Managed Switch or OpenWrt?

Not necessarily, if your ISP router allows you to configure static routes, you can disable masquerading (NAT) on the router.

The thing is I don't have control over the ISP router...otherwise I would just use OpenWrt and be done with it.

If your OpenWrt router has enough LAN ports, you will not need the managed switch.

Devices that see the VLAN need to be configured to understand VLAN traffic so you cannot connect a VLAN trunk port directly to the ISP router.

If you segregate traffic with VLANs then you have at least 2 subnets, (one per VLAN) so for example 192.168.1.0 and 192.168.2.0.

It is useless to run the same subnet on multiple VLANs as all devices will still be able to talk to each other through the port connected to the ISP router.

So if you have no access to the ISP router you have to get an OpenWrt router that will NAT all the subnets you want to make with VLANs into the single subnet that the ISP router understands. And an additional switch if you need more ports.

Yes this is double NAT if you cannot touch the ISP router. It should be OK for most web application use but can be an issue with some games or special applications.

Some ISPs will do the configuration on the ISP router if you ask through customer support tickets. Most cable ISPs in the US usually have remote control access to the device.


Can you or customer support set the ISP router in bridge mode? This should solve a lot of your problems and you can run your own (OpenWrt) router behind it.


Will that be ok for IRC, P2P games, UPnP and alike?

I will try that.

Thank you for your informative answer.

How about a L3 switch?

Bridge mode is not ideal for me.

I don't understand? Ideal would be to replace the ISP device, which in a lot of cases can't be done. The alternative to bridge mode is double NAT as mentioned by @bobafetthotmail which I would consider less ideal.

But based on "not ideal" it does suggest that you would be able to do it.

An L3 managed switch is just a switch with limited routing capabilities beyond mere switching, but the situation is still the same as with a 'normal' router. Either you can set a static route on your ISP router XOR you have to do masquerading (and end up with double NAT).

There is one other option... use a setup similar to the dumbAP + guest network route. Your additional VLANs would still be double-NAT'd, but you would still be able to have one of the networks only behind the single NAT layer (of the ISP's router).


Any service that relies on UPnP or opening ports on the router will not work (as it requires a port forward in the ISP router, which is not accessible).

A lot of modern applications are designed with this limit in mind, but I don't know about games or consoles, afaik they still may need you to open ports or use UPnP on the router.

That's a router, same issues.

It would be ideal if the ISP router could be put in bridge mode actually, that usually means it disables its firewall and will just "passthrough" the IP of its own WAN interface to the WAN interface of your router, so you are not doing double NAT anymore.
This is something you can ask the customer support of your ISP.


I managed to get a netgear router working instead of my ISP.

How can I make 3 ethernet ports work with regular ethernet without VLAN tags and just 1 with 1 VLAN tag? It's a 5 port router.

Does this mean the netgear router is now connected to the ISP router in bridge mode, or the netgear router is connected to a modem only device, or something else?

Also, the instructions to do what you want are a little different depending on whether your netgear OpenWrt router has been converted to DSA or is still using swconfig. What model netgear router are you using, and what version of OpenWrt is installed on it?

Sorry for the delay.

It is connected to a modem only I was told.

It is a Netgear R6800 and I just installed OpenWrt [21.02.1] and left it stock for now.

Your R6800 is an MT7621 device. This ramips target has been converted to DSA.

Instructions for setting up VLANs with DSA are found here:
https://openwrt.org/docs/guide-user/network/dsa/start

There is also quite a bit of good information and discussion in this thread:
mini-tutorial-for-dsa-network-config

This information covers what you would like to do and is also good general knowledge for expanding or changing your network in the future.

Maybe I'm dumb, but shouldn't it be br-lan.4 if you wanted VLAN tagged traffic in the example above?

Also, since I just need one port using tagged VLANs, I think using one port for br-home and all others for office should suffice? Is it possible to assign just one port to one and the rest to the other (home and office)?

You're correct - the examples linked above show the concepts involved, but do not accomplish your specific case.

Here is an example for a single home network port (lan interface) on port eth1 and three small home office ports (interface SHO) on ports eth2, eth3 and eth4. The home lan has vlan ID 1 and subnet 192.168.1.x. The small home office has vlan ID 10 and subnet 192.168.2.x. Your ISP modem is plugged into port eth0 in this example (wan interface).

In this example ports eth1-eth4 are all bridged on br-lan; however, port eth1 only receives untagged vlan 1 traffic and ports eth2-eth4 only receive untagged vlan 10 traffic. In other words, your home lan and small home office networks are completely isolated from each other. You could also choose to send both lan and SHO to a port or ports by tagging the port(s), provided you attach devices to those ports that understand vlan tags, as mentioned above.

Except for assigning vlan ID 1 to your lan (because it is the default vlan ID assigned to the lan for OpenWrt devices still using swconfig, which I think answers your question about why you would assign a vlan ID to your lan), I recommend numbering additional vlans starting at 10 so that you do not create conflicts with, for example, vlan ID 2 used as the default for the wan on OpenWrt devices still using swconfig.

In this example, I have also assigned two DNS servers (Cloudflare and Quad9, both IPv4 and IPv6 addresses) as a replacement for your ISP's DNS server. They don't need to analyze all your DNS requests 😉

I am showing you how to do this with the configuration files, as it would involve too many screenshots of LuCI pages to walk you through everything, so I assume you are able to edit text files on your OpenWrt router. Just in case, here are some helpful commands to log into your router from a command terminal and install the nano editor (if you do not already know how to use vi, you'll find nano easier):

ssh root@192.168.1.1
opkg update
opkg install nano
cd /etc/config
nano network
nano dhcp
nano firewall
exit

Here is the /etc/config/network file (start with the section config device and following):

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd59:181c:b2d4::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.2'
	list dns '9.9.9.9'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2606:4700:4700::1112'
	list dns '2620:fe::fe'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'SHO'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

Here are the additions to the /etc/config/dhcp file to give your SHO a DHCP server (add to bottom of file):

#
# Give SHO a DHCP server
#
config dhcp 'SHO'
	option interface 'SHO'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list ra_flags 'none'
#

Here are the additions to the /etc/config/firewall file to give your small home office network access to the internet (add where indicated):

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

config zone
	option name 'sho'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'SHO'
	option input 'REJECT'

config forwarding
	option src 'sho'
	option dest 'wan'

config rule
	option name 'Allow-sho-DNS'
	option src 'sho'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-sho-DHCP'
	list proto 'udp'
	option src 'sho'
	option target 'ACCEPT'
	option dest_port '67-68'

You did not mention setting up wireless, but this is done by adding SSIDs for your home lan network (lan) and/or your small home office network (SHO) and then configuring them as desired.

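As an added example (not code from the thread or from OpenWrt), here is a small offline linter you can run on a copy of /etc/config/network from your workstation. It parses the UCI text and checks the three things that go wrong most often with DSA bridge-vlan layouts like the one above: a bridge-vlan listing a port that is not a member of the bridge, a port left untagged in more than one VLAN (which silently breaks the lan/SHO isolation), and an interface bound to a br-lan.N device for which no bridge-vlan N exists (the br-lan.4 slip from the question). The sample config is constructed to mirror the thread's layout.

```python
import re
from collections import defaultdict

def parse_uci(text):
    """Parse UCI config text into a list of (type, name, {key: [values]}) sections."""
    secs, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"): continue
        tok = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if tok[0] == "config":
            cur = (tok[1], tok[2] if len(tok) > 2 else None, defaultdict(list))
            secs.append(cur)
        elif tok[0] in ("option", "list") and cur is not None and len(tok) > 2:
            cur[2][tok[1]].append(tok[2])
    return secs

def check_vlans(network_text):
    """Return a list of problems: stray ports, leaky untagged ports, dangling br-lan.N devices."""
    secs = parse_uci(network_text)
    problems, vlans, untagged = [], set(), defaultdict(list)
    bridges = {s[2]["name"][0]: set(s[2]["ports"]) for s in secs
               if s[0] == "device" and s[2]["type"] == ["bridge"]}
    for s in secs:
        if s[0] != "bridge-vlan": continue
        dev, vid = s[2]["device"][0], s[2]["vlan"][0]
        vlans.add((dev, vid))
        for p in s[2]["ports"]:
            name, _, flags = p.partition(":")   # DSA port syntax: eth1, eth1:u*, eth1:t
            if name not in bridges.get(dev, set()):
                problems.append(f"vlan {vid}: port {name} is not a member of bridge {dev}")
            if "t" not in flags:                # no ':t' means untagged (PVID) membership
                untagged[name].append(vid)
    for port, vids in untagged.items():
        if len(vids) > 1:   # frames entering this port would land in more than one VLAN
            problems.append(f"port {port} is untagged in VLANs {vids}, so those VLANs are not isolated")
    for s in secs:
        m = s[0] == "interface" and s[2]["device"] and re.fullmatch(r"(br-\w+)\.(\d+)", s[2]["device"][0])
        if m and m.groups() not in vlans:
            problems.append(f"interface {s[1]} uses {m.group(0)} but no bridge-vlan {m.group(2)} is defined on {m.group(1)}")
    return problems

# Constructed sample mirroring the thread's layout, but with the asker's 'br-lan.4' slip
SAMPLE = "\n".join([
    "config device", "  option name 'br-lan'", "  option type 'bridge'",
    "  list ports 'eth1'", "  list ports 'eth2'", "  list ports 'eth3'",
    "config bridge-vlan", "  option device 'br-lan'", "  option vlan '1'", "  list ports 'eth1'",
    "config bridge-vlan", "  option device 'br-lan'", "  option vlan '10'",
    "  list ports 'eth2'", "  list ports 'eth3'",
    "config interface 'lan'", "  option device 'br-lan.1'",
    "config interface 'SHO'", "  option device 'br-lan.4'",
])
```

Running check_vlans(SAMPLE) reports the dangling br-lan.4; changing it to br-lan.10 returns an empty list, and adding eth1 as a tagged member (eth1:t) of another VLAN is accepted while adding it untagged is flagged.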

Such a detailed answer! I will definitely try out.
