New to OpenWrt, help with VLANs

Hello All,

I am newish to OpenWrt and was wondering if someone could help me set up some VLANs. I have an EdgeRouter 12 (ER12) running 21.02.

I would like for my VLANs to be setup like below, unless there is a better recommended way.

VLAN10 – Wireless Devices 10.10.10.1/24
VLAN20 – Wireless Devices (with NordVPN) 10.10.20.1/24
VLAN30 – CCTV (Security Cameras) 10.10.30.1/24
VLAN40 – Smart Devices 10.10.40.1/24

I am thinking about adding VLAN50 for my Unraid NAS, currently it has an IP of 192.168.1.190 but I'd want it to be on 10.10.50.1/24

I pretty much want to tag all the VLANS to every port that way I can access everything from any device on the network if need be.

I figure VLAN20 is going to be the most difficult

Hi,

Assuming you are familiar with VLANs and trunks, here are snippets from my config:

OpenWrt (range extender, single ethernet port):

root@OpenWrt5:~# uci show network | grep @switch
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].ports='6t 4'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].description='VLAN1'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].ports='6t 4t'
network.@switch_vlan[1].vlan='10'
network.@switch_vlan[1].description='VLAN10'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].ports='6t 4t'
network.@switch_vlan[2].vlan='172'
network.@switch_vlan[2].description='VLAN172'
network.@switch_vlan[3]=switch_vlan
network.@switch_vlan[3].device='switch0'
network.@switch_vlan[3].ports='6t 4t'
network.@switch_vlan[3].vlan='1723'
network.@switch_vlan[3].description='VLAN1723'

EdgeOS (ER-X) :

    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
                vlan {
                    pvid 1
                    vid 10
                    vid 172
                }
            }
            interface eth2 {
                vlan {
                    pvid 1
                    vid 10
                    vid 172
                }
            }
            interface eth4 {
                vlan {
                    pvid 1
                    vid 10
                    vid 172
                    vid 1723
                }
            }
            vlan-aware enable
        }
        vif 1 {
            address 192.168.1.1/24
            description DEFAULT
        }
        vif 10 {
            address 10.0.0.1/24
            description LAN
            mtu 1500
        }
        vif 172 {
            address 172.17.0.1/24
            description GUEST
            firewall {
                in {
                    name GUEST_IN
                }
                local {
                    name GUEST_LOCAL
                }
            }
            mtu 1500
        }
        vif 1723 {
            address 172.30.0.1/24
            description "Other Guests"
            firewall {
                in {
                    name GUEST_UNTRUSTED_IN
                }
                local {
                    name GUEST_UNTRUSTED_LOCAL
                }
            }
        }
    }

I understand the EdgeOS config but not the OpenWRT.

I installed 21.02 OpenWRT onto the ER12 and am basically trying to recreate my setup from EdgeOS in OpenWRT.

Please post the EdgeOS config

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group LAN_NETWORKS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "allow established"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "drop invalid packets"
            protocol all
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "allow ICMPv6"
            protocol icmpv6
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "allow established"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "drop invalid packets"
            protocol all
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "allow ICMPv6"
            protocol icmpv6
        }
        rule 40 {
            action accept
            description "allow DHCPv6 client/server"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
        rule 50 {
            action accept
            description "DHCPv6 Relay"
            destination {
                port 547
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description Local
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth5 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth6 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth7 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth8 {
        address 192.168.10.1/24
        description Local2
        duplex auto
        speed auto
    }
    ethernet eth9 {
        address 192.168.2.165/24
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth10 {
        duplex auto
        speed auto
    }
    ethernet eth11 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth0 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                    vid 40
                    vid 50
                    vid 60
                }
            }
            interface eth1 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                    vid 40
                    vid 50
                    vid 60
                }
            }
            interface eth2 {
                vlan {
                    pvid 30
                    vid 10
                    vid 20
                    vid 40
                    vid 50
                    vid 60
                }
            }
            interface eth3 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                    vid 40
                    vid 50
                    vid 60
                }
            }
            interface eth4 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                    vid 40
                    vid 50
                    vid 60
                }
            }
            interface eth5 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                    vid 40
                    vid 50
                    vid 60
                }
            }
            interface eth6 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                    vid 40
                    vid 50
                    vid 60
                }
            }
            interface eth7 {
                vlan {
                    pvid 1
                    vid 10
                    vid 20
                    vid 30
                    vid 40
                    vid 50
                    vid 60
                }
            }
            vlan-aware enable
        }
        vif 1 {
            address 192.168.1.1/24
        }
        vif 10 {
            address 10.10.10.1/24
            description VPN
        }
        vif 20 {
            address 10.10.20.1/24
            description AP
        }
        vif 30 {
            address 10.10.30.1/24
            description CCTV
            mtu 1500
        }
        vif 40 {
            address 10.10.40.1/24
            description NAS
            mtu 1500
        }
        vif 50 {
            address 10.10.50.1/24
            description SMART
            mtu 1500
        }
        vif 60 {
            address 10.10.60.1/24
            description "SELF- HOSTED"
            mtu 1500
        }
    }
    zerotier zt44xdiic2 {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0.1
    wan-interface eth9
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name AP {
            authoritative enable
            subnet 10.10.20.0/24 {
                default-router 10.10.20.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.10.20.38 {
                    stop 10.10.20.243
                }
            }
        }
        shared-network-name CCTV {
            authoritative enable
            subnet 10.10.30.0/24 {
                default-router 10.10.30.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.10.30.38 {
                    stop 10.10.30.243
                }
            }
        }
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 192.168.10.38 {
                    stop 192.168.10.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                static-mapping TP-LinkAP245 {
                    ip-address 192.168.1.42
                }
            }
        }
        shared-network-name NAS {
            authoritative enable
            subnet 10.10.40.0/24 {
                default-router 10.10.40.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.10.40.38 {
                    stop 10.10.40.243
                }
                static-mapping NAS {
                    ip-address 10.10.40.190
                }
            }
        }
        shared-network-name SELF-HOSTED {
            authoritative enable
            subnet 10.10.60.0/24 {
                default-router 10.10.60.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.10.60.38 {
                    stop 10.10.60.243
                }
            }
        }
        shared-network-name SMART {
            authoritative enable
            subnet 10.10.50.0/24 {
                default-router 10.10.50.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.10.50.38 {
                    stop 10.10.50.243
                }
                static-mapping EP40_Outdoor_Front_Plugs {
                    ip-address 10.10.50.45
                }
                static-mapping HS200_Carport_Light {
                    ip-address 10.10.50.42
                }
                static-mapping HS200_Front_Porch_Light {
                    ip-address 10.10.50.39
                }
                static-mapping Honeywell_Thermostat {
                    ip-address 10.10.50.40
                }
                static-mapping KP400_Outdoor_Back_Plugs {
                    ip-address 10.10.50.38
                }
            }
        }
        shared-network-name VPN {
            authoritative enable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 103.86.96.100
                dns-server 103.86.99.100
                lease 86400
                start 10.10.10.38 {
                    stop 10.10.10.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 10000
            listen-on eth8
            listen-on switch0.10
            listen-on switch0.20
            listen-on switch0.40
            listen-on switch0.1
            listen-on switch0.60
            listen-on switch0.50
            name-server 1.1.1.1
            name-server 1.0.0.1
            options listen-address=10.10.20.0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth9
            type masquerade
        }
        rule 5020 {
            destination {
                address 192.168.1.42
            }
            outbound-interface switch0.1
            source {
                address 10.10.20.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    crash-handler {
        send-crash-report false
    }
    gateway-address 192.168.2.1
    host-name EdgeRouter-12
    name-server 1.1.1.1
    name-server 1.0.0.1
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository stretch {
            components "main contrib non-free"
            distribution stretch
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

Note that I want to change or remove some of the VLANs from EdgeOS. Also, I never could get the NordVPN VLAN (vif 20) to work.

Ok. Using uci, you could set e.g. the following (assuming 12 is the single CPU port that functions as the internal trunk; use 'swconfig dev switch0 help' to see which port(s) are your CPU port(s)). Note that you can also do this graphically in the LuCI UI (under Switch)...

Then, as an example for VLAN1, use 'uci set [key]=[value]':

network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].ports='0 1 3 4 5 6 7 12t'
network.@switch_vlan[0].vlan='1'

and continue with the others; notice the 't' suffix for non-PVID VLANs on the trunk.

Then assign matching 802.1q devices (starting from 1 here, assuming the br-lan is already in place).
Note that you can also do this graphically in the LuCI UI (under Interfaces, with its sub-tabs)...

network.@device[1]=device
network.@device[1].name='eth0.1'
network.@device[1].type='8021q'
network.@device[1].ifname='eth0'
network.@device[1].vid='1'
network.@device[2]=device
network.@device[2].name='br-vlan1'
network.@device[2].type='bridge'
network.@device[2].ports='eth0.1'

...and continue with the others.

Then assign the interfaces...

network.VLAN1=interface
network.VLAN1.proto='static'
network.VLAN1.ipaddr='192.168.1.1'
network.VLAN1.netmask='255.255.255.0'
network.VLAN1.device='br-vlan1'

Then assign the services, e.g. (not in your config, just made up as an example).
This can also be set graphically in the LuCI UI under Network -> DHCP and DNS.

dhcp.VLAN1=dhcp
dhcp.VLAN1.interface='VLAN1'
dhcp.VLAN1.start='100'
dhcp.VLAN1.limit='150'
dhcp.VLAN1.leasetime='12h'
dhcp.VLAN1.ra_flags='none'

...and continue with the others.

Then set up dnsmasq - best to refer to https://openwrt.org/docs/guide-user/base-system/dhcp

Finally, don't forget the 'uci commit'!

Hope that clarifies.
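The steps above (switch_vlan, 802.1q device, bridge, interface, DHCP pool) repeated by hand for six VLANs are error-prone, so here is an added example, not code from the thread, that generates the whole `uci batch` input for the original poster's VLAN plan in one pass. It assumes, as the reply above does, that switch ports 0-7 are the LAN ports, port 12 is the CPU port and that port is eth0; the interface names (mgmt, wifi, wifivpn, cctv, smart, nas), the per-port PVIDs (eth2 untagged in the CCTV VLAN, like the EdgeOS config) and the DHCP pool sizes are this example's choices. Check the port numbers with 'swconfig dev switch0 help' and remove the stock lan interface, br-lan device and switch_vlan sections before applying, so VLAN 1 is not defined twice.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a `uci batch` script that builds the
# original poster's VLAN layout on an OpenWrt 21.02 swconfig target in one pass
# (switch_vlan -> 8021q device -> bridge -> interface -> dhcp pool for each VLAN).
# Assumptions (check them with `swconfig dev switch0 help` on the ER-12 before use):
#   - switch ports 0-7 are the LAN ports and port 12 is the CPU port, as in the reply above
#   - the CPU port is eth0, so tagged sub-interfaces are eth0.<vid>
#   - the stock switch section 'switch0' (enable_vlan=1) is kept; the stock 'lan' interface,
#     'br-lan' device and switch_vlan sections were deleted first (`uci show network` lists them)
# Apply on the router with:  sh gen_vlans.sh | uci batch && uci commit && /etc/init.d/network restart

CPU_PORT=12
LAN_PORTS="0 1 2 3 4 5 6 7"

# Untagged VLAN (PVID) per switch port, mirroring the EdgeOS config above:
# eth2 carries CCTV untagged, every other port falls into VLAN 1 untagged.
pvid_of() {
    case "$1" in
        2) echo 30 ;;
        *) echo 1 ;;
    esac
}

# VLAN table: "vid interface-name gateway-ip description" (names are this example's choice)
VLANS="1 mgmt 192.168.1.1 Management
10 wifi 10.10.10.1 Wireless
20 wifivpn 10.10.20.1 Wireless-via-VPN
30 cctv 10.10.30.1 CCTV
40 smart 10.10.40.1 Smart-devices
50 nas 10.10.50.1 NAS"

# swconfig 'ports' string for one VLAN: a port is untagged when its PVID is this VLAN,
# tagged ('t' suffix) otherwise; the CPU port is always tagged so every VLAN reaches the router.
ports_for_vlan() {
    vid=$1
    out=""
    for p in $LAN_PORTS; do
        if [ "$(pvid_of "$p")" = "$vid" ]; then
            out="$out $p"
        else
            out="$out ${p}t"
        fi
    done
    echo "${out# } ${CPU_PORT}t"
}

# uci batch lines for one VLAN. DHCP pool .38-.243 matches the EdgeOS pools (start 38, 206 leases).
emit_vlan() {
    vid=$1; name=$2; ip=$3; desc=$4
    cat <<EOF
set network.vlan${vid}=switch_vlan
set network.vlan${vid}.device='switch0'
set network.vlan${vid}.vlan='${vid}'
set network.vlan${vid}.ports='$(ports_for_vlan "$vid")'
set network.vlan${vid}.description='${desc}'
set network.dev_${name}=device
set network.dev_${name}.type='8021q'
set network.dev_${name}.ifname='eth0'
set network.dev_${name}.vid='${vid}'
set network.dev_${name}.name='eth0.${vid}'
set network.br_${name}=device
set network.br_${name}.type='bridge'
set network.br_${name}.name='br-${name}'
set network.br_${name}.ports='eth0.${vid}'
set network.${name}=interface
set network.${name}.proto='static'
set network.${name}.device='br-${name}'
set network.${name}.ipaddr='${ip}'
set network.${name}.netmask='255.255.255.0'
set dhcp.${name}=dhcp
set dhcp.${name}.interface='${name}'
set dhcp.${name}.start='38'
set dhcp.${name}.limit='206'
set dhcp.${name}.leasetime='24h'
EOF
}

# Whole batch: one block per table row.
emit_all() {
    echo "$VLANS" | while read -r vid name ip desc; do
        emit_vlan "$vid" "$name" "$ip" "$desc"
    done
}

emit_all
```

Running the script prints the batch without touching the router, so you can read it first; the ports strings come out as '0t 1t 2 3t 4t 5t 6t 7t 12t' for VLAN 30 and '0 1 2t 3 4 5 6 7 12t' for VLAN 1, which is the same pattern the reply above shows by hand. Nothing here restricts traffic between the VLANs; that is the firewall's job.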

Thank you so much!

So if ports 0-7 are the switch ports, 8 & 9 can be used as WAN in, 10 & 11 are SFP, and then there is another port for console. Does this change anything you posted?

I'll use both 8 and 9 as wan in. I also think the sfp ports can be used as wan in but I am not 100%

Also is the vlan1 (192.168.1.1) needed?

Sorry for my amateurishness. It took me forever to figure out the VLANs on EdgeOS and it still wasn't 100% how I wanted it : /

No worries, actually it gets better with practice 😀. You'll just need to bridge your WAN and other connections (serial I suppose you can supply with a dedicated address).

Please make sure you check the CPUs (if you have more than one). Your WAN needs to be either on the same one (best performance), or tagged. Also, you'll likely want DHCP configured there.

Also keep an eye on the firewall; by default OpenWrt allows inter-VLAN communication...

Good luck with the set up!

This is not entirely true, but it depends on the firewall configuration. As it turns out, EdgeMax does allow inter-VLAN routing by default, but the firewall has a different mode of operation. In a zone based firewall (ZBF), there are several ways to allow/prohibit inter-VLAN routing.

see the below, for example:

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

Because in this zone, forward is set to 'ACCEPT' , any networks that are included in this zone will have inter-VLAN routing allowed (this is intra-zone). If you set it to 'DROP' or 'REJECT', intra-zone (and thus inter-VLAN) routing is no longer possible (at least not without additional firewall rules) between any two networks in the same zone.

If each network is assigned to a different zone, you need to have an explicit rule (or rules) to allow inter-VLAN routing... by default it is not allowed.

A rule like the one below will allow one zone/network to initiate connections to the other, but not the other way around (obviously you can create another forwarding stanza with the source and destination reversed).

config forwarding
	option src 'lan'
	option dest 'wan'

You can also create additional firewall rules with slightly different structures to allow or prohibit inter-zone or inter-VLAN routing, depending on your needs/goals, including very granular rules that operate at the level of the host, protocol, port, or time as well.

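To make the zone-per-VLAN approach from the post above concrete, here is an added example (not code from the thread) that writes a complete /etc/config/firewall for the original poster's networks: every VLAN in its own zone with forward set to REJECT, a one-way 'forwarding' entry for each direction that is meant to initiate connections, and explicit rules so the untrusted VLANs can still reach DHCP and DNS on the router. The zone and interface names (mgmt, wifi, wifivpn, cctv, smart, nas, wan) and the policy itself (cameras get no internet and cannot reach any other VLAN, management reaches everything, wireless reaches the NAS and the internet) are this example's assumptions, and can_forward() is a small check of that policy table, not an OpenWrt command.

```shell
#!/bin/sh
# Added example, not code from the thread: one firewall zone per VLAN, so inter-VLAN traffic
# is rejected unless a 'forwarding' section (or a rule) allows it, as the reply above describes.
# Assumes interfaces named mgmt, wifi, wifivpn, cctv, smart, nas and wan (names chosen for this
# example). Output is /etc/config/firewall syntax; review it, then install with:
#   sh gen_firewall.sh > /etc/config/firewall && /etc/init.d/firewall restart

ZONES="mgmt wifi wifivpn cctv smart nas"

# Policy table: one "src dst" line per direction in which connections may be initiated.
# Anything not listed is rejected by each zone's forward policy. cctv never appears as a
# source: cameras get no internet and cannot reach other VLANs, while mgmt can still reach them.
FORWARDINGS="mgmt wan
mgmt wifi
mgmt wifivpn
mgmt cctv
mgmt smart
mgmt nas
wifi wan
wifi nas
wifivpn wan
smart wan
nas wan"

# A zone: forward 'REJECT' means two networks in the same zone could not talk either;
# input is ACCEPT only for mgmt, the other VLANs get DHCP/DNS to the router by explicit rule.
emit_zone() {
    cat <<EOF
config zone
	option name '$1'
	list network '$1'
	option input '$2'
	option output 'ACCEPT'
	option forward 'REJECT'

EOF
}

emit_firewall() {
    cat <<EOF
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

EOF
    for z in $ZONES; do
        if [ "$z" = mgmt ]; then emit_zone "$z" ACCEPT; else emit_zone "$z" REJECT; fi
    done
    cat <<EOF
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

EOF
    echo "$FORWARDINGS" | while read -r src dst; do
        printf "config forwarding\n\toption src '%s'\n\toption dest '%s'\n\n" "$src" "$dst"
    done
    # untrusted VLANs still need DHCP (67/udp) and DNS (53) from the router itself
    for z in wifi wifivpn cctv smart nas; do
        cat <<EOF
config rule
	option name 'Allow-DHCP-DNS-$z'
	option src '$z'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

EOF
    done
}

# Policy check: may zone $1 initiate a connection to zone $2 under the table above?
# Forwardings are one-way (replies are matched by conntrack), so "mgmt cctv" does not
# imply "cctv mgmt".
can_forward() {
    [ "$1" != "$2" ] || return 1
    echo "$FORWARDINGS" | grep -qx "$1 $2"
}

emit_firewall
```

The generated file replaces the stock one, so keep the wan zone's masq and mtu_fix as shown or internet access breaks. Compared with putting all VLANs into the single 'lan' zone with forward 'ACCEPT', the cost of this layout is that every new cross-VLAN need (a phone reaching a camera stream, for instance) requires an explicit forwarding or a narrower rule, which is exactly the review point the post above makes.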