Setting up VLANs - Cudy WR3000 - OpenWrt 23.05.2

Hi there

I'm trying to set up 3 VLANs: One, Two, Three

I thought I knew how to do it from research, but it didn't work to my surprise. I feel close though.

Here's what I tried: (starting from a reset to default settings)

  1. Configured the br-lan bridge and enabled VLAN filtering. Added 3 VLANs.
  2. Added 3 interfaces, one for each VLAN. DHCP turned on too.

I think this is the basic configuration that should allow my computer to be on a different VLAN, depending on whether I plug in to lan1, lan2, or lan3.

But something seems to be conflicting.
When I have more than one DHCP server enabled, I don't seem to get an IP address.

Hoping I just missed something. Thanks.

Update:

  1. I tried again and found that I still had problems getting an IP address, if I had a DHCP server enabled on more than one VLAN.

  2. I realized that I forgot to specify a subnet mask when configuring the VLAN interfaces.
    - I am not sure if setting a subnet is required, but I found I can now get the DHCP servers working on each VLAN. So if I plug my computer into either lan1, lan2, or lan3, it gives me the expected IP corresponding to the correct VLAN.

  3. I put a device with static IP 192.168.20.11 on VLAN20, and I tried setting up a forwarding rule in the Firewall, so that VLAN10 can reach VLAN20. But I could not reach/ping the device.

I don't know how to resolve the forwarding from VLAN10 to VLAN20.
And I don't really understand subnets, or whether specifying 255.255.255.0 will prevent me from reaching a different VLAN.

Thank you.

Progress Update:

  • I think it's working! I think it was the subnet mask that I forgot to set, which made the difference.

New Question:

  • I want to access the web GUI of a static IP (192.168.20.11) network camera on VLAN20 (camera), from my computer (192.168.10.101) on VLAN10 (lan).

  • I have set the Firewall forwarding rule. But I still can't seem to access the web GUI of the device on VLAN20 (camera), when I am on VLAN10 (lan).

Please help. Thank you.

Configured from default settings:

Update:

Success! I found the 2nd error.

There seems to have been no problem with the zone forwarding rules I set up.

The issue was that I had not set a gateway address when configuring the static IP for the device I was trying to access.

Once set to 192.168.20.1, I was then able to access the device from the other VLAN.

Happy days! :blush:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Wow, is that the only response I receive? :roll_eyes:

Thanks...

Not sure what you were expecting.... it seems you have fixed the issue. Is that incorrect?

I'm sorry. Thank you for the assistance. :+1:

I have three VLANs: lan, camera, guest

I have set up the firewall to prevent the camera VLAN from accessing the wan or device zones.

Question: How do I add an exception so that the NVR on the camera VLAN can get to the wan?

Thanks

Create a traffic rule in the firewall. This can be more restrictive if desired/needed, but the basic rule would be:

  • accept
  • protocol: all
  • source zone: camera
  • source IP:
  • destination zone: wan
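
The traffic rule described above, written out as `/etc/config/firewall` entries with the zone policy it sits on top of (an added example, not configuration posted by anyone in this thread). The zone and network names `lan`, `camera` and `wan`, the camera zone's policies, and the NVR address `192.168.20.50` are assumptions; substitute your own.

```uci
# /etc/config/firewall (excerpt). Added example: names, policies and the
# NVR address are assumptions, not taken from the poster's router.

# Camera zone: no 'config forwarding' from camera to wan exists,
# so nothing in this zone reaches the internet by default.
config zone
	option name 'camera'
	list network 'camera'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# With input REJECT, devices still need DNS and DHCP from the router.
config rule
	option name 'Camera-DNS'
	option src 'camera'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Camera-DHCP'
	option src 'camera'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# lan may open connections into camera. Replies only come back if the
# camera-side device has the router (192.168.20.1) set as its gateway.
config forwarding
	option src 'lan'
	option dest 'camera'

# The exception: only the NVR's address may reach wan.
# Without src_ip, this rule would open wan to every device in the zone.
config rule
	option name 'NVR-to-WAN'
	option src 'camera'
	# Placeholder address for the NVR
	option src_ip '192.168.20.50'
	option dest 'wan'
	option proto 'all'
	option target 'ACCEPT'
```

The `src_ip` match only holds while the NVR keeps that address, so give it a static address or a static DHCP lease.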

Sorry for the late update :pray:

What I tried doing was:
  • Going to Traffic Rules and creating a rule on TCP/UDP, for the specific IP address of the NVR on the "camera" VLAN, allowing it to get to the WAN zone.
  • I named it NVR-to-WAN

The NVR's internet access seemed to kick in immediately after that :clap:

I was happy it is working, but I was still unsure whether this was the correct solution, and whether or not it is safe security-wise.

I honestly am not familiar with all the different protocols. So now that I have checked back here, I will update the protocol selection from the TCP+UDP I had selected to 'all' instead.

Thanks so much for the help :man_bowing:

Network Diagram

(updated: version 3)

Network Diagram B - (Updated: v2)

Devices:

Router/AP1 - Cudy WR3000 v1 - OpenWRT 23.05.2
AP2 - Cudy WR1300 v2 - OpenWRT 23.05.2
AP3 - Cudy WR1300 v2 - OpenWRT 23.05.2

AP2 has the "eco: 4" model of the MediaTek MT7621. I noticed that this device just wouldn't work with some 5GHz WiFi channels, whereas the "eco: 3" would.

Question: Can AdGuard Home do content filtering per VLAN?

Question: What can I add to my network to allow content filtering and WAN speed limiting per VLAN?

Try adding @psherman in the text or replying to one of his posts so he gets a notice of the question.

I don't do VLANs so I have no idea.

Content filtering would be something like AdGuard Home or other DNS filters (including maybe PiHole running on a different device).

Speed limiting would be something like SQM. Depending on the processor in your router and the actual wan speed, you could end up slowing your whole network down.

Router Uptime:

Everything seems to be working stably and intervention free :clap: :grinning:

To recap, my special setup/config implemented thus far is:

  • 3 VLANs (LAN, Camera, Guest)
  • SQM on WAN & Guest
  • WiFi (for VLANs: LAN & Guest)
  • Basic firewall setup based on VLAN requirements

That's the gist of what I was looking to do, and it seems to have been achieved. I'm so pleased & grateful for OpenWRT :man_bowing: :pray: :blue_heart:

Working on a solutions post. And will update again.
