Hi
I have three VLAN's setup on each of my two OpenWrt routers and two smart switches I own, and It works perfectly.
VLANs
- VLAN 5 (Private_LAN)
- VLAN 10 (Guest_LAN)
- VLAN 20 (WAN)
However, after messing around with the LAN settings on a second AP I lost connection to it. I then realised there is one flaw to my setup and that was not utilising a management/admin VLAN as back-bone to each device in the event that one of the LAN's I'm connected to is unable to connect. I've now gone about creating an admin
VLAN as listed below.
- Created a new interface called
admin
- Setup a static IP and a different sub-net on
admin
interface - Setup up DHCP on
admin
interface - Created a firewall zone called
admin
- Assigned firewall zone to interface
- Allow forward to destination zone
Private_LAN
zone onadmin
zone - Allow forward from source zone
Private_LAN
zone onadmin
zone - Added a new VLAN with ID of
8
and attached to CPU (eth0) - Assign
eth0.8
VLAN toadmin
interface - Created a VLAN trunk between my
Guest_LAN
andadmin
VLANs and tagged them to the router's physical port 4 - Setup the corresponding VLAN on my 24-port switch
My plan is to put all of my switches and routers onto the new admin
VLAN and then setup inter-VLAN connectivity on the main OpenWrt router so that I can access each device from the Private_LAN
on certain devices. Unfortunately my firewall zone and traffic rules don't seem to be working unless I set accept
on all three parameters to the General Settings.
Even though I am going to be using this for inter-VLAN connectivity only I wanted to test acquiring an internet connection on a device connected to the admin
VLAN. With my Guest_LAN
network, all this is, is a separate interface and zone which is configured to forward to the destination zone WAN
, the zone's input set to reject
and two traffic rules to only allow accept ports 53 (DNS) and 67 (DHCP).
With that simple concept in mind, I wanted to apply it to the admin
VLAN but with the zone input
set to accept so that I didn't need to worry about restricting it to only DNS and DHCP. Sadly this didn't work. In fact the only way I got internet connection was to set accept
on all three parameters of the Global Settings. I have included my configs below for reference:
/etc/config/firewall
config defaults
option syn_flood '1'
option output 'ACCEPT'
option flow_offloading '1'
option flow_offloading_hw '1'
option input 'REJECT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan'
option forward 'REJECT'
config zone
option output 'ACCEPT'
option network 'guest_lan'
option name 'guest_lan'
option forward 'REJECT'
option input 'REJECT'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'tor'
option network 'tor'
option input 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option dest 'wan'
option src 'guest_lan'
config forwarding
option dest 'wan'
option src 'tor'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'Guest DNS'
option src 'guest_lan'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'Guest DHCP'
option src 'guest_lan'
config rule
option target 'ACCEPT'
option dest_port '1194'
option name 'Allow-OpenVPN'
option enabled '0'
option src 'wan'
option proto 'tcp udp'
option dest 'tor'
config rule
option src 'tor'
option proto 'udp'
option dest_port '67'
option target 'ACCEPT'
option name 'Tor DHCP'
option enabled '0'
config rule
option target 'ACCEPT'
option src 'tor'
option name 'Tor DNS'
option proto 'udp'
option dest_port '9053'
option enabled '0'
config rule
option target 'ACCEPT'
option src 'tor'
option name 'Tor Tranparent DNS'
option proto 'tcp'
option dest_port '9040'
option enabled '0'
config redirect
option target 'DNAT'
option proto 'tcp udp'
option name 'OMV_FTP_SERVER'
option dest 'lan'
option src 'wan'
option src_dport '20-21'
option dest_port '20-21'
option dest_ip '192.168.1.12'
config redirect
option target 'DNAT'
option src 'wan'
option proto 'tcp udp'
option dest 'lan'
option name 'OMV_FTP_PASSIVE'
option dest_ip '192.168.1.12'
option dest_port '49152-65534'
option src_dport '49152-65534'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '990'
option dest_port '990'
option name 'OMV_FTPS'
option dest_ip '192.168.1.12'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '3074'
option dest_port '3074'
option name 'PlayStation_4'
option dest_ip '192.168.1.14'
option enabled '0'
config redirect
option name 'Redirect-Tor-Traffic'
option src 'tor'
option src_dip '!10.0.0.1'
option dest_port '9040'
option proto 'tcp'
option target 'DNAT'
option dest 'tor'
option enabled '0'
config redirect
option name 'Redirect-Tor-DNS'
option src 'tor'
option src_dport '53'
option dest_port '9053'
option proto 'udp'
option target 'DNAT'
option dest 'tor'
option enabled '0'
config include
option path '/etc/firewall.user'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config rule
option target 'ACCEPT'
option src 'wan'
option name 'wan-luci'
option enabled '0'
config redirect
option dest_port '6672'
option src 'wan'
option name 'GTA V (1)'
option src_dport '6672'
option target 'DNAT'
option dest_ip '192.168.1.14'
option dest 'lan'
list proto 'udp'
config redirect
option src 'wan'
option name 'GTA V (2)'
option target 'DNAT'
option dest_ip '192.168.1.14'
option dest 'lan'
list proto 'udp'
option dest_port '61455-61458'
option src_dport '61455-61458'
config redirect
option dest_port '1935'
option src 'wan'
option name 'RTMP'
option src_dport '1935'
option target 'DNAT'
option dest_ip '192.168.1.18'
option dest 'lan'
option enabled '0'
config zone
option name 'admin'
option output 'ACCEPT'
option forward 'ACCEPT'
option input 'ACCEPT'
config rule
list proto 'all'
list src_ip '192.168.1.226'
list src_ip '192.168.1.18'
option dest 'admin'
option target 'ACCEPT'
option src 'lan'
option enabled '0'
option name 'Admin VLAN Access'
config rule
option src_port '53'
option src 'admin'
option name 'Admin VLAN DNS'
option target 'ACCEPT'
option dest_port '53'
list proto 'tcp'
list proto 'udp'
option enabled '0'
config forwarding
option dest 'lan'
option src 'admin'
config forwarding
option dest 'admin'
option src 'lan'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdcf:15da:0492::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option broadcast '192.168.1.255'
option igmp_snooping '1'
list dns '192.168.1.1'
option delegate '0'
option stp '1'
option ifname 'eth0.5'
config interface 'wan'
option ifname 'eth1.20'
option proto 'pppoe'
option password '*****'
option ipv6 'auto'
option username '*****'
option peerdns '0'
list dns '208.67.222.222'
option mtu '1492'
config interface 'guest_lan'
option proto 'static'
option type 'bridge'
option ipaddr '172.16.0.1'
option netmask '255.255.255.240'
option broadcast '172.16.0.15'
option ifname 'eth0.10'
option igmp_snooping '1'
option stp '1'
option delegate '0'
config interface 'tor'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.240'
option broadcast '10.0.0.15'
list dns '192.168.1.1'
option auto '0'
option ifname 'eth0.9'
config interface 'vpn_lan'
option proto 'none'
option delegate '0'
option ifname 'tun0'
config interface 'vpn_guest_lan'
option proto 'none'
option ifname 'tun1'
option delegate '0'
option auto '0'
config interface 'vpn_tor'
option proto 'none'
option ifname 'tun2'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '5'
option ports '5t 3'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '20'
option ports '6t 4'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '10'
option ports '5t 0t'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '9'
option ports '5t'
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '8'
option ports '5t 2 0t'
config interface 'admin'
option ifname 'eth0.8'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '192.168.127.1'
/etc/config/dhcp
config dnsmasq
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option rebind_protection '0'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option limit '254'
option leasetime '12h'
option start '10'
config dhcp 'guest_lan'
option interface 'guest_lan'
option leasetime '5m'
option start '0'
option limit '254'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config dhcp 'tor'
option interface 'tor'
option start '200'
option limit '254'
option leasetime '15m'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'admin'
option interface 'admin'
option start '1'
option leasetime '1h'
option limit '10'
Many thanks in advance
Will