openWRT on laptop with vlan tagging through edgerouter x?

similar to the method of plugging a rpi4 into a managed switch and using vlan tags to direct traffic, could the same be done with an old laptop with a gig nic in it?

Isp modem - > edgerouter x, pass traffic directly to laptop, openwrt on laptop manages packages and passes traffic back to the switch where the other lans and access point would be attached

Sure, you can do this.

However, why not just use the ER-X as the router at this point? (possibly a rhetorical question -- if you've got lots of other packages and services you want to run, you might need the extra processing power). From an over-the-wire bandwidth standpoint, though (when assuming you're not using processor intensive features like SQM and the like), you'll be limited to 1Gbps max total throughput (up+down = 1Gbps max).

If you do opt to use the ER-X in this way, be sure you've got the latest bootloader (IIRC, it was included in the 2.0.x firmware) to ensure that the switch doesn't bridge ports while it is first coming up.

actually running openwrt on the edgerouter x, and i am primarily after the sqm shaping power the laptop could provide where the google wifi ac1304 i flashed cant quite cut it lol. its better than the edgerouter but not good enough lol. i am planning a full desktop server with a vm running openwrt and a quad intel nic, but thats all money, im working with what i have now lol.

fair enough... all makes sense. Yes, you can do this with bridge vlan syntax.

i have a 300x10 soon to be 500x20 connection, but its spectrum so the bufferbloat is stupidly bad, i have heard rumors that they are working on a server side sqm called PIE (i used to work at spectrum as a technician, i heard things, not sure how valid they are lol)

this is super encouraging to hear, as a laptop is pretty power efficient, small form factor, with a screen built right in, now i am off to learn about virtual machines in linux / windows and see where the rabbit hole leads

You must make the laptop VLAN-aware. I've done this with systemd on a Debian system. Just use the phrase "systemd vlan" with your preferred search engine and you'll get a lot of proposals.

Currently watching a bunch of onemarcfifty vids and reading a bunch of forum posts to figure out how to get it all going

I’m going to be using port 0 as a system access port , port 1 will be the modem in, port 2 will have the laptop plugged in, port 3 will go to a home dumb switch with an access point attached, and port 4 will go to my work pc

From my understanding I tag incoming packets from port 1 and make them go to port 2, port 2 tags egress packets to go to port 1. I’m still learning lol

You'll be using a bridge-vlan configuration for ports 1-4 (port eth0 can be removed from the bridge and placed into the 'system access' network interface).

  • Your WAN will use a unique VLAN ID (maybe use VLAN 2 for this), unless your modem/ISP requires a tagged VLAN.
  • You'll likely set up your lan on VLAN 1.
  • So, eth1 will be untagged
  • eth2 will have both VLAN 1 (can be tagged or untagged) and VLAN 2 (tagged)
  • eth3 and eth4 will have vlan1 untagged.
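
Once the port plan above is written as `bridge-vlan` sections, it can be checked mechanically. This is an added example, not part of the thread or of OpenWrt: the UCI text is a constructed rendering of that plan (the bridge name `br-lan` and the explicit `:t`/`:u*` suffixes are assumptions), and the hypothetical `audit` helper reports a port that is untagged in two VLANs or a LAN port that ends up in the WAN VLAN.

```python
import re
from collections import defaultdict
# Constructed UCI text for the plan above: VLAN 2 = WAN, VLAN 1 = LAN,
# eth1 = modem, eth2 = trunk to the laptop. Bridge name is an assumption.
SAMPLE = """
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth2:t'
        list ports 'eth3:u*'
        list ports 'eth4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'eth1:u*'
        list ports 'eth2:t'
"""

def parse_bridge_vlans(text):
    """Return {vlan_id: {port: 'tagged' | 'untagged'}}."""
    vlans = {}
    for section in re.split(r"(?m)^config\s+", text)[1:]:
        if not section.startswith("bridge-vlan"):
            continue
        vid = re.search(r"option\s+vlan\s+'?(\d+)", section)
        ports = re.findall(r"list\s+ports\s+'?([\w.-]+)(?::([tu*]+))?", section)
        if vid:
            vlans[int(vid.group(1))] = {
                p: "tagged" if "t" in flags else "untagged" for p, flags in ports}
    return vlans

def audit(vlans, wan_vid, wan_ports, trunk_ports):
    """Hypothetical helper: list VLAN assignments that break WAN/LAN separation."""
    findings, untagged = [], defaultdict(list)
    for vid, ports in vlans.items():
        for port, mode in ports.items():
            if mode == "untagged":
                untagged[port].append(vid)
    for port, vids in sorted(untagged.items()):
        if len(vids) > 1:  # a port has one PVID, so one untagged VLAN
            findings.append(f"{port}: untagged in VLANs {sorted(vids)}")
    for port, mode in sorted(vlans.get(wan_vid, {}).items()):
        if port not in wan_ports | trunk_ports:
            findings.append(f"{port}: LAN port is a member of WAN VLAN {wan_vid}")
        elif port in trunk_ports and mode != "tagged":
            findings.append(f"{port}: WAN VLAN {wan_vid} is untagged on trunk")
    return findings

if __name__ == "__main__":
    print(audit(parse_bridge_vlans(SAMPLE), 2, {"eth1"}, {"eth2"}) or "no findings")
```

On a device, the same functions can be run over the text of `/etc/config/network` instead of the constructed sample.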

I know a lot of members write to avoid those lower vlan numbers due to incompatibility or security reasons,

So I’ll be setting my vlans up with 4,8,16,32…etc
I actually can’t figure out a way to diagram how it should flow just yet so im looking for a good article about using a managed switch setup using openwrt 23.05 and configuration

The lower VLAN numbers should actually be fine, but it's certainly fine to avoid them.

It is often best to have all tagged networks on a trunk (and no untagged networks), but this is not usually a hard requirement except in some specific situations with hardware that doesn't like the mixed untagged+tagged.


so far i have my virtual machine running connected to the internet, and luci up and running, so im ready to create the router(laptop) side of the vlan setup, with these screen shots what would be the most efficient way to set them up, i added the eth2 just in case its needed but i feel like i only need the 1 interface

Did some more research here

On the switch it has a default config of wan on eth0, if I leave it as is and simply remove eth4 from the br-lan I should be able to set that port up with a static for management

Then setup vlan 4 and vlan 8

If I am understanding it I would create the vlans in devices, and then setup the tagging,

Assign vlan 4 to the wan port, and vlan 8 to the br-lan?

https://www.reddit.com/r/openwrt/s/XjGnG9lnTm

Cross posted to Reddit with pics of both devices, I am documenting my steps for a full guide when I get it all worked out

It doesn’t matter which is the wan since you won’t be using the default config at all.

Your lan is not assigned to a firewall zone - be sure to assign that network to the lan firewall zone.

From your computer, let’s see the config of that openwrt install.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you for the reply, I will grab that output momentarily, I did notice that it was missing a firewall zone when I was following a video guide on this, but it got a little muddy when they mentioned deleting the existing wan and I took a pause to gather and research more.

This is all being done sterile and outside of my home network, it will replace my current home network.

To clarify, the commands and output you would like are from the virtual machine, or would it be prudent to post the command results from both the VM and the switch?

From the virtual machine to start. We will look at the er-x later.

Excellent thank you very much

ubus call system board

{
        "kernel": "5.15.132",
        "hostname": "OpenWrt",
        "system": "Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz",
        "model": "innotek GmbH VirtualBox",
        "board_name": "innotek-gmbh-virtualbox",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0-rc4",
                "revision": "r23482-7fe85ce1f2",
                "target": "x86/64",
                "description": "OpenWrt 23.05.0-rc4 r23482-7fe85ce1f2"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd36:25ab:388f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'mng'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.56.2'
        option netmask '255.255.255.0'

config interface 'lan'
        option device 'eth2'
        option proto 'dhcp'


cat /etc/config/wireless
not setup / doesnt exist

cat /etc/config/dhcp


config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


cat /etc/config/firewall


config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'mng'
        option network 'mng'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


You should be using 23.05.0 (not the rc) since the full stable release is available.

It would make sense to actually start with the default config, as you’ve actually made some changes that will need to be undone

I can easily start over.

So use the original 23.05.0 image and start with the default config? I was following the vm install directions post on here