How do I trunk multiple subnets over 1 port/cable with minimal changes

  1. I have configured 2 subnets, A for regular use, and B for IoT
  2. I have 1 physical machine (which has only 1 NIC) connected to OpenWrt LAN port1 running multiple virtual machines (using Proxmox)
  3. How do I get a virtual machine to be in A and another to be in B?
  4. I have tried adding 1 more Linux Bridge vmbr1 in Proxmox and made the new VM use vmbr1, but it fails to get an IP using DHCP

I think my issue is, I'm not sure if I have to configure OpenWrt/Proxmox or both and unsure of the specific technical terms to google the documentation. Any help is greatly appreciated. Thank you.

In my VM scenario, I configure VLANs on the OpenWrt and trunk both networks' traffic to the physical VM host.

I then use VirtualBox and default Ubuntu networking to establish the networks proper on the host - so I'm not sure how the settings work with varying host software, but it should be similar.

Host configuration is outside the scope of the forum.

  1. VLANs would be equivalent to my subnet A and B, correct?
  2. Can you share your VLAN and trunking config?
  • Yes, but VLANs aren't enabled normally on all OpenWrt devices (i.e., DSA switches)
  • Actually, we need to see your config, as it differs based on devices and OpenWrt version

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Linksys EA8100",
        "board_name": "linksys,ea8100-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd63:3d37:2f9b::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '78:24:AF:E4:F9:00'

config device
        option name 'lan2'
        option macaddr '78:24:AF:E4:F9:00'

config device
        option name 'lan3'
        option macaddr '78:24:AF:E4:F9:00'

config device
        option name 'lan4'
        option macaddr '78:24:AF:E4:F9:00'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option ipaddr '192.168.214.1/24'

config device
        option name 'wan'
        option macaddr '78:24:AF:E4:F9:00'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device 'device_guest'
        option type 'bridge'
        option name 'br-guest'

config interface 'subnet_guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.247.1/24'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

config device 'device_iot'
        option type 'bridge'
        option name 'br-iot'

config interface 'subnet_iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.249.1/24'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

config device 'device_home'
        option type 'bridge'
        option name 'br-home'
        list ports 'lan1'

config interface 'subnet_home'
        option proto 'static'
        option device 'br-home'
        option ipaddr '192.168.9.1/24'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '10'
        option limit '200'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option ip '192.168.214.1'
        option name 'gateway'

config domain
        option ip '192.168.214.3'
        option name 'avexcode.com'

config domain
        option ip '192.168.214.3'
        option name 'dv1.avexcode.com'

config domain
        option ip '192.168.214.3'
        option name 'ha.e115.com'

config domain
        option ip '192.168.214.3'
        option name 'pve.e115.com'

config domain
        option ip '192.168.214.3'
        option name 'satis.avexcode.com'

config domain
        option ip '192.168.214.3'
        option name 'sv1.avexcode.com'

config domain
        option ip '192.168.214.3'
        option name 'techbox.stage.e115.com'

config domain
        option ip '192.168.214.3'
        option name 'techbox10.dv1.e115.com'

config domain
        option ip '192.168.214.102'
        option name 'mqttbroker'

config domain
        option ip '192.168.214.112'
        option name 'mailhog'

config dhcp 'net_guest'
        option interface 'subnet_guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

config dhcp 'net_iot'
        option interface 'subnet_iot'
        option start '100'
        option limit '150'
        option leasetime '1h'

config dhcp 'net_home'
        option interface 'subnet_home'
        option start '100'
        option limit '150'
        option leasetime '1h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'zone_home'
        option dest 'wan'

config zone 'zone_guest'
        option name 'zone_guest'
        option network 'subnet_guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'rule_guest_wan'
        option src 'zone_guest'
        option dest 'lan'

config rule 'rule_guest_dns'
        option name '[guest] Allow-DNS'
        option src 'zone_guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'rule_guest_dhcp'
        option name '[guest] Allow-DHCP'
        option src 'zone_guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config zone 'zone_iot'
        option name 'zone_iot'
        option network 'subnet_iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'rule_iot_wan'
        option src 'zone_iot'
        option dest 'lan'

config rule 'rule_iot_dns'
        option name '[iot] Allow-DNS'
        option src 'zone_iot'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'rule_iot_dhcp'
        option name '[iot] Allow-DHCP'
        option src 'zone_iot'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config zone 'zone_home'
        option name 'zone_home'
        option network 'subnet_home'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule 'rule_home_dns'
        option name '[home] Allow-DNS'
        option src 'zone_home'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'rule_home_dhcp'
        option name '[home] Allow-DHCP'
        option src 'zone_home'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option src 'zone_home'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'zone_home'

A is br-lan
B is br-iot

Do you think you're comfortable browsing to the Network > Devices tab and editing the master br-lan to perform VLAN filtering?

Or you may need more specific guidance?

Sure, both UI and uci are fine, I will eventually convert them to uci script


https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial

This Wiki should help then. Web GUI instructions are also there.

Specifically: https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_networks_using_vlan_tagging

Do I need VLAN filtering or VLAN tagging?


You need both:

  • Filtering tells the hardware to number, look, add and strip tags
  • Tagging is how you tell the interface (port) to include a tag or tags in the Ethernet frame (trunking)

My interpretation of the example is:

  1. LAN4 is the trunk
  2. Logically, I would have tagged both VLANs, why does the example show only VLAN1 tagged?
  3. And why not the other way round? i.e. VLAN1 untagged, VLAN2 tagged

I think answers to my questions will help with my understanding. Thank you.

  1. Yes - that is the port that is trunked in the example
  2. VLAN1 is the Software VLAN number used to trunk the main OpenWrt network named "LAN"
  3. I don't understand the question - the example just did that (in the past, it wasn't advised to mix tagged networks with an untagged one anyway - I assume it merely provides a modern example where it's done)

In your case, you may wish to tag both [V]LANs you send, or do as the example, so the host gets an IP on that untagged network without additional configuration (if the host OS will handle both tagged and untagged) - your choice.

I think the example was merely showing how to convert the existing default LAN into VLAN1.

  1. Thanks, I asked about the untagged VLAN because of the next scenario: if VLAN2 can be untagged, can I send both VLANs untagged? I'm guessing the answer is no.

  2. I think your answer also addressed my next concern about tagging, what happens if I wipe my Proxmox and restart from scratch, is it able to get to the internet on that trunked cable... And it can, if and only if, there is an untagged VLAN (to be used as a default), correct?

Let me think through this a bit and give it a shot.

You are correct. That is akin to incorrectly plugging two physical LANs together. I'm actually not sure how the scenario solves your original issue, though.

Which makes me think, you could merely add another network number to the same interface (i.e., 2 subnets) - I only considered it because you made this inquiry.

Well, I dunno how your host works. In most modern OSes, it is possible to configure the port to take connection on a tagged VLAN on the Ethernet interface.

In my case, my Ubuntu host is configured to connect normally to the Ethernet interface and not wait for an IP. I then configure the VLAN x configuration for that said Ethernet connection - as a normal IPv4/IPv6 client. I then enumerate the other VLANs (not to obtain IPs), so the VM Software can recognize them for client configs.

(for future readers)
Windows also has a similar config.

I don't remember the installer options for Proxmox exactly, but we shall not further digress here. I was just trying to factor in the worst case recovery scenarios.

Do you know how I can do what you suggested? Sending the packets of 2 subnets on 1 port?

  • Yea, it's called routing - and the use case or purpose isn't clear, so it's difficult to answer with certainty.
  • In general, if you mean actually address the OpenWrt's LAN as both 192.168.214.1/24 and 192.168.247.1/24 - yes that's possible also. But this is not advised or standard configuration (in /etc/config/network change to option list address and make 2 entries for each), especially since your eventual use case for doing so isn't clear.

There's even a further non-standard config users manage to create 2 OpenWrt interfaces on the same PHY - and address them differently. But in this case they also manage to place them in different firewall zones. I digress here to say, it usually causes more issues than it solves.

  1. I tried the above and my VMs immediately lost their connectivity
  2. I was trying to send in the usual traffic br-lan plus tagged ones from the br-iot
  3. As I have several subnets, how do I tell OpenWrt which subnet VLAN ID 2 refers to?

  1. I assume port 1 is your trunk and you at least set up VLAN 2 according to the host OS and Proxmox and you set up br-lan.1 and 2 on the OpenWrt and converted the original LAN?
  2. I'm guessing you didn't follow the steps to make br-lan.1 and br-lan.2 out of your 2 networks?
  3. You convert them to br-lan.x and tag them on the trunk port

I can't guess what you wish, so I don't know which network you intend for the VM, or which to be untagged and why, etc.
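As a worked example of the "convert them to br-lan.x and tag them on the trunk port" advice above, here is a script I wrote for this thread (it is not the poster's config and not from the OpenWrt wiki). It renders, and optionally applies, the uci commands that turn the posted plain `br-lan` (ports lan1-lan4) into a VLAN-filtering DSA bridge on OpenWrt 23.05: VLAN 1 carries the existing `lan` interface (192.168.214.0/24) untagged with PVID on every port, so the Proxmox host still gets a LAN address with no host-side VLAN config, and VLAN 2 carries `subnet_iot` (192.168.249.0/24) tagged only on lan1, the cable to the Proxmox host. Section and interface names (`lan`, `subnet_iot`, `device_home`, `lan1`..`lan4`) come from the posted `/etc/config/network`; the VLAN numbers, the choice of lan1 as trunk and the untagged/tagged split are my assumptions, mirroring the wiki example. One thing the posted config does show: lan1 is listed as a port of both `br-lan` and `br-home`, and a Linux port can belong to only one bridge, so the script also detaches it from `br-home`.

```shell
#!/bin/sh
# Added example for the OpenWrt side of the trunk (not the thread's own config).
# Renders uci commands that make br-lan VLAN-filtering:
#   VLAN 1 -> interface 'lan'        untagged+PVID on lan1..lan4  (br-lan.1)
#   VLAN 2 -> interface 'subnet_iot' tagged on the trunk port only (br-lan.2)
# Assumptions: lan1 is the trunk to the Proxmox host; VLAN ids 1 and 2.
set -eu

TRUNK_PORT="lan1"             # cable to the Proxmox host (assumed)
ACCESS_PORTS="lan2 lan3 lan4" # remaining switch ports, untagged LAN only

# vlan_id_ok ID -> succeeds only for a valid 802.1Q VLAN number (1..4094)
vlan_id_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# render_uci -> prints the uci commands; nothing is executed here.
# Port syntax: 'u*' = untagged + PVID (native VLAN), 't' = tagged.
render_uci() {
    vlan_id_ok 1 && vlan_id_ok 2 || return 1
    cat <<EOF
uci add network bridge-vlan
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='1'
EOF
    for p in $TRUNK_PORT $ACCESS_PORTS; do
        echo "uci add_list network.@bridge-vlan[-1].ports='${p}:u*'"
    done
    cat <<EOF
uci add network bridge-vlan
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='2'
uci add_list network.@bridge-vlan[-1].ports='${TRUNK_PORT}:t'
uci set network.lan.device='br-lan.1'
uci set network.subnet_iot.device='br-lan.2'
uci delete network.device_home.ports
uci commit network
EOF
}
# The now-unused empty bridge br-iot (device_iot) is left in place; the firewall
# zone_iot keeps following 'subnet_iot', so no firewall change is needed here.

# Usage: `sh vlan-trunk.sh` prints the commands for review;
#        `sh vlan-trunk.sh apply` runs them on the router and restarts networking.
if [ "${1:-}" = "apply" ]; then
    command -v uci >/dev/null || { echo "uci not found; run on the OpenWrt router" >&2; exit 1; }
    render_uci | sh -e
    /etc/init.d/network restart
else
    render_uci
fi
```

Run it once without arguments and compare the output with the posted config before applying; do it from a wired session on lan2-lan4 rather than over the trunk, since lan1 is reconfigured mid-way. On the Proxmox side (my assumption about the host, which the thread leaves out of scope), the matching change is to make `vmbr0` VLAN-aware in `/etc/network/interfaces` (`bridge-vlan-aware yes` and `bridge-vids 2-4094` under the `vmbr0` stanza) and give the IoT VM's NIC `tag=2` on `vmbr0`, for example `qm set <vmid> --net0 virtio,bridge=vmbr0,tag=2`; the host itself and VMs without a tag stay on the untagged LAN, and the separate `vmbr1` from the first post is no longer needed. Also worth checking afterwards: the posted forwarding named `rule_iot_wan` has `option dest 'lan'`, so as written it lets the IoT subnet reach the main LAN while giving it no forwarding to `wan`, which is the opposite of the usual IoT isolation.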