Help with VLAN not working

Hello,

I recently upgraded an Archer C7 v2 from OpenWrt v19 to the latest OpenWrt v23. On OpenWrt v19 I was able to connect from (LAN) 192.168.1.1 to (SRV) 10.10.1.1. I recreated all the settings I know of in OpenWrt v23, but I can't find the "Physical Settings" (Bridge Interfaces) tab on the Interfaces page. I think I need to bridge the (SRV) interface to (LAN) to make this work?

LAN (VLAN1) = 192.168.1.1/24

SRV (VLAN10) = 10.10.1.1/24

The Bridge Interfaces setting that's missing:
Openwrt v19

Openwrt v23

Here is the VLAN Switch

Currently the SRV computer is connected to LAN 4 and I'm able to RDP into LAN 2 computer

If I move the SRV computer to LAN 1 (VLAN10), which gives it a 10.10.1.x IP address, and try to RDP into the LAN 2 computer, it does not seem to work.

 ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link Archer C7 v2",
        "board_name": "tplink,archer-c7-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd98:346a:e786::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 3 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'
        option vid '2'

config interface 'wwan'
        option proto 'dhcp'

config interface 'srv'
        option proto 'static'
        option device 'eth1.10'
        list ipaddr '10.10.1.1/24'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '0t 2'
        option vid '10'

config switch_vlan
        option device 'switch0'
        option vlan '6'
        option ports '0t 4'
        option vid '99'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'srv'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'srv'

config forwarding
        option src 'lan'
        option dest 'srv'

ip route show
10.10.1.0/24 dev eth1.10 scope link  src 10.10.1.1
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1

Thank you

Downgrade back to v19, restore the backup, and proceed with upgrading one release at a time, as written in the release notes.
Vlan 2 and 99 physical cables are not connected.

Assuming that you started from a default 23.05 config and then recreated your previous configuration (this seems to be the case based on your OP), you don't need to do any rollback.

It appears to me that you are trying to use the srv (VLAN 10) network on both ethernet and wifi, is that correct? If so:

Create a bridge:

config device
        option name 'br-srv'
        option type 'bridge'
        list ports 'eth1.10'

Then edit srv to use the bridge as its device, like this:

config interface 'srv'
        option proto 'static'
        option device 'br-srv'
        list ipaddr '10.10.1.1/24'

This will allow you to use both ethernet and wifi on the srv network.

However, addressing your other issue:

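This traffic is being routed from VLAN 10 (srv) to VLAN 1 (lan). Your firewall does not currently allow that: you allow lan to reach srv, but not the other way around. Therefore, you need to add an allowance from srv to lan. If you want to keep the two networks separated, the allowance can be more granular, for example a single `config rule` with src 'srv', dest 'lan', proto 'tcp', dest_port '3389' and the dest_ip of the LAN 2 computer, which permits only RDP to that one machine. The broad approach, which lets every host on srv open connections to every host on lan, is this: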

config forwarding
        option src 'srv'
        option dest 'lan'

If that doesn't work, the lan device in question may also have a host-level firewall that prohibits connections from other subnets. This is a default setting in the Windows firewall and must be modified accordingly (if necessary, you can turn off the firewall temporarily to test, then re-enable it afterwards).


Thanks again psherman!
