Help request to create vLans

Hello, I am looking for some help in creating vLans for my basic home network. My goal is to create 3 vLans, one for my gaming device, another for my work pc, a third for a shared pc.

I think the best way to approach this is to lay out my understanding and settings and if there are any mistakes can someone please point them out, thank you!

—————-
My scheme is:

ONT ->

TP-Link Archer C7 v5 with OpenWrt as router. ->

TP-Link sg108e switch. ->

User devices obtain networking capabilities from switch.
————————

Since I am connecting a router to a switch, if I understand correctly, the port connecting the two has to be tagged? I did this on vLan 4, I left eth0 as tagged as well, but I think that might be wrong because why would the connection between router and switch involve eth0 on this network level.

Next I believe I need to manage the vLans in the switch interface. I left DHCP settings as enabled in the DHCP settings.

In the 802.1q vLan settings, here I would create 1 vLan for a tagged connection to the router and 3 untagged vLan connections to my end point user devices?

Connection between switch and router:

Then create 3 untagged vLans for each for my desired devices.

Example connection from switch to user device:

After this I would have to add the vLans to the 802.1Q PVID settings and create an interface for each vLan in the openwrt interface settings.

Does this set up seem correct? Can someone please point out any errors or misunderstandings. I’ve been trying to apply vLans to my network for a while now and keep bringing my network down and we all rely heavily on the network now, so I’m trying to avoid bringing the network down again.

Thank you,

Mateusz

Are all the devices being attached via the switch? If so then the port on the router, and corresponding port on the switch, will need to be tagged with all the VLANs that you want to use.

Each port that you're going to connect an end device to on the switch will need to be added to the appropriate VLAN as an untagged port. You don't need to do anything in the 802.1Q PVID settings.

Hi Krazeh, thanks for your reply.

Yes, all devices receive their connections from the switch. The router’s lan4 port connects to the switches lan8 port.

Using your advice, I created my 3 vLans, vLan7, vLan6 and vLan5. I made all of them tagged on port 4 in the openwrt vLan settings. (Also, is it okay that the eth0 port is tagged and the lan4 port is tagged on these vLans? )

Next in my switch I made my 3 vLans all tagged on port 8 and untagged on their user device connection port.

Is this the correct execution of your advice? Thank you.

Yeah, that looks right.

1 Like

The tagged and untagged ports make much more sense now, thanks for filling that gap for me krazeh.

Unfortunately, my entire network goes down when I create an interface for my vLan? I don’t think this is supposed to happen and even with the firewall zone set up my entire network remains down.

When looking at the interfaces via ssh, I do see the interface eth0.7 with the IPs I assigned.

Looking at the switch vLan interface, I am curious if the default vLan 1 interface needs to be adjusted. I created the vLan 7 interface using the guidelines posted above.

Can someone please advise on why the network goes down and how to properly set up the interface and firewall zone settings?

Thank you.

Why does eth0.7 have a public IP address?

Can you copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;

Currently there is no vLans on my network, so I can access the internet. Not sure if this helps, but these are the results of running the commands on my current network.

I will reapply the vlan settings posted above and post the output of the commands as well.


BusyBox v1.31.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SFE, r13152-5019a06fc1
 -----------------------------------------------------
root@OpenWrt:~# uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc7:5059:d813::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'REDACTED'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
	option vid '7'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt 5GHz'
	option encryption 'psk2'
	option key 'REDACTED'
	option ieee80211w '1'
	option ieee80211w_max_timeout '1000'
	option ieee80211w_retry_timeout '201'
	option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vLan7'
	option interface 'vLan7'
	option start '100'
	option limit '150'
	option leasetime '12h'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet REDACTED  brd REDACTED scope global eth0.2
       valid_lft forever preferred_lft forever
34: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via REDACTED dev eth0.2 proto static src REDACTED 
REDACTED dev eth0.2 proto kernel scope link src REDACTED 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
broadcast REDACTED dev eth0.2 table local proto kernel scope link src REDACTED 
local REDACTED dev eth0.2 table local proto kernel scope host src REDACTED
broadcast REDACTED dev eth0.2 table local proto kernel scope link src REDACTED 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default


I assume that your WAN interface currently has a public IP?

Yes, my WAN interface has a public IPv4 address. It's the same IP assigned to my laptop I use to manage the network.

Good news to report, I've created the vLan7 interface and my entire network didn't go down.

I changed my IPv4 gateway address to the wan IPv4 recommended by LuCi, which was my wan public ip address with the last octet being 1. I'm new to networking still, so it didn't quite click that my gateway shouldn't be a random IP address if I want the vLan traffic to actaully connect to the internet via a gateway.

Now the network doesn't go down, but the wired connection from port 7 in my switch doesn't deliver internet to the end user device.

Also here are the results from running the command you posted above, now with the vLan7 interface on my network:


BusyBox v1.31.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SFE, r13152-5019a06fc1
 -----------------------------------------------------
root@OpenWrt:~# uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc7:5059:d813::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'REDACTED'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
	option vid '7'

config interface 'vLan7'
	option proto 'static'
	option ifname 'eth0.7'
	option ipaddr '192.168.7.3'
	option netmask '255.255.255.0'
	option gateway 'X.X.X.1'
	option broadcast '192.168.7.255'
	list dns '8.8.8.8'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt 5GHz'
	option encryption 'psk2'
	option key REDACTED
	option ieee80211w '1'
	option ieee80211w_max_timeout '1000'
	option ieee80211w_retry_timeout '201'
	option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vLan7'
	option interface 'vLan7'
	option start '100'
	option limit '150'
	option leasetime '12h'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vLan7'
	option network 'vLan7'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'vLan7'
	option dest 'wan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet X.X.X.195/24 brd X.X.X.255 scope global eth0.2
       valid_lft forever preferred_lft forever
34: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
37: eth0.7@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.7.3/24 brd 192.168.7.255 scope global eth0.7
       valid_lft forever preferred_lft forever
default via X.X.X.1 dev eth0.2 proto static src X.X.X.195 
X.X.X.0/24 dev eth0.2 proto kernel scope link src X.X.X.195 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.7.0/24 dev eth0.7 proto kernel scope link src 192.168.7.3 
broadcast X.X.X.0 dev eth0.2 table local proto kernel scope link src X.X.X.195 
local X.X.X.195 dev eth0.2 table local proto kernel scope host src X.X.X.195 
broadcast X.X.X.255 dev eth0.2 table local proto kernel scope link src X.X.X.195 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.7.0 dev eth0.7 table local proto kernel scope link src 192.168.7.3 
local 192.168.7.3 dev eth0.7 table local proto kernel scope host src 192.168.7.3 
broadcast 192.168.7.255 dev eth0.7 table local proto kernel scope link src 192.168.7.3 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Change vLan7 to

config interface 'vLan7'
	option proto 'static'
	option ifname 'eth0.7'
	option ipaddr '192.168.7.3'
	option netmask '255.255.255.0'

I went into /etc/config/ and edited the network interface vLan 7 so it now has the ip address 192.168.7.3 and the 255.255.255.0 netmask and removed the gateway and broadcast and reset the vLan 7 network.

Unfortunately the device still does not receive internet over ethernet cable. Am I missing something simple like a lan or wan reset? Or possibly plugging the ethernet in and out the router or switch?

Your continued support is appreciated, if you could advise again that would be greatly appreciated. Thank you.

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc7:5059:d813::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'REDACTED'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
	option vid '7'

config interface 'vLan7'
	option proto 'static'
	option ifname 'eth0.7'
	option ipaddr '192.168.7.3'
	option netmask '255.255.255.0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt 5GHz'
	option encryption 'psk2'
	option key 'REDACTED'
	option ieee80211w '1'
	option ieee80211w_max_timeout '1000'
	option ieee80211w_retry_timeout '201'
	option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vLan7'
	option interface 'vLan7'
	option start '100'
	option limit '150'
	option leasetime '12h'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vLan7'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'vLan7'
	option dest 'wan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet X.X.X.195/24 brd X.X.X.255 scope global eth0.2
       valid_lft forever preferred_lft forever
34: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
41: eth0.7@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.7.3/24 brd 192.168.7.255 scope global eth0.7
       valid_lft forever preferred_lft forever
default via X.X.X.1 dev eth0.2 proto static src X.X.X.195 
X.X.X.0/24 dev eth0.2 proto kernel scope link src X.X.X.195 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.7.0/24 dev eth0.7 proto kernel scope link src 192.168.7.3 
broadcast X.X.X.0 dev eth0.2 table local proto kernel scope link src X.X.X.195 
local X.X.X.195 dev eth0.2 table local proto kernel scope host src X.X.X2.195 
broadcast X.X.X.255 dev eth0.2 table local proto kernel scope link src X.X.X.195 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.7.0 dev eth0.7 table local proto kernel scope link src 192.168.7.3 
local 192.168.7.3 dev eth0.7 table local proto kernel scope host src 192.168.7.3 
broadcast 192.168.7.255 dev eth0.7 table local proto kernel scope link src 192.168.7.3 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Add list dhcp_option '6,192.168.1.1' to the DHCP config for vLan7.

I've added the additional DHCP option of 6,192.168.1.1 , the end device is still not receiving an internet connection.

I was looking at a thread from someone who wants the same set up and is experiencing the same issues as me, No internet with VLANs, something I noticed was in their vLan config interfaces, the had an option type 'bridge' included in the config. I did some reading and bridging vlans can help them discover the topology of the network, but am not sure if it is needed in my instanced.

Here are the vLan7 details from the network output:

config interface 'vLan7'
	option proto 'static'
	option ifname 'eth0.7'
	option ipaddr '192.168.7.3'
	option netmask '255.255.255.0'

config dhcp 'vLan7'
	option interface 'vLan7'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.1'

config zone
	option name 'vLan7'
	option network 'vLan7'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'vLan7'
	option dest 'wan'


Is there anything else you could recommend? Thanks for all the support thus far.

Has the end device got an IP in the correct subnet? Double check the firewall zones and forwardings on the router.

1 Like

Did some troubleshooting, and found that the ports on my router are labeled in reverse from the the port labels in LuCi. Fixed this and created new switch settings, a new interface and firewall. Sorry for this basic mix up, but it's fixed now. Now my switch delivers internet to non vLan connections.

Unfortunately, my end user device on my vLan is still not connecting to the internet?

On the target device, I set the ip configuration to manual and entered the details below. For the gateway, should I be putting the same IP that my WAN has, even with the same ending octet? The IP address I assigned is within the subnet I gave and within the /24 convention.

Thank you.

If the vlan is working correctly you should be able to use DHCP. If not then there's still an issue somewhere.

1 Like

I am able to connect with DHCP, so that looks good! But my internal IPv4 is on the 192.168.1.X subnet, if I created the vLan with the 192.168.7.X subnet, shouldn't the device's internal IP be 192.168.7.X?

Thank you for all your help Krazeh!

can you post your latest config files (network. DHCP, firewall)?

I assume the end device is plugged into the correct port on the switch? Make sure the switch port is only used by vlan 7.