Need to run a linux container with VLANs on RPi4

I need to run an LXC on my RPi4. The RPi4's internal NIC is set up with bridge VLAN filtering like this:

Enable VLAN filtered [X]

VLAN ID  Local   eth0
----------------------
   1      [X]      u
   3      [X]      t

VLAN ID 1 is my main zone; VLAN ID 3 is for my guest zone.

I need to add an LXC (running pihole) that users on both VLANs can access.

AFAIK, I can only get the LXC to attach to a bridge interface, so I cannot have it use the VLAN device br-main.3.

I tried creating another tagged VLAN (ID 4), and a corresponding new bridge (br-lxc) which I attached to it. That works to start the container, but only users on VLAN ID 1 can connect to the container. Users on VLAN ID 3 cannot.

Enable VLAN filtered [X]

VLAN ID  Local   eth0
----------------------
   1      [X]      u
   3      [X]      t
   4      [X]      t

I do not know how to get the setup working.

I also have a dumb AP setup with two SSIDs (one for VLAN ID 1 and the other for VLAN ID 3). I do not know if the new VLAN is needed or if something else with the firewall is needed.

Does this have to do with OpenWrt?

The RPi4 is running the latest snapshot of OW. It's a configuration issue.

Is OpenWrt running in a container, or is it the host os?

OpenWRT is the Host OS.

let's see your /etc/config/network file and the /etc/config/firewall file, too.

/etc/config/network
# /etc/config/network as posted. br-main is a VLAN-filtering bridge over eth0;
# each VLAN is exposed as an 8021q device br-main.<vid> that the logical
# interfaces (lan, guest, LXC) bind to. br-wan is a separate bridge over eth1.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1a:184b:b879::/48'
	option packet_steering '1'

# The VLAN-aware bridge. IPv6 is disabled on the bridge device itself.
config device
	option name 'br-main'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

# Main network on VLAN 1 (10.1.2.0/24), bound to the br-main.1 VLAN device below.
config interface 'lan'
	option proto 'static'
	option ipaddr '10.1.2.1'
	option netmask '255.255.255.0'
	option device 'br-main.1'

# Upstream on br-wan (eth1) via DHCP; ISP-supplied resolvers are ignored
# (peerdns '0') in favour of the two listed ones, and no prefix is delegated.
config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option device 'br-wan'

# Bridge VLAN membership: VLAN 1 is untagged on eth0, VLANs 3 and 4 are tagged (':t').
config bridge-vlan
	option device 'br-main'
	option vlan '1'
	list ports 'eth0'

config bridge-vlan
	option device 'br-main'
	option vlan '3'
	list ports 'eth0:t'

# 8021q sub-devices of br-main, one per VLAN, used as the interfaces' 'device'.
config device
	option name 'br-main.1'
	option type '8021q'
	option ifname 'br-main'
	option vid '1'
	option ipv6 '0'

config device
	option name 'br-main.3'
	option type '8021q'
	option ifname 'br-main'
	option vid '3'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'eth1'
	option ipv6 '0'

# Guest network on VLAN 3 (192.168.9.0/24).
config interface 'guest'
	option proto 'static'
	option device 'br-main.3'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

# VLAN 4 exists only to carry the container: it is tagged on eth0, so any
# switch/AP port that carries VLAN 4 reaches br-lxc at layer 2 without
# passing through the router's lan/guest zones.
config bridge-vlan
	option device 'br-main'
	option vlan '4'
	list ports 'eth0:t'

# Plain (non-VLAN-aware) bridge the LXC attaches to; its only port is the
# VLAN 4 sub-device, which is how a container limited to bridge attachment
# (see the post above) gets onto a VLAN.
config device
	option type 'bridge'
	option name 'br-lxc'
	list ports 'br-main.4'
	option ipv6 '0'

# Router-side address on the container network (10.0.4.0/24). Which firewall
# zone 'LXC' belongs to is decided in /etc/config/firewall, not here.
config interface 'LXC'
	option proto 'static'
	option device 'br-lxc'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

config device
	option name 'br-main.4'
	option type '8021q'
	option ifname 'br-main'
	option vid '4'
	option ipv6 '0'

/etc/config/firewall
# /etc/config/firewall as posted. Three zones: lan (br-main.1), wan (br-wan)
# and guest (br-main.3, plus the guest, wg0 and LXC networks). Zone-level
# 'forward' controls traffic between interfaces of the same zone; the
# 'forwarding' sections at the bottom control traffic between zones.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# The rules from here to 'Allow-IPSec-ESP' match OpenWrt's stock WAN-side
# rule set (DHCP renew, IGMP, DHCPv6, MLD, ICMPv6 input/forward, IPsec ESP).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# NOTE(review): /etc/firewall.user is the iptables-era custom-rules hook. The
# thread says this box runs a current snapshot, which uses fw4 (nftables);
# fw4 does not execute this include, so any rules kept in that file are
# most likely not applied — confirm nothing depends on them.
config include
	option path '/etc/firewall.user'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'br-main.1'
	list network 'lan'

# NOTE(review): input 'ACCEPT' on the wan zone accepts connections from the
# upstream network to services running on the router itself (SSH, LuCI, DNS,
# anything else listening). OpenWrt's stock value for this zone is REJECT.
# Confirm this is intentional; otherwise change it to `option input 'REJECT'`
# and open individual ports with explicit rules.
config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	list device 'br-wan'
	option input 'ACCEPT'
	list network 'wan'

# Guest zone. input 'REJECT' together with the 'guest dhcp and dns' rule
# below limits guest-to-router traffic to ports 53/67/68.
# NOTE(review): the LXC network is a member of this zone alongside guest and
# wg0. With forward 'REJECT' at zone level, traffic between this zone's own
# interfaces (br-main.3 <-> br-lxc) is rejected as well, which matches the
# symptom reported above: VLAN 1 clients reach the container because of the
# lan->guest forwarding at the bottom, VLAN 3 clients do not. The author's
# later fix (a dedicated zone for the LXC with its own forwardings) is the
# clean way to express this; confirm.
config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'br-main.3'
	option input 'REJECT'
	list network 'guest'
	list network 'wg0'
	list network 'LXC'

# Allows ICMP from lan to guest. This appears redundant with the lan->guest
# forwarding section below, which already permits all traffic in that direction.
config rule
	option name 'guest ping'
	list proto 'icmp'
	option src 'lan'
	option dest 'guest'
	option target 'ACCEPT'

# No 'dest', so this matches traffic to the router itself: DNS (53) and
# DHCP (67/68) from guest-zone clients, including the LXC and wg0 networks.
config rule
	option src 'guest'
	option target 'ACCEPT'
	option name 'guest dhcp and dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'

# Inter-zone forwardings: lan and guest may reach wan; lan may reach guest,
# but not the reverse.
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

I ended up solving this by:

  1. Creating VLAN ID 4 on both the router and AP
  2. Creating a new firewall zone for the LXC and setting up some slightly different rules

This allows the LXC (pihole) to function on the LAN, GUEST, and WG0 interfaces.

For VLAN ID 4, on the router:

Enable VLAN filtered [X]

VLAN ID  Local   eth0
----------------------
   1      [X]      u
   3      [X]      t
   4      [X]      t

And on the dumb AP:

VLAN ID  Local   lan1   lan2   lan3   lan4
-------------------------------------------
   1      [X]      u      u      u      u
   3      [X]      -      -      t      -
   4      [X]      u      u      t      u

For the firewall zones:

And my interfaces for the record:

Sorry I didn't get back to you before you resolved the issue (got sidetracked with other things)... glad you found a solution!
