Please clarify this... do you mean
- all ports are trunk ports
- all ports are access ports associated with the trusted lan
- all ports are access ports but one port per network
- something else?
Okay, I read a little bit more about what I need and it will look like this: one port = one subnet.
so does this imply that you want all ports (other than the ones connecting the two routers) to use the main trusted lan?
Yes, exactly.
Ok... let's start with the main router. From its near-default config, let's add bridge-VLANs:
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan3:t'
Now, we'll edit the lan to use br-lan.1:
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
And now we'll add the additional networks:
config interface 'mixed'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'lan-not'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.99'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
Now we can add dhcp servers for all of them:
config dhcp 'mixed'
	option interface 'mixed'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan-not'
	option interface 'lan-not'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
Finally, we'll add all of these networks to the lan firewall zone. You should consider changing this later, but it will make it easy to validate that things are working. Later, you can start to isolate the networks. The lan firewall zone already exists -- just add the additional networks:
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan-not'
	list network 'iot'
	list network 'mixed'
	list network 'guest'
Once you've made all the changes, post your config files for review and we'll move on to the AP.
BTW, I noticed that these devices only have 3 lan ports... so lan 1 and lan 2 are for your regular lan, and lan 3 is for the trunk to the AP.
Are you sure about adding bridge-vlans like that? It seems not to be working on my router.
Maybe I can add them using LuCi instead of CLI?
In LuCi I haven't got an option (under Network->Devices->Add device configuration...) which will be saved as bridge-vlan in the config.
Let's see the latest configs that you said aren't working:
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/dhcp
I reverted all changes, because the router stopped communicating with my laptop.
Under the LuCi configurator I've got these options only:
I don't think I've ever created a DSA VLAN configuration with LuCI, but I am confident in what I posted earlier.
It would probably be easier to just add one network for now, and see how that works.
Please post your default configs (network, firewall, dhcp) and I'll make recommendations for the first additional network.
I've reverted it to the default config, the same as I posted before here.
ok... so add these to the network config file -- we'll make ports 1 and 2 the standard lan, and port 3 the other network (this will make for easy testing):
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3:u*'
Edit the lan to use br-lan.1:
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
Add one additional network:
config interface 'mixed'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
In the DHCP file, add this:
config dhcp 'mixed'
	option interface 'mixed'
	option start '100'
	option limit '150'
	option leasetime '12h'
And finally, in the firewall file, edit the lan zone to add the mixed network:
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'mixed'
reboot the router after making these changes.
You should get an address on the 192.168.1.0/24 network when you plug a computer into lan 1 or lan 2. The 3rd port should get an address in 192.168.10.0/24.
I think I figured out what I did wrong. I think now I've added everything as you said a few posts before:
Network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdaa:bd62:5b38::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr 'xx'
	option netmask 'xx'
	option gateway 'xx'
	list dns 'xx'
	list dns 'xx'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan3:t'

config interface 'mixed'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'not'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.99'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
DHCP:
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'mixed'
	option interface 'mixed'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'not'
	option interface 'not'
	option start '100'
	option limit '150'
	option leasetime '12h'
Firewall:
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'
	list network 'iot'
	list network 'lan'
	list network 'mixed'
	list network 'not'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
Great... now the device connected to lan3 must be configured to expect vlan 1 untagged and all the other VLANs (10, 20, 30, 99) tagged.
Do you need help with that process?
Yes! I don't know how to set it up. Would be lovely if you can help me with that also.
Sure.
We need to know the following:
ubus call system board
cat /etc/config/network
I want to add AP under "lan" network, but AP should transmit all VLANs over wireless connections.
It should be the next IP (static) after the main router.
If I can use WAN it will be WAN, otherwise lan1.
Yes!
It's the same as main router, exactly the same device and default configuration.
Ok... easy enough.
Good.
Yes, we can use the WAN port.
Start by deleting the wan/wan6 interfaces -- from a default config, they should look like this:
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
Now, edit br-lan to add the wan port:
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'
Create bridge VLANs:
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'wan:t'
Edit the lan interface to use device br-lan.1 and address 192.168.1.2:
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
Add unmanaged interfaces for the other VLANs:
config interface 'mixed'
	option device 'br-lan.10'
	option proto 'none'

config interface 'iot'
	option device 'br-lan.20'
	option proto 'none'

config interface 'not'
	option device 'br-lan.30'
	option proto 'none'

config interface 'guest'
	option device 'br-lan.99'
	option proto 'none'
Now you can create SSIDs and connect them with each of the networks.
Restart the device, connect the cable between the main router lan3 and the AP wan ports. Test and report back.
Yay! It works great! I've created for now only one SSID, linked with the guest network.
I've checked cable connection and wireless and both works great, thank you!
Are there any additional steps to go with my configuration?
PS. If I want a different IP than from the primary subnet over cable, what do I need to do? Only set a static IP in the router configuration, or something else?
awesome!!
Yes... I'd adjust the firewall to meet your goals regarding access to the internet and/or the other networks. I told you to put all networks in the same firewall zone for the initial setup. Now that it is working, you'll want to revisit this:
You can set the firewall as broadly as you want, or with super specific granular rules -- whatever gets you to your goals.
By putting the networks in different zones, you can easily allow some networks to reach others while not allowing the reverse (if desired), isolate networks but allow them internet access, or prohibit internet, etc.
There are a lot of ways to slice it, too. You can start working on yourself, or if you want to explain the access per network (or point me back to the right post above), I can help with that.
Can you be more specific about what you want here? Do you want to change the management network? Or make the management VLAN tagged? or something else?
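To see what the zone split discussed above actually changes, here is an added example (not code from the thread) that parses an OpenWrt firewall config and answers "may network A forward to network B?" using the two rules the firewall applies: networks in the same zone are governed by that zone's `forward` policy, and networks in different zones need an explicit `forwarding` section. The CURRENT text mirrors the thread's single-zone layout; the HARDENED layout with a separate guest zone is a constructed alternative, not one the thread posted.

```python
def parse_uci(text):
    """Parse UCI config text into [(section_type, {key: value | [values]})]."""
    out = []
    for w in (l.split() for l in text.splitlines() if l.strip()):
        val = " ".join(w[2:]).strip("'\"")
        if w[0] == "config":
            out.append((w[1], {}))
        elif w[0] == "option":
            out[-1][1][w[1]] = val
        elif w[0] == "list":
            out[-1][1].setdefault(w[1], []).append(val)
    return out

def can_forward(cfg, src_net, dst_net):
    """Forwarding allowed src_net -> dst_net? Same zone: the zone's 'forward'
    policy (only ACCEPT passes); different zones: needs a 'forwarding' section."""
    zones = {s["name"]: s for t, s in cfg if t == "zone"}
    zone_of = {n: z for z, s in zones.items() for n in s.get("network", [])}
    src, dst = zone_of[src_net], zone_of[dst_net]
    if src == dst:
        return zones[src].get("forward") == "ACCEPT"
    return any(s.get("src") == src and s.get("dest") == dst
               for t, s in cfg if t == "forwarding")

# Zone layout from the thread (trimmed to lan/guest): both share the 'lan' zone.
CURRENT = """config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'guest'
config zone
    option name 'wan'
    list network 'wan'
config forwarding
    option src 'lan'
    option dest 'wan'
"""
# Constructed hardened layout: guest gets its own zone, reaches only wan,
# and lan may reach guest but not the reverse.
HARDENED = CURRENT.replace("    list network 'guest'\n", "") + """config zone
    option name 'guest'
    list network 'guest'
config forwarding
    option src 'guest'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'guest'
"""
```

With guest in its own zone, its input policy no longer comes from the lan zone's ACCEPT, so guest clients also need rules allowing DHCP (UDP 67) and DNS (53) to the router or they never get a lease.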
I mean currently the wired connection between the PC and the Access Point is using DHCP on the 192.168.1.x network. What do I need to do if I want to change this PC to use the 192.168.10.x network (also by wire)?