Lost connection when trying to enable VLAN20 on router

My home network setup is as follows:

Cisco 3560-E managed switch

Raspberry Pi 4 OpenWrt router - has trunk from switch port 47:

interface GigabitEthernet0/47
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,30
 switchport mode trunk

VLAN10 is used as the main network on the Pi router; VLAN30 is eventually going to be a combination of VLAN10, 20, and 30 but is currently just on the Pi router. DHCP runs through the Pi router (see https://forum.openwrt.org/t/able-to-access-router-from-vlan10-but-not-vlan30/ for more on that).

Linksys WRT1900ACV2 OpenWrt router - WAN comes from a VLAN10 port and currently has an access port from switch port 48 to router LAN port 1:

interface GigabitEthernet0/48
 switchport access vlan 20
 switchport mode access

I have the following VLANs set up on the switch:

VLAN10 - Pi only network
VLAN20 - Linksys only network
VLAN30 - Combination of VLAN10 and VLAN20, able to access intranet devices on both while getting IP address from VLAN10

The Linksys main network is supposed to be VLAN20 and I have this current configuration:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd53:132d:8d00::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config device
        option name 'wan'
        option macaddr 'c2:56:27:6d:0e:5b'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '20'
        option name 'eth0.20'

Right now I am trying to just get VLAN20 to work. However, once I apply settings for changing the LAN interface to eth0.20 instead of br-lan, remove the LAN ports from br-lan, and change the switchport connected to LAN 1 to trunk with VLAN20 access:

interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20
 switchport mode trunk

I lose connection on my computer (access port on switch VLAN20) and am no longer able to get an IP address or access the router (I was able to from 192.168.20.1).

Once connection is lost, I have to press the reset button on the router, set the router back up, and change the switchport back to access mode to get a connection again.

Could I get some guidance on what I'm doing wrong here? I was trying to follow a similar setup I had on the Pi (linked above) but am not able to get it to work. Thanks in advance!

Hi

you are mixing things

and change the switchport connected to LAN 1 to trunk with VLAN20 access

interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20
 switchport mode trunk

it is not access

maybe you should draw a network topology of what you want

 VLAN10 port and currently has an access port from switch port 48 to router LAN port 1:

interface GigabitEthernet0/48
 switchport access vlan 20
 switchport mode access

now is it 10? or 20?

Apologies for the late reply,

This is the first network topology I've made, so let me know if I can clear anything up. This is the topology of what I want; below are the current configurations I have:

Config #0 (Router 1)
N/A, router has 0 customization options

Config #1 (Router 2)
OpenWrt network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd54:d324:dfaa::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option device 'eth0.10'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'

config interface 'vlan30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option device 'eth0.30'

config device
        option name 'br-lan'
        option type 'bridge'

OpenWrt DHCP config:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '2'
        option limit '50'
        option leasetime '48h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option force '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'vlan30'
        option interface 'vlan30'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

OpenWrt Firewall config:

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan30'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Switch config:

interface GigabitEthernet0/47
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,30
 switchport mode trunk
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10

This current setup does not have access to VLAN20 since I was trying to set that up on the Linksys router first. When connecting my Windows desktop to VLAN10 I am able to get an IP address in the 192.168.10.0/24 subnet and when I connect to VLAN30 I am able to get an IP address in the 192.168.30.0/24 subnet. Currently from both subnets I have access to the other and 192.168.12.0/24, but I figure that will be solved with routing rules down the line.

Config #2 - Router 3

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1b:67cb:c42f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'c2:56:27:6d:0e:5b'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '20'
        option name 'eth0.20'

OpenWrt DHCP config:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

OpenWrt Firewall config:

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Switch config:

interface GigabitEthernet0/48
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/13
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/14
 switchport mode access
 switchport access vlan 20

VLAN 30 Switch Config:

interface GigabitEthernet0/25
 switchport mode access
 switchport access vlan 30

Before trying to add VLAN10 and 30 to the Linksys router, I am trying to get VLAN20 working and make sure that the default traffic on the Linksys router goes through VLAN20, like I have for VLAN10 on the Pi router. My computer is connected to port 14 while accessing the Linksys router. I am trying to apply the following network change from the web UI:

Then, within the 90 seconds of checking for a connection, I change the following switch configuration:

interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20
 switchport mode trunk

Port 1 (switch) stays the same, as it is only being used for the WAN port on the Linksys router.
Port 14 (switch) stays the same, as it is being used to test the VLAN20 connection.

Once that config is applied, I am unable to get a DHCP address and unable to connect to the router with a static address using 192.168.20.1 as the gateway. I was going through these same steps to set up my Pi router but am not having success here. I hope this clears things up, thank you!

Before we continue, I don't understand what the purpose of R#3 (Linksys) is?
furthermore, you made a mess, doubled the Vlan10 on R#3
it could work that way with STP/RSTP but ...
nooo, I really don't understand the need for R#3
you have the Cisco as a managed switch to tag/untag/trunk vlans, and R#2 for routing
it is overcomplicated with R#3

The Linksys router is needed as it will be connected to an OpenVPN server and have port forwarding go through it; it isn't there for no reason, but I wasn't sure if context was needed. This is the only way to port forward in a CG-NAT network that also blocks incoming traffic to IPv6.

I want VLAN10 to not be on that VPN network, as download speeds are slower, and I want VLAN20 to be on that VPN network, as port forwarding is needed.

As the above config shows, router 3 (interface GigabitEthernet0/48) does not have access to VLAN10, so it shouldn't be doubled; if my planned network topology shouldn't have included VLAN10 in the trunk, then please ignore.

now I am confused
you have R#2 as the router
what is the reason to avoid putting OVPN on R#2, make a Vlan20 on R#2 and downstream it to the Cisco?

Do you mean making the OpenVPN connection only go through VLAN20 on R#2? I wasn't aware I could do that, if so; I'm completely new to OpenWrt and haven't set up the OpenVPN connection on R#3 yet, as I had just transferred the router from a dd-wrt setup to OpenWrt.

Would I then create VLAN30 on R#2, then do the routing rules to allow traffic between the two VLANs, and disallow the traffic between the two on the other VLANs?

If that's the case I sure overcomplicated things :smiley:

Let's look at this in a different way

you have a single entry point from the internet? right? the 12.1 cgnat router R#1
internet connections are processed on R#2 (Pi)
so, make a
Vlan10 + firewall + dhcp on R#2
Vlan30 + firewall + dhcp on R#2
Ovpn client + bridge + Vlan20 + dhcp (if needed) + firewall on R#2

adjust all firewalls on R#2, which zone could pass to WAN or talk to another zone (vlan)

put vlan10, 20, 30 as a trunk to the Cisco
on the Cisco you can tag/untag the needed vlans/ports

... and, you are done

one router, one place to config, one firewall. Life is simple :slight_smile:
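The plan above, written out as OpenWrt UCI fragments for R#2. This is an added example, not config from the thread or from the OpenWrt project; it assumes eth0 is the Pi's trunk NIC (as in the poster's Config #1) and that the OpenVPN client brings up a tunnel device named tun0 (an assumed name).

```uci
# Added example for R#2 (Pi) following the plan above; not from the thread.
# Assumes eth0 is the Pi's trunk NIC (as in Config #1) and that the OpenVPN
# client brings up tun0 (assumed name). The posted 'lan' (eth0.10) and
# 'vlan30' (eth0.30) interfaces, and the 'wan' zone, stay as they are.

# /etc/config/network -- VLAN20 moves from the Linksys onto R#2
config interface 'vlan20'
	option proto 'static'
	option device 'eth0.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'

# /etc/config/firewall -- one zone per VLAN; traffic crosses VLANs only
# where a forwarding below allows it. In the posted 'lan' zone, drop
# "list network 'vlan30'" so that VLAN10 and VLAN30 are no longer one zone.
config zone
	option name 'vlan20'
	list network 'vlan20'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vlan30'
	list network 'vlan30'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vpn'        # tunnel exit, NATed like the WAN zone
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding          # VLAN30 -> internet directly (VLAN10 already has this)
	option src 'vlan30'
	option dest 'wan'
config forwarding          # VLAN30 may reach VLAN10 devices
	option src 'vlan30'
	option dest 'lan'
config forwarding          # VLAN30 may reach VLAN20 devices
	option src 'vlan30'
	option dest 'vlan20'
config forwarding          # VLAN20 leaves only through the tunnel, never via 'wan'
	option src 'vlan20'
	option dest 'vpn'
```

R#2 also needs a `config dhcp 'vlan20'` stanza like the posted one for vlan30, and Gi0/47 on the Cisco becomes `switchport trunk allowed vlan 10,20,30`. The firewall only decides which exit each VLAN may use; steering VLAN20's default route into tun0 while VLAN10 keeps the WAN route is a policy-routing step not shown here, and until it is in place VLAN20 simply has no internet path rather than leaking around the tunnel.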

I will give this a shot and come back with an update, thank you I appreciate the help!


I was able to get this working, thanks again!
