lan + lan2 + WireGuard + VLAN

The problem is that lan and lan2 can't work together. I have to stop lan to use lan2.

Model Xiaomi Mi Router 3 Pro
Architecture MediaTek MT7621 ver:1 eco:3
Firmware Version OpenWrt 21.02.0-rc4 r16256-2d5ee43dc6 / LuCI openwrt-21.02 branch git-21.285.75922-4fd8c83
Kernel Version 5.4.137

My router config is the same as in this thread, but I use VLANs instead of vpn-policy-routing (I don't know how to add a route through vpn-policy-routing): [SOLVED] Wireguard - Firewall (Actually routing)

A similar configuration worked well on openwrt-19.07.3-ramips-mt7621-xiaomi_mir3p (wan was PPPoE, now it is DHCP).


I also use dnscrypt-proxy2 and a double dnsmasq setup, which I have not posted.

old VLAN setup (screenshot from another router of the same model; image not included)

After a reboot, wan can't obtain an address. Restarting wan doesn't help.

[   66.432563] mt7530 mdio-bus:1f wan: Link is Up - 100Mbps/Full - flow control rx/tx
[   66.440205] br0: port 4(wan) entered blocking state
[   66.445111] br0: port 4(wan) entered forwarding state
[   67.456428] mt7530 mdio-bus:1f wan: Link is Down
[   67.461190] br0: port 4(wan) entered disabled state
[   69.504565] mt7530 mdio-bus:1f wan: Link is Up - 100Mbps/Full - flow control rx/tx
[   69.512195] br0: port 4(wan) entered blocking state
[   69.517091] br0: port 4(wan) entered forwarding state
[   70.528433] mt7530 mdio-bus:1f wan: Link is Down
[   70.533195] br0: port 4(wan) entered disabled state
[   72.576554] mt7530 mdio-bus:1f wan: Link is Up - 100Mbps/Full - flow control rx/tx
[   72.584185] br0: port 4(wan) entered blocking state
[   72.589090] br0: port 4(wan) entered forwarding state
[   73.600435] mt7530 mdio-bus:1f wan: Link is Down
[   73.605199] br0: port 4(wan) entered disabled state

After restarting the network, wan gets an IP address, but lan and lan2 still don't have internet access.

[   76.369965] br0: port 6(wlan1) entered disabled state
[   76.375224] br0: port 5(wlan0) entered disabled state
[   76.380457] br0: port 3(lan3) entered disabled state
[   76.410843] device lan1 left promiscuous mode
[   76.415658] br0: port 1(lan1) entered disabled state
[   76.454735] device lan2 left promiscuous mode
[   76.459411] br0: port 2(lan2) entered disabled state
[   76.496878] device lan3 left promiscuous mode
[   76.501534] br0: port 3(lan3) entered disabled state
[   76.529967] mt7530 mdio-bus:1f lan3: Link is Down
[   76.541693] device wan left promiscuous mode
[   76.546239] br0: port 4(wan) entered disabled state
[   76.574357] mtk_soc_eth 1e100000.ethernet eth0: Link is Down
[   76.594817] device wlan0 left promiscuous mode
[   76.599517] br0: port 5(wlan0) entered disabled state
[   76.621253] device wlan1 left promiscuous mode
[   76.625967] br0: port 6(wlan1) entered disabled state
[   76.711829] mtk_soc_eth 1e100000.ethernet eth0: configuring for fixed/rgmii link mode
[   76.719747] device eth0 left promiscuous mode
[   76.724642] mtk_soc_eth 1e100000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[   76.727177] mt7530 mdio-bus:1f lan1: configuring for phy/gmii link mode
[   76.740709] 8021q: adding VLAN 0 to HW filter on device lan1
[   76.749357] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   76.756817] br0: port 1(lan1) entered blocking state
[   76.761839] br0: port 1(lan1) entered disabled state
[   76.768453] device lan1 entered promiscuous mode
[   76.773141] device eth0 entered promiscuous mode
[   76.790969] mt7530 mdio-bus:1f lan2: configuring for phy/gmii link mode
[   76.798122] 8021q: adding VLAN 0 to HW filter on device lan2
[   76.807204] br0: port 2(lan2) entered blocking state
[   76.812326] br0: port 2(lan2) entered disabled state
[   76.818446] device lan2 entered promiscuous mode
[   76.835597] mt7530 mdio-bus:1f lan3: configuring for phy/gmii link mode
[   76.842826] 8021q: adding VLAN 0 to HW filter on device lan3
[   76.851659] br0: port 3(lan3) entered blocking state
[   76.856764] br0: port 3(lan3) entered disabled state
[   76.862875] device lan3 entered promiscuous mode
[   76.879424] mt7530 mdio-bus:1f wan: configuring for phy/gmii link mode
[   76.886593] 8021q: adding VLAN 0 to HW filter on device wan
[   76.895348] br0: port 4(wan) entered blocking state
[   76.900340] br0: port 4(wan) entered disabled state
[   76.906821] device wan entered promiscuous mode
[   76.922917] br0: port 5(wlan0) entered blocking state
[   76.928030] br0: port 5(wlan0) entered disabled state
[   76.933692] device wlan0 entered promiscuous mode
[   76.943699] br0: port 6(wlan1) entered blocking state
[   76.948821] br0: port 6(wlan1) entered disabled state
[   76.954637] device wlan1 entered promiscuous mode
[   76.965743] br0: port 6(wlan1) entered blocking state
[   76.970866] br0: port 6(wlan1) entered forwarding state
[   76.976348] br0: port 5(wlan0) entered blocking state
[   76.981549] br0: port 5(wlan0) entered forwarding state
[   76.986923] br0: port 3(lan3) entered blocking state
[   76.992005] br0: port 3(lan3) entered forwarding state
[   77.000499] br0: port 3(lan3) entered disabled state
[   79.904817] mt7530 mdio-bus:1f lan3: Link is Up - 1Gbps/Full - flow control rx/tx
[   79.912515] br0: port 3(lan3) entered blocking state
[   79.917586] br0: port 3(lan3) entered forwarding state
[   79.968730] mt7530 mdio-bus:1f wan: Link is Up - 100Mbps/Full - flow control rx/tx
[   79.976497] br0: port 4(wan) entered blocking state
[   79.981462] br0: port 4(wan) entered forwarding state

Then I found that if I stop lan, lan2 works. It seems that lan and lan2 can't work together.

Here is what I did (I might be remembering wrongly; those files are too old):

19.07.3, PPPoE: worked
19.07.7, PPPoE: worked
19.07.7, wwan DHCP: lan and lan2 can't work together
19.07.8, wwan DHCP: lan and lan2 can't work together
21.02.0, DHCP: lan and lan2 can't work together

What do you mean by this? I don't understand what you are saying here... can you please be more specific.

What is your objective with your network? And what specifically is not working?

Your screenshots are not sufficient to understand how things are configured. We need to see the actual config files. Do not redact your RFC1918 address ranges -- this is critical to understanding your topology.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd66:dddd:dddd::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	option device 'br0.2'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'xxxxxxxx='
	list addresses 'x.x.x.x'

config wireguard_wg
	option public_key 'xxs='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	option endpoint_port '444'
	option persistent_keepalive '25'
	option endpoint_host 'x.x.x.x'

config interface 'wwan'
	option proto 'dhcp'
	option auto '0'

config device
	option type 'bridge'
	option name 'br0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'
	option stp '1'

config bridge-vlan
	option device 'br0'
	option vlan '1'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br0'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br0'
	option vlan '3'
	list ports 'lan2:u*'

config interface 'lan2'
	option proto 'static'
	option device 'br0.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option proto 'dhcp'
	option device 'br0.1'
	option hostname '*'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option noresolv '1'
	list notinterface 'lan2'
	list interface 'lan'
	option localservice '1'
	list server '127.0.0.53'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dnsmasq 'dnscrypt'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan2/'
	option domain 'lan2'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.lan2'
	list notinterface 'lan'
	list interface 'lan2'
	option force '1'
	option noresolv '1'
	list server '127.0.0.53'
	list server '::53'
	option localservice '1'

config dhcp 'lan2'
	option interface 'lan2'
	option ra 'server'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra_management '1'
	option leasetime '12h'
	option limit '150'
	option start '100'
	option force '1'



config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'wg2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan2'

config zone
	option name 'wwan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan2'
	option dest 'wg2'

config redirect
	option name 'Intercept DNS'
	option dest_port '53'
	option src 'lan'
	option src_dport '53'
	option target 'DNAT'
	option dest 'lan'

config redirect
	option name 'Intercept DNS'
	option dest_port '53'
	option src 'lan2'
	option src_dport '53'
	option target 'DNAT'
	option dest 'lan2'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wg2'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wg2'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wg2'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wg2'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wg2'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wg2'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wg2'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wg2'
	option dest 'lan2'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wg2'
	option dest 'lan2'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wg2'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'

config include
	option path '/etc/firewall.user'


/etc/dnscrypt-proxy2/dnscrypt-proxy.toml

...
listen_addresses = ['127.0.0.53:53','[::53]:53']
...

lan is for accessing the ISP network, which has a huge firewall.
lan2 goes through WireGuard to access the real internet.

1. There is something wrong with wan (RX: 0, TX: xx, no IP) and DHCP (the PC can't get an IP) after boot; restarting the network fixes these problems.
2. Then I need to turn off lan to use lan2 and restart the network until lan2 works, and vice versa (maybe DHCP and PPPoE act differently).
3. If lan is not brought up on boot, step 1 is also needed.

I found it's a routing problem.

When I used PPPoE, there was a routing table 1 configured earlier, which I had forgotten about:

config interface 'wan'
	option proto 'pppoe'
	option password '12345'
	option username '54321'
	option ip4table '1'
	option ifname 'eth0.2'
	option ipv6 'auto'

config rule 'lan_wan'
	option in 'lan'
	option lookup '1'

DHCP:

config interface 'wan'
     ... 
	option ip4table '100'

config rule 'lan_wan'
	option in 'lan'
	option lookup '100'

To test:
ip route show table all
ip rule
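The reason lan and lan2 interfered is visible in the posted /etc/config/network: the wan interface (proto dhcp) installs a default route, and the wg peer with route_allowed_ips '1' and 0.0.0.0/0 in allowed_ips makes netifd install a default route through wg as well. Without ip4table both land in the main table, so only one of lan/lan2 can get out at a time. Moving wan's routes to table 100 and adding the lan_wan rule separates them. The script below is an added example (not from this thread, OpenWrt or netifd): it parses UCI text, flags interfaces that compete for a default route in the same table, flags an ip4table that no config rule looks up, and checks the firewall for the kill-switch property the posted config has, namely that lan2 may only forward to wg2 and so gets REJECT rather than the ISP path when the tunnel route is missing. The sample configs are constructed from the posted ones, trimmed, with keys and endpoints removed; the function names are mine.

```python
"""OpenWrt UCI policy-routing check (added example, not netifd code; samples constructed)."""
import shlex

# wg peer with 0.0.0.0/0 and route_allowed_ips=1: netifd installs a default route via wg
# into 'main' (or into ip4table if set). wwan is disabled (auto '0') and must be ignored.
COMMON_NETWORK = """
config interface 'wg'
    option proto 'wireguard'
config wireguard_wg
    option public_key 'REDACTED='
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'
config interface 'wwan'
    option proto 'dhcp'
    option auto '0'
"""
# As first posted: wan's DHCP default route also lands in 'main' and fights wg's.
BROKEN_NETWORK = COMMON_NETWORK + """
config interface 'wan'
    option proto 'dhcp'
"""
# The fix from the thread: wan's routes go to table 100, and lan ingress looks it up.
FIXED_WAN = COMMON_NETWORK + """
config interface 'wan'
    option proto 'dhcp'
    option ip4table '100'
"""
LAN_WAN_RULE = "config rule 'lan_wan'\n    option in 'lan'\n    option lookup '100'\n"
FIXED_NETWORK = FIXED_WAN + LAN_WAN_RULE
# Firewall as posted: lan -> wan, lan2 -> wg2, anything else is rejected.
FIREWALL = """
config defaults
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'lan2'
    option dest 'wg2'
"""

def parse_uci(text):
    """Minimal UCI parser -> [{'type', 'name', 'opts'}]; 'list' keys become lists."""
    sections, cur = [], None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == 'config':
            cur = {'type': tok[1], 'name': tok[2] if len(tok) > 2 else None, 'opts': {}}
            sections.append(cur)
        elif tok[0] == 'option' and cur is not None:
            cur['opts'][tok[1]] = tok[2] if len(tok) > 2 else ''
        elif tok[0] == 'list' and cur is not None:
            cur['opts'].setdefault(tok[1], []).append(tok[2] if len(tok) > 2 else '')
    return sections

def default_route_owners(sections):
    """Map each interface that installs an IPv4 default route to the table it uses."""
    owners = {}
    for s in sections:
        opts = s['opts']
        if s['type'] != 'interface' or opts.get('auto') == '0':
            continue
        table = opts.get('ip4table', 'main')
        if opts.get('proto') in ('dhcp', 'pppoe'):
            owners[s['name']] = table
        elif opts.get('proto') == 'wireguard':
            for p in sections:  # peers are sections of type 'wireguard_<iface>'
                if (p['type'] == 'wireguard_' + s['name']
                        and p['opts'].get('route_allowed_ips') == '1'
                        and '0.0.0.0/0' in p['opts'].get('allowed_ips', [])):
                    owners[s['name']] = table
    return owners

def check_policy_routing(network_text):
    """Findings: competing default routes in one table; a table no 'config rule' looks up."""
    sections = parse_uci(network_text)
    owners = default_route_owners(sections)
    per_table = {}
    for iface, table in owners.items():
        per_table.setdefault(table, []).append(iface)
    findings = [f"table {t}: competing default routes from {sorted(v)}"
                for t, v in per_table.items() if len(v) > 1]
    looked_up = {s['opts'].get('lookup') for s in sections if s['type'] == 'rule'}
    findings += [f"{iface}: routes in table {t} but no 'config rule' with lookup '{t}'"
                 for iface, t in owners.items() if t != 'main' and t not in looked_up]
    return findings

def leaky_forwardings(firewall_text, src_zone, tunnel_zone):
    """Zones other than the tunnel that src_zone may forward to; empty set = kill switch.
    '*' means the default forward policy is not REJECT/DROP, so leaks cannot be ruled out."""
    fw = parse_uci(firewall_text)
    defaults = next((s['opts'] for s in fw if s['type'] == 'defaults'), {})
    if defaults.get('forward') not in ('REJECT', 'DROP'):
        return {'*'}
    return {s['opts'].get('dest') for s in fw
            if s['type'] == 'forwarding' and s['opts'].get('src') == src_zone} - {tunnel_zone}
```

On a workstation, point check_policy_routing at a copy of the router's /etc/config/network and leaky_forwardings at /etc/config/firewall before comparing with the live state from ip rule and ip route show table all. The ip6table side is not covered here; the same two checks apply to it.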

Options valid for all protocol types

Name      Type    Required  Default  Description
ip4table  string  no        (none)   IPv4 routing table for routes of this interface; see ip rule show; ip route show table <ip4table>
ip6table  string  no        (none)   IPv6 routing table for routes of this interface; see ip -6 rule show; ip -6 route show table <ip6table>

https://openwrt.org/playground/arinc9/networking-basics

Fixed a DNS problem (screenshots of lan and lan2 not included).
