OpenWrt, VLAN, switch

My OpenWrt environment is an i7 computer with two network cards. eth0 is LAN, eth1 is WAN. In a nutshell, a very typical configuration between the bad world (the internet hole in the wall, in my case a 5G modem) and the local network. So my OpenWrt is "x86". Physically it is also simple: a tower computer with two RJ45 sockets, and my own handwritten labels "LAN" and "WAN".

After it comes a switch, an HP 1820 24-port switch.

Now I am starting to build VLANs, and it is not so clear. I am trying to build "my own network", "guest" and "other guest". No traffic between the VLANs, so in my opinion a very typical VLAN setup: "network1, network2, network3" etc.

The switch is quite clear. 24+2 ports. Tagged/untagged/exclude. VLAN. For clarity I leave out ports 1 and 2; sometimes 1 and 2 have some special use.

1: Switch. Ports 3,4,5 VLAN1, ports 6,5,7 VLAN2, ports 8,9,10 VLAN3 etc. The router is connected to port 24.

  1. Router. How to configure it? I read the OpenWrt VLAN manual, and I understand and do not understand. So... must the router contain a physical port per VLAN, and must each be connected physically with a wire to the switch? So in OpenWrt, must there be a port for VLAN 1 connected physically to switch VLAN 1, its own port for VLAN 2 connected physically to the switch? Or is it possible to connect all VLANs to this eth0 "tagged"?

In my opinion the problem is that all the VLAN schools on the internet show "how to make a separate VLAN". But no one tells "how to connect it to the internet". So it is very fine to make a separate network, but without an internet connection. No VLAN school shows "how to add its way to the internet"...

So, inside the HP switch it looks clear how to build separate VLANs. But how to configure it inside the router? And how to set its own IP addresses for every VLAN?

First, the concept of VLANs is really only applicable to packets traveling on physical media, such as the Ethernet cable between your eth0 port and the HP switch.

Inside the kernel, think of separate "networks" or "interfaces" instead of "VLANs". Start by creating a new interface named guest. This interface's physical device could be eth0.5 which means that packets with a VLAN tag of 5 to / from the switch will be in this network interface. The interface must have an IP address using the static IP protocol, set it to 192.168.X.1/24. The number X must be different from your other networks. Using the last number as 1 is conventional since it is the router for this network.

Almost always you'd want guests to get DHCP addresses from your router. This is controlled in /etc/config/dhcp. Make another instance block the same as lan, but named guest with guest as the network.

Routing to the Internet is controlled by the firewall. You could start by making a guest firewall zone that is the same as lan, and a forward from guest to wan. This is overly simple since guests won't be firewalled from trying to hack into your router. There are wiki pages about setting up a more secure firewall scenario.

Configuring the switch is outside the scope of this forum but most such switches have an existing VLAN numbered 1 which is dedicated to administration and trusted users. Change the port connected to the router to be tagged with 1 and change the physical device in OpenWrt's br-lan to be eth0.1 matching it. It is not best practice to send tagged and untagged packets on the same cable.
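What "tagged" means on the wire, and how eth0.5 comes out of eth0, is easier to see with bytes in hand. The following is an added example (not code from the original post): it builds and parses 802.1Q-tagged Ethernet frames and models the kernel's receive-side demultiplexing into eth0.<vid> sub-interfaces. The frames are constructed by hand; the MAC addresses and the "which VIDs are configured" list are assumptions for illustration.

```python
"""Added example, not from the original post: what an 802.1Q tag looks like on
the wire and how the kernel turns a tagged frame arriving on eth0 into traffic
on eth0.<vid>. Frames are constructed by hand here; no network access needed."""
import struct

TPID_8021Q = 0x8100      # EtherType value announcing that a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Ethernet II frame; with vid set, a 4-byte 802.1Q tag is inserted between
    the source MAC and the EtherType: TPID 0x8100, then TCI = PCP | DEI | VID."""
    header = _mac(dst) + _mac(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)  # DEI bit stays 0
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Split a frame into dst, src, vid (None when untagged), ethertype, payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF                        # low 12 bits carry the VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


def demux(frames, base="eth0", configured_vids=(5,)):
    """Model the 8021q receive path on the router. A frame tagged with VID n is
    handed to base.n when that sub-interface exists (OpenWrt creates it for
    'option device eth0.n'); an untagged frame stays on the base device (br-lan
    in the old config); a tag for a VID nobody configured reaches no IP
    interface, although tcpdump on the base device would still show it."""
    delivered, unmatched = {}, 0
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed["vid"] is None:
            target = base
        elif parsed["vid"] in configured_vids:
            target = f"{base}.{parsed['vid']}"
        else:
            unmatched += 1
            continue
        delivered.setdefault(target, []).append(parsed)
    return delivered, unmatched
```

The four tag bytes are the whole difference between "VLAN 5" and "no VLAN": the switch port facing the router must be set to tagged for every VID the router is expected to see, and whatever arrives untagged on that cable lands on plain eth0, which is why mixing tagged and untagged traffic on the router uplink is discouraged above.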

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc1:e63d:b73e::/48'



config device
	option ifname 'eth0'
	option vid '3'
	option name '3-alatalo'

config interface 'lan3'
	option type 'bridge'
	option ifname '3-alatalo'
	option proto 'static'
	option ipaddr '10.50.0.1'
	option netmask '255.255.255.0'

config device
	option ifname 'eth0'
	option vid '4'
	option name '4-sisaverkko'

config interface 'lan4'
        option type 'bridge'
        option ifname '4-sisaverkko'
        option proto 'static'
        option netmask '255.255.252.0'
        option ip6assign '60'
        option ipaddr '10.16.0.1'


config device
	option ifname 'eth0'
	option vid '5'
	option name '5-guest'

config interface 'lan5'
        option type 'bridge'
        option ifname '5-guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.51.0.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option hostname 'client2'


dhcp:


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan4'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '254'
	option start '10.16.1.1'

config dhcp 'lan3'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '200'
	option start '10.50.0.1'

config dhcp 'lan5'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '200'
	option start '10.51.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Maybe this way...

There is a lot wrong in these files.

You'll probably be best served by resetting to defaults and then building up (one VLAN at a time).

Using the above as an example...

  • the bridge type should not be included in the interface definition.
  • you should not specify the device as you have done, so that section should be deleted.
  • Instead, you should include option device eth0.3 if you want VLAN ID 3 (tagged) on eth0. This is the standard dotted notation.

likewise, looking at this DHCP entry as an example:

  • interface should be lan3 (the name of the actual interface), not lan.
  • start should not include the router's address on that network (so if the router uses 10.50.0.1 already, your starting address should be 10.50.0.2 or higher)
  • start should be just a single value, not a full IP address. So if you want it to actually start at 10.50.0.10, you would put 10 in that field.
  • make sure that your limit is not so high as to exceed the network size.
    • the max IP address that will be issued is start + limit - 1. So if your start is 10 and your limit is 100, your max IP is 109. Make sure you calculate this properly -- if the max IP exceeds 254 (when using a /24 network), you may have problems.

At this stage, I put the final configuration of my system here.

Now I continue studying...

Ok: this is for one VLAN, my own network. In the picture it is "4-mynetwork". What does it look like? So, in OpenWrt: "All VLANs go to eth0". And in the HP switch: "this eth0 is connected to HP switch physical hole number 22".

All VLANs are separate, as the original VLAN idea must be. But. Switch physical port 22 is "to router". Maybe VLAN number 6, "6-router", must contain ALL physical ports? This 22 of course, but also 1-21, 24, 25, 23? Is that the only way this hole 22 puts router traffic to the other holes? Hole 22 must be tagged so the VLAN numbers go in??

network file:

#comment: <lorem-ipsum>
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc1:e63d:b73e::/48'
#comment: </lorem-ipsum>

#Make a basic bridge device, everything is based on this
config device
        option type 'bridge'
        option name 'br-BASIC'
        option bridge_empty '1'
        list ports 'eth0'

#this creates the VLAN. Inside the HP switch this is VLAN number 4.
config device
        option name 'br-myownroyalnetwork.4'
        option type '8021q'
        option ifname 'br-BASIC'
        option vid '4'
#repeat for all VLAN


#This connects VLAN number 4 to router physical port 4.
config bridge-vlan
        option device 'br-BASIC'
        option vlan '4'
        list ports 'eth0:t' 
#repeat for all VLAN


#This makes the IP space for VLAN4.
config interface 'LAN4'
        option proto 'static'
        option device 'br-myownroyalnetwork.4'
        option netmask '255.255.252.0'
        option gateway '????????? ?????'
        option ipaddr '10.16.0.1'
        list dns '8.8.8.8'
#Maybe option gateway is not needed?
#repeat for all VLAN




#This configures that eth1 is from the internet; eth1 is wan, the connection to the bad world
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option hostname 'client2'


Then dhcp:


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

#THIS configures DHCP for VLAN4
config dhcp 'LAN4'
	option interface 'LAN4'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '254'
	option start '10.16.1.1'
#And repeat this for every VLAN in its own way

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Firewall:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

#COMMENT: Maybe this "zone lan" is removed because now it will be vlan1, vlan2 etc. So we use LAN1=vlan1, LAN2=vlan2 etc.? Remove this section...?
config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'

#COMMENT: NOW instead of lan it is LAN and the VLAN number.
config zone 'LAN4'
	option name 'LAN4'
	list network 'LAN4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'
#AND repeat this for every VLAN

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

#COMMENT: originally this, but now VLAN... remove this section
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

#Configure forwarding lan-wan, VLAN version...
config forwarding 'lan_wan'
	option src 'LAN4'
	option dest 'wan'
#And repeat this for every VLAN

#this is basic lorem-ipsum..... <lorem-ipsum>
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
#</lorem-ipsum>

#This allows ISA-whatever... remove this section?
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

#and now VLAN...
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'LAN4'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
#repeat this for every VLAN


config include
	option path '/etc/firewall.user'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'


none of this is correct.

I provided guidance of how to configure your x86 OpenWrt router in my earlier response.

I would highly recommend that you:

  1. Reset to defaults (router and switch)
  2. Configure your main/trusted/management network by editing the standard lan interface (if your desired config differs from the default)
  3. Configure only one additional network/VLAN end-to-end
  4. Verify that the 2 networks work as expected
  5. duplicate the methods from #3 and #4 for each of the additional networks you need to configure, one at a time.

Currently, there are so many things wrong that it is not clear if anything would work properly at all. And since it would take a lot of effort to clean it up, the reset is going to be the easiest route. Then, don't try to do everything at once -- you need to build knowledge and confidence in the configuration methods step by step in a methodical way.

Ok, "none of this is correct".

1: Switch. The switch is quite dumb in my opinion. HP switch. But in my opinion only VLAN is important in the switch. So it is quite general: all the wisdom of VLAN is only wisdom. That is, I want to use traditional port-based VLAN because it is easy to understand and the network is small. So: VLAN 3 is "guest1" and physical port 25. 4 is my own network, VLAN 4 and ports 1-21. Guest2, VLAN 5, port 23. VLAN 6, port 22, is the physical wire to the OpenWrt router. So I want to build many separate VLANs. This is just as from the VLAN bible. The only open question, and a very big question it is: "how to make an internet connection to the VLANs? What is the magic which makes the connection to the internet?"

The problem is, I have two devices: the OpenWrt router, i.e. the i7 with two network cards, named "lan" and "wan". Then I have an external switch. If I wanted to build this system with OpenWrt and the i7 alone, I would have to find a network card with 24 ethernet ports. That is, if I wanted to build this with the i7, I would have to take 24 USB network cards. Not a clever idea, maybe.

2: Step by step I try. So, the first step is the file named "network". Now my router works: maybe 2 years ago or 1 year ago (I do not remember) I made the OpenWrt router. Then I built three site-to-site VPN networks. All this works well now.
Present, fully working network without VLANs:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc1:e63d:b73e::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.252.0'
	option ip6assign '60'
	option ipaddr '10.16.0.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option hostname 'client2'

OK, THEN THE NETWORK FILE FOR ONLY ONE VLAN, E.G. 4 (MY OWN):

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc1:e63d:b73e::/48'


#Make a basic bridge device, everything is based on this
config device
        option type 'bridge'
        option name 'br-BASIC'
        option bridge_empty '1'
        list ports 'eth0'

#this creates the VLAN. Inside the HP switch this is VLAN number 4.
config device
        option name 'br-myownroyalnetwork.4'
        option type '8021q'
        option ifname 'br-BASIC'
        option vid '4'
#repeat for all VLAN


#This connects VLAN number 4 to router physical port 4.
config bridge-vlan
        option device 'br-BASIC'
        option vlan '4'
        list ports 'eth0:t' 
#repeat for all VLAN


#This makes the IP space for VLAN4.
config interface 'LAN4'
        option proto 'static'
        option device 'br-myownroyalnetwork.4'
        option netmask '255.255.252.0'
        option gateway '????????? ?????'
        option ipaddr '10.16.0.1'
        list dns '8.8.8.8'
#Maybe option gateway is not needed?
#repeat for all VLAN




#This configures that eth1 is from the internet; eth1 is wan, the connection to the bad world
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option hostname 'client2'

**THEN, we open this step by step:**

#Make a basic bridge device, everything is based on this
config device
        option type 'bridge'
        option name 'br-BASIC'
        option bridge_empty '1'
        list ports 'eth0'

Is this right? This starts by making a "basic bridge".

Next, create the VLAN:

#this creates the VLAN. Inside the HP switch this is VLAN number 4.
config device
        option name 'br-myownroyalnetwork.4'
        option type '8021q'
        option ifname 'br-BASIC'
        option vid '4'
#repeat for all VLAN

Is this right? Here is this ".4" notation.

#This connects VLAN number 4 to router physical port 4.
config bridge-vlan
        option device 'br-BASIC'
        option vlan '4'
        list ports 'eth0:t' 
#repeat for all VLAN

Right?

Then the IP space for vlan4:

#This makes the IP space for VLAN4.
config interface 'LAN4'
        option proto 'static'
        option device 'br-myownroyalnetwork.4'
        option netmask '255.255.252.0'
        option gateway '????????? ?????'
        option ipaddr '10.16.0.1'
        list dns '8.8.8.8'
#Maybe option gateway is not needed?
#repeat for all VLAN

And finally the "wan", no difference from the present:




#This configures that eth1 is from the internet; eth1 is wan, the connection to the bad world
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option hostname 'client2'

Is this way right? If so, then I can continue to dhcp and firewall.

You do not need bridges in your x86 based router (there are only two physical interfaces, and bridges are therefore not necessary for most configurations).

VLANs can be created with device eth0.x where x is the vlan id. Do not use the dsa config syntax that you have used. It doesn’t apply here.

Remove all the extra stuff you added. Take the very basic config and then add vlan 4. It should look like this:

config interface 'lan4'
        option proto 'static'
        option device 'eth0.4'
        option netmask '255.255.252.0'
        option ipaddr '10.16.0.1'

network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc1:e63d:b73e::/48'

config interface 'lan4'
	option proto 'static'
        option device 'eth0.4'
	option netmask '255.255.252.0'
	option ipaddr '10.16.0.1'

config interface 'lan3', eth0.3, mask, ip
config interface 'lan5' etc etc.

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option hostname 'client2'

dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

#this is just my present, working dhcp, simply add 'lan4'
config dhcp 'lan4'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '254'
	option start '10.16.1.1'

config dhcp 'all other vlans same way'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

#this is original and unmodified: config zone 'lan', option name lan, list network lan ----> lan4, lan3 etc., all VLANs
config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'
#and so on, all of lan, lan3, lan4 etc....

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

#!!!!!
#this is original and unmodified:
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'
#change this ----->
config forwarding 'lan_wan'
	option src 'lan4'
	option dest 'wan'

config forwarding 'lan_wan'
	option src 'lan3'
	option dest 'wan'
#etc., all VLANs
#!!!!!!

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

#maybe these rules must be modified...
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

This is wrong. Again, look at my earlier response on the dhcp config.

These don’t do anything. All VLANs are part of the lan firewall zone. If you want them to have different rules, you need to structure accordingly.

No, not written exactly :).

#this is just my present, working dhcp, simply add 'lan4'
config dhcp 'lan4'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '254'
	option start '10.16.1.1'

config dhcp 'lan4'
	option interface 'lan4'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '254'
	option start '10.16.1.1'

config dhcp 'lan3'
	option interface 'lan3'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
#so here will be the dhcp area of vlan3:
	option limit 'XXYY'
	option start 'IP' 

#And then etc.:
config dhcp 'lan5'
	option interface 'lan5'

**So "config dhcp 'lan<number of LAN, same as in the network file>'", "option interface '<same number>'" and the IP address.**

Firewall:

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

Does this really work? The "network" file does not contain this "lan", there is only:

config interface 'lan4'
	option proto 'static'
        option device 'eth0.4'
	option netmask '255.255.252.0'
	option ipaddr '10.16.0.1'

FOR EVERY VLAN: "config interface 'lan4', option device 'eth0.4'". As I wrote earlier, "network file". So, in the firewall there is only "config forwarding lan wan, source lan (without number), dest wan". "All VLANs are part of the lan firewall zone" you wrote; how does the router understand it?

This is wrong. You do not appear to be following the guidance I gave you.

The firewall is zone based, not network based. You appear to have put all of the networks into a single zone called lan.

If that is the case, all of them will be in the same zone.

Do me a favor: post your current configuration files without any comments. The comments you have added are confusing. I do not need your comments to be able to see if you have configured the files correctly or not. You are best served by trying to add only one network now. You can add the others later - after the first new network is working exactly as expected.

Ok. Now it looks clear. I have collected all your information.

FIRST OF ALL, this is my network finally


I removed the "management" VLAN because it makes the system too complicated. "Step by step" is a good idea, but not now, because it looks like it makes the system fuzzy. The system is easy and the VLAN quantity so low; better to make all at once.

NETWORK

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc1:e63d:b73e::/48'


config interface 'lan3'
	option proto 'static'
        option device 'eth0.3'
	option netmask '255.255.255.0'
	option ipaddr '10.51.0.1'

config interface 'lan4'
	option proto 'static'
        option device 'eth0.4'
	option netmask '255.255.252.0'
	option ipaddr '10.16.0.1'

config interface 'lan5'
	option proto 'static'
        option device 'eth0.5'
	option netmask '255.255.255.0'
	option ipaddr '10.50.0.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option hostname 'client2'

DHCP

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan3'
	option interface 'lan3'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '233'
	option start '10.51.0.21'

config dhcp 'lan4'
	option interface 'lan4'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '254'
	option start '10.16.1.1'

config dhcp 'lan5'
	option interface 'lan3'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '233'
	option start '10.50.0.21'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

FIREWALL

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

You wrote "All VLANs are part of the lan firewall zone". I tried to google "how" but cannot find information; so, I am quite sure "all VLANs are automatic". So "config zone lan", "list network lan" in the firewall file automatically makes all VLANs belong to that zone.

I tried to collect all the information found in this discussion, and now it looks like everything I found is ok. Please correct if any place is wrong. Then I will start testing :)

I have told you several times already: the start value should not be a full address. It is just a single number (like 21 instead of 10.51.0.21).

You appear to have entirely removed your lan firewall zone. You currently have no firewall zone(s) to which you would assign your networks. I have no idea why you deleted your lan zone. Currently, the networks will fall under the default (no-zone assignment) configuration.

And you also removed your default lan from the network config (not sure if you were planning to use it or not).

You are also not following my advice about working one at a time to get a network working end to end. So every mistake you make requires 3 times the effort to resolve.
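A small check (an added example, not code from this thread or from OpenWrt) for the problem just described, an interface that appears in no firewall zone's network list, plus a second one that shows up in the configs posted in this thread, two interfaces given the same ipaddr. The network and firewall files it reads here are constructed inline, cut down to the stanzas that matter, and shaped like the configs in this thread.

```shell
#!/bin/sh
# Added example (not part of this thread or of OpenWrt): check
# /etc/config/network and /etc/config/firewall for an interface that is in
# no firewall zone (it then gets the default, no-zone treatment) and for
# two interfaces that carry the same ipaddr.
# Usage: check_config /etc/config/network /etc/config/firewall

check_config() {
	awk -v q="'" '
	# value of a config/option/list line: fields 3..NF with quotes stripped
	function val(   s, i) { s = $3; for (i = 4; i <= NF; i++) s = s " " $i; gsub(q, "", s); return s }
	$1 == "config" && $2 == "interface" { cur = val(); if (cur != "loopback") iface[cur] = 1; next }
	$1 == "config" { cur = ""; next }   # zone, rule, device, dhcp, ...
	$1 == "option" && $2 == "ipaddr" && cur != "" {
		v = val()
		if (v in owner) print "duplicate ipaddr " v ": " owner[v] " and " cur
		else owner[v] = cur
	}
	# zone membership: repeated "list network" lines or one "option network" line
	$1 ~ /^(list|option)$/ && $2 == "network" { n = split(val(), a, " "); for (i = 1; i <= n; i++) zoned[a[i]] = 1 }
	END { for (i in iface) if (!(i in zoned)) print "no zone: " i }
	' "$@" | LC_ALL=C sort
}

# Constructed sample files, cut down to the stanzas that matter and shaped
# like the configs posted in this thread
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/network" <<'EOF'
config interface 'lan'
    option device 'eth0.6'
    option ipaddr '10.16.0.1'

config interface 'lan3'
    option device 'eth0.3'
    option ipaddr '10.51.0.1'

config interface 'lan4'
    option device 'eth0.4'
    option ipaddr '10.16.0.1'
EOF
cat > "$tmp/firewall" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
EOF
check_config "$tmp/network" "$tmp/firewall"
```

On the sample above it reports `duplicate ipaddr 10.16.0.1: lan and lan4`, `no zone: lan3` and `no zone: lan4`; run against the real files on the router, an empty output is what you want before going further.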

Hm, it looks like there is some big mistake here: my PRESENT configuration without VLANs has worked for 2 years. Without problems.

Present network is 10.16.0.0/30:
network

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.252.0'
	option ip6assign '60'
	option ipaddr '10.16.0.1'

DHCP

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option limit '254'
	option start '10.16.1.1'

Earlier I posted my complete configuration. This works. I know this works because it.... works. The static IP area is 10.16.0.1....10.16.0.254. The dynamic IP area is 10.16.1.1...10.16.1.254.

In the new configuration, this "10.16" network goes to VLAN number 4.

This I cannot understand: "I have told you several times already: the start value should not be a full address. It is just a single number (like 21 instead of 10.51.0.21)." This must be wrong!?

Compare: "network" 10.16.0.1 etc., dhcp 10.16.1.1 etc. This works; my whole network is filled with static-IP devices (printers, etc.). And when I add a DHCP device, voilà, its IP is 10.16.1.1...254!

Now I add two more areas, 10.50.0.0/24 and 10.51.0.0/24. Of course: network file "10.50.0.1" and dhcp 10.50.0.21 (and the same for 51).

This logic does not go into my brain. Now static 10.16.0.1, dhcp 10.16.1.1, and this is ok. But suddenly static 10.50.0.1, DHCP NOT 10.50.0.21. Why is this not logical? "Sometimes in dhcp you must use the full IP, sometimes only the start; there is no rule why, and if you ask why, there is no reason.... so, use dice..."


Network: No, I did not delete the lan zone. I read the information you wrote earlier: "You do not need a bridge" etc.

Here is one earlier configuration, now filled in with the latest correct information. But you said it was wrong...

config device
        option type 'bridge'
        option name 'br-BASIC'
        option bridge_empty '1'
        list ports 'eth0'

config device
        option name 'br-hobbyhouse.3'
        option type '8021q'
        option ifname 'br-BASIC'
        option vid '3'

config device
        option name 'br-mynetwork.4'
        option type '8021q'
        option ifname 'br-BASIC'
        option vid '4'

config device
        option name 'br-guestwlan.5'
        option type '8021q'
        option ifname 'br-BASIC'
        option vid '5'

config interface 'lan3'
        option proto 'static'
        option device 'br-hobbyhouse.3'
        option netmask '255.255.255.0'
        option gateway '10.51.0.1'
        option ipaddr '10.16.0.1'
        list dns '8.8.8.8'

config interface 'lan5'
        option proto 'static'
        option device 'br-guestwlan.5'
        option netmask '255.255.255.0'
        option gateway '10.50.0.1'
        option ipaddr '10.16.0.1'
        list dns '8.8.8.8'

config interface 'lan4'
        option proto 'static'
        option device 'br-mynetwork.4'
        option netmask '255.255.252.0'
        option gateway '10.16.0.1'
        option ipaddr '10.16.0.1'
        list dns '8.8.8.8'

This was an earlier configuration I tried. I have now completed it with the latest information: "locked" VLAN numbers, names, IPs. Now I cannot understand: is there any exact way to make this? Please see my last complete configuration. So, I must add "lan" to that set, but if I do not use a bridge, how do I add it? Please note my last complete configuration set.... I try to follow your information as exactly as possible. I read and re-read the earlier discussion, I also googled, read other threads, checked videos, and no, no information anywhere. My brain says "the only way to make this is to use a bridge", but it looks like that is also the wrong way?

I removed the lan... because you said earlier this configuration was wrong :(.

--

In my opinion my case is very, very typical. But it is too typical: it is not possible to find sample network, dhcp and firewall files... I follow exactly everything you wrote, but when I follow it, "this is wrong". Also some details are fuzzy, e.g. the dhcp start: "sometimes the complete IP, sometimes only one number", no logic....
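To make the start/limit rule concrete, here is a small POSIX sh function (an added example, not part of this thread and not OpenWrt's own init scripts) that computes the lease range a "config dhcp" stanza describes, using the semantics the OpenWrt wiki documents: start is an offset from the interface's network address, limit is the number of addresses. It shows that the old 10.16.1.1...10.16.1.254 range in 10.16.0.0/22 is start '257' with limit '254', and it rejects a dotted address or a range that runs past the broadcast address.

```shell
#!/bin/sh
# Added example (not OpenWrt's own dnsmasq init code): compute the lease
# range that a UCI "config dhcp" stanza describes.  Per the OpenWrt wiki,
# "start" is an offset from the interface's network address and "limit"
# is the pool size; neither of them is a dotted address.

ip2int() {   # dotted quad -> 32-bit integer
	old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
	echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {   # 32-bit integer -> dotted quad
	echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# dhcp_range <ipaddr> <netmask> <start> <limit>
# Prints "<first> <last>".  Returns 2 if start is a dotted address (and
# says which offset it corresponds to), 1 if the range does not fit in
# the subnet's usable host range.
dhcp_range() {
	net=$(( $(ip2int "$1") & $(ip2int "$2") ))
	bcast=$(( net | (4294967295 - $(ip2int "$2")) ))
	case $3 in
		*.*) echo "start '$3' is an address; as an offset from $(int2ip "$net") it is $(( $(ip2int "$3") - net ))" >&2
		     return 2 ;;
	esac
	first=$(( net + $3 )); last=$(( net + $3 + $4 - 1 ))
	if [ "$3" -lt 1 ] || [ "$4" -lt 1 ] || [ "$last" -ge "$bcast" ]; then
		echo "range $(int2ip "$first")-$(int2ip "$last") does not fit in $(int2ip "$net")/$2" >&2
		return 1
	fi
	echo "$(int2ip "$first") $(int2ip "$last")"
}

# Worked cases from this thread:
dhcp_range 10.16.0.1 255.255.252.0 257 254   # -> 10.16.1.1 10.16.1.254
dhcp_range 10.50.0.1 255.255.255.0 21 200    # -> 10.50.0.21 10.50.0.220
dhcp_range 10.16.0.1 255.255.252.0 10.16.1.1 254 || true   # rejected; reports offset 257
```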

HA! Now I understand!

NETWORK

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc1:e63d:b73e::/48'

config globals 'globals'
	option ula_prefix 'fdc1:e63d:b73e::/48'


config interface 'lan'
	option proto 'static'
	option device 'eth0.6'
	option netmask '255.255.252.0'
	option ipaddr '10.16.0.1'

config interface 'lan3'
	option proto 'static'
	option device 'eth0.3'
	option netmask '255.255.255.0'
	option ipaddr '10.51.0.1'

config interface 'lan4'
	option proto 'static'
	option device 'eth0.4'
	option netmask '255.255.252.0'
	option ipaddr '10.16.0.1'

config interface 'lan5'
	option proto 'static'
	option device 'eth0.5'
	option netmask '255.255.255.0'
	option ipaddr '10.50.0.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option hostname 'client2'

Now I understand it :). Simply add an interface "lan", connect it to the VLAN "6-router", VLAN number 6, with the static IP of the router, which is 10.16.0.1!

config interface 'lan'
	option proto 'static'
	option device 'eth0.6'
	option netmask '255.255.252.0'
	option ipaddr '10.16.0.1'

Does not work... some mistake, I cannot understand what. The last example I wrote must be right... but it does not work...