RT-AC56U br-lan vlans not functioning as expected


Hi!

I'd like to set up my Asus RT-AC56U with the standard 24.10.0 build so that each LAN port operates on a separate VLAN (WAN is unused/disabled). I think the device should support DSA but haven't confirmed.

  • VLAN 10 - Management - interface static address 192.168.1.1/24 - local access only
  • VLAN 20 - Trusted - interface static address 192.168.2.1/24 - outbound access to WAN, and outbound to IOT VLAN.
  • VLAN 30 - IOT - interface static address 192.168.3.1/24 - outbound access to WAN only
  • VLAN 40 - Guest - interface static address 192.168.4.1/24 - outbound access to WAN only

I created these VLAN devices on br-lan per #3 here: https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial, and set up the interfaces with static IPs and with DHCP servers. I added some basic firewall rules but am having the following issues:

  • PC connected to lan1 can ping all four static addresses without firewall rules allowing outbound access
  • PC connected to lan2-4 does not receive an IP address from the DHCP server
  • PC connected to lan2-4, when configured with a static IP, still cannot ping the router's interface static IP address
    The fact that lan2-4 don't behave the same as lan1 makes me think the VLAN configuration is doing something, but not working correctly.

I tried disabling IPv6 everywhere I could find it, since I read this causes issues with some devices. I also tried adding to the DHCP server config.

Here's my network config:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config device
	option name 'wan'
	option macaddr '<redacted>'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan4:u*'

config interface 'Trusted'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'Guest'
	option proto 'static'
	option device 'br-lan.40'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

And DHCP config:


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Trusted'
	option interface 'Trusted'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Can you please help advise what may be the issue? Thanks in advance!

in the meantime, welcome to the OpenWrt community

to complete everything you can also post the firewall configuration ...

cat /etc/config/firewall

since I assume you will have created zones for the "guest" and "iot" network but without the configuration I can't be sure

and maybe you also created a "management" zone that could be merged with the "trusted" zone, but without seeing the firewall configuration it's just my guess

WARNING do not make any changes at this time

a video explanation create zone guest:

WARNING do not make any changes at this time

a video explanation on this point if you have changed the configuration:


Just to understand your intentions do you have:
many routers or only one router

many routers:
wan (internet) <--> main router <--> dumb AP <-->
pc1 on vlan 10,
pc2 on vlan20,
etc

or

single router:
wan (internet) <--> main router <-->
pc1 on vlan 10,
pc2 on vlan20,
etc

PS: a general tip: if you plan to create a network with a main router and one or more access points (dumb APs) that will then distribute the traffic, you will need to configure some "trunk" ports. You're already at a great point if that's what you want to do ...

example:

main router (trunk port lan4) <--> dumb AP (trunk port lan5)

on main router vlan10 + vlan20 + vlan30 (the ones defined on my router are different so I have darkened them in the images so as not to confuse you)

on dumb AP vlan10 + vlan20 + vlan30 (the ones defined on my router are different so I have darkened them in the images so as not to confuse you)

main router:

vlan 10 - ip=192.168.1.1 netmask=255.255.255.0 management/trusted
vlan 20 - ip=192.168.3.1 netmask=255.255.255.0 iot
vlan 30 - ip=192.168.4.1 netmask=255.255.255.0 guest

dumb AP:

vlan 10 ip=192.168.1.2 netmask=255.255.255.0 gateway=192.168.1.1
vlan 20 proto none
vlan 30 proto none


yes

long explanation and warning:

WARNING please do not install the swconfig package

you just need to check if you have "swconfig" among the installed packages: if the answer is yes then you don't have DSA, if the answer is no then it is DSA

on my DSA router this command gives a null output

opkg list-installed | grep "swconfig"

and I can't find the "swconfig" package installed on the "24.10.0" version, so it's DSA (so it's certain that you have DSA)

Thanks for the welcome and the thoughtful reply! Here's my firewall config. I basically copied the original lan config to my other zones just to get started. I thought DHCP on other lan ports shouldn't be related to firewall rules. I'm currently using another main router so this is all offline until I test it and get it working.


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'trusted'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Trusted'
	list network 'wan'
	option family 'ipv4'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option family 'ipv4'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'
	option family 'ipv4'

config forwarding
	option src 'trusted'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

I'll check out those videos a little later. For now, to answer your question:
I have a few old routers that I plan to use as dumb APs/switches for each VLAN. Some support OpenWRT or DD-WRT, but some do not, so I can't run trunks to all of them. I could do a double NAT with them (Steve Gibson's three-router config) but am trying to avoid that.

I saw this command on the forums/wiki to try to identify if DSA is supported:
grep -sq DEVTYPE=dsa /sys/class/net/*/uevent
If your opkg command is more reliable, maybe we should update the wiki here? https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial

here are the rules you need to make sure that clients in each zone receive an IP address and can make DNS requests to the router

delete these lines:

config zone
	option name 'trusted'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Trusted'
	# list network 'wan'  <-- delete this line
	# option family 'ipv4'  <-- delete this line

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	# option family 'ipv4'  <-- delete this line

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'
	# option family 'ipv4'  <-- delete this line

add these lines:

config rule 'trusted_dns_dhcp'
        option name 'Allow-dns-dhcp-Trusted'
        option src 'trusted'
        option dest_port '53 67'
        option family 'ipv4'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule 'guest_dns_dhcp'
        option name 'Allow-dns-dhcp-Guest'
        option src 'guest'
        option dest_port '53 67'
        option family 'ipv4'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule 'iot_dns_dhcp'
        option name 'Allow-dns-dhcp-Iot'
        option src 'iot'
        option dest_port '53 67'
        option family 'ipv4'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config forwarding
	option src 'trusted'
	option dest 'iot'

and restart firewall /etc/init.d/firewall restart

It is definitely better than searching for the installed package; on my router, which is already in DSA, this gives the output:

if grep -sq DEVTYPE=dsa /sys/class/net/*/uevent; then
  echo "You have DSA"
fi
You have DSA
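As an added example (not from this thread or from any OpenWrt project code), a small Python lint for the two firewall problems discussed above: a LAN-side zone with input REJECT but no rule admitting DHCP (udp/67) and DNS (53) from it, and a zone that lists 'wan' beside a LAN network, so that any forwarding from that zone also applies to traffic arriving on wan. The UCI parser, the function names and the sample excerpt are constructed here; fw4's default rule proto of tcpudp and the thread's default input policy of REJECT are assumed.

```python
import re

def parse_uci(text):
    """Parse UCI text (config/option/list lines) into [(type, {key: [values]}), ...]."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line.split('#', 1)[0])
        if m and m.group(1) == 'config':
            sections.append((m.group(2), {}))
        elif m:
            sections[-1][1].setdefault(m.group(2), []).append(m.group(3))
    return sections

def _admits_dhcp_dns(rule, zone):
    """True for an input rule (no dest) from `zone` that accepts UDP to ports 67 and 53."""
    if rule.get('src') != [zone] or 'dest' in rule or rule.get('target') != ['ACCEPT']:
        return False
    protos = {p.lower() for p in rule.get('proto', ['tcpudp'])}  # fw4's default proto (assumed)
    ports = set(' '.join(rule.get('dest_port', [])).split())
    return bool(protos & {'udp', 'tcpudp', 'all'}) and {'53', '67'} <= ports

def lint_firewall(text):
    """Return one finding per problem in the LAN-side zones; an empty list means clean."""
    secs = parse_uci(text)
    findings = []
    for kind, z in secs:
        name, nets = z.get('name', [''])[0], z.get('network', [])
        if kind != 'zone' or name == 'wan':
            continue
        if 'wan' in nets and len(nets) > 1:
            findings.append(f"zone {name}: lists 'wan' next to {nets}, so forwardings from it also apply to wan")
        policy = z.get('input', ['REJECT'])[0]  # REJECT matches this thread's 'config defaults'
        if policy != 'ACCEPT' and not any(_admits_dhcp_dns(r, name) for t, r in secs if t == 'rule'):
            findings.append(f"zone {name}: input {policy} and no rule admits udp 67/53 from it; DHCP/DNS refused")
    return findings

# Constructed excerpt in the thread's config shape: the 'trusted' zone as first posted, then fixed.
BEFORE = """
config zone
    option name 'trusted'
    option input 'REJECT'
    list network 'Trusted'
    list network 'wan'
"""
AFTER = BEFORE.replace("    list network 'wan'\n", "") + """
config rule 'trusted_dns_dhcp'
    option src 'trusted'
    option dest_port '53 67'
    option target 'ACCEPT'
    list proto 'udp'
"""
```

Running `lint_firewall(BEFORE)` reports both problems for the trusted zone, while `lint_firewall(AFTER)` returns an empty list.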

This worked perfectly, thank you! I'm happy to make some good use of this old router.

My goal with the 'lan' / 'management' VLAN is to create an isolated/"out of band" management interface, like I've seen on some Cisco switches, so I set all firewall rules to 'REJECT' for the 'lan' zone and that seems to work too. I'm not sure if this actually hardens things at all, but it doesn't seem to hurt.
