Home Networking with OpenWRT

Hello,
I am trying to set up my home network with OpenWrt, but I am running into some issues, described below:
Router: Netgear R7800 running the latest version of OpenWrt

Right now I have the network segmented as follows:
VLAN 1 - Not used
VLAN 2 - WAN
VLAN 3 - IOT
VLAN 4 - GUEST
VLAN 5 - HOMELAB

cat /etc/config/network

# /etc/config/network as pasted; the '#' lines are review notes, not part of the original paste.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd9b:6e5d:1f71::/48'

# br-lan only carries eth1.1, but the 'DO NOT USE' switch_vlan section below assigns no ports
# to vid 1, so this bridge has no physical switch port behind it (a later reply in the thread
# points this out as the likely cause of the lan network reaching nothing).
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
# NOTE(review): 192.168.1.254 lies outside this interface's own 192.168.2.0/24, so it is not
# on-link here. The same gateway is repeated on Guest, IOT and Homelab below while wan (proto dhcp)
# already supplies the default route; a later reply suggests dropping it from every non-wan interface.
option gateway '192.168.1.254'

# wan and wan6 share eth0.2, i.e. switch VLAN 2 ('WAN' below, ports '0t 5').
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'

config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

# No 'ports' option: vid 1 exists on the switch but is attached to nothing, yet eth1.1 is still
# the only member of br-lan above.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option description 'DO NOT USE'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 5'
option vid '2'
option description 'WAN'

config interface 'Guest'
option proto 'static'
option device 'br-guest'
list ipaddr '10.20.30.40/24'
# see the note on the lan interface: this gateway is not on-link for 10.20.30.0/24 either
option gateway '192.168.1.254'

config interface 'IOT'
option proto 'static'
option device 'br-iot'
# see the note on the lan interface: this gateway is not on-link for 10.10.10.0/24 either
option gateway '192.168.1.254'
list ipaddr '10.10.10.10/24'

# NOTE(review): no switch_vlan section on this page defines vid 30, and no interface on this page
# references br-lan1 — this bridge appears to be a leftover.
config device
option type 'bridge'
option name 'br-lan1'
list ports 'eth1.30'

# VLANs 3 and 4 are tagged on CPU port 6 and on switch ports 3 and 1.
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '6t 3t 1t'
option vid '3'
option description 'IOT'

config switch_vlan
option device 'switch0'
option vlan '4'
option ports '6t 3t 1t'
option vid '4'
option description 'GUEST'

# br-guest and br-iot both contain eth1.3 AND eth1.4, so the Guest and IOT networks end up in one
# shared layer-2 domain and the GuestZone/IOTZone firewall split cannot isolate them. A later reply
# gives the fix: one VLAN subinterface per bridge (eth1.4 for guest, eth1.3 for IoT).
config device
option type 'bridge'
option name 'br-guest'
list ports 'eth1.3'
list ports 'eth1.4'

config device
option type 'bridge'
option name 'br-iot'
list ports 'eth1.3'
list ports 'eth1.4'

# VLAN 5: tagged on CPU port 6 and ports 3 and 1, untagged (native) on ports 4 and 2.
config switch_vlan
option device 'switch0'
option vlan '5'
option ports '6t 4 3t 2 1t'
option vid '5'
option description 'HOMELAB'

config device
option type 'bridge'
option name 'br-home-lab'
list ports 'eth1.5'

config interface 'Homelab'
option proto 'static'
option device 'br-home-lab'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
# see the note on the lan interface: 192.168.1.254 is not inside 192.168.20.0/24
option gateway '192.168.1.254'

# NOTE(review): private_key and listen_port are empty/cut off in this paste and '1/24' is not a
# usable address — presumably redacted or trimmed; confirm against the real file. If listen_port
# really is empty, nothing is bound to udp/51820, which is the port the firewall redirect targets.
config interface 'WG_0'
option proto 'wireguard'
option private_key '
option listen_port ''
list addresses '1/24'

# Peer section shows only a description here (no public_key / allowed_ips / endpoint on this page).
config wireguard_WG_0
option description 'clien'

ubus call system board

"kernel": "5.15.134",
"hostname": "Home-lab",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear Nighthawk X4S R7800",
"board_name": "netgear,r7800",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ipq806x/generic",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}

cat /etc/config/firewall

# /etc/config/firewall as pasted; the '#' lines are review notes, not part of the original paste.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

# lan zone: input/forward ACCEPT. WG_0 is a member, so every WireGuard peer gets the same
# unrestricted router and lan access as a wired lan client; if the peers are not all fully
# trusted, give WG_0 its own zone with explicit forwardings instead.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'Homelab'
list network 'WG_0'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# Allow-IPSec-ESP / Allow-ISAKMP are forward rules (wan -> lan) for ESP and udp/500; nothing on
# this page DNATs IPsec to a lan host, so as pasted they appear unused and could be dropped.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# GuestZone: input REJECT, so guests reach only what the explicit DHCP/DNS rule below opens.
config zone
option name 'GuestZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'Guest'

# NOTE(review): input ACCEPT lets every IoT device reach every service on the router itself
# (ssh, LuCI, DNS, ...). GuestZone uses REJECT plus an explicit DHCP/DNS rule; the same pattern
# is the safer choice here. forward REJECT with no 'config forwarding' whose src is IOTZone means
# IoT devices cannot initiate traffic to lan or to wan through this router as pasted; only the
# lan -> IOTZone direction is opened below.
config zone
option name 'IOTZone'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IOT'

config forwarding
option src 'lan'
option dest 'IOTZone'

config forwarding
option src 'GuestZone'
option dest 'wan'

# No 'proto' given, so the rule matches both tcp and udp (the firewall default). With the zone
# input policy REJECT, 53/67/68 are the only router-side services a guest client can reach.
config rule
option name 'Guest DHCP and DNS'
option src 'GuestZone'
option dest_port '53 67 68'
option target 'ACCEPT'

# NOTE(review): dest_ip 192.168.2.1 is the router's own lan address (interface 'lan' in
# /etc/config/network), so this DNAT re-targets the router itself rather than a lan host. The
# conventional form is an input rule:
#   config rule / option src 'wan' / option proto 'udp' / option dest_port '51820' / option target 'ACCEPT'
# Also note WG_0's listen_port is empty in the pasted network config, so 51820 may not be bound.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Wireguard'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.2.1'
option dest_port '51820'

Since my router is not DSA, I need to configure the switch VLANs, but when I configure the VLANs on the devices and activate VLAN filtering I lose the connection to the router and the internet. Below are screenshots of the config:

Thank you

Sorry about all the posts, I can't post more than one picture :frowning:

I assume that lan1 is connected to your PC
and wan is connected to your ISP modem

so the easy solution is to leave lan2 untagged on VLAN 1 (br-lan)
connect your PC to lan2 so you can change all the other options without losing access to your OpenWrt router

PS: obviously you will leave lan2 unchanged

lan2
vlan1 = untag
vlan2 = off
vlan 3 = off
vlan 4 = off
vlan 5 = off

Once all the other ports work correctly (they will receive an IP address matching the corresponding VLAN), you can make the change to lan2.

Thanks for your answer. In fact, I am using a wireless connection; the cable connected to lan1 is a home server.
When I try to activate VLAN filtering using the Homelab interface, I lose access, so I connect to the IOT wireless network, which uses another bridge with a connection to the router, to roll back the VLAN filtering. But the question is: why are the VLANs not working? Why is the filtering not working as it is supposed to?
thanks

I advise you to operate with a direct network cable from your PC to the router ...

so the easy solution is to leave lan3 untagged on VLAN 1 (br-lan)
connect your PC to lan3 so you can change all the other options without losing access to your OpenWrt router

PS: obviously you will leave lan3 unchanged (with LuCI and SSH access)

lan3
vlan1 = untag
vlan2 = off
vlan 3 = off
vlan 4 = off
vlan 5 = off

If you make changes to the VLANs and apply them, the system will roll back to the previous configuration after 90 seconds (if the connection is lost).

Another option is to use a USB Ethernet adapter to make all the changes you want without losing access to the router

I read that post before asking for help since it's very similar, and I can't find the error :confused: What am I doing wrong?
The problem is not losing access to the router — I always have access; the problem is that the VLANs don't work.

OK, sorry, I thought you had lost access to your router. Let's look at some things I would fix (see the differences with your file), which however don't change your configuration much; they just make it easier to read:

the gateway does not need to be specified on the interfaces; the active wan is enough

example br-lan on my router:
immagine

Can you tell me why you tagged lan2 and lan4 in vlans 3, 4, 5?

what is connected (now and/or in the future)?

This image is strange: if you are on swconfig, shouldn't you have this mask (or, to be precise, I don't remember seeing it on swconfig)?

I specify the gateway because the gateway is the ISP router on another IP (the OpenWrt IP is 192.168.2.1 and the gateway is 192.168.1.254).
I have tagged lan2 and lan4 on VLANs 3, 4 and 5 because I will connect 2 APs.

what image?

The Bridge VLAN filtering tab is only for DSA devices, so don't touch it.

If your problem is that you cannot isolate the guest and iot zones, then this is the reason.

Change these sections to:

# Suggested replacement for the br-guest / br-iot device sections in the original paste: each bridge
# now carries exactly one VLAN subinterface (eth1.4 for guest, eth1.3 for IoT), so the two networks
# become separate layer-2 domains and the GuestZone / IOTZone firewall zones actually apply.
config device
    option type 'bridge'
    option name 'br-guest'
    list ports 'eth1.4'

config device
    option type 'bridge'
    option name 'br-iot'
    list ports 'eth1.3'

And it (the gateway) should only be set on the wan interface, so remove it from all other interfaces as suggested by @ncompact


thank you :slight_smile:
how can I be sure that the VLANs are working?
show vlans doesn't work

All networks should be isolated and possible interconnection should only depend on firewall rules (except for lan and Homelab, which are both assigned to the lan zone).

swconfig dev switch0 show | grep VLAN -A3

Thanks!
So I would need to change the ports for the VLANs, like:
vlan 3 - lan1
vlan 4 - lan2
vlan 5 - lan1, lan2, lan3
?

result:
swconfig dev switch0 show | grep VLAN -A3

VLAN 2:
vid: 2
ports: 0t 5
VLAN 3:
vid: 3
ports: 1t 3t 6t
VLAN 4:
vid: 4
ports: 1t 3t 6t
VLAN 5:
vid: 5
ports: 1t 2 3t 4 6t

The only Ethernet in br-lan, which is the device of interface lan, is still the default setting of eth1.1. But you have disabled VLAN 1 in the switch, so the lan network 192.168.2.0/24 is not going to be able to reach any Ethernet port. I assume this is the problem you're having.

I have a NUC home server running Proxmox with some VMs; some VMs belong to IOT and some belong to Homelab, so I need to have the 2 VLANs on the same switch port, am I right?

I don't use br-lan, I use br-home-lab.
I didn't erase the lan interface or the br-lan bridge, so I have it as a failsafe.