Mini PC x86 many VLAN on 2 ethernet ports

Hi team

I have a mini PC with 5 Ethernet ports (let's call it the "OWRT router"). I have 2 switches connected to this OWRT router.

I'm planning to create a home lab with development, staging and production environments. On top of that I have some IoT and home devices, etc.

I would like to create dedicated VLANs managed by the OWRT router, to keep services and risks in isolated segments as shown in the picture below:

Of course, I would like to allow limited, manageable communication between VLANs:

targeted_network_communication

I have installed the latest version of OpenWRT (23.05.3), read some OWRT wiki pages and a few posts on the forum. As a result, I have configured OWRT as shown in the schema below:

My problem: I cannot configure OWRT to share 2 or more VLANs (IDs 103 AND 104) across 2 ports.

Reproduce the problem:

  1. configure the OWRT router as shown above (see more details in OpenWRT_experiments )
  2. create VLAN on laptop : ip link add link enp1s0 name enp1s0.103 type vlan id 103
  3. up new VLAN: ip link set dev enp1s0.103 up
  4. ask router to provide laptop with IP address: dhclient -d -nw enp1s0.103
  5. Monitor IP traffic on br-rght bridge on OWRT router: tcpdump -ne -i br-rght
# success, VLAN ID 103 packets arrive on the br-rght bridge:

21:11:12.638252 50:7b:9d:64:c9:bb > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 103, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 50:7b:9d:64:c9:bb, length 300
21:11:31.510623 50:7b:9d:64:c9:bb > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 103, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 50:7b:9d:64:c9:bb, length 300
21:11:40.029741 50:7b:9d:64:c9:bb > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 103, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 50:7b:9d:64:c9:bb, length 300
  6. Monitor IP traffic on the bridge VLAN sub-interface: tcpdump -ne -i br-rght.103
# oops, the VLAN packets show up here untagged:

21:14:43.653446 50:7b:9d:64:c9:bb > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 50:7b:9d:64:c9:bb, length 300
21:14:51.244139 50:7b:9d:64:c9:bb > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 50:7b:9d:64:c9:bb, length 300
21:15:09.914862 50:7b:9d:64:c9:bb > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 50:7b:9d:64:c9:bb, length 300
  7. Monitor IP traffic on bridge br-mid: tcpdump -ne -i br-mid
# packets do not reach br-mid :(

Question: how do I configure the OWRT router so that some VLANs go to eth port 6 only (works with the above config), some VLANs go to eth port 7 only (works with the above config), and some VLANs go to both eth ports 6 and 7 (doesn't work with the above config)?

You can find more details in my GitHub repo OpenWRT_experiments as well as in the output below:

ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "Intel(R) Atom(TM) CPU C3758R @ 2.40GHz",
	"model": "Default string QDNV01",
	"board_name": "default-string-qdnv01",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "x86/64",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

cat /etc/config/network

# /etc/config/network as posted with the question: the layout that does not pass
# VLANs 103/104 between eth6 and eth7.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc0:c328:4e46::/48'

# management LAN: eth4 + eth5 bridged, router at 192.168.1.1
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth4'
	list ports 'eth5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth8'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth8'
	option proto 'dhcpv6'

# br-left: VLAN-aware bridge over eth7 only; 102/103/104 leave tagged on that port
config device
	option type 'bridge'
	option name 'br-left'
	list ports 'eth7'
	option ipv6 '0'

config bridge-vlan
	option device 'br-left'
	option vlan '102'
	list ports 'eth7:t'

config bridge-vlan
	option device 'br-left'
	option vlan '103'
	list ports 'eth7:t'

config bridge-vlan
	option device 'br-left'
	option vlan '104'
	list ports 'eth7:t'

# br-rght: same pattern over eth6 only; 101/103/104 tagged
config device
	option type 'bridge'
	option name 'br-rght'
	list ports 'eth6'
	option ipv6 '0'

config bridge-vlan
	option device 'br-rght'
	option vlan '101'
	list ports 'eth6:t'

config bridge-vlan
	option device 'br-rght'
	option vlan '103'
	list ports 'eth6:t'

config bridge-vlan
	option device 'br-rght'
	option vlan '104'
	list ports 'eth6:t'

# single-port VLANs: 102 (stg) lives on eth7 only, 101 (dev) on eth6 only
config interface 'stg'
	option proto 'static'
	option device 'br-left.102'
	option ipaddr '192.168.102.1'
	option netmask '255.255.255.0'

config interface 'dev'
	option proto 'static'
	option device 'br-rght.101'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

# br-mid is meant to join VLAN 103 and 104 of both trunk ports. Its members are
# the bridge VLAN sub-interfaces br-left.103 etc., on which the 802.1Q tag has
# already been removed (the tcpdump on br-rght.103 in the post shows plain IPv4),
# yet the bridge-vlan sections below expect VLAN 103/104 tagged again (':t').
# NOTE(review): this double expectation looks like the reason nothing reaches
# br-mid; the replies recommend one plain bridge per VLAN built from
# eth6.<id>/eth7.<id> ports instead of nesting a bridge inside a bridge.
config device
	option type 'bridge'
	option name 'br-mid'
	list ports 'br-left.103'
	list ports 'br-left.104'
	list ports 'br-rght.103'
	list ports 'br-rght.104'

config bridge-vlan
	option device 'br-mid'
	option vlan '103'
	list ports 'br-left.103:t'
	list ports 'br-rght.103:t'

config bridge-vlan
	option device 'br-mid'
	option vlan '104'
	list ports 'br-left.104:t'
	list ports 'br-rght.104:t'

config interface 'prod'
	option proto 'static'
	option device 'br-mid.103'
	option ipaddr '192.168.103.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-mid.104'
	option ipaddr '192.168.104.1'
	option netmask '255.255.255.0'



cat /etc/config/dhcp

# /etc/config/dhcp as posted with the question. dnsmasq answers DNS/DHCP on every
# interface that has a 'config dhcp' section below; each VLAN pool is
# start 100 + limit 150 -> .100-.249 with 12h leases.
# rebind_protection '1' drops upstream DNS answers that point at private
# addresses; localservice '1' only answers DNS queries from local subnets.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# management LAN: the only pool that also runs DHCPv6 / router advertisements
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# no DHCP server towards the upstream side
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# IPv4-only pools for the VLAN interfaces
config dhcp 'stg'
	option interface 'stg'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'dev'
	option interface 'dev'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'prod'
	option interface 'prod'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

There are two ways to approach this:

  1. put all ports in a single bridge and then use bridge-vlan syntax (like you have done) to specify the VLAN port membership and tagging status.

or

  2. use dotted notation and set up bridges with the dotted notation on the ports. An example below (not following your specific schema, but you'll see how it works):
config device
	option name 'br-vlan10'
	option type 'bridge'
	list ports 'eth4.10'
	list ports 'eth5.10'
  1. usually makes more sense on x86_64 with multiple individual network cards.

@psherman, @slh , many thanks for your guidance. It works like a charm.

I'm sorry for staying silent so long :snail:. It took me some time :hourglass_flowing_sand: to understand, experiment with and test the solution :microscope:.

For the OpenWRT community :unicorn: :penguin: I've composed a step-by-step guide :scroll: on how to configure many isolated VLANs on a few Ethernet ports.

@psherman, @slh, I would very much appreciate your criticism / comments on how to bring this solution / document closer to "best practice" in my particular case.

For a general overview, I publish below an extract from the above-mentioned document.

#=========================
# cat /etc/config/network
#=========================


# /etc/config/network of the working setup: one plain (non VLAN-aware) bridge
# per VLAN, built from ethN.<vlan-id> sub-interfaces. eth6 and eth7 are the two
# trunk ports; naming: brl = eth7 only, brr = eth6 only, brm = both ports.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# ula_prefix masked by the author in this listing
config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

# management LAN: eth4 + eth5 bridged, router at 192.168.1.1
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth4'
	list ports 'eth5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth8'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth8'
	option proto 'dhcpv6'

# VLAN 102 (stg): eth7 only
config device
	option type 'bridge'
	option name 'brl102'
	list ports 'eth7.102'
	option ipv6 '0'

# VLAN 103 (prod): tagged on both trunk ports
config device
	option type 'bridge'
	option name 'brm103'
	list ports 'eth6.103'
	list ports 'eth7.103'
	option ipv6 '0'

config interface 'stg'
	option proto 'static'
	option device 'brl102'
	option ipaddr '192.168.102.1'
	option netmask '255.255.255.0'

config interface 'prod'
	option proto 'static'
	option device 'brm103'
	option ipaddr '192.168.103.1'
	option netmask '255.255.255.0'

# VLAN 104 (iot): tagged on both trunk ports
config device
	option type 'bridge'
	option name 'brm104'
	list ports 'eth6.104'
	list ports 'eth7.104'
	option ipv6 '0'

# VLAN 101 (dev): eth6 only
config device
	option type 'bridge'
	option name 'brr101'
	option ipv6 '0'
	list ports 'eth6.101'

config interface 'iot'
	option proto 'static'
	option device 'brm104'
	option ipaddr '192.168.104.1'
	option netmask '255.255.255.0'

config interface 'dev'
	option proto 'static'
	option device 'brr101'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

# br99 bridges the untagged (native) side of the same two trunk ports. Any
# device plugged in without VLAN awareness lands in net_plug / 192.168.99.0/24,
# which the firewall confines to DHCP/DNS with the router (zone fw_netplug).
config device
	option type 'bridge'
	option name 'br99'
	list ports 'eth6'
	list ports 'eth7'
	option ipv6 '0'

config interface 'net_plug'
	option proto 'static'
	option device 'br99'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'


#=========================
# cat /etc/config/firewall
#=========================
# /etc/config/firewall of the working setup. Default stance is deny: input and
# forward are REJECT unless a zone or a rule below opens them. Zone layout as
# declared in this file:
#   lan        -> management; full access to the router and to wan/stg/iot/dev
#   fw_stg     -> wan; reachable from lan and from dev
#   fw_prod    -> wan; no forwarding targets it, so unreachable from any zone
#   fw_iot     -> reachable from lan; no forwarding out, i.e. no internet
#   fw_dev     -> wan and stg; reachable from lan; router input ACCEPT
#   fw_netplug -> untagged traffic on eth6/eth7; DHCP/DNS with the router only
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Allow-DHCP-Renew .. Allow-ISAKMP are the stock OpenWrt wan-side rules
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# src_ip is masked in this listing; the stock rule limits MLD to the IPv6
# link-local prefix fe80::/10
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'xxxx::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# per-VLAN zones: router services stay closed (input REJECT) except for the
# matching "dhcp and dns" rule; cross-zone traffic only where a forwarding
# section says so
config zone
	option name 'fw_stg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'stg'

config forwarding
	option src 'fw_stg'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'fw_stg'

# no forwarding in this file has dest 'fw_prod': prod hosts are not reachable
# from lan or from the other VLANs; prod only gets the path to wan below
config zone
	option name 'fw_prod'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'prod'

config forwarding
	option src 'fw_prod'
	option dest 'wan'

# no 'proto' given, so the rule applies to fw4's default of TCP and UDP.
# 53 and 67 are what the router must accept for DNS and DHCP; 68 is the DHCP
# client port — NOTE(review): it appears unnecessary on the router side and
# could be dropped from these rules.
config rule
	option name 'stage dhcp and dns'
	option src 'fw_stg'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'prod dhcp and dns'
	option src 'fw_prod'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# iot is reachable from lan (forwarding below) but has no forwarding of its own,
# so IoT devices get no internet access with this file — presumably intended
config zone
	option name 'fw_iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'fw_iot'

# fw_dev is the only VLAN zone with input ACCEPT: dev hosts may reach every
# service the router listens on (including management, if it is bound there),
# whereas the other VLANs only get 53/67/68. Set input to REJECT and add a
# "dev dhcp and dns" rule if that is not intended.
config zone
	option name 'fw_dev'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'dev'

config forwarding
	option src 'fw_dev'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'fw_dev'

config rule
	option name 'iot dhcp and dns'
	option src 'fw_iot'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# untagged/native traffic on the trunk ports (br99): DHCP/DNS with the router
# only, no forwarding in or out
config zone
	option name 'fw_netplug'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'net_plug'

config rule
	option name 'net plug dhcp and dns'
	option src 'fw_netplug'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# one-way: dev may initiate connections into stg; with forward REJECT
# everywhere else, stg cannot initiate towards dev
config forwarding
	option src 'fw_dev'
	option dest 'fw_stg'


#=========================
# cat /etc/config/dhcp
#=========================

# /etc/config/dhcp of the working setup. Identical to the one posted with the
# question plus a pool for net_plug (the untagged bridge). Each VLAN pool is
# start 100 + limit 150 -> .100-.249 with 12h leases.
# rebind_protection '1' drops upstream DNS answers that point at private
# addresses; localservice '1' only answers DNS queries from local subnets.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# management LAN: the only pool that also runs DHCPv6 / router advertisements
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# no DHCP server towards the upstream side
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# IPv4-only pools for the VLAN interfaces
config dhcp 'stg'
	option interface 'stg'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'prod'
	option interface 'prod'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'dev'
	option interface 'dev'
	option start '100'
	option limit '150'
	option leasetime '12h'

# pool for whatever is plugged into eth6/eth7 without a VLAN tag
config dhcp 'net_plug'
	option interface 'net_plug'
	option start '100'
	option limit '150'
	option leasetime '12h'

Kind regards

:lion:
