Help me to isolate my device from the rest of the network with vlan

Hello to all, I followed with attention the subject of DSA config

I have a belkin rt3200

and I would like to isolate my device from all the rest, that is to say to have an interface in 192.168.3.1 for this device

and the rest of the network in 192.168.2.1

I think that this is to be done thanks to vlan ?

my config actually

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'

@segal_72 maybe you are interested

1 Like

What device are you trying to isolate? The RT3200 itself? Or something connected to it (and if so, is it connected via wireless? wired -- which port?)

Is there another router upstream or is this the only router in the system? If there is another router, what is the upstream router's address?

What is the VPN doing? Is that inbound (road-warrior type config), or is it connecting to another endpoint as a client (such as to a commercial VPN)?

1 Like

hi my other device is a playstation 5 game console

it is connected by cable (wired). The VPN I use sometimes for games, to have more or less high lobbies in my games

a VPN like CyberGhost, for example (commercial)

What port on your router connects to your playstation?

my ps5 is connected to port lan 1

my config network is exactly

modem router (192.168.1.1) --> router OpenWrt --> 192.168.2.1 -- device

[quote="Dopam-IT_1987, post:1, topic:135591"]

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'ps_lan'
	option ports 'lan1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'

This should set up another network... you need to also create a firewall zone for the new network and a DHCP server... but this should work (unless I've made any DSA related errors).

1 Like

every time I try to create a vlan my router interface becomes and rollback apply

i will try your solution thanks

If this doesn't work, you might need to make a bridge with lan1 included, and then use that bridge instead of the direct port description.

1 Like

actually it doesn't work

I have rpc error in the interface

config interface 'ps5_lan'
	option ports 'lan1'
	option type 'bridge '
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'

like this maybe ?

k... try this:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'br-pslan'
	option type 'bridge'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'ps-lan'
	option device 'br-pslan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'

EDIT: Changed the network name from ps_lan to ps-lan.

1 Like

ok great that created the interface correctly

but it's grayed out, now I have to assign it to the firewall by putting it on the lan, right?

firewall zone settings

input reject
output accept
forward reject

masq ticked
clamp ticked

covered pslan

allow destination zone ?

allow forward ?

If you want to isolate it, the best way is to create a new firewall zone.

1 Like

yes I will do that I think it's the same principle as vpn

but in the last two firewalls

I put nothing in allow and

I think I have to check lan

in the second part?

post your current /etc/config/firewall file.

config zone
	option name 'Gaming'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'ps_lan'

config forwarding
	option src 'lan'
	option dest 'Gaming'

Turn off masquerading.
For now, set input to ACCEPT -- this way the router will be able to provide DHCP and DNS services to your playstation. We'll change that later, but this reduces some variables in the config.

If you want to allow your playstation access to the internet, add the following:

config forwarding
	option src 'Gaming'
	option dest 'wan'

1 Like

I think I understand I have to create a dhcp server in the interface is that right?

Yup. Create the DHCP server and then restart the router to make sure that everything is active. You may want to use a regular wired computer for your initial test (easier than using the PS for this purpose).

1 Like

yes thank you, I tried to do the same by creating for the PC, here is the config

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'br-pslan'
	option type 'bridge'
	list ports 'lan1'

config device
	option name 'br-pclan'
	option type 'bridge'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'ps_lan'
	option device 'br-pslan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'  

config interface 'br-PC'
	option device 'br-pclan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.4.1'

config zone
	option name 'Gaming'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'ps_lan'

config forwarding
	option src 'Gaming'
	option dest 'wan'

config zone
	option name 'OFFICE'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'pc_lan'

config forwarding
	option src 'OFFICE'
	option dest 'wan'

but I have this error

RPCError

RPC call to uci/get failed with ubus code 9: Unspecified error at ClassConstructor.handleCallReply (http://192.168.2.1/luci-static/resources/rpc.js?v=git-22.213.35949-d09fbe0:15:3)

use a dash ("-") not an underscore ("_")

EDIT: my apologies -- it appears that I gave you the config example with an underscore. My mistake.

2 Likes
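
A cross-reference check for the configs in this thread, added here as an example and not posted by any participant: it parses UCI text and reports firewall zones whose `list network` names no defined interface (as with `pc_lan` versus `br-PC` in the last config), plus any forwarding that joins `lan` to one of the isolated zones. The function names and the merged sample string are assumptions made for the example.

```python
import re

# Constructed sample: interface, zone and forwarding sections from the last
# config posted in the thread, merged into one string (values single-quoted).
SAMPLE = """
config interface 'lan'
	option device 'br-lan'
config interface 'ps_lan'
	option device 'br-pslan'
config interface 'br-PC'
	option device 'br-pclan'
config zone
	option name 'Gaming'
	list network 'ps_lan'
config forwarding
	option src 'Gaming'
	option dest 'wan'
config zone
	option name 'OFFICE'
	list network 'pc_lan'
config forwarding
	option src 'OFFICE'
	option dest 'wan'
"""

def parse_uci(text):
    """Return sections as {'type', 'name', 'opts': {key: [values]}}."""
    sections = []
    pat = r"^[ \t]*(config|option|list)[ \t]+(\S+)(?:[ \t]+'([^']*)')?"
    for kind, key, val in re.findall(pat, text, re.M):
        if kind == "config":
            sections.append({"type": key, "name": val, "opts": {}})
        elif sections:
            sections[-1]["opts"].setdefault(key, []).append(val)
    return sections

def audit(text, trusted="lan", isolated=("Gaming", "OFFICE")):
    """Hypothetical helper: (dangling zone networks, forwardings to review)."""
    secs = parse_uci(text)
    ifaces = {s["name"] for s in secs if s["type"] == "interface"}
    # A zone network with no matching interface section covers no traffic.
    dangling = sorted((s["opts"].get("name", ["?"])[0], n) for s in secs
                      if s["type"] == "zone"
                      for n in s["opts"].get("network", []) if n not in ifaces)
    fwd = {(s["opts"]["src"][0], s["opts"]["dest"][0])
           for s in secs if s["type"] == "forwarding"}
    # Forwardings that join the trusted zone to an isolated zone, either way.
    crossing = sorted(f for f in fwd if trusted in f and set(f) & set(isolated))
    return dangling, crossing
```

On the sample, `audit(SAMPLE)` reports the `OFFICE` zone's `pc_lan` as dangling and no forwarding between `lan` and the isolated zones; appending the earlier `lan` to `Gaming` forwarding makes it show up in the second list.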