Hello, I'm struggling to set up a new network. I hope someone is willing to verify this.
I'm working with VLANs and a "real" switch for the first time and it has been a struggle.
Devices:
1: telecom operator supplied modem
2: openwrt AX3600, connected via ethernet on WAN <> modem and via PPPoE
3: Ubiquiti switch, port 1 connected via ethernet to the OpenWrt router's LAN1
4: other devices connected to various switch ports: access points ethernet backhaul
My OpenWrt router also has wifi interfaces, which are on the default VLAN 1 and which I can use to configure the router.
It seems that I need to tag vlans on both the router's switch + the ubiquity switch. Is that correct?
So far I have managed to create VLANs, which work at least for the default network but do not work for their intended purpose (IoT, guest, ...).
I'm configuring the Ubiquiti APs (UniFi) to have 3 or more wireless networks (for VLANs: default 1, IoT 2 and guest 11). I can configure that in the UniFi software, but I do not get an IP via DHCP on guest 11 - I also do not get an IP when I plug a device into a switch port whose native VLAN is set to 11.
With DHCP and DNS I have also been battling to create specific dnsmasq configurations per VLAN - dnsmasq seems to want to launch multiple instances and crashes because port 53 is already bound.
Some things are unclear, such as the gateway to specify in each VLAN and the DNS configuration/forwarding.
cat /etc/config/dhcp
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'hybrid'
option ra 'hybrid'
option master '1'
list dhcp_option '6,8.8.8.8,8.8.4.4,1.1.1.1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dnsmasq 'brlan'
option authoritative '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option rebind_protection '0'
option localservice '1'
list interface 'lan'
list interface 'vlan1'
list interface 'vlan2'
list interface 'vlan11'
list notinterface 'pppoe-redact'
option leasefile '/tmp/dhcp-brlan.lease'
option readethers '1'
option serversfile '/etc/dnsmasq.servers'
option nonwildcard '0'
config dhcp 'vlan1'
option interface 'vlan1'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'vlan2'
option interface 'vlan2'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'vlan11'
option interface 'vlan11'
option start '100'
option limit '150'
option leasetime '12h'
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd3:53dd:b67b::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.1.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t*'
list ports 'lan2:t*'
list ports 'lan3:t*'
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'lan1'
config bridge-vlan
option device 'br-lan'
option vlan '3'
config interface 'vlan1'
option proto 'static'
option device 'br-lan.1'
option ipaddr '10.10.1.1'
option netmask '255.255.255.0'
option gateway '10.1.1.1'
option broadcast '10.10.1.255'
list dns '10.1.1.1'
list dns_search 'lan'
option defaultroute '0'
config bridge-vlan
option device 'br-lan'
option vlan '4'
config bridge-vlan
option device 'br-lan'
option vlan '5'
config bridge-vlan
option device 'br-lan'
option vlan '6'
config bridge-vlan
option device 'br-lan'
option vlan '7'
config bridge-vlan
option device 'br-lan'
option vlan '8'
config bridge-vlan
option device 'br-lan'
option vlan '9'
config bridge-vlan
option device 'br-lan'
option vlan '11'
list ports 'lan1:t'
config interface 'vlan2'
option proto 'static'
option device 'br-lan.2'
option ipaddr '10.10.2.1'
option netmask '255.255.255.0'
option gateway '10.1.1.1'
list dns '10.1.1.1'
config interface 'pppoe-redacted'
option proto 'pppoe'
option device 'wan'
option username '*'
option password '*'
option ipv6 '1'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
list dns '1.1.1.1'
config interface 'vlan11'
option proto 'static'
option device 'br-lan.11'
option ipaddr '10.10.11.1'
option netmask '255.255.255.0'
list dns '10.1.1.1'
option gateway '10.1.1.1'
config device
option name 'pppoe-redacted*'
option ipv6 '0'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vlan1'
list network 'vlan2'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'redacted'
list device 'pppoe-redacted'
list device 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan11'
config forwarding
option src 'guest'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'guest'
What you want to do is very easily achievable. However...
I would recommend that you reset your OpenWrt router to defaults because there is a lot of stuff that is either wrong or unnecessary and would need to be cleaned up. It'll be fastest to start fresh. Feel free to make a backup, but we won't be using it.
After the reset, configure just the basics (internet connectivity, wifi, your primary lan IP/subnet). Once that's done, post your config files again and we'll make the necessary additions for one additional network. From there, you'll be able to prove that network to be functional, and then you can use the same recipe to add the others.
I have reset the configuration to a minimal config with internet access over PPPoE. However, an extra interface was created and I'm not sure what to do with it: Protocol: Virtual dynamic interface (DHCPv6 client)
It does not appear to be assigned to a firewall zone automatically. I deleted the interface last time.
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdeb:95ea:89d3::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.1.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username 'user@telecom'
option password 'password'
option ipv6 'auto'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
cat /etc/config/firewall
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
Sorry for the delay here -- I missed the fact that you had replied here. Anyway...
I'm not an expert on PPPoE and IPv6, so I don't know if the DHCPv6 client will just work or if it needs other configuration details. That said, if you're not concerned about IPv6, you can just delete the interface. Normally, the wan6 interface should be attached to the wan firewall zone.
Meanwhile, now you are in a good (near-) default state and we can begin setting up the VLANs.
What port is used to connect the router to the switch?
What are the VLAN IDs and subnets that you want to configure on the router (ideally also with the names/functions of the interface -- for example: VLAN 5, 192.168.5.0/24, Guest).
What do you want the other ports of the router to do in terms of VLAN memberships?
What port is used to connect the router to the switch?
lan1
What are the VLAN IDs and subnets that you want to configure on the router (ideally also with the names/functions of the interface -- for example: VLAN 5, 192.168.5.0/24, Guest).
1 mgt 10.10.1.0/24
2 media 10.10.2.0/24
2 iot1 10.10.3.0/24
3 iot2 10.10.4.0/24
4 guest 10.10.5.0/28
What do you want the other ports of the router to do in terms of VLAN memberships?
Not sure I understood this question.
It's various bits and pieces to enable different configurations, with each VLAN designed primarily around its intended use.
And of course I like to learn by doing, but right now I'm hitting a wall with the configuration.
Some VLANs (guest) should be isolated from the rest: network access but no access to the management interface, with client isolation, and on wifi only. Some (for example media) should use a different DNS server. Some should have unfettered access to everything, restricted by a MAC allow-list (the management VLAN?).
I'd like to use the openwrt wifi only for management vlan (so mgt wifi is disabled when unneeded).
iot1 may be internet enabled while iot2 may be internet disabled...
I have deleted the IPv6 interface because it's not sufficiently clear to me how it is zoned - the tunnel interface does not allow the same type of configuration.
I learned from the guide that you also need to add DHCP and DNS firewall rules (with a zone input policy of REJECT, clients cannot reach the router's DHCP and DNS services unless rules explicitly allow them). Indeed, that explains not getting an IPv4 address on the guest VLAN before.
Sorry... I did miss this one. Didn't mean to leave you hanging.
Did you test with wifi to ensure that the guest network is functioning as expected? If everything is good, we will move on to the following changes (but if not, hold off on these changes and then let me know what issues you've observed).
First, we'll create some bridge-vlans in /etc/config/network -- add this:
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t'
And edit vlan4 to use br-lan.4 (we'll also remove the DNS and gateway lines):
config interface 'vlan4'
option proto 'static'
option device 'br-lan.4'
list ipaddr '10.10.4.1/24'
Now restart your router and connect port lan1 to your switch. Assuming VLAN 4 is setup as tagged on the switch uplink port, your guest network should now spring to life (bonus if you have a port on the switch that is configured with untagged VLAN 4 -- this will allow you to directly plug in a device and verify that the guest network operates as expected).
Ok... running into some issues where this first step causes me to lose connectivity.
Regardless of whether I'm setting it up via wireless or ethernet, I lose connectivity on both.
I tried "Bridge VLAN filtering" (1=t 2=u* 3=u*) on lan (br-lan).
Also with intermediary step (1=u* 2=u* 3=u*) and then (1=t)
I have connected via both ethernet ports tagged and untagged and also via wifi.
I have also tried doing this in one go and in separate steps (add the VLAN, then change the br-lan interface to use device br-lan.1).
This is probably invalid - only one network can be untagged on a port (although to be fair, I’m not exactly sure what you did based on your description). The best way to do this is via the config file since you can edit everything without an issue of sequencing.
Unfortunately, just changing this (first step) and restarting the network via init makes the device unreachable over wifi and ethernet - not only without DHCP, but also with a fixed IP...
Funnily enough I can still connect to the guest wifi and post this.
Sorry, I changed some things so that vlan4 becomes br-lan.5 at 10.10.5.1/24.
After much reading, the terminology of tagging, trunking, untagged, excluded and default VLAN is still unclear. Do you have another good resource for distinguishing these terms besides the OpenWrt docs?
Step 1: so far so good. Lesson learnt: change the "lan" interface at the same time to use the new management device br-lan.1, otherwise it loses connectivity.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '10.1.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
Step 2:
I guess I'll need to set up the switch before I can test and see this live...
Interestingly, the "vlan5" wifi-only VLAN network has now been replaced: the wifi network was "vlan4" ("vlan5") and now has the network "br-lan.5".
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have: