Separate subnet on physical port #4

I have an interface called "GUEST" (br-guest) I created for the guest wireless. It is setup on it's own IP range and in its own firewall zone. Can I simply go into the "Switch" tab and setup port 4 to use this interface?

I'm not quite clear on the settings need to use for my newly created VLAN 3 or if this is even possible.


EDIT: The wiki mentions that my device (R7800) has an embedded switch ... not sure how/if that matters for my use-case?

# ls -l /sys/class/net/
lrwxrwxrwx    1 root     root             0 Oct 19 09:37 br-guest -> ../../devices/virtual/net/br-guest
lrwxrwxrwx    1 root     root             0 Oct 19 09:37 br-lan -> ../../devices/virtual/net/br-lan
lrwxrwxrwx    1 root     root             0 Dec 31  1969 eth0 -> ../../devices/platform/soc/37200000.ethernet/net/eth0
lrwxrwxrwx    1 root     root             0 Dec 31  1969 eth1 -> ../../devices/platform/soc/37400000.ethernet/net/eth1
lrwxrwxrwx    1 root     root             0 Dec 31  1969 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx    1 root     root             0 Oct 19 09:37 wlan0 -> ../../devices/platform/soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0
lrwxrwxrwx    1 root     root             0 Oct 19 09:39 wlan0-1 -> ../../devices/platform/soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0-1

Yes. From your picture, it appears you will do the following to accomplish this:

  1. First, be certain LAN 4 is labeled in the correct order - SEE TABLE OF HARDWARE
  2. Use WI-Fi, LAN 2 or 3 to complete this (in case the ports are labeled in reverse)
  3. Add VLAN 3 to CPU/eth1 as "Untagged"
  4. Remove VLAN 1 from LAN 4 by changing it to "Off"
  5. Add VLAN 3 by changing it from "Off" to "Untagged" (verify this in Switch documentation, as my CPU has these tagged by default)
  6. Hit "Save and Apply"

Port 4 should now be on your new VLAN 3.

On a fresh installation of LEDE on my R7800, here is the default switch page:

I don't think I got this setup correctly... it's angry about untagged status:

Have you changed the status to "tagged" for all VLANs on cpu/eth1 and tested?

I haven't tried... let's take a step back. I deleted VLAN 3. What would you like me to try changing in VLAN1 and VLAN2?

You wouldn't change anything on VLANs 1 and 2, as they are configured properly. You are working with VLAN 3.

I'm not sure whant you mean by:

You need a VLAN specified in interfaces setup including its IP range, etc. If you deleted that, you'll have to add it again. Regarding the Switch settings, I only mentioned tagging the CPU:

  • Add VLAN 3 to CPU/eth1 as “Tagged”
  • Change VLAN 1 on CPU/eth1 to “Tagged”
  • Remove VLAN 1 from LAN 4 by changing it to “Off”
  • Add VLAN 3 to LAN 4 by changing it from “Off” to “Untagged”
  • Hit “Save and Apply”

Sorry... I thought you were suggesting something about the default state of mine vs. yours.... I re-added VLAN3 and made the changes you proposed as summarized in the screenshot below. Upon hitting "save and apply," a yellow box came up stating: Interface "lan" device auto-migrated from "eth1" to "eth1.1".


I went into Network>interfaces>GUEST>Edit>Physical Settings and checked "Switch VLAN: "eht1.3" Then booted a machine (dhcp) connected directly to port 4 but it did not receive an IP in the range defined in my guestzone. How do we associate VLAN3 with the guestzone interface?


VLAN 3 appears to be properly setup on the Router and Switch...You should be able to test at this point by statically assigning an IP and attempting to reach the router. But let's work on the DHCP for your VLAN 3...

Did you enable DHCP server and specify how many hosts should receive dynamic IPs (size of the DHCP pool)?

  • First, you go to INTERFACES > then click on your Guest-LAN
  • Under the Common Confguration section, you should see DHCP.
  • Be sure to specify the beginning IP to be issued and how many IPs to hand out (e.g. place "2" and a limit of "10" to make a dynamic pool of - The lease time should have a default of 12h.
  • Lastly, check the "Dynamic DHCP" button on the advanced tab.

Also, make sure that your router accepts inbound DHCP Request traffic from the Guest Firewall Zone, as the issue could be your DCHP request packets are being dropped or rejected.

I browsed to the hardware page but didn't see anything about mapping. I then did an experiment: I plugging cable into port 1 and watched the icon in Network>Switch. I saw "no link" over 1,2, and 3 and "1000baseT full-duplex" over 4. After walking for cable down the other ports I determined that they are mapped precisely backwards.

Physical 1 --> LAN4
Physical 2 --> LAN3
Physical 3 --> LAN2
Physical 4 --> LAN1

SO... I left the device to be wired-connected to Physical 4 and adjusted Network>Switch as shown below and it did indeed get a correct IP address in the subnet I wanted it to!


Now have I been trying and failing to create a firewall rule to allow the ssh traffic on port 49999 from any host on LAN to a specific host in the guestzone.

Here is the summary rule that does not work (I get ssh: connect to host odroid64 port 49999: Connection refused when I try):

Here is the long version...

Note - I know odroid64 is accepting ssh on port 49999 because I can ssh into the LEDE router and from there successfully connect via:

ssh -p 49999 user@odroid64

Halting the firewall on the router /etc/init.d/firewall stop allows the connect to work so it has to be something I setup incorrectly. Thanks for your insights and continued patients with me :slight_smile:

EDIT2: This is scary... it seems as through LAN and WAN are also mis-mapped. If I attempt to ssh to my external IP address using the above rule, I actually connect just fine.

ssh -p 49999
Last login: Thu Oct 19 18:16:42 2017 from ...

myuser@odroid64 ~ %
  • First...does device have port tcp/22 open or port tcp/49999 for SSH?
  • You don't connect to the router as no Network Address Translation is needed...both devices are known to the system, it can route it...that brings me to this...
  • You appear to have made a Port Forward, instead of a Traffic Rule
  • Your Traffic Rule should read: "IPv4-tcp From any host in lan to IP at port 22 in guestzone" (use 49999 only if you configured that SSH server to use that port instead of 22)
1 Like

Yes, it's listening on both ports.

Yes! I misunderstood your suggestion for a port forwarding setup and in fact I needed a traffic rule. That solved the problem for me:

Thanks again for your help... I would have never figured out the switch settings without it :slight_smile:

If I wanted to make it more generic so I could connect to any number of machines in the guestzone, would I just define the IP in the guestzone as or is there a more proper way?

Well...are you testing this from the INTERNET or from inside your LAN???

  • If you're testing from the LAN, that's why the rules works when you switch it (meaning, you also need a local firewall rule if they are in 2 difffernt zones)
  • You have to test the HTTPS connection from the correct zone (the Internet)
  • If both client and server are on the same LAN, use the Public IP address, and make sure you enabled "Enable NAT Loopback"
  • Testing between LANs may be a little more complex, you may have to configure NAT re-directs (which place the packet in the other LAN, then routes it) or a port forward, allowing the router to NAT (this is what you configured)

If you want to make it generic, remove and change it to ANY or

1 Like

Thanks... I figured it out and edited after you quoted me, but I think I'm good with it now as I typed it.

Thank you very much for all the advise and direction you provided to me. :trophy:

Should I open a bug report or the like about the mis-mapped ports?

1 Like

No, as they're not mis-mapped. That's why I mentioned the reversed ports (and to use 2 and 3 for configuration). Ports tend to be identified by LEDE in reverse-order from the instructions provided by the router's OEM (this is because the OEM can configure their firmware and molded plastic casing to make the ports appear in ascending-counting order from Left-to-Right of the consumer's view). Some devices even have a phantom 6th port (for fiber SFPs or other PHYs to be added to the board, that causes more confusion).

If you have access to the Wiki, you may want to contribute that information, though.

I updated the comments on this page.

1 Like

...I just noticed a behavior change now that we have the subset configured. With the out-of-the-box LEDE setup, If I ran the following nmap command on a device connected to the lan (not guestzone), the IP addresses would also return hostnames. Currently, the hostnames are omitted. Any thoughts?

% sudo nmap -sn -oG -  
# Nmap 7.60 scan initiated Sat Oct 21 09:53:40 2017 as: nmap -sn -oG -
Host: ()	Status: Up
Host: ()	Status: Up
Host: ()	Status: Up
Host: ()	Status: Up
# Nmap done at Sat Oct 21 09:53:42 2017 -- 256 IP addresses (4 hosts up) scanned in 1.79 seconds

the original LAN also wasn't a I'm unsure...

If your DHCP is default, and you configured the same, you should see hostnames.

The n argument in a lot of softwares denotes "do not resolve hostnames"...maybe that's it...?


-n (No DNS resolution) .
Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.

I changed the original lan from to The option for nmap isn't actually -n it's -sn (Ping Scan - disable port scan) ... if you run the corresponding nmap stanza on your network, do you get hostnames?

Nmap is not installed by default.

But i can do an nslookup on all IPs on my network with nostnames, and receive its reverse address...