How to add exception route to guest network setup?

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

# eth2.1 (VLAN 1 coming in on the eth2 trunk) is bridged into br-lan together with eth1 and untagged eth2
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth2.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 'off'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	option ipv6 'off'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

# guest rides on VLAN 3 of the eth2 trunk; netifd creates the dotted eth2.3 VLAN device automatically
config interface 'guest'
	option device 'eth2.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# explicit 802.1q device for VLAN 1 on eth2 (the member listed as eth2.1 in br-lan above)
config device
	option type '8021q'
	option ifname 'eth2'
	option vid '1'
	option name 'eth2.1'

Is eth2.1 just the tagged network for the lan (192.168.1.0/24)?

Trunk port 1 on the DD-WRT AP (vlan1 and vlan3) is connected by cable to OpenWrt eth2.
As you suggested, I added a guest interface which has device eth2.3. I changed it from eth1.2 as the cable is connected to OpenWrt eth2. And for guest I use VLAN tag 3, for some DD-WRT or router-specific reasons. The guest network is 192.168.3.0/24.

As far as I understand, eth2.1 stands for the vlan1 tag on eth2. eth2.1 is not being used for anything else in my configuration, at least by intention; my knowledge might be limited here.
So 192.168.1.0/24, yes, but 192.168.1.0/24 is shared with OpenWrt's managed lan (a 24-port switch connected to OpenWrt eth1).

Without adding eth2.1 to br-lan, devices connected to vlan1 on DD-WRT had no access to lan, wan or guest. They didn't even get DHCP.

Additionally I added

config forwarding
	option src 'lan'
	option dest 'guest'

to the firewall config so that devices in lan can access IoT devices in the guest network.

I also enabled AP isolation on the DD-WRT router for client isolation.

The only thing that is unsolved at the moment is a guest-to-lan exception by client MAC address, to allow certain guest devices to access certain resources in the lan zone.

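The MAC-based exception the post leaves open, as an added example in the form of an /etc/config/firewall fragment. This is not from the original post or from OpenWrt's own documentation; the guest zone definition is assumed (the post only shows the lan-to-guest forwarding stanza), and the MAC address, the LAN host 192.168.1.50 and the printer ports 631/9100 are placeholders for the real guest device and the resource it should reach.

```uci
# Added example, not from the original post. Assumed guest zone: guest
# clients may talk to the router only where a rule allows it, and may not
# forward into any other zone unless a rule or forwarding says so.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Same direction as in the post: lan devices open connections into guest,
# conntrack lets the replies back, guest cannot initiate towards lan.
config forwarding
	option src 'lan'
	option dest 'guest'

# Needed so guest clients can get a lease from dnsmasq and resolve names;
# without it the REJECT input policy blocks DHCP and DNS.
config rule
	option name 'Guest-DHCP-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# The exception: one guest client, identified by source MAC (placeholder
# value), may open TCP 631/9100 to one host in lan (placeholder IP).
# Everything else from guest towards lan still hits the zone's REJECT
# forward policy. Keep dest_ip and dest_port narrow rather than allowing
# the whole lan zone.
config rule
	option name 'Guest-printer-exception'
	option src 'guest'
	list src_mac '00:11:22:33:44:55'
	option dest 'lan'
	list dest_ip '192.168.1.50'
	option proto 'tcp'
	option dest_port '631 9100'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart` and check that the MAC shows up in the active ruleset (`nft list ruleset | grep -i 00:11:22` with fw4 on 22.03 and later, `iptables-save | grep -i 00:11:22` with fw3). Two caveats a practitioner should keep in mind: a MAC is an identifier, not a credential, so any guest client can spoof it to inherit the exception, and phones with per-network MAC randomisation will silently stop matching after a rotation; and `src_mac` only matches frames entering the router from the guest side, so the exception is one-directional by design and cannot be used to let lan reach that guest device (the lan-to-guest forwarding above already covers that).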