One WAN port, multiple PPPoE connections to different VLANs

Hello,

I'm using an old laptop as my OpenWrt router. It has two network ports: a USB 2.5GbE adapter and the internal 1GbE NIC. The 2.5GbE adapter is my WAN port, and my ISP allows me to obtain multiple public IPs (up to a limit); however, I have no free USB ports for a second Ethernet adapter.

My questions are:

  1. How can I set up multiple PPPoE WAN connections on a single WAN port? SOLVED: use either macvlan devices on the WAN port, or a bridge with the WAN port as a member plus two virtual Ethernet devices, each with its own MAC address (each PPPoE session needs a distinct MAC).
  2. I use VLANs to separate my security-camera system from my home network, and I would like to dedicate a separate WAN IP to that VLAN. How do I do that?

What I tried:

  • I tried macvlan (as in the mwan3 guide). I do get two public IPs, but only one of them provides Internet access to the LAN side. From inside OpenWrt, pinging google works through either PPPoE interface when I select it with `ping -I <interface>`.
  • I tried bridging two virtual Ethernet devices with the WAN port and dedicating each virtual device to one of the two WAN interfaces. Both connect, but as before only one of them gets Internet access.
  • I use four firewall zones: LAN/WAN for the home network (configured and working), and SLAN/SWAN for the security-system network, set up the same way as the default LAN/WAN zones. (In the config below these appear as lan/wan and SEC/WANSec.)
  • Both WAN interfaces get different public IPs, but only the one that connected last routes its zone's Internet traffic: if WAN connects last, SLAN has no Internet access; if SWAN connects last, LAN has none.

Thank you.

Please connect to your OpenWrt device over SSH, run the following commands, and paste their output here using the "Preformatted text </>" button:
Remember to redact passwords (including PPPoE credentials), MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
  • ubus call system board:
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "Intel(R) Core(TM) i5-3230M CPU @ 2.60GHz",
        "model": "Hewlett-Packard HP ProBook 4540s",
        "board_name": "hewlett-packard-hp-probook-4540s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "x86/64",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
  • cat /etc/config/network:
# /etc/config/network as posted. Layout: the internal 1GbE NIC (eth1) is the
# single port of br-lan and is split into VLANs 1/100/150/200 by bridge VLAN
# filtering; the USB 2.5GbE NIC (eth0) is the WAN port and carries two PPPoE
# sessions, one per macvlan device (vethA / vethB).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd94:328e:9bbc::/48'
        option packet_steering '1'

# Single-member bridge; it exists so the bridge-vlan sections below can split
# eth1 into VLAN sub-devices (br-lan.1, br-lan.100, br-lan.200).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

# Home LAN (10.0.0.0/24) on VLAN 1; gets an IPv6 /60 from the delegated prefix.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# Primary PPPoE session. Metric 10 is lower than WAN2's 20, so this one holds
# the default route. Member of firewall zone 'wan'. Credentials are redacted.
# 'ipv6 auto' presumably spawns a dynamic WAN_6 alias for DHCPv6/RA -- confirm
# that alias lands in the same firewall zone.
config interface 'WAN'
        option proto 'pppoe'
        option username 'AAAA'
        option password 'AAAA'
        option ipv6 'auto'
        option mtu '1492'
        option device 'vethA'
        option metric '10'

# VLAN 1: eth1 untagged. NOTE(review): the PVID flag '*' is on VLAN 100 below,
# not here -- confirm that untagged frames entering eth1 land in the VLAN you
# intend.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1'

# VLAN 100 (LAN100, 192.168.0.0/24): tagged on eth1 and marked PVID.
config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth1:t*'

# VLAN 150: tagged on eth1; no interface in this config uses it.
config bridge-vlan
        option device 'br-lan'
        option vlan '150'
        list ports 'eth1:t'

# VLAN 200 (SecLAN): tagged on eth1.
config bridge-vlan
        option device 'br-lan'
        option vlan '200'
        list ports 'eth1:t'

# Security-camera VLAN (10.10.10.0/24) on VLAN 200; firewall zone 'SEC'.
# delegate '0' and no ip6assign: presumably no IPv6 prefix is handed to this
# network, so it is effectively IPv4-only -- TODO confirm.
config interface 'SecLAN'
        option proto 'static'
        option device 'br-lan.200'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.0'
        option delegate '0'

# Two macvlan children of the WAN NIC so that each PPPoE session can use its
# own MAC address (despite the names these are not Linux veth pairs). No
# 'macaddr' is pinned, so each presumably gets a generated MAC; if the ISP
# ties a session to a MAC address, add 'option macaddr' here -- TODO confirm.
config device
        option type 'macvlan'
        option ifname 'eth0'
        option name 'vethA'

config device
        option type 'macvlan'
        option ifname 'eth0'
        option name 'vethB'

# Second PPPoE session, intended as the uplink for SecLAN. Metric 20 keeps it
# from winning the default route; member of firewall zone 'WANSec'.
# NOTE(review): unlike 'WAN' above this sets no 'mtu 1492'; if the ISP needs
# it, add it here as well.
config interface 'WAN2'
        option proto 'pppoe'
        option device 'vethB'
        option username 'AAAA'
        option password 'AAAA'
        option ipv6 'auto'
        option metric '20'

# Second home VLAN (192.168.0.0/24); shares firewall zone 'lan' with 'lan'.
# No ip6assign, so IPv4-only.
config interface 'LAN100'
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
  • cat /etc/config/dhcp:
# /etc/config/dhcp as posted. dnsmasq serves DHCPv4 and DNS on lan, SecLAN and
# LAN100; odhcpd handles DHCPv6/RA on 'lan' only.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # dnsmasq's DNS-rebinding guard: drop upstream answers for private ranges.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Only answer DNS queries from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option sequential_ip '1'

# Home LAN: leases .100-.249 for 12h; DHCPv6 and RA served by odhcpd.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# NOTE(review): UCI interface names are case sensitive. The network config
# defines 'WAN' and 'WAN2', not 'wan', so this leftover default stanza matches
# nothing. Harmless for point-to-point PPPoE links (no DHCP to serve), and the
# wan zone's input REJECT is presumably what keeps dnsmasq off the uplinks, but
# it is stale.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases (names/MACs redacted); both addresses are in LAN100
# (192.168.0.0/24). Note that 192.168.0.11, the DNAT target in
# /etc/config/firewall, has no static lease here -- a port-forward target
# should have a fixed address.
config host
        option name 'BBBB'
        list mac 'BBBB'
        option ip '192.168.0.10'
        option leasetime 'infinite'

config host
        option name 'AAAA'
        list mac 'AAAA'
        option ip '192.168.0.50'

# Security-camera VLAN: leases 10.10.10.2-.151 for 12h; DHCPv4 only.
config dhcp 'SecLAN'
        option interface 'SecLAN'
        option start '2'
        option limit '150'
        option leasetime '12h'

# Second home VLAN: leases 192.168.0.100-.249 for 12h; DHCPv4 only.
config dhcp 'LAN100'
        option interface 'LAN100'
        option start '100'
        option limit '150'
        option leasetime '12h'
  • cat /etc/config/firewall:
# /etc/config/firewall as posted. Zones: lan (home VLANs 1 + 100) -> wan (WAN);
# SEC (camera VLAN) -> WANSec (WAN2). There is no forwarding between lan and
# SEC in either direction, so the two sides are isolated from each other.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        # Hardware offload needs driver support; presumably a no-op on these
        # x86 / USB NICs, in which case the software offload above still
        # applies -- TODO confirm.
        option flow_offloading_hw '1'

# Both home VLANs share one zone, so they have unrestricted access to each
# other and to every router service.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'LAN100'

config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules below are the OpenWrt defaults and all target src 'wan'
# only; zone 'WANSec' gets none of them. For an IPv4 PPPoE uplink that is
# harmless, but if IPv6 on WAN2 is wanted, RA/NS (Allow-ICMPv6-Input) and
# DHCPv6 (Allow-DHCPv6) would need equivalents with src 'WANSec'.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwarded ICMPv6 from wan to any zone (dest '*'), rate limited.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Default OpenWrt rules admitting ESP and IKE (udp/500) from wan into lan.
# They presumably only matter for lan hosts reachable without NAT (e.g. over
# IPv6); drop them if no lan host terminates IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port forwards: TCP 80 and 443 of 192.168.0.11 (LAN100) are exposed on the
# primary WAN address only (src 'wan', not 'WANSec'). That host is
# internet-facing: keep it patched, and give it a static lease (none exists
# in /etc/config/dhcp) so the forward does not silently point at a different
# device after a lease change.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.11'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.0.11'
        option dest_port '443'

# Camera VLAN zone. input ACCEPT lets every camera reach every router service
# (SSH, LuCI, ...); for a zone of untrusted devices consider input REJECT plus
# explicit allow rules for DHCP (udp/67) and DNS (53) only. No forwarding
# to/from 'lan' is declared, so the home network stays out of reach.
config zone
        option name 'SEC'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'SecLAN'

# Primary uplink zone. 'wan' and 'wan6' are leftovers from the default config
# and match no interface in /etc/config/network; 'WAN' is the live member.
# mtu_fix clamps TCP MSS to fit the 1492-byte PPPoE MTU.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

# Second uplink zone (WAN2). NOTE(review): no 'mtu_fix' here, unlike 'wan';
# a PPPoE link needs MSS clamping just the same. It also receives none of the
# Allow-* rules above.
config zone
        option name 'WANSec'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'WAN2'

# Firewall permission only: this allows SEC -> WANSec, but it does not steer
# routing. Without policy routing, SEC traffic presumably follows the default
# route (WAN, metric 10) and reaches zone 'wan', where no SEC -> wan
# forwarding exists, so it is rejected -- consistent with the symptom in this
# thread and with pbr being what eventually fixed it.
config forwarding
        option src 'SEC'
        option dest 'WANSec'

Why do you need macvlan? Just add the WAN port to a software bridge.

I tried both; both give the same result. I went with two virtual Ethernet devices because I need two different MAC addresses. I should update my post: I've found that both PPPoE connections do have Internet access from within OpenWrt (I can SSH to the router, ping google through each PPPoE interface separately, and name resolution and the ping succeed).

My main issue now is to make the WANSec connection the exclusive uplink for the SEC LAN.

That part is easy: look at the lan → wan forwarding on the firewall overview page, and create the same kind of forwarding for slan → swan.

I did; see the bottom of my firewall config. But I still can't get Internet on the SLAN side. If I restart the SWAN interface, SLAN gets Internet but the LAN side loses it. Yet pinging google from within OpenWrt works through both WAN and SWAN.

The macvlan interfaces for the PPPoE sessions are fine, though calling them veth is a bit confusing, since Linux already has an interface type called veth.

I think you're probably better off creating separate VLAN interfaces directly on eth1 rather than using bridge VLAN filtering with a single port. It probably works fine, it just looks messy, and to clean it up you'd likely end up putting a bridge under a bridge for one port.

Thanks, I'll see what I can do about that. However, I still can't figure out how to properly route each PPPoE interface to a specific VLAN. Setting up firewall zones and forwardings doesn't seem to be enough.

mwan3 seems to be a failover/load-balancing tool, which I don't need in my case.

Update:

Solved:

Steps to set up two WAN connections and use one of them as the gateway for a specific VLAN:

Setup a second WAN

  1. Create the new WAN interface, configured however your ISP requires (PPPoE/DHCP/...), and note the interface name; it is needed later.
  2. Go to Advanced Settings > Use gateway metric and enter a value higher than your primary WAN's metric (a higher metric gives this connection's default route lower priority, so WAN1 stays the default gateway; in the config above WAN has metric 10 and WAN2 metric 20).
  3. Go to Firewall Settings > Create / Assign firewall-zone > --custom-- > type a new firewall zone name (it will be configured later) > Enter.
  4. Save > Save and Apply
  5. Check that the new WAN interface is connected and has its own public IP.

Note: depending on your ISP, you may not be able to open multiple PPPoE sessions — check with them. Some ISPs require a specific MAC address or have other requirements; mine, surprisingly, doesn't care at all. If you have a second ISP instead, set it up as usual, with the gateway metric and firewall zone as above.

Once your second WAN is working:

Setup PBR

  1. Go to System > Software > Update lists..., search for pbr and install the luci-app-pbr package.
  2. Once installed, press Ctrl+Shift+R (or Shift+F5, or log out and back in) to refresh the web UI.
  3. Go to Services > Policy Routing and delete any pre-existing entries under Policies, DNS Policies and DSCP Tagging (you may also remove the custom user file include entries).
  4. Go to Advanced Configuration > Supported Interfaces and add the second WAN interface to the list (names are case sensitive; write it exactly as in step 1 of the previous section).
  5. Save and apply
  6. You should now see the newly added interface listed at the top of the page under "Service Gateways".
  7. Go to Basic Configuration > Policies > Add
  8. Name: [pick a name] / Local addresses: your VLAN's subnet, e.g. 10.0.0.0/24 (for the config above, the SecLAN subnet is 10.10.10.0/24) / Protocol: All / Interface: your second WAN.
  9. Save
  10. Save and apply

Setup the firewall

This assumes your VLAN is already in its own firewall zone; if not, create a new zone with your own rules, or copy the default LAN zone's Input/Output/Forward settings.

  1. Go to Network > Firewall and edit the WAN2 zone: Input = Reject, Output = Accept, Forward (intra-zone) = Reject, and enable Masquerading, so it behaves like the default WAN zone. For a PPPoE uplink also enable MSS clamping (`option mtu_fix '1'`), as the default wan zone has; the WANSec zone in the config above is missing it.
  2. Save
  3. Edit your VLAN's firewall zone and under "Allow forward to destination zones" select your second WAN zone only (no forwarding to the primary WAN zone, nor to the home LAN zone if you want it isolated).
  4. Save and apply

That should be it. Connect to a device on the VLAN and check its public IP address against the one shown for WAN2 under Network > Interfaces. It's also worth confirming the isolation holds: from the VLAN, hosts on the home LAN should be unreachable, and the router's own services should only be reachable as far as the zone's Input policy allows.
