Routing between VLANs

Good Morning

I am new to OpenWrt, VLAN and Routing.

Can anyone help me route between these VLANs?

The routers of the VLANs have the IPs

10.1.1.1
10.2.2.1
10.3.3.1
10.4.4.1

Routing in this case is simply a function of allowing it in the firewall.

let's see your configs in text form.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

also, according to your picture, these are all .2 on this device... is this device not the primary router?


Same firewall content in both.

Post output of uci export network

Aside from the fact that you are missing Wohnung_0 from this zone, the way the zone is structured should allow inter-network routing for the 10.4.4.0/24, 10.2.2.0/24, and 10.1.1.0/24 networks (10.3.3.0/24 is Wohnung_0, which is missing from the zone).

The real issue is the routers 1-4 on the bottom of the diagram. Why are those there and can they be removed?
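The two points made above (inter-VLAN traffic is decided by the firewall zones, and one interface was left out of the zone) can be checked mechanically. The script below is an added example and not part of this thread or of OpenWrt itself: it parses the single-quoted `uci export` form of `/etc/config/network` and `/etc/config/firewall`, lists interfaces that belong to no zone, and answers "may network A forward to network B?" the way fw3/fw4 decide it (same zone with `forward ACCEPT`, or a `forwarding` section between the two zones). Only an explicit `ACCEPT` is treated as allowed; unset policies are treated as blocked, which is an assumption made for safety rather than a reproduction of the firewall's exact defaults. The embedded sample configs are constructed, trimmed copies of the ones posted in this thread, with Wohnung_03 deliberately dropped from the VLAN zone to reproduce the gap described above.

```python
import re

# `config <type> ['name']`, `option key 'value'`, `list key 'value'`
# Assumption: input is the single-quoted form produced by `uci export`.
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return a list of sections: {type, name, options{}, lists{}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2),
                             "options": {}, "lists": {}})
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            kind, key, value = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def zone_membership(fw):
    """Map each network name to the zone that lists it (list or space-separated option)."""
    member = {}
    for s in fw:
        if s["type"] != "zone":
            continue
        nets = s["options"].get("network", "").split() + s["lists"].get("network", [])
        for net in nets:
            member[net] = s["options"].get("name")
    return member


def unzoned_interfaces(net, fw):
    """Interfaces (other than loopback) that no firewall zone claims."""
    member = zone_membership(fw)
    names = [s["name"] for s in net
             if s["type"] == "interface" and s["name"] != "loopback"]
    return sorted(n for n in names if n not in member)


def forwarding_allowed(fw, src_net, dst_net):
    """True if traffic from src_net may be forwarded to dst_net.

    Same zone: the zone's own `forward` policy must be ACCEPT.
    Different zones: a `forwarding` section src->dest must exist.
    Anything in no zone is treated as blocked (conservative assumption).
    """
    member = zone_membership(fw)
    src_zone, dst_zone = member.get(src_net), member.get(dst_net)
    if src_zone is None or dst_zone is None:
        return False
    zones = {s["options"].get("name"): s for s in fw if s["type"] == "zone"}
    if src_zone == dst_zone:
        return zones[src_zone]["options"].get("forward") == "ACCEPT"
    return any(s["type"] == "forwarding"
               and s["options"].get("src") == src_zone
               and s["options"].get("dest") == dst_zone
               for s in fw)


# Constructed sample: trimmed from the configs posted in the thread.
NETWORK = """
config interface 'loopback'
        option device 'lo'
config interface 'lan'
        option device 'Switch'
config interface 'wan'
        option device 'wan'
config interface 'Wohnung_1'
        option device 'Switch.20'
config interface 'Wohnung_2'
        option device 'Switch.40'
config interface 'Wohnung_03'
        option device 'Switch.60'
config interface 'Stall'
        option device 'Switch.80'
"""

FIREWALL = """
config defaults
        option forward 'REJECT'
config zone
        option name 'lan'
        option forward 'ACCEPT'
        list network 'lan'
config zone
        option name 'wan'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wan'
config zone
        option forward 'ACCEPT'
        list network 'Stall'
        list network 'Wohnung_1'
        list network 'Wohnung_2'
        option name 'VLAN'
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option dest 'wan'
        option src 'VLAN'
"""

if __name__ == "__main__":
    net, fw = parse_uci(NETWORK), parse_uci(FIREWALL)
    print("interfaces in no zone:", unzoned_interfaces(net, fw))
    for a, b in [("Wohnung_1", "Stall"), ("Wohnung_1", "Wohnung_03"),
                 ("Wohnung_1", "lan"), ("Wohnung_1", "wan"), ("wan", "Wohnung_1")]:
        state = "allowed" if forwarding_allowed(fw, a, b) else "blocked"
        print(f"{a} -> {b}: {state}")
```

Run it against the real files with `parse_uci(open('/etc/config/network').read())` and the firewall file to get the same report for a live router; an interface that shows up as unzoned is exactly the case where two apartments sit in "the same" setup yet cannot reach each other, and a network pair that is "blocked" while sharing a zone means the zone's `forward` option is not `ACCEPT`.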

What does this mean

I see the internet connection that is at the top of the diagram and it makes sense that the internet goes through the 10.10.10.0/24 network which is where the wan of OpenWrt is connected... that makes sense.

The only place I see 192.168.168.1 is at the bottom left and I'm not sure what you mean by the first sentence above.

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fda0:27fa:490e::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.120.1'
        option device 'Switch'

config device
        option name 'wan'
        option macaddr '70:8B:CD:c3:51:01'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'static'
        option ipaddr '10.10.10.11'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'Switch'
        list ports 'eth0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'Switch'
        option vlan '20'
        list ports 'eth0:t'
        list ports 'lan1'

config bridge-vlan
        option device 'Switch'
        option vlan '40'
        list ports 'eth0:t'
        list ports 'lan2'

config bridge-vlan
        option device 'Switch'
        option vlan '60'
        list ports 'eth0:t'
        list ports 'lan3'

config bridge-vlan
        option device 'Switch'
        option vlan '80'
        list ports 'eth0:t'
        list ports 'lan4'

config interface 'Wohnung_1'
        option proto 'static'
        option device 'Switch.20'
        option ipaddr '10.1.1.2'
        option netmask '255.255.255.0'

config interface 'Wohnung_2'
        option proto 'static'
        option device 'Switch.40'
        option ipaddr '10.2.2.2'
        option netmask '255.255.255.0'

config interface 'Wohnung_03'
        option proto 'static'
        option device 'Switch.60'
        option ipaddr '10.3.3.2'
        option netmask '255.255.255.0'

config interface 'Stall'
        option proto 'static'
        option device 'Switch.80'
        option ipaddr '10.4.4.2'
        option netmask '255.255.255.0'

Firewall


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Stall'
        list network 'Wohnung_03'
        list network 'Wohnung_1'
        list network 'Wohnung_2'
        option name 'VLAN'

config forwarding
        option src 'wan'
        option dest 'lan'

config forwarding
        option dest 'wan'
        option src 'VLAN'

Can we start from the beginning?

Why? Nothing of substance changed. My questions from above still should be answered in order to move forward.

The routers are there because of the use of mesh and for better separation.

This looks like a DSA device (since we don't know the make/model/version) and the way you have tried to configure VLANs on DSA is all wrong. It likely would be best to start over at the beginning.

Device is Asus RT-AC68U

The way you have things configured seems the opposite of mesh... mesh would be multiple APs on a single subnet, and they would be using wireless backhaul. This appears to be 4 independent networks that are wired to the main OpenWrt router.

If you're just aiming for wireless coverage, you should be doing this all on a single subnet, and then using each of the other routers as dumb APs.

Can you explain your goals here? Why do you have 4 networks? Why are they going into another NAT layer (in routers 1-4)?

I have 4 apartments and I want to separate those networks and to see which device is where.

And what is your goal with respect to inter-apartment traffic? Block? Allow? Something more granular?

Allow inter-apartment traffic

Ok. So the routers in the apartments would be best configured as dumb APs. Is there a reason you don't want that?

Because I have different routers and models with their own software, and when one router dies or I replace it, I don't want to flash OpenWrt to a new router.