Setup for unmanaged network switch and router?

I'm a bit new here and have recently been running 3 networks off my router running OpenWrt and it's been great.

I recently picked up a few servers and a cheap 8-port unmanaged switch. Currently, 3 of the servers are plugged directly into the switch with a cat6 ethernet cable and the first port of the switch is plugged into port 3 of my router.

My goal is to have inbound and outbound access to/from these 3 servers, but they should be on their own subnet (192.168.70.0/20). Now I'm wondering, do I create a bridge device assigned to port 3, then an additional interface of type Static Address with its own DHCP server?

Additionally, one of the nodes currently has an old IP assigned to it (192.168.1.185), but I was thinking it would inherit a new IP from the DHCP server, so I'm a bit confused. Any pointers would be awesome.

Just to make sure I understand...

Port 3 of your current OpenWrt router will be connected to the unmanaged switch, correct? And you want all of the devices that are connected to that switch to be on the 192.168.70.0/20 subnet?

Why a /20 (I'd recommend a /24 which is just a bit more straightforward, unless you really need to deal with 4K hosts)?

To be clear -- the unmanaged switch should only have a single network (untagged) running through it, so the configuration should be pretty straightforward in that we'll take port 3 and allocate it to the new network.

Let's take a look at your configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

/24 works as well! That's correct. Currently, despite forcing DHCP renew on one of my nodes, it is still stuck with an IP of 192.168.1.90 or something in the main subnet of my home network, which I don't want.

I'm using Luci UI to manage this since it's a bit more comfortable for me, but pasted some config below.

ubus call system board

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.1.63",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Dynalink DL-WRX36",
	"board_name": "dynalink,dl-wrx36",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r24455-df167450a5",
		"target": "qualcommax/ipq807x",
		"description": "OpenWrt SNAPSHOT r24455-df167450a5"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0b:c24d:66f8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

config device
	option type 'bridge'
	option name 'br-vpn'
	option bridge_empty '1'
	list ports 'lan1'

config interface 'vpn'
	option proto 'static'
	option device 'br-vpn'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'

config interface 'WGVPN'
	option proto 'wireguard'
	option nohostroute '1'
	option private_key 'REDACTED'
	list addresses 'REDACED/32'
	list addresses 'REDACTED'

config rule
	option src '192.168.10.1/24'
	option in 'vpn'
	option lookup '3'

config wireguard_WGVPN
	option description 'us-lax-wg-201.conf'
	option public_key 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host 'REDACTED'
	option endpoint_port '51820'

config route
	option interface 'WGVPN'
	option target '0.0.0.0/0'
	option table '3'

config rule
	option in 'guest'
	option lookup '3'
	option disabled '1'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'lan2'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'

config rule
	option in 'vpn'
	option out 'lan'

config device
	option type 'bridge'
	option name 'ClusterBridge'
	list ports 'lan3'
	option bridge_empty '1'

config interface 'Cluster'
	option proto 'static'
	option device 'ClusterBridge'
	option ipaddr '192.168.70.0'
	option netmask '255.255.255.0'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vpn'
	option interface 'vpn'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config host
	option ip '192.168.1.229'
	option mac 'CE:15:18:FB:AD:36'

config host
	option name 'SonosZP'
	option ip '192.168.1.124'
	option mac '5C:AA:FD:D7:4E:34'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Cluster'
	option interface 'Cluster'
	option start '100'
	option limit '150'
	option leasetime '12h'

I'd recommend upgrading to the latest stable release unless you have a reason to be using a snapshot build.
https://firmware-selector.openwrt.org/?version=23.05.2&target=ipq807x%2Fgeneric&id=dynalink_dl-wrx36

The rest of this is really simple:

Remove lan3 from br-lan:

Then use it as the device in the new network:

config interface 'servers'
	option device 'lan3'
	option proto 'static'
	option ipaddr '192.168.70.1'
	option netmask '255.255.255.0'

Create a DHCP server for it:

config dhcp 'servers'
	option interface 'servers'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Assign the network to a firewall zone -- you could create a new one, but for simplicity now, just put it in the lan zone.

Reboot and test.

Updated my OP with image of desired result, hopefully that makes it clear.

However, awesome! Your response made me realize I had conflicting things here as my other bridge had also assigned port 3, so I assume that's what made the IP assignment not work as intended?

I should already have a DHCP server for my mini cluster labeled as Cluster in the above response.

What's the protocol for rebooting here? Do I reboot the router? Save and apply, etc.?

I hadn't seen that, actually... but, you can use the cluster bridge if you want, just don't use the port lan3 in more than one place.

That said, the problem with your cluster config was actually this:

The IP address was wrong --- the .0 address is invalid in a /24 network. Use .1 and you'll be golden.

Depends how you achieved the changes... but yes, save and apply usually works. I like a reboot because it restarts all services at the same time... so you'll know if things are working as expected.

Don't forget to bounce the ports for the servers (you could reboot those devices, force them to renew DHCP leases, unplug ethernet momentarily, or power cycle the switch).
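
The two faults diagnosed in this thread (lan3 listed in more than one bridge, and an interface given the .0 address of a /24) can be caught mechanically before a config is applied. The following is an added example, not code from the thread or from OpenWrt; `parse_uci` and `check_network` are hypothetical names, the sample is constructed from the stanzas posted above, and the parser assumes single-token `option`/`list` values with `ipaddr` and `netmask` given as separate options.

```python
import ipaddress

# Constructed sample: the conflicting stanzas from the config posted in this thread.
SAMPLE = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
config device
	option type 'bridge'
	option name 'ClusterBridge'
	list ports 'lan3'
config interface 'Cluster'
	option proto 'static'
	option ipaddr '192.168.70.0'
	option netmask '255.255.255.0'
"""

def parse_uci(text):
    """Return [(section_type, section_name, options)] for a UCI file (simplified parser)."""
    sections = []
    for line in text.splitlines():
        parts = line.replace("'", "").split()
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif len(parts) >= 3 and sections and parts[0] in ("option", "list"):
            opts = sections[-1][2]
            if parts[0] == "list":
                opts.setdefault(parts[1], []).append(parts[2])
            else:
                opts[parts[1]] = parts[2]
    return sections

def check_network(text):
    """Flag ports claimed by two bridges and static IPs that are not usable host addresses."""
    findings, owner = [], {}
    for stype, name, o in parse_uci(text):
        if stype == "device" and o.get("type") == "bridge":
            for port in o.get("ports", []):
                if port in owner:
                    findings.append(f"port {port} is in both {owner[port]} and {o.get('name')}")
                owner.setdefault(port, o.get("name"))
        elif stype == "interface" and isinstance(o.get("ipaddr"), str) and "netmask" in o:
            iface = ipaddress.ip_interface(f"{o['ipaddr']}/{o['netmask']}")
            net = iface.network
            if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
                findings.append(f"interface {name}: {iface.ip} is the network or broadcast address of {net}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_network(SAMPLE)))
```

On the router itself, the input would be the contents of /etc/config/network copied to a machine with Python available.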

We are back in business, Merry Christmas and thank you!

Last question. In my case with an unmanaged switch, bridge is the thing that makes the most sense and not a VLAN, right?

Yes, you can't use real-VLANs on an unmanaged switch anyways. Technically you wouldn't even need a bridge (unless you want to bridge more ports or AP interfaces into it), just the plain lan3 interface.
