Hi,
Let me start by saying that I've spent a long time googling and searching for a solution. I've flashed the router, all is fine, but I can't create bridges, VLANs or basically segregate and separate networks on my router which is what my main goal is:
to separate my work laptop and PC from everything else
to isolate a Tegra TX2 which runs Tor, XMR Nodes and other P2P from everything else.
to attach a WiFi to that VLAN so I can ssh into the Tegra from my laptop by connecting to the WiFi.
to attach a second WiFi to the first VLAN because my laptop doesn't have an ethernet adapter.
I have installed OpenWRT 21.02.2 and can SSH or access LuCI via HTTPS.
Steps I've taken:
I use the existing br-lan to try to set up two VLANs
I go under Network > Interfaces > Devices and select br-lan and Configure
The selected bridge ports are lan1, lan2, lan3 and lan4
Under Bridge VLAN filtering I set up filtering with Local checked:
VLAN 1 is using untagged lan1 and lan2 and VLAN 2 is using untagged lan3 and lan4
When I press "save&apply" it hangs. The exact message is "Failed to confirm within 90s, waiting for rollback".
If I press the reset button I end up rolling back to before I tried this. I'm obviously doing something wrong or I've misunderstood something.
My understanding is that this is a DSA router. All the above are done via LuCI, but I have also tried over ssh to no avail. Any help is greatly appreciated!
Ok, I finally managed to get it to work. I did the following:
Reset to Defaults
Set up the LAN static IP (it was conflicting with the Modem's IP range)
SSH into the 1900ACS (I decided LuCI wasn't doing it for me).
Installed package bridge once I verified I could connect to the internet.
This is where it gets more bizarre;
I tried the bridged approach (two different bridges) from the DSA tutorial; the 2nd bridge simply didn't work.
I tried the VLAN approach from the DSA tutorial; it now worked.
All the setting up was done over SSH using vim.
I still had to set up the firewall and routes manually, but that's most likely due to me messing the settings up as I learn.
I still haven't figured out how to isolate one of the VLANs from the router (I don't want the VLAN to have access to the "internal" side of the VLAN/router as it will be hosting publicly available services), but I suppose that's a question for another day.
Was the installation of bridge required? Or is LuCI for this version bugged? I must have tried at least 15 times using the web UI and I simply couldn't get it to work.
Set each network into its own firewall zone. Then, set input = reject on the zone(s) that should not have access to the router itself. You'll probably need to allow DHCP (67-68) and maybe DNS (53) in separate rules.
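The zone setup described in the reply above, written out as an /etc/config/firewall fragment. This is an added example, not configuration posted by anyone in the thread. The interface and zone name 'iso', the uplink zone 'wan' and the forwarding to it are assumptions.

```conf
# /etc/config/firewall (fragment, added example)
# Assumed names: 'iso' is the logical interface in /etc/config/network
# that sits on the VLAN to be isolated; 'wan' is the uplink zone.

# input REJECT: hosts in this zone cannot reach services on the
# router itself (SSH, LuCI, ...) unless a rule below allows it.
config zone
	option name 'iso'
	list network 'iso'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Assumption: the isolated hosts need internet access. There is no
# forwarding from 'iso' to 'lan', so the router does not route
# traffic from this zone into the other network.
config forwarding
	option src 'iso'
	option dest 'wan'

# A rule with 'src' and no 'dest' matches traffic addressed to the
# router, so these two are the exceptions to input REJECT.
config rule
	option name 'Allow-DHCP-iso'
	option src 'iso'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-iso'
	option src 'iso'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Reload with `/etc/init.d/firewall reload`, then check from a host in the isolated VLAN that it still gets a DHCP lease and resolves names while SSH and HTTPS to the router's address are rejected.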