Openwrt, vlan and network configuration

This time no libvirt.
This is the situation:

Router (Fritz Box 7490) connected to internet via dsl, Router has ip 192.168.0.1
Nas (192.168.0.3 bare metal) connected to Router
Http server (lxc container) on nas

My idea is to create a dmz (192.168.179.0/24) which can be reached from the internet but cannot reach the lan (192.168.0.0/24). I know the lxc container is not 100% isolated, but it is unprivileged, so I hope it is safe.

On the router I have configured the dmz this way:

/etc/config/network

config device
        option type '8021q'
        option ifname 'lan3'
        option vid '1'
        option name 'lan3.1'

config interface 'dmz'
        option proto 'static'
        option device 'lan3.1'
        option ipaddr '192.168.179.1'
        option netmask '255.255.255.0'

Of course lan3 is removed from the bridge.

This is the firewall configuration; I want lan to be able to reach dmz, but not dmz to reach lan:

config zone
        option name 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'lan3.1'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'dmz'
        option dest 'wan'

I restart the network and I can see the IP is pingable from the lan (192.168.0.0/24):

ping 192.168.179.1
PING 192.168.179.1 (192.168.179.1) 56(84) bytes of data.
64 bytes from 192.168.179.1: icmp_seq=1 ttl=64 time=5.56 ms
64 bytes from 192.168.179.1: icmp_seq=2 ttl=64 time=6.15 ms

Now I go to the Nas (192.168.0.3) and create the bridge and VLAN interface:

iface enp7s0.1 inet manual

auto br1.1
iface br1.1 inet manual
      bridge_ports enp7s0.1
      bridge_fd 0
      bridge_maxwait 0

I bring the network up:

ifup enp7s0.1
ifup br1.1

Then I configure the lxc part:

/etc/lxc/lxc-usernet

lxcunpriv veth br1.1 40

I configure the container using the vlan bridge:

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = br1.1
lxc.net.0.flags = up
lxc.net.0.hwaddr = SECRET
lxc.net.0.name = eth0

I start the container and ... nothing works.

On the container I use the IP 192.168.179.2:

eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ********** brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.179.2/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 *******/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

The container is isolated and alone: it cannot ping the internet, and cannot ping the lan.

[root@http ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.179.2 icmp_seq=1 Destination Host Unreachable
From 192.168.179.2 icmp_seq=2 Destination Host Unreachable
From 192.168.179.2 icmp_seq=3 Destination Host Unreachable
From 192.168.179.2 icmp_seq=4 Destination Host Unreachable
From 192.168.179.2 icmp_seq=5 Destination Host Unreachable
From 192.168.179.2 icmp_seq=6 Destination Host Unreachable
From 192.168.179.2 icmp_seq=7 Destination Host Unreachable
From 192.168.179.2 icmp_seq=8 Destination Host Unreachable
From 192.168.179.2 icmp_seq=9 Destination Host Unreachable
From 192.168.179.2 icmp_seq=10 Destination Host Unreachable

--- 8.8.8.8 ping statistics ---
13 packets transmitted, 0 received, +10 errors, 100% packet loss, time 12273ms
pipe 4
[root@http ~]# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
From 192.168.179.2 icmp_seq=1 Destination Host Unreachable
From 192.168.179.2 icmp_seq=2 Destination Host Unreachable
From 192.168.179.2 icmp_seq=3 Destination Host Unreachable

--- 192.168.0.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3052ms
pipe 4
[root@http ~]# ping 192.168.179.1
PING 192.168.179.1 (192.168.179.1) 56(84) bytes of data.
From 192.168.179.2 icmp_seq=1 Destination Host Unreachable
From 192.168.179.2 icmp_seq=2 Destination Host Unreachable
From 192.168.179.2 icmp_seq=3 Destination Host Unreachable
From 192.168.179.2 icmp_seq=4 Destination Host Unreachable

What am I missing? Do I have to set some NAT rules on the Nas too?

From what I can see, there are already some issues with the way you've defined the VLANs. Let's start with a complete config listing so that we can see the full context.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Actually I think it is not possible to run an lxc container with vlan, at least not unprivileged (no way to use privileged, too unsafe):

lxc.net.0.type = vlan
lxc.net.0.vlan.id = 1
lxc.net.0.link = br1.1
lxc.net.0.flags = up
lxc.net.0.hwaddr = **********
lxc.net.0.name = eth0

but...

lxc-start: http: ../src/lxc/network.c: lxc_create_network_unpriv: 3583 Invalid argument - Networks of type vlan are not supported by unprivileged containers

Do I have to give up?

These are the full configuration files:

ubus call system board
{
	"kernel": "6.6.70",
	"hostname": "router",
	"system": "xRX200 rev 1.2",
	"model": "AVM FRITZ!Box 7490 (Micron NAND)",
	"board_name": "avm,fritz7490-micron",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r28556-277642c035",
		"target": "lantiq/xrx200",
		"description": "OpenWrt SNAPSHOT r28556-277642c035",
		"builddate": "1736633575"
	}
}

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '***********'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'av'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '*******'

config device
	option name 'lan2'
	option macaddr '*******'

config device
	option name 'lan3'
	option macaddr '*******'

config device
	option name 'lan4'
	option macaddr '*******'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'dsl0'
	option macaddr '***********'

config interface 'wan'
	option device 'dsl0.835'
	option proto 'pppoe'
	option peerdns '0'
	option ipv6 '1'
	option username 'username'
	option password 'pass'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config device
	option name 'eth1'

config device
        option type '8021q'
        option ifname 'lan3'
        option vid '1'
        option name 'lan3.1'

config interface 'dmz'
        option proto 'static'
        option device 'lan3.1'
        option ipaddr '192.168.179.1'
        option netmask '255.255.255.0'

/etc/config/wireless doesn't exist

/etc/config/dhcp

config dnsmasq
	option domainneeded	1
	option boguspriv	1
	option filterwin2k	0  # enable for dial on demand
	option localise_queries	1
	option rebind_protection 1  # disable if upstream must serve RFC1918 addresses
	option rebind_localhost 1  # enable for RBL checking and similar services
	#list rebind_domain example.lan  # whitelist RFC1918 responses for domains
	option local	'/lan/'
	option domain	'lan'
	option expandhosts	1
	option nonegcache	0
	option cachesize	1000
	option authoritative	1
	option readethers	1
	option leasefile	'/tmp/dhcp.leases'
	option resolvfile	'/tmp/resolv.conf.d/resolv.conf.auto'
	#list server		'/mycompany.local/1.2.3.4'
	option nonwildcard	1 # bind to & keep track of interfaces
	#list interface		br-lan
	#list notinterface	lo
	#list bogusnxdomain     '64.94.110.11'
	option localservice	1  # disable to allow DNS requests from non-local subnets
	option ednspacket_max	1232
	option filter_aaaa	0
	option filter_a		0
	#list addnmount		/some/path # read-only mount path to expose it to dnsmasq

config dhcp lan
	option interface	lan
	option start 	100
	option limit	150
	option leasetime	12h
	option ignore '1'

config dhcp wan
	option interface	wan
	option ignore	1

/etc/config/firewall

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

config zone
        option name 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'lan3.1'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'dmz'
        option dest 'wan'

config redirect
       option name            'Http redir'
       option target          DNAT
       option src             wan
       option dest            dmz
       option proto           tcp
       option src_dport       80
       option dest_ip         192.168.179.2
       option dest_port       80
       option enabled         1

config redirect
       option name            'Https redir'
       option target          DNAT
       option src             wan
       option dest            dmz
       option proto           tcp
       option src_dport       443
       option dest_ip         192.168.179.2
       option dest_port       443
       option enabled         1

With that in mind, are you still trying to setup VLANs, or are you abandoning that path?


Trying to set up vlan. The "direct" vlan on lxc is impossible; it is possible only on privileged containers, on unprivileged ones only veth is possible. On Libvirt I had success using these commands:

ip link set virbr7 type bridge vlan_filtering 1
bridge vlan add vid 1 dev vnet1

I have tried the same on lxc but the network is still isolated: the nas cannot ping the http container and the http container cannot ping anything.

So what I see here is that you have a VLAN setup against lan3.1. This means that it is going to be VLAN 1, tagged, on port lan3. That means that the device connected to port lan3 needs to expect tagged frames on VLAN 1, and no other physical/virtual L2 interfaces can connect to the dmz network interface.

Is that your intent here?


Yes. An isolated lan which can reach the internet and can be reached from the internet and the lan, but cannot reach the lan. Let me explain better:

http will have the 192.168.179.2 address

can ping 8.8.8.8? YES
can ping 192.168.0.1? NO
can be reached from 192.168.0.0/24 lan? YES
can reach 192.168.0.0/24 lan? NO
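The YES/NO list above is a zone policy, and the firewall config posted earlier in the thread is what implements it. As an added example (not code from the thread or from OpenWrt), the script below parses the zone and forwarding sections of a UCI firewall file and checks each intended pair against what the config actually allows. The config text inside it is a constructed excerpt of the sections posted above; the parser handles only `config`, `option` and `list` lines, which is all those sections use. It models new-connection policy only: replies to accepted connections are handled by connection tracking and the DNAT redirects for ports 80/443 are a separate mechanism, so `wan -> dmz` is expected to be closed at the forwarding level.

```python
"""Check the zone-to-zone policy of an OpenWrt UCI firewall config.

Added example for this thread, not code from the thread or from OpenWrt.
FIREWALL_EXCERPT is a constructed excerpt of the zone/forwarding sections
posted in the thread; the real file on the router has many more sections."""

FIREWALL_EXCERPT = """
config zone
    option name     lan
    list   network  'lan'
    option input    ACCEPT
    option output   ACCEPT
    option forward  ACCEPT

config zone
    option name     wan
    list   network  'wan'
    option input    REJECT
    option output   ACCEPT
    option forward  REJECT

config forwarding
    option src      lan
    option dest     wan

config zone
    option name 'dmz'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list device 'lan3.1'

config forwarding
    option src 'lan'
    option dest 'dmz'

config forwarding
    option src 'dmz'
    option dest 'wan'
"""


def parse_uci(text):
    """Return [(section_type, {key: value or [values]}), ...] for UCI text."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)
        if parts[0] == 'config':
            sections.append((parts[1], {}))
        elif parts[0] in ('option', 'list') and len(parts) == 3:
            value = parts[2]
            if not value.startswith(("'", '"')):
                value = value.split('#', 1)[0]  # drop a trailing comment
            key, value = parts[1], value.strip().strip('\'"')
            fields = sections[-1][1]
            if parts[0] == 'option':
                fields[key] = value
            else:
                fields.setdefault(key, []).append(value)
    return sections


def forward_allowed(sections):
    """Return allowed(src, dst): True when new connections from zone src to
    zone dst are accepted. Inter-zone traffic needs an explicit
    'config forwarding'; intra-zone traffic follows the zone's own
    'forward' option (OpenWrt's default for a zone is REJECT)."""
    zones = {s['name']: s for kind, s in sections if kind == 'zone'}
    pairs = {(s['src'], s['dest']) for kind, s in sections if kind == 'forwarding'}

    def allowed(src, dst):
        if src not in zones or dst not in zones:
            raise KeyError(f'unknown zone in {src!r} -> {dst!r}')
        if src == dst:
            return zones[src].get('forward', 'REJECT').upper() == 'ACCEPT'
        return (src, dst) in pairs
    return allowed


# The policy the thread asks for (the YES/NO list above).
INTENDED_POLICY = {
    ('dmz', 'wan'): True,   # http container can reach the internet
    ('lan', 'dmz'): True,   # lan hosts may reach the http container
    ('dmz', 'lan'): False,  # dmz must not open connections into the lan
    ('wan', 'lan'): False,
    ('wan', 'dmz'): False,  # only the DNAT redirects let 80/443 in
}


def policy_violations(text, intended=INTENDED_POLICY):
    """(src, dst) pairs whose actual decision differs from the intent."""
    allowed = forward_allowed(parse_uci(text))
    return sorted(p for p, want in intended.items() if allowed(*p) != want)


if __name__ == '__main__':
    print('violations:', policy_violations(FIREWALL_EXCERPT))
```

Run it as-is and it reports no violations for the posted config; paste the router's real `/etc/config/firewall` into `FIREWALL_EXCERPT` (or read the file) to re-check after every change, which is cheaper than pinging from the container each time.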

Ok... before we go further, let's make sure things are clear...

  1. where are the lxc containers running? Is that on a host physically outside the OpenWrt router?
  2. Is this the main router in the network?
  3. There is a ton of non-standard stuff happening in the config.... for example, there is no DHCP server setup on the lan among other things... is this your intent and are things working as you expect except for the dmz network?
  1. all containers run in a bare-metal pc called "nas" which has IP 192.168.0.3

  2. yes, it is the main router

  3. I have a separate dhcp server; the main network (192.168.0.0/24) works fine. My idea was to create a separate network (a virtual lan or vlan) which can reach the internet, can be reached from the lan but cannot reach the lan

Delete this:

Change the device to simply lan3:

Remove the device from here:

And add this to the dmz firewall zone:

        option network 'dmz'

Reboot the router. Then connect a device to port lan3. Remember that there is no DHCP server, so the IP address must be set manually on the host(s) in the 192.168.179.0/24 network. Also keep in mind that there are no DNS services offered by the router at this time, so use a public DNS instead (at least for now).


This can work, but there is no vlan as far as I see.

Please explain on a per-port basis what you want to happen.... are multiple networks active (as a trunk) on any given port(s)? And/or do you need the (singular) network to be tagged (instead of untagged) on port lan3?


I have only two networks, 192.168.0.0/24 and 192.168.179.0/24.
I want the 192.168.179.0/24 isolated (can reach the internet, can be reached from the lan 192.168.0.0/24, cannot reach the lan 192.168.0.0/24).

That should be the case with the current configuration.

It's true that you're not technically using VLANs, but you have port 3 set to the 192.168.179.0/24 network and the other lan ports on 192.168.0.0/24.

Is there something else you want/need?


I want to use vlan; my objective is an http server in a separate network (logical, not physical, so I use vlan), and to define a vlan with tag 1 to assign to the network 192.168.179.0/24.

Your host must be vlan aware and configured to use a tagged network. This is a requirement.

And to be clear, there is no need to use VLANs in this context - it makes zero functional difference.

But if you still want to make the network tagged:

Simply replace the device with lan3.x where x is the tagged vlan id that you want to use. Remember, the host(s) connected to port lan3 must be both vlan aware and configured for the same tagged vlan id.


I forgot: the host (nas) is connected to port1, port3 is empty, but I can ping the 192.168.179.1 address from any pc of my lan (192.168.0.2, 192.168.0.3); I only can't ping from the http lxc container (which has the 192.168.178.3/24 address).

I have already made this:

config interface 'dmz'
        option proto 'static'
        option device 'lan3.1'
        option ipaddr '192.168.179.1'
        option netmask '255.255.255.0'

Well, that's a rather critical difference.

So no amount of configuration on that port will do anything.

Yes, this is expected and not an issue. You're reaching the router itself in this case, so it's actually not related to any inter-vlan routing or firewall rules. And, you stated that you want to be able to reach the dmz from your lan anyway.

Because it's plugged into a port 1. And port 1 is associated only with the 192.168.0.0/24 network.

Please describe exactly what you want each port to do.

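The point made above (lan3.1 means "VLAN 1, tagged, on port lan3", while port lan1 belongs only to the 192.168.0.0/24 network) is easy to check with a small model of a VLAN-aware switch. The following is an added illustration, not code from the thread or from OpenWrt: the port memberships are taken from the router config posted in the thread, the untagged lan network is modelled as VID 0 purely for the model, and the switch semantics are a deliberate simplification (a port accepts a tagged frame only if it is a tagged member of that VID, and an untagged frame only if it has an untagged VLAN). A Linux bridge without `vlan_filtering` behaves differently in detail, since it forwards 802.1Q frames as opaque payload, but the outcome for the thread's question is the same: a frame tagged VID 1 entering lan1 never reaches the router's dmz interface.

```python
"""Simplified VLAN-aware switch model for the router ports in this thread.

Added example, not from the thread or from OpenWrt. Memberships follow the
posted config: lan1/lan2/lan4 are untagged in br-lan, lan3 carries the dmz
as tagged VID 1 (device 'lan3.1'). VID 0 for the lan is a modelling
assumption only."""

LAN_VID = 0   # assumption: stands in for the untagged br-lan network
DMZ_VID = 1   # 'lan3.1' -> 802.1Q VID 1 on port lan3

# port -> {vid: 'tagged' | 'untagged'}
ROUTER_PORTS = {
    'lan1': {LAN_VID: 'untagged'},
    'lan2': {LAN_VID: 'untagged'},
    'lan4': {LAN_VID: 'untagged'},
    'lan3': {DMZ_VID: 'tagged'},
}

# router L3 interface -> VLAN it is attached to
ROUTER_INTERFACES = {'lan': LAN_VID, 'dmz': DMZ_VID}


def classify_ingress(ports, port, tag):
    """VLAN a frame belongs to after entering `port`, or None if the port
    does not accept it. `tag` is the frame's 802.1Q VID, None if untagged."""
    membership = ports[port]
    if tag is None:
        # Untagged frames take the port's untagged (PVID) VLAN, if it has one.
        for vid, mode in membership.items():
            if mode == 'untagged':
                return vid
        return None
    # Tagged frames are accepted only where the port is a tagged member.
    return tag if membership.get(tag) == 'tagged' else None


def reachable_interfaces(ports, interfaces, ingress_port, tag):
    """Router interfaces a frame can reach from (ingress_port, tag)."""
    vid = classify_ingress(ports, ingress_port, tag)
    if vid is None:
        return set()
    return {name for name, v in interfaces.items() if v == vid}


def egress_ports(ports, vid, ingress_port):
    """Other ports the frame is flooded to, with the tagging it leaves with."""
    return {p: m[vid] for p, m in ports.items()
            if vid in m and p != ingress_port}


if __name__ == '__main__':
    # NAS on lan1 sending tagged VID 1 (the situation in the thread)
    print(reachable_interfaces(ROUTER_PORTS, ROUTER_INTERFACES, 'lan1', 1))
    # NAS moved to lan3 with a VLAN-aware, tagged VID 1 interface
    print(reachable_interfaces(ROUTER_PORTS, ROUTER_INTERFACES, 'lan3', 1))
```

The two cases printed at the bottom are the thread in a nutshell: the first returns an empty set (nothing on lan1 can reach `dmz`, whatever the NAS tags), the second returns `{'dmz'}`. Swapping lan3's membership to `{DMZ_VID: 'untagged'}` models the "simply lan3" suggestion made earlier, where an ordinary untagged host on lan3 lands in the dmz.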

I think I understand the problem now. I used port number 3 (empty) and I was "tricked" by a previous libvirt configuration I had used for testing with two separate lans. I forgot a little "thing": the vlan must be connected at the physical level; if I configure two separate nics they must be connected with a cable/switch. libvirt uses a virtual switch and this "scam" confused me a little.
Now I'll try the configuration using a single lan, first on libvirt for testing, then in the real world.
I hope it will work, thanks for the help.