How to "isolate" switch port lan4

Hi there.

Currently I have one IP camera connected to switch port lan4. I would like to "isolate" the lan4 port on the OpenWrt router. In the near future I intend to plug 3 extra IP cams in through that port by attaching a PoE-capable switch to it...

But for now I'd like the IP cam that is plugged into port lan4 on the OpenWrt router to be "isolated", i.e. it cannot access my LAN network and cannot access the WAN, but LAN users can still access RTSP on that isolated network.

I've already tried to create a new interface:

  • protocol: static address
  • device: switch port: lan4

The result was that my wifi stopped working and DHCP stopped working too, so I had to manually assign an IP to one of the PCs and revert. I assume the problem is that the lan interface currently uses br-lan (with all ports included?).

Most likely yes. You should be able to remove lan4 from br-lan (edit: don't delete or re-address the lan network itself, only change which ports the bridge carries!), then your approach should work. How to do so depends on whether your device is a DSA-flavor one or not.


And depends on the OpenWrt version.

We can take a look at your config to help you achieve the goal and/or resolve any issues that may have come up.

Do you want to have a wifi connection available for this camera network, too, or is it ethernet only on port lan4?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I already do this for my camera, guide here https://saudiqbal.github.io/Linux/openwrt-vlan-setup-guide-using-luci-for-iot-and-wireless-with-dsa.html


I want to have wifi in the near future when I add my esp32 boards to the network...

Here is the info:

ubus call system board

{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd30:ac1a:e1b9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'secret'
	option password 'secret'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1/24'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'secret'
	option listen_port '51820'
	list dns '192.168.1.1'
	list addresses '10.10.50.1/24'
	list addresses 'fdde:adc0:0c1e:50::1/64'

config wireguard_vpn
	option description 'xa2'
	option public_key 'secret'
	option private_key 'secret'
	list allowed_ips '10.10.50.2/24'
	option endpoint_host 'secret.duckdns.org'
	option endpoint_port '51820'
	option route_allowed_ips '1'

config wireguard_vpn
	option description 'p40'
	option public_key 'secret'
	option private_key 'secret'
	list allowed_ips '10.10.50.3/24'
	option route_allowed_ips '1'
	option endpoint_host 'secret.duckdns.org'
	option endpoint_port '51820'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'SI'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'secret'
	option encryption 'sae-mixed'
	option key 'secret'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option country 'SI'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'secret'
	option encryption 'sae'
	option key 'secret'

config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option network 'secret'
	option ssid 'secret'
	option encryption 'psk2'
	option key 'secret'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	list addnmount '/bin/busybox'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

config host
	option duid '00030001A02942B06CCE'
	option mac 'AA:AA:42:B0:6C:CE'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'lan'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

Ok... so we're going to set up bridge-VLANs to achieve this (your E8450 on 23.05 is a DSA device — that is why `br-lan` lists `lan1`–`lan4` as bridge ports rather than using a `config switch` section). One unrelated thing I noticed in your `network` config while reading it: each `wireguard_vpn` peer section carries an `option private_key` and a `/24` in `allowed_ips`. A peer section only needs the peer's `public_key` (a client's private key should never be stored on the router — if the router is ever compromised, so are the clients), and `allowed_ips` should be that one peer's address, `10.10.50.2/32` and `10.10.50.3/32`; with two overlapping `/24` entries and `route_allowed_ips '1'`, WireGuard can map that range to only one peer at a time.

Start in the network config file and add the following:

# VLAN 1 keeps carrying the existing LAN: lan1-lan3 untagged ('u'), with
# VLAN 1 as the port's PVID ('*') so untagged frames arriving on them land here.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

# VLAN 5 holds only lan4. Because the port is untagged, anything plugged in
# there (the camera now, an unmanaged PoE switch with more cameras later)
# ends up in this VLAN and never sees VLAN 1 traffic at layer 2.
config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan4:u*'

Now, edit the lan interface to use `br-lan.1` — change only the `device` line. The IP address, netmask and `ip6assign` stay exactly as they are, and your two wifi-iface sections that reference `network 'lan'` keep working unchanged because they follow the interface, not the bridge device:

# Same 'lan' network as before; the only change is the device, which moves
# from the raw bridge 'br-lan' to its VLAN-1 sub-interface 'br-lan.1'.
# Keep the address/mask/ip6assign identical so DHCP leases and the wifi
# APs bound to network 'lan' are unaffected.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

And now we can add the iot network:

# New isolated camera network on VLAN 5. 192.168.5.0/24 does not overlap
# lan (192.168.1.0/24), guest (192.168.3.0/24) or the vpn (10.10.50.0/24).
# No 'ip6assign' here, so unlike lan it gets no delegated IPv6 prefix.
# When you later want the ESP32s on wifi, add a wifi-iface with
# "option network 'iot'" and it will join this same network.
config interface 'iot'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

Next, in the DHCP file, we'll add a server for the iot network:

# DHCPv4 pool 192.168.5.100-192.168.5.249 for the cameras (start 100, 150
# addresses). IPv4 only - no dhcpv6/ra, matching the iot interface having
# no IPv6 prefix. Consider adding 'config host' static leases for the
# cameras so their RTSP addresses never change.
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Finally, you already have an `iot` zone in the firewall, but it has no network attached yet, so it currently does nothing. We'll attach the new network and add forwarding. `forward 'REJECT'` on the zone is what stops the cameras from opening connections to `lan` (or anywhere else); `lan > iot` forwarding is what gives your LAN clients RTSP access, and because the firewall is stateful the replies ride the same connection, so nothing is needed in the other direction. Since the point of this zone is isolation, I'd also use `input 'REJECT'` with explicit DHCP (and, if needed, DNS) allow rules — exactly what your `guest` zone already does — so the cameras cannot reach LuCI/ssh on the router itself. `iot > wan` would give the cameras internet access, which you said you do not want, so only include it if you change your mind. Edit the iot zone:

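# iot zone, now attached to the new network. 'forward REJECT' stops the
# cameras from opening connections into lan/wan/vpn; replies to sessions
# that lan clients open (RTSP) are still accepted by connection tracking,
# which is what gives the one-way access asked for. 'input REJECT' mirrors
# the existing guest zone so the cameras cannot reach LuCI/ssh/other
# services on the router; the two rules below re-open only what they need.
config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

# The cameras still need a DHCPv4 lease from the router (same as guest_dhcp).
config rule 'iot_dhcp'
	option name 'Allow-DHCP-IoT'
	option src 'iot'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

# DNS via the router. Only needed if the cameras must resolve names (e.g.
# if you later add iot -> wan forwarding); remove it for strictest isolation.
config rule 'iot_dns'
	option name 'Allow-DNS-IoT'
	option src 'iot'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'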

Then add the forwarding:

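# lan -> iot: lets everything in the lan zone (wired PCs and the two wifi
# APs bound to 'lan') reach the cameras' RTSP ports. Return traffic belongs
# to the same tracked connection, so no iot -> lan forwarding is required.
config forwarding
	option src 'lan'
	option dest 'iot'

# iot -> wan is deliberately left out: the first post asks that the cameras
# have no WAN access, and without this forwarding the iot zone's
# 'forward REJECT' blocks them from the internet. If you ever want to allow
# it (firmware updates, cloud features), add:
#   config forwarding
#   	option src 'iot'
#   	option dest 'wan'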

Reboot the router (safest when bridge-VLANs change) or restart the network and firewall services, then test each rule you intended: from a LAN client the camera's RTSP stream should be reachable on its new 192.168.5.x address; from the camera's side nothing on 192.168.1.0/24 should answer; and, if you left `iot > wan` out, the internet should be unreachable from that network as well.

Thank you so much!
