How to Isolate LAN Port and General VLAN Questions

I've read OpenWrt's page on VLANs and have been struggling to set up my router so that an arbitrary LAN port is on its own VLAN. I've got a number of questions ranging from general VLAN questions to ones specific to my router that I'm hoping people can help me with. In particular, from general to specific to my router:

1.) To isolate a LAN port on an OpenWRT router or control access to it via the firewall, it seems like one must put it in its own VLAN. Could someone explain why this is the case? I take it the CPU does not see all traffic by default so that must mean the VLAN switch handles all LAN port traffic? Also, for some reason I have the impression that traffic to a particular LAN port also gets sent to every other LAN port in the same VLAN, which seems like a security issue. Is this correct and if so why?

2.) I'm a little confused about switch hardware VLAN vs driver/software based VLAN. Is the distinction that the hardware VLAN switch is there to handle basic VLAN operations like VLAN tagging and very basic VLAN routing like routing only to ports which match a packet's VLAN whereas software VLAN is used for more fine-grained control and routing between the different components connected to the CPU, such as often the WAN port and WIFI? It seems like the hardware VLAN is really only there for the physical LAN ports and not e.g. a "wifi port"?

3.) Specifically in regards to setting up my router to isolate LAN port 1, I follow what was suggested in https://forum.openwrt.org/t/vlan-inplementation/17470/12 except that I tag port 0 as that's my router's CPU port and put port 1 in its own VLAN. One perhaps important difference between my router and the other is that my router's WAN port seems to be connected to the switch as port 5 while his/hers is connected directly to the CPU.

Here is my original, working /etc/config/network file:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth0'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

Here is my modified /etc/config/network file

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'isolated'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.12.1'
	option netmask '255.255.255.0'
	option ip6assign '60'


config device 'lan_dev'
	option name 'eth0'
	option macaddr '88:e3:c1:14:5b:f0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth1'
	option macaddr '88:e3:c1:14:5b:f4'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

When I restart the router after making the changes to /etc/config/network I cannot connect to the internet ('DNS_PROBE_FINISHED_NO_INTERNET' error in Chrome) and am unable to access LUCI or SSH into the router over wired or wireless. I reset my router and repeated the above but also played with some other settings, including the firewall settings, and continued to have the same problems but was able to get into LUCI and in the network overview section saw that both IPv4 Upstream and IPv6 Upstream displayed "not connected" for the protocol. Any suggestions?

Thanks!

  1. VLANs are segments of a larger LAN. You have a switch of 5 ports, by default all hosts connected to it will be able to communicate with the others. By creating VLANs you group the ports as you desire and isolate the hosts.

That would happen if you had a hub, not a switch. Other than that only broadcasts are sent to all ports participating in the same vlan.

  2. There is no such thing as hardware and software VLAN. VLAN functionality is achieved by adding a vlan tag inside the frame before it is transmitted to the wire or the air. So everything is software driven. Also routing has nothing to do with VLAN, as it operates in a different layer of the OSI model (network or 3) compared to mac layer or 2.

  3. Have you taken into consideration that physical port 1 on the switch is 4 in the internal mapping? Other than that I don't see any mistake in your configuration. Maybe there is some problem in firewall configuration.

Thanks for the response.

  1. I think I get it now, thanks

  2. I'm still a bit confused. OpenWRT's page on VLAN's https://openwrt.org/docs/guide-user/network/vlan/switch_configuration has a separate section titled "Creating driver-level VLANs". Can you tell me what the significance / difference of driver-level VLANs is compared to the VLAN setup and discussion in the earlier sections?

  3. I did notice that the physical port is numbered differently than the switch port. Regarding the firewall settings, I didn't change anything from the default except for a few tweaks of the zones: lan => wan + isolated and isolated => wan + lan. Can you think of anything I'm forgetting or that might be worth trying? Based on the error messages I got, it seems like there's some DNS or DHCP problem?

Thanks!

In principle there is no difference. In any system with an interface you can create a vlan subinterface, provided that it is supported by the software and the driver has such an instruction.

  1. Better post these to see if you missed something.
    cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru

You may like to split the code block into two, moving the quoted line outside code.

I noticed that you have only one VLAN for your "original" config file, and CPU port isn't tagged. Is that right?

Mhegab: Thanks for pointing out. I corrected it. No idea if the VLAN setup for my original config is correct, but I can confirm I did not accidentally cut out a piece and that that's the default, which seems to work fine.

Trendy: Thanks for the explanation. Had to wait to find a time when no one would mind the router being down, but I reset the router to default OpenWRT settings and repeated what I did earlier except that I tried adding a dhcp section for 'isolated'. I made the changes to the /etc/config files and then copied them because once I reset the router I cannot access it, so I was unable to ssh into the router and run the ip commands unless the output is helpful before I change the configuration files. Here's the output you suggested:

/etc/config/network (same as above):

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'isolated'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.12.1'
	option netmask '255.255.255.0'
	option ip6assign '60'


config device 'lan_dev'
	option name 'eth0'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

/etc/config/firewall:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
        option name             isolated
        list   network          'isolated'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT


config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

config forwarding                               
        option src              isolated             
        option dest             wan

config forwarding                          
        option src              isolated   
        option dest             lan

# Just including this to be safe for troubleshooting
config forwarding                          
        option src              lan
        option dest             isolated


# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# Figure if needed for lan probably good to have for isolated too
config rule                                            
        option name             Allow-IPSec-ESP       
        option src              wan                    
        option dest             isolated                    
        option proto            esp                
        option target           ACCEPT            
                                                   
config rule                                            
        option name             Allow-ISAKMP           
        option src              wan                   
        option dest             isolated                    
        option dest_port        500                                                      
        option proto            udp                
        option target           ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

/etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Previously didn't have this (just added for this try)
config dhcp 'isolated'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'isolated'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

Actually by moving my computer's LAN cable to the isolated port, I was able to ssh into the router (still no WAN access) and run the ip commands. Here's the output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.11.1/24 brd 192.168.11.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.12.1/24 brd 192.168.12.255 scope global eth0.2
       valid_lft forever preferred_lft forever
192.168.11.0/24 dev br-lan scope link  src 192.168.11.1 
192.168.12.0/24 dev eth0.2 scope link  src 192.168.12.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

Any ideas?

You don't have internet access on the router itself, or just the router's clients?

I don't claim to have tried OpenWrt on different devices (I have it only on my Archer C7), but here is a copy of my /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option stp '1'
	option igmp_snooping '1'
	option ifname 'eth1.1'
	option netmask '255.255.255.0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '1 6t'

config interface 'WAN_PPPoE'
	option proto 'pppoe'
	option ifname 'eth0.2'
	option username 'xxx'
	option password 'xxx'
	option ipv6 'auto'
	option mtu '1420'

So the WAN interface is also on a VLAN rather than being directly on eth0 (or eth1 in your case). I understand that you had connection with the default config, but could it be that when you start adding more VLANs for the LAN, it doesn't like it?

Also I noticed that your original config file contained

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

(no tagging for port 0, unless you missed that in the copying), while your modified config file had it tagged.

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

Would you be able to send a screenshot of your http://192.168.12.1/cgi-bin/luci/admin/network/vlan (or whichever IP lets you access the router now).

Seems that there is no eth1 interface for WAN.
Does it appear with ifconfig -a ?

I appreciate the help.

mhegab:
Neither the router nor clients has internet access with the updated settings. I could try putting the WAN on its own VLAN, like yours, but I'm confused about the settings for that. For example, what proto would I use? I see yours has a username and password, which confuses me.

Correct, no tagging for port 0 in original config. My understanding is that when creating multiple VLANs the CPU port should be tagged so that one can set it up to filter the data based on the VLANs of the data that passes through it (similar to https://forum.openwrt.org/t/vlan-inplementation/17470/12), which is why I tagged it in the updated settings.

Here's the screenshot of LUCI's VLAN page:

trendy: I think it does appear, but just to be safe, here's the output of that command (I put x's in places I thought might be security or privacy related):

br-lan    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
          inet6 addr: xxxx:xxxx:xxx:xx::1/60 Scope:Global
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:1958 (1.9 KiB)

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4164 errors:0 dropped:1 overruns:0 frame:0
          TX packets:2052 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:390507 (381.3 KiB)  TX bytes:287636 (280.8 KiB)

eth0.1    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:1958 (1.9 KiB)

eth0.2    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx 
          inet addr:192.168.12.1  Bcast:192.168.12.255  Mask:255.255.255.0
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          inet6 addr: xxxx:xxxx:xxx::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2024 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:330397 (322.6 KiB)  TX bytes:283183 (276.5 KiB)

eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx 
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1991 errors:0 dropped:283 overruns:0 frame:0
          TX packets:241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:119712 (116.9 KiB)  TX bytes:80854 (78.9 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:15308 (14.9 KiB)  TX bytes:15308 (14.9 KiB)

wlan0     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet6 addr:xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:1064 (1.0 KiB)

wlan1     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:1064 (1.0 KiB)

Sorry, that's because my WAN connection is a PPPoE connection. You don't need to change that.

I see that your switch doesn't include the WAN port. That's very different from what I have. I don't know if it's supposed to be like that or if there is something wrong.

What do you get of the following command

swconfig 

swconfig just gives help for the command, so I'm guessing you'd find 'swconfig list' helpful and did that to get:

Found: switch0 - 90000.mdio

According to https://openwrt.org/toh/asus/rt-ac58u, port 5 is my router's WAN port. I'm not sure what the distinction is between that and eth1, but I could try adding port 5 to its own vlan, perhaps that would help?

Yeah, you would need to add it untagged, along with CPU port as tagged.

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '5 0t'

And you would adjust the WAN interface accordingly.

config interface 'wan'
	option ifname 'eth1.3'
	option proto 'dhcp'

To be honest, I am not sure if it will work but you will have to try. My switch shows in addition to the CPU(s) and the 4 LAN port, the WAN port. So I don't know why yours doesn't.

Interesting, seems like the right track. Now, when plugged into the isolated port I can get out to the internet and everything works fine, but when plugged into any of the other LAN ports, I still cannot connect to the router or get out to the internet.

How about WiFi?

And can you send your config files again?

It appears that the wan interface (eth1) doesn't have an IPv4 address. Is that correct?

May I suggest to create a new vlan for your LAN, let's say 3.
Add there untagged the LAN ports 2-4 and tagged the CPU.
For vlan1 turn all LAN ports to off and CPU untagged, as it was in the default setting.
Finally in network config file under LAN change ifname 'eth0.1' to eth0.3

I figured out the problem! For some reason the router has a problem when a vlan with id 0 or 2 is specified in /etc/config/network (id of 1 didn't seem to cause problems in my test). So to get around the problem I simply used large vlan ids above 2, sigh.

The idea occurred to me after stumbling on a dd-wrt page that mentioned something about them having carefully picked the default vlan ids and to not mess with them, which made me think perhaps the ones I picked were conflicting with some latent vlan ids of the router. Perhaps this behavior is related to the router's default settings missing any reference to the WAN port on port 5 and having no tagged ports?

Anyway, mhegab and trendy, I appreciate the help from both of you, thanks.

A VLAN ID of 0 is never legal. Not sure what the problem would be with 2 though.

swconfig dev switch0 show will read back how the VLANs have actually been loaded into the switch.

ran swconfig and got:

...
VLAN 1:
	vid: 1
	ports: 0t 1t 2t 3t 4t 
VLAN 2:
	vid: 2
	ports: 0t 5 
VLAN 5:
	vid: 5
	ports: 0t 1 
VLAN 6:
	vid: 6
	ports: 0t 2 3 4 

VLAN 1 and 2 are not created in my /etc/config/network file, so it does seem to explain the problem I was having. Not sure why they're automatically created, especially VLAN 1. VLAN 1 seemed like a bit of a security issue having all those tagged ports, so in /etc/config/network I created a switch_vlan and only include port 1 as tagged in it to try and override this default behavior since I trust the computer on port 1 and having it in its own VLAN doesn't seem like it'd be a problem. It seems to have worked and now I get:

...
VLAN 1:
	vid: 1
	ports: 1t 
VLAN 2:
	vid: 2
	ports: 0t 5 
VLAN 5:
	vid: 5
	ports: 0t 1 
VLAN 6:
	vid: 6
	ports: 0t 2 3 4 

So it's not pretty, but problem solved (I think).

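The comparison the last two posts make by eye, as an added example that is not part of the original thread: it lists VLANs that `swconfig dev switch0 show` reads back but `/etc/config/network` never declares, and non-CPU ports that a VLAN carries tagged. The sample network file is constructed (the poster's final file is not shown), the readback is the first excerpt quoted above, CPU port 0 is taken from the first post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit swconfig readback against switch_vlan sections.

# Constructed sample: a network file that declares only VLANs 5 and 6.
SAMPLE_NETWORK="config switch_vlan
    option device 'switch0'
    option vlan '5'
    option ports '1 0t'

config switch_vlan
    option device 'switch0'
    option vlan '6'
    option ports '2 3 4 0t'"

# Readback excerpt as quoted in the thread (first swconfig output).
SAMPLE_SWCONFIG="VLAN 1:
    vid: 1
    ports: 0t 1t 2t 3t 4t
VLAN 2:
    vid: 2
    ports: 0t 5
VLAN 5:
    vid: 5
    ports: 0t 1
VLAN 6:
    vid: 6
    ports: 0t 2 3 4"

# VIDs declared by switch_vlan sections (UCI text on stdin).
# 'option vid' wins over 'option vlan' when a section has both.
config_vids() {
    awk '
        function emit() { if (insec && id != "") print id; insec = 0; id = "" }
        $1 == "config" { emit(); insec = ($2 == "switch_vlan"); next }
        insec && $1 == "option" && ($2 == "vlan" || $2 == "vid") {
            v = $3; gsub(/[^0-9]/, "", v)
            if ($2 == "vid" || id == "") id = v
        }
        END { emit() }
    ' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# VIDs the switch has actually loaded (swconfig show text on stdin).
switch_vids() {
    awk '$1 == "vid:" { print $2 }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# $1 = UCI text, $2 = swconfig text: VIDs loaded but never declared.
undeclared_vlans() {
    declared=" $(printf '%s\n' "$1" | config_vids) "
    out=""
    for vid in $(printf '%s\n' "$2" | switch_vids); do
        case "$declared" in
            *" $vid "*) ;;
            *) out="$out $vid" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# $1 = swconfig text, $2 = CPU port: "vid:port" for every non-CPU port
# that a VLAN carries tagged (a trunk the config may not have intended).
tagged_non_cpu_ports() {
    printf '%s\n' "$1" | awk -v cpu="$2" '
        $1 == "vid:"   { vid = $2 }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+t$/ && $i != (cpu "t"))
                    printf "%s%s:%s", (n++ ? " " : ""), vid, substr($i, 1, length($i) - 1)
        }
        END { print "" }'
}

# On the router: undeclared_vlans "$(cat /etc/config/network)" "$(swconfig dev switch0 show)"
echo "loaded but not declared: $(undeclared_vlans "$SAMPLE_NETWORK" "$SAMPLE_SWCONFIG")"
echo "tagged on non-CPU ports (vid:port): $(tagged_non_cpu_ports "$SAMPLE_SWCONFIG" 0)"
```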