No Internet Connection on VLAN Setup with Archer C7 v5 running OpenWrt 23

Wow, I think that was it!

When I am on SSID OpenWRT, I can reach LuCI at 10.0.0.2, but not 10.0.10.1. I have internet access and I can ping 10.0.10.1 and other sites.

When I am on SSID VLAN10_Wifi, I cannot reach LuCI at 10.0.0.2 or 10.0.10.1. I have internet access, but I cannot ping the main router at 10.0.0.1 nor the AP at 10.0.0.2.

Thank you so much! I really appreciate all of your help. Now I'm going to make a few more VLANs :grin:

Awesome! I'm really sorry for that typo... so incredibly small, but so consequential!!!

Glad it is all working now! Enjoy!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


SOLUTION SUMMARY: (over several postings)

  1. First I factory reset and made the following configuration changes.
  2. I made an SSID called VLAN10_Wifi for this and confirmed that it was working (on the lan) and that a device connecting to it gets an address in the 10.0.0.0/24 subnet and is able to access the internet.
  3. I then added the gateway and DNS to the lan interface.
  4. I added these to my network config file.

```
config device
	option name 'br-vlan10'
	option type 'bridge'
	option bridge_empty '1'

config interface 'vlan10'
	option proto 'static'
	option device 'br-vlan10'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'
```

  5. And these to my dhcp file.

```
config dhcp 'vlan10'
	option interface 'vlan10'
	option start '100'
	option limit '150'
	option leasetime '12h'
```

  6. And these to my firewall.

```
config zone
	option name 'vlan10'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan10'

config forwarding
	option src 'vlan10'
	option dest 'lan'
```

  7. I added masquerading to the lan firewall zone.

```
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'
```

  8. I changed my SSID (VLAN10_Wifi) to use vlan10, then I rebooted and tested the wifi.

```
config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'VLAN10_Wifi'
	option encryption 'psk2'
	option key 'CANUscu10'
	option network 'vlan10'
```

  9. I edited the vlan10 zone to reject input.

```
config zone
	option name 'vlan10'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan10'
```

  10. I added traffic rules to allow DHCP and DNS and to block access from the upstream network.

```
config rule
	option name 'Allow-DHCP'
	list proto 'udp'
	option src 'vlan10'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS'
	option src 'vlan10'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Isolate-vlan10'
	list proto 'all'
	option src 'vlan10'
	option dest 'lan'
	list dest_ip '10.0.0.0/24'
	option target 'REJECT'
```

...And it worked! I tested throughout and rebooted as I made changes. Big thanks to @psherman for all of the help.


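An offline check of the isolation that the solution summary builds up to, as an added example that is not part of the original posts: it parses firewall config text and reports whether a zone still exposes the AP's own services or can still forward into a protected subnet. The function names and the two sample configs are constructed here (trimmed from the page's step 6 and steps 9 to 10), and only IPv4 `dest_ip` values are handled.

```python
import ipaddress
import shlex
# Constructed samples: vlan10 as first added on the page, then as finally hardened.
BEFORE = """config zone
	option name 'vlan10'
	option input 'ACCEPT'
config forwarding
	option src 'vlan10'
	option dest 'lan'
"""
AFTER = BEFORE.replace("'ACCEPT'", "'REJECT'") + """config rule
	list proto 'all'
	option src 'vlan10'
	option dest 'lan'
	list dest_ip '10.0.0.0/24'
	option target 'REJECT'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {option: [values]}), ...]."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"]:
            sections.append((tok[1], {}))
        elif tok[:1] in (["option"], ["list"]) and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def blocks(rule, dest, net):
    """True if `rule` rejects all protocols to every address of `net` in zone `dest`."""
    nets = [ipaddress.ip_network(ip, strict=False) for ip in rule.get("dest_ip", [])]
    # proto must be 'all': a rule without proto matches only TCP and UDP, so ICMP passes.
    return (rule.get("dest") == dest and rule.get("proto") == ["all"]
            and rule.get("target", [""])[0] in ("REJECT", "DROP")
            and any(net.subnet_of(n) for n in nets))

def audit_zone(text, zone, protected):
    """Return findings; an empty list means `zone` is isolated from IPv4 CIDR `protected`."""
    net, secs = ipaddress.ip_network(protected), parse_uci(text)
    rules = [o for t, o in secs if t == "rule" and o.get("src") == [zone]]
    findings = []
    for t, o in secs:
        if t == "zone" and o.get("name") == [zone] and o.get("input") not in (["REJECT"], ["DROP"]):
            findings.append("input is not REJECT/DROP: clients can reach services on the AP")
        fwd = t == "forwarding" and o.get("src") == [zone]
        if fwd and not any(blocks(r, o.get("dest"), net) for r in rules):
            findings.append(f"forwarding to {o.get('dest', ['?'])[0]} can reach {protected}")
    return findings
```

Calling `audit_zone(open("/etc/config/firewall").read(), "vlan10", "10.0.0.0/24")` against a copy of the real file gives the same check for each additional VLAN zone.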