Rpi4 + OpenWrt .. please validate my working setup

Ok, I'm hoping some of you can tell me if things are correct with my setup. My ISP in Canada (Bell) has some specific VLAN requirements for it's FibreOp internet/IPTV service:

Internet VLAN 35

I have the following hardware setup:

RPI4B 8GB with two USB ethernet adapters.

eth0 = my bell WAN connection
eth1 = managed switch that has a few STB's connected to it with a proper VLAN tagging setup
eth2 = unmanaged switch

I created a single bridge (br0) with all ports included (eth0, eth1, eth2) and setup VLAN filtering on that bridge:

Then I setup my interfaces as seen here (and created a new firewall zone called IPTV)

Everything works great. However, on most out of the box setups I've seen with openwrt, there's been two bridges - br-lan and br-wan ... Are there any implications I should be aware of in having just the single bridge that includes both wan and lan ports? Should I have done this setup another way? Is there a benefit to having two bridges that divide the wan and lan ports?

Thanks in advance for your feedback!

It doesn't matter in your case. Your Pi was never designed as a router with predefined WAN and LAN interfaces, and you have three physical separate interfaces you're bridging. The VLANs are tagged, so traffic is separated unless you explicitly set up forwarding between the firewall zones all those bridges are part of. I assume your IPTV bridge interface has a separate zone, just like LAN and WAN. The colour in the web UI at least indicates that is the case.

yes, I did create a firewall zone specifically for IPTV. Thanks for you review, this is the kind of feedback I was looking for.

I think voip is on vlan34. IPTV is vlans 36-39.

I do not understand concept. 'Logical' approach is to create VLANs for interfaces eth0 etc., and AFTER THAT combine specific interfaces in bridge.

Bell Aliant in Atlantic Canada is a bit different vs Ontario

1 Like

Well it seems like there are two ways to reach the same goal, either vlan filtering like I have, or how you describe

What's the reason for eth0 being a tagged member of VLAN 1?
Wouldn't it be simpler to set up VLAN 35 the same as 34 and only have eth1 and eth2 as members of VLAN 1?
Which is assuming you don't have an empty port on your managed switch left and can't simply connect your unmanaged switch to it instead of the RPi.

I might be missing something but don't you bypass the firewall by bridging your WAN and LAN ports?
So, on second thought, please disregard what I wrote about setting up VLAN 35 the same as VLAN 34!
The question about eth0 being a tagged member of VLAN 1 remains though.

@Borromini pointed out my error tagging vlan 1 .. I've since removed that. I believe where WAN and LAN are in different zones, even though they are bridged, the firewall still dictates traffic between the two?

I see, I re-read Borromini's post and the tags belonging to a certain zone is what I might have been missing.
Personally, I'd still be more comfortable with my WAN port not being tagged in the same VLAN as my LAN ports so as to not open myself up to mistakes somewhere down the line.
As you already removed the tagging anyway all is well.

@Borromini @ulmwind @CakeConnoisseur

I've reworked things and I think it's laid out much better now. I'm not using any VLAN filtering.

I've created the required VLAN virtual devices needed for each port and then bridged them accordingly to make the connections. Everything is working perfectly and no more WAN+LAN ports all in the same bridge :slight_smile: (I did put eth0 by itself in a br-wan bridge just to have a nicer label on the interface vs eth0)

Thanks everyone for your feedback.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.