Openwrt as managed switch to separate 2 VLAN on trunk port for transparent filtering

eijis · May 27, 2023, 5:51am

TLDR at the bottom:

Hello. I don't really know where to start but I figured I try this route. Anyway, I want to make openwrt as a managed switch to separate trunk port VLANS for transparent filtering. Here is my topology.

Modem > [ESXI host: OPNSense router > Sophos UTM (bridge mode)] > Wifi AP

My OPNSense Current Router Setup:

WAN > vmx0 (Physical Port 1) (public IP, dhcp)
LAN > vmx1 (Physical Port 2) (static, 192.168.1.1/24, dhcp server)
OPT1 > vmx2 (vOPT1 (no physical uplink)) (Static, 10.0.0.1, dhcp server) > test port
OPT2>  vmx3 (Physical Port 4) not enabled
VLAN10 vmx3.10 (Static, 172.16.10.1/24 dhcp server) - IOTS
VLAN20 vmx3.20 (Static, 172.16.20.1/24 dhcp server) - Local Wireless LAN
VLAN30 vmx3.30 (Static, 172.16.30.1/24 dhcp server) - Guest Wireless LAN
VLAN40 vmx3.40 (Static, 172.16.40.1/24 dhcp server) - Kids Wireless LAN

Sophos UTM on my test port as bridge

Bridged interface (eth0, eth1): Static, 10.0.0.2/24, Default Gateway 10.0.0.1, PROXY ARP
eth0 > vOPT1
eth1 > Physical Port 3

Then, my wifi AP is connected to Physical Port 4.

Everything works at this setup. I tried to setup Sophos UTM as bridge interface for transparent filtering in a trunk port but no avail. I am able to get it to passthrough traffic, however, when I turn webfiltering on on KIDS Wireless VLAN, it stopped working. But, on my test port, everything works. I figured, probably there are issues when bridging a trunk port.

So, I though about this workaround where I could assign a virtual trunk port without physical uplink to my opensense router on OPT2 and connect it to openwrt VM, from openwrt VM, I can separate VLAN20 and VLAN40, place a sophosUTM VM bridge on both of them, and bridge it to physical trunk port. Please help with the config on OpenWrt. I don't see the option "port" under network.

Before anyone ask, why don't you use zenarmor, or use Sophos UTM as your router, or say Sophos XG, or whatever to make my life easier, you do you and I do me. I just want to learn more about networking.

TLDR: How can I configure OpenWrt as a managed switch in VM to untag VLANs from Opnsense trunk, and retag them again going to my WIFI AP?

psherman · May 27, 2023, 10:33pm

If I understand your topology correctly, your OPNSense router and Sophos UTM are on the same physical host using EXSI virtualization. If that's correct, you need to look at either the Sophos system or your hypervisor's network configuration. OpenWrt isn't going to help you here because you will need 4 links (physical or virtual) in order run your networks untagged from one system to another -- you can only have a single untagged network on a port. So if the Sophos can be configured to expect VLANs 10, 20, 30, and 40 as tagged networks, that will do the trick. Or, if you can setup 4 virtual links with untagged networks between the OPNSense VM and the Sophos one. You'll obviously need Sophos to have 4 incoming interfaces, and a 5th that connects to the physical port that goes to the AP with the networks tagged appropriately.

eijis · May 28, 2023, 4:38am

Thanks. I kinda get what you’re saying. My initial setup was, on my router VM, I have the 4 VLANs on 1 virtual interface. On my sophos, I setup a bridge, virtual interface from router, and physical link in going to wifi AP, and it works, but when I turned the webfiltering on, everything broke. I’m guessing issues with gateway and vlan tags.

So, the other solution you posted, in my understanding, is I can add the 4 virtual ports with my 4 networks in my router VM, then on my sophos, I can connect those 4 virtual links, then bridge all of those links with the physical port (5 interface in total) and add vlan tagging using the bridge interface as parent? I’m guessing I can setup openwrt like the sophos.

psherman · May 28, 2023, 5:07am

Maybe a nit, but you don't want to bridge. The concept of a bridge is that it acts like a software version of an unmanaged switch. What you want to do is simply assign the networks all to a single physical port by means of tagging them with 802.1q tags (VLANs).

I'm honestly not sure... depends on what your sophos is doing. But I still don't see how OpenWrt would play into this scenario anyway -- you don't need to add another platform to the mix here, just use your hypervisor to setup 4 virtual links that will connect between the OPNSense and Sophos systems.

eijis · May 28, 2023, 6:00pm

I need OpenWRT because I'm having issues using Sophos for transparent bridging for webfiltering a trunk port. I need to combine my trunk port with the 2 untagged network I'm putting sophos as MITM on.

So I'm able to get to to work. Here is my setup. On my Opnsense VM, I created a 1 Virtual link as trunk of 2 VLANs, and 2 separate virtual link for my other 2 network.

vmx0 WAN > (Physical Port 1) (public IP, dhcp)
vmx1 LAN > (Physical Port 2) (static, 192.168.1.1/24, dhcp server)
vmx2 OPT1 > (vOPT1 (no physical uplink)) (Static, 10.0.0.1, dhcp server) > test port
vmx3 OPT2 > (vTRUNK (no physical uplink)) not enabled
* vmx3.10 (Static, 172.16.10.1/24 dhcp server) - IOTS
* vmx3.30 (Static, 172.16.30.1/24 dhcp server) - Guest Wireless LAN
vmx4 OPT3 > (vOPT3 (no physical uplink)) (Static, 172.16.20.1/24 dhcp server) - Local Wireless LAN
vmx5 OPT4 > (vOPT4 (no physical uplink)) (Static, 172.16.40.1/24 dhcp server) - Kids Wireless LAN

Here is my openwrt setup

eth0 LAN > (Physical Port 2) (static, 192.168.1.2/24, dhcp off)
eth1 vTRUNK > (OPT2 from Opnsense) (unmanaged)
eth2 LocalWLAN > (OPT3 from Opnsense) (unmanaged)
eth3 KidsWLAN > (OPT4 from Opnsense) (unmanaged)
eth4 pTRUNK > (Physical Port 4 - going to wifi AP) (unmanaged)

At first, I tested adding VLAN20 and VLAN40 on vTRUNK set it to DHCP client, sure enough, I got IP address, I did the same thing with LocalWLAN and KidsWLAN and got IP addresses. However, bridging it to passthrough going to OPT4, I had problems.

I tried bridging eth1, eth2, eth3, eth4, and at first, it was not working, but what I did was I ticked Enable VLAN filtering under Bridge VLAN filtering tab, added VLAN10, VLAN20, VLAN30, VLAN40 and tagged all of eth1, eth4, tagged 20 on eth2, 40 on eth3. And voila! everything works now. Thanks for the guidance.

Here is my final OpenWRT setup

eth0 LAN > (Physical Port 2) (static, 192.168.1.2/24, dhcp off)
eth1 vTRUNK > (OPT2 from Opnsense) (unmanaged)
eth2 LocalWLAN > (OPT3 from Opnsense) (unmanaged)
eth3 KidsWLAN > (OPT4 from Opnsense) (unmanaged)
eth4 pTRUNK > (Physical Port 4 - going to wifi AP) (unmanaged)
br0.10 > (dhcp client)
br0.20 > (dhcp client)
br0.30 > (dhcp client)
br0.40 > (dhcp client)

My Devices setup for eth1, eth2, eth3, and eth4

Network > Interfaces > Devices
click Configure
Advanced device options
"Enable promiscous mode" ☑
"Accept "local" ☑

Added bridge device

General Device options:
Device type: Bridge device
Device name: br0
Bridge ports: eth1, eth2, eth3, eth4

Bridge VLAN filtering
"Enable VLAN filtering"  ☑
Added 4 VLANS

VLAN ID     Local     eth1     eth2     eth3     eth4
 10          ☑         t        -        -       t
 20          ☑         t        t        -       t
 30          ☑         t        -        -       t
 40          ☑         t        -        t       t

Thanks again for the guidance. I know this looks convuluted but I wouldn't have to go to this route if sophos was able to webfilter a trunk port. It probably is a user error on my part, but I got it to work on this setup.

eijis · May 29, 2023, 8:52pm

eijis:

General Device options:
Device type: Bridge device
Device name: br0
Bridge ports: eth1, eth2, eth3, eth4

Bridge VLAN filtering
"Enable VLAN filtering"  ☑
Added 4 VLANS

VLAN ID     Local     eth1     eth2     eth3     eth4
 10          ☑         t        -        -       t
 20          ☑         -        u        -       t
 30          ☑         t        -        -       t
 40          ☑         -        -        u       t

Correction. Luci shows t, but on my network config it's "eth2:u" and "eth3:u" Also, didn't tag eth1 (vTRUNK from OPNsense.)