How to manage few tagged and untagged vlans?

newman · November 9, 2024, 5:08pm

Hi, it's me again Hatdware: Xiaomi AX3000T wirh snapshot supporting AN8855. I managed to get a basic network running on OpenWRT via łan and wifi, but I'm having trouble configuring VLANs. I don’t quite understand it. Initially, I have a bridge interface set up for all devices, WAN, and a virtual WAN6 after configuring the internet connection via PPPoE. How should I create VLANs? From what I’ve read, I need to create a separate VLAN for each LAN port? But why?

What I need is a trunk with 3 VLANs on 1 port and 2 untagged ports with only 1 VLAN each. The untagged VLAN should have access to the internet and the local network. Tagged VLANs should be:

VLAN 3: internet only

VLAN 2: local network

VLAN 1: local network and internet

I've already looked at firewall rules as I configured traffic to enable two servers at home. I set up port forwarding and assigned static IPs, but I might need some help here. Can you offer some advice?

psherman · November 9, 2024, 5:15pm

No, you don't need to do this. It is a valid approach for some networks/users/situations, but this is by no means necessary or one-size-fits-all.

Please define the port-VLAN membership like this (just making this up):

Port lan1: VLAN 1 untagged, VLANs 2 and 3 tagged
Port lan2: VLAN 2 and 3, both tagged.
Port lan3: VLAN 1 untagged.
...

Then, post your current config and we'll take a look to see how it should be implemented:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

newman · November 9, 2024, 5:40pm

OK. I need.

VLAN 1: internet only - will be connected to server. It shoud have only acces to inetrnet - not local network
VLAN 2: local network - it will be connect to print server - acces only from local devices
VLAN 3: local network and internet - rest of devices with acces dor example to each other - without server - to print server and internet. I do not want to give by it acces to vlan 2 to go outsie

PORT2:
VLAN1 + VLAN2 + VLAN3 - i will manage them on switch after that
PORT3:
VLAN3
PORT4:
VLAN3
WIFI 2.4 + WIFI 5 Ghz
VLAN3

ubus call system board

{
        "kernel": "6.6.56",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T",
        "board_name": "xiaomi,mi-router-ax3000t",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r0-66c5aae",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r0-66c5aae"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc2:5d58:57d6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '*****'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device
        option name 'wan'
        option macaddr '******'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username '******'
        option password '*****'
        option ipv6 'auto'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel 'auto'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'fiberway.pl_76'
        option encryption 'psk2'
        option key '****'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'fiberway.pl_76_5GHz'
        option encryption 'psk2'
        option key '****'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '20'
        option limit '170'
        option leasetime '24h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        list mac '****'
        option ip ****'
        option leasetime 'infinite'

config host
        list mac '****'
        option ip '*****'
        option leasetime 'infinite'

config host
        list mac '****'
        option ip '****'
        option leasetime 'infinite'

cat /etc/config/firewall
    

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

psherman · November 9, 2024, 5:44pm

Before we go any further... is this the main router?

This wan firewall zone looks very strange"

And, in fact, the entire firewall file looks like it's been heavily modified.

newman · November 9, 2024, 5:45pm

It is after briddge. Probably i changed it. If you know that it is not ok i will be garetefull for clue how to improve it.

psherman · November 9, 2024, 5:46pm

Can you elaborate? After what bridge?

newman · November 9, 2024, 5:47pm

GPON bridge - router from internet provider changed to bridge option.

newman · November 9, 2024, 5:48pm

Additionaly i think that i have to make good rules because i have got unlocked ports 80 and 443. And they do not protect me as well as before with theirs firewall

psherman · November 9, 2024, 5:50pm

Sounds like you need to reset your OpenWrt router to defaults. Please do that now.

Then, report the first two octets of the following output (in bold: aaa.bbb.ccc.ddd)

ifstatus wan | grep address

newman · November 9, 2024, 5:56pm

I have done reset but i do not have any response from that command
I suppose that i have to configure ppoe first?

psherman · November 9, 2024, 5:57pm

Ah, yes... configure PPPoE.

newman · November 9, 2024, 6:01pm

Ipv4 91.218

psherman · November 9, 2024, 6:04pm

Ok... you should be back online normally now, right?

now, let's see your config again.

newman · November 9, 2024, 6:12pm

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.56",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T",
        "board_name": "xiaomi,mi-router-ax3000t",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r0-66c5aae",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r0-66c5aae"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdaf:d630:b41d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '***'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username '****'
        option password '*****'
        option ipv6 'auto'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

psherman · November 9, 2024, 6:13pm

I'm now realizing that this is not from OpenWrt.
Where did this image come from? And is there any particular reason you are using this instead of a standard release build from the official project?

https://firmware-selector.openwrt.org/?version=23.05.5&target=mediatek%2Ffilogic&id=xiaomi_mi-router-ax3000t

newman · November 9, 2024, 6:16pm

IT comes from image which is made by user from this forum. Official snapshot and stable release docnot support an8855 switch in newer versions of Xiaomi ax3000t that i have

psherman · November 9, 2024, 6:39pm

Ok... if the advice I give doesn't work, please tag in the person who generated that image since they may have ideas about why it isn't working properly and/or need to know about the problems in order to help fix the underlying code.

You'll start by adding bridge VLANs:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan2:t'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

Next, edit the lan to use br-lan.1:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

And now we can create new network interface stazas:

config interface 'vlan2'
        option device 'br-lan.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'vlan3'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

Create DHCP servers for each of the new networks (/etc/config/dhcp)

config dhcp 'vlan2'
        option interface 'vlan2'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan3'
        option interface 'vlan3'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

And now we'll move onto the firewall (/etc/config/firewall):

Create new zones for the two new networks:

config zone
        option name 'vlan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan2'

config zone
        option name 'vlan3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan3'

We'll now add the forwards you've requested:

config forwarding
        option src 'vlan3'
        option dest 'wan'

config forwarding
        option src 'vlan2'
        option dest 'van3'

config forwarding
        option src 'vlan3'
        option dest 'vlan2'

The above will allow the following:

lan (vlan1) > wan
vlan2 > vlan3
vlan3 > vlan2
vlan3 > wan

Reboot and test.

newman · November 9, 2024, 8:51pm

I have problem with configuration on switch. I do not have access to it directly from network - i have to connect to it via ethernet. I have made some changes - add different IP range, port mapping and i assigned some static ips.
Additionaly i changed a little foward rules. I do not know if it is ok with that rules.

psherman · November 9, 2024, 9:04pm

No, what you've done, especially on the wan, is bad. Change that back immediately.

Why did you make changes relative to my suggestions? I had made those suggestions specifically based on what you said were your goals?

newman · November 10, 2024, 1:31am

Ok, IT works! I had problem with configuring vlans on switch. Right now i have a little problem with resoloving public domains from reverse proxy in local network. I am always redirecet to 1st domain or 2nd domain can not be resolved. IT works great from another network. Thank you for your help.