Hi,
sorry if this has been answered already, but i searched a lot and could not find this.
I am using openwrt on a 1043ND as sort of dumb switch/AP, but serving multiple vlans separated on multiple ports and WLAN's. At the moment i still have one connection to my ISP router untagged plugged into one port part of eth0/VLAN1 and openwrt lan interface set to static ip within the correct range. I use another connection to my ISP router which is tagged and contains all VLANs needed (VLAN 10 and 11 for the moment), which is split to needed ports (untagged) and to two separate WLAN interfaces. All works well.
But now i would like to get rid of untagged direct connection from ISP router to openwrt box as basically this is currently only used for accessing LuCi. How can this be accomplished?
Do i need to change the LAN interface to include physical interface VLAN10 and set a static ip in the address range used for VLAN10? I hate to just "try" as i will likely use connection to my box if i do something wrong.....
thanks for your help.
Raoul
Yes i did that, actually created a bridge as for both vlan 10 and vlan 11 there is also a separate WLAN created, but i still do not see how it will prevent the lockout.
I will try to give more detail. VLAN10 has a DHCP server giving 192.168.10.x addresses. VLAN11 the same with 192.168.11.x addresses. Any PC connected to my ISP router through different path is currently on another network with DHCP range 192.168.1.x. As the OpenWRT route ALSO has a cable plugged into a port which sits on default VLAN1 AND the default LAN interface has static IP 192.168.1.2, i am able to reach LuCi through 192.168.1.2. But if i unplug this cable, anyone trying to reach 192.168.1.2 will not be able to as the VLAN trunk will only pass traffic to 192.168.10.x and 192.168.11.x. So i need to change the static ip address of the openWRT box to be on one of these ranges, right?
I guess the question here is if the "CPU" trunked entry in the switch will always look for traffic on VLAN1 when it comes in over a trunked port?
I hope my question is clearer now....
thanks
Ummm...because in my suggestion, you never touch lan's config or any port it's assigned to.
So bridging these two networks makes no sense.
I guess you're confused, I understand how to make a trunk port. Maybe I'll show an example pic. This show's what's noted as "Port 4" as a trunk of VLANs 10 and 11, VLANs 1 and 2 are the default LAN and WAN:
ok, thanks i got it now. I think i misphrased my question then. I can see i cannot lock myself out as long as i can plugin a cable into one of the ports, you are correct.
But what i want to accomplish in the end is being able to reach the LuCi interface through one of the pc's on VLAN10 which has a 192.168.10.x address and cannot (through the trunk line) ever get to 192.168.1.2 on VLAN1/interface LAN
So my tagged line with VLAN10 is plugged into port LAN4 and LAN 2 can access it.
But how can i access LuCi, which has static 192.168.1.2 on VLAN1 from a PC whcih is on VLAN10 (and comes in over LAN4 tagged line?
I'm confused. This sound like the VLANs are bridged.
Two options to access:
Use the IP you assigned to the VLAN 10, simple
If LAN (eth0.1) and the VLAN 10 interface were placed in the same firewall zone when you set it up, then this traffic should forward by default to VLAN 1
Hi,
just wanted to let you all know i solved the issue, although it is not clear to me why it is solved.
So as the VLAN 10 and 11 have also a DHCP server in the ISP router, i decided when creating the interface on OpenWRT for eth0.10 (VLAN10) and eth0.11 (VLAN11) to NOT set them to a fixed ip address (I used 192.168.10.11 and 192.168.11.11, outside of normal dhcp range) but use dhcp instead and have these same IP address be assigned by the dhcp server as fixed ip addresses.
Now everything works as expected, my interface get these IP addresses and i can access LuCi from any of these as well.
I am still unsure why setting the fixed ip addresses to the same values caused the box to become unreachable every time i tried it.
thanks for all your help !!
Ummm...because in my suggestion, you never touch lan's config or any port it's assigned to.
