I have an interface called "GUEST" (br-guest) I created for the guest wireless. It is set up on its own IP range and in its own firewall zone. Can I simply go into the "Switch" tab and set up port 4 to use this interface?
I'm not quite clear on the settings needed to use my newly created VLAN 3, or if this is even possible.
EDIT: The wiki mentions that my device (R7800) has an embedded switch ... not sure how/if that matters for my use-case?
# ls -l /sys/class/net/
lrwxrwxrwx 1 root root 0 Oct 19 09:37 br-guest -> ../../devices/virtual/net/br-guest
lrwxrwxrwx 1 root root 0 Oct 19 09:37 br-lan -> ../../devices/virtual/net/br-lan
lrwxrwxrwx 1 root root 0 Dec 31 1969 eth0 -> ../../devices/platform/soc/37200000.ethernet/net/eth0
lrwxrwxrwx 1 root root 0 Dec 31 1969 eth1 -> ../../devices/platform/soc/37400000.ethernet/net/eth1
lrwxrwxrwx 1 root root 0 Dec 31 1969 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx 1 root root 0 Oct 19 09:37 wlan0 -> ../../devices/platform/soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0
lrwxrwxrwx 1 root root 0 Oct 19 09:39 wlan0-1 -> ../../devices/platform/soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0-1
Sorry... I thought you were suggesting something about the default state of mine vs. yours.... I re-added VLAN3 and made the changes you proposed as summarized in the screenshot below. Upon hitting "save and apply," a yellow box came up stating: Interface "lan" device auto-migrated from "eth1" to "eth1.1".
I went into Network>Interfaces>GUEST>Edit>Physical Settings and checked "Switch VLAN: eth1.3", then booted a machine (DHCP) connected directly to port 4, but it did not receive an IP in the range defined in my guest zone. How do we associate VLAN 3 with the guest zone interface?
VLAN 3 appears to be properly set up on the router and switch... You should be able to test at this point by statically assigning an IP and attempting to reach the router. But let's work on the DHCP for your VLAN 3...
Did you enable DHCP server and specify how many hosts should receive dynamic IPs (size of the DHCP pool)?
First, you go to INTERFACES > then click on your Guest-LAN
Under the Common Configuration section, you should see DHCP.
Be sure to specify the beginning IP to be issued and how many IPs to hand out (e.g. place "2" and a limit of "10" to make a dynamic pool of xxx.xxx.xxx.2 - xxx.xxx.xxx.11). The lease time should have a default of 12h.
Lastly, check the "Dynamic DHCP" button on the advanced tab.
Also, make sure that your router accepts inbound DHCP request traffic from the guest firewall zone, as the issue could be that your DHCP request packets are being dropped or rejected.
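The steps above (DHCP pool on the guest interface, plus a firewall rule so the router accepts DHCP from the guest zone) and the later remark that two zones need a local firewall rule between them map onto three UCI config files on an OpenWrt/LEDE router. The script below is an added example, not code from the thread or from the OpenWrt project: it stages those fragments into a directory so they can be diffed before being copied to the router, and it computes the DHCP pool range from LuCI's "start" and "limit" values. The guest subnet 192.168.3.0/24, the switch port numbers in the `switch_vlan` stanza, and the `/tmp/uci-stage` staging path are assumptions; the thread shows that port numbering on this device does not match the case labels, so the real ports must be read from Network > Switch.

```shell
#!/bin/sh
# Added example (not from the thread): stage OpenWrt/LEDE UCI config for a
# guest VLAN 3 with its own DHCP pool and firewall zone, and compute the DHCP
# pool range the way LuCI's "Start"/"Limit" fields define it.
# Assumed values (not from the thread): guest subnet 192.168.3.0/24, switch
# port "3" as the untagged guest port, "0t" as the tagged CPU port.
set -eu

# dhcp_pool_range PREFIX START LIMIT -> "PREFIX.START - PREFIX.END"
# "Start" is the first host octet and "Limit" the number of addresses,
# so start=2 limit=10 gives .2 - .11. Refuses a pool that runs past .254.
dhcp_pool_range() {
    prefix=$1; start=$2; limit=$3
    end=$((start + limit - 1))
    if [ "$end" -gt 254 ]; then
        echo "pool overflows the /24: $prefix.$start + $limit addresses" >&2
        return 1
    fi
    printf '%s.%s - %s.%s\n' "$prefix" "$start" "$prefix" "$end"
}

# write_guest_config [ROOT] -> writes ROOT/etc/config/{network,dhcp,firewall}
# and prints the config directory. ROOT defaults to a staging directory.
write_guest_config() {
    root=${1:-/tmp/uci-stage}
    mkdir -p "$root/etc/config"

    cat > "$root/etc/config/network" <<'EOF'
# VLAN 3 on the embedded switch: one untagged LAN port plus the tagged CPU port.
# Port numbers are device-specific (assumed here; read them from Network > Switch).
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 0t'

# The interface LuCI labels "Switch VLAN: eth1.3", bridged so it appears as br-guest.
config interface 'guest'
	option type 'bridge'
	option ifname 'eth1.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
EOF

    cat > "$root/etc/config/dhcp" <<'EOF'
# DHCP pool for the guest interface: start=2, limit=10 -> .2 to .11, 12h leases.
config dhcp 'guest'
	option interface 'guest'
	option start '2'
	option limit '10'
	option leasetime '12h'
	option dynamicdhcp '1'
EOF

    cat > "$root/etc/config/firewall" <<'EOF'
# Guest zone: clients reach the Internet but not the router or the LAN,
# except for the DHCP and DNS services the router has to answer for them.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

# Without this rule the zone's input policy rejects guest DHCP requests,
# which is exactly the "no IP on port 4" symptom.
config rule
	option name 'Allow-DHCP-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
EOF
    echo "$root/etc/config"
}

# Usage: write_guest_config /tmp/uci-stage && dhcp_pool_range 192.168.3 2 10
```

The zone keeps `input` and `forward` at REJECT so a guest client cannot reach the router's other services or the LAN; only the two explicit rules open DHCP and DNS toward the router, and the single `forwarding` stanza lets guest traffic out to `wan`.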
I browsed to the hardware page but didn't see anything about mapping. I then did an experiment: I plugged a cable into port 1 and watched the icon in Network>Switch. I saw "no link" over 1, 2, and 3 and "1000baseT full-duplex" over 4. After walking the cable down the other ports I determined that they are mapped precisely backwards.
Well...are you testing this from the INTERNET or from inside your LAN???
If you're testing from the LAN, that's why the rule works when you switch it (meaning you also need a local firewall rule if they are in 2 different zones).
You have to test the HTTPS connection from the correct zone (the Internet)
If both client and server are on the same LAN, use the Public IP address, and make sure you enabled "Enable NAT Loopback"
Testing between LANs may be a little more complex, you may have to configure NAT re-directs (which place the packet in the other LAN, then routes it) or a port forward, allowing the router to NAT (this is what you configured)
If you want to make it generic, remove 172.17.1.200 and change it to ANY or 172.17.1.0/24
No, as they're not mis-mapped. That's why I mentioned the reversed ports (and to use 2 and 3 for configuration). Ports tend to be identified by LEDE in reverse-order from the instructions provided by the router's OEM (this is because the OEM can configure their firmware and molded plastic casing to make the ports appear in ascending-counting order from Left-to-Right of the consumer's view). Some devices even have a phantom 6th port (for fiber SFPs or other PHYs to be added to the board, that causes more confusion).
If you have access to the Wiki, you may want to contribute that information, though.
...I just noticed a behavior change now that we have the subnet configured. With the out-of-the-box LEDE setup, if I ran the following nmap command on a device connected to the LAN (not the guest zone), the IP addresses would also return hostnames. Currently, the hostnames are omitted. Any thoughts?
% sudo nmap -sn 10.9.8.0/24 -oG -
# Nmap 7.60 scan initiated Sat Oct 21 09:53:40 2017 as: nmap -sn -oG - 10.9.8.0/24
Host: 10.9.8.1 () Status: Up
Host: 10.9.8.103 () Status: Up
Host: 10.9.8.124 () Status: Up
Host: 10.9.8.131 () Status: Up
# Nmap done at Sat Oct 21 09:53:42 2017 -- 256 IP addresses (4 hosts up) scanned in 1.79 seconds
-n (No DNS resolution).
Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
I changed the original LAN from 192.168.1.0 to 10.9.8.0. The option for nmap isn't actually -n, it's -sn (Ping Scan - disable port scan)... if you run the corresponding nmap stanza on your network, do you get hostnames?
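The empty parentheses in the grepable output above are where nmap prints the reverse-DNS name; `-sn` still performs those lookups unless `-n` is given, so `()` means the resolver the scanning host uses returned no PTR record for that address. The script below is an added example, not code from the thread: it parses nmap's `-oG` format and lists the live hosts that came back without a name, which is the quick check to run before and after a change like the subnet move. The sample output is constructed (modelled on the thread's listing, with two names filled in); the hostnames and the `nslookup` target are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pick out live hosts in nmap grepable
# (-oG) output that have no reverse-DNS name, i.e. lines of the form
# "Host: <ip> ()  Status: Up". nmap separates the fields with tabs; awk's
# default field splitting handles tabs and spaces alike.
set -eu

# Constructed sample modelled on the thread's scan: two hosts resolve, two do not.
SAMPLE='# Nmap 7.60 scan initiated Sat Oct 21 09:53:40 2017 as: nmap -sn -oG - 10.9.8.0/24
Host: 10.9.8.1 (router.lan)	Status: Up
Host: 10.9.8.103 ()	Status: Up
Host: 10.9.8.124 (laptop.lan)	Status: Up
Host: 10.9.8.131 ()	Status: Up
# Nmap done at Sat Oct 21 09:53:42 2017 -- 256 IP addresses (4 hosts up) scanned in 1.79 seconds'

# hosts_missing_ptr < grepable-output
# Prints one IP per line for every host reported Up whose name field is "()".
hosts_missing_ptr() {
    awk '$1 == "Host:" && $3 == "()" && /Status: Up/ { print $2 }'
}

# hosts_with_ptr < grepable-output
# Prints "<ip> <name>" for every Up host that did resolve, parentheses stripped.
hosts_with_ptr() {
    awk '$1 == "Host:" && $3 != "()" && /Status: Up/ {
        name = $3; gsub(/[()]/, "", name); print $2, name
    }'
}

# count_up_hosts < grepable-output -> number of hosts reported Up
count_up_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { n++ } END { print n + 0 }'
}

# Usage on a live scan (run from the LAN, as in the thread):
#   nmap -sn -oG - 10.9.8.0/24 | hosts_missing_ptr
# To check whether the router's dnsmasq knows a lease's name at all, ask it
# directly instead of the scanning host's default resolver (router IP assumed):
#   nslookup 10.9.8.103 10.9.8.1
printf '%s\n' "$SAMPLE" | hosts_missing_ptr
```

If the router answers the direct `nslookup` with a name but the scan still shows `()`, the scanning host is not using the router as its resolver for the new subnet; if the router itself returns nothing, the lease has no hostname for dnsmasq to hand out.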