[Need Ideas] Implementing a network switch with VLAN to monitor each port activity

Hello everyone, I'm a new OpenWRT user here and generally new to networking, first time using OpenWRT.

I have a TP-Link TL-MR6400 v5 running OpenWRT after I flashed it a few days ago. I want to try running it as kind of a network switch (which is what it was used for previously on the original router; the internet source, the Tenda AC23, is connected to the LAN port with DHCP disabled).

The Tenda AC23's subnet is 10.5.12.0/26 (mask 255.255.255.192), with this in mind:

  • 10.5.12.1: The Tenda AC23 itself
  • 10.5.12.2 - 10.5.12.19: Reserved static DHCP range for specific devices (10.5.12.3 is what the MR6400 will be on)
  • 10.5.12.20 - 10.5.12.62: DHCP range for general devices

So the primary router in the network is still the Tenda AC23 (on stock firmware) for easy central management.

At first, I just put all of the MR6400 internal switch together in a default VLAN, as in:

|--------------------------------------------------------------------|
| VLAN ID | CPU      | Port 1   | Port 2   | Port 3   | Port 4 (WAN) |
| 1       | Untagged | Untagged | Untagged | Untagged | Untagged     |
|--------------------------------------------------------------------|

That works as expected: all of the MR6400 LAN* devices get their IP from the Tenda AC23. However, I seem to be unable to monitor traffic using the OpenWRT real-time graphs; the only option is to monitor either the whole internal switch or the whole VLAN 1, which is basically the whole internal switch at this point.


Here's a diagram of my network:

I tried to make multiple VLAN on the MR6400 as in:

  • VLAN 1 for WAN (10.5.12.3 DHCP from Tenda AC23)
  • VLAN 10 for LAN1 (192.168.10.1/30)
  • VLAN 20 for LAN2 (192.168.20.1/30)
  • VLAN 30 for LAN3 (192.168.30.1/30)

In that configuration, I can monitor each LAN* interface individually, but then it's a whole router instead of a simple dumb switch for the Tenda AC23, so not what I wanted.


Any suggestions on how to configure OpenWRT in such a way that it is still a network switch but I have the option to monitor each LAN* interface individually?

Thanks :slight_smile:

Nope... as you've discovered, setting up VLANs means that each VLAN is necessarily a different subnet. And with different subnets, that means you must route -- a simple non-routing switch is not an option at that point.

Conversely, when you are running in non-routing mode, you generally do not have visibility into the per-port traffic, as a result of the fact that the built-in switch chip handles all forwarding activities. Traffic never reaches the CPU since it is not routed. This means that the CPU doesn't have any way to monitor the traffic that is flowing through the switch.

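To make the "traffic never reaches the CPU" point concrete: the LuCI Realtime Graphs page is built from the kernel's per-interface byte counters (the rows of /proc/net/dev), and a rate can only be drawn for an interface that has a row there. The script below is an added example for this thread, not code from OpenWrt or LuCI. It parses two constructed snapshots (not captured from the poster's MR6400) taken 10 seconds apart, computes bits per second for each interface, handles a 32-bit counter wrap (an assumption about the MT7628A's counters), and reports which of the wanted port names have no row at all. On a swconfig-managed switch only the CPU-facing netdevs such as eth0 and eth0.1 exist, so lan1..lan3 come back as "not graphable", which is exactly the limitation described above.

```python
"""Per-interface throughput from /proc/net/dev snapshots.

Added example for this thread, not OpenWrt or LuCI code. Snapshots are
constructed sample data, 10 seconds apart.
"""
from typing import Dict, List, Tuple

# Assumption: interface counters on a 32-bit target such as the MT7628A may
# wrap at 2^32; a negative delta is treated as exactly one wrap.
COUNTER_WRAP = 2 ** 32
INTERVAL_SECONDS = 10

# Constructed /proc/net/dev text. Only CPU-facing interfaces have rows: with
# a swconfig switch the physical ports lan1..lan3 are not Linux netdevs.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 1000000    5000    0    0    0     0          0         0  2000000    4000    0    0    0     0       0          0
eth0.1:4294967000    4500    0    0    0     0          0        10  1800000    3800    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 2250000    6200    0    0    0     0          0         0  2625000    4900    0    0    0     0       0          0
eth0.1:      1000    4510    0    0    0     0          0        10  1800000    3800    0    0    0     0       0          0
"""


def parse_proc_net_dev(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")     # long names have no space after ':'
        fields = rest.split()
        if len(fields) < 16:
            continue                            # malformed row, ignore it
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def counter_delta(old: int, new: int) -> int:
    """Difference between two counter readings, correcting one 32-bit wrap."""
    delta = new - old
    return delta + COUNTER_WRAP if delta < 0 else delta


def throughput(t0: Dict[str, Tuple[int, int]],
               t1: Dict[str, Tuple[int, int]],
               interval: float) -> Dict[str, Tuple[float, float]]:
    """Bits per second (rx, tx) per interface present in both snapshots."""
    rates: Dict[str, Tuple[float, float]] = {}
    for name, (rx1, tx1) in t1.items():
        if name not in t0:
            continue                            # appeared mid-interval: no rate yet
        rx0, tx0 = t0[name]
        rates[name] = (counter_delta(rx0, rx1) * 8 / interval,
                       counter_delta(tx0, tx1) * 8 / interval)
    return rates


def missing_interfaces(snapshot: Dict[str, Tuple[int, int]],
                       wanted: List[str]) -> List[str]:
    """Names you would like to graph that the kernel does not expose at all."""
    return [n for n in wanted if n not in snapshot]


def main() -> None:
    t0 = parse_proc_net_dev(SNAPSHOT_T0)
    t1 = parse_proc_net_dev(SNAPSHOT_T1)
    for name, (rx, tx) in throughput(t0, t1, INTERVAL_SECONDS).items():
        print(f"{name:8s} rx {rx / 1e6:8.3f} Mbit/s  tx {tx / 1e6:8.3f} Mbit/s")
    print("not graphable:", missing_interfaces(t1, ["lan1", "lan2", "lan3"]))


if __name__ == "__main__":
    main()
```

Run on a real device, you would replace the two constants with `open("/proc/net/dev").read()` calls spaced by the interval; the per-port rows only appear once the ports are separate netdevs (a DSA switch driver or, as the thread goes on to discuss, routed VLAN sub-interfaces), at which point the CPU is forwarding the traffic and the dumb-switch property is gone.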

Thank you for the insights.

As an alternative, is it possible for me to set up 1:1 NAT routing?

For example, the MR6400 would have multiple MAC addresses on the WAN interface so it can request multiple IPs via DHCP from the Tenda AC23, which would then be NAT'ed to the LAN devices.

As in:

  • WAN 10.5.12.5 => MR6400 NAT => 192.168.10.2 (the device on VLAN 1, subnet 192.168.10.0/30)
  • WAN 10.5.12.6 => MR6400 NAT => 192.168.20.2 (the device on VLAN 2, subnet 192.168.20.0/30)
  • WAN 10.5.12.7 => NAT => 192.168.30.2 (the device on VLAN 3, subnet 192.168.30.0/30)

So far I have no idea how to request multiple IPs from a single WAN on the MR6400 through configuration in LuCI.

Port mirroring on a capable switch to a dedicated monitoring computer?

You'll get switch-like speeds without needing an L3 switch or a very powerful router (i.e. something that can run a software bridge at gigabit speeds...).
One would need to check with the rtl83xx support thread, but I think there's port mirroring support? Otherwise you would need to find DSA switches on an OpenWrt router that can handle port mirroring.

I doubt most OpenWrt routers can handle packet inspection at full line rate for all switch ports...

If all else fails, getting a non-OpenWrt switch that can do port mirroring would be sufficient?

If you want individual VLANs you can also get a switch that does inter-VLAN routing or switching or VLAN translation etc. But that's getting out of OpenWrt.

In my scenario, unfortunately I can't do port mirroring because all of the ports on the MR6400 are already full.

As for the network performance, I think it'll do fine on 100Mbit activity, most of the usage is going to the Tenda AC23 for internet instead of local network, so the bottleneck is probably the 100Mbit line between the MR6400 and the AC23.

I plan on getting a Raspberry Pi as a router with OpenWRT later, so I can turn the Tenda AC23 into a dumb AP (it is doing a very poor job at being the main router for everything; it can barely handle all of my 20+ IoT devices without the wireless rate slowing down extremely, which is also a reason why I will use the MR6400 as an AP too).

The MT7628A is probably good for 200 Mbit of bridging total. I guess that's fine if you only need 10-50 Mbit per device =P

The Raspberry Pi is a single-port device? But I guess with VLANs it can probably do the routing job fine.

But yeah hard to do monitoring without enough CPU to do packet capture and transparent bridging, or using port mirroring on an ethernet switch.

What I'm saying is that you can probably get a switch that does inter-VLAN translation / port isolation only to upstream, or one that can do port mirroring, or a proper L3 switch that can do all the inter-VLAN translation.

If you have the budget for a Raspberry Pi in the future, you could consider a different architecture than router-on-a-stick for your packet inspection solution.

Yeah, when I do have a budget for the Raspberry Pi (and hopefully a managed switch), I would probably just turn all of my cheap all-in-one home routers into dumb APs and migrate all the network stuff to the Raspberry Pi.

At the moment, my internet plan is 50Mbit symmetric for $25/month.
So for now the MR6400 is probably up to do the job just fine haha.

I plan to have another home media server for the smart TV; I'll probably wire that up to the Tenda AC23 directly so the TV can enjoy a gigabit local network to Plex Media :smiley:

