Netgear WNDR3700v2 - How to setup VLANS?

Compact · July 19, 2019, 6:28am

Hello. I'm trying to setup another VLAN for port 2 in my router. Internet cable will be connected to that port. Now, my current configs look like this:

cat /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7a:ad22:abe3::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.10'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 3 5t'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '2 5t'

config interface 'VLAN2'
        option proto 'none'
        option ifname 'eth0.2'
        option auto '1'

cat /etc/config/firewall


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'VLAN'
        option network 'VLAN2'
        option log '1'
        option forward 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule
        option target 'ACCEPT'
        option src 'VLAN'
        option name 'VLAN'
        option proto 'all'
        option dest 'lan'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option name 'LAN - VLAN'
        option proto 'all'
        option dest 'VLAN'

config forwarding
        option dest 'lan'
        option src 'VLAN'

config forwarding
        option dest 'VLAN'
        option src 'lan'

fw3 print

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -N zone_VLAN_input
iptables -t filter -N zone_VLAN_output
iptables -t filter -N zone_VLAN_forward
iptables -t filter -N zone_VLAN_src_ACCEPT
iptables -t filter -N zone_VLAN_dest_ACCEPT
iptables -t filter -N input_VLAN_rule
iptables -t filter -N output_VLAN_rule
iptables -t filter -N forwarding_VLAN_rule
iptables -t filter -A zone_VLAN_input -m comment --comment "!fw3: Custom VLAN input rule chain" -j input_VLAN_rule
iptables -t filter -A zone_VLAN_output -m comment --comment "!fw3: Custom VLAN output rule chain" -j output_VLAN_rule
iptables -t filter -A zone_VLAN_forward -m comment --comment "!fw3: Custom VLAN forwarding rule chain" -j forwarding_VLAN_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_VLAN_forward -m comment --comment "!fw3: VLAN" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: LAN - VLAN" -j zone_VLAN_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_VLAN_forward -m comment --comment "!fw3: Zone VLAN to lan forwarding policy" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to VLAN forwarding policy" -j zone_VLAN_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A zone_VLAN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_VLAN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_VLAN_input -m comment --comment "!fw3" -j zone_VLAN_src_ACCEPT
iptables -t filter -A zone_VLAN_forward -m comment --comment "!fw3" -j zone_VLAN_dest_ACCEPT
iptables -t filter -A zone_VLAN_output -m comment --comment "!fw3" -j zone_VLAN_dest_ACCEPT
iptables -t filter -D zone_VLAN_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_VLAN_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_VLAN_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_VLAN_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_input
iptables -t filter -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_input
iptables -t filter -D OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_VLAN_output
iptables -t filter -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_VLAN_output
iptables -t filter -D FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_forward
iptables -t filter -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -N zone_VLAN_postrouting
iptables -t nat -N zone_VLAN_prerouting
iptables -t nat -N prerouting_VLAN_rule
iptables -t nat -N postrouting_VLAN_rule
iptables -t nat -A zone_VLAN_prerouting -m comment --comment "!fw3: Custom VLAN prerouting rule chain" -j prerouting_VLAN_rule
iptables -t nat -A zone_VLAN_postrouting -m comment --comment "!fw3: Custom VLAN postrouting rule chain" -j postrouting_VLAN_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -D PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_prerouting
iptables -t nat -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_VLAN_prerouting
iptables -t nat -D POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_VLAN_postrouting
iptables -t nat -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_VLAN_postrouting
iptables -t mangle -D FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

There is no internet access at all, so this configuration must be wrong. What do I need to change to have internet on port 2, which is on VLAN2, working and forwarded to the rest of the ports on VLAN1?

mikma · July 19, 2019, 7:24am

You should configure interface VLAN2 with proto static, and configure ipaddr, netmask, (and ip6assign if you want to use ipv6). You also need to add a VLAN2 config section in /etc/config/dhcp similar to the lan section if you want to run the DHCP server on VLAN2 which you probably want.

Compact · July 19, 2019, 7:42am

I actually don't want DHCP on this interface. I just want I will call it "pseudo WAN", a seperate interface, which outgoing traffic will take, on which I can use TC or netem. I know, I should've worded my initial post better.

I tried setting up ip addr and everything on that interface, devices on VLAN1 couldn't access the internet.

I should've also mentioned that this router(WNDR3700v2) is behind another one which is doing NAT. I want my netgear to be transparent, without NAT. I can't setup static routes on upstream router, it doesn't support it(ISP provided router).

mikma · July 19, 2019, 7:58am

If you want it to be transparent then it means adding eth0.2 to the lan bridge instead of having the VLAN2 interface. But it also means the ISP routes will be the DHCP server instead of OpenWrt since VLAN 1 and VLAN 2 will be bridged. You also need to change the IP address of the lan interface to the same subnet as the ISP router.

I don't use TC myself. It seems you can use it on bridge ports, but I can't find any OpenWrt documentation

Compact · July 20, 2019, 8:31am

Is it possible to have it working without bridge? So eth0.2 is a "pseudo WAN", where LAN traffic is forwarded to? This is kind of setup I want to try making:
VLAN 1 - PCs are connected to this VLAN, they will have internet access from VLAN2
VLAN 2 - Internet cables on port 2 is connected here, pseudo WAN

I tried setting TC on bridge, it seems to not work.

mikma · July 20, 2019, 9:08am

Since you ruled out static routes on the upstream router and NAT on openwrt, then I guess only proxy ARP is left if you want to use routing instead of bridging.

system · July 30, 2019, 9:08am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.