Separate VLANs for private and nonprivate usage (adblock only for one VLAN)

Hello,

I am facing some issues, and getting a bit tired. Please help me out, local gurus; I am starting to feel I am just too dumb for this. So the mission is to connect to the provider modem with an OpenWrt router so that LAN ports 1-3 are the local private area, and port 4 is for another DD-WRT router for work and guests. So port 4 has to be fully isolated and be able to go only to the internet. Additionally, like port 4, the 2.4 GHz network also has to serve the same purpose (just in case this DD-WRT router turns out to be crappy). The problem I am facing is that both VLANs (private and non-private) are behind adblock protection. For the non-private area I do not need any kind of adblocking or similar regulation, just internet. That is, I guess, where my biggest problem is hiding. I tried to force 8.8.8.8 etc. as DNS in the DHCP options (code 6), but it seems I have no idea what I am doing.

Another problem is that from that DD-WRT router I can still access 192.168.1.1 (the main router from the internet provider, which also has DHCP but is used only for internet sharing, without even Wi-Fi on). I guess I can block that one with firewall rules, but overall I am not sure that I am doing anything right.

So guys, help me out.

P.S.
If you need some additional config files, tell me how to get them via telnet, because I am such a beginner here... :slight_smile:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXXXXXX::/48'

config device
        option name 'wan'
        option macaddr 'XXXXXXX'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'MainBridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option bridge_empty '1'

config bridge-vlan
        option device 'MainBridge'
        option vlan '21'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config bridge-vlan
        option device 'MainBridge'
        option vlan '22'
        list ports 'lan4:u*'

config interface 'Private'
        option proto 'static'
        option device 'MainBridge.21'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

config interface 'Work_Guest'
        option proto 'static'
        option device 'MainBridge.22'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

root@OpenWrt:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].filter_aaaa='0'
dhcp.@dnsmasq[0].filter_a='0'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.Private=dhcp
dhcp.Private.interface='Private'
dhcp.Private.start='100'
dhcp.Private.limit='150'
dhcp.Private.leasetime='12h'
dhcp.Private.force='1'
dhcp.Work_Guest=dhcp
dhcp.Work_Guest.interface='Work_Guest'
dhcp.Work_Guest.start='100'
dhcp.Work_Guest.limit='150'
dhcp.Work_Guest.leasetime='1h'
dhcp.Work_Guest.dhcp_option='3, 10.0.0.1' '6, 8.8.8.8, 1.1.1.1'

I'm unfamiliar with interface bridging in any great detail, but something which stands out is this:

  • You want to maintain segregation of your networks, with lan1, 2, and 3 working together and lan4 supplying a different network.
  • You appear to have bridged all four interfaces together.

My own instinctive approach would be to bridge lan1, lan2, and lan3 together, but not lan4, and give the lan1-3 bridge its own IP address.

Then give lan4 a different IP address.

Or, if you absolutely have to have WiFi on the same subnet as lan4, make a second bridge for lan4 and wlan0 (or whatever your wireless interface is called), and give that bridge a different IP address.

Don't bother with any VLAN assignments. Do you have a specific reason why you need 802.1q VLAN tags?

Once you have done that, configure dnsmasq with two DHCP scopes, one for the lan1-3 bridge subnet, and the other for the lan4 (or lan4/wifi) subnet. In the scope for lan1-3, configure one set of DNS servers in the DHCP options. In the scope for lan4 (or lan4/wifi), configure a different set of DNS servers in the DHCP options.

As for preventing access to 192.168.1.1 from devices behind the second router, you can achieve that by configuring firewall rules on either DD-WRT or OpenWRT (or both) which control traffic to 192.168.1.1.

Hello,

I created separate VLANs as was proposed in this video: https://youtu.be/qeuZqRqH-ug

The reason, I guess, is that it is more secure, easy to maintain, and the version 21 DSA architecture.. :smiley:

VLANs have their place, certainly; I segregate my own network using 802.1q VLANs for port isolation on managed switches. But if you're not familiar with 802.1q and what's involved, I suspect you'd be better off leaving them out of the equation for now; troubleshooting something you don't know can be an exercise in frustration.

Then again, it could also be a learning experience. Don't be afraid to try something new, but also don't be surprised if getting it working is more challenging than you were expecting. It certainly took me a long time to get 802.1q working fully in my environment, largely due to the implementation being different for every single vendor device I have...

My suspicion - because I don't have the exact same hardware as you to test - is that your DD-WRT router is picking up an IP address in the 192.168.8.0/24 subnet, because that's the scope defined for "Private", and the device associated with "Private" is "MainBridge.21", and the interface "MainBridge" comprises all four ports, not just the first three. I suspect you think you've assigned ports 1-3 to VLAN 21, but that in fact you may have actually assigned all 4 ports to VLAN 21.

The above is speculation but, again, it's what leaps out at me from your configuration.

Off the top of my head - and there may well be errors here due to lack of testing on my part; I'm trying to illustrate the concept rather than dictate a specific configuration - something like this might be more appropriate:

config device
        option type 'bridge'
        option name 'PrivateBridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option bridge_empty '1'

config device
        option type 'bridge'
        option name 'GuestBridge'
        list ports 'lan4:u*'
        option bridge_empty '1'

config bridge-vlan
        option device 'MainBridge'
        option vlan '21'

config bridge-vlan
        option device 'MainBridge'
        option vlan '22'

config interface 'Private'
        option proto 'static'
        option device 'PrivateBridge.21'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

config interface 'Work_Guest'
        option proto 'static'
        option device 'GuestBridge.22'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

With that in mind, my recommendation would be for something like this instead, removing 802.1q from the equation:

config device
        option type 'bridge'
        option name 'PrivateBridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option bridge_empty '1'

config interface 'Private'
        option proto 'static'
        option device 'PrivateBridge'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

config interface 'Work_Guest'
        option proto 'static'
        option device 'lan4'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
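The suspicion above (that all four ports may have ended up in VLAN 21) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from OpenWrt: a minimal reader for the UCI syntax shown in the posts that lists which ports each bridge-vlan carries and flags the two segregation failures discussed here, a port that sits in more than one VLAN and a bridge-vlan section with no ports at all. The embedded config is a constructed sample in the poster's format.

```python
import re

# Constructed sample in the thread's /etc/config/network syntax (bridge-vlan sections only).
NETWORK_CFG = """
config bridge-vlan
    option device 'MainBridge'
    option vlan '21'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
config bridge-vlan
    option device 'MainBridge'
    option vlan '22'
    list ports 'lan4:u*'
"""

def parse_uci(text):
    """Minimal UCI reader: a list of {'type', 'name', 'opts', 'lists'} dicts, one per section."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2), "opts": {}, "lists": {}})
            continue
        m = re.match(r"\s*(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1]["opts"][key] = val
            else:
                sections[-1]["lists"].setdefault(key, []).append(val)
    return sections

def vlan_ports(text):
    """VLAN id -> set of member ports; the ':u*' / ':t' suffix (untagged+PVID / tagged) is stripped."""
    return {s["opts"]["vlan"]: {p.split(":")[0] for p in s["lists"].get("ports", [])}
            for s in parse_uci(text) if s["type"] == "bridge-vlan"}

def segregation_problems(text):
    """Ports carried by more than one VLAN (networks not isolated) and VLANs with no ports at all."""
    vmap = vlan_ports(text)
    per_port = {}
    for vid, ports in vmap.items():
        for p in ports:
            per_port.setdefault(p, set()).add(vid)
    return {"shared_ports": sorted(p for p, v in per_port.items() if len(v) > 1),
            "empty_vlans": sorted(v for v, ports in vmap.items() if not ports)}
```

Run against the config posted at the top of the thread, it reports VLAN 21 = lan1-3 and VLAN 22 = lan4 with no shared ports, so the ports themselves are segregated as intended.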

This is how it is done so far:

DHCP seems to work right and is giving IPs OK. The only problem I had was that VLAN 22 didn't have working DNS at all before I "forced" it to use Google's DNS. Now internet works on all LAN ports and Wi-Fi is OK, but adblock is still affecting everything, which is the main reason I went to try VLANs. I thought that VLANs give me the full ability to split things virtually, with each VLAN having its own DHCP and DNS server etc.

I stand corrected. That screenshot looks good to me. Apologies for any previous confusion and misdirection.

I'm unsure why Adblock would be kicking in on the Guest network, though, unless...

Did you also configure any sort of DNS interception? Does your primary router intercept all traffic on port 53 and redirect it to Adblock, to prevent the very sort of bypass you're trying to achieve?

What are the contents of /etc/config/firewall ?

No, not quite. VLANs operate at OSI layer 2, DHCP and DNS operate at OSI layers 3-7.

Many people who work in networking use the terms VLAN and subnet interchangeably, and the context of the conversation usually indicates which meaning obtains, but they are different (albeit complementary) elements in a network configuration, and mixing the terms up may lead to confusion.

Can you please explain this more deeply? I cannot find these settings in LuCI.

Once you have done that, configure dnsmasq with two DHCP scopes, one for the lan1-3 bridge subnet, and the other for the lan4 (or lan4/wifi) subnet. In the scope for lan1-3, configure one set of DNS servers in the DHCP options. In the scope for lan4 (or lan4/wifi), configure a different set of DNS servers in the DHCP options.

I've just had a quick look at LuCI to check.

I'm accustomed to managing dnsmasq directly (dnsmasq is the service which provides DNS and DHCP in OpenWRT), so I'm familiar with working with different options for different subnets. But how does OpenWRT abstract and present the same features to the OpenWRT administrator?

Looking at LuCI, it's not immediately obvious to me how to achieve what I suggested in LuCI, without editing configuration files directly. So my apologies. It might be possible, and I might just be missing the option due to being tired. I'll take another look later this week when I'm more awake. In the meantime, another forum member might have the answer for you, or you might even stumble across it yourself.

(As an aside, if you want to know more about dnsmasq, I can highly recommend reading the manual at https://dnsmasq.org/docs/dnsmasq-man.html. While it's not written specifically for OpenWRT, it is still extremely informative about dnsmasq's capabilities.)