Setting up VLAN on OpenWrt 22.03 [solved]

I am currently trying to set up VLANs on OpenWrt 22.03. The settings have changed since OpenWrt 21, which is what most YouTube tutorials cover. I would like to assign my IOT network to ethernet port 3 and the guest network to ethernet port 2, and the main network to ports 1 and 4. I am having difficulty assigning a VLAN to the interfaces "IOT" and "GUEST". I do not know how to set up a device for the VLAN and then link it to an interface. Please help.

Also, when setting up devices, "switch ports" do not show up

Goal:

  1. Setup access of "TheLoft_IOT" on ethernet port 3
  2. Setup access of "TheLoft_Guest" on ethernet port 2

Images below:
https://imgur.com/a/syTB6UX

They have changed if your device transitioned to DSA. From your images, it appears yours still uses swconfig, which would suggest that the process should not have changed.

Your images are not showing the whole story -- we need the text configs to see that (below). But, you appear to have two major errors:

  1. your guest and IoT networks appear to be tied directly to wifi (and incorrectly, at that), rather than a bridge. If you want them to operate on both wifi and ethernet, they need to be in a bridge.
  2. You've got the CPU (eth0) "off" in the VLAN configuration for the IoT and guest networks... it should be tagged.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I have fixed #2 by tagging VLAN IOT and guest network.

How do I fix your proposed #1? How do I bridge the Guest and IOT networks to wifi and ethernet? That is what I am struggling with.

you create a bridge device.

Post your configs and I'll specifically show you how it is done.

etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GUESTZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'GUEST'

# IOTZone: 'input ACCEPT' lets every IoT host reach services running on the
# router itself (web UI, SSH, etc.), not just the IoT network. Later in the
# thread this is changed to REJECT plus an explicit DHCP/DNS allow rule, the
# same pattern GUESTZone above already uses.
config zone
	option name 'IOTZone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'

# One-way: lan may initiate connections into IOTZone. There is no forwarding
# with src 'IOTZone' and the zone's forward policy is REJECT, so IoT devices
# cannot initiate connections to the main LAN, and (as noted later in the
# thread) have no path to wan either.
config forwarding
	option src 'lan'
	option dest 'IOTZone'

# Guest traffic may only be forwarded to wan; with no GUESTZone -> lan
# forwarding, the guest network is isolated from the main LAN.
config forwarding
	option src 'GUESTZone'
	option dest 'wan'

# Input rule (no 'dest'), so it opens GUESTZone's 'input REJECT' only for DHCP
# and DNS towards the router. No 'proto' is given, so the firewall's default
# protocol set (TCP and UDP) applies to all three ports.
config rule
	option name 'Guest DHCP and DNS'
	option src 'GUESTZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# Port forward exposing 192.168.1.131:1194 to the internet. No 'proto' is set,
# so both TCP and UDP 1194 are forwarded; if this really is WireGuard (UDP
# only), adding `option proto 'udp'` narrows what is reachable from wan.
# The forwarded host sits on lan, i.e. in the fully trusted zone, not in an
# isolated one.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '1194'
	option name 'wireguard'
	option dest_ip '192.168.1.131'
	option dest_port '1194'
etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddc:8416:29ef::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 4 1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

# Neither GUEST nor IOT has an 'option device', so these interfaces are not
# attached to any VLAN sub-interface or bridge; only the wifi-ifaces reference
# them. The reply further down fixes this by creating br-guest / br-iot bridge
# devices and pointing each interface at its bridge.
config interface 'GUEST'
	option proto 'static'
	option ipaddr '10.20.30.40'
	option netmask '255.255.255.0'

config interface 'IOT'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'

# VLAN 3 (TheLoft_Guest) is untagged on switch port 3 and VLAN 4 (TheLoft_IOT)
# on switch port 2; both are tagged on CPU port 0, which appears to be eth0
# given that wan uses eth0.2 on VLAN 2 above. The first post asked for IoT on
# port 3 and guest on port 2, the reverse of this assignment; switch port
# numbers need not match the physical labels, so confirm the mapping for this
# device.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'TheLoft_Guest'
	option ports '0t 3'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option description 'TheLoft_IOT'
	option ports '0t 2'
etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option cell_density '0'
	option channel '36'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'deleted_password'
	option ieee80211r '1'
	option mobility_domain 'kkkk'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ssid 'TheLoft'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option channel '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'deleted_password'
	option ieee80211r '1'
	option mobility_domain 'xxxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ssid 'TheLoft'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TheLoft_Guest'
	option encryption 'psk2'
	option key 'deleted_password'
	option ieee80211r '1'
	option mobility_domain 'xxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'GUEST'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TheLoft_Guest'
	option encryption 'psk2'
	option key 'deleted_password'
	option ieee80211r '1'
	option mobility_domain 'xxxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'GUEST'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TheLoft_IOT'
	option encryption 'psk2'
	option key 'deleted_password'
	option ieee80211r '1'
	option mobility_domain 'xxxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'IOT'

config wifi-iface 'wifinet7'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TheLoft_IOT'
	option encryption 'psk2'
	option key 'deleted_password'
	option ieee80211r '1'
	option mobility_domain 'xxxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'IOT'

Updated switch

So actually your wireless connection to the networks is fine... you just need to do this:

# eth0.3 is the VLAN 3 sub-interface of eth0 (switch port 0, tagged in the
# switch_vlan with vid 3). Bridging it gives the GUEST interface a device to
# attach to; the wifi-ifaces with network 'GUEST' are attached to the same
# bridge by netifd, so wired and wireless guests share one L2 segment.
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.3'

config interface 'GUEST'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '10.20.30.40'
	option netmask '255.255.255.0'

Repeat for IoT network (br-iot, eth0.4).

Is this setup correct for cheap IP cameras? I would like to connect them to the IOT wireless network and be able to access them while connected to the main network which is "The_loft"

Sure. It is fine. You may want to set the iot firewall zone input rule to reject and then allow dhcp and dns as you did for the guest zone.

Keep in mind that some cheap cameras may not work across different subnets. There was a thread about this recently. If I can find it, I’ll link it here.

Found it. These cameras were not able to deal with a different subnet. They could only work when the client was on the same subnet.

Don't I want incoming traffic to the cameras, in order to connect to them from the other network?

Also, why allow dhcp and dns?

I do have trouble connecting to my IOT network; I wonder if it's because it does not assign an IP address.

“Input” on the firewall refers to the ability for a host to access the router itself. You probably don’t want the cameras to be able to connect to the router for any admin functions, just in case they become compromised and try to do stuff to the router itself (slim, but non zero possibility).

Allowing dhcp and dns is generally required if you set input to reject because otherwise the devices would not be able to get a dhcp lease or dns resolution from the router.

This would be expected if your firewall has input = reject and you didn’t create the rule to allow dhcp and dns.

Post your latest configuration if you can’t get it working.

The "TheLoft_IOT" network won't connect. It has had this problem before. Sometimes my devices can connect to it, sometimes they cannot. I now plan on connecting to the camera on the same network. I just need the network to work now.

etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GUESTZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'GUEST'

# IOTZone now rejects input to the router, so the 'IOT DHCP and DNS' rule at
# the end of this file is what lets IoT clients obtain a lease and resolve
# names; without it they would fail to come up, as discussed above.
config zone
	option name 'IOTZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'IOTZone'

config forwarding
	option src 'GUESTZone'
	option dest 'wan'

config rule
	option name 'Guest DHCP and DNS'
	option src 'GUESTZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '1194'
	option name 'wireguard'
	option dest_ip '192.168.1.131'
	option dest_port '1194'

# Counterpart of 'Guest DHCP and DNS' for IOTZone: an input rule (no 'dest')
# that re-allows only DHCP and DNS towards the router now that the zone's
# input policy is REJECT. Like the guest rule it sets no 'proto', so the
# default protocol set (TCP and UDP) applies.
config rule
	option name 'IOT DHCP and DNS'
	option src 'IOTZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'
etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddc:8416:29ef::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 4 1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

config interface 'GUEST'
	option proto 'static'
	option ipaddr '10.20.30.40'
	option netmask '255.255.255.0'
	option device 'br-guest'

config interface 'IOT'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'
	option device 'br-iot'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'TheLoft_Guest'
	option ports '0t 3'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option description 'TheLoft_IOT'
	option ports '0t 2'

# Bridge devices for the guest and IoT VLANs: eth0.3 / eth0.4 are VLANs 3 and 4
# on the CPU port that the switch_vlan stanzas above tag ('0t'). The GUEST and
# IOT interfaces now attach to them via 'option device', which is what was
# missing in the first posted config.
config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.3'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.4'
etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option cell_density '0'
	option channel '36'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxx'
	option ieee80211r '1'
	option mobility_domain 'xxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ssid 'TheLoft'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option channel '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxx'
	option ieee80211r '1'
	option mobility_domain 'xxxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ssid 'TheLoft'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TheLoft_Guest'
	option encryption 'psk2'
	option key 'xxxxx'
	option ieee80211r '1'
	option mobility_domain 'xxxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'GUEST'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TheLoft_Guest'
	option encryption 'psk2'
	option key 'xxxxx
	option ieee80211r '1'
	option mobility_domain 'xxxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'GUEST'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TheLoft_IOT'
	option encryption 'psk2'
	option key 'xxxxx'
	option ieee80211r '1'
	option mobility_domain 'xxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'IOT'

config wifi-iface 'wifinet7'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TheLoft_IOT'
	option encryption 'psk2'
	option key 'xxxxx'
	option ieee80211r '1'
	option mobility_domain 'xxxxxx'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'IOT'

You don’t currently allow the IoT zone access to the internet. Some devices (like mobile phones) will not connect if they can’t get internet access (they’ll fall back to cellular because that is a better experience). Try connecting a laptop to that network and verify that it gets an IP address in the right subnet. Do this both wired and wireless.

You also have 802.11r enabled. This may cause difficulty - some devices just don’t work when fast roaming is enabled.

A good ole reboot of the router made it work. My IOT wifi is able to connect to the Reolink 410W IP camera.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

