Please help me to separate vpn and wan traffic via two different ethernet ports

I am very new to OpenWrt and networking in general.
I have set up a WireGuard VPN client on my EdgeRouter X (OpenWrt 18.06.4).
I would like to use two Ethernet ports (1, 2) for VPN traffic and the other Ethernet ports (3, 4) for general internet traffic.

At the moment I get vpn traffic on all ethernet ports.
I spent a week trying different solutions from this forum, but without any success.

NETWORK:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option dns '10.200.200.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'a8:ba:2a:0a:bf:d4'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'a8:ba:6a:0a:bf:gr'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'wg'
	option proto 'wireguard'
	option private_key '***************************************************************'
	list addresses '10.200.200.2/32'

config wireguard_wg
	option public_key '****************************************************************'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '85.40.41.16'
	option endpoint_port '51820'
	option persistent_keepalive '21'

FIREWALL:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wgzone'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'wg'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'wgzone'
	option src 'lan'

ip route:

root@OpenWrt:~# ip route list
default dev wg proto static scope link 
10.10.1.0/24 dev eth0.2 proto kernel scope link src 10.10.1.104 
85.40.41.16 via 10.10.1.1 dev eth0.2 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

Could you please help me to solve this problem!
Many thanks

Do I need to create an interface for newly created vlan?

Should I just copy and paste it into the console?

Yes, I tested it on my router using the commands on the second link.

Not blindly, of course.
Your port numbers should be adjusted to the switch configuration.

Check the switch config:

swconfig list; swconfig dev switch0 show

Then plug in the cable, check the config again and see which port becomes up.
In the general case, port IDs don't match the port numbers printed on the router.

I don’t understand some of the commands.

Can’t I just create a new VLAN, interface and firewall rules for it using LuCI? (It seems easier to do it via the web interface.)

I actually already created a new interface. When I apply firewall rules to my new VLAN/interface, my wg (WireGuard) interface drops the connection to my VPN server.

Yes, both methods should work.
Although the separate firewall zone and rules are not mandatory.

I created a new VLAN and added it to the LAN firewall zone.
My VPN interface can no longer connect to the VPN server.

I reboot after every major change to the system.

This seems to be wrong.
Before creating the new VLAN interface, my WAN interface was in that place.

Before creating the new VLAN interface:
root@OpenWrt:~# route:

Kernel IP routing table
Destination     Gateway  Genmask         Flags Metric Ref  Use Iface
default         *        0.0.0.0         U     0      0     0  wg
10.10.1.0      	*        255.255.255.0   U     0      0     0  eth0.3
85.40.41.16    10.10.1.1 255.255.255.255 UGH   0      0     0  eth0.3
192.168.1.0    	*        255.255.255.0   U     0      0     0  br-lan

root@OpenWrt:~# ip route list:

default dev wg proto static scope link 
10.10.1.0/24 dev eth0.3 proto kernel scope link src 10.10.1.128 
85.40.41.16 via 10.10.1.1 dev eth0.3 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 

And after creating the VLAN interface:

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway        Genmask       Flags Metric Ref  Use Iface
default           10.10.1.1    0.0.0.0         UG     0    0    0   eth0.3
10.10.1.0         *            255.255.255.0   U      0    0    0   eth0.3
85.40.41.16     OpenWrt.lan    255.255.255.255 UGH    0    0    0   eth0.2
192.168.1.0       *            255.255.255.0   U      0    0    0   br-lan
192.168.2.0       *            255.255.255.0   U      0    0    0   eth0.2

root@OpenWrt:~# ip route list:

default via 10.10.1.1 dev eth0.3 proto static src 10.10.1.128 
10.10.1.0/24 dev eth0.3 proto kernel scope link src 10.10.1.128 
85.40.41.16 via 192.168.2.1 dev eth0.2 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev eth0.2 proto kernel scope link src 192.168.2.1 

Let's check the settings:

uci show network; uci show firewall; \
swconfig list; swconfig dev switch0 show

root@OpenWrt:~# uci show network; uci show firewall:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.delegate='0'
network.lan.dns='10.200.200.1'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='a8:ba:2a:0a:bf:d4'
network.wan=interface
network.wan.proto='dhcp'
network.wan.delegate='0'
network.wan.peerdns='0'
network.wan.ifname='eth0.3'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='a8:ba:6a:0a:bf:gr'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='1 2 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0 6t'
network.@switch_vlan[1].vid='3'
network.wg=interface
network.wg.proto='wireguard'
network.wg.private_key='**********************************************'
network.wg.addresses='10.200.200.2/32'
network.@wireguard_wg[0]=wireguard_wg
network.@wireguard_wg[0].public_key='**********************************************'
network.@wireguard_wg[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg[0].route_allowed_ips='1'
network.@wireguard_wg[0].endpoint_host='85.40.41.16'
network.@wireguard_wg[0].endpoint_port='51820'
network.@wireguard_wg[0].persistent_keepalive='21'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].ports='3 4 6t'
network.@switch_vlan[2].vid='2'
network.lan2=interface
network.lan2.proto='static'
network.lan2.ifname='eth0.2'
network.lan2.ipaddr='192.168.2.1'
network.lan2.netmask='255.255.255.0'
network.lan2.gateway='192.168.2.1'
network.lan2.broadcast='192.168.2.255'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan lan2'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='wgzone'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='wg'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wgzone'
firewall.@forwarding[0].src='lan'

root@OpenWrt:~# swconfig dev $(swconfig list | cut -d " " -f "2") show:

Global attributes:
	enable_vlan: 1

Port 0:
	pvid: 3
	link: port:0 link:up speed:1000baseT full-duplex 
Port 1:
	pvid: 1
	link: port:1 link:up speed:1000baseT full-duplex 
Port 2:
	pvid: 1
	link: port:2 link:up speed:1000baseT full-duplex 
Port 3:
	pvid: 2
	link: port:3 link:down
Port 4:
	pvid: 2
	link: port:4 link:down
Port 5:
	pvid: 0
	link: port:5 link:down
Port 6:
	pvid: 0
	link: port:6 link:up speed:1000baseT full-duplex 
Port 7:
	pvid: 0
	link: port:7 link:down
VLAN 1:
	vid: 1
	ports: 1 2 6t 
VLAN 2:
	vid: 2
	ports: 3 4 6t 
VLAN 3:
	vid: 3
	ports: 0 6t 

uci set network.@switch_vlan[1].vid="2"
uci set network.@switch_vlan[2].vid="3"
uci commit network
service network restart

Can you explain what these commands do?

It creates VLANs with tags 2 and 3 (tag 1 is already present). The numbers in square brackets are just "indices" of a virtual array containing elements, the sections of the config.

I didn't test the situation where vlan doesn't match vid, or where vlan matches the vid from another switch_vlan section.
No idea whether that works properly or not, so either make them match or remove vid from all switch_vlan sections.
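
An added example, not part of any post in this thread: a small Python audit, meant to be run on a workstation against saved `uci show network; uci show firewall` output, that traces each switch VLAN to its ports, interface, firewall zone and permitted forward zones, and flags sections where `vlan` and `vid` differ. The embedded input is an excerpt of the output posted above; the function names and the assumption that interfaces are named `eth0.<vid>` are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the `uci show network; uci show firewall` output posted in the thread.
UCI_DUMP = """\
network.lan.ifname='eth0.1'
network.wan.ifname='eth0.3'
network.lan2.ifname='eth0.2'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='1 2 6t'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0 6t'
network.@switch_vlan[1].vid='3'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].ports='3 4 6t'
network.@switch_vlan[2].vid='2'
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan lan2'
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan wan6'
firewall.@zone[2].name='wgzone'
firewall.@zone[2].network='wg'
firewall.@forwarding[0].dest='wgzone'
firewall.@forwarding[0].src='lan'
"""

LINE = re.compile(r"^(\w+)\.([^.=]+)\.(\w+)='(.*)'$")  # single-quoted scalar options only

def parse_uci(dump):
    """Return {(config, section): {option: value}} from `uci show` lines."""
    sections = defaultdict(dict)
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m:  # section-type lines such as network.lan=interface are skipped
            config, section, option, value = m.groups()
            sections[(config, section)][option] = value
    return sections

def audit(dump):
    """Map each switch VLAN to ports, interface, zone and allowed forward zones."""
    s = parse_uci(dump)
    def of_type(cfg, kind):  # anonymous sections, e.g. @zone[0], in file order
        return [v for (c, n), v in s.items() if c == cfg and n.startswith("@" + kind)]
    iface_of = {v["ifname"]: n for (c, n), v in s.items() if c == "network" and "ifname" in v}
    zone_of = {net: z["name"] for z in of_type("firewall", "zone") for net in z.get("network", "").split()}
    fwd = defaultdict(list)
    for f in of_type("firewall", "forwarding"):
        fwd[f["src"]].append(f["dest"])
    rows, warnings = [], []
    for v in of_type("network", "switch_vlan"):
        vid = v.get("vid", v["vlan"])          # vid defaults to vlan when unset
        if vid != v["vlan"]:
            warnings.append(f"vlan {v['vlan']} carries vid {vid}")
        ports = [p for p in v["ports"].split() if not p.endswith("t")]  # drop tagged CPU port
        iface = iface_of.get(f"eth0.{vid}")    # assumption: eth0.N is tagged with VID N
        zone = zone_of.get(iface)
        rows.append({"vid": vid, "ports": ports, "iface": iface, "zone": zone, "forwards_to": fwd.get(zone, [])})
    return rows, warnings

if __name__ == "__main__":
    rows, warnings = audit(UCI_DUMP)
    for r in rows: print(r)
    print(warnings)
```

On this excerpt, ports 3 and 4 resolve to `lan2`, which sits in the `lan` zone and so has `wgzone` as its only forward destination, the same path as ports 1 and 2.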


But I created the VLANs in the switch section of LuCI.

My WireGuard VPN interface is still down.

OK, what is your question?
You can create VLANs in the GUI. See what happens to the contents of the file /etc/config/network. In your configuration, WAN is a member of the tagged VLAN 3; remember that when configuring interfaces.

Check this thread: