Help me understand the switch and vlans

Hello lovely people of OpenWrt!

I am trying to set up a separate network for my kids that uses OpenDNS, Adblocking and a whole bunch of other DNS based content filtering using this (KidSafe WiFi, Forced SafeSearch and Adblock) awesome guide. I have run into a bit of a snag though. The kid's network for some reason requires that my 'lan' network (the main or "adult" network) have masquerading turned on. I would like for the two networks to be independent of one another. The masquerading needs to be on anyways for my vpn to work, but this shouldn't have anything to do with the kid's network.

Second, in the config files I set both networks to be bridges. I am assuming this is wrong as my main network loses DHCP for clients when the kid's net is a bridge. If I comment that line out, I get DHCP back. I am pretty certain it is because I have created vlans incorrectly. I am trying to fix this but I am having trouble understanding how the switch and vlan configurations work in the first place. Here is my network config:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '1.1.1.1 1.0.0.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'
        option vid '2'

config interface 'kidsvlan'
        option type 'bridge'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option dns '208.67.222.123 208.67.220.123'
        option ipaddr '192.168.2.1'

And here is the switch configuration per the wiki:
[screenshot: switch port / VLAN layout diagram from the wiki]

I can't quite figure out how ports 4, 5 and 6 work. According to my network config file eth1 is my WAN/Internet, but the wiki has eth0 (which is what my 'lan' network uses) on the same line as the Internet...? This doesn't seem right to me but I'm definitely not an expert so I would greatly appreciate it if someone could help me understand this. Thanks!

I'm not terribly familiar with the WRT units, but, in general, for a four-LAN, one-WAN, two-Ethernet phy device:

  • One VLAN is used to connect the four switch ports that are used for LAN connections to one of the two Ethernet interfaces.

  • One VLAN is used to connect the switch port that is used for WAN to the other Ethernet interface.

Based on that diagram:

  • VLAN 1 "wires" the four LAN ports to eth1
  • VLAN 2 wires the WAN port to eth0

Your config looks consistent with that.

If you've got one or more additional VLANs, such as for guest or IoT networks, they need to be on a different VLAN from the ones used for LAN and WAN wiring.

config interface 'kidsvlan'
        option type 'bridge'
        option ifname 'eth0.2'

looks like you're reusing VLAN 2 for your kidsvlan. As a result, it's wired to your WAN interface port.

If you're not allowing guest or IoT net access over the wire (just wireless), then you don't need to change your switch at all (assuming you have distinct VLANs for each network, which you should). You will need to configure the eth1.NNNN VLAN as an interface, assign it a different subnet, enable DHCP on the interface (or at least not disable it), and set up firewall rules to prevent VLAN-to-VLAN routing that you don't want.

If you do want wired access to those "new" VLANs/networks, typically they are connected as tagged to the Ethernet interface used for LAN.


If you're not allowing guest or IoT net access over the wire (just wireless), then you don't need to change your switch at all (assuming you have distinct VLANs for each network, which you should).

So the above excerpt from my network config file is all the vlans that I have. That being said, are you saying that I need to create an additional vlan for the kidsvlan (I mean it is in the name)? Or are you saying that if the kid's net isn't going to be connected to the physical (wired) ports then I don't need to worry about that?

You will need to configure the eth1.NNNN VLAN as an interface, assign it a different subnet, enable DHCP on the interface...

I just attempted to assign the kidsvlan to eth1.2 and lost DHCP on my main 'lan' network again. Here's what I tried:

config interface 'kidsvlan'
        option type 'bridge'
        option ifname 'eth1.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option dns '208.67.222.123 208.67.220.123'
        option ipaddr '192.168.2.1'

I can only assume this is not what you meant. I'm sorry I'm so slow... I thought I had a grasp on this when I started this endeavour but now I am committed! I appreciate your help.

kidsvlan is "just" a convenient name so that it can more easily be referred to in other config (and, I'm guessing, show up in LuCI with something meaningful).

Try something like:

config interface 'kidsvlan'
        option type 'bridge'
        option ifname 'eth1.10'
        option proto 'static'
        option netmask '255.255.255.0'
        option dns '208.67.222.123 208.67.220.123'
        option ipaddr '192.168.2.1'

to put it on VLAN 10 (to pick a number between 0 and 4095 -- anything other than 0 and 4095, which are reserved, or 1 and 2, which are already in use, should be OK). You should also check that DHCP is enabled for that subnet. Probably the easiest is to go into LuCI. That will probably get you up and running, but traffic may still be routed between your "LAN" and "kidsvlan". To prevent that, you'll need some firewall rules that prevent forwarding between the zones that the OpenWrt firewall configuration defines.

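To fill in the DHCP and firewall pieces the reply above leaves open, here is an added example (not from the original posts or from OpenWrt itself) of the three UCI fragments that go together for a wireless-only kids network on VLAN 10. It assumes the stock 'lan' and 'wan' zone names in /etc/config/firewall, the swconfig-style (`ifname`) syntax the thread uses, and that the kids SSID is attached with `option network 'kidsvlan'` in /etc/config/wireless; the zone name 'kids' and the DHCP range are chosen here, not taken from the thread.

```ini
# /etc/config/network  (appended; the switch_vlan sections stay as they were)
config interface 'kidsvlan'
        option type 'bridge'
        option ifname 'eth1.10'          # VID 10: unused by the switch VLANs 1 and 2
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option dns '208.67.222.123 208.67.220.123'
# For wired access you would add a switch_vlan with vid 10 that lists the
# wanted LAN ports plus the CPU port tagged ('t' suffix); port numbers are
# device specific, so none are given here.

# /etc/config/dhcp  (appended): dnsmasq serves leases on this bridge
config dhcp 'kidsvlan'
        option interface 'kidsvlan'
        option start '100'               # 192.168.2.100 ..
        option limit '150'               # .. 192.168.2.249
        option leasetime '12h'

# /etc/config/firewall  (appended): own zone, no path to 'lan'
config zone
        option name 'kids'
        option network 'kidsvlan'
        option input 'REJECT'            # router services only via rules below
        option output 'ACCEPT'
        option forward 'REJECT'          # no kids -> lan, since no forwarding is declared for it

config forwarding                        # Internet only, through the existing wan zone
        option src 'kids'
        option dest 'wan'

config rule                              # let clients obtain leases from the router
        option name 'kids-dhcp'
        option src 'kids'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule                              # let clients use the router's filtered resolver
        option name 'kids-dns'
        option src 'kids'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
```

After editing, `/etc/init.d/network restart`, `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart` apply the three files; masquerading stays on the wan zone where the VPN already needs it, and nothing here touches the 'lan' zone.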

That appears to have worked!! Thank you!
