I am struggling to create a functioning separate network for my NAS device, because for some reason my NAS won't join the network which I created for it (192.168.2.0/30) and joins the 192.168.1.0/24 network instead.
The NAS is connected to port 4/4 of my OpenWRT device and my plan was to create a VLAN on that port, reserved for the NAS only. There shall be no Wifi on this interface.
The VLAN seems to work, because sending a wake on lan magic packet via OpenWRT turns the NAS on, but after booting it still receives an IP of the 192.168.1.0/24 net. What am I missing here?
I enabled DHCP to work via the config on the NAS interface and also created the appropriate firewall rules.
Below you can find some information which might be helpful in this regard. Please let me know if you need anything else. I'm glad for any help at this point. (I am not posting the entirety of the configs here for the sake of clarity but am willing to do so if needed.)
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
option ipv6 '0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.1.101'
option ipv6 '0'
option delegate '0'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option type 'bridge'
option peerdns '0'
option ipv6 '0'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option type 'bridge'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '192.168.1.101'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'
option vid '1'
option description 'LAN'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '6t 1'
option vid '2'
option description 'WAN'
config device 'guest_dev'
option type 'bridge'
option name 'br-guest'
option ipv6 '0'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
list dns '192.168.1.101'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 5t'
option description 'NAS'
config interface 'NAS'
option proto 'static'
option ipaddr '192.168.2.0'
option netmask '255.255.255.252'
option gateway '192.168.2.1'
option broadcast '192.168.2.3'
option defaultroute '0'
list dns '192.168.1.101'
option device 'eth1.3'
config device
option name 'br-nas'
option type 'bridge'
list ports 'eth1.3'
config rule
option name 'LAN to NAS'
list proto 'all'
option src 'lan'
option dest 'NAS'
option target 'ACCEPT'
config rule
option name 'NAS to LAN'
list proto 'all'
option src 'NAS'
option dest 'lan'
option target 'ACCEPT'
P.S. I know that having my DNS server on my main network is suboptimal. This will be subject to change as soon as I have figured out how creating networks in OpenWRT works...
The NAS is an end-user device and might not work with tagged ports.
You have option device 'eth1.3' both here and in the bridge section. Maybe that works, but if you want to use the bridge, then replace option device 'eth1.3' with option device 'br-nas'.
This is not from the OpenWrt project, as this version has never existed.
It appears you are using firmware that is not from the official OpenWrt project.
When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.
Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).
If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
Thank you for your reply, psherman. It seems that I somehow managed to make a copy-paste error. No idea how that happened, but here is a screenshot of my actual OpenWRT version:
However, you should seriously consider upgrading... you're running a release candidate (pre-release). The current version is 23.05.2. You can keep your configuration across the upgrade process.
Thank you for your notice! I was not aware of the latest release and will upgrade in the near future. I chose the pre-release version at the time because of some troubleshooting attempts.
I have to add something, unfortunately. The NAS now joined its designated network, but I cannot access its web interface with this configuration. I rolled back to the previous configuration and it worked again. Firewall rules were not changed.
I tried tagging on port 5 (physical port 4) again. Didn't work. Any ideas?
If by that you mean that the interface needs its own IP address: That would make sense. I actually neglected that thought. My configuration looks like this:
Ok, I'll leave it blank. I unfortunately don't understand what gateway I should configure on the client side (NAS) then, since this contradicts what I have learned previously. I also am unable to ping the NAS with this setting.
Do you have a suggestion?
I configured the NAS statically and set the gateway to 192.168.2.1.
I set the device for the NAS interface to 'eth1.3' and deleted br-nas.
I untagged port 5.
config interface 'NAS'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.252'
list dns '192.168.1.101' #will keep this setting for now, if it doesn't mess with anything.
option device 'eth1.3'
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option ednspacket_max '1232'
option localservice '1'
option sequential_ip '1'
option rebind_protection '0'
list server '192.168.1.101'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option force '1'
list dhcp_option '6,192.168.1.101'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '1h'
option netmask '255.255.255.0'
option force '1'
list dhcp_option '6,192.168.1.101'
config dhcp 'IoT'
option interface 'IoT'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wg0'
option interface 'wg0'
option ignore '1'
config host
option name 'PC'
option dns '1'
option ip '192.168.1.3'
option mac 'xxx'
config host
option name 'NAS'
option dns '1'
option mac 'XXX'
option ip '192.168.2.2'
config dhcp 'Drucker'
option interface 'Drucker'
option start '100'
option limit '150'
option leasetime '12h'
option force '1'
list dhcp_option '6,192.168.1.101'
config dhcp 'NAS'
option interface 'NAS'
option leasetime '12h'
option force '1'
option start '100'
option limit '150'
option dynamicdhcp '0'
# I cut out most of the static leases, since they are numerous...
cat /etc/config/firewall
# There may be some redundancy here and it will be a little messy because of some experiments. If you see something changeworthy, feel free to let me know.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'DROP'
option drop_invalid '1'
option flow_offloading '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'
config zone 'wan'
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
option forward 'DROP'
option input 'DROP'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Wireguard Incoming'
option src 'wan'
option dest_port 'XXX'
option target 'ACCEPT'
list proto 'udp'
config rule
option name 'Wireguard to LAN'
option src 'Wireguard'
option src_port 'XXX'
option dest 'lan'
option dest_port 'XXX'
option target 'ACCEPT'
list proto 'udp'
config rule
option name 'WireGuard to WAN'
option src 'Wireguard'
option src_port 'XXX'
option dest 'wan'
option dest_port 'XXX'
option target 'ACCEPT'
list proto 'udp'
config rule
option name 'Allow DHCP IoT'
option src 'IoT'
option src_port '68'
option dest_port '67'
option target 'ACCEPT'
config rule
option name 'LAN to NAS'
list proto 'all'
option src 'lan'
option dest 'NAS'
option target 'ACCEPT'
config rule
option name 'NAS to LAN'
list proto 'all'
option src 'NAS'
option dest 'lan'
option target 'ACCEPT'
config rule
option name 'NAS to WAN (temporary)'
option src 'NAS'
option dest 'wan'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-NAS'
list proto 'udp'
option src 'NAS'
option dest_port '67'
option target 'ACCEPT'
config rule
option src 'IoT'
option dest '*'
option target 'DROP'
option name 'IoT Outgoing'
list proto 'all'
config rule
option name 'IoT Incoming'
option src '*'
option dest 'IoT'
option target 'DROP'
list proto 'all'
config zone
option name 'Wireguard'
option output 'ACCEPT'
list network 'wg0'
option forward 'ACCEPT'
list device 'wg0'
option input 'ACCEPT'
config zone 'guest'
option name 'guest'
option output 'ACCEPT'
list network 'guest'
option input 'DROP'
option forward 'DROP'
config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
list dest_ip '192.168.1.101'
option dest 'lan'
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option src_port '68'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config zone
option name 'IoT'
list network 'IoT'
list subnet '192.168.7.0/24'
option input 'DROP'
option output 'DROP'
option forward 'DROP'
config redirect
option dest 'Wireguard'
option target 'DNAT'
option name 'Wireguard'
list proto 'udp'
option src 'wan'
option src_dport 'XXX'
option dest_port 'XXX'
option src_port 'XXX'
config forwarding
option src 'lan'
option dest 'Wireguard'
config forwarding
option src 'wan'
option dest 'Wireguard'
config forwarding
option src 'Wireguard'
option dest 'wan'
config forwarding
option src 'Wireguard'
option dest 'lan'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Minecraft Server'
option src 'wan'
option src_dport 'XXX'
option dest_port 'XXX'
option dest_ip 'XXX'
config rule
option name 'MC Incoming'
option src 'wan'
option src_port 'XXX'
option dest 'lan'
list dest_ip 'XXX'
option dest_port 'XXX'
option target 'ACCEPT'
option enabled '0'
config rule
option family 'ipv4'
option src 'lan'
option dest 'Drucker'
list dest_ip '192.168.4.1/29'
option target 'ACCEPT'
list proto 'tcp'
option src_port '9100'
option dest_port '9100'
option name 'LAN zu Drucker (drucken)'
config rule
option name 'Drucker HTTP Incoming from LAN'
option src 'lan'
option dest 'Drucker'
option dest_port '80'
option target 'ACCEPT'
list proto 'tcp'
config rule
option name 'Drucker HTTP Outgoing to LAN'
option src 'Drucker'
option dest 'lan'
option dest_port '80'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config rule
option name 'Guest zu Drucker'
list proto 'tcp'
option src 'guest'
option src_port '9100'
option dest 'Drucker'
option dest_port '9100'
option target 'ACCEPT'
list dest_ip '192.168.4.1/29'
config rule
list proto 'tcp'
list src_ip '192.168.4.1/29'
option src_port '9100'
option dest 'lan'
option dest_port '9100'
option target 'ACCEPT'
option name 'Drucker zu LAN (drucken)'
option src 'Drucker'
config rule
option name 'Allow-DHCP-Drucker'
list proto 'udp'
option src 'Drucker'
option src_port '68'
option dest_port '67'
option target 'ACCEPT'
config rule
option dest 'Drucker'
option target 'DROP'
option src '*'
option name 'Drucker Incoming'
list proto 'all'
config rule
option name 'Drucker Outgoing'
list proto 'all'
option src 'Drucker'
option dest '*'
option target 'DROP'
config rule
option name 'NAS Incoming'
list proto 'all'
option src '*'
option dest 'NAS'
option target 'DROP'
config rule
option name 'WAN to THIS DEVICE Port 80'
option src 'wan'
option target 'DROP'
list proto 'tcp'
list proto 'udp'
option dest_port '80'
option dest '*'
config rule
option name 'WAN to THIS DEVICE Port 443'
option src 'wan'
option target 'DROP'
list proto 'tcp'
list proto 'udp'
option dest_port '443'
option dest '*'
config rule
option name 'WAN to THIS DEVICE Port 53'
option src 'wan'
option target 'DROP'
list proto 'tcp'
list proto 'udp'
option dest_port '53'
option dest '*'
config rule
option name 'Drop Everything Incoming'
option src 'wan'
option target 'DROP'
list proto 'all'
option dest '*'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'guest'
option src_dport '53'
option dest_ip '192.168.1.101'
option dest_port '53'
option name 'DNS Guest'
config rule
option name 'Drop Everything Else'
option src '*'
option dest '*'
option target 'DROP'
list proto 'all'
option enabled '0'
config zone
option name 'Drucker'
list network 'Drucker'
option forward 'DROP'
option input 'DROP'
option output 'ACCEPT'
list device 'br-drucker'
option family 'ipv4'
config forwarding
option src 'Drucker'
option dest 'lan'
config forwarding
option src 'guest'
option dest 'Drucker'
config forwarding
option src 'lan'
option dest 'Drucker'
config redirect
option dest 'Drucker'
option target 'DNAT'
option name 'LAN drucken'
option family 'ipv4'
list proto 'tcp'
option src 'lan'
option src_dport '9100'
option dest_port '9100'
option dest_ip '192.168.4.4'
config redirect
option dest 'Drucker'
option target 'DNAT'
option name 'Guest drucken'
option family 'ipv4'
list proto 'tcp'
option src 'guest'
option src_dport '9100'
option dest_ip '192.168.4.4'
option dest_port '9100'
config zone
option name 'NAS'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
list network 'NAS'
option family 'ipv4'
config forwarding
option src 'NAS'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'NAS'
config forwarding
option src 'NAS'
option dest 'wan'
There are a bunch of issues in your config, not sure if they are impacting your NAS network, but let's clean stuff up:
This is missing the ula prefix... not sure what happens with this stanza when that happens.
Remove the option type 'bridge' for both of your wans.
In the wan interface, remove the peerdns '0', or specify the dns here. Remove the ipv6 line from the wan as well.
Remove this:
Edit the IoT network to use br-iot (not br-iot.7)
remove the port eth0 from this:
Delete this:
Remove all of these:
Your wifi SSID should only have a single network -- lan. Remove wan and wan6 from here:
And same here:
Remove this, as it is invalid because of your /30 subnet (alternatively, you can change your nas subnet to a /24, or change the values here):
There are a lot of issues with the firewall, too... but I don't have the time at this moment to address those. Make the recommended changes and repost for review. I'll cover the firewall as soon as I have some more time.
These rules can be handled better by simply not allowing forwarding. I'd remove these:
Remove the subnet from below:
If the IoT network is intended to be 100% isolated (no routing to or from any other networks) this can be left as is... but the output rule will currently prevent any routing at all.
I think all of your wireguard firewall rules are wrong, but I'll review those later if you want.
Remove this:
There are problems with all of these rules, too... too many to address now.
Delete all of these:
Delete this:
There are still a ton of problems, but this will start to clear things up.
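As an added example (not from this thread and not OpenWrt project code), here is a small Python checker that parses UCI stanzas in the form posted above and flags the two addressing problems discussed in the replies: an interface whose ipaddr is the network address of its /30, and a DHCP stanza whose start/limit pool cannot fit inside the subnet. The sample stanzas are constructed, and the parser assumes the option/list syntax shown in this thread.

```python
import ipaddress
import re

# Constructed sample in UCI syntax, modelled on the NAS stanzas posted in this
# thread (assumed values; not the poster's complete files).
NETWORK_CFG = """
config interface 'NAS'
	option proto 'static'
	option ipaddr '192.168.2.0'
	option netmask '255.255.255.252'
"""
DHCP_CFG = """
config dhcp 'NAS'
	option interface 'NAS'
	option start '100'
	option limit '150'
"""
HEAD_RE = re.compile(r"^config\s+(\w+)(?:\s+'?([\w-]+)'?)?", re.M)
OPT_RE = re.compile(r"^\s*(?:option|list)\s+(\w+)\s+'([^']*)'", re.M)

def parse_uci(text):
    """Split UCI text into (section_type, section_name, {key: value}) tuples."""
    out = []
    for block in re.split(r"^(?=config\s)", text, flags=re.M):
        head = HEAD_RE.match(block)
        if head:
            out.append((head.group(1), head.group(2), dict(OPT_RE.findall(block))))
    return out

def check_config(network_cfg, dhcp_cfg):
    """Return {interface: [problems]} for every static IPv4 interface."""
    ifaces = {}
    for kind, name, o in parse_uci(network_cfg):
        if kind == "interface" and o.get("proto") == "static" and "ipaddr" in o:
            ifaces[name] = ipaddress.ip_interface(f"{o['ipaddr']}/{o.get('netmask', '32')}")
    problems = {n: [] for n in ifaces}
    for n, itf in ifaces.items():
        # The router's address must be a host address, not the network/broadcast address.
        if itf.ip in (itf.network.network_address, itf.network.broadcast_address):
            problems[n].append(f"ipaddr {itf.ip} is not a host address in {itf.network}")
    for kind, name, o in parse_uci(dhcp_cfg):
        ifname = o.get("interface", name)
        if kind != "dhcp" or o.get("ignore") == "1" or ifname not in ifaces:
            continue
        # 'start' offsets the network address; a pool of 'limit' must end below broadcast.
        net = ifaces[ifname].network
        start, limit = int(o.get("start", 100)), int(o.get("limit", 150))
        if int(net.network_address) + start + limit - 1 >= int(net.broadcast_address):
            problems[ifname].append(f"DHCP pool start={start} limit={limit} exceeds {net}")
    return problems
```

For the sample above, the NAS interface gets both findings; a /24 such as the lan stanza in the thread passes both checks.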