OpenWRT VLANs and LAN subnet configuration

I'm working on a setup with two routers and running into a couple of issues I could use some help with.

My setup:

  • Router A (main upstream router)
    • IP: 192.168.2.1
    • LAN subnet: 192.168.2.0/24
    • DHCP: Enabled
  • Router B (OpenWRT, downstream router)
    • WAN: DHCP client of Router A → gets 192.168.2.3
    • LAN: 192.168.3.1 with its own DHCP server
    • VLAN 99 = my internal LAN (configured as shown here)
    • VLAN 10 & VLAN 20 = guest and IoT networks
    • All VLANs are working and get internet correctly

What I want to do:

  1. Change Router B’s LAN from 192.168.3.x to 192.168.2.x
  • Can I do this while still using Router B as a router (or an access point)?
  • If yes, how do I configure this properly via LUCI?
  • I want to avoid breaking DHCP or creating conflicts.
  2. Block VLANs 10 and 20 from accessing 192.168.2.x
  • Right now, devices in VLAN 10 and 20 can reach things like 192.168.2.1 and 192.168.2.3
  • I want them to have internet only — no access to the upstream LAN
  • What’s the best way to do this in LUCI?

Any help, tips, or example configs would be really appreciated. Thanks in advance.

You can do it if you move VLANs 10, 20 and 99 from router B to router A.
It depends on what's running on router A. Is it OpenWrt or something different?

Router A will become the only router on the network, with DHCP, etc.
Router B will become a dumb AP.

ps:
https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap#notes

Here, if you want, you can do it at firewall level (even with the current configuration).

ps: This applies to IPv4 addresses and private network addresses.

example:

config rule 'guest_private'
        option name 'Drop forward guest zone to private nets'
        option src 'guest'
        option family 'ipv4'
        option dest '*'
        option target 'REJECT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        list dest_ip '192.168.0.0/16'
        list dest_ip '172.16.0.0/12'
        list dest_ip '10.0.0.0/8'

config rule 'iot_private'
        option src 'iot'
        option name 'Drop forward iot zone to private nets'
        option dest '*'
        option family 'ipv4'
        option target 'REJECT'
        list proto 'all'
        list dest_ip '192.168.0.0/16'
        list dest_ip '172.16.0.0/12'
        list dest_ip '10.0.0.0/8'

Unfortunately, Router A is not OpenWRT-compatible and lacks VLAN configuration capabilities. Given this limitation, is there an alternative method to reassign Router B’s LAN IP range from 192.168.3.x to 192.168.2.x?

If that's not feasible, I’m prepared to maintain two separate subnets. However, I’m currently facing a challenge: from Client 0 (192.168.2.188, connected to Router A), I’m unable to reach Client 1 (192.168.3.145, connected to Router B). The command:

ping 192.168.3.145

results in a timeout.

How can I enable access from Router A’s network to all clients on Router B’s LAN or VLANs, considering Router A does not support static routing to the 192.168.3.0/24 subnet?

Make B's WAN into a bridge and place any Ethernet ports or wifi APs that you want to be in the A network (192.168.2.0) into that bridge. Devices connected to that AP or port will be directly assigned IP addresses by A and routed by A. The other networks on B will still be routed by B. B's wan network on br-wan (the new bridge) will still hold 192.168.2.3.

A cleaner approach requires having some control of Router A, specifically being able to install a static route in it. If you can do that (most stock firmware and some ISP provided "gateway" routers allow it), then you can configure A with a route like this:
192.168.3.0/24 via 192.168.2.3
Then in router B turn off the Masquerade on the wan and add a rule allowing wan->lan forwarding (in addition to the existing lan->wan forwarding). This is called symmetric routing. A device in the A network can use its .2.X address to reach a .3.X address because the A router knows that the .3 network is reachable at router B's WAN IP. The B firewall can be used to selectively allow or block certain IP addresses and/or ports if you want.
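To check what the firewall-level approach from the earlier reply and the wan->lan forwarding from this one actually do before applying them, here is an added Python checker (not from the thread or the OpenWrt project) that parses a UCI firewall fragment and reports the forward verdict for a zone/destination pair; the embedded fragment is constructed for the example, and protocol/port matching is deliberately left out.

```python
import ipaddress

# Constructed excerpt (not the poster's dump): the 'guest_private' REJECT rule
# from the earlier reply plus the wan->lan forwarding used for symmetric routing.
SAMPLE = """config forwarding
\toption src 'guest'
\toption dest 'wan'
config forwarding
\toption src 'wan'
\toption dest 'lan'
config rule 'guest_private'
\toption src 'guest'
\toption dest '*'
\toption family 'ipv4'
\toption target 'REJECT'
\tlist proto 'all'
\tlist dest_ip '192.168.0.0/16'
\tlist dest_ip '172.16.0.0/12'
\tlist dest_ip '10.0.0.0/8'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})], keeping file order."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            name = parts[2].strip("'\"") if len(parts) > 2 else ""
            sections.append((parts[1], {"_name": [name]}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections

def forward_verdict(sections, src_zone, dst_ip, dst_zone):
    """fw4 order for forwarded traffic: explicit rules first, then zone
    forwardings, otherwise the default DROP. Protocol/port matching omitted."""
    ip = ipaddress.ip_address(dst_ip)
    fam = "ipv4" if ip.version == 4 else "ipv6"
    for kind, s in sections:
        if kind != "rule" or s.get("src") != [src_zone] or "dest" not in s:
            continue  # a rule without 'dest' is an input rule, not a forward rule
        if s["dest"] not in (["*"], [dst_zone]) or s.get("family", [fam]) != [fam]:
            continue
        nets = [ipaddress.ip_network(n) for n in s.get("dest_ip", [])]
        if not nets or any(ip in n for n in nets):
            return s["target"][0]
    for kind, s in sections:
        if kind == "forwarding" and s.get("src") == [src_zone] and s.get("dest") == [dst_zone]:
            return "ACCEPT"
    return "DROP"
```

Dropping the 'guest_private' section from the parsed list and re-running the check for 192.168.2.1 shows why the guest->wan forwarding alone lets guests reach the upstream LAN.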

Thank you. I followed your advice but did not manage to connect my VLANs. Here are the steps I took:

  1. In my br-lan, I bridge all eth ports and wan together.
  2. Br-lan also has VLAN filtering enabled: I assign VLAN 99 both to port 1 and wan, port 2 to VLAN 20, 3 to 3 etc.
  3. I make sure that br-lan acts as a DHCP client (or has a static IP address of 192.168.2.3).
  4. As wan is bridged, I remove this interface.
  5. When I connect over port 1, I indeed get an IP address from router A in the domain 2.X. However, I cannot connect to the internet via any of my VLANs. I make sure that their gateway is 192.168.2.1 but it does not change anything.
  6. I checked in the firewall - even with accept across the board, VLANs do not reach the internet.

Do you have any explanation? If I go with the cleaner approach (ie keeping two different domains), it works.

Let's see the current complete configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you.

When I traceroute from 192.168.10.x (VLAN 10) to 192.168.2.1 (which should be the main gateway on router A), the packet seems to be stuck at 192.168.10.1 (on router B) and does not reach router A. Same issue with wifi_IoT.

Note that VLAN 30 should not reach the internet by configuration.

Below is the configuration:

ubus call system board

{
	"kernel": "x",
	"hostname": "openwrt",
	"system": "xxxx",
	"model": "xxxx",
	"board_name": "xxxx",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "x",
		"target": "x",
		"description": "OpenWrt 24.10.0 r",
		"builddate": "x"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'x'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.99'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.2.1'
	list dns '8.8.8.8'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan4'

config interface 'vlan_20'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'vlan_10'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'vlan_30'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

config interface 'wifi_IoT'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option device 'ap-IoT'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '2'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan_20'
	option interface 'vlan_20'
	option start '2'
	option limit '20'
	option leasetime '12h'

config dhcp 'vlan_10'
	option interface 'vlan_10'
	option start '2'
	option limit '20'
	option leasetime '12h'

config dhcp 'vlan_30'
	option interface 'vlan_30'
	option start '2'
	option limit '20'
	option leasetime '12h'

config dhcp 'wifi_IoT'
	option interface 'wifi_IoT'
	option start '2'
	option limit '150'
	option leasetime '12h'

cat /etc/config/firewall

config defaults
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option log '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vlan_20'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'vlan_20'

config forwarding
	option src 'vlan_20'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vlan_20'

config zone
	option name 'vlan_10'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'vlan_10'

config forwarding
	option src 'vlan_10'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vlan_10'

config zone
	option name 'vlan_30'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'vlan_30'

config forwarding
	option src 'lan'
	option dest 'vlan_30'

config rule
	option name 'Allow-192.168.2.0-to-LAN'
	option src 'wan'
	option target 'ACCEPT'
	list proto 'all'
	list src_ip '192.168.2.0/24'

config rule
	option name 'Allow-192.168.2.0-to-LAN'
	option src 'wan'
	option target 'ACCEPT'
	list src_ip '192.168.2.0/24'
	list proto 'all'
	option dest '*'

config rule
	option name 'VLAN 20 DHCP and DNS'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option src 'vlan_20'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'VLAN 20 Drop forward to private nets'
	option src 'vlan_20'
	option family 'ipv4'
	option dest '*'
	option target 'DROP'
	list dest_ip '192.168.0.0/16'
	list dest_ip '172.16.0.0/12'
	list dest_ip '10.0.0.0/8'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config rule
	option name 'VLAN 10 DHCP and DNS'
	option src 'vlan_10'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config rule 'vlan_20'
	option name 'VLAN 20 Drop forward to private nets'
	option src 'vlan_20'
	option family 'ipv4'
	option dest '*'
	option target 'DROP'
	list dest_ip '192.168.0.0/16'
	list dest_ip '172.16.0.0/12'
	list dest_ip '10.0.0.0/8'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config rule
	option name 'VLAN 30 DHCP and DNS'
	option src 'vlan_30'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config rule
	option name 'VLAN 30 Drop forward to private nets'
	option src 'vlan_30'
	option family 'ipv4'
	option dest '*'
	option target 'DROP'
	list dest_ip '192.168.0.0/16'
	list dest_ip '172.16.0.0/12'
	list dest_ip '10.0.0.0/8'
	list proto 'icmp'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'WIFI IoT DHCP and DNS'
	option src 'wifi_IoT'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config rule
	option name 'WIFI IoT Drop forward to private nets'
	option src 'wifi_IoT'
	option family 'ipv4'
	option dest '*'
	option target 'DROP'
	list dest_ip '192.168.0.0/16'
	list dest_ip '172.16.0.0/12'
	list dest_ip '10.0.0.0/8'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config forwarding
	option src 'wan'
	option dest 'lan'

config zone
	option name 'wifi_IoT'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'wifi_IoT'

config forwarding
	option src 'wifi_IoT'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wifi_IoT'