New and having issues with understanding the naming and organisation of OpenWrt

Hi everyone, I'm kinda new to OpenWrt and I think I'm going crazy. It feels like nothing is named the way I expect and nothing I do has the effect I assume it will have.

What I wanna do is frankly quite simple. Firstly I wanna divide my network into VLANs, secondly I wanna set IP addresses and hostnames for my devices, and thirdly I wanna be able to VPN into my network while away.

I tried changing the VLAN of one of the switch ports but nothing seems to have happened at all. It acts as if I've done nothing. The device still gets an IP address following the rules of the main VLAN, and is accessible from another VLAN. (Does OpenWrt not distinguish between different subnets[comment 1] and just treat everything like it's in the same network? In that case, why have a VLAN selector?) On a similar point, I also can't find where I choose which VLAN the router is on, and in which subnet it should exist.

I also tried to set up IP addresses for my different devices, but the DHCP server only lets me pick already occupied IP addresses, which just feels crazy. Surely I must be doing something wrong :sweat_smile:

I tried setting up a WireGuard server, and the software gives me no option of assigning the WireGuard clients any IP addresses (it doesn't even allow me to give them a subnet range in the standard LAN) or VLAN, so I have no idea which VLAN they will end up in (or subnet).

I also tried to divide my VLANs into subnets, but can't find any way of doing that.

Please help. It feels like everything has different names than I'm used to. What does OpenWrt call these things, and where are these functions hidden?

PS.

I would also love to find the device index showing me the layer 2/3 connections of the router, so I can troubleshoot some devices I'm having issues identifying on the network.

And I'd love to find where the main DHCP database is hidden (with subnet and VLAN IDs). The one I found doesn't seem to understand what a VLAN or a subnet is (or these maybe have other names in OpenWrt).

[Comment 1] Before anyone comments: I'm aware that subnets and VLANs aren't the same thing. What I'm referring to is that you normally can't access a computer on a different subnet, and every VLAN contains its own subnets, so that for example 10 192.168.1.4 (where 10 is the VLAN ID) and 20 192.168.1.4 (where 20 is the VLAN ID) may look like the same device, but because they are in different VLANs and each VLAN is a network of its own containing its own subnets, they are in fact different devices (unless we've chosen to bridge the device or place it in multiple VLANs with the same IP in both [in case the device has built-in VLAN tagging support], as we may with a router, DNS server or firewall).

All of this is possible.

We'll need to see your config to be able to help with this... but VLANs are absolutely possible and do work (with the exception of a few specific devices where there are bugs; that's the exception, not the rule).

At the bottom of the dropdown, you'll see a text entry box where you can type in the address you want to use. Enter the desired address into the box and then hit enter/return.

WireGuard is a routed VPN protocol, so it cannot use the subnet of any other network on your router. This is true regardless of the OS that WG is deployed on -- the subnet must be different because it is routed. Therefore, the peer allowed IPs must be in a different subnet than the lan/VLANs. The typical approach is to make the WG interface a unique subnet with size /24, and then each peer will have an address (/32) in that WG subnet.

Let's look at your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

There are a few good videos that might help you: https://openwrt.org/docs/guide-user/network/wifi/dumbap#external_videos_for_reference

Basically, set up different interfaces on different subnets and enable VLAN tagging. Without knowing more about your setup, it is difficult to comment further.


I realized I didn't fully address all your questions:

This is not a thing... VLANs apply to ethernet only (although we often use the term loosely to refer to the idea of using multiple subnets). You can only have one subnet assigned to a VLAN. So, you can divide your overall network into multiple different subnets, and then assign those subnets to a given VLAN (assuming you're using ethernet, or assign them to wifi radios if that's the use case), but you can't put multiple subnets onto a single VLAN or wifi radio* (there is a way to use a single SSID with multiple passwords, and the passwords actually define which subnet is assigned to the client during authentication; but this is a more advanced thing and very different from the typical use).

Many of the terms OpenWrt uses are relatively standard, but there are certainly definitions/terms that are different between vendors/OSs. What are you used to using, and what terms/concepts are you having trouble finding in OpenWrt?

Let's first get through your main config... then we'll address these things. (but basically you'll be able to see them via route, ip route and ip neigh).

cat /tmp/dhcp.leases

The DHCP server is not aware of the VLAN IDs -- this is again an ethernet/L2 thing, and the DHCP server is running as part of an L3 interface. A common practice is to use /24 networks and then designate the 3rd octet as the same as the VLAN ID. So for example, if I have VLAN 101, I might use that with subnet 10.0.101.0/24. Then it is very clear which address belongs with which VLAN ID.

This is a function of the firewall configuration, and is absolutely possible to do.

This certainly isn't possible on any routing OS that I am aware of. You have defined the exact same address on two VLANs. That's not possible in any OS. Further, they would be part of overlapping subnets... If you have the same or overlapping addresses/subnets assigned to multiple interfaces, there would be routing ambiguity and things would break. What routing OS were you using that allowed this and can you show an example of this configuration working?

## System info
kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "Netgear R6020",
        "board_name": "netgear,r6020",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"

## Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ' BLANK '

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr ' BLANK '

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config switch_vlan
        option device 'switch0'
        option ports '2 6t'
        option vlan '50'
        option description 'IP-Telefoni'

config interface 'PHONE TEST'
        option proto 'wireguard'
        option private_key ' BLANK '

## Wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option channel '1'
        option band '2g'
        option legacy_rates '1'
        option cell_density '0'
        option country 'SE'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid ' BLANK '
        option encryption 'sae-mixed'
        option key ' BLANK '
        option disassoc_low_ack '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid ' BLANK '
        option encryption 'sae-mixed'
        option key ' BLANK '

## DHCP

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'ssl-server.nethost.lan'
        option ip '192.168.1.90'

config domain
        option name 'storage.nethost.lan'
        option ip '192.168.1.98'

config host
        option name 'smarthome.nethost.lan'
        list mac ' BLANK '
        option ip '192.168.1.99'

## Firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Context

I've reset many parts of the router today to try and clear up any mess I may have made.

The basic system I've worked with up to now is that IP addresses between 0-99 are reserved and the DHCP server hands out addresses from 100-150. This is so that I can easily assign IP addresses.

Since early January I've been trying to segregate my network, however I've continued to run into very basic issues, and generally felt a bit overwhelmed, so I've tried to take it slow.

Today's project was the WireGuard server, but since I couldn't segregate out my IP phone I didn't wanna turn on the system (my IP phone is from an ISP, and it is not a trusted device, therefore I don't want it running in the same network as any other device).

Most firewall rules should be close to standard (if I haven't screwed anything up), and while I feel like the interface list is weird looking, I believe most of the weirdness (like having multiple standard LANs, one of them a bridge?) is from the standard configuration of my router.

My skill level in these things is what I'd call intermediate, I have a theoretical understanding of how networks work, and some professional knowledge, however I'm also kinda new, and don't have a lot of experience with different systems, so while I feel comfortable sketching and planning a system, and deploying some brands, switching between different "brands/OS:es" is still quite hard.

Most of my configuration this far has been done through the web interface as I didn't wanna dig too much in my home router, but I suspect the CLI is easier once I get a more thorough understanding of OpenWrt.

I've mostly used pfSense, Cisco, Aruba, and Ubiquiti, however I don't know how standard those deployments were.

Many of the deployments were for different business networking companies who more or less used the VLANs in parallel to manage multiple customers' networks on the same routers, where each VLAN acted more or less as a router in its own right, however the provider (ISP + business networking company) could manage them in the same system.

The main routers did cost a few million euros each, so this may not be standard in the networking world.

I've switched fields so I'm not in that company any longer. However they had some really fun equipment deployments.

Not quite...

  • Address .0 (on a /24 subnet) is not a valid host address, so it cannot be used.
  • Address .1 is commonly, but not required to be used by the router itself.
  • Addresses .2-.99 are available, but the DHCP server (by default) is not configured to distribute these as part of the pool.

Again, not quite right here...

  • When looking at the default config, the start address is .100, so that is correct.
  • The limit is the size of the pool -- by default this is 150. That means there are 150 addresses in the pool.
  • The equation for the range is start - (start + limit - 1), which means that the DHCP server pool is .100-.249

This is good.

The lack of current separation of your IP phone doesn't have any impact on, or effect on, a VPN server type configuration.

But which would you like to tackle first? A VLAN for your IP phone, or a WG server config.

Quick glance says yes, this is okay.

The lan bridge is a standard construct. The config looks mostly normal except for the VLAN50 stanza on the switch and the (incomplete) wireguard config.

None of these devices would allow you to use the same address on multiple VLANs and have those assigned to different devices. All of these brands use standard routing topologies where every attached network/subnet must be unique.

Well yes, sorry, I'm a bit tired.

Yeah, once again my fault, you're right.

Separating out the devices is higher priority so that I know which devices are able to speak to whom.

Good, then I haven't fucked up my network too much. The WireGuard deployment can wait.

Interesting, well I worked as a consultant and the companies I worked with did a lot of weird stuff involving a lot of virtualisation, so I have no idea what the upstream looked like exactly; this was just how the devices lower down acted. They may run their own custom system in the backend. We were only told enough to assist in their deployments.

For example. For me an interface is always physical, so a physical port or antenna, and a device is always something external connected to the switch or router. I'd never seen a system which used interface or device to refer to anything else until I opened OpenWrt.

The terms port, device, and interface can certainly be confusing within OpenWrt. That one is just something you'll have to get used to.

So, based on your current config, I'm guessing you want to put the phone on VLAN 50. This is assigned to logical port 2 (which may or may not be physical port 2 as labeled on your router).

You need to create a new network interface, and probably a DHCP server. You will also need to assign it to a firewall zone. So let's do that:

Add this to your network config file:

config interface 'phone'
        option device 'eth0.50'
        option proto 'static'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'

and add this to your dhcp file:

config dhcp 'phone'
        option interface 'phone'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

And finally, in your firewall, add this:

config zone
        option name 'phone'
        list network 'phone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'phone'
        option dest 'wan'

We can tighten the phone firewall zone later, but this current config reduces the number of potential issues.

Restart your router after making the changes. Then, plug a device (ideally your computer) into each port of your router -- one of them will issue an IP in the 192.168.50.0/24 network (ideally it is port 2, but it could be a different one, depending on the logical<->physical port mapping).

That new network will have access to the internet, but the two networks will be isolated from each other.
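As an added example (not from this thread and not OpenWrt's own code), the script below applies the checks made in the replies above to embedded copies of the lan and proposed phone config: every interface gets its own non-overlapping subnet (the point made about WireGuard needing a separate subnet and about the same address on two VLANs), the dnsmasq pool runs from start to start+limit-1, and each interface should be listed in a firewall zone. The `wg0` interface, its `10.0.200.1/24` address and the trimmed-down config fragments are constructed sample input, not the poster's actual config.

```python
"""Offline sanity checks for OpenWrt UCI network/dhcp/firewall fragments.
Added example, not part of the forum thread or of OpenWrt itself."""
import ipaddress
import re

# Constructed sample: the existing lan, the proposed 'phone' VLAN interface,
# and a hypothetical WireGuard interface (wg0 / 10.0.200.1/24 are assumptions).
NETWORK = """
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
config interface 'phone'
        option device 'eth0.50'
        option proto 'static'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '10.0.200.1/24'
"""
DHCP = """
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
config dhcp 'phone'
        option interface 'phone'
        option start '100'
        option limit '150'
"""
FIREWALL = """
config zone
        option name 'lan'
        list network 'lan'
config zone
        option name 'phone'
        list network 'phone'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options', 'lists'}] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2),
                             "options": {}, "lists": {}})
            continue
        m = KV_RE.match(line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = val
            else:
                sections[-1]["lists"].setdefault(key, []).append(val)
    return sections


def interface_subnets(network_text):
    """Map interface name -> IPv4 network for static and wireguard interfaces."""
    subnets = {}
    for s in parse_uci(network_text):
        if s["type"] != "interface":
            continue
        proto = s["options"].get("proto")
        if proto == "static" and "ipaddr" in s["options"]:
            cidr = f"{s['options']['ipaddr']}/{s['options'].get('netmask', '255.255.255.255')}"
        elif proto == "wireguard" and s["lists"].get("addresses"):
            cidr = s["lists"]["addresses"][0]  # first address of the WG interface
        else:
            continue
        subnets[s["name"]] = ipaddress.ip_interface(cidr).network
    return subnets


def overlapping(subnets):
    """Pairs of interfaces whose subnets overlap (routing would be ambiguous)."""
    names = sorted(subnets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if subnets[a].overlaps(subnets[b])]


def dhcp_pools(dhcp_text, subnets):
    """Interface -> (first, last) pool address; dnsmasq uses start..start+limit-1."""
    pools = {}
    for s in parse_uci(dhcp_text):
        o = s["options"]
        if s["type"] != "dhcp" or o.get("ignore") == "1" or o.get("interface") not in subnets:
            continue
        net = subnets[o["interface"]]
        start, limit = int(o.get("start", 100)), int(o.get("limit", 150))
        last = net.network_address + start + limit - 1
        if last >= net.broadcast_address:
            raise ValueError(f"{o['interface']}: pool runs past the end of {net}")
        pools[o["interface"]] = (str(net.network_address + start), str(last))
    return pools


def unzoned(network_text, firewall_text):
    """Interfaces (other than loopback) that no firewall zone lists."""
    ifaces = {s["name"] for s in parse_uci(network_text)
              if s["type"] == "interface" and s["name"] != "loopback"}
    zoned = set()
    for s in parse_uci(firewall_text):
        if s["type"] == "zone":
            zoned.update(s["lists"].get("network", []))
    return sorted(ifaces - zoned)


if __name__ == "__main__":
    subs = interface_subnets(NETWORK)
    print("subnets:", {k: str(v) for k, v in subs.items()})
    print("overlaps:", overlapping(subs))
    print("pools:", dhcp_pools(DHCP, subs))
    print("not in any zone:", unzoned(NETWORK, FIREWALL))
```

On a router you would feed it the real files (`cat /etc/config/network` and friends over ssh) instead of the embedded strings. With the sample above it reports no overlaps, a .100-.249 pool on both the lan and phone networks, and flags `wg0` as not belonging to any zone, which is the same gap the incomplete WireGuard interface in the posted config has.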

I'll try that in a second. However my Internet connection just disappeared on restart, so I'll have to try to reset it first. One moment.

And thanks for all your patience, I'm not in my best state today :sweat_smile: this has been an ongoing frustration for a while now