an unmanaged switch for cluster

LAN needs standard NAT access to WAN
Port forwards are needed for WAN to LAN
LAN2 needs standard NAT access to WAN, no WAN to LAN2 forwards allowed.
Access to LAN2 is only by attaching to LAN2 physically or outbound from a LAN2 node.

Router spec:
https://lede-project.org/toh/hwdata/linksys/linksys_wrt3200acm

Model Linksys WRT3200ACM
Firmware Version LEDE Reboot 17.01.2 r3435-65eec8bd5f / LuCI lede-17.01 branch (git-17.152.82987-7f6fc16)

It doesn't seem that this can be done only by using LuCI. However, the command line and config file instructions seem to have differences with what I see in my current version and cause a mess. So I am asking for help. Thanks for reading; any help would be greatly appreciated.

Hey there.

If it's not for security reasons but only to isolate broadcasts, you could create a secondary network called "lan", assign it to the very same firewall group "lan" and adjust the "lan" firewall group to allow access "to lan" as well. That's afaik not possible through the LuCI web UI, but it sure works if you do it via /etc/config/firewall.

Forwards from WAN don't care where they forward to. If you only configure them from WAN to LAN but none from WAN to LAN2, then there will be only those to LAN but none for LAN2. Currently I cannot think of a way that somehow "by firewall" allows forwarding only from WAN to LAN but keeps the configuration page for adding new forwarding rules accessible to LAN2. If your son opens the LuCI web UI and adjusts the forwarding page, then he can add forwarding rules from WAN to LAN2.

If you want to prevent that overall, you need to create a distinct firewall zone LAN2 that basically mimics LAN. You should make the "input" rule "reject" (instead of "accept", which it is for LAN); this means no traffic from LAN2 to the router (targeting the router configuration page or SSH) is allowed. To not crash DNS and DHCP, you need to manually create allow rules "from LAN2 to device" for DHCP (UDP port 67/68) and DNS (UDP port 53). That, however, can be done purely through the LuCI web UI.

The OpenVPN thingy is somehow unclear to me. You don't "bridge" that. Bridge means a TAP device; the connected VPN area gets DHCP via broadcast to LEDE/dnsmasq.
OpenVPN almost never runs in bridged mode. Usually you run OpenVPN on TUN devices, let the IP range be handled not by LEDE/dnsmasq but by OpenVPN, and add routes.
I cannot tell you anything about OpenVPN settings on LEDE through the LuCI web UI, never did that. But to me that sounds like only OpenVPN config; LEDE should be default.

Regards,
Stephan.

Let's go step by step... shall we?

You should have (among others) sections similar to these in your /etc/config/network file:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option force_link '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

Now, change them to these:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option force_link '1'

config interface 'lan2'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option force_link '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '3 5t'

After restarting the network, you must have an interface LAN (configured exactly as before) on three ports, and interface LAN2 on the fourth port. But LAN2 still does not have a DHCP server (the router can be reached at 192.168.2.1 if the client is configured properly), so let's add one in /etc/config/dhcp: just copy the config for LAN into LAN2, restart, and test.

Take a look at: https://lede-project.org/docs/user-guide/guestwifi_configuration
This creates a network parallel to LAN and a new firewall zone for it, which then can be used to manually add a wifi configuration on top. You will need both, that's why this seems like a good fit for your needs.

Your only difference is: instead of adding a guest wifi radio on top of that, just add your split VLAN port to that new network, and add some more firewall rules depending on your requirements.

Your lockup could have happened because of overlapping DHCPs (2 networks, both with DHCP, but the networks having overlapping assignments, leading connected clients to find the DHCP servers of both networks, which makes them fail to get an IP by DHCP).

Oh, I am so excited. I can't wait to get home and try this. If it's good I'll owe you a bottle of wine. :smile: I'll post my progress later tonight. Tyvm!!!

I have this as default for the VLAN part:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

VLAN 2 (CPU/eth1 and WAN) already exists, so I used your instruction but with VLAN 3 instead.

The router was inaccessible to all clients on LAN after the following was applied. If I had to say, LAN was no longer bridged or something. No DHCP reply, and I tried all static IP settings that applied and couldn't connect to LuCI.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddb:c1ec:4224::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.16.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option force_link '1'

# ----------------------- new ---------------------
config interface 'lan2'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.15.1'
	option netmask '255.255.255.0'
	option force_link '1'
# ----------------------- new ---------------------

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

# ----------------------- new ---------------------
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 5'
# ----------------------- new ---------------------

reset! back to default.

In tinkering around with it, it seems maybe it does not allow a port (5) to be added to more than 1 VLAN. The LuCI interface explicitly will not allow it.

You forgot to tag the packets on the CPU side: you need that so the switch separates the traffic for VLAN 1 to eth0.1 and the traffic for VLAN3 to eth0.3.

I got everything to the point of the wifi working on the new segment with DHCP, Internet access as well as wlan-to-router communication. As soon as I do anything with VLAN tagging on eth0, my existing network is down. I was thinking that LAN port 4 should be "off" on VLAN 1 and untagged on VLAN 3, but eth0 cannot be untagged on 2 VLANs since it is already untagged on VLAN 1. If I use tagged on both, again you cannot have eth0 tagged and untagged at the same time, even on different VLANs. So how does LAN 4 get attached to the new segment without disconnecting eth0 from VLAN 1? Either I am missing something or this cannot be done via VLAN tagging.
NOTE: VLAN 2 is eth1 and WAN untagged.

In your device, switch ports 0, 1, 2, 3 go to LAN ports 4, 3, 2, 1 (in that order), switch port 4 is WAN port, switch port 5 is eth0, and switch port 6 is eth1. The default configuration says:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

That means:

  • LAN ports 4, 3, 2, 1 go with eth0
  • WAN port goes with eth1.

Now you change (please notice the subtle "t") that to:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 5t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

And that means (also, notice the subtle ".1" and ".3"):

  • LAN ports 2, 3, 4 go with eth0.1
  • LAN port 1 goes with eth0.3
  • WAN port goes with eth1

Now, when you configure your network, "LAN" must use interface "eth0.1" instead of "eth0", and LAN2 will use "eth0.3". Also, since LAN port 1 is connected to "eth0.3", you will not be able to connect the router on that port, unless you define a network on "eth0.3".

I've tried to explain it with LuCI, maybe it helps:
https://lede-project.org/docs/user-guide/switch_untaggedvlan_howto
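Putting the three pieces of advice above together (Stephan's separate LAN2 firewall zone with input rejected except DHCP/DNS, the lan2 interface plus copied DHCP pool, and the tagged CPU port "5t" on both VLANs), here is an added example script, not code from any of the replies or from LEDE. It prints a `uci batch` that builds the setup, and first checks the switch_vlan port lists for the exact mistake that locked the router: one port untagged in two VLANs. Assumptions: the WRT3200ACM port map quoted above (switch ports 0-3 = LAN 4..1, 4 = WAN, 5 = eth0, 6 = eth1), VLAN 1 sitting at `network.@switch_vlan[0]` as in the default config, the thread's 192.168.15.0/24 for lan2, and LEDE 17.01 UCI syntax. The UDP port the cluster nodes use to reach the router is not given in the thread, so it is an optional argument rather than a hard-coded value.

```shell
#!/bin/sh
# Added example for this thread, not code from the replies or from LEDE.
# Assumes the WRT3200ACM port map from the reply above (switch ports 0-3 =
# LAN 4..1, 4 = WAN, 5 = eth0, 6 = eth1), VLAN 1 at network.@switch_vlan[0]
# as in the default config, and the thread's 192.168.15.0/24 for lan2.

# Return 1 if any switch port is untagged in more than one VLAN (the config
# that locked the router had port 5 untagged in VLAN 1 and VLAN 3).
# Tagged members ("5t") may sit in any number of VLANs.
vlan_ports_ok() {
	seen=""
	for ports in "$@"; do
		for tok in $ports; do
			case "$tok" in
			*t) ;;
			*)
				case " $seen " in
				*" $tok "*) return 1 ;;
				esac
				seen="$seen $tok"
				;;
			esac
		done
	done
	return 0
}

# Print a uci batch: lan on eth0.1, lan2 on eth0.3 (LAN port 1), a DHCP pool
# copied from lan, and a lan2 zone that rejects input except DHCP and DNS.
# $1 (optional, assumed): UDP port the cluster nodes use to reach the router.
lan2_uci_batch() {
	cat <<'EOF'
set network.lan.ifname='eth0.1'
set network.@switch_vlan[0].ports='0 1 2 5t'
add network switch_vlan
set network.@switch_vlan[-1].device='switch0'
set network.@switch_vlan[-1].vlan='3'
set network.@switch_vlan[-1].ports='3 5t'
set network.lan2=interface
set network.lan2.ifname='eth0.3'
set network.lan2.proto='static'
set network.lan2.ipaddr='192.168.15.1'
set network.lan2.netmask='255.255.255.0'
set dhcp.lan2=dhcp
set dhcp.lan2.interface='lan2'
set dhcp.lan2.start='100'
set dhcp.lan2.limit='150'
set dhcp.lan2.leasetime='12h'
add firewall zone
set firewall.@zone[-1].name='lan2'
set firewall.@zone[-1].network='lan2'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall forwarding
set firewall.@forwarding[-1].src='lan2'
set firewall.@forwarding[-1].dest='wan'
add firewall rule
set firewall.@rule[-1].name='Allow-DHCP-lan2'
set firewall.@rule[-1].src='lan2'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='67'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='Allow-DNS-lan2'
set firewall.@rule[-1].src='lan2'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='53'
set firewall.@rule[-1].target='ACCEPT'
EOF
	if [ -n "$1" ]; then
		cat <<EOF
add firewall rule
set firewall.@rule[-1].name='Allow-cluster-control-lan2'
set firewall.@rule[-1].src='lan2'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='$1'
set firewall.@rule[-1].target='ACCEPT'
EOF
	fi
	printf 'commit network\ncommit dhcp\ncommit firewall\n'
}

# ./lan2.sh --apply [port] feeds the batch to uci on the router; otherwise print it.
if [ "$1" = "--apply" ]; then
	vlan_ports_ok "0 1 2 5t" "3 5t" "4 6" || { echo "port untagged in two VLANs" >&2; exit 1; }
	lan2_uci_batch "$2" | uci batch && /etc/init.d/network restart \
		&& /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
else
	lan2_uci_batch "$1"
fi
```

Two things worth knowing before applying it: there is deliberately no `forwarding` from wan to lan2 and none from lan to lan2, so a port forward someone later adds in LuCI with lan2 as the destination still has to survive the lan2 zone's REJECT input/forward defaults; and with input set to REJECT, the cluster nodes' control UDP to the router is dropped too unless you pass its port as the argument, which is why that rule is there. Run it once without `--apply` and read the batch before letting it touch the router.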

Perfect!! I already had the network redone minus the vlan. So I just applied your information via luci to my existing config. It made good sense and was exactly what I was looking for. Also, it did lock me out but instead of doing a reset, I only did a power off/on and everything checked out. Thank you very much, I am grateful for your help.