Network config sanity check

thanks, done.

Do you mind having a look at my TP-Link router config to see if you find any inconsistencies or non-recommended configs? Thanks.

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option ipv6 '0'

config interface 'LAN'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option device 'br-lan'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 4 3 2 1'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '6 5'
	option description 'WAN'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4t 3t 2t 1t'
	option vid '3'
	option description 'NOVPN'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4t 3t 2t 1t'
	option vid '4'
	option description 'GUEST'

config interface 'LTE'
	option device 'eth0'
	option proto 'dhcp'
	option classlessroute '0'

config interface 'NOVPN'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '192.168.5.1'
	option device 'eth1.3'
	option type 'bridge'

config interface 'GUEST'
	option proto 'static'
	option device 'eth1.4'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'VPN'
	option proto 'wireguard'
	option private_key 'xxxx'
	list addresses '10.9.0.2/32'
	option listen_port '51830'
	option delegate '0'
	option force_link '1'
	option defaultroute '0'
	option mtu '1420'

config wireguard_VPN 'wg0'
	option public_key 'xxx'
	option route_allowed_ips '1'
	option persistent_keepalive '0'
	option endpoint_port '51830'
	list allowed_ips '10.9.0.1/32'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '10.9.0.3/32'
	list allowed_ips '10.9.0.4/32'
	option endpoint_host 'xxxx'

config device
	option name 'eth0'
	option ipv6 '0'
	option acceptlocal '0'

I've moved this to a new thread since it was veering off-topic on the previous one.

There are a few things I'd recommend changing...

Typically, all VLANs should be tagged at the CPU, but VLAN 1 is not:

To fix this, change the ports line to look like this:

	option ports '0t 4 3 2 1'

When you do this, you must also update br-lan to expect the tagged CPU port:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option ipv6 '0'

You can remove the classless route option below:

Network interfaces must not contain the bridge line... delete this:

If the above network is attached to wifi (specifically on this device), you'll need to create a new bridge and then update the device in use for this network. This is not needed if wifi is not part of the equation on this specific router. But, if necessary, it would look like this:

config device
	option name 'br-novpn'
	option type 'bridge'
	list ports 'eth1.3'

config interface 'NOVPN'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '192.168.5.1'
	option device 'br-novpn'

For your VPN, this looks like it is acting as a 'client' device...

With that in mind, you can change the address to 10.9.0.2/24, remove the delegate line, and the force_link should not be required either. I'm pretty sure you don't want the default route line, either, but I don't know exactly why you added it, so it's possible you have it there for a good reason.

Then...

You can remove the 10.9.0.x allowed_IPs from the above... they're not needed because we have both the 10.9.0.2/24 in the interface address (which will allow it to reach other hosts on that subnet) and we have 0.0.0.0/0 which means "all IPs".
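The four points raised in this reply (untagged CPU port in a switch_vlan, a bridge declared inside an interface, a stray classlessroute option, and allowed_ips entries made redundant by 0.0.0.0/0) can be checked mechanically. The script below is an added example, not part of the thread or of OpenWrt; it assumes port 0 is the switch CPU port, as the VLAN 3 and 4 stanzas above suggest, and runs on a constructed cut-down sample of the posted stanzas.

```python
import re
# Constructed sample: the stanzas the reply points at, trimmed (not the full posted config).
SAMPLE_UCI = """\
config switch_vlan
	option vlan '1'
	option ports '0 4 3 2 1'
config interface 'LTE'
	option classlessroute '0'
config interface 'NOVPN'
	option device 'eth1.3'
	option type 'bridge'
config wireguard_VPN 'wg0'
	list allowed_ips '10.9.0.1/32'
	list allowed_ips '0.0.0.0/0'
"""

LINE_RE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$")
CPU_PORT = "0"  # assumption: port 0 is the switch CPU port on this device

def parse_uci(text):
    """Parse UCI text into [(type, name, {key: value or [values]})]."""
    sections = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, value, {}))
        elif kind == "option":
            sections[-1][2][key] = value
        else:  # 'list' keys repeat, so collect them
            sections[-1][2].setdefault(key, []).append(value)
    return sections

def lint(text):
    """Apply the reply's recommendations to a parsed config; return findings."""
    findings = []
    for stype, name, o in parse_uci(text):
        tag = f"{stype} {name or o.get('vlan', '')}".strip()
        if stype == "switch_vlan" and CPU_PORT in o.get("ports", "").split():
            findings.append(f"{tag}: CPU port {CPU_PORT} untagged, use '{CPU_PORT}t'")
        if stype == "interface" and o.get("type") == "bridge":
            findings.append(f"{tag}: 'type bridge' belongs in a config device stanza")
        if stype == "interface" and "classlessroute" in o:
            findings.append(f"{tag}: 'classlessroute' can be removed")
        allowed = o.get("allowed_ips", [])
        if stype.startswith("wireguard_") and "0.0.0.0/0" in allowed and len(allowed) > 1:
            findings.append(f"{tag}: 0.0.0.0/0 already covers the other allowed_ips")
    return findings
```

Feed it the output of `cat /etc/config/network` to re-check the config after applying the changes; a clean run returns an empty list.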

thanks,
i will apply the local network suggestions!

Regarding the WireGuard section: yes, it's a client, and the entire network behind this router has VPN internet access via this OpenWrt (depending on the rules in the PBR service on the same router), hence the default route. Also, external clients 0.3 and 0.4 need to access the network behind this OpenWrt machine; the only way of getting this to work was by adding their individual addresses here, I couldn't get it to work by just adding 10.9.0.0.

Edit: I have applied all your recommendations. There is no wifi on this device (disabled due to old age and crappiness, external antennas removed), so no need for bridging; probably leftovers from a legacy (mis)configuration.
On the WG section, I removed force_link and delegate; without default route 0 it routes everybody via WireGuard, and I don't want that since policy-based routing is taking care of who goes where.
I didn't fiddle with the last section of the WG config (subnets) due to the explanation above.

thanks again for your help and expertise!

Glad things are working as expected!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
