Multiple usb ethernet adapters

I would like to create an OpenWrt router on a Raspberry Pi (I tried this on both a 3 and a 4).

*So I have Ethernet "built in" for br-bridge eth0 with a static IP and DHCP
*Next I added the driver for my TP-Link adapters, kmod-usb-net-rtl8152. I connected my Pi to a monitor and the bootup confirmed that this is the right driver. I added adapter eth1 and configured it for wan with DHCP. I did the appropriate FW zone changes and everything works great.

  • Next I plugged in the second TP-Link adapter; eth2 was available, so I used that for my "DMZ" network. I configured it with a static IP and another DHCP scope. The link shows traffic, but I can't connect to that network or get a DHCP address, and with manual configuration my Mac can't reach the "DMZ" network.

What am I doing wrong? I tried this on RPi 3 and 4 and can't get the second USB adapter to serve.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for your response!
ubus call system board

{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Raspberry Pi 3 Model B Rev 1.2",
	"board_name": "raspberrypi,3-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "bcm27xx/bcm2710",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddf:4b36:943d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

config interface 'nord'
	option proto 'wireguard'
	option private_key 'reducted'
	list addresses '10.5.0.2/32'
	option mtu '1412'
	list dns '103.86.96.100'
	list dns '103.86.99.100'
	option delegate '0'

config wireguard_nord
	option description 'nord-chi'
	option public_key 'reducted'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'us10576.nordvpn.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config interface 'dmz'
	option proto 'static'
	option device 'eth2'
	option ipaddr '10.20.3.1'
	option netmask '255.255.255.0'
	list dns '103.86.96.100'
	option delegate '0'

cat /etc/config/wireless I'm not using wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '100'
	option limit '150'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan2'
	option interface 'lan2'
	option start '50'
	option limit '75'
	option leasetime '12h'

config dhcp 'dmz'
	option interface 'dmz'
	option start '50'
	option limit '70'
	option leasetime '12h'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config forwarding
	option src 'lan'

config forwarding
	option src 'lan'

config forwarding
	option src 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'nord'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'nord'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'nord'

config zone
	option name 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'dmz'
	option mtu_fix '1'

config forwarding
	option src 'dmz'
	option dest 'wan'

Thanks for your help!

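As the default policy on DMZ is reject input, DHCP and DNS services on the router will not work unless you add specific rules to permit those. Suggest changing DMZ zone default to input ACCEPT at least for testing. For a DMZ that stays in service, a tighter setup keeps input REJECT and adds rules accepting only DHCP (UDP port 67) and DNS (TCP and UDP port 53) from the dmz zone, so DMZ hosts cannot reach the router's SSH or web interface.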

You also need conditional routing such as pbr to have one network go to the Internet via wan and one via a VPN. Firewall rules alone do not make that happen. The firewall only allows traffic to move after the decision of the destination has been made by the routing tables.


You can stop right here. The RPi3 is still limited by its USB 2.0 system bus, performance for multiple USB ethernet cards would be horrible (the situation would be different for RPi4 or RPi5, but even there I would seriously reconsider any plans involving 2+ USB ethernet cards). There is much better hardware (even cheaper) than dealing with the headaches of multiple USB cards on a RPi.


This is a good point, and also I don't think that USB3 Ethernet adapters work very well plugged into a USB2 port.

If the router is going to be a Raspberry Pi 3 it would be better to set up VLANs on the internal port and then separate the networks with a managed switch.

