Question about VLANs: Tagging or Network Device?

Do you have to create an 802.1q/802.1ad VLAN device and use tagging when setting up a VLAN in OpenWrt 21.02.2? I wanted to put Ethernet port #1 on my WRT3200ACM on its own network that can only reach the internet and cannot reach my LAN (and vice versa). Instead of creating an 802.1q/802.1ad VLAN device and tagging the Ethernet ports, I created a "network device" containing only port #1 (lan1) and removed lan1 from br-lan. Everything works as expected, with firewall rules added to allow DNS and DHCP.

Did I set this up correctly? Are there any drawbacks to doing it this way instead of tagging? All the OpenWrt documentation talks about tagging, but that only seems to make sense when you want to carry multiple VLANs over one port. In my case I only want one network on that port and nothing else.

Here is what the network device I created looks like:

and the interface:

Thanks in advance

What you've shown is not sufficient to answer your question... let's see your whole config

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks, here it is:

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd39:5e68:aa7d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option vlan_filtering '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

config device
        option name 'wan'
        option macaddr '62:38:e0:xx:xx:z0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '64'
        option peerdns '0'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config interface 'vlan'
        option proto 'static'
        option ipaddr '192.168.173.1'
        option device 'lan1'
        option netmask '255.255.255.0'

config device
        option name 'lan1'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'CA'
        option cell_density '0'
        option distance '15'
        option noscan '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr '60:38:e0:xx:xx:z2'
        option ssid 'o'
        option key 'removed'
        option wpa_disable_eapol_key_retries '1'
        option encryption 'psk2+ccmp'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option band '2g'
        option country 'CA'
        option cell_density '0'
        option htmode 'HT20'
        option channel '11'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr '60:38:e0:xx:xx:z1'
        option ssid 'o'
        option key 'removed'
        option wpa_disable_eapol_key_retries '1'
        option encryption 'psk2+ccmp'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option channel '34'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'guest'
        option isolate '1'
        option wpa_disable_eapol_key_retries '1'
        option network 'guest'
        option key 'removed'
        option macaddr '60:38:e0:xx:xx:z3'
        option encryption 'psk2+ccmp'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list server '127.0.0.1#5354'
        list server '::1#5354'
        option dnsseccheckunsigned '0'
        option filterwin2k '1'
        option strictorder '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option leasetime '6h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'vlan'
        option interface 'vlan'
        option start '100'
        option limit '3'
        option leasetime '6h'
        list ra_flags 'none'

/etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option limit '500/second'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option limit '500/second'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option limit '500/second'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan5354'
        option name 'Adblock DNS (lan, 5354)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5354'
        option dest_port '5354'
        option target 'DNAT'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config redirect 'adblock_guest53'
        option name 'Adblock DNS (guest, 53)'
        option src 'guest'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_guest5354'
        option name 'Adblock DNS (guest, 5354)'
        option src 'guest'
        option proto 'tcp udp'
        option src_dport '5354'
        option dest_port '5354'
        option target 'DNAT'

config zone
        option name 'vlan'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan'
        option input 'REJECT'

config forwarding
        option src 'vlan'
        option dest 'wan'

config rule
        option name 'VLAN DNS'
        option src 'vlan'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'VLAN DHCP'
        list proto 'udp'
        option src 'vlan'
        option dest_port '67-68'
        option target 'ACCEPT'

config redirect 'adblock_vlan53'
        option name 'Adblock DNS (vlan, 53)'
        option src 'vlan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_vlan5354'
        option name 'Adblock DNS (vlan, 5354)'
        option src 'vlan'
        option proto 'tcp udp'
        option src_dport '5354'
        option dest_port '5354'
        option target 'DNAT'

If it is working, that's great. The firewall does enforce what you asked for: the `vlan` zone has `input 'REJECT'` and `forward 'REJECT'`, its only `forwarding` entry goes to `wan`, and lan1 is no longer a member of `br-lan`, so a device on lan1 can reach the internet and the router's DNS/DHCP (the two explicit rules) but nothing on the `lan` network, and `lan` cannot reach lan1. Two things worth tidying while you are in there: `vlan_filtering '1'` on `br-lan` has no `bridge-vlan` sections to go with it and looks like a leftover from the tagging attempt, and the `default_radio2` wifi-iface is an open SSID (`encryption 'none'`) attached to `lan` that is only inert because `radio2` is disabled — delete that section or add `option disabled '1'` to it, so that enabling the radio later cannot expose an unencrypted AP on your LAN. The `guest` interface uses the older `option type 'bridge'` form inside the interface section; netifd still accepts it, but in 21.02 the documented form is a separate `config device` of type `bridge`. None of these affect the lan1 isolation.

Tagging is only needed when more than one network has to share a single physical port. Tagged networks also require the downstream device to understand the tags (typically a managed switch or a VLAN-aware AP); most end devices either cannot handle tagged frames, do not expose that setting, or simply do not use tags by default — they expect plain untagged frames. Since you want exactly one network on lan1 and nothing else, giving lan1 its own untagged network is the right approach. The only real difference from a tagged VLAN is that the boundary is the physical port rather than a tag, so the isolation depends on lan1 staying out of `br-lan` rather than on a VLAN ID; calling the interface `vlan` is a little misleading for that reason, but it does no harm.


Thank you for reviewing my config. Take care.
