Hello i have three openwrt mt600 flint 2 routers. I wanted to know how to segment the follow
Vlan 10
Management .10.0 -This will be for luci management interfaces
Vlan 20
Servers .20.0 -This will host some homelabbing stuff includding a pihole dns
Vlan 30
Devices
- normal devices that should get a dhcp, dns for vlan 20
vlan 40
Iot, same as vlan 30
its alot but i am very confused vlans seem to break very easily
Main issues are
What do i config
Firewall wise?
what is tagged?
how to setup dhcp and dns in my config.
Thank you!
You need to use bridge VLANs.
Have you been using this method?
Which part in the post should i be looking at?
also what be a example config
Read though the part about setting up VLANs (number 3). There are also countless examples on the forum.
Have you been using bridge-VLANs?
Yes as in going into the default br-lan and tagging a port (to another ap) and untagged to my pc
However after i setup my interface like br-lan0.10 i delete br-lan should i not do that?
I will look around the forum
Do not delete the original bridge. Setup new bridge VLANs as you see in the examples.
Or post your config to show us where you are getting stuck - we can help you though that.
root@OpenWrt:/etc/config# cat network
config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'
config globals 'globals'
option dhcp_default_duid '000428f760aaf4f6414db01bd8c4b20983e9'
option ula_prefix 'fd6c:c471:b9c9::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
list ipaddr '192.168.1.1/24'
option ip6assign '60'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan5'
config interface 'Management'
option proto 'static'
option device 'br-lan.10'
option multipath 'off'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan2'
config interface 'Server'
option proto 'static'
option device 'br-lan.20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
option multipath 'off'
root@OpenWrt:/etc/config# ls
attendedsysupgrade luci ubihealthd
dhcp network ubootenv
dropbear rpcd uhttpd
firewall system wireless
root@OpenWrt:/etc/config# cat firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'Management'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'Management'
config forwarding
option src 'Management'
option dest 'lan'
config zone
option name 'Server'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'Server'
config forwarding
option src 'Server'
option dest 'lan'
config forwarding
option src 'Server'
option dest 'Management'
config forwarding
option src 'Server'
option dest 'wan'
config forwarding
option src 'Management'
option dest 'Server'
config forwarding
option src 'Management'
option dest 'wan'
root@OpenWrt:/etc/config# cat
attendedsysupgrade firewall rpcd ubootenv
dhcp luci system uhttpd
dropbear network ubihealthd wireless
root@OpenWrt:/etc/config# cat dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piodir '/tmp/odhcpd-piodir'
option hostsdir '/tmp/hosts'
config dhcp 'Management'
option interface 'Management'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
list dhcp_option '6,192.168.20.173'
config dhcp 'Server'
option interface 'Server'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
list dhcp_option '6,192.168.20.173'
here is my config i can get a dhcp lease on management but i cant access the internet
Try pinging 8.8.8.8 from management. Does that work? If so, the problem is not internet access, but rather dns.
Make sure your pihole is set to accept all traffic.
pihole is now working i permitted traffic from diff subnets what do i do on the dump ap side? or anything else on the main router?
The AP will also use bridge VLANs, but all networks other than the management one will be unmanaged. Typically you’ll setup a trunk port that carries all networks (tagged).
What firewall zone or settings shpuld i use for the dumb ap managment zone
All the management network to the lan zone. The critical thing is the zone level input rule (set to accept).
What should i do with the br-lan (lan) inteface and zone on the main router?
Additionally i added a port to be untagged for devices and plugged my laptop into that one and i cannot get a dhcp lease on .30
On which device? The main router or the ap? And what port?
What is the port-vlan membership you would like on the main router?
one trunk to the dum ap and one management port and one device port both for testing
Can you provide the list of VLANs on each port (for both devices, actually).
Alright i did some work and got most things working one weird bug is when connecting to device untagged port on dump i cannot acces 192.168.10.2 which is its management interface why?
On both devices, let’s see the latest configs.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:/etc/config# cat dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piodir '/tmp/odhcpd-piodir'
option hostsdir '/tmp/hosts'
root@OpenWrt:/etc/config# cat
attendedsysupgrade firewall rpcd ubootenv
dhcp luci system uhttpd
dropbear network ubihealthd wireless
root@OpenWrt:/etc/config# cat network
config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'
config globals 'globals'
option dhcp_default_duid '00043c67e7d1211249558fd8dd457360aced'
option ula_prefix 'fd73:41c4:5bbb::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
list ipaddr '192.168.1.1/24'
option ip6assign '60'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'eth1:t'
list ports 'lan5'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'eth1:t'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config bridge-vlan
option device 'br-lan'
option vlan '40'
list ports 'eth1:t'
config interface 'Management'
option proto 'static'
option device 'br-lan.10'
option ipaddr '192.168.10.2'
option netmask '255.255.255.0'
option multipath 'off'
config interface 'Server'
option proto 'none'
option device 'br-lan.20'
option multipath 'off'
config interface 'Devices'
option proto 'none'
option device 'br-lan.30'
option multipath 'off'
config interface 'IoT'
option proto 'none'
option device 'br-lan.40'
option multipath 'off'
root@OpenWrt:/etc/config# cat firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'Management'
list network 'Server'
list network 'Devices'
list network 'IoT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
Dumb ap