Playground for VLAN

I have an Archer C7 with 18.06.1, r7258-5eb055306f. I know it is outdated, but it should be ok to understand VLAN better.


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '....:....:....::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.178.57'
	option gateway '192.168.178.1'
	option dns '192.168.178.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'none'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'none'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

So at the moment it is configured to connect to an AVM Fritzbox.

Now I would like to create 2 VLANs with IP addresses 192.168.111.x for the LAN of the Archer C7 and 192.168.133 for the WLAN of the C7.

I will connect the C7 with 1 cable to a Mikrotik Switch CRS326 and then do some ping tests.

Read a lot and watched YouTube tutorials. All examples look a lot more complex than what I want to do. So can you please give me some help with what I have to do?

Well as you wrote "Playground" I suggest you start playing around and learn with that.
You start off with the page above and add VLANs. Generally it would be tagged on the CPU and untagged on the physical port that your new LAN (VLAN) clients are connected to. Be reminded that a single physical port can only be untagged on one VLAN.

In regards to your IP addresses and also your WLAN assignment that is a secondary step that you would do under Interfaces where you assign the interface to the VLAN.

3 Likes

Thanks. What I don't understand is if I can keep my current configuration working or do I have to destroy it?

The Archer C7 with OpenWrt is configured in the Fritzbox net 192.168.178. and I can connect to this router via the web interface.

I want to create 2 VLANs, 1 for the WLAN of the router and 1 for the LAN. IMHO I believe I have to change the current configuration, so I cannot connect anymore from the Fritzbox-net / my PC.

I can make a scenario with a notebook and any IP address. Please tell me what you recommend.

Reconfigure the OpenWrt LAN interface to use an IP address in the 192.168.111.x network; remove the gateway and dns options.

Connect the Archer C7's WAN port to the Fritzbox. You can keep the OpenWrt WAN interface set as DHCP client, which is the OpenWrt default. Connect your notebook to one of the Archer C7's LAN ports.

Under Network->Interfaces, add an interface for the 192.168.133.y subnet. Assign the interface to the LAN firewall zone, or create a new firewall zone for it, depending on your desired policy.
Under Physical settings, make sure the bridge option is enabled, and assign the physical interface eth0.3 as a preparation for adding wired ethernet ports via the built-in switch. Do not add any wireless interface to the bridge here - this happens automatically based on the following configuration.

Go to Network->Wireless, edit the wireless interface. There, under Interface configuration -> general setup, set the network to the interface you created in the previous step, and repeat this for each wireless interface you want to move over to this subnet.

In order to add wired ethernet ports to the 192.168.133.y subnet, create VLAN 3 in the OpenWrt switch config. On the ethernet port which connects the OpenWrt device to the Mikrotik switch, any VLAN you want to extend to the switch (say VLAN1 + VLAN3) should be configured as tagged. The same tagging needs to be done on the Mikrotik switch.

With the notebook connected to OpenWrt's LAN interface, you should be able to reach any host in your network, when allowed by your firewall policy. However, NAT may still be enabled on the OpenWrt WAN interface. You can switch it off (which I would recommend), but then you have to add static routes on the Fritzbox for the 192.168.111.x and 192.168.133.y networks.

1 Like
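As an added example (not part of the original posts): a small Python check for the two rules in the replies above, one untagged VLAN per port and the CPU port tagged in every VLAN, run over a constructed `switch_vlan` layout with VLAN 3 added. It assumes switch port 5 is the cable to the Mikrotik switch and port 0 is the CPU port as in the posted config; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: switch_vlan sections of /etc/config/network after adding VLAN 3.
# Assumption: port 5 is the trunk to the Mikrotik switch, port 0 is the CPU port.
SAMPLE = """
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '5t 0t'
"""

def parse_switch_vlans(text):
    # Returns {vlan_id: {port_number: is_tagged}} for every switch_vlan section.
    vlans = {}
    for section in re.split(r"(?m)^config\s+", text)[1:]:
        header, _, body = section.partition("\n")
        if header.split()[0] != "switch_vlan":
            continue
        opts = dict(re.findall(r"option\s+(\w+)\s+'([^']*)'", body))
        ports = {int(p.rstrip("t")): p.endswith("t") for p in opts["ports"].split()}
        vlans[int(opts["vlan"])] = ports
    return vlans

def check_vlans(vlans, cpu_port=0):
    # Flags VLANs whose CPU port is missing or untagged, and ports untagged in >1 VLAN.
    problems, untagged = [], defaultdict(list)
    for vid, ports in sorted(vlans.items()):
        if ports.get(cpu_port) is not True:
            problems.append(f"VLAN {vid}: CPU port {cpu_port} missing or untagged")
        for port, tagged in ports.items():
            if not tagged:
                untagged[port].append(vid)
    for port, vids in sorted(untagged.items()):
        if len(vids) > 1:
            problems.append(f"port {port} is untagged in VLANs {vids}")
    return problems

def trunk_vlans(vlans, port):
    # VLAN IDs carried tagged on the given port (what the far switch must also tag).
    return sorted(vid for vid, ports in vlans.items() if ports.get(port) is True)
```

`trunk_vlans(..., 5)` lists the VLAN IDs that must also be configured as tagged on the Mikrotik port at the other end of the cable.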

Thanks and first I have to say, I am ill at the moment and everything happens very slowly.

Additional info:
Mikrotik RouterBOARD 4011iGS+RM (AL21400) - https://mikrotik.com/product/rb4011igs_rm will be used as Firewall
Mikrotik Switch CRS326-24G-2S+IN (98DX3236) - https://mikrotik.com/product/crs326_24g_2s_in will be used as Switch

The switch uses 192.168.88.1 by default.

So do you still recommend to use 192.168.111.x?

I wish you to get well soon.

Within a VLAN, use IP addresses out of the same subnet. Either change the switch to 192.168.111.0/24, or change the other devices in the LAN to use IPs from 192.168.88.0/24; that's your choice.

Eventually, you might want to create another VLAN where you connect all the management interfaces of network infrastructure devices such as switches, routers and access points.

1 Like

Yes, I thought to give the switch and the firewall their own net, but I want to keep it easy for the beginning.

The most important thing at the moment is, if my thoughts in Router with Wireless bridge-vlan support - #2 by mpa can be realized. I would like to have a separation of LAN and WLAN using a wireless bridge. Otherwise VLANs would make no sense.