Flint 2 OpenWRT VLAN config broken?

user8274 · February 2, 2025, 11:26am

Hi everyone,
First of all thank you very much for the many inspirational posts. Very helpful!

I’m running the following setup: modem > Opnsense (wan, lan) > MT6000 router with Openwrt 23.05.5 on it

Opnsense is taking care of firewall, routing etc. Openwrt is acting as the switch.

I’m using the Opnsense config exactly as in this amazing tutorial: https://homenetworkguy.com/how-to/set-up-a-fully-functioning-home-network-using-opnsense/

Config see link. I won’t post all the details but only provide some key info derived from the tutorial:

VLANs in Opnsense:
10: DMZ
20: USER
30: IOT
40: GUEST
50: IPCAM

LAN is on 192.168.1.1/24. DHCPv4 ranges from 100-200 for all interfaces. DNS, DHCP all on Opnsense on 192.168.1.1

So far so good. Now I want my Openwrt device with its physical LAN ports to provide the VLANs:

LAN port1: DMZ
LAN port2: USER
LAN port3: IOT
LAN port4: IPCAM

From what I understand, those physical lan ports would be all untagged because I don’t plan to connect another AP/managed switch for now.

My goal is that a client device that is connected to e.g. physical lan port3 of the Openwrt switch is automatically connected to VLAN30 and gets an IP through DHCP in the range of 192.168.30.100-200. My problem is that my clients connected to the lan ports always get 192.168.1.100. So, I assume LAN dhcp is assigning the local IP.

To make things easier I’d start with the standard config of Openwrt. I only set the lan ipv4 address to 192.168.1.2 since my Opnsense is on 192.168.1.1. Also, DNS on 192.168.1.1, subnet mask on 255.255.255.0, both dhcpv4 and ipv6 dhcp disabled. See „dumb ap“ tutorial: https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap

I feel like I tried all possible combinations, including setting pvid and everything: Eth0 tagged with VLAN10, 20, 30, … lan1 untagged, lan2 untagged with/without primary VLAN, … on interface side, I configured the VLANs on the devices that are created. No success so far.

My ask: could you please tell me how to configure the devices and interfaces to work with the VLANs?

Thank you so much in advance! I already spent many hours on this, hence I’d appreciate to make some progress

user8274 · February 2, 2025, 2:03pm

For your info: I added a pure management VLAN 99 in OPNsense according to this guide: https://homenetworkguy.com/how-to/set-up-management-vlan-for-opnsense-network-switch-and-access-point/

I reset the MT6000 with Openwrt to default and applied the "dumb openwrt ap" settings to it.

I then

span the br-lan across all lan ports including eth0 and eth1,
add VLAN 99 and set eth0 to tagged and lan3 to untagged with pvid, I enter save (not apply),
enter interfaces, create a new interface with static address 192.168.99.2 with device "Software VLAN br.lan.99", ipv4 gateway 192.168.1.1/24 and apply everything.

Unfortunately, not working. Anybody have an idea? Thanks

psherman · February 2, 2025, 4:58pm

Let’s review the actual text configuration of the OpenWrt router.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

user8274 · February 2, 2025, 11:31pm

Thank you very much for your reply!

Here we go:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXX:XXXX:XXXX::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config device
	option name 'lan2'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config device
	option name 'lan3'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config device
	option name 'lan4'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config device
	option name 'lan5'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr 'YY:YY:YY:YY:YY:98'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		XXXX::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

psherman · February 2, 2025, 11:57pm

So the first thing we need to do is create bridge-vlans. I'm going to guess that there are actually 6 VLANs total -- the management one untagged on the trunk (192.168.1.0/24) and then the 5 that you specifically described. I'll also assume that port lan5 is the uplink to the main router

So... the following gets added to the network config file:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:u*'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan4:u*'
	list ports 'lan5:t'

Now, edit the lan interface to use br-lan.1 and update the address to 192.168.1.2:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

And finally, add unmanaged networks interfaces for all the other VLANs:

config interface 'dmz'
	option device 'br-lan.10'
	option proto 'none'

config interface 'user'
	option device 'br-lan.20'
	option proto 'none'

config interface 'iot'
	option device 'br-lan.30'
	option proto 'none'

config interface 'guest'
	option device 'br-lan.40'
	option proto 'none'

config interface 'ipcam'
	option device 'br-lan.50'
	option proto 'none'

Finally, in the DHCP file, we need to disable the DHCP server on the lan... edit it so it looks like this:

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

Restart the Flint 2 device. Then make sure that the uplink is connected to port lan5. From there, the 4 other ports will have the assignments you requested:

user8274 · February 3, 2025, 7:39am

Hi there, I gave it a quick try and it seems to work very well. Thank you so much, I will test it more thoroughly later! You saved me a lot of time, highly appreciated

psherman · February 3, 2025, 3:18pm

Great! Glad it is working.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!