Help with Configuring multiple DHCP's on VLANS

Hi All,

I'm new to OpenWRT, and have basic knowledge of networking (I understand IP ranges etc. and the concepts of VLANs).

What I want is the following:
I have my current broadband router - currently Sky, soon to move.
That is connected to a GS724T v4, which is then connected to another GS724T v3. Both are capable of VLANs but they are not currently in use.

I have Pi-hole running on a VM, running on a physical PC.
I have Home Assistant running on a VM, running on a physical PC.
I have a Synology which hosts the iSCSI for the above PCs.

Multiple wired and wireless devices, a mixture of tablets etc. and "smart devices".

What I am looking for:
On my OpenWRT (TL-WR743ND) I want to run multiple DHCP servers, using the Pi-hole for DNS and pointing to the Sky router as the gateway.

A) VLAN for the home automation + Home Assistant (smart devices and the Home Assistant) - Home Assistant needs internet access but the smart devices do not.

B) VLAN for security - CCTV/alarm etc., which will need to feed into Home Assistant (on VLAN A) - (may be better to merge the two?). Ideally also viewable from mobile devices, which would be on the C VLAN.

C) VLAN for home desktop etc. - main computing use.

D) VLAN for guest devices (may not be needed if the broadband provider's network allows connection straight out without being able to come back into one of the VLANs above).

The TL-WR743ND won't be connecting to the internet directly, and won't be used for WiFi - purely just DHCP for multiple VLANs.

I would then hang an old router off each VLAN to act as a WiFi AP as required (A and C and possibly D), disabling the WiFi on the OpenWRT and the provider's router.

So firstly, would this work, and is there a better/easier way at minimal/no cost?
Secondly, can someone give me high-level steps on how to implement it? I have found a few YouTube guides on creating VLANs on OpenWRT, but high-level steps for the entire process would be good - things to look out for?

The OpenWRT install is fresh - the only thing I have changed is the default password.

You'd need to create the interfaces for each VLAN. Then a DHCP server should be created by default. Change options 3 for the default gateway and 6 for the nameserver.


Thanks - I've managed to do this:



Which I think is right for the VLANs. DHCP seems to give me an IP in the correct range for each VLAN; the next step I'm struggling with is to get each VLAN to talk to the main router and out to the internet - currently on VLAN 1.

Very good. Now you need to assign the interfaces to firewall zones to allow the inter-zone traffic.
Currently only lan is assigned to the lan zone.


Sorry - I've banged my head for a few days trying to understand this. Any more details, or a link to a guide/howto?

Go to the Network > Firewall page in LuCI. At the bottom, click the Add button to create a new zone. Give it a name and configure the policies for INPUT, OUTPUT, and FORWARD. Select the covered networks from the drop-down list. Finally, select from the "Allow forward to destination zones" drop-down list to allow outgoing traffic to another zone, e.g. towards wan if you want this zone to access the internet. Or you can select a zone from "Allow forward from source zones" if you want to allow incoming traffic from another zone, e.g. if you have a new IoT zone and you want to allow traffic from the lan zone, but not vice versa, and also to the internet, then you'll configure "to wan" and "from lan".


Thanks Trendy. Unfortunately I still cannot access anything from a device on the 192.168.3.x network, or ping a device on the 192.168.1.x network, apart from the router itself!

Just to double check, I have 4 ports + WAN on my router.

I have port 1 = LAN (eth0.1)
port 2 = VLAN2 (eth0.2)
port 3 = VLAN3 (eth0.3)
port 4 = VLAN4 (eth0.4)

I have a cable in port 1 going to my existing network, and have set it with a static IP.
I can access the interface from the 192.168.1.x IP device.

I have a laptop connected to port 3 - it has picked up a 192.168.3.x IP, and also lists the OpenWrt router as the gateway, a 192.168.3.x IP address.

On the firewall I added a new rule - called newzone -
where vlan2, vlan3 and vlan4 have accept on input/output/forward to lan and wan, where lan is the eth0.1 device.

I've fiddled with the config more than I think I should have, so I will revert to defaults and start creating VLANs again, but I just want to check if I have cabled correctly for the test I am trying to do?

Or have I completely got this wrong somewhere?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

So I reset to OpenWrt defaults and started again, made the 4 VLANs and added them into the LAN group for testing... (if that works then I can create a new group and split them off!)

Output from the commands below:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "4.9.243",
        "hostname": "OpenWrt",
        "system": "Atheros AR7240 rev 2",
        "model": "TP-Link TL-WR743N\/ND v1",
        "board_name": "tl-wr741nd",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.9",
                "revision": "r8077-7cbbab7246",
                "target": "ar71xx\/tiny",
                "description": "OpenWrt 18.06.9 r8077-7cbbab7246"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd55:5794:aa6d::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.251'
        option delegate '0'
        option ifname 'eth0.1'
        option gateway '192.168.1.1'
        option dns '192.168.1.247'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 1t 2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 1t 3'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '0t 1t 4'

config interface 'VLAN2'
        option proto 'static'
        option ifname 'eth0.2'
        option ipaddr '192.168.2.251'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '192.168.1.247'

config interface 'VLAN3'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '192.168.3.251'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '192.168.1.247'

config interface 'VLAN4'
        option proto 'static'
        option ifname 'eth0.4'
        option ipaddr '192.168.4.251'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '192.168.1.247'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN2'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN2'

config dhcp 'VLAN3'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN3'

config dhcp 'VLAN4'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan VLAN2 VLAN4 VLAN3'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.251/24 brd 192.168.2.255 scope global eth0.2
       valid_lft forever preferred_lft forever
6: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.251/24 brd 192.168.3.255 scope global eth0.3
       valid_lft forever preferred_lft forever
7: eth0.4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.4.251/24 brd 192.168.4.255 scope global eth0.4
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.251/24 brd 192.168.1.255 scope global eth0.1
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.1
192.168.1.0/24 dev eth0.1 scope link  src 192.168.1.251
192.168.2.0/24 dev eth0.2 scope link  src 192.168.2.251
192.168.3.0/24 dev eth0.3 scope link  src 192.168.3.251
192.168.4.0/24 dev eth0.4 scope link  src 192.168.4.251
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev eth0.1 table local scope link  src 192.168.1.251
local 192.168.1.251 dev eth0.1 table local scope host  src 192.168.1.251
broadcast 192.168.1.255 dev eth0.1 table local scope link  src 192.168.1.251
broadcast 192.168.2.0 dev eth0.2 table local scope link  src 192.168.2.251
local 192.168.2.251 dev eth0.2 table local scope host  src 192.168.2.251
broadcast 192.168.2.255 dev eth0.2 table local scope link  src 192.168.2.251
broadcast 192.168.3.0 dev eth0.3 table local scope link  src 192.168.3.251
local 192.168.3.251 dev eth0.3 table local scope host  src 192.168.3.251
broadcast 192.168.3.255 dev eth0.3 table local scope link  src 192.168.3.251
broadcast 192.168.4.0 dev eth0.4 table local scope link  src 192.168.4.251
local 192.168.4.251 dev eth0.4 table local scope host  src 192.168.4.251
broadcast 192.168.4.255 dev eth0.4 table local scope link  src 192.168.4.251
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~#

Remove the gateways and DNS from VLAN2/3/4. They are not reachable from these interfaces, only from lan.
Another thing is that you are not using the wan interface for internet. Therefore you need to make a few adjustments in the lan firewall zone.
Masquerade must be enabled, otherwise the upstream router must have a route for the additional subnets.
Also it would be better to exclude masquerading from the traffic between the VLANs: use the masq_dest option with the VLAN subnets, prefixed with ! for negation.


Cheers,

With the WAN/WAN6 - would it simplify things if I just deleted the interfaces?

For ref, this is what my output looks like now:

> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "4.9.243",
        "hostname": "OpenWrt",
        "system": "Atheros AR7240 rev 2",
        "model": "TP-Link TL-WR743N\/ND v1",
        "board_name": "tl-wr741nd",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.9",
                "revision": "r8077-7cbbab7246",
                "target": "ar71xx\/tiny",
                "description": "OpenWrt 18.06.9 r8077-7cbbab7246"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd55:5794:aa6d::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.251'
        option delegate '0'
        option ifname 'eth0.1'
        option gateway '192.168.1.1'
        option dns '192.168.1.247'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 1t 2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 1t 3'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '0t 1t 4'

config interface 'VLAN2'
        option proto 'static'
        option ifname 'eth0.2'
        option ipaddr '192.168.2.251'
        option netmask '255.255.255.0'

config interface 'VLAN3'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '192.168.3.251'
        option netmask '255.255.255.0'

config interface 'VLAN4'
        option proto 'static'
        option ifname 'eth0.4'
        option ipaddr '192.168.4.251'
        option netmask '255.255.255.0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        list server '192.168.1.247'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN2'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN2'

config dhcp 'VLAN3'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN3'

config dhcp 'VLAN4'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan VLAN2 VLAN4 VLAN3'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.251/24 brd 192.168.1.255 scope global eth0.1
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.251/24 brd 192.168.2.255 scope global eth0.2
       valid_lft forever preferred_lft forever
10: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.251/24 brd 192.168.3.255 scope global eth0.3
       valid_lft forever preferred_lft forever
11: eth0.4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.4.251/24 brd 192.168.4.255 scope global eth0.4
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.1
192.168.1.0/24 dev eth0.1 scope link  src 192.168.1.251
192.168.2.0/24 dev eth0.2 scope link  src 192.168.2.251
192.168.3.0/24 dev eth0.3 scope link  src 192.168.3.251
192.168.4.0/24 dev eth0.4 scope link  src 192.168.4.251
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev eth0.1 table local scope link  src 192.168.1.251
local 192.168.1.251 dev eth0.1 table local scope host  src 192.168.1.251
broadcast 192.168.1.255 dev eth0.1 table local scope link  src 192.168.1.251
broadcast 192.168.2.0 dev eth0.2 table local scope link  src 192.168.2.251
local 192.168.2.251 dev eth0.2 table local scope host  src 192.168.2.251
broadcast 192.168.2.255 dev eth0.2 table local scope link  src 192.168.2.251
broadcast 192.168.3.0 dev eth0.3 table local scope link  src 192.168.3.251
local 192.168.3.251 dev eth0.3 table local scope host  src 192.168.3.251
broadcast 192.168.3.255 dev eth0.3 table local scope link  src 192.168.3.251
broadcast 192.168.4.0 dev eth0.4 table local scope link  src 192.168.4.251
local 192.168.4.251 dev eth0.4 table local scope host  src 192.168.4.251
broadcast 192.168.4.255 dev eth0.4 table local scope link  src 192.168.4.251
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

I think it would be simpler to connect the OpenWrt to the upstream router on the wan port. If you need to access the router from the 192.168.1.0/24 subnet you can add a few rules in the firewall to allow ports tcp/22 and tcp/80.
Other than that, the config looks better now.


So I would have my home router on, say, 192.168.0.1;
OpenWrt would connect and have a WAN IP of 192.168.0.2;
then LAN1 would become VLAN1 and have an IP of 192.168.1.1,
LAN2 would become VLAN2 and have an IP of 192.168.2.1,
LAN3 would become VLAN3 and have an IP of 192.168.3.1,
LAN4 would become VLAN4 and have an IP of 192.168.4.1.

With the firewall I would then limit client IP + port connections between the various VLANs,
and on the switches I have (Netgear) I can then tag ports to each of these VLANs for wider use.

Just out of a lack of understanding: would that imply that all traffic from one VLAN to another MUST go via this router? But traffic within the same VLAN can bounce around via the Netgears without touching this router once it has picked up an IP address? (Just wondering if it's worth looking into a device with 10/100/1000 for the OpenWrt!)

Yes, that is correct.

Yes, but that would be the case in either way.


Thanks for confirming.

Hopefully the last question - if I have a zone, say HomeAuto, which has reject on forwarding, does that limit all traffic to stay within that zone?

Then I can specify specific traffic rules to allow specific devices to connect via specific ports to the WAN? Have I understood that correctly?

And the same for the other way around - anything from WAN currently has forwarding rejected, so I would need to put in a traffic rule to let a specific device connect in over a specified port?
If so, what would be the destination for accessing the OpenWRT interface from the WAN side of the network? (Only needed while setting up; once it's "live" this will be disabled unless needed.)

Correct.

Correct too.

In IPv4 with only one public IP, a redirect (or port forward) is needed. In IPv6, or in case you have a routed IPv4 subnet, a rule is needed.

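Added example (mine, not code from the thread or from OpenWrt) that lints a `uci export network; uci export firewall` dump for the two points raised above: Trendy's note that a gateway outside an interface's own subnet is unreachable from that interface, and the question of which networks a zone's forward policy and the forwardings actually let traffic pass between. The sample dump is a constructed excerpt modelled on the posted config; the `iot` zone and the lan-to-iot forwarding are assumed additions.

```python
"""Lint a uci export dump: flag gateways outside their interface's subnet
and list the network-to-network forwards the firewall zones allow."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the posted config; the 'iot' zone is assumed.
SAMPLE = """\
package network
config interface 'lan'
        option ipaddr '192.168.1.251'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

config interface 'VLAN2'
        option ipaddr '192.168.2.251'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

config interface 'VLAN3'
        option ipaddr '192.168.3.251'
        option netmask '255.255.255.0'

package firewall
config zone
        option name 'lan'
        option forward 'ACCEPT'
        option network 'lan VLAN2'

config zone
        option name 'iot'
        option forward 'REJECT'
        option network 'VLAN3'

config zone
        option name 'wan'
        option forward 'REJECT'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iot'
"""
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
KV_RE = re.compile(r"^\s+(option|list)\s+(\S+)\s+'?(.*?)'?\s*$")


def parse_uci(text):
    """Return {package: [{'type', 'name', 'opts'}]}; list values become lists."""
    packages = defaultdict(list)
    package = section = None
    for line in text.splitlines():
        if line.startswith("package "):
            package = line.split(None, 1)[1].strip()
        elif m := SECTION_RE.match(line):
            section = {"type": m.group(1), "name": m.group(2), "opts": {}}
            packages[package].append(section)
        elif (m := KV_RE.match(line)) and section is not None:
            kind, key, value = m.groups()
            if kind == "list":
                section["opts"].setdefault(key, []).append(value)
            else:
                section["opts"][key] = value
    return packages


def unreachable_gateways(packages):
    """(interface, gateway, subnet) where the gateway is outside the subnet."""
    bad = []
    for sec in packages["network"]:
        o = sec["opts"]
        if sec["type"] != "interface" or "gateway" not in o or "ipaddr" not in o:
            continue
        iface = ipaddress.ip_interface(f"{o['ipaddr']}/{o.get('netmask', '32')}")
        if ipaddress.ip_address(o["gateway"]) not in iface.network:
            bad.append((sec["name"], o["gateway"], str(iface.network)))
    return bad


def allowed_forwards(packages):
    """(src_network, dst_network) pairs the firewall forwards: inside a zone
    its own forward policy decides, between zones only a forwarding opens it."""
    zone_of, policy = {}, {}
    for sec in packages["firewall"]:
        if sec["type"] == "zone":
            nets = sec["opts"].get("network", "")
            for net in (nets if isinstance(nets, list) else nets.split()):
                zone_of[net] = sec["opts"]["name"]
            policy[sec["opts"]["name"]] = sec["opts"].get("forward", "REJECT")
    pairs = {(z, z) for z, pol in policy.items() if pol == "ACCEPT"}
    pairs |= {(s["opts"]["src"], s["opts"]["dest"])
              for s in packages["firewall"] if s["type"] == "forwarding"}
    return {(a, b) for a, za in zone_of.items() for b, zb in zone_of.items()
            if a != b and (za, zb) in pairs}


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE)
    print("gateways to remove:", unreachable_gateways(cfg))
    print("allowed forwards:", sorted(allowed_forwards(cfg)))
```

Run against your own dump by piping `uci export network; uci export firewall` into `parse_uci`; VLAN3 in the `iot` zone reaches nothing while lan may reach it, which is the one-way IoT arrangement described earlier in the thread.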

@trendy
Thank you for all your help!

My config looks like this for now:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "4.9.243",
        "hostname": "OpenWrt",
        "system": "Atheros AR7240 rev 2",
        "model": "TP-Link TL-WR743N\/ND v1",
        "board_name": "tl-wr741nd",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.9",
                "revision": "r8077-7cbbab7246",
                "target": "ar71xx\/tiny",
                "description": "OpenWrt 18.06.9 r8077-7cbbab7246"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd55:5794:aa6d::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ifname 'eth0.1'
        option ipaddr '192.168.10.251'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option delegate '0'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 1t 2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 1t 3'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '0t 1t 4'

config interface 'VLAN2'
        option proto 'static'
        option ifname 'eth0.2'
        option ipaddr '192.168.2.251'
        option netmask '255.255.255.0'

config interface 'VLAN3'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '192.168.3.251'
        option netmask '255.255.255.0'

config interface 'VLAN4'
        option proto 'static'
        option ifname 'eth0.4'
        option ipaddr '192.168.4.251'
        option netmask '255.255.255.0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        list server '192.168.1.247'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN2'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN2'

config dhcp 'VLAN3'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN3'

config dhcp 'VLAN4'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option network 'VLAN3'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'HA'
        option network 'VLAN4'

config zone
        option name 'Internal'
        option input 'ACCEPT'
        option masq '1'
        option network 'lan'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'Syno_back'
        option masq '1'
        option network 'VLAN2'

config forwarding
        option dest 'wan'
        option src 'Syno_back'

config forwarding
        option dest 'HA'
        option src 'Internal'

config forwarding
        option dest 'Syno_back'
        option src 'Internal'

config forwarding
        option dest 'lan'
        option src 'Internal'

config forwarding
        option dest 'wan'
        option src 'Internal'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'Internal'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.10.251'
        option dest_port '80'
        option name 'manage interface'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'Internal'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '192.168.10.251'
        option dest_port '22'
        option name 'manage interface-SSH'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.1.251/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
5: eth0.2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN qlen 1000
    inet 192.168.2.251/24 brd 192.168.2.255 scope global eth0.2
       valid_lft forever preferred_lft forever
6: eth0.3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN qlen 1000
    inet 192.168.3.251/24 brd 192.168.3.255 scope global eth0.3
       valid_lft forever preferred_lft forever
7: eth0.4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN qlen 1000
    inet 192.168.4.251/24 brd 192.168.4.255 scope global eth0.4
       valid_lft forever preferred_lft forever
9: eth0.1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN qlen 1000
    inet 192.168.10.251/24 brd 192.168.10.255 scope global eth0.1
       valid_lft forever preferred_lft forever

default via 192.168.1.254 dev eth1  src 192.168.1.251
192.168.1.0/24 dev eth1 scope link  src 192.168.1.251
192.168.2.0/24 dev eth0.2 scope link  src 192.168.2.251
192.168.3.0/24 dev eth0.3 scope link  src 192.168.3.251
192.168.4.0/24 dev eth0.4 scope link  src 192.168.4.251
192.168.10.0/24 dev eth0.1 scope link  src 192.168.10.251
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev eth1 table local scope link  src 192.168.1.251
local 192.168.1.251 dev eth1 table local scope host  src 192.168.1.251
broadcast 192.168.1.255 dev eth1 table local scope link  src 192.168.1.251
broadcast 192.168.2.0 dev eth0.2 table local scope link  src 192.168.2.251
local 192.168.2.251 dev eth0.2 table local scope host  src 192.168.2.251
broadcast 192.168.2.255 dev eth0.2 table local scope link  src 192.168.2.251
broadcast 192.168.3.0 dev eth0.3 table local scope link  src 192.168.3.251
local 192.168.3.251 dev eth0.3 table local scope host  src 192.168.3.251
broadcast 192.168.3.255 dev eth0.3 table local scope link  src 192.168.3.251
broadcast 192.168.4.0 dev eth0.4 table local scope link  src 192.168.4.251
local 192.168.4.251 dev eth0.4 table local scope host  src 192.168.4.251
broadcast 192.168.4.255 dev eth0.4 table local scope link  src 192.168.4.251
broadcast 192.168.10.0 dev eth0.1 table local scope link  src 192.168.10.251
local 192.168.10.251 dev eth0.1 table local scope host  src 192.168.10.251
broadcast 192.168.10.255 dev eth0.1 table local scope link  src 192.168.10.251

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Still lots of work to do to start moving devices over to the various different vlans, then I can start closing down the access between them and just forward specific ports etc! Once again thank you for your help and patience with assisting me!

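Before closing down access between the VLANs, it helps to see the zone-to-zone forwarding matrix the posted firewall config actually produces. The following is an added example, not code from the post or from OpenWrt: it parses `uci export` style text (a trimmed subset of the firewall dump above is embedded as constructed sample input) and lists which zones may forward into which, treating a zone's own `forward 'ACCEPT'` as permission to route between that zone's networks, and assuming a zone without a `forward` option defaults to REJECT as in the `config defaults` section.

```python
# Added example (not from the forum post): parse an OpenWrt 'uci export'
# firewall dump and derive which zones may forward traffic into which.
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the firewall config posted above.
SAMPLE = """\
config zone
        option name 'lan'
        option forward 'ACCEPT'
        option network 'VLAN3'
config zone
        option name 'HA'
        option forward 'REJECT'
        option network 'VLAN4'
config zone
        option name 'Internal'
        option forward 'ACCEPT'
        option network 'lan'
config forwarding
        option dest 'HA'
        option src 'Internal'
"""

def parse_uci(text):
    """Return [(section_type, {key: [values]})] from uci export text."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif (m := re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'", line)) and sections:
            sections[-1][1].setdefault(m.group(1), []).append(m.group(2))
    return sections

def forward_matrix(text):
    """Map zone -> set of zones it may forward into; a zone whose own
    'forward' is ACCEPT may route between its networks (listed as itself).
    Assumption: a zone with no 'forward' option defaults to REJECT."""
    zones, allowed = {}, defaultdict(set)
    for kind, opts in parse_uci(text):
        if kind == "zone":
            name = opts["name"][0]
            zones[name] = opts.get("network", [""])[0].split()
            if opts.get("forward", ["REJECT"])[0] == "ACCEPT":
                allowed[name].add(name)
        elif kind == "forwarding":
            allowed[opts["src"][0]].add(opts["dest"][0])
    return zones, dict(allowed)
```

Run `forward_matrix(open("/tmp/fw.txt").read())` against a real `uci export firewall` dump to get the same matrix for the full config; any zone appearing as its own destination, or as a destination of another zone, is a path that still needs narrowing to specific ports.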