Setting up VLANs - Cudy WR3000 - OpenWrt 23.05.2

Hi there

I'm trying to setup 3 x VLANs: One, Two , Three

I thought I knew how to do it from research, but it didn't work to my surprise. I feel close though.

Here's what I tried: (starting from a reset to default settings)

  1. Configure the br-lan bridge. And enable VLAN Filtering. Added 3 VLAN's.
  2. Added 3 interfaces, one for each VLAN. DHCP turned on too.

I think this is the basic configuration that should allow my computer to be on a different VLAN, depending on whether I plug in to lan1, lan2, or lan3.

But something seems to be conflicting.
When I have more than one DHCP server enabled, I don't seem to get an IP address.

Hoping I just missed something. Thanks.

Update:

  1. I tried again and found that I still had problems getting an IP address, if I had a DHCP server enabled on more than one VLAN.

  2. I realized that I forgot to specify a subnet mask when configuring the VLAN interfaces.
    -I am not sure if setting a subnet is required. But I found I can now get the DHCP servers working on each VLAN. So if I plug my computer into either lan1, lan2, or lan3 - It gives me the expected IP corresponding to the correct VLAN.

  3. I put a device with static IP 192.168.20.11 on VLAN20, and I tried setting up a forwarding rule in the Firewall, so that VLAN10 can reach VLAN20. But I could not reach/ping the device.

I don't know how to resolve the forwarding from VLAN10 to VLAN20.
And I don't really understand subnets. And whether or not specifying 255.255.255.0 will prevent me from reaching a different VLAN.

Thank you.

Progress Update:

  • I think it's working! I think it was the subnet mask that I forgot to set, which made the difference.

New Question:

  • I want to access the web GUI of a static IP (192.168.20.11) network camera on VLAN20 (camera), from my computer (192.168.10.101) on VLAN10 (lan).

  • I have set the Firewall forwarding rule. But I still can't seem to access the web GUI of the device on VLAN20 (camera), when I am on VLAN10 (lan).

Please help. Thank you.

Configured from default settings:

Update:

Success! I found the 2nd error.

There seems to have been no problem with the zone forwarding rules I set up.

The issue was that I had not set a gateway address when configuring the static IP for the device I was trying to access.

Once set to 192.168.20.1, I was then able to access the device from the other VLAN.

Happy days! :blush:

1 Like

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

1 Like

Wow, is that the only response I receive? :roll_eyes:

Thanks...

Not sure what you were expecting.... it seems you have fixed the issue. Is that incorrect?

I'm sorry. Thank you for the assistance. :+1:

I have three VLAN's: lan, camera, guest

I have setup the firewall to prevent the camera VLAN from accessing the wan, or device zones.

Question: How do I add an exception so that the NVR on the camera VLAN can get to the wan?

Thanks

Create a traffic rule in the firewall. This can be more restrictive if desired/needed, but the basic rule would be:

  • accept
  • protocol: all
  • source zone: camera
  • source IP:
  • destination zone: wan
1 Like

Sorry for the late update :pray:

What I tried doing was:
:black_small_square: Going to Traffic Rules and creating a rule on TCP/UDP, for the specific IP address of the NVR on the "camera" VLAN, allowing it to get to the WAN zone.
:black_small_square: I named it NVR-to-WAN

The NVR's internet access seemed to kick in immediately after that :clap:

I was happy it is working. But I was still unsure whether this was the correct solution. And whether or not it is safe security-wise.

I honestly am not familiar with all the different protocols. So now that I have checked back here. I will update the protocol selection from the TCP+UDP I had selected, to 'all' instead.

Thanks so much for the help :man_bowing:

Network Diagram

(updated: version 3)

Network Diagram B - (Updated: v2)

Devices:

Router/AP1 - Cudy WR3000 v1 - OpenWRT 23.05.2
AP2 - Cudy WR1300 v2 - OpenWRT 23.05.2
AP3 - Cudy WR1300 v2 - OpenWRT 23.05.2

AP2 has the "eco: 4" model of the MediaTek MT7621. I noticed that this device just wouldn't work with some 5GHz WiFi channels, whereas the "eco: 3" would.

Question: Can AdGuard Home do content filtering per VLAN?