Modem+Router WAN/LAN physical configuration

I start with a short summary of my problem: My modem is physically separated (different room) from my wifi router, but the modem is in a central location where I also want to keep my switch for ethernet cables to other rooms. I can't (don't want to) put my router in the same location as the modem, as it's in a metal box and drastically reduces wifi signal strength.

I've created two graphs that I hope visualize the problem I'm facing:

"Variant 1" is my preferred solution, but I'm unsure if it would work how I want it to. I want to use an old, slower Router for the one that interfaces WAN and LAN - it shouldn't handle things such as Firewall, QoS, DHCP, etc.
The other Router (WiFi Router / AP) would be a new ax router.
Am I right assuming that Variant 2 wouldn't work how I expect it would?

"Variant 2" is the one I know works for sure, but it requires me to put in two in-wall Ethernet cables (Modem -> Router -> Back to Switch)

I'm grateful for any advice!

Variant 1 definitely works if your "slower" router handles Firewall and Routing. Your WiFi Router is then configured in dumb AP mode. If not, how is the firewalling achieved?

You can reduce the cabling in variant 2 if you use a VLAN capable switch and run a trunk from the switch to your router (i.e. WAN and LAN share the same cable, but are on different tagged VLANs. Both your router and the switch must support tagged VLAN). This is basically variant 1, but the "old" router is replaced by a VLAN capable switch. If your old router supports VLANs, you could even use that.

That's awesome! Thanks for your input. I didn't think about VLANs as I'm not so familiar with them, but that will save me a ton of work putting in in-wall cables :)

Same for me. When we renovated our house, I had the problem that the modem + small switch were on the second floor while the new network cabinet with the router would be located in the basement with just a single Gigabit uplink. Never had anything seriously to do with VLANs before that, but since I set them up it's running nicely! And since all switches run OpenWrt, too, management is a consistent experience!

Do you happen to have a good tutorial for this kind of configuration at hand? I read and watched some tutorials but I have a hard time fully understanding what VLAN/interface configurations I'd actually need.

I have a somewhat similar config: a VDSL modem (FB7362SL) in the basement, which is configured as modem only, but I'm using its Gbit Ethernet and access point to connect my NAS and my business.

Internet packets fly via a single Gbit ethernet cable via VLAN to the Router (MR1800X), and LAN is available for me to use in the basement for my equipment.
OpenWRT on the VDSL modem and the Router.

So this would be my updated topology. I color coded the devices and (ethernet) cables to show which are LAN (green) and which are WAN (red). The "Managed Switch" will be my old OpenWRT Router basically configured as dumb as possible, but with tagged VLANs. The WAN port of this router will be the WAN coming from the Modem. LAN1 will be the WAN/LAN connecting to the WiFi Router's WAN port. LAN2-4 are normal LAN ports.
The WiFi Router's LAN ports can also be used normally.

Will this work? I guess if I do it this way I have to configure the WiFi Router accordingly, otherwise it won't be able to use the same cable that I use for the VLAN 10 connection, right? So the WAN-port on the WiFi Router has to be configured as a normal LAN port, but mapped to VLAN 10.

The managed Switch's VLAN configuration would look like this:

And on the WiFi Router I configure an interface, presumably using eth0.10.

Old router WAN should be bridged with its single LAN_vlan10 just to tag all incoming traffic.
Main router should have all LAN+WAN bridged. WAN_vlan10 should be added and used as the internet source.
This setup is similar to what I have (single wire WAN+LAN). Now with DSA, but I had it with swconfig as well.

Sadly I have some troubles configuring both OpenWRT instances correctly. I'm unable to get the connection between both routers working from a single PC (I have to connect via cable to the one, and via wifi to the other).

Also, my managed switch does not receive an IP from the router. Probably because of the Router's WAN port being configured as DHCP client?

This is the configuration for my managed switch:

root@OpenWrt-Managed-Switch:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd78:0f0b:237f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        list ports 'eth0.10'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2t 1t'
        option description 'WAN'
        option vid '10'

And this is the configuration of the router:

root@Router:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fdec:64d7:c120::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option peerdns '0'
        option device 'eth0.10'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'eth0.1'
        list ports 'eth0.10'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4 5'

Here's what I did for the managed switch:

  • Create the 2 VLANs in Network - Switch
  • Disable wifi, firewall, dnsmasq, odhcpd
  • Add both eth0.1 and eth0.10 to the br-lan interface.

Do I have to do anything else for the managed switch? Do I have to enable the VLAN (802.1q) devices?

For the Router I did the following:

  • Add a new WAN interface with eth0.10
  • Add eth0.1 and eth0.10 to br-lan.

Do I also have to configure the VLAN switch and devices for the router?

So after a lot of trial and error I had to give up - I couldn't figure out how to configure it properly. Either the connection from managed switch to router didn't work, I didn't get a public IP at all, or my end device got the public IP instead (BAD!!).

Managed Switch:

| VLAN ID | LAN1 | LAN2 | LAN3 | LAN4 | WAN |
|---|---|---|---|---|---|
| 1 | untagged | untagged | untagged | untagged | off |
| 10 | tagged | off | off | off | tagged |

In Network->Interfaces/Devices I mapped eth0.1 and eth0.10 to br-lan.

Router:

| VLAN ID | LAN1 | LAN2 | LAN3 | LAN4 | WAN |
|---|---|---|---|---|---|
| 1 | untagged | untagged | untagged | untagged | off (or untagged?) |
| 10 | off | off | off | off | tagged |

With WAN = tagged, I'm unable to get a public IP if I directly plug in the modem on that port. Likewise, I'm not getting a public IP if I plug the cable in the managed switch and from there plug into the WAN port. Untagged worked, however.

I tried mapping eth0.1 and eth0.10 to br-lan but that caused my routers to become unresponsive because of flooding (I think packets were sent circularly).

Any help is greatly appreciated!

Your switch config is not correct: The port on both switches that needs to carry both VLANs must be tagged in both (similar to the CPU port 0). You are not going to have a port which is tagged and untagged, in your config it's either tagged or off.
I can send you more details later, I'm on the phone right now.

I think I got it working now - could you verify if I did it correctly?

Switch:

| VLAN ID | Description | CPU (eth0) | LAN 1 | LAN 2 | LAN 3 | LAN 4 | WAN |
|---|---|---|---|---|---|---|---|
| 1 | LAN | tagged | tagged | untagged | untagged | untagged | off |
| 10 | WAN | tagged | tagged | off | off | off | untagged |

br-lan bridges eth0.1 and eth0.10. I turned off dns, dhcp, firewall

Router:

| VLAN ID | Description | CPU (eth0) | LAN 1 | LAN 2 | LAN 3 | LAN 4 | WAN |
|---|---|---|---|---|---|---|---|
| 1 | LAN | tagged | untagged | untagged | untagged | untagged | tagged |
| 10 | WAN | tagged | off | off | off | off | tagged |

Interfaces/Devices are configured as per usual. br-lan is eth0.1 only and bound to the LAN interface. WAN is eth0.10. And of course the firewall is configured as wan => REJECT.

The VLAN config looks good, but on the switch you should not bridge eth0.10 and eth0.1 - that would again unify the networks. Since you don't need WAN on the switch, you could omit it entirely. The switch hardware is responsible for the VLAN tagging/management.
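
The two corrections given in the replies above (a port that carries both VLANs must be tagged in both, and eth0.1 must not be bridged with eth0.10) can be checked mechanically before a config is applied. The following Python check is an added example, not code from the thread's participants or from OpenWrt; BROKEN is a constructed sample abridged from the switch config posted earlier, and FIXED assumes port 1 is WAN and port 2 is LAN 1, as that config's port lists imply.

```python
import re
from collections import defaultdict

def parse_uci(text):
    """Parse UCI text into [(section_type, {option: [values]})]."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if m and m.group(1) == "config":
            sections.append((m.group(2), defaultdict(list)))
        elif m and sections:
            sections[-1][1][m.group(2)].append(m.group(3) or "")
    return sections

def lint(text):
    """Return findings for the two mistakes the thread's replies point out."""
    findings, ports = [], defaultdict(dict)  # ports[port][vid] = is_tagged
    for stype, opts in parse_uci(text):
        if stype == "switch_vlan":
            vid = (opts.get("vid") or opts["vlan"])[0]  # no vid: use table index
            for p in opts["ports"][0].split():
                ports[p.rstrip("t")][vid] = p.endswith("t")
        elif stype == "device" and opts.get("type") == ["bridge"]:
            vids = sorted({p.split(".")[1] for p in opts["ports"] if "." in p}, key=int)
            if len(vids) > 1:  # bridging eth0.1 with eth0.10 unifies LAN and WAN
                findings.append(f"bridge {opts['name'][0]} joins VLANs {', '.join(vids)}")
    for port, vlans in sorted(ports.items()):
        untagged = [v for v, tagged in vlans.items() if not tagged]
        if len(vlans) > 1 and untagged:  # shared port must be tagged in every VLAN
            findings.append(f"port {port} is in {len(vlans)} VLANs but untagged in {', '.join(untagged)}")
    return findings

# Constructed sample, abridged from the managed-switch config posted in the thread.
BROKEN = """config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'
    list ports 'eth0.10'
config switch_vlan
    option ports '0t 2 3 4 5'
    option vid '1'
config switch_vlan
    option ports '0t 2t 1t'
    option vid '10'
"""
# Assumed port mapping (1 = WAN, 2 = LAN 1) applied to the final VLAN table.
FIXED = (re.sub(r".*eth0\.10.*\n", "", BROKEN)
         .replace("'0t 2 3 4 5'", "'0t 2t 3 4 5'").replace("'0t 2t 1t'", "'0t 2t 1'"))
if __name__ == "__main__":
    print("broken:", lint(BROKEN), "\nfixed:", lint(FIXED))
```
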

Awesome, works perfectly. Thanks so much! With your last comment I was able to fit the last piece of the puzzle! :)
