[Help] WRT1900ACv1 - Configuring VLANs

I have a Raspberry Pi 4b acting as my primary openwrt router (connected to my cable modem using a TP-Link USB ethernet adapter). The ethernet port on the RPi is my LAN port. This is connected to a TP-Link TL-SG116E switch with VLAN tagging enabled. I have two VLANs: Untagged VLAN 1 for normal traffic and VLAN 99 for Guest and IoT traffic.

VLAN 1 is assigned 192.168.1.0/24
VLAN 99 is assigned 192.168.2.0/24

The goal is to prevent the two VLANs from routing between each other but allowing both to connect out over the WAN.

VLAN 1 works fine so I will only be mentioning VLAN 99.

RPi is the gateway to the internet for VLAN 99 and is assigned 192.168.2.1/24
I have assigned the WRT1900ACv1 VLAN 99 interface to 192.168.2.3/24
The WRT1900ACv1 is connected to LAN1 for the uplink to the switch. No other ports are connected (except when I mention my testing below)

I'm not able to ping between the two devices even though I have the firewall set to accept for the Guest Network.

As a sanity test, I configured port 9 on the SG116E with PVID 99 and Untagged 99 with the port not being a member of VLAN 1. Connected up a laptop and was assigned an IP address on the 192.168.2.0/24 network and was able to reach the internet but not reach the other devices on VLAN 1. So, based on that, I believe the configuration issue is with the WRT1900ACv1 (that is acting as an AP, not a router).

The last thing I tried to get it to work was to connect the WAN port on the WRT1900ACv1 to port 9 on the switch, which was still configured for my testing (only VLAN 99 untagged). However, the router does not seem to like that setup. I also tried connecting to LAN2 and configuring that for the Guest network, but that doesn't work, either.

My /etc/config/network is below (in its current state with me trying to use the WAN port):

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option ipv6 '0'

config globals 'globals'
        option ipv6 '0'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '94:10:3e:00:a0:50'

config device
        option name 'lan2'
        option macaddr '94:10:3e:00:a0:50'
        option ipv6 '0'

config device
        option name 'lan3'
        option macaddr '94:10:3e:00:a0:50'
        option ipv6 '0'

config device
        option name 'lan4'
        option macaddr '94:10:3e:00:a0:50'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.1'
        option ipv6 '0'
        option delegate '0'
        list dns '192.168.1.1'
        list dns '8.8.8.8'
        option metric '1'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option type 'bridge'
        option ipaddr '192.168.2.3'
        option gateway '192.168.2.1'
        option ipv6 '0'
        option defaultroute '0'
        option metric '10'
        option device 'eth1'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'wlan0-1'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'wlan1-1'
        option ipv6 '0'

config device
        option name 'wan'
        option ipv6 '0'

Any help would be sincerely appreciated.

Where is this VLAN assignment shown in your network config?

  • You would just make sure there are no config forwarding rules between the two zones - assuming you placed lan and guest in two different zones.
  • Where is your WAN interface setting??? You would just allow lan and guest to forward to wan - assuming you create a wan interface and wan firewall zone

???

What you described regarding "preventing routing" (and I think you meant "firewalling to prevent traffic") is contrary to this.

  • You never show your firewall config

Is there any other gateway - where is this other "WAN network"?

Otherwise, it seems you're referencing "WAN" and "VLAN 99" as two separate networks, when they're actually the same network and interface (and hence must have the same firewall rules).

You may be able to make an alias interface on the same PHY (and place in a different firewall zone, i.e. WAN) with an IP/more-specific range of 192.168.2.3/29 with .1 as your gateway - then set more secure WAN firewall rules.

What is this?

Isn't the 5th jack/port on your device called "WAN" or "Internet"?

See: https://openwrt.org/toh/linksys/wrt1900acs#switch_ports_for_vlans

I think you accidentally referenced the internal connector (which I think is always VLAN-aware, which may describe the behavior).

Thank you very much for the comprehensive reply. My apologies on the confusion with my post. Hopefully I can sort it out below:

In my attempts at troubleshooting, I saw in other forum posts that these consumer routers don't always like having more than one VLAN per interface, which is why I set up the wan/eth1 port for the guest network and then connected the device to a port on my switch with PVID 99 and Untagged for 99, with VLAN 1 not being a part of the network.

Apologies on the wording here, I have that all working and the firewall is behaving as expected.

Since VLAN 99 should be able to reach VLAN 99 without any firewall policies, that's all I'm trying to state. I can't reach it even though it should be allowed. This is later confirmed by the fact that I hooked up a laptop to the switch port that has PVID 99 and it grabs an IP off of 192.168.2.0/24 and I'm able to reach the internet without any troubles. I would expect that I could at least log in to the WRT1900AC and do a ping -I 192.168.2.3 192.168.2.1 and it should reply, but it isn't.

Apologies, please see below for the pertinent parts:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'guest'
        option output 'ACCEPT'
        list network 'guest'
        option input 'ACCEPT'
        option forward 'ACCEPT'

Yes, the Raspberry Pi 4B with OpenWRT is my internet gateway and handles DHCP, DNS, NAT'ting, routing, etc. The WRT1900AC is only acting as an access point.

Yes, I tried the "wan" first but that didn't work so I tried eth1. I'll try wan again. Update: Haha, I literally tried this yesterday and it didn't work but it's working today! Changed it in the config and did a network restart and now I can ping. I won't be able to really test it fully until I get home tonight (doing this via remote ssh), but it looks like I'm heading in the right direction.

Thank you! I will send over a note tonight once I get a chance to test.


Create two bridge-vlan on br-lan. Number them 1 and 99. VLAN1 will have lan1 untagged as a member and VLAN99 will have lan1 tagged.

Change the device of lan to br-lan.1 and the device of guest to br-lan.99.

Under this scheme you can operate the other lan ports as either lan or guest by putting them (untagged) into the respective bridge-vlan.


So this is what was confusing to me. Would I set it up under the Bridge VLAN Filtering?

I promise I did read the wiki on the VLANs and it looked like that's what I was supposed to do, but when I tried, it didn't work.

Yes you would do it there.

It's a good idea to set up an independent "admin" network with a wifi AP and log into the router via wifi so you don't lose contact if Ethernet stops working.

Mixing tagged and untagged on the same cable is not always compatible and should be avoided. So configure the switch so that both VLANs are tagged on the cable going to the 1900. This is called a trunk cable then.


Ah so that's what I was missing, I need to set both to tagged! I think my weakness is that I was a Network Engineer in the past (and still kind of am, but management over the whole of IT for my company) so I try to bring my knowledge of enterprise switches over to the consumer side and it just doesn't work. I was overthinking it.

Sincerely appreciate you both! Will update once I get a chance to test.


"You state facts" as some of my students say...and since there should be "no firewall" here (i.e. traffic never crosses an [OpenWrt] routing/firewall plane), something else is wrong if you get contrary behavior. If you have defined multiple interfaces (it seems you might) then the FORWARD rule for the FOO zone would/should need to be ACCEPT.


Tested this evening and it's working after setting up the VLANs as @mk24 suggested. For whatever reason, once I introduced the guest wireless into the equation, using the wan port didn't work.

In hopes this may help someone else who stumbles upon this thread:

Under br-lan (Network -> Interfaces, then the Devices tab): [screenshot of the Bridge VLAN filtering settings]

Under Network -> Interfaces, selecting the guest network: [screenshot of the guest interface settings]

And the LAN network: [screenshot of the LAN interface settings]

Be sure not to save changes until you have made all of the above changes, lest you lose access. You also need to coordinate the changes on the switch right after submitting the change so that it will update. I changed the port from untagged on VLAN 1 to tagged on VLAN 1.

Thanks again to both of you, @lleachii and @mk24.


If you want to use the wan port in a general way, bring it into br-lan and treat it the same as the other four ports. Having all the switch ports in a single bridge is the only way that hardware switching will work properly.

The simplified construct wan.N (e.g. wan.835) works only for a single VLAN, such as when it is necessary to tag packets to an ISP modem.

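The bridge-vlan layout mk24 describes (two bridge-vlans on br-lan, lan as br-lan.1, guest as br-lan.99, both VLANs tagged on the trunk, and the wan jack folded into br-lan), written out as a complete /etc/config/network. This is an added example, not config posted in the thread; it keeps the OP's addresses and assumes lan1 is the trunk to the TL-SG116E, that lan4 is repurposed as an untagged guest port, and that the wan jack is used as a plain fifth LAN port.

```uci
# Added example (not the thread's own config): WRT1900ACv1 as a VLAN-aware AP.
# Assumes lan1 is the trunk carrying VLAN 1 and VLAN 99 tagged.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        # assumption: the wan jack is treated as an ordinary LAN port
        list ports 'wan'

# VLAN 1: tagged on the trunk, untagged (with PVID, ':u*') on client ports
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'wan:u*'

# VLAN 99: tagged on the trunk; lan4 assumed to be an untagged guest port
config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:t'
        list ports 'lan4:u*'

# Management address of the AP lives on VLAN 1 (the Pi at .1 is the router)
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.3'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

# Guest address on VLAN 99; no second default route on the AP
config interface 'guest'
        option device 'br-lan.99'
        option proto 'static'
        option ipaddr '192.168.2.3'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        option defaultroute '0'
```

Apply it only after the switch port for lan1 has been changed to tagged for both VLANs, since the AP's own address moves to br-lan.1; the guest SSID is then bound to this interface with `option network 'guest'` in /etc/config/wireless.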
