One WAN port, multiple PPPoE connections to different VLANs

Hello,

I'm using an old laptop as my OpenWrt router. It has 2 ports: one USB 2.5GbE adapter and the internal 1GbE. The 2.5GbE is my WAN port, and my ISP allows me to have multiple IPs (to a certain extent); however, I do not have any free USB ports to plug in a 2nd Ethernet adapter.

My questions are:

  1. How can I set up multiple PPPoE WAN connections on a single WAN port? SOLVED (just use a macvlan or bridge device with the WAN port as a member, plus 2 virtual Ethernet devices with different MAC addresses)
  2. I have some VLANs to separate my security system from my home network, and I would like to dedicate a separate WAN IP to them; how can I proceed with that?

What I tried:

  • I tried using macvlan (as shown in the mwan3 guide). I do get 2 IPs and all, but only one of them has internet access on the LAN side (both still ping google fine when I try from inside OpenWrt, specifying either interface with -I).
  • I tried bridging 2 virtual Ethernets and the WAN port, dedicating each virtual Ethernet to one of the 2 WAN interfaces; both connect, but as before only one of them gets internet access.
  • I am using 4 different zones: LAN/WAN for home (configured properly) and SLAN/SWAN for my security-system network, set up the same way the default LAN/WAN zones are.
  • Both WAN interfaces get different IPs, but only the last one to connect gets to route its internet traffic to its dedicated zone: if WAN connects last, SLAN has no internet access; likewise, if SWAN connects last, LAN has no internet access.

Thank you.

Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
  • ubus call system board:
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "Intel(R) Core(TM) i5-3230M CPU @ 2.60GHz",
        "model": "Hewlett-Packard HP ProBook 4540s",
        "board_name": "hewlett-packard-hp-probook-4540s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "x86/64",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
  • cat /etc/config/network:
# /etc/config/network as posted. Two PPPoE uplinks share one physical WAN
# port through macvlan devices; every LAN-side network hangs off the single
# bridge br-lan (eth1) via bridge-vlan filtering.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd94:328e:9bbc::/48'
        option packet_steering '1'

# Single-member bridge: eth1 (the internal 1GbE, per the post) is the only
# port, and it carries every LAN-side VLAN defined in the bridge-vlan
# sections below.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

# Home LAN on VLAN 1 (10.0.0.0/24). Member of zone 'lan' in
# /etc/config/firewall.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# First PPPoE uplink (home). Metric 10 is lower than WAN2's 20, and neither
# uplink sets ip4table/ip6table, so both default routes land in the main
# routing table and the kernel picks one for *every* LAN-side source by
# route selection alone -- firewall zone membership never influences which
# uplink SecLAN traffic leaves through. (The post reports the last session
# to connect winning rather than the lower metric; either way the choice is
# made by routing, not by zones.) Credentials are stored in cleartext here
# (redacted in the post).
config interface 'WAN'
        option proto 'pppoe'
        option username 'AAAA'
        option password 'AAAA'
        option ipv6 'auto'
        option mtu '1492'
        option device 'vethA'
        option metric '10'

# Bridge VLANs: all on the same single port eth1 -- VLAN 1 untagged, 100/150/
# 200 tagged. NOTE(review): the '*' on VLAN 100 marks it as eth1's PVID
# while VLAN 1 is also untagged on eth1; confirm which VLAN untagged
# ingress frames are meant to land in.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth1:t*'

# No interface in this file references br-lan.150.
config bridge-vlan
        option device 'br-lan'
        option vlan '150'
        list ports 'eth1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '200'
        list ports 'eth1:t'

# Security-system network on VLAN 200 (10.10.10.0/24). Member of zone 'SEC'
# in /etc/config/firewall. No ip6assign is set; delegate '0' presumably
# keeps IPv6 prefix delegation away from this interface -- confirm.
config interface 'SecLAN'
        option proto 'static'
        option device 'br-lan.200'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.0'
        option delegate '0'

# Two macvlan children of eth0 (presumably the USB 2.5GbE WAN port from the
# post) give the two PPPoE sessions distinct MAC addresses on one wire. No
# 'option macaddr' is pinned, so each child typically gets a generated MAC
# on creation; pin one if the ISP ties sessions to a MAC. The 'veth' names
# are only labels -- these are macvlan devices, not Linux veth pairs.
config device
        option type 'macvlan'
        option ifname 'eth0'
        option name 'vethA'

config device
        option type 'macvlan'
        option ifname 'eth0'
        option name 'vethB'

# Second PPPoE uplink, intended for SecLAN (zone 'WANSec'). Unlike WAN it
# sets no 'option mtu' (WAN uses 1492) and, like WAN, no ip4table -- so
# nothing in this file steers SecLAN-sourced traffic to this session. The
# usual OpenWrt way is a dedicated ip4table on this interface plus a
# network 'config rule' with 'option in' SecLAN and 'option lookup' that
# table -- TODO confirm against the OpenWrt routing docs.
config interface 'WAN2'
        option proto 'pppoe'
        option device 'vethB'
        option username 'AAAA'
        option password 'AAAA'
        option ipv6 'auto'
        option metric '20'

# Second home VLAN (100, 192.168.0.0/24); also in zone 'lan'. The DNAT
# target 192.168.0.11 and the static leases in /etc/config/dhcp live here.
config interface 'LAN100'
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
  • cat /etc/config/dhcp:
# /etc/config/dhcp as posted. dnsmasq serves DNS/DHCPv4 for lan, LAN100 and
# SecLAN; odhcpd handles DHCPv6/RA (maindhcp '0').
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
# rebind_protection drops upstream answers that point at private ranges;
# localservice only answers DNS from directly attached subnets.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option sequential_ip '1'

# Home LAN pool: DHCPv4 plus DHCPv6 and RA with managed/other flags.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# NOTE(review): interface 'wan' does not exist in the posted
# /etc/config/network (the uplinks are 'WAN' and 'WAN2'), so this section
# matches nothing. Presumably harmless, since the uplinks are PPPoE.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases, both in 192.168.0.0/24, i.e. on LAN100. Names and MACs
# are redacted in the post.
config host
        option name 'BBBB'
        list mac 'BBBB'
        option ip '192.168.0.10'
        option leasetime 'infinite'

config host
        option name 'AAAA'
        list mac 'AAAA'
        option ip '192.168.0.50'

# Security network pool starting at .2; no dhcpv6/ra options are set here.
config dhcp 'SecLAN'
        option interface 'SecLAN'
        option start '2'
        option limit '150'
        option leasetime '12h'

config dhcp 'LAN100'
        option interface 'LAN100'
        option start '100'
        option limit '150'
        option leasetime '12h'
  • cat /etc/config/firewall:
# /etc/config/firewall as posted. Zones: lan (lan + LAN100), SEC (SecLAN),
# wan (WAN) and WANSec (WAN2). Forwardings: lan->wan and SEC->WANSec only,
# so the two LAN sides are isolated from each other at the firewall.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
# NOTE(review): hardware flow offloading needs NIC/driver support; on a
# generic x86 laptop NIC it is typically ignored and only the software
# offload above takes effect -- confirm.
        option flow_offloading_hw '1'

# Home zone: both home VLANs, with unrestricted access to router services.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'LAN100'

config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules below are the stock OpenWrt defaults. They all use
# src 'wan', so none of them applies to zone 'WANSec': with WANSec's input
# REJECT, WAN2 gets no inbound ICMPv6 (ND/PMTU) or DHCPv6 at all.
# NOTE(review): that may matter for WAN2's 'ipv6 auto' -- confirm.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules (ESP and UDP/500 forwarded from wan into
# the lan zone); they are defaults and only matter if something on the home
# LAN terminates IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port forwards: HTTP/HTTPS arriving on the home uplink (zone 'wan', i.e.
# the WAN session only -- not WAN2) are DNATed to 192.168.0.11, a host on
# LAN100. That host is reachable from the internet on 80/443.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.11'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.0.11'
        option dest_port '443'

# Security zone. input ACCEPT means every host on SecLAN can reach all
# router services (ssh, web UI, DNS, ...), the same as the home LAN. For
# least privilege on a camera/alarm VLAN, input REJECT plus explicit rules
# for DHCP (udp/67) and DNS (53) is the usual shape.
config zone
        option name 'SEC'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'SecLAN'

# Home uplink zone. NOTE(review): networks 'wan' and 'wan6' are not defined
# in the posted /etc/config/network; the only effective member is 'WAN'.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

# Security uplink zone. Unlike 'wan' it has no 'option mtu_fix '1'' even
# though WAN2 is also PPPoE; add it for consistency so TCP MSS is clamped
# on this session too.
config zone
        option name 'WANSec'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'WAN2'

# This forwarding only takes effect when a SecLAN-sourced packet is actually
# routed out through WAN2. With both PPPoE default routes in the main table
# (no ip4table on either uplink in /etc/config/network) the kernel picks
# one uplink for all sources; whenever that is WAN the packet egresses in
# zone 'wan', there is no SEC->wan forwarding, and the default forward
# REJECT drops it -- which is likely the "only one side has internet"
# symptom in the thread. Zones cannot fix that; source-based policy
# routing in /etc/config/network can.
config forwarding
        option src 'SEC'
        option dest 'WANSec'

Why do you need macvlan? Just connect wan port to a software bridge.

I tried both; both give me the same result. However, I tried with 2 virtual Ethernets because I need 2 different MAC addresses. I think I need to update my post, since I found out that both PPPoE connections have internet access within OpenWrt (I can ssh to the router, ping google through each PPPoE separately, and it successfully resolves and pings).

My main issue now is to restrict WANSec so that only the SEC LAN uses it.

Kind of easy: check the lan→wan mapping rule on the firewall front page, then make another one for slan→swan.

I did; check the bottom part of my firewall rules. However, I cannot get internet on the SLAN side. If I restart the SWAN interface, I get internet on SLAN but lose internet on the LAN side. And yet, if I ping google from within OpenWrt, both WAN and SWAN have internet access.

The macvlan interfaces for the PPPoE sessions are fine, though calling them veth is a bit confusing, since Linux already has an interface type called veth.

I think you're probably better off making separate VLAN interfaces off eth1 rather than trying to use bridge VLAN filtering with one port. I'm sure it probably works fine; it just looks kind of messy, and to clean it up you'd probably end up putting a bridge under a bridge, for one port.

Thanks, I'll see what I can do about it. However, I still can't figure out how to properly route each PPPoE interface to a specific LAN. Setting up firewall zones and the routing doesn't seem to help.

mwan3 seems to be a failover/balancer, but I do not need that in my case.