Overlapping interfaces for VLAN DHCP and Firewall rules. ok or not?

Using OpenWrt 19.4.4 on a fresh install (default settings)
Would it be considered a good practice to achieve VLAN subnetting for DHCP and Firewall purposes as follows:

using LUCI
First I change the default LAN interface ip range to 10.0.0.1 255.0.0.0 (Class A network?) having no DHCP server.
Then I create a VLAN 10 in Network->Switch with some ports configured
Then I create a new interface (ifname = if_Guest) with an overlapping ip range 10.10.0.1 255.255.0.0 (Class B network?) on eth0.10 (VLAN10) having a DHCP start of 1 and end of 255x254 = 64770 (I am looking to make all available ip addresses leasable)

Now I am not sure if this would make if_Guest implicitly be part of the LAN interface firewall zone as the IP ranges overlap.

If so, would it be ok if I make a firewall rule that applies to a specific ip range or if_Guest rather than a specific firewall zone (after all the if_Guest does not have a firewall zone defined)

Or should I take a different approach altogether?

Network classes have long been deprecated in favor of CIDR.

It is recommended to use smaller subnets such as /24.
In addition, you'd best avoid collisions with 10.0.0.0/8 as it is often used by ISPs and VPN providers.

There's no need unless you have a really good reason.

Yep, there are multiple ways to configure the firewall, but the zone model is considered to be easier to set up, audit and maintain.


Zones are attached via interfaces in the zone definition...

What you are attempting to do is an advanced setup... the general advice is to use totally separate L3 networks...

If you wish to test advanced things (overlapping L3 networks)... you need to be familiar with troubleshooting OpenWrt and be able to test things at all levels of the OS... and provide the necessary level of debug output when requesting assistance.

Typical masq is also interface based... so you'll probably need custom config/init parameters to work around any overlap...


How is routing supposed to work on those overlapping networks? Why do weird configurations unnecessarily?


Wow, it seems I was ill-informed in believing that 10.x.x.x was private. Does anyone know where I can read more about this?

In the meantime I've read this is not so. Slowly I am getting less clueless.

Yes, I know. That is why I wrote 'implicitly', as the range of if_Guest overlaps with the LAN range, which does have a firewall zone. I guess there is no point in digging deeper into this now, since the general consensus here seems to be that my idea is not recommended.

I, as a newcomer to routing and networking in general, have no idea yet. This is why I turn to the forum.
I was under the impression that most if not all members here are good-natured enthusiasts who have patience for 'stupid' questions.
But your point is well taken nonetheless. Thanks for that!

It is private, but some ISPs and most VPN providers still use it due to the lack of public IPs.

Forget about the overlapping networks; you do not need them, they add complexity and give no advantage. Just use a different non-overlapping segment for each network.

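To make the objections in the thread concrete, here is an added example (not from the thread or from OpenWrt itself) in Python. It models the layout from the question (a 10.0.0.0/8 LAN and a 10.10.0.0/16 guest VLAN with a DHCP pool of start 1 and limit 64770), reports which interfaces overlap and what is wrong with the pool, then builds the non-overlapping per-VLAN plan the replies recommend and renders it as UCI commands. The base block 192.168.0.0/16, the /24 size, the 100/150 DHCP pool and the function names are my assumptions; the UCI syntax uses the `ifname` option of the 19.07 series, as in the question.

```python
"""Check an OpenWrt interface plan for overlapping subnets and bad DHCP pools,
then propose one /24 per VLAN with its own firewall zone (added example)."""
import ipaddress
from itertools import combinations

# Constructed sample: the layout proposed in the question.
# dhcp is (start, limit) as OpenWrt's /etc/config/dhcp uses them, or None.
ASKED_PLAN = {
    "lan":      {"ip": "10.0.0.1",  "mask": "255.0.0.0",   "dhcp": None},
    "if_Guest": {"ip": "10.10.0.1", "mask": "255.255.0.0", "dhcp": (1, 64770)},
}


def to_network(ip, mask):
    """Interface address + dotted netmask -> the CIDR subnet it belongs to."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def find_overlaps(plan):
    """Return sorted (a, b) name pairs whose subnets overlap; [] when clean."""
    nets = {name: to_network(cfg["ip"], cfg["mask"]) for name, cfg in plan.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def check_dhcp_pool(ip, mask, start, limit):
    """Validate an OpenWrt-style pool: 'start' is a host offset from the
    network address, 'limit' the number of leases. Returns a list of problems."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    router_offset = int(iface.ip) - int(net.network_address)
    last_usable = net.num_addresses - 2          # offset num_addresses-1 is broadcast
    end = start + limit - 1
    problems = []
    if start < 1:
        problems.append("start must be >= 1 (offset 0 is the network address)")
    if end > last_usable:
        problems.append(f"pool ends at offset {end}, past last usable host {last_usable}")
    if start <= router_offset <= end:
        problems.append(f"pool hands out the router's own address {iface.ip}")
    return problems


def recommend_plan(names, base="192.168.0.0/16", prefix=24, pool=(100, 150)):
    """Give every interface its own /prefix carved from 'base' (assumed values:
    192.168/16 rather than 10/8, which the thread says ISPs and VPNs reuse)."""
    subnets = ipaddress.ip_network(base).subnets(new_prefix=prefix)
    plan = {}
    for name in names:
        net = next(subnets)
        plan[name] = {"ip": str(next(net.hosts())),   # .1 for the router
                      "mask": str(net.netmask), "dhcp": pool}
    return plan


def uci_commands(name, cfg, device):
    """Render the UCI lines for a static interface, its DHCP pool and a zone
    of its own (zone attached via the interface name, as the replies note)."""
    cmds = [
        f"uci set network.{name}=interface",
        f"uci set network.{name}.proto='static'",
        f"uci set network.{name}.ifname='{device}'",   # 19.07-series option name
        f"uci set network.{name}.ipaddr='{cfg['ip']}'",
        f"uci set network.{name}.netmask='{cfg['mask']}'",
    ]
    if cfg["dhcp"]:
        start, limit = cfg["dhcp"]
        cmds += [f"uci set dhcp.{name}=dhcp",
                 f"uci set dhcp.{name}.interface='{name}'",
                 f"uci set dhcp.{name}.start='{start}'",
                 f"uci set dhcp.{name}.limit='{limit}'"]
    cmds += ["uci add firewall zone",
             f"uci set firewall.@zone[-1].name='{name}'",
             f"uci add_list firewall.@zone[-1].network='{name}'",
             "uci set firewall.@zone[-1].input='REJECT'",
             "uci set firewall.@zone[-1].output='ACCEPT'",
             "uci set firewall.@zone[-1].forward='REJECT'"]
    return cmds


if __name__ == "__main__":
    print("overlaps in asked plan:", find_overlaps(ASKED_PLAN))
    g = ASKED_PLAN["if_Guest"]
    print("guest pool problems:", check_dhcp_pool(g["ip"], g["mask"], *g["dhcp"]))
    fixed = recommend_plan(["lan", "guest"])
    print("overlaps in fixed plan:", find_overlaps(fixed))
    print("\n".join(uci_commands("guest", fixed["guest"], "eth0.10")))
```

Running it shows the two points the replies make: the /8 and the /16 overlap, and a pool starting at offset 1 on a /16 would lease out the router's own 10.10.0.1. Commit the rendered commands with `uci commit` and restart the network and firewall services only after checking the plan reports no overlaps.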