Gateway setting for managed switch [solved]

Hello,
since the recent attack I am not having access to my account any longer, password is not recognised (checked multiple times). So here is oscar2 then....

I feel quite stupid with my question, since it seems so trivial. I could not find an answer after several hours of search, though.

My OpenWRT router is extended by a managed switch, which includes 2 Ports belonging to vlan4, the others to vlan1. The vlan4 ports are for the VoIP phones.

The Setting on the switch is as follows:
[image]
The Gateway setting seems strange to me. The options are

  1. leave it as is, as it appears to work
  2. change it to point to the Openwrt router IP (192.168.1.1)
  3. leave it blank

Besides a directive I would appreciate a few words of explanation, since after years with OpenWRT I still haven't fully understood the difference between 'gateway' and 'interface' :flushed:

Cheers
Oscar

If you leave it without gateway, only intra-subnet communication is possible.
If you add a gateway, then inter-subnet communication is possible. However a valid subnet must be entered. For IP 192.168.2.5/24 a valid gateway is in the range 192.168.2.1-254.
Interface can be an ethernet card, wireless card or anything else that can connect you to a network.
Gateway is the IP of the upstream router, used when the address you are trying to reach is not known, e.g. not in the routing table.

1 Like

Thank you for explanation. With the current '0.0.0.0' setting, inter-subnet communication is possible through the corresponding firewall setting:

config forwarding
        option dest 'Fon'
        option src 'lan'

where 'Fon' is 192.168.2.0/24, 'lan' corresponds to 192.168.1.0/24. Seems that 0.0.0.0 has either zero effect or corresponds to any IP address, which includes the one of the router.

192.168.1.1 would then be the correct entry? Isn't this in conflict with 'For IP 192.168.2.5/24 a valid gateway is in the range 192.168.2.1-254' you mentioned?

you gave me new homework :wink:

0.0.0.0 is a reserved IP, I find it really hard that some vendor allowed it to be used as gateway in that way. Even so, the gateway has to be a specific IP, not an abstract to let the device try all possible addresses.

It is not a correct address when you have IP 192.168.2.5 with mask /24. The gateway must belong to the same network as the address of the device.

1 Like

Apologies for being dumb. I don't get it.

  • the device (switch) has the ip 192.168.1.4
  • the physical ports of the switch belong through vlan tagging to either 192.168.1.0/24 or 192.168.2.0/24
  • the gateway setting applies for the whole device, i.e. must belong to its subnet, even though there is an additional subnet assigned to the device.

The correct gateway according to your advice is clearly 192.168.1.1, since this is within the subnet of the switch device. How do the ports that are assigned to 192.168.2.X know about the gateway, i.e. get access to DNS and internet?

What is the gateway setting for at all? Am I mixing forwarding and gateway?

Is it or not, I am lost

....
128     prelocal
255     local
254     main
253     default
0       unspec
....

This setting concerns the switch and not the devices connected to the switch.
For IP 192.168.1.4/24, the gateway 192.168.1.1 is a valid choice.
Devices in vlan2 with IP 192.168.2.X/24 must use as gateway the IP of the interface of the router on that vlan.
It is not the switch's job to route the packets from one vlan to another, it's the router's. The switch's job is to separate the vlans and connect to a router, so the latter can route them.

1 Like

You are generously patient

Got it, it is the IP address of the interface of the subnet, right? As defined in /etc/config/network.
You relieved a major headache, thanks a million.
Oscar

1 Like

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Did you read the big warning (with instructions) on every page of the site?

It's still against the site guidelines to make a second account.


Also, out of curiosity:

  • How was this managed switch related to OpenWrt?
  • What brand is it?

You can reset your password at the login prompt if you still have access to the associated email address.

I did read the instructions which propose to change the account password. However, this is not possible since I cannot log into it. Password does not match. Unfortunately, I used an email address alias that I discarded recently. Password reset is no option therefore.
I cannot legitimise myself to the admins as 'oscar'. All I could do theoretically is to ask to block that account.
There has not been any intent to have two accounts.

1 Like

It is a Zyxel GS1200-5. It is attached to my OpenWRT router and because of different vlans settings I use across the two, I assumed that the solution for my request is located in the settings of the openWRT router. Which turned out to be true.

Also please consider my initial statement

Cheers
Oscar

I'm going to expand on this further to clarify for new learners. In this case, the switch is a "managed" switch, so it has a tiny embedded computer inside it that serves configuration web pages. The configurations shown are the settings for this tiny embedded computer serving the web pages. Suppose the switch has some feature where it needs to talk to a "cloud" resource, how would it do it? It needs to send packets to "the internet" so it needs to know the address of a gateway. The gateway being entered here is for the embedded computer inside the switch to talk to the internet. In this case the 0.0.0.0 setting means "no gateway / no internet access".

1 Like

The most trivial (not really cloud-) examples of this would be (S)NTP requests, to set the internal clock of the managed switch or being able to pull a firmware upgrade directly from the internet - this is obviously more important for the increasingly popular cloud managed switches.

3 Likes
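The two points made in the replies above (a gateway must sit in the same subnet as the device's own address, and the switch's gateway field only affects what its management CPU can reach) can be checked with a short script. This is an added example, not code from the thread; the function names are hypothetical and the NTP server address 203.0.113.10 is a constructed documentation address.

```python
import ipaddress

def check_gateway(device_cidr, gateway):
    """Classify a gateway setting for a host configured as device_cidr."""
    iface = ipaddress.ip_interface(device_cidr)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    if gw.is_unspecified:
        return "none"        # 0.0.0.0: no default route configured
    if gw not in net:
        return "off-link"    # gateway is not in the device's own subnet
    if gw == iface.ip:
        return "self"        # device cannot be its own next hop
    if net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
        return "reserved"    # network or broadcast address of the subnet
    return "ok"

def reachable(device_cidr, gateway, dest):
    """On-link destinations need no gateway; anything else needs a usable one."""
    iface = ipaddress.ip_interface(device_cidr)
    if ipaddress.ip_address(dest) in iface.network:
        return True
    return check_gateway(device_cidr, gateway) == "ok"

if __name__ == "__main__":
    SWITCH_MGMT = "192.168.1.4/24"   # management address from the thread
    NTP_SERVER = "203.0.113.10"      # constructed off-link destination
    for gw in ("0.0.0.0", "192.168.1.1", "192.168.2.1"):
        print(gw, check_gateway(SWITCH_MGMT, gw),
              "ntp reachable:", reachable(SWITCH_MGMT, gw, NTP_SERVER))
    # A phone in the VoIP VLAN must use the router's address on that VLAN.
    print(check_gateway("192.168.2.5/24", "192.168.1.1"))
    print(check_gateway("192.168.2.5/24", "192.168.2.1"))
```

With 0.0.0.0 the switch's web interface stays reachable from the lan subnet, but the management CPU has no path to an off-link NTP or firmware server.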

I should have made this clear, the image shown with the setting is indeed from the switch and not from the openWRT router.

The devices attached to the vlan-tagged-port in a subnet on the switch had internet access despite the gateway setting '0.0.0.0'. I believed this is because of port forwarding in the firewall, i.e. wan --> vlan-subnet called 'Fon' (in addition to lan-->Fon above).

The other ports on the extended switch belong to the lan. I have not checked it but it might well be they had no internet access, I did not check it and can't do so at the moment. But will do it this evening.
Oscar

PS: as you may have noticed I am back as Oscar which was made possible with the help of the administrator.

Primarily because the clients got the correct settings from the OpenWrt dhcp server and secondarily because there is a Fon->wan forwarding in place.

1 Like

This setting in the switch is just for use by the embedded computer in the switch. Everyone else is getting their network info via dhcp from your router.

2 Likes
