RT-AC68U (19.07.6) VLANs

Hello all,

I am trying to configure some VLANs on this RT-AC68U with 19.07.6 installed. Hoping someone can help.

I have created everything with Luci.

All the VLANs are issuing IPs; they just don't have internet access. Below are the configs:

NETWORK


# Network configuration as posted by the thread author (OpenWrt 19.07.6,
# switch VLANs defined with 'config switch_vlan' stanzas on switch0).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdaa:8d3e:f9db::/48'

# Main LAN bridge on VLAN 1 (eth0.1).
# NOTE(review): tap0 and tap-server are bridged into 'lan', so anything attached
# through those tap devices shares the layer-2 segment with the wired LAN —
# confirm that is intended.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.1 tap0 tap-server'

# WAN uplink on VLAN 2 (eth0.2), addressed by DHCP.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option metric '1'

# Sets the MAC address used on eth0.2.
config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '78:24:AF:7d:03:e9'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: ports 1-4 untagged, port 5 tagged (presumably the CPU port — verify
# against the board's port map).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5t 1 2 3 4'

# VLAN 2: port 0 untagged plus port 5 tagged; used by 'wan' via eth0.2.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5t 0'

config interface 'VPN'
	option proto 'none'
	option ifname 'tun0'
	option auto '0'

config interface 'VPNS'
	option proto 'none'
	option ifname 'tun-server'
	option auto '0'

config interface 'TAP'
	option proto 'none'
	option ifname 'tap0'
	option auto '1'

config interface 'TAPS'
	option proto 'none'
	option ifname 'tap-server'
	option auto '0'

# No ifname is given for wwan/wwan6 in this file.
config interface 'wwan'
	option proto 'dhcp'
	option metric '2'

config interface 'wwan6'
	option proto 'dhcpv6'

# VLAN 20 is tagged on ports 1-4 and on port 5.
# NOTE(review): VLANs 20, 30 and 50 are all tagged on every one of ports 1-4, so
# each of those ports is effectively a trunk: any device plugged in there that
# sends 802.1Q-tagged frames can place itself in any of these VLANs. Restrict
# each VLAN to the ports that actually need it if the VLANs are meant to
# separate devices.
config switch_vlan
	option device 'switch0'
	option vlan '20'
	option ports '5t 1t 2t 3t 4t'

# Router-side interface for VLAN 20.
config interface 'TpLinkAP'
	option proto 'static'
	option netmask '255.255.255.0'
	# 10.10.20.0 with a /24 mask is the network address, not a usable host
	# address (a reply in this thread recommends 10.10.20.1).
	option ipaddr '10.10.20.0'
	# 192.168.2.1 lies outside 10.10.20.0/24; the same reply recommends
	# removing this gateway.
	option gateway '192.168.2.1'
	# Per a later reply in this thread, DNS entries in the interface stanza are
	# not what DHCP clients receive; advertising resolvers is done via DHCP.
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option ifname 'eth0.20'

# VLAN 30: same tagged-on-all-ports layout as VLAN 20.
config switch_vlan
	option device 'switch0'
	option ports '5t 1t 2t 3t 4t'
	option vlan '30'

# VLAN 50: same tagged-on-all-ports layout as VLAN 20.
config switch_vlan
	option device 'switch0'
	option ports '5t 1t 2t 3t 4t'
	option vlan '50'

# Router-side interface for VLAN 50; ipaddr is again the .0 network address.
config interface 'SmartDevices'
	option ifname 'eth0.50'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.10.50.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# Router-side interface for VLAN 30; ipaddr is again the .0 network address.
config interface 'CCTV'
	option ifname 'eth0.30'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.10.30.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# wan1/wan2 reference devices named 'wan1' and 'wan2'; nothing else in this
# file defines them.
config interface 'wan1'
	option proto 'dhcp'
	option metric '10'
	option ifname 'wan1'

config interface 'wan2'
	option proto 'dhcp'
	option metric '20'
	option ifname 'wan2'

# WireGuard interfaces: not brought up automatically (auto '0'), with an empty
# address list and no key or peer settings in this listing.
config interface 'wg0'
	option proto 'wireguard'
	option auto '0'
	list addresses ''

config interface 'wg1'
	option proto 'wireguard'
	option auto '0'
	list addresses ''

Firewall


# Firewall configuration as posted by the thread author.
# NOTE(review): the default input policy is ACCEPT; confirm every interface is
# assigned to a zone so that no interface falls back to this permissive default.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# NOTE(review): CCTV, SmartDevices, TpLinkAP and lan all belong to this one
# zone, and the zone's forward policy is ACCEPT. Traffic between those networks
# is therefore forwarded without restriction, and all of them may reach the
# router itself (input ACCEPT). The VLANs give separate subnets but no
# firewall isolation; if cameras or smart devices should not reach the main
# LAN, each network needs its own zone with a stricter policy.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'CCTV'
	list network 'SmartDevices'
	list network 'TpLinkAP'
	list network 'lan'

# WAN-side zone: input and forward rejected, masquerading enabled.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'wan1'
	list network 'wan2'

# Lets everything in the 'lan' zone (including the three VLAN networks) out to
# the 'wan' zone.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below accept specific traffic arriving from the 'wan' zone.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accepts IPv4 echo requests from the 'wan' zone to the router.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from 'wan' to any zone (dest '*'), rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the next two rules forward ESP and UDP/500 from 'wan' into the
# 'lan' zone. Because that zone also lists CCTV, SmartDevices and TpLinkAP,
# the rules cover those networks too; drop them if no host behind the router
# terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Pulls in additional rules from /etc/firewall.user; that file's contents are
# not shown in this thread, so the effective ruleset may differ from what is
# listed here.
config include
	option path '/etc/firewall.user'

# Zone for the 'VPN' network (tun0): input and forward rejected, masquerading on.
config zone 'vpnzone'
	option name 'VPN'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPN'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding 'vpnforward'
	option dest 'VPN'
	option src 'lan'

# Zone for the 'VPNS' network (tun-server).
# NOTE(review): input is ACCEPT here, so peers on tun-server can reach services
# on the router itself — confirm that is intended.
config zone 'vpnzones'
	option name 'VPNS'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'VPNS'
	option input 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config forwarding 'vpnforwards'
	option dest 'VPNS'
	option src 'lan'

# Zone for wg0 and wg1.
# NOTE(review): input and forward are both ACCEPT, the most permissive setting
# of any zone in this file; no 'config forwarding' stanza referencing 'wg' is
# shown. Tighten these before bringing the WireGuard interfaces up unless
# peers are fully trusted.
config zone 'wgzone'
	option name 'wg'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0 wg1'
	option input 'ACCEPT'
	option masq '1'
	option mtu_fix '1'


The IP address is wrong here (and in all of your VLANs). Make it 10.10.20.1 (.0 refers to the network, but is not a valid host address). Also remove the gateway. Similar for your other networks.

Just changed everything and rebooted.

Still can't get internet on anything other than an actual computer. Streaming devices, switches and phones all don't have internet, but connected computers do get internet.

Did you force all of the devices to renew their DHCP leases? What do those devices have for their IP, subnet mask, gateway, and dns settings?

I did not, but I will and see if it works. I also noticed that the DNS settings aren't taking effect either.

DNS entries in the network interface stanza won’t make a difference for the clients. If you want to advertise those DNS servers to clients, you do that via DHCP. Or, if you want to use the router as the DNS server but with a custom upstream resolver, that is set on the wan interface.

Given that you're on an EOLed release and are doing quite invasive configuration changes, consider upgrading to a supported version (21.02.x or the current -rc5 of 22.03~) first. While that won't really make anything easier, it saves you from having to do it again in the near future.


Ah I see, I will change it there. Still no internet connection after forcing a renew.

I thought this as well but the dsa method looks more confusing

Was definitely a DHCP thing, after I waited 12hr everything is working fine.

One question though how do I make each vlan use a different DNS. Say vlan20 use 1.1.1.1 and vlan50 use 8.8.8.8?

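Set option 6 in the DHCP server settings of each interface. That allows the DHCP server to advertise a desired DNS server, for example `6,1.1.1.1,1.0.0.1` in the DHCP-Options field of one VLAN's interface and `6,8.8.8.8,8.8.4.4` in another's. Note that this only advertises a resolver: a device can still be set to use a different one unless firewall rules restrict where DNS traffic may go.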

I am sorry for my amateur-ness with openwrt but I can't figure the DNS per vlan part out.

My option 6 under DHCP general shows:

example.org/10.1.2.3

So here would I put:

10.10.20.1/24/1.1.1.1,1.0.0.1
10.10.50.1/25/8.8.8.8,8.8.4.4

Got 21.02 on the AC68U now, looks like the VLAN process is pretty different now