First Time User Seeking Advice

Hello! I recently installed OpenWrt 23.05.2 on a Belkin RT3200 and I just wanted to know if I installed it correctly. I believe I have seen people post their config files, but I was not sure how to do that. I was seeking to have my main LAN, a guest network, an IoT network, and a network for a self-hosted server, all on VLANs. I was hoping to have the main network able to reach the IoT, server, and WAN networks; the guest network should only reach the internet, the IoT network should not reach the internet, and the server network should only reach the internet. Any help would be much appreciated. I believe I have it set up correctly, but I was hoping to see areas where I went wrong or areas I could improve.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
				
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'removed'

# Single DSA bridge holding all four LAN ports; per-port VLAN membership is
# defined by the bridge-vlan sections further down.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Main LAN: VLAN 99 on br-lan, 192.168.1.1/24, IPv6 via ip6assign.
config interface 'lan'
        option device 'br-lan.99'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# Upstream on the dedicated 'wan' port: DHCP for IPv4, DHCPv6 for IPv6.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# Guest network: VLAN 3, 192.168.3.1/24.
config interface 'GUEST'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'br-lan.3'

# IoT network: VLAN 4, 192.168.4.1/24.
config interface 'IOT'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'br-lan.4'

# VLANs 3, 4 and 5 are carried tagged on lan1 only (presumably a trunk to a
# managed switch or AP — confirm). lan3 and lan4 are bridge members but appear
# in no bridge-vlan section, so their VLAN assignment is not visible here.
config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'lan1:t'

# NOTE(review): the explicit 8021q devices br-lan.3/.4/.99/.5 below duplicate
# the br-lan.N devices that the bridge-vlan sections already provide; the reply
# in this thread says these stanzas are not needed and can be deleted.
config device
        option name 'br-lan.3'
        option type '8021q'
        option ifname 'br-lan'
        option vid '3'

config device
        option name 'br-lan.4'
        option type '8021q'
        option ifname 'br-lan'
        option vid '4'

config device
        option name 'br-lan.99'
        option type '8021q'
        option ifname 'br-lan'
        option vid '99'

# VLAN 99 (main LAN): tagged on lan1, untagged with PVID on lan2 (':u*').
config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:t'
        list ports 'lan2:u*'

# Server network on VLAN 5: proto 'static' but no ipaddr/netmask is given, so
# the interface carries no address (raised in the reply below).
config interface 'Server'
        option proto 'static'
        option device 'br-lan.5'

config device
        option name 'br-lan.5'
        option type '8021q'
        option ifname 'br-lan'
        option vid '5'
		
root@OpenWrt:~# cat /etc/config/wireless

# 2.4 GHz radio, channel 1, HT20 — disabled ('disabled 1'), so the AP defined
# on it below is not broadcast.
config wifi-device 'radio0'
        option type 'removed'
        option path 'removed'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'
        option country 'US'
        option cell_density '0'

# NOTE(review): stock SSID 'OpenWrt' with 'encryption none', attached to the
# main LAN. It is inactive only because radio0 is disabled; if the radio is ever
# enabled, set a real SSID and psk2/sae key first (or delete this section).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

# 5 GHz radio, channel 36, 80 MHz (HE80), enabled.
config wifi-device 'radio1'
        option type 'removed'
        option path 'removed'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option country 'US'
        option cell_density '0'

# Main-LAN AP with WPA2-PSK; SSID and key redacted by the poster.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'removed'
        option encryption 'psk2'
        option key 'removed'
		
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'removed'
        option path 'removed'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
root@OpenWrt:~# cat /etc/config/dhcp

# dnsmasq (DNS + DHCPv4). 'port 5353' moves dnsmasq's DNS listener off 53 —
# NOTE(review): confirm what, if anything, answers on port 53 on the router,
# since the Guest firewall rule admits dest_port 53. 'localservice 1' limits
# DNS service to local subnets; 'rebind_protection 1' discards upstream answers
# that point at private ranges.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '5353'

# Main LAN pool: .100-.249 (start 100, limit 150), 12 h leases; DHCPv6 and RA
# served with the managed/other-config flags set.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service on the upstream port.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest and IoT pools mirror the LAN pool (.100-.249, 12 h). There is no
# 'config dhcp' section for the Server interface, so it hands out no leases.
config dhcp 'GUEST'
        option interface 'GUEST'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '12h'
		
root@OpenWrt:~# cat /etc/config/firewall

# Zone-less default policy: nothing in or through unless a zone/rule allows it.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Main LAN: full access to the router and free forwarding within the zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Upstream zone with NAT. input/forward are DROP here; the reply below
# recommends REJECT so that blocked senders get an immediate answer.
config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules below appear to be the stock OpenWrt default rule set
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6 input/forward, IPsec).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'removed'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): the two rules below accept IPsec ESP and IKE (UDP/500) from wan
# forwarded into the lan zone. They only matter if a LAN host terminates IPsec;
# otherwise they can be disabled without affecting anything else here.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest: isolated from the router and other zones except for the explicit
# Guest->wan forwarding and the DHCP/DNS rule below.
config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GUEST'

# IoT: no forwarding to wan is defined, matching the stated intent (no
# internet). NOTE(review): unlike Guest, there is no rule admitting DHCP/DNS
# from IOT to the router while the zone's input is REJECT, yet /etc/config/dhcp
# defines an IOT pool — IoT clients may fail to obtain leases or resolve names.
# A copy of the 'Guest DHCP and DNS' rule with src 'IOT' would cover that.
config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'lan'
        option dest 'IOT'

config forwarding
        option src 'Guest'
        option dest 'wan'

# Guest -> router: DNS (53) and DHCP (67/68) only. No 'proto' is given, so the
# rule matches both TCP and UDP on these ports. dnsmasq listens on 5353 per
# /etc/config/dhcp — confirm a resolver actually answers on 53.
config rule
        option name 'Guest DHCP and DNS'
        option src 'Guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

# Server: DROP on input/forward — the same REJECT-vs-DROP consideration the
# reply raises for the wan zone applies here. No DHCP/DNS rule and no DHCP pool
# exist for this zone, so server hosts must be statically addressed.
config zone
        option name 'Server'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'Server'

config forwarding
        option src 'Server'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'Server'

I think I removed the passwords and MAC addresses — hopefully.

802.1q stanzas are not needed and can be deleted:

And this one, too...

The server network interface is using a VLAN that has not been defined (it should be a bridge-VLAN definition, not the 802.1q stanza). Further, you have it set with a static protocol, but there is no address.

Input and Forward rules for the wan zone should be REJECT, not DROP. This has to do with the way that traffic is sent (or really extinguished)... if it is set to DROP, a TCP sender will keep retransmitting, assuming that its packets were not delivered. A REJECT setting ensures the sender knows that the packet arrived but was actively rejected.

Everything else looks okay.


Thank you for the response. I am using the LuCI web interface. How would I go about removing the 802.1q stanzas? In the devices under network interfaces, it has you choose a device type, which is where I chose 802.1q; would this be a different option?

I've never done it with the LuCI interface, but you should be able to find the 802.1q stanzas in the network devices section... delete them there.

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'removed'

# Main DSA bridge now holds lan1-lan3 only; lan4 was moved to a second bridge
# (br-server) below.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# Main LAN: VLAN 99 on br-lan, 192.168.1.1/24.
config interface 'lan'
        option device 'br-lan.99'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# Guest (VLAN 3) and IoT (VLAN 4), each carried tagged on lan1 only.
config interface 'GUEST'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'br-lan.3'

config interface 'IOT'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'br-lan.4'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan1:t'

# NOTE(review): explicit 8021q device for br-lan.99 is still present; the
# bridge-vlan for VLAN 99 below already provides br-lan.99, and the reply says
# this stanza should be removed.
config device
        option name 'br-lan.99'
        option type '8021q'
        option ifname 'br-lan'
        option vid '99'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:t'
        list ports 'lan2:u*'

# NOTE(review): second bridge on the same switch, holding lan4 alone. The reply
# below states two bridges on a single DSA switch chip do not work and that
# lan4 should return to br-lan with its own bridge-vlan (as done for VLAN 99).
config device
        option type 'bridge'
        option name 'br-server'
        list ports 'lan4'

# These are the former 8021q stanzas with only 'type' removed; they still name
# br-lan.3/.4, which the bridge-vlan sections already create. The reply says to
# delete these device sections as well.
config device
        option name 'br-lan.3'
        option ifname 'br-lan'
        option vid '3'

config device
        option name 'br-lan.4'
        option ifname 'br-lan'
        option vid '4'

# Server network now has an address (192.168.5.1/24) but sits on br-server.
config interface 'Server'
        option proto 'static'
        option device 'br-server'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
		
root@OpenWrt:/etc/config# cat firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Main LAN: full access to the router and free forwarding within the zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Upstream zone with NAT; input/forward now REJECT as the reply recommended.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules below appear to be the stock OpenWrt default rule set.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'removed'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): accepts IPsec ESP and IKE (UDP/500) from wan forwarded into the
# lan zone; only relevant if a LAN host terminates IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest: isolated except for Guest->wan forwarding and the DHCP/DNS rule below.
config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GUEST'

# IoT: no forwarding to wan (intended). NOTE(review): still no rule admitting
# DHCP/DNS from IOT to the router while input is REJECT; IoT clients may not
# obtain leases or resolve names. A copy of the 'Guest DHCP and DNS' rule with
# src 'IOT' would cover that.
config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'lan'
        option dest 'IOT'

config forwarding
        option src 'Guest'
        option dest 'wan'

# Guest -> router: DNS (53) and DHCP (67/68). With no 'proto' the rule matches
# both TCP and UDP on these ports.
config rule
        option name 'Guest DHCP and DNS'
        option src 'Guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

# Server: still DROP on input/forward — the REJECT-vs-DROP point the reply makes
# for the wan zone applies equally here. No DHCP/DNS rule exists for this zone.
config zone
        option name 'Server'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'Server'

config forwarding
        option src 'Server'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'Server'

I really appreciate your help and patience. Does this look better? I feel I may have made some mistakes.

Remove the 802.1q stanzas:

and all of these devices:

I don't believe that you can run two bridges on a single switch chip with DSA.

Port lan4 should be placed back in br-lan and then a bridge-VLAN can be created like you have done for the others (i.e. br-lan.99).
