Forward WAN, directly to LAN1

how do I, configure settings?:

so WAN cable is directly forwarded to LAN1
(excluded from OpenWrt Firewall,
and so LAN1 gets IP from from WAN cable)

move the WAN port cable to whatever is connected to LAN1 ?

1 Like

If you're running default OpenWRT, chances are:

  • You have a single bridge device that collects all ports (LAN1, LAN2, LAN3, LAN4, as well as WAN).
  • The distinction between LAN and WAN is done via vlan tagging.
  • LAN is vlan 1, WAN is vlan 2 by default.
  • WAN port set up as "vlan 2 untagged".
  • All LAN ports are set up as "vlan 1 untagged".

This means:

  • LAN is named "eth0.1" within OpenWRT.
  • WAN is named "eth0.2" within OpenWRT.
  • Traffic between all LAN ports doesn't go through the CPU, but is entirely handled by the switch portion of your device.
  • Traffic between all LAN ports flows freely.
  • Traffic passing WAN needs to be handled "somehow" by the firewall. Even "let pass" is a thing the firewall needs to do explicitly.

I guess what you want to do is: Assign LAN port 1 not to vlan 1 untagged, but to vlan 2 untagged.

This means:

  • Both ports, WAN and LAN1, behave the same and can be used interchangeably.
  • Traffic between WAN and LAN1 doesn't go through the CPU but is handled purely by the switch.
  • Traffic between WAN and LAN1 hence flows freely
  • LAN1 will no longer be part of your internal LAN port group.

This would behave just like if you took an external 3-port switch and added it to your WAN port, leaving you with an additional physical rj45 jack, which sees the unfiltered WAN traffic.

Is your goal to allow both OpenWrt and another device to both be connected to the wan?

If that's the case, it is usually fairly easy to make the necessary modifications -- we just need to see the following:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

Be aware of these two things:

  1. Your second device will be directly connected to the upstream network, so it must be protected if the upstream network is not trusted.
  2. It will only work if the upstream network will provide multiple IP addresses. Many ISPs only provide a single IPv4 address, which would mean the other device wouldn't be able to get online. If you've got a private network upstream, this is often not an issue.
Yes, I want both WAN and LAN1, to have same connection


I got cable from MODEM, and it has TRUNK traffic (both VIDEO and INTERNET)
sent to OpenWRT Router:

I use Openwrt as Wifi for Internet Connection
(it works, without any special settings)

Now, I want TRUNK traffic, to be Forwarded directly to LAN1
(so I can use both Internet and VIDEO on PC)

I had set hyperv on PC and 2 virtual network cards
(1 for INTERNET, and 1 for VIDEO)

{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd08:4991:5d56::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
  • Create a new device. Just like you currently have "br-lan" create a new device called "br-wan".
  • Make that "br-wan" device of "type bridge", just like you have for "br-lan".
  • Remove the "list port 'lan1' from "br-lan".
  • Add "list port 'wan'" to "br-wan"
  • Add "list port 'lan1'" to "br-wan"
  • Change interface "wan". Use "br-wan" for its device, not "wan".

This will remove "lan1" from your LAN and put it to "wan".

2 Likes

Thank You Very Much,

that is what I needed

This most likely won't work because DSA can only handle a single bridge on a switch chip.

The solution, therefore, is to add the wan to br-lan and then use bridge-vlans to separate them.

Start by adding the wan to br-lan so that it looks like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan'

Then, create bridge-VLANs like this:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:u*'
        list ports 'wan:u*'

Now, edit the wan and lan interfaces to use br-lan.1 and br-lan.2 respectively:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'br-lan.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-lan.2'
        option proto 'dhcpv6'

Then restart the router. At this point, lan1 and wan will be bridged together, so if you plug a device into lan1, it will connect to the upstream network.

Port lan2 will be your normal lan.

The above solution may not actually solve your issue, though -- at least if other VLANs are in use. A trunk is defined as a port/cable that carries more than one network... if there are other VLANs, they need to be defined, too, otherwise they will simply be ignored.

1 Like

i made it, like you wrote in previous post

now i added vlan3999, for udpxy (udpxy works)
but now Internet on WiFi isn't working

what could be wrong now ?

i tried adding new wan interface for br-lan.1,
but still no success

Before you change anything, please read carefully, especially the question at the end.

Does it work if you set your 3999 vlan on all 3 columns to "- / none".

Could you provide any information on how you configured wifi? Especially: Where do you attach your wifi to? That's the "network" field, where you should have only selected "lan".
If you want to separate your TV wifi, add an additional wifi config with a different SSID that has only the "TV" network configured as "network".

As to what I can see/assume on your screenshots:

  • Make sure every LAN port (lan1, lan2 or wan) has either only one "untagged" setting, or an arbitrary number of "tagged" settings, but don't mix "tagged" and "untagged" on one port.
  • This means: Since you only have three LAN ports and need one port for vlan1 and two for vlan2, you just haven't enough ports for an additional TV vlan.
  • But unless you intend to connect your TV by wire to your router, its totally fine to have the 3999 not connected to a physical port at all.
  • You didn't set any firewall zone at all to your TV network. This defaults to "block everything". I'd suggest starting with LAN (green), which allows all traffic. You can add firewalling and limit stuff later.
  • I see you have 169.25.x as the IP address for your TV vlan. So your router has no IP address configured. Unless you intend to add another router to your setup (connedcted to the TV vlan which provides IP and routing), I suggest enabling DHCP on your TV network. Make sure IP ranges don't overlap, so "192.168.39.1/24", for example.

Could you please describe in detail and in full what you're trying to do? Switching the raw WAN port to a LAN port allows you to "sniff" your WAN traffic with a second device. It requires your ISP to provide you with at least one additional external IP address, which most ISPs don't do. What's with the TV vlan you introduced? If you want to put your potentially unsecure/hackable TV on another vlan to prevent your other devices from being accessed in case your TV gets hacked: That might be a good idea and will work the way we're about to configure. If the "3999" number is something your ISP sends "TV over IP" on, that's something completely different.

As psherman suggested in his last paragraph and as I included in my list of things in this post: If you pass multiple VLANs "tagged" to an external device (your TV, I suppose) that's something that very external device needs to understand. An arbitrary consumer grade TV you buy on amazon will not.

2 Likes

Thank you, it works now

I had to assign firewall to TV,
and create DHCP for WIFI

Now WIFI works, and can have Firewall Enabled