Inter VLAN routing/connections on downstream device

Hi,

I'm here because I'm looking for some help with optimizing my home network setup. I struggle with packets going around my whole network instead of taking a short route.

Here's a brief outline of my network topology:

image

  1. Device A: A wired router, connected to the internet and Device B. All zones and traffic rules for VLANs are set on this device.
  2. Device B: An access point with a simple switch, providing WiFi access to part of the apartment, connected to Device A and Device C.
  3. Device C: Another access point with a simple switch, providing WiFi to another part of the apartment.

All three devices are running OpenWrt 21.02.3 r16554.

I have segmented my network into three VLANs for better security and organization:

  • Normal LAN VLAN: For trusted devices.
  • IoT VLAN: For IoT devices.
  • Corporate VLAN: For my employer's devices.

The VLANs are configured so that the IoT and Corporate VLANs can't communicate with other VLANs, though they can access the internet. Devices on the Normal LAN VLAN can access the IoT and Corporate VLANs.

Currently, I have a personal PC (wired to Device C) on the Normal LAN VLAN and a corporate laptop (connected via WiFi to Device C) on the Corporate VLAN. I use remote desktop software to connect from my PC to the corporate laptop. However, the connection has been somewhat unstable.

Upon running tracepath, I discovered that the packets are being routed through Device A and Device B before reaching the corporate laptop. This roundabout route is likely contributing to the instability of the remote desktop connection.

Goal: I'd like to configure the setup such that the packets between my personal PC and the corporate laptop only go through Device C, making the connection more direct and hopefully more stable.

I believe this might involve setting up inter-VLAN routing on Device C, along with ensuring correct firewall rules and possibly setting up static routes. However, I'm not entirely sure of the steps involved in OpenWRT to achieve this.

I would greatly appreciate any guidance on how to proceed with this, especially any specific steps or configurations within OpenWRT that could help achieve a more direct connection between my personal PC and corporate laptop via Device C.

Thank you in advance for your assistance!
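As an added illustration (not code from the original post), here is a POSIX shell script, runnable with busybox awk as on OpenWrt, that parses a constructed /etc/config/firewall fragment in UCI syntax reproducing the policy described above (lan may reach iot, corp and wan; iot and corp may only reach wan) and prints the resulting zone forwarding matrix. The zone names lan, iot, corp and wan are assumptions. Because these forwarding sections are evaluated only by netfilter on Device A, a packet between the Normal LAN and Corporate VLANs has to reach Device A before it can be forwarded; Devices B and C only bridge frames and have no rule that could shortcut it.

```shell
#!/bin/sh
# Constructed /etc/config/firewall fragment (UCI syntax); not the poster's real config.
FIREWALL_CONFIG='
config zone
    option name lan
    option input ACCEPT
    option output ACCEPT
    option forward REJECT
    list network lan

config zone
    option name iot
    option input REJECT
    option output ACCEPT
    option forward REJECT
    list network iot

config zone
    option name corp
    option input REJECT
    option output ACCEPT
    option forward REJECT
    list network corp

config zone
    option name wan
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    list network wan

config forwarding
    option src lan
    option dest wan

config forwarding
    option src lan
    option dest iot

config forwarding
    option src lan
    option dest corp

config forwarding
    option src iot
    option dest wan

config forwarding
    option src corp
    option dest wan
'

# Print the name of every "config zone" section.
zones() {
    printf '%s\n' "$FIREWALL_CONFIG" | awk '
        $1 == "config" { section = $2 }
        section == "zone" && $1 == "option" && $2 == "name" { print $3 }
    '
}

# Print one "src dest" line for every "config forwarding" section.
forwarding_pairs() {
    printf '%s\n' "$FIREWALL_CONFIG" | awk '
        $1 == "config" { section = $2; src = ""; dest = "" }
        section == "forwarding" && $1 == "option" && $2 == "src"  { src = $3 }
        section == "forwarding" && $1 == "option" && $2 == "dest" { dest = $3 }
        src != "" && dest != "" { print src, dest; src = ""; dest = "" }
    '
}

# Exit 0 if traffic entering zone $1 may be forwarded to zone $2.
# Any pair without a forwarding section falls back to the zone's
# "option forward REJECT", so it is blocked.
can_forward() {
    forwarding_pairs | grep -Fqx "$1 $2"
}

# Verify the policy described in the post: lan reaches everything,
# iot and corp reach only wan, and nothing else is allowed.
check_policy() {
    can_forward lan iot && can_forward lan corp && can_forward lan wan &&
    can_forward iot wan && can_forward corp wan &&
    ! can_forward iot lan && ! can_forward corp lan &&
    ! can_forward iot corp && ! can_forward corp iot
}

# Print the full inter-zone forwarding matrix for review.
print_matrix() {
    for src in $(zones); do
        for dest in $(zones); do
            [ "$src" = "$dest" ] && continue
            if can_forward "$src" "$dest"; then verdict=allowed; else verdict=blocked; fi
            printf '%-5s -> %-5s %s\n' "$src" "$dest" "$verdict"
        done
    done
}

print_matrix
```

On a real router you would replace the embedded string with the contents of /etc/config/firewall; the matrix makes it easy to see that every allowed path is a decision taken on Device A, which is why the traffic has to travel there.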

They should only show a hop thru device A if that's the router. I assume you merely mean they pass thru Device B.

You would merely make Device C the router instead of A. Are there other considerations that aren't noted?

I have to note - I'm no expert here, and even though I have worked in IT for some years I probably still lack knowledge and understanding of some network concepts.

I'm not insisting on any particular solution.

Yes, the tracepath only shows Device A; my reference to Device B was only to point out that connections go unnecessarily through two extra devices.

I'm looking for a solution that would work in other similar cases, like another laptop connected over WiFi to Device B that I would like to use to connect to the device in corporate VLAN with the shortest path possible. So for example let's imagine the same case for Device B as the one I described for Device C.

In general, I want to use this network better with the current VLAN setup.

I only am a bit concerned if this is achievable while all my traffic rules are currently on Device A.

At the moment I don't recall any more constraints.

OK cool, then moving: the VLAN setups, routing, traffic rules, etc. to Device C should solve your concerns.

But what if I have a similar case as I mentioned for Device B? I understand that I would have to move the whole setup each time to one of 3 devices.

Edit:
Also, I think moving everything to Device C is really not an option. Device A is the one connected to the internet, and it is configured to handle any outgoing connection by having all zones, interfaces, and devices set up to use that internet connection. For example, the WAN zone is configured to use the WAN interface, which is configured to use a particular ethernet port connected to my ISP.

I'm sorry if my initial post was confusing but I cannot change the topology of the network, I cannot connect the internet cable to Device C.

It's not ideal to have multiple devices routing for the same VLAN in a network - mostly because they also need to have the same firewall rules (ideally), and you must statically address the hosts to use this other gateway for said traffic. It seems that's your desire.

You're just describing a need to further VLAN the network.

I had a similar issue where I had a server and a camera in addition to remote cameras. I had to likewise arrange my network so it takes the shorter physical path. For example, in a HD situation, this could be a quite serious issue to resolve.

This is genuinely why I asked about other considerations.

You can likewise trunk WAN like any other VLAN; the issue is you then are relying on 2 or 3 physical devices to maintain WAN instead of 1 (i.e. Device A) - hence another consideration. You don't even consider the distance to WAN. In a SoHo sense, it's quite negligible if all devices are the same speed (e.g. Gigabit Ethernet). :wink:

That introduces another consideration, routing instead of switching is slower and will add latency. Be sure you don't introduce asymmetry or loops.

Actually, this is not my desire, it might be a solution (one I'm not sure I fully understand yet), my desire is to shorten the path for remote desktop connection within my home network while keeping current VLAN segmentation and network topology, because simply speaking, I'm transferring up to 50Mbit/s while using this remote connection through 2 extra devices, which seems occasionally unstable and takes up transfer for other things, like downloading 20GB from NAS server connected to Device B.

I'm still not sure what steps I should take, but I will check some network routing articles to see if there is some wisdom there.

Unless the devices A, B, and C are ancient, there should be no instability with 2 or 3 extra wired hops. Especially devices B and C only move ethernet frames with minimal overhead.
You should be looking at the wireless utilization of device C and the cpu utilization of all the devices when there is a lot of traffic.
Knowing the device models could also help a bit.
Your current configuration is correct and you really shouldn't be making any changes there.

3 Likes

+1 or +2 hops in a wired LAN environment does not add delay; the instability is more due to the fact that you connect from a wired device to a wireless device, assuming a couple of things:

  • your APs are working correctly and are not some very ancient, look-ok-but-silently-dying devices, and there is no cooling problem and/or hardware/software problems (e.g. low on memory, power supply issue)
  • your cabling is working correctly, i.e. you see no packet drops or errors in interface stats
  • you connect your APs lan-to-lan, B and C act as dumb APs (basically as wired+wireless switches without firewall+dns) and all logic is in master device A, acting also as router (WAN access)

if you have issues then:

  • check wifi config & stats - you may have neighbor interference, or too many wifi devices on a single AP can slow down overall speed, or a very slow wifi client can also degrade overall speed
  • check usage patterns: you mentioned the NAS transferring 20GB, that is heavy; unless you set QoS it can consume all traffic
  • check your logs for anomalies like too frequent DHCP requests or wifi authentication requests
3 Likes
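To make the "interface stats" and "logs for anomalies" checks above concrete, here is an added example (not the replier's code) in POSIX shell as it would run on an OpenWrt box: it reads the /proc/net/dev counter layout for receive/transmit errors and drops, and counts DHCPDISCOVER lines per client in dnsmasq's logread output to spot a client that keeps re-requesting a lease. The counter table and log lines are constructed samples embedded in the script, with locally administered MAC addresses; on a real device you would pipe in `cat /proc/net/dev` and `logread` instead.

```shell
#!/bin/sh
# Constructed sample in /proc/net/dev layout (two header lines, then one line
# per interface). Not captured from the poster's devices.
NET_DEV_SAMPLE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     4120      30    0    0    0     0          0         0     4120      30    0    0    0     0       0          0
  eth0: 98765432  876543    0    0    0     0          0      1200 12345678  234567    0    0    0     0       0          0
  eth1: 12345678  234567   17   42    0     0          0       300  9876543  123456    0    3    0     0       0          0
 wlan0: 23456789  345678    0    0    0     0          0       150  8765432  112233    5    0    0     0       0          0
br-lan: 34567890  456789    0    0    0     0          0      1650 22222222  333333    0    0    0     0       0          0'

# Constructed logread-style lines in dnsmasq-dhcp format. The client ending in
# :aa sends four DHCPDISCOVERs within a minute, the one ending in :bb only one.
LOG_SAMPLE='Tue Jul 11 10:00:01 2023 daemon.info dnsmasq-dhcp[1234]: DHCPDISCOVER(br-iot) 02:00:00:00:00:aa
Tue Jul 11 10:00:01 2023 daemon.info dnsmasq-dhcp[1234]: DHCPOFFER(br-iot) 192.168.20.50 02:00:00:00:00:aa
Tue Jul 11 10:00:14 2023 daemon.info dnsmasq-dhcp[1234]: DHCPDISCOVER(br-iot) 02:00:00:00:00:aa
Tue Jul 11 10:00:27 2023 daemon.info dnsmasq-dhcp[1234]: DHCPDISCOVER(br-iot) 02:00:00:00:00:aa
Tue Jul 11 10:00:40 2023 daemon.info dnsmasq-dhcp[1234]: DHCPDISCOVER(br-iot) 02:00:00:00:00:aa
Tue Jul 11 10:03:05 2023 daemon.info dnsmasq-dhcp[1234]: DHCPDISCOVER(br-lan) 02:00:00:00:00:bb
Tue Jul 11 10:03:05 2023 daemon.info dnsmasq-dhcp[1234]: DHCPACK(br-lan) 192.168.10.20 02:00:00:00:00:bb laptop'

# Print every interface whose rx/tx error or drop counters are non-zero.
# After replacing the colon, the fields are: 1 name, 2-9 receive counters
# (bytes packets errs drop fifo frame compressed multicast), 10-17 transmit
# counters (bytes packets errs drop fifo colls carrier compressed).
suspect_interfaces() {
    printf '%s\n' "$NET_DEV_SAMPLE" | awk '
        NR > 2 {
            sub(/:/, " ")
            if ($4 + $5 + $12 + $13 > 0)
                printf "%s rx_err=%s rx_drop=%s tx_err=%s tx_drop=%s\n", $1, $4, $5, $12, $13
        }
    '
}

# Print "mac count" for every client with more than $1 DHCPDISCOVER lines.
# In dnsmasq-dhcp log lines the client MAC is the last field of a DISCOVER.
dhcp_churn() {
    printf '%s\n' "$LOG_SAMPLE" | awk -v limit="$1" '
        /DHCPDISCOVER/ { count[$NF]++ }
        END { for (mac in count) if (count[mac] > limit) print mac, count[mac] }
    '
}

echo "Interfaces with errors or drops:"
suspect_interfaces
echo "Clients sending more than 2 DHCPDISCOVERs:"
dhcp_churn 2
```

Counters in /proc/net/dev are cumulative since boot, so take two readings some minutes apart and compare; a counter that only grew long ago is less interesting than one still rising during a transfer.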

Device A
Raspberry Pi Compute Module 4 Rev 1.0, /w Router Carrier Board Mini from DFRobot

Device B
Netgear Nighthawk X4S R7800

Device C
TP-Link Archer C6U v1

I'm not the only user of the network and sometimes I move bigger files from NAS connected to device B

I will take a look; in general, the network was set up a year ago, and the cables are good 10Gbit-ready, although I only tested them for 1Gbit connections and all was fine.

At the moment I have 5 devices connected to Device B and 8 connected to C over WiFi, so I wouldn't say it's a lot; WiFi seemed fine for the whole last year. The apartment is long with some solid walls, which is why I have 2 APs - two solid construction walls between B and C, which also reduce noise for other devices. Channel selection is tricky since this is a big apartment building, but at least those APs are running different channels on 2.4 and 5 GHz with 802.11r enabled - no issues while moving around.

It seems I'm maybe overreacting, and for the sake of testing, I may also try to connect this laptop to the network using a cable. I kinda assumed that those extra hops are messing things up - also they don't look very optimal - you know, like every time I want to go to another room I go outside first. Not like I don't understand the VLAN concept, but I kinda hoped for some solution that would optimize this scenario.

If you have VLANs, then it is expected that packets will traverse all the way to the router to be routed to the other network. Any other scenario is VLAN hopping, which is considered a security flaw.
Possible workarounds would be to:

  1. Connect devices by cable, but each in its own VLAN.
  2. Move the PC to the Corporate vlan.
  3. Set a bandwidth limit to the file transferring devices or applications.

The devices are quite alright, except the C6U. As long as it is not doing much more than bridging, then it won't be a bottleneck.

3 Likes