OpenWrt VLAN Interfaces

Hi,

I'm new to OpenWrt and slightly confused by VLANs and firewall zones. I have 3 physical interfaces: eth0 is WAN, eth1 is TEST, and eth2 carries the VLAN interfaces.
I am on version 21.02.1.

eth2 is eth2.10 (LAN), eth2.20 (CCTV)

eth1 TEST, can access the internet fine.
The eth2 VLANs cannot access the internet or other zones, even though eth2.10 (LAN) has the same setup as TEST.

                  input  output  forward  masquerading

TEST => LAN & WAN - accept - accept - accept - unticked
LAN => TEST & WAN - accept - accept - accept - unticked

Devices get IP addresses from the DHCP server associated with their VLAN, can ping the default gateway, and can talk at layer 2 to other devices.

Any ideas?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Please see below.
The VLAN config is slightly different from what I described: CCTV is vlan30 and gaming is vlan20.

/etc/config/network

# Loopback: standard OpenWrt default, left as-is.
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

# WAN on eth0 via DHCP.  peerdns '0' ignores the ISP-supplied resolvers; the
# router uses the two addresses listed here instead.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

# The "TEST" network from the question: untagged on eth1, 192.168.10.0/24.
# Placed in firewall zone 'test' (see /etc/config/firewall).
config interface 'LAN2'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option device 'eth1'

# 802.1q sub-interfaces of eth2.  On a board with no hardware switch the
# 'eth2.<vid>' name can also be used directly in 'config interface' without
# these device stanzas; keeping them explicit is harmless.
config device
        option type '8021q'
        option ifname 'eth2'
        option vid '10'
        option name 'eth2.10'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth2'
        option vid '20'
        option name 'eth2.20'
        option ipv6 '0'

# VLAN 10 = "LAN", 192.168.1.0/24, firewall zone 'lan'.  Address is given in
# CIDR form here, whereas LAN2 above uses ipaddr + netmask; both are accepted.
# The extra 'dns' entry is the pihole host pinned in /etc/config/dhcp
# (192.168.1.34); presumably this adds it to the router's own resolver list
# alongside the wan entries -- confirm in /tmp/resolv.conf.d/resolv.conf.auto.
config interface 'VLAN10'
        option proto 'static'
        option device 'eth2.10'
        list ipaddr '192.168.1.1/24'
        list dns '192.168.1.34'

# VLAN 20 = "gaming", 192.168.20.0/24, firewall zone 'gaming'.
config interface 'VLAN20'
        option proto 'static'
        option device 'eth2.20'
        list ipaddr '192.168.20.1/24'

config device
        option type '8021q'
        option ifname 'eth2'
        option vid '30'
        option name 'eth2.30'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth2'
        option vid '40'
        option name 'eth2.40'
        option ipv6 '0'

# IPv6 disabled on every physical port and on the VPN tunnel device.
config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth2'
        option ipv6 '0'

# tun0 has no 'config interface' stanza in this listing, so it is presumably
# brought up by the OpenVPN config rather than netifd -- confirm.  Note it is
# also not attached to any firewall zone as posted.
config device
        option name 'tun0'
        option ipv6 '0'

# VLAN 30 = "CCTV", firewall zone 'cctv'.  Subnet is 192.168.200.0/24, i.e. it
# does not follow the <vid> numbering used by the other VLANs.
config interface 'VLAN30'
        option proto 'static'
        option device 'eth2.30'
        list ipaddr '192.168.200.1/24'

# VLAN 40 = "hass", 192.168.40.0/24, firewall zone 'hass'.
config interface 'VLAN40'
        option proto 'static'
        option device 'eth2.40'
        list ipaddr '192.168.40.1/24'

/etc/config/dhcp

# Global dnsmasq settings.  rebind_protection '1' discards upstream answers
# that resolve to private addresses; if the router ever forwards queries to a
# resolver that legitimately returns 192.168.x.x answers (e.g. the pihole at
# 192.168.1.34), those replies are dropped unless the domain is listed in
# rebind_domain -- TODO confirm whether that applies here.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

# NOTE(review): interface 'lan' is not defined in /etc/config/network as
# posted (the LAN VLAN is named 'VLAN10'), so this pool and the 'LAN' pool
# below look like leftovers and are presumably inactive.  This is also the
# only pool with DHCPv6/RA enabled.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

# No DHCP service on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Pool for the TEST network on eth1: 192.168.10.100 - .249.
config dhcp 'LAN2'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'LAN2'

# See the note on 'lan' above: no interface 'LAN' exists in the network
# config as posted.
config dhcp 'LAN'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'LAN'

# Pool for VLAN10 (LAN): 192.168.1.100 - .299 is more than the /24 holds, so
# the usable range ends at .254.  dhcp_option 6 hands clients the pihole
# (192.168.1.34) as their DNS server, so VLAN10 hosts bypass the router's
# dnsmasq for name resolution.
config dhcp 'VLAN10'
        option interface 'VLAN10'
        option start '100'
        option leasetime '12h'
        option limit '200'
        list dhcp_option '6,192.168.1.34'
        list ra_flags 'none'

# Pool for VLAN20 (gaming): 192.168.20.100 - .249, router as DNS.
config dhcp 'VLAN20'
        option interface 'VLAN20'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

# Pool for VLAN30 (CCTV): 192.168.200.40 - .64.
config dhcp 'VLAN30'
        option interface 'VLAN30'
        option leasetime '12h'
        option start '40'
        option limit '25'
        list ra_flags 'none'

# Pool for VLAN40 (hass): 192.168.40.50 - .109.
config dhcp 'VLAN40'
        option interface 'VLAN40'
        option leasetime '12h'
        option start '50'
        option limit '60'
        list ra_flags 'none'

# Static leases.  MAC addresses are redacted placeholders in this post.
# 'dns 1' additionally publishes the hostname in local DNS.
config host
        option name 'iPhoneBen'
        option dns '1'
        option mac '00:00:00:00:00:00'
        option ip '192.168.1.50'

# The pihole that VLAN10 clients and the 'Allow CCTV to DNS' firewall rule
# point at.
config host
        option name 'pihole'
        option mac '00:00:00:00:00:00'
        option ip '192.168.1.34'

/etc/config/firewall

# Policy for traffic not matched by any zone: the router accepts input and
# output but refuses to forward.  An interface that is not in any zone (tun0,
# as posted -- see 'openvpn' below) is governed by these defaults only.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

# Extra rules are loaded from /etc/firewall.user.  That file is not shown in
# this post, so the notes below cover only the visible config.
config include
        option path '/etc/firewall.user'

# Zone 'lan' = VLAN10 (eth2.10, 192.168.1.0/24), IPv4 only.  forward 'ACCEPT'
# covers traffic between members of this zone; traffic to other zones still
# needs the 'config forwarding' stanzas below.
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'lan'
        option family 'ipv4'
        list network 'VLAN10'

# WAN zone: outbound traffic is masqueraded (masq '1'); unsolicited inbound
# is rejected except where a rule below opens it.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option input 'REJECT'
        list network 'wan'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

# NOTE(review): this zone has no 'list network' and no 'option device', so as
# posted it is attached to no interface and matches no traffic.  Every
# forwarding to/from 'openvpn' below is therefore inert and the tunnel
# traffic falls under 'config defaults' instead.  Binding the zone (for
# example `option device 'tun0'`, matching the device stanza in
# /etc/config/network) would make these rules take effect -- confirm the
# tunnel's device name first.
config zone
        option name 'openvpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'openvpn'

config forwarding
        option src 'openvpn'
        option dest 'wan'

# Zone 'gaming' = VLAN20 (eth2.20, 192.168.20.0/24).
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'VLAN20'
        option forward 'ACCEPT'
        option name 'gaming'

# gaming <-> lan, gaming -> openvpn, gaming -> wan, openvpn -> gaming/lan.
config forwarding
        option src 'gaming'
        option dest 'lan'

config forwarding
        option src 'gaming'
        option dest 'openvpn'

config forwarding
        option src 'gaming'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'gaming'

config forwarding
        option src 'openvpn'
        option dest 'gaming'

config forwarding
        option src 'openvpn'
        option dest 'lan'

# Zone 'cctv' = VLAN30 (eth2.30, 192.168.200.0/24).  Cameras may talk to the
# router (input ACCEPT) but nothing is forwarded by default, and output
# 'REJECT' means the router itself does not initiate connections into this
# zone.  The only egress opened for it is in the three 'Allow CCTV to ...'
# rules further down.
config zone
        option name 'cctv'
        option forward 'REJECT'
        list network 'VLAN30'
        option output 'REJECT'
        option input 'ACCEPT'

# Zone 'hass' = VLAN40 (eth2.40, 192.168.40.0/24); forwards to every other
# zone except 'test' and 'openvpn'.
config zone
        option name 'hass'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'VLAN40'
        option forward 'ACCEPT'

config forwarding
        option src 'hass'
        option dest 'cctv'

config forwarding
        option src 'hass'
        option dest 'gaming'

config forwarding
        option src 'hass'
        option dest 'lan'

config forwarding
        option src 'hass'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'cctv'

config forwarding
        option src 'lan'
        option dest 'hass'

config forwarding
        option src 'openvpn'
        option dest 'cctv'

config forwarding
        option src 'openvpn'
        option dest 'hass'

config forwarding
        option src 'gaming'
        option dest 'cctv'

config forwarding
        option src 'gaming'
        option dest 'hass'

# NOTE(review): no 'dest' and no 'dest_port', with proto 'all', so this is an
# INPUT rule that accepts every protocol and every port on the router itself
# from the listed source addresses (redacted here).  That exposes all router
# services, not just the VPN, to those hosts; restricting it to the ports
# actually needed (or dropping it if the OpenVPN rule below already suffices)
# reduces the attack surface.
config rule
        option src 'wan'
        option target 'ACCEPT'
        list src_ip 'x.x.x.x/x'
        option name 'Allow IPs to WAN'
        option family 'ipv4'
        list proto 'all'

# Accepts all ICMP types from wan to the router (no icmp_type filter).
config rule
        option name 'Allow ICMP to WAN'
        list proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'

# OpenVPN server ports on the router.  No 'proto' is given, so the firewall
# default applies (presumably tcp+udp -- confirm); narrowing it to the
# protocol the server actually uses is cleaner.  The name has a typo
# ("OenVPN"); cosmetic only.
config rule
        option name 'Allow OenVPN'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '1194-1196'
        option family 'ipv4'

# Camera egress: NTP to the internet only.
config rule
        option name 'Allow CCTV to NTP'
        list proto 'udp'
        option src 'cctv'
        option dest_port '123'
        option target 'ACCEPT'
        option dest 'wan'
        option family 'ipv4'

# Camera egress: a UDP port range into the LAN (any LAN host).
config rule
        option name 'Allow CCTV to LAN'
        list proto 'udp'
        option src 'cctv'
        option dest 'lan'
        option dest_port '14118-14124'
        option target 'ACCEPT'
        option family 'ipv4'

# Camera egress: DNS to the pihole only (no 'proto', so firewall default;
# DNS needs both udp and tcp 53).
config rule
        option name 'Allow CCTV to DNS'
        option src 'cctv'
        option dest 'lan'
        list dest_ip '192.168.1.34'
        option dest_port '53'
        option target 'ACCEPT'
        option family 'ipv4'

# Zone 'test' = LAN2 (eth1, 192.168.10.0/24), the network that works in the
# question.  It forwards to every zone except 'openvpn'.
config zone
        option name 'test'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'LAN2'

config forwarding
        option src 'test'
        option dest 'cctv'

config forwarding
        option src 'test'
        option dest 'gaming'

config forwarding
        option src 'test'
        option dest 'hass'

config forwarding
        option src 'test'
        option dest 'lan'

config forwarding
        option src 'test'
        option dest 'wan'

# NOTE(review): appears redundant -- the 'wan' zone already has masq '1',
# which masquerades everything leaving via wan, including these 192.168/16
# sources.  Harmless as far as visible, but one of the two can go.
config nat
        option name 'Nat Outbound'
        list proto 'all'
        option src 'wan'
        option src_ip '192.168.0.0/16'
        option target 'MASQUERADE'

If this is an x86 or similar device in which each Ethernet port is connected directly to the CPU (no hardware switch), you can omit the 802.1q device stanzas and simply create tagged VLANs with the eth2.10 notation, either inside a bridge or, if only one physical port carries the interface, directly in the config interface stanza.

Of course when a port is configured to emit tagged packets, the device on the other end of the cable needs to be VLAN aware and configured to accept those VLAN numbers.

When you are using a commercial VPN service to reroute all Internet use, you would configure forwarding from lan, gaming, etc. to the openvpn zone and also enable masquerade on the vpn zone. If you want some Internet use to go via the VPN and the rest directly through your ISP*, that requires VPN policy routing.

  • * meaning that all Internet usage — other than, of course, the link from the OpenVPN client running on the router to the VPN service — goes through the "raw" ISP. That exception is handled by conventional routing; it is not necessary to forward anything to wan for it to work.

The device is an APU4D4; I'm not sure about its specs in terms of a hardware switch or not. The plan is to trunk those VLANs down at least 1 physical interface, preferably 2, using LACP. I'm not sure of OpenWrt's capabilities yet, as I am moving to it from pfSense.

The other end is a Meraki switch which is VLAN aware.

The VPN service is a server/client connection between this host and a pfSense box. Currently there is no routing out to the internet via openvpn, but clients on lan and gaming should be able to talk to openvpn clients and vice versa.

No hardware switch: 3 independent (onboard) Ethernet 'cards', so mk24's advice applies.

Does that method still give a layer 3 interface for each VLAN?

Yes it does; a config interface stanza is the layer 3 object.

Now if you wanted that interface active on more than one port you'd need to build a bridge, then attach layer 3 to it:

# Example: one layer-3 interface spanning two physical ports.  eth1 joins the
# bridge untagged and eth2.20 joins tagged (VLAN 20); the bridge also switches
# frames between the two ports in software.
config device
    option type 'bridge'
    option name 'br-vlan20'
    list ports 'eth2.20'
    list ports 'eth1'

# Layer 3 is attached to the bridge, not to the member ports.
# NOTE(review): in the config posted above, eth1 already carries interface
# 'LAN2' and 192.168.20.1/24 is already interface 'VLAN20'; adopting this
# example verbatim would require removing those first.
config interface 'vlan20'
    option device 'br-vlan20'
    option proto 'static'
    option ipaddr '192.168.20.1/24'
    ... 

Here "vlan20" connects to eth1 untagged and to eth2.20 tagged. This also enables layer 2 switching between the two Ethernet ports and the virtual CPU port that holds IP 192.168.20.1. The CPU necessarily does the work of a hardware switch, moving packets from one Ethernet port to the other, although on an x86 this is a negligible amount of CPU load.

This configuration syntax only works on devices without a hardware switch.

Thanks for that info.
Do you have an example config for running multiple VLANs over a single interface?