Devices that see the VLAN need to be configured to understand VLAN traffic so you cannot connect a VLAN trunk port directly to the ISP router.
If you segregate traffic with VLANs then you have at least 2 subnets (one per VLAN), so for example 192.168.1.0 and 192.168.2.0.
It is useless to run the same subnet on multiple VLANs as all devices will still be able to talk to each other through the port connected to the ISP router.
So if you have no access to the ISP router you have to get an OpenWrt router that will NAT all the subnets you want to make with VLANs into the single subnet that the ISP router understands, and an additional switch if you need more ports.
Yes this is double NAT if you cannot touch the ISP router. It should be OK for most web application use but can be an issue with some games or special applications.
Some ISPs will do the configuration on the ISP router if you ask through customer support tickets. Most cable ISPs in the US usually have remote control access to the device.
Can you or customer support set the ISP router in bridge mode? This should solve a lot of your problems and you can run your own (OpenWrt) router behind it.
I don't understand? Ideal would be to replace the ISP device, which in a lot of cases can't be done. The alternative to bridge mode is double NAT as mentioned by @bobafetthotmail which I would consider less ideal.
But based on "not ideal" it does suggest that you would be able to do it.
An L3 managed switch is just a switch with limited routing capabilities beyond mere switching, but the situation is still the same as with a 'normal' router. Either you can set a static route on your ISP router XOR you have to do masquerading (and end up with double-NAT).
There is one other option... use a setup similar to the dumbAP + guest network route. Your additional VLANs would still be double-NAT'd, but you would still be able to have one of the networks only behind the single NAT layer (of the ISP's router).
Any service that relies on UPnP or opening ports on the router will not work (as it requires port forwarding in the ISP router, which is not accessible).
A lot of modern applications are designed with this limit in mind, but I don't know about games or consoles, afaik they still may need you to open ports or use UPnP on the router.
That's a router, same issues.
It would be ideal if the ISP router could be put in bridge mode actually, that usually means it disables its firewall and will just "passthrough" the IP of its own WAN interface to the WAN interface of your router, so you are not doing double NAT anymore.
This is something you can ask the customer support of your ISP.
Does this mean the Netgear router is now connected to the ISP router in bridge mode, or the Netgear router is connected to a modem-only device, or something else?
Also, the instructions to do what you want are a little different depending on whether your Netgear OpenWrt router has been converted to DSA or is still using swconfig. What model Netgear router are you using, and what version of OpenWrt is installed on it?
Maybe I'm dumb, but shouldn't it be br-lan.4 if you wanted VLAN-tagged traffic in the example above?
Also, since I just need one port using tagged VLANs, I think using one port for br-home and all others for office should suffice? Is it possible to assign just one port to one and the rest to the other (home and office)?
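As an added example (not posted by anyone in this thread), this is what a DSA-style OpenWrt configuration for the setup discussed above looks like: two VLANs on separate subnets, one untagged port for each, a single trunk port carrying both tagged, and the router's WAN port plugged into a LAN port of the ISP router so the WAN zone masquerades everything into the ISP router's single subnet. The port names lan1..lan3 and wan, the VLAN IDs 3 and 4, and the ISP router handing out DHCP are assumptions.

```uci
# /etc/config/network (assumed DSA build; port names lan1..lan3 and wan are assumptions)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# VLAN 3 = home: untagged (and PVID) on lan1, tagged on the trunk port lan3
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:u*'
	list ports 'lan3:t'

# VLAN 4 = office: untagged (and PVID) on lan2, tagged on the trunk port lan3
config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan2:u*'
	list ports 'lan3:t'

config interface 'home'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.1.1/24'

config interface 'office'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '192.168.2.1/24'

# wan is cabled to a LAN port of the ISP router and takes a lease from it
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

# /etc/config/firewall: masq on the wan zone is the second NAT layer from the thread
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
```

home and office each need their own firewall zone with a forwarding to wan and no forwarding between them, otherwise the VLAN split gives no isolation; the ISP router's LAN must sit on a third subnet (for example 192.168.0.0/24) so it does not collide with 192.168.1.0/24 or 192.168.2.0/24.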