Hi folks,
this is a long post, so I highlight the TL;DR parts and add the config files on the end 
My Vision is to have three separate VLANs, one for my home network devices, one for my IoT trash devices an one for guest. Every VLAN should have internet access but should not be allowed to communicate to another VLAN.
Later on I want to secure one WIFI with Radius and add Adblocking. Before I buy a powerful device like the AVM Firtzbox 4040, I tried to test the setup with my TP-Link TL-WR1043ND v4 and later switching out the device when everything worked and I have saved some money.
But I can’t get it to work.
As I said, I want different VLANs and every VLAN should have its own port on the integrated switch an a wifi assigned to it.
I’m testing now for two days and nothing woks. So please help me. I reset my openwrt router and made notes of my last try. And this is my journey where I try to setup two additional and separated VLANs:
Installed version on the router is OpenWrt 19.07.2 r10947-65030d81f3 / LuCI openwrt-19.07 branch git-20.057.55219-13dd17f.
First thing I have done was to set a root password and updating the IP of the ‘lan’ interface from 192.168.1.1 to 10.0.0.99 because 192.168.1.1 is my gateway device that is connected to the ‘wan’ port.
new settings are:
IP 10.0.0.99
Netmask: 255.0.0.0
So the ‘lan’ no longer conflicts with the ‘wan’ and the router has internet, time to update...
I assigned ssh to the ‘lan’ interface and connect via ssh to the router and run this commands to update alle packages:
opkg update && opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
Worked well, except for this error:
Collected errors:
* resolve_conffiles: Existing conffile /etc/config/dhcp is different from the conffile in the new package. The new conffile will be placed at /etc/config/dhcp-opkg.
* resolve_conffiles: Existing conffile /etc/config/luci is different from the conffile in the new package. The new conffile will be placed at /etc/config/luci-opkg.
So I moved dhcp-opkg to dhcp and luci-opkg to luci, then i rebooted the router.
I Went to network→switch and added two more VLANs and assign each to one single port on the switch.
So it will look like this:
vlan1 → eth0.1 (switch port 1)
vlan2 → eth0.2 (wan port)
vlan3 → eth0.3
vlan4 → eth0.4
The ports are all untagged except for the CPU Column, there they are all tagged.
I want to leave the ‘lan’ interface nearly as it is (except for the IP change), assign it only to port 1 and bridged with the default wireless network (SSID: OpenWrt). This will be used for management purpose only and should have no devices attached to it permanently. Of course I disable the wifi and configure it as an encrypted one.
Further on I added two new interface in network→interfaces, ‘vlan3’ and ‘vlan4’
vlan3:
protocol: static
ip: 10.0.3.1
netmask: 255.0.0.0
bridged: yes
interfaces: eth0.3
dhcp server: enabled
vlan4:
protocol: static
ip: 10.0.4.1
netmask: 255.0.0.0
bridged: yes
interfaces: eth0.4
dhcp server: enabled
Then I went on to the firewall and added two zones for the new VLANs.
Zone vlan3:
input: accept
output: accept
forward: accept
covered networks: vlan3
allow forward destination zone: wan
Zone vlan4:
input: accept
output: accept
forward: accept
covered networks: vlan4
allow forward destination zone: wan
Back to network→ interfaces and the interfaces ‘vlan3’ and ‘vlan4’ now have a nice coloring because of the assigned firewall rules.
So last thing todo is the wifi. As mentioned I want to use radius authentication for my wifi in the future, so I removed ‘wpad-basic’ and install ‘wpad’ in system→software and then rebooted the router.
Then I added the two new wireless networks in networks→wireless.
SSID: vlan3
network: vlan3
encryption: wpa-psk (strong)
SSID: vlan4
network: vlan4
encryption: wpa-psk (strong)
With this setup it thought it should be possible to connect to the wifi ‘vlan3’ or ‘vlan4’ and have internet access.
But it does not work. I can connect to the wireless networks and when I check with the command
ip a && ip r I can see that I get an IP assigned and that the used route is the IP of the network interface of the VLAN: 10.0.3.1 as gateway for wireless network ‘vlan3’ and 10.0.4.1 for the wireless network ‘vlan4’.
But no internet. I even can’t access LuCi, neither by 10.0.0.99 nor by 10.0.3.1 or 10.0.4.1.
Can some one please help me to get the VLANs running, or is it not possible with my device?
greetings
sfm
Here are my config files:
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd38:8b08:383f::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ip6assign '60'
option netmask '255.0.0.0'
option ipaddr '10.0.0.99'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '84:16:f9:66:44:a7'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 4'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 5'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 3'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0t 2'
option vid '4'
config interface 'vlan3'
option proto 'static'
option ifname 'eth0.3'
option type 'bridge'
option netmask '255.0.0.0'
option ipaddr '10.0.3.1'
config interface 'vlan4'
option proto 'static'
option ifname 'eth0.4'
option type 'bridge'
option netmask '255.0.0.0'
option ipaddr '10.0.4.1'
/etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'vlan3'
option input 'ACCEPT'
option forward 'ACCEPT'
option network 'vlan3'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'vlan3'
config zone
option name 'vlan4'
option input 'ACCEPT'
option forward 'ACCEPT'
option network 'vlan4'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'vlan4'
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config dhcp 'vlan3'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'vlan3'
config dhcp 'vlan4'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'vlan4'
/etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/ahb/18100000.wmac'
option htmode 'HT20'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-iface 'wifinet1'
option ssid 'vlan3'
option encryption 'psk2'
option device 'radio0'
option mode 'ap'
option network 'vlan3'
option key 'supersecure'
config wifi-iface 'wifinet2'
option ssid 'vlan4'
option encryption 'psk2'
option device 'radio0'
option mode 'ap'
option network 'vlan4'
option key 'supersecure'
