OpenWRT 23.05 - Sharing and learning. Multiple VLAN with custom dns upstream for each VLAN.
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Hi, for some time I have multiple VLANs (SKYNET, GUESTS, KIDS and IOT) running on a Linksys WRT32X with OpenWRT 23.05.x.
The primary goal was to have multiple VLANs available, each with a different redirect, for example to AdGuard (also running on the WRT32X).
I wanted to do this, because within AdGuard, it's easy to define different settings per subnet (read VLAN in this case).
This makes it easy to block very strictly for KIDS and GUESTS, but for example only block ads for the main network (SKYNET in this case).
So everything is running smoothly — why post this message? Two things: maybe others would like to use this as an example (ask if you would like more info about this setup).
And the other thing is that I'd like to understand this better and learn. So my question is whether there is anything I'm doing wrong here, or anything I could improve.
I got to this setup by reading this forum and the OpenWRT docs, and by trial and error. It's working, but that doesn't mean there is no room for improvement.
One thing I noticed, for example, is that /etc/resolv.conf changes after a reboot. I know this is done by the dnsmasq init script, but resolv.conf ends up with SKYNET, IOT, GUESTS or KIDS as a seemingly random search domain. I assume this is caused by a misconfiguration somewhere.
Output follows in the following order:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
# ubus call system board
{
"kernel": "5.15.137",
"hostname": "CoreRouter",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT32X",
"board_name": "linksys,wrt32x",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
# cat /etc/config/network
# /etc/config/network — one br-lan bridge carrying four VLANs (10/20/30/40), WAN via DHCP.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# ULA prefix redacted by the author before posting.
option ula_prefix 'fd75........'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'WAN'
option device 'wan'
option proto 'dhcp'
# peerdns '0': the ISP-advertised resolvers are ignored; the two static entries below are used instead.
option peerdns '0'
list dns '1.1.1.2'
list dns '1.0.0.2'
config interface 'WAN6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
# auto '0': WAN6 is defined but not brought up automatically.
option auto '0'
# VLAN 10 (SKYNET) is untagged and PVID ('u*') on all four ports — the VLAN any untagged device lands in.
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
# NOTE(review): VLANs 20/30/40 are tagged ('t') on every LAN port, so every port is a full trunk.
# A device on any port can emit frames tagged for KIDS/GUESTS/IOT and join those segments.
# If only the Ubiquiti AP uplink needs the tags, limiting the tagged ports to that one
# would reduce that exposure — confirm which ports actually carry tagged traffic.
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '40'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4:t'
# One /24 per VLAN; the router is .1 in each. Note the VLAN id and the third octet do not line up
# for GUESTS (vlan 30 -> 10.79.30.x) and KIDS (vlan 20 -> 10.79.20.x) in the order listed here.
config interface 'SKYNET'
option proto 'static'
option device 'br-lan.10'
option netmask '255.255.255.0'
option ipaddr '10.79.10.1'
config interface 'GUESTS'
option proto 'static'
option device 'br-lan.30'
option ipaddr '10.79.30.1'
option netmask '255.255.255.0'
config interface 'KIDS'
option proto 'static'
option device 'br-lan.20'
option ipaddr '10.79.20.1'
option netmask '255.255.255.0'
config interface 'IOT'
option proto 'static'
option device 'br-lan.40'
option ipaddr '10.79.40.1'
option netmask '255.255.255.0'
# cat /etc/config/wireless
# Not in use, using Ubiquiti
# cat /etc/config/dhcp
# /etc/config/dhcp — one dnsmasq instance per VLAN, each bound to its own interface and lease file.
# maindhcp '0': odhcpd leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# NOTE(review): every instance sets noresolv '1' together with a resolvfile. With noresolv the
# resolvfile is not read, so these instances have no upstream of their own; the upstream appears
# to be whatever answers the port-5353 DNAT in /etc/config/firewall — confirm that is intended.
# NOTE(review): rebind_protection '0' disables dnsmasq's DNS-rebinding filter on all four
# instances. If the reason is that a local zone must resolve to private addresses, a
# `list rebind_domain` exception for that zone keeps the protection on for everything else.
# NOTE(review): on the author's resolv.conf question — each instance carries its own
# `option domain`, and the init script writes /etc/resolv.conf for whichever instance(s) it
# treats as the local resolver, so which VLAN name ends up as the search domain depends on
# start order. Setting `option localuse '0'` on all but one instance is a way to pin it —
# confirm against the 23.05 dnsmasq init script.
config dnsmasq 'SKYNET_dns'
option domainneeded '1'
option localise_queries '1'
option local '/SKYNET/'
option domain 'SKYNET'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.SKYNET'
option resolvfile '/etc/resolv.conf.SKYNET'
list interface 'SKYNET'
# localservice '1' plus the notinterface list below restricts this instance to its own VLAN.
option localservice '1'
option rebind_protection '0'
option noresolv '1'
list notinterface 'loopback'
list notinterface 'KIDS'
list notinterface 'GUESTS'
list notinterface 'IOT'
config dhcp 'SKYNET'
option instance 'SKYNET_dns'
option interface 'SKYNET'
option start '50'
option limit '250'
option leasetime '1d'
# NOTE(review): only the SKYNET pool carries a `domain` list; the other three pools do not.
# Confirm this option is honoured in a `config dhcp` section, or drop it for uniformity.
list domain 'SKYNET'
config dnsmasq 'GUESTS_dns'
option domainneeded '1'
option localise_queries '1'
option local '/GUESTS/'
option domain 'GUESTS'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.GUESTS'
option resolvfile '/etc/resolv.conf.GUESTS'
list interface 'GUESTS'
option localservice '1'
option rebind_protection '0'
option noresolv '1'
list notinterface 'loopback'
list notinterface 'SKYNET'
list notinterface 'KIDS'
list notinterface 'IOT'
config dhcp 'GUESTS'
option instance 'GUESTS_dns'
option interface 'GUESTS'
option start '50'
option limit '250'
option leasetime '1d'
config dnsmasq 'KIDS_dns'
option domainneeded '1'
option localise_queries '1'
option local '/KIDS/'
option domain 'KIDS'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.KIDS'
option resolvfile '/etc/resolv.conf.KIDS'
list interface 'KIDS'
option localservice '1'
option rebind_protection '0'
option noresolv '1'
list notinterface 'loopback'
list notinterface 'SKYNET'
list notinterface 'GUESTS'
list notinterface 'IOT'
config dhcp 'KIDS'
option instance 'KIDS_dns'
option interface 'KIDS'
option start '50'
option limit '250'
option leasetime '1d'
config dnsmasq 'IOT_dns'
option domainneeded '1'
option localise_queries '1'
option local '/IOT/'
option domain 'IOT'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.IOT'
option resolvfile '/etc/resolv.conf.IOT'
list interface 'IOT'
option localservice '1'
option rebind_protection '0'
option noresolv '1'
list notinterface 'loopback'
list notinterface 'SKYNET'
list notinterface 'KIDS'
list notinterface 'GUESTS'
# NOTE(review): unlike the SKYNET/GUESTS/KIDS pools, this one has no `option instance 'IOT_dns'`,
# so it is not explicitly tied to the IOT_dns instance. Adding the line makes the four pools consistent.
config dhcp 'IOT'
option interface 'IOT'
option start '50'
option limit '250'
option leasetime '1d'
# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config forwarding
option dest 'WAN'
option src 'SKYNET'
config zone
option name 'SKYNET'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'SKYNET'
config rule
option name 'Allow-DHCP-Renew'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option src 'WAN'
config rule
option name 'Allow-Ping'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-IGMP'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-DHCPv6'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-MLD'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
# Default OpenWrt IPv6 ICMP rules (rate-limited) — unchanged from the stock firewall config.
config rule
option name 'Allow-ICMPv6-Input'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-ICMPv6-Forward'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
# Stock IPsec pass-through rules, here pointed at the SKYNET zone (the default config uses 'lan').
config rule
option name 'Allow-IPSec-ESP'
option proto 'esp'
option target 'ACCEPT'
option src 'WAN'
option dest 'SKYNET'
config rule
option name 'Allow-ISAKMP'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option src 'WAN'
option dest 'SKYNET'
# NOTE(review): /etc/firewall.user is the iptables-era include. 23.05 runs fw4 (nftables), which
# handles legacy includes differently from fw3 — check the firewall log / `fw4 print` to see
# whether this include is actually loaded, and whether the file still contains anything.
config include
option path '/etc/firewall.user'
# Untrusted zones: no input to the router and no forwarding by default; selective rules/forwardings below.
config zone
option name 'GUESTS'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
list network 'GUESTS'
config zone
option name 'KIDS'
option output 'ACCEPT'
list network 'KIDS'
option input 'REJECT'
option forward 'REJECT'
config zone
option name 'IOT'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
list network 'IOT'
config zone
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option name 'WAN'
list network 'WAN'
list network 'WAN6'
config forwarding
option dest 'WAN'
option src 'GUESTS'
config forwarding
option dest 'WAN'
option src 'KIDS'
config forwarding
option dest 'IOT'
option src 'SKYNET'
# NOTE(review): this SKYNET rule matches src_port, whereas the GUESTS/KIDS/IOT rules below match
# dest_port. For DNS/DHCP requests arriving at the router, dest_port is the meaningful match,
# so this looks like a typo. It is masked because the SKYNET zone already has input 'ACCEPT',
# which also makes the rule redundant there — either fix the option name or drop the rule.
config rule
option src 'SKYNET'
option target 'ACCEPT'
option src_port '53 67-68'
option name 'SKYNET - DHCP - DNS - Allow'
config rule
option src 'GUESTS'
option target 'ACCEPT'
option dest_port '53 67-68'
option name 'GUESTS - DHCP - DNS - Allow'
config rule
option src 'KIDS'
option target 'ACCEPT'
option dest_port '53 67-68'
option name 'KIDS - DHCP - DNS - Allow'
config rule
option src 'IOT'
option target 'ACCEPT'
option dest_port '53 67-68'
option name 'IOT - DHCP - DNS - Allow'
# SKYNET may reach every other VLAN (IOT above, GUESTS and KIDS here); nothing is forwarded back.
config forwarding
option src 'SKYNET'
option dest 'GUESTS'
config forwarding
option src 'SKYNET'
option dest 'KIDS'
# Per-VLAN DNS interception: port 53 from clients is DNAT'd to port 5353 on the router itself
# (no dest_ip, so the router is the target). src_ip '!<gateway>' leaves traffic sourced from
# the router's own address alone.
# NOTE(review): only this first redirect names a dest zone and an explicit proto 'tcp udp';
# the other three omit both. fw4 defaults redirect proto to tcp+udp, but stating it on all
# four keeps them uniform — confirm the default and whether `dest 'SKYNET'` is needed here.
config redirect 'dns_int'
option src 'SKYNET'
option src_dport '53'
option proto 'tcp udp'
option target 'DNAT'
option dest_port '5353'
option name 'SKYNET - Redirect DNS'
option src_ip '!10.79.10.1'
option dest 'SKYNET'
config redirect
option target 'DNAT'
option src_dport '53'
option dest_port '5353'
option src 'GUESTS'
option name 'GUESTS - Redirect DNS'
option src_ip '!10.79.30.1'
config redirect
option target 'DNAT'
option src_dport '53'
option src 'KIDS'
option name 'KIDS - Redirect DNS'
option dest_port '5353'
option src_ip '!10.79.20.1'
config redirect
option target 'DNAT'
option src_dport '53'
option dest_port '5353'
option src 'IOT'
option name 'IOT - Redirect DNS'
option src_ip '!10.79.40.1'
# NOTE(review): these MASQUERADE (srcnat) rules match dest_port '53', but srcnat runs after the
# DNAT above has already rewritten the destination port to 5353, so they may never match.
# The redirects on their own already catch clients with hard-coded resolvers; verify with
# `nft list ruleset` whether these four rules ever see traffic before relying on them.
config nat
option name 'SKYNET - Prevent hardcoded DNS'
list proto 'tcp'
list proto 'udp'
option src 'SKYNET'
option dest_ip '10.79.10.1'
option dest_port '53'
option target 'MASQUERADE'
config nat
option name 'GUESTS - Prevent hardcoded DNS'
list proto 'tcp'
list proto 'udp'
option src 'GUESTS'
option dest_ip '10.79.30.1'
option dest_port '53'
option target 'MASQUERADE'
config nat
option name 'KIDS - Prevent hardcoded DNS'
list proto 'tcp'
list proto 'udp'
option src 'KIDS'
option dest_ip '10.79.20.1'
option dest_port '53'
option target 'MASQUERADE'
config nat
option name 'IOT - Prevent hardcoded DNS'
list proto 'tcp'
list proto 'udp'
option src 'IOT'
option dest_ip '10.79.40.1'
option dest_port '53'
option target 'MASQUERADE'
# Currently disabled (enabled '0'): would let GUESTS reach a single SKYNET host on tcp/udp 8880.
config rule
option name 'GUESTS - Hotspot Portal - Allow'
option src 'GUESTS'
option dest 'SKYNET'
option dest_port '8880'
option target 'ACCEPT'
list dest_ip '10.79.10.10'
option enabled '0'
config forwarding
option src 'IOT'
option dest 'WAN'