InterVLAN routing - Router on a stick

Hello,

I am a new OpenWrt user and have installed OpenWrt on a Belkin RT 3200. My setup is as follows:

ISP > Modem > OpenWrt as router/switch device.

For my own learning purposes, I am trying to recreate the interVLAN routing method aka "Router on a stick" as discussed in the following video:

Objective

I have created the following two networks across two different VLANs (to test as per the video):
'HomeWifi' and 'GuestWifi' (configuration output is included in the following paragraphs).

The objective is as follows:

  • Communicate from 'HomeWifi' to 'GuestWifi'
  • Communication should always be initiated from 'HomeWifi'. Any device connected to 'GuestWifi' should only be responding to requests from 'HomeWifi'. (I assume a firewall rule would take care of this, but please correct me if I am wrong).

Bottleneck

  1. The current issue is as follows:

    • As per the video linked earlier, we would need to create two sub-interfaces for the router and set them as the default gateway for each VLAN. This is the part where I am not sure how to proceed.
    • I am not sure how to create the default gateway for each VLAN and specify each IP address per VLAN.
  2. Also, please correct me if I am wrong in the following part:

    • I have created my primary vlan ID on 'eth0' and said port is untagged. The reasoning is, I'd like to keep all other LAN (physical) ports untagged and open for other devices to connect.
    • If the above reasoning is incorrect, could you please let me know why I would want to avoid this setup, or what alternative setup you would recommend to ensure I can implement the “router on a stick” method discussed in the YouTube video link shared earlier.

Thank you so much for your help.

======================================

root@OpenWrt:~# cat /etc/config/network

======================================
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'caa1:1bv2:3d92::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option delegate '0'

config device
        option type 'bridge'
        option name 'VLANs'
        option ipv6 '0'
        option bridge_empty '1'
        option acceptlocal '1'
        list ports 'eth0'
        list ports 'VLANs.3'
        list ports 'VLANs.5'
        list ports 'VLANs.7'

config bridge-vlan
        option device 'VLANs'
        option vlan '3'
        list ports 'VLANs.3:t'

config bridge-vlan
        option device 'VLANs'
        option vlan '5'
        list ports 'VLANs.5:t'
        list ports 'eth0:u*'

config bridge-vlan
        option device 'VLANs'
        option vlan '7'
        list ports 'VLANs.7:t'

config interface 'HomeWifi'
        option proto 'static'
        option device 'VLANs.5'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option delegate '0'

config device
        option name 'VLANs.5'
        option type '8021q'
        option ifname 'VLANs'
        option vid '5'
        option ipv6 '0'
        option acceptlocal '1'

config interface 'GuestWifi'
        option proto 'static'
        option device 'VLANs.3'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option defaultroute '0'

config device
        option name 'VLANs.3'
        option type '8021q'
        option ifname 'VLANs'
        option vid '3'
        option acceptlocal '1'

config interface 'NOT'
        option proto 'static'
        option device 'VLANs.7'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'
        option delegate '0'

config device
        option name 'VLANs.7'
        option type '8021q'
        option ifname 'VLANs'
        option vid '7'
        option acceptlocal '1'
        option ipv6 '0'

config device
        option name 'lan2'
        option acceptlocal '1'

config device
        option name 'eth0'
        option ipv6 '0'


======================================

root@OpenWrt:~# cat /etc/config/dhcp

======================================

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.132'
        option dns_service '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'HomeWifi'
        option interface 'HomeWifi'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'PieHole'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx' 
        option ip '192.168.1.132'
        option leasetime '0'


config dhcp 'GuestWifi'
        option interface 'GuestWifi'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'NOT'
        option interface 'NOT'
        option start '100'
        option limit '150'
        option leasetime '12h'


============================================================

root@OpenWrt:~# cat /etc/config/firewall

============================================================

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fex0::/xx'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'HomeWifi'
        option output 'ACCEPT'
        option forward 'DROP'
        option input 'DROP'
        list network 'HomeWifi'

config forwarding
        option src 'HomeWifi'
        option dest 'wan'

config rule
        option src 'HomeWifi'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option name 'DHCP & DNS HomeWiFi'

config forwarding
        option src 'lan'
        option dest 'HomeWifi'

config zone
        option name 'GuestZone'
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'
        list device 'VLANs.3'
        list network 'GuestWifi'

config forwarding
        option src 'GuestZone'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'GuestZone'

config rule
        option name 'DHCP & DNS Guest'
        option src 'GuestZone'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config zone
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'
        option name 'NOT'
        list network 'NOT'

config forwarding
        option src 'lan'
        option dest 'NOT'

config rule
        option name 'DHCP NOT Devices'
        list proto 'udp'
        option dest_port '67 68'
        option target 'ACCEPT'
        option src 'NOT'

A few things here:

  1. Your configuration has a ton of problems. It will be far easier to reset to defaults and start over than it will be to clean up the current configs. I'd recommend that as your first step.

  2. VLANs (as in the 802.1q standard) only apply to ethernet. If you are creating networks that are wifi only, you don't actually need to use VLANs. All you need in that case is a new network interface on a different subnet than your other network(s). If, however, you need those networks on ethernet, too (such as if you have wired devices to connect to those networks or other AP that is wired to your main router), then VLANs will be needed.

  3. Start with just one additional network, then build from there. You've put many networks in place, most with the same issues. This makes fixing the problems harder and more tedious. Get one new network functioning end-to-end, then replicate the recipe.

  4. Take a look at the guest wifi documentation that is hosted on the OpenWrt wiki. This will cover wifi-only guest networks.

  5. Similarly, review the DSA mini-tutorial if you need ethernet (VLANs) for those new networks.

If you want help with your first new network, post your config after you have reset-to-defaults. Then we can show you how to get the first one going. After that, it's rinse and repeat.

@psherman

Hello,

Thank you for taking the time to reply.

Regarding point 2:

If you are creating networks that are wifi only, you don't actually need to use VLANs.
If, however, you need those networks on ethernet, too (such as if you have wired devices to connect to those networks or other AP that is wired to your main router), then VLANs will be needed.

You are right in saying I should start from scratch. Before doing so, I would like to try to better explain what I have in mind so you can let me know which option (of the two mentioned earlier) may best fit the purpose.

When I began my study with the network configuration (described earlier), my goal was to have isolated devices on their own WiFi networks for additional security. I was also testing how to get any device(s) connected to a physical LAN port to talk to any of the devices on those isolated WiFi networks.

  • For instance, if I plug in a Raspberry Pi on a physical LAN port that runs Home Assistant OS, that Raspberry Pi should be able to “see” and communicate with IOT devices that are on the isolated WiFi network(s).
  • I would not want the opposite, however, i.e., I would not want any of the isolated WiFi network devices to be able to initiate any communication with any of the devices connected to the physical LAN ports.

Based on the above scenario, I thought VLANs would be the best choice, but maybe I was wrong with my assumption. I am happy to go with any further recommendation you can provide, and I will start everything from scratch and re-post my default configuration.

Thank you once again for your help.

Based on your description, you do not need to use VLANs on Ethernet, unless your specific situation requires that the Pi (running Home Assistant) sits on that same IoT/isolated network. If the Pi will be a member of your normal lan, you won't need to do anything at all with VLANs.

You'll simply create a new network and attach a wifi SSID to that network. The guest wifi link I sent earlier should get things working in general, and then we can tweak a few things to get your exact situation covered (like setting up a firewall rule to allow the lan to reach the IoT network, but not the other way around).


@psherman

Thank you once again for your input and time to reply. Regarding the following:

No, there is no such requirement. The Pi can reside on the main LAN so it can act as a bus from/to the isolated network(s). In that regard, I can go ahead with your recommendation about setting up a test WiFi network.

Before I reset everything, I read the Guest Wi-Fi extras, but also, I wanted to ask you something with regards to the Wi-Fi extras.

  • Besides securing the network (by providing encryption), is there any other fine-tuning you would recommend to apply for this isolated WiFi network and use case? For my purpose, I am just creating this wireless network for IoT devices, hence my asking.

Once we finalize any details about fine-tuning, I will do the following:

  1. Reset to default settings.
  2. Create the test Wifi network and fine-tune it, if need be.
  3. Provide the config, firewall, and dhcp output so we can further tweak firewall settings.

(If I am missing something please let me know).

Thank you once again for your time.

Kind regards,

Fine tuning can be done later, based on performance. You can follow the basic guest wifi guide for now. The most important bit of fine tuning is actually more global for the radio -- power levels and channels to enable maximum performance in your space. This is really important if you use more than one AP, but still has value to improve the performance when there are neighboring APs that are also using the airwaves.


@psherman

Hello again,

Thank you for the advice.

As per our earlier discussion, I have reset everything and followed along the Guest Wi-Fi basics to create the new IoT wireless network.

The current output is described below. If things look good, I assume the next step would be to set up a firewall rule to allow the LAN to reach the IoT network, but not the other way around.

=====================================
cat /etc/config/network
=====================================

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device 'IOT_dev'
        option type 'bridge'
        option name 'IOT'

config interface 'IOT'
        option proto 'static'
        option device 'IOT'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

=====================================
cat /etc/config/dhcp
=====================================
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'IOT'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option netmask '255.255.255.0'

=====================================
cat /etc/config/firewall
=====================================

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'IOT'
        option name 'IOT'
        option network 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'IOT_wan'
        option src 'IOT'
        option dest 'wan'

config rule 'IOT_dns'
        option name 'Allow-DNS-IOT'
        option src 'IOT'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'IOT_dhcp'
        option name 'Allow-DHCP-IOT'
        option src 'IOT'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

Looks okay to me. Does it work so far? If so, the only rule you need to add at this point is access from lan > IOT (but not the other way around)... that is achieved with this rule:

config forwarding
        option src 'lan'
        option dest 'IOT'

@psherman

Hello,

Thank you for following up.

Yes, so far the current setup works fine, and I tested the firewall rule and confirm it works. I have two more follow-up questions. The first question is with regards to the forwarding rule:

config forwarding
        option src 'lan'
        option dest 'IOT'

I SSH'ed to my device and navigated to the directory: cat /etc/config/firewall
It seems I must be missing something because, when I pasted the command, I got an error message along these lines:

optionsrc 'lan' not found

First, I thought there may be a case-sensitivity issue. I changed case, as well, but eventually I got the same error. At the end, I reverted to creating the rule via LuCI:


Q1: For my own learning purposes and future reference, I am wondering, when trying to edit firewall rules via terminal, do I have to amend the command with something like uci add firewall rule? The other firewall examples are similar to the rule you mentioned, and it seems a straightforward thing to do, but I am not sure why I got that error via terminal.


One more question about the current set up is rather hypothetical, but it would help me understand some concepts about OpenWrt and networking.

  • Let's assume I have a mobile device on the isolated IOT network. That mobile device wants to launch and access the Home Assistant Pi page. The Pi is connected to the lan network. We already know, with the current set up, such action is not possible. Also, my assumption is, these two devices are in different subnets, and such action would require routing via the default gateway/router in this case.

Q2. Is the above assumption about routing correct? If yes, what other rule, or combination of rules, would make such communication possible?

I hope I am not overwhelming you with these questions.

Thank you once again for your time.

How exactly did you try to add the firewall rule?

Here, there is a missing space (should be option src 'lan'), but that could just be a typo as you put it into the forum.

Anyway, there are 3 ways to edit the config files: LuCI web interface, UCI syntax directly on the command line, or direct editing of the text files using a text editor (such as vi which is preinstalled, or nano or others that you can install if desired). I personally tend to directly edit the text files, but this is not necessarily recommended unless you are really careful (UCI CLI methods have basic syntax validation, direct text editing does not).

Yes (firewall rules aside), but this should be a non-issue unless the router/gateway is not defined for the hosts for some reason. The main router knows about the existence of both of these networks, so if a connection request (or reply) comes in from a host on one network that is directed towards a host on another network, the router can just do its job and route between them. Nothing special needs to be done on the hosts or the router in this case.

You've got a rule allowing the lan to initiate connections with the IoT network, but not the other way around. If you wanted to make it bidirectional, simply allow forwarding from IOT > lan.

Or, you can make it as granular/specific as you want (you could allow one or more specific hosts on IOT to connect to lan, but prohibit others; you could allow all or some to connect to a specific port or group of ports; you could allow some or all to reach a specific host on the lan but only that host, etc.); you can combine these concepts, too... so it depends on your goals.


@psherman

Hello,

Thank you once again for your advice.

How exactly did you try to add the firewall rule?

I am a new user, and being unaware of the UCI syntax, I tried to enter the rule you mentioned directly on the command line, but it seems this is not the right way. I did not have much time to further investigate this, but following a quick search, my understanding is, the above forwarding rule could be entered as follows in UCI syntax:

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'    # [-1] = the section just added; [1] is an existing one
uci set firewall.@forwarding[-1].dest='IOT'
uci commit firewall                           # save to /etc/config/firewall
/etc/init.d/firewall restart

Regarding the text editors, I have some experience with nano, but I will need to check out "how-to" pages and other guides. This is an interesting topic in itself.

Or, you can make it as granular/specific as you want (you could allow one or more specific hosts on IOT to connect to lan,

Ok, knowing that it is feasible, I will continue my study and further experiment with these rules for my own learning purposes.

Because the initial question is answered, I assume it would be 'ok' to mark the topic as resolved as per this post. I will create a new topic if there are further questions on the current set up.

Thank you once again for your help.
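As an added example (not code from this thread or from OpenWrt), the following Python script parses UCI-style config text and applies the zone/forwarding model psherman describes above: traffic between two zones needs a `config forwarding` section, otherwise the global default forward policy applies, and replies flow back through conntrack. Run over a constructed, condensed copy of the posted IoT firewall, it shows that the lan > IOT forwarding lets lan initiate connections while IOT stays blocked toward lan. It also resolves positional references the way `uci set firewall.@forwarding[N]...` addresses them: against that config, `@forwarding[1]` is the existing `IOT_wan` section, while `@forwarding[-1]` is the last (most recently added) one. `config rule` sections are not modelled; the sample contains none that affect lan/IOT.

```python
"""Added example, not code from the thread or from OpenWrt: a small parser for
UCI-style config text with two checks on top of it: which firewall zones may
initiate connections to which, and what a positional reference such as
'@forwarding[1]' resolves to. 'config rule' sections are ignored."""
import re

# Constructed sample, condensed from the IoT firewall posted in the thread
# (defaults, zones and forwardings only; the wan 'Allow-*' rules are left out).
SAMPLE_FIREWALL = """
config defaults
        option input 'ACCEPT'
        option forward 'REJECT'
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option forward 'REJECT'
config forwarding
        option src 'lan'
        option dest 'wan'
config zone 'IOT'
        option name 'IOT'
        option network 'IOT'
        option input 'REJECT'
        option forward 'REJECT'
config forwarding 'IOT_wan'
        option src 'IOT'
        option dest 'wan'
config forwarding
        option src 'lan'
        option dest 'IOT'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'\s*$")

def parse_uci(text):
    """Return sections as dicts {type, name, options, lists}, in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2),
                             "options": {}, "lists": {}})
            continue
        m = ENTRY_RE.match(line)
        if m and sections:
            kind, key, value = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"].setdefault(key, []).append(value)
    return sections

def resolve(sections, ref):
    """Section that 'uci set firewall.<ref>.src=...' would modify, or None.
    ref is positional, e.g. '@forwarding[1]' or '@forwarding[-1]'."""
    m = re.fullmatch(r"@(\w+)\[(-?\d+)\]", ref)
    if not m:
        raise ValueError("expected @type[index], got %r" % ref)
    same_type = [s for s in sections if s["type"] == m.group(1)]
    idx = int(m.group(2))
    return same_type[idx] if -len(same_type) <= idx < len(same_type) else None

def can_initiate(sections, src, dst):
    """True if hosts in zone src may open NEW connections to hosts in zone dst.
    Model: traffic between interfaces of one zone follows that zone's own
    'forward' policy; traffic between two zones needs a 'config forwarding'
    src -> dest, otherwise the global 'defaults' forward policy applies.
    Replies to established connections are matched by conntrack, so an allowed
    lan -> IOT forwarding does not let IOT open connections toward lan."""
    zones = {s["options"].get("name"): s["options"]
             for s in sections if s["type"] == "zone"}
    if src == dst:
        return src in zones and zones[src].get("forward", "REJECT") == "ACCEPT"
    if any(s["type"] == "forwarding" and s["options"].get("src") == src
           and s["options"].get("dest") == dst for s in sections):
        return True
    d = next((s for s in sections if s["type"] == "defaults"), None)
    return d is not None and d["options"].get("forward", "REJECT") == "ACCEPT"

def reachability(sections):
    """Matrix {(src, dst): bool} over every pair of zones in the config."""
    names = [s["options"]["name"] for s in sections if s["type"] == "zone"]
    return {(a, b): can_initiate(sections, a, b) for a in names for b in names}

if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_FIREWALL)
    for (a, b), ok in sorted(reachability(cfg).items()):
        print("%-4s -> %-4s %s" % (a, b, "may initiate" if ok else "blocked"))
    for ref in ("@forwarding[1]", "@forwarding[-1]"):
        s = resolve(cfg, ref)
        print(ref, "->", s["name"] or "(unnamed)", s["options"])
```

Running it prints the zone-pair matrix (lan may initiate toward lan, wan and IOT; IOT only toward wan; wan toward nothing) and the two positional lookups. Replacing `SAMPLE_FIREWALL` with the contents of a real `/etc/config/firewall` gives the same matrix for that device, which is a quick way to confirm an "allow lan to reach IoT but not the reverse" intent before trusting it.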
