Set up two VLANs: Raspberry Pi + WireGuard

I need to set up my Raspberry Pi 4 behind a UniFi switch to connect to a WireGuard server and reroute the traffic to Ethernet (only one NIC for now, although I have a spare USB-C to Ethernet adapter, but in my experience they are never really reliable).

I want the clients connected to OpenWrt to be isolated and only get internet traffic from the WireGuard router and nothing else, but I think my brain is dead and I can't work out how to set up the whole thing.

The Raspberry Pi is connected to a Ubiquiti Office Flex Mini (UniFi), but if it is any better I can connect it to an EdgeSwitch (UNMS).

If my brain still works a bit, I suppose I need to create a VLAN on my UDM Pro (UniFi) just for the "LAN" of my clients used by OpenWrt, and a second VLAN for the WAN of OpenWrt?

At present I have temporarily enabled Wi-Fi, but the WAN doesn't seem to work.

-- Ideally my WAN would get DHCP from UniFi (then I guess I need to think about the UniFi firewall for the OpenWrt router, starting by forwarding WG).

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr ##:##:##:##:##:##  
          inet addr:10.60.60.1  Bcast:10.60.60.255  Mask:255.255.255.0
          inet6 addr: ####:####:####::1/60 Scope:Global
          inet6 addr:  ####:####:####/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15059 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8427 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2732747 (2.6 MiB)  TX bytes:2290026 (2.1 MiB)

eth0      Link encap:Ethernet  HWaddr ##:##:##:##:##:## 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16623 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4151374 (3.9 MiB)  TX bytes:2447497 (2.3 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1410 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:114268 (111.5 KiB)  TX bytes:114268 (111.5 KiB)

wlan0     Link encap:Ethernet  HWaddr ##:##:##:##:##:##   
          inet6 addr: ####:####:####/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18602 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21729 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2914781 (2.7 MiB)  TX bytes:6875084 (6.5 MiB)


My adapter based on r8152 has worked flawlessly for more than a year.

Right.
You need something like this:

root@magiatiko:[~]#uci show network.lan
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.device='eth0.4'
network.lan.ipaddr='10.0.2.1'
network.lan.metric='11'
network.lan.ip6weight='100'
root@magiatiko:[~]#uci show network.iot
network.iot=interface
network.iot.device='eth0.3'
network.iot.proto='static'
network.iot.ipaddr='172.30.30.1'
network.iot.netmask='255.255.255.0'
network.iot.ip6assign='64'
network.iot.ip6hint='30'
network.iot.ip6weight='10'

Just use the appropriate dot-VLAN device name.

2 Likes
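A worked configuration for the split described above, written as an added example and not taken from this thread: VLAN 10 tagged on the single eth0 becomes OpenWrt's WAN (DHCP from the UDM), VLAN 20 the isolated client LAN, and the firewall forwards the LAN only into the WireGuard zone, so a dropped tunnel leaves the clients offline instead of leaking to the WAN. The VLAN IDs, the 10.60.60.0/24 range from the question, and the <...> key and endpoint placeholders are assumptions.

```uci
# /etc/config/network (constructed example; eth0.10 / eth0.20 are assumed VLAN IDs)
config interface 'wan'
	option device 'eth0.10'    # tagged VLAN 10 on the UniFi port: WAN, lease from the UDM
	option proto 'dhcp'

config interface 'lan'
	option device 'eth0.20'    # tagged VLAN 20: the isolated client LAN
	option proto 'static'
	option ipaddr '10.60.60.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<ROUTER_PRIVATE_KEY>'   # placeholder, generate your own
	list addresses '<TUNNEL_IP/32>'             # placeholder tunnel address

config wireguard_wg0            # the remote WireGuard server as the only peer
	option public_key '<SERVER_PUBLIC_KEY>'
	option endpoint_host '<SERVER_HOST>'
	option endpoint_port '51820'
	option route_allowed_ips '1'   # installs the default route through wg0
	list allowed_ips '0.0.0.0/0'

# /etc/config/firewall: clients may only leave through the tunnel
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'      # nothing on the UniFi side may reach the router
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'            # clients are NATed behind the tunnel address
config forwarding              # lan -> wg only; there is deliberately no lan -> wan
	option src 'lan'
	option dest 'wg'
config rule                    # still let the DHCP lease from the UDM reach wan
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
```

The UniFi port the Pi plugs into has to carry both VLANs tagged, and with lan forwarding only to wg you can confirm the isolation from a client by checking that traffic stops as soon as wg0 is brought down.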

Thanks a lot!!!! I can't wait to try that!

For the USB-C Ethernet adapters, I have had to replace them every year so far, but to be fair the last one I bought (Belkin) seems much better. I might use it instead of saturating the Raspberry Pi NIC, and maybe get another one as a backup (and set it up as failover).

Anyway, thanks again!

1 Like