Routing Between Zones

Hi all,

I'm trying to separate my (large) network into VLANs but I'm not able to reach nodes in one subnet/zone from another, despite configuring it (obviously incorrectly, more below).

I have a switch, with VLANs configured as a mix of trunk and access ports, and I'm trying to configure OpenWRT as a router-on-a-stick. Here's the architecture:

The WiFi AP is VLAN aware. Whether I'm connected to WiFi or an ethernet port on the switch, I can reach nodes within the same subnet, without issues. I'm quite confident that my issue lies in the OpenWRT config.

OpenWRT handles DHCP for all VLANs except VLAN 20 - My ISP router handles that subnet. It's not VLAN aware, so the switch handles the VLAN tagging.

I have configured:

  • Interfaces for each VLAN, on eth0 as eth0.x
  • One firewall zone per VLAN and applied each vlan interface to the corresponding zone.
  • Configured which zones to forward traffic to (initially, I'm just focusing on traffic from Management to all other zones)

Here's some uci output that hopefully has some errors someone can see:

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1d:49d2:cc4a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '30'
        option name 'eth0.30'
        option ipv6 '0'

config interface 'Management'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '10'
        option name 'eth0.10'
        option ipv6 '0'

config interface 'IoT'
        option proto 'static'
        option device 'eth0.10'
        option ipaddr '192.168.1.254'
        option netmask '255.255.255.0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '40'
        option name 'eth0.40'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '50'
        option name 'eth0.50'
        option ipv6 '0'

config interface 'TWO'
        option proto 'static'
        option device 'eth1'
        option ipaddr '10.254.0.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        option defaultroute '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '20'
        option name 'eth0.20'
        option ipv6 '0'

config interface 'Media'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

Firewall

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'
        list interface 'IoT'
        list interface 'Management'
        list interface 'TWO'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'CATCH'
        option interface 'CATCH'
        option start '101'
        option limit '150'
        option leasetime '10m'

config dhcp 'Management'
        option interface 'Management'
        option start '10'
        option limit '90'
        option leasetime '2'
        list dhcp_option '6,1.1.1.1'

config dhcp 'IoT'
        option interface 'IoT'
        option start '100'
        option limit '100'
        option leasetime '2'

config dhcp 'TWO'
        option interface 'TWO'
        option start '20'
        option limit '10'
        option leasetime '2m'

config dhcp 'Media'
        option interface 'Media'
        option start '100'
        option limit '150'
        option leasetime '2m'
        list dhcp_option '6,1.1.1.1'
        option ignore '1'

Any help would be appreciated.

Forwarding only goes one way, so to have bidirectional traffic, e.g. between lan and iot, you have to make two rules:
/etc/config/firewall

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'iot'
	option dest 'lan'

Just general advice, as I am not in the matrix so have difficulty reading your uci output :wink:

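The one-way forwarding point above, as an added example that is not code from anyone in this thread: a small POSIX shell audit that parses `uci show firewall` output and reports which zone pairs forward in one direction only, and which forwardings reference a zone that was never defined. The sample lines are constructed to match the zone names in the first post.

```shell
#!/bin/sh
# Added example, not the thread author's config: audit `uci show firewall`
# output for one-way forwardings. OpenWrt forwardings are directional, so
# Management->IoT alone never lets IoT hosts open a connection to Management
# (conntrack still allows replies to Management-initiated flows).
# Reads `uci show firewall` on stdin; prints BIDIR / ONEWAY / BROKEN per forwarding.
audit_forwardings() {
    awk -F= '
    {
        key = $1; val = $2; gsub(/'\''/, "", val)   # strip the quotes uci prints
        if (split(key, p, ".") != 3) next            # firewall.<section>.<option>
        if (p[2] ~ /^@zone/ && p[3] == "name")       zone[val] = 1
        if (p[2] ~ /^@forwarding/ && p[3] == "src")  src[p[2]] = val
        if (p[2] ~ /^@forwarding/ && p[3] == "dest") dst[p[2]] = val
    }
    END {
        for (i in src) pair[src[i] "->" dst[i]] = 1
        for (i in src) {
            s = src[i]; d = dst[i]
            if (!(s in zone) || !(d in zone)) { print "BROKEN " s " -> " d " (undefined zone)"; continue }
            if ((d "->" s) in pair) print "BIDIR " s " <-> " d
            else                    print "ONEWAY " s " -> " d
        }
    }' | sort
}

# Constructed sample mirroring the zone names in the first post; TWO is an
# interface there but has no zone, so forwarding to it is flagged BROKEN.
SAMPLE_UCI=$(cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='Management'
firewall.@zone[1]=zone
firewall.@zone[1].name='IoT'
firewall.@zone[2]=zone
firewall.@zone[2].name='Media'
firewall.@forwarding[0].src='Management'
firewall.@forwarding[0].dest='IoT'
firewall.@forwarding[1].src='IoT'
firewall.@forwarding[1].dest='Management'
firewall.@forwarding[2].src='Management'
firewall.@forwarding[2].dest='Media'
firewall.@forwarding[3].src='Media'
firewall.@forwarding[3].dest='TWO'
EOF
)

# On a live router: uci show firewall | audit_forwardings
printf '%s\n' "$SAMPLE_UCI" | audit_forwardings
```

A ONEWAY line is only a problem if that zone is meant to initiate traffic the other way; a BROKEN line means the forwarding is dead until the missing zone is created.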

Would you mind posting* your /etc/config/network and /etc/config/firewall configs in another reply within code blocks (preformatted text)?


It will be far more parsable for those of us with aging eyeballs :wink:

*Feel free to remove any sensitive bits before posting.


Yes, the file contents are much more human readable!

I've updated the first post with them both.

:smiley:

I don't need/want two way - I just need to start with

`Management` -> `IoT` 

and

`Management` -> `Media`

It looks like the OpenWRT router is just a dumb AP getting all its VLANs from the main router

So the firewall rules should be set on the main router; the OpenWRT router looks like it's only forwarding the VLANs.


@technononsense Sorry for the more primitive sounding questions for a moment, but I'm trying to get a better understanding of your desires here.

Is there a compelling reason for keeping your ISP router at the top of the food chain, so to speak? Why not put it behind your OpenWrt router and just set it in a bridge (non-NAT) mode? Is your ISP router providing some sort of video delivery stream to set-top boxes over VLAN 20?

FWIW, I run four VLANs, three of which are known to my switches and APs. But I have a topology that looks like:

Internet (FTTH) 
       | 
Media Converter
       |
OpenWrt x86 Router/Firewall
       |
Core Switch (running OpenWrt)
  |                       |
Access Switches     3x APs running OpenWrt
(several 802.1Q      (Trunking three VLANs into
capable)             each AP. One SSID per VLAN)

So any device that connects to the core switch, access switches, or WAP can be segregated into the correct VLAN, be it "LAN", Guest, or IoT.

Basically, the ISP router is terrible for features, but has the best line-speed and a rock-solid connection.

It's a VDSL modem/router/firewall/switch that doesn't have a bridge or modem only mode. It handles the PPPoE connection and NAT. I previously had another modem/router flashed with OpenWRT (a BT HomeHub 5) but the performance was poor - about a 20% loss on a 60mb connection.

So the current strategy is to use the ISP's router, and mostly leave it default. I work from home, so need to know that I always have their kit connected and have support when I need it from them. However, as my network has grown (50-100 devices), the ISP router can't cope. So the current plan is to have a second router, and hang my other networks from that.

Since I stopped using the HomeHub5, my setup has been: ISP router -> OpenWrt -> Switch -> APs/devices.

I wasn't VLANing, I just used a single network. Now I want separation of devices and control over their network access.

No, it's the other way around:

The OpenWRT router has a single physical interface that's VLAN aware:

  • eth0.10
  • eth0.20
  • eth0.30

The switch is vlan aware, and trunks these three VLANs to OpenWRT.

The ISP router has a single interface connected to the switch. The switch port is configured as an access port. The ISP router has no VLAN capability and is unaware that it's connected to a VLAN capable switch. It just sees the devices on VLAN20 via its single physical port and serves them addresses via DHCP.

Interesting, maybe you should then look at the switch

I am not sure but I have a feeling you cannot do it on the router the way you have setup with only vlan devices and no bridges, but I could be wrong

I have :smiley:

There is connectivity between all devices on the same VLAN:

  • Management nodes can reach management nodes,
  • IoT nodes can reach IoT nodes,
  • Media nodes can reach Media nodes, and because the ISP router is serving their addresses and gateway, they can get to the internet.

This is true whether nodes are directly connected to the switch via ethernet, or connected to a specific SSID on the AP (each SSID is VLAN tagged by the AP and forwarded to the switch over an ethernet trunk to the switch).

Yes I understand that but see my previous (corrected) answer

I intend to catch up on this thread more later when I have more time. I posted this in another thread recently and wonder if it (namely the graphic I posted from my FW config) might help give any clues here, given my topology I previously posted above: