Hi folks
I'm trying to learn now to use VLANs to segregate my network, but can't seem to get the VLAN and DHCP options to work as I expect.
I have a BT HomeHub 5a running LEDE r3716-cd0f990. I want to have three separate VLANs with three separate subnets, firewalled appropriately (but that's for a later step).
LAN 1 (switch port 4) - Admin LAN 172.24.1.0/24 - VLAN 1
LAN 2 (switch port 2) - Family LAN 172.24.10.0/24 - VLAN 3
LAN 3 (switch port 0) - Guest LAN 172.24.20.0/24 - VLAN 4
LAN 4 (switch port 1) - unused for now.
WAN (switch port 5) - to my ISP
So having read the config docs, I set up:
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd9a:a11c:0075::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option xfer_mode 'ptm'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '172.24.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'family'
option type 'bridge'
option ifname 'eth0.3'
option proto 'static'
option ipaddr '172.24.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'guests'
option type 'bridge'
option ifname 'eth0.4'
option proto 'static'
option ipaddr '172.24.20.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_dev'
option name 'eth0.1'
option macaddr '84:a4:23:0a:5b:02'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option ipv6 'auto'
config device 'wan_dev'
option name 'ptm0'
option macaddr '84:a4:23:0a:5b:03'
config interface 'wan6'
option ifname 'pppoe-wan'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 6t'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '2 6t'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0 6t'
config device 'eth0_3'
option type '8021q'
option name 'eth0.3'
option ifname 'eth0'
option vid '3'
config device 'eth0_4'
option type '8021q'
option name 'eth0.4'
option ifname 'eth0'
option vid '4'
/etc/config/dhcp
config dnsmasq 'admin'
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
list interface 'lan'
config dnsmasq 'family'
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/family/'
option domain 'family'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.family'
option resolvfile '/tmp/resolv.conf.family'
option strictorder '1'
option nonwildcard '1'
list interface 'family'
list notinterface 'lo'
config dnsmasq 'guests'
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/guests/'
option domain 'guests'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.guests'
option resolvfile '/tmp/resolv.conf.guests'
option strictorder '1'
option nonwildcard '1'
list interface 'guests'
list notinterface 'lo'
config dhcp 'lan'
option instance 'admin'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'family'
option instance 'family'
option interface 'family'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'guests'
option instance 'guests'
option interface 'guests'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
/etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name family
list network 'family'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name guests
list network 'guests'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
config forwarding
option src family
option dest wan
config forwarding
option src guests
option dest wan
# We need to accept udp packets on port 53,
# to enable DNS to work
config rule
option name Allow-DNS-family
option src family
option proto 'tcp udp'
option dest_port 53
option target ACCEPT
config rule
option name Allow-DNS-guest
option src guest
option proto 'tcp udp'
option dest_port 53
option target ACCEPT
# We need to accept udp packets on port 67-68,
# to enable DHCP to work
config rule
option name Allow-DHCP-family
option src family
option proto udp
option src_port 67-68
option dest_port 67-68
option target ACCEPT
config rule
option name Allow-DHCP-guests
option src guests
option proto udp
option src_port 67-68
option dest_port 67-68
option target ACCEPT
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
# allow IPsec/ESP and ISAKMP passthrough
config rule
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
Plugging a device in to LAN 1 gets a DHCP address in the expected range.
Plugging into ports 2 and 3 I get no allocation, and end up with a self-assigned address?!
I realise I could have mucked this up in several ways:
- Incorrect VLAN definition / interface allocation / subnet definition against those interfaces
- Improper DHCP config to allocate new addresses inside those subnets
- Failing firewall rules blocking the DHCP traffic from getting where it needs to go.
So rather than flail around in the dark, I thought I'd ask for help in spotting what I've missed or failed to understand.
Any help gratefully received.
Cheers
Mike