[Solved] How to setup separate two (2) LANs networks on OpenWrt 18.06.5

Hello everyone,

I have an Edgerouter X running OpenWrt 18.06.5 with the default configuration.
All of my wired and wireless network clients are connected in a single LAN or VLAN1.

For network security purposes I need to create two LANs with two subnets. 192.168.11.0/24(LAN1) for wireless clients and 192.168.22.0/24 LAN2 for wired clients. Both LANs will be connected to the internet through port eth0 or WAN.

I wanted to divide and assign physical ports of the router such as eth1 and eth2 as LAN1(VLAN1) for Wireless Clients using two access points. The Wired Clients will be using two ports eth3 and eth4 as LAN2 (VLAN3) connected with two switch hubs. Please see the Network Diagram for more details of the network requirements.

I understand from my current research and readings that VLAN is the key and I need to configure the /etc/config/network and /etc/config/firewall config files. VLAN3 has to be created within the switch(Luci) tab and named it as lan2 in the network config file with DHCP enabled. I am hesitant to do it or do some experimentations because I might screw up my Edgerouter X box and won’t be able to use it again.

Might someone out there already have an existing and tested configuration for this kind of setup.

I really appreciate if you could help me. Thanks in advance.

1 Like

It is relatively easy task.

  1. Create new VLAN 3 on the switch.
  2. Remove the physical ports from VLAN1 and assign them to VLAN3 (tagged or untagged, depends on the switches 1 and 2). Also include the CPU port as tagged on VLAN3.
  3. Create new interface LAN2 and use physical interface ethX.3 (where X is the number of the internal interface of the Edgerouter switch), add IP/MASK and DHCP settings.
  4. Assign interface LAN2 to a new firewall zone lan2 and allow forwarding to wan zone.

Just in case take a backup before you start.
Connect from the ports labeled eth1 or eth2 when you do all these, not to get locked.
Make use of the Luci roll-back functionality, in case you find yourself locked out, to revert changes.

3 Likes

Upgrade to 18.06.7 initially, or to 19.07.1

Hi Trendy,
Many thanks for your support! and it's really an easy task. For the benefits of the readers here are the simple detailed steps I have made.

Login to Luci web interface.

A. Create New VLAN3.

  1. Click Network --> Switch then click "Add" button to create new vlan3 as shown in the picture ports 3 and 4 are untagged and CPU is tagged.
  2. Click the "Save and Apply" button.

B. Create a new Interface (lan2).

  1. Click Network --> Interfaces Click "Add new interface" button.
    Set the "Name of new interface:" to lan2
    Set the "Cover the following interface" to eth0.3
    Leave the "Protocol of the new interface" to its default setting "Static address" the click the "submit" button.
  2. LAN2 will be created as a new interface click the edit button.
    Set the following fields.
    IPv4 Address: 192.168.22.1
    IPv4 netmask: 255.255.255.0
    IPv4 gateway: 192.168.22.1
    Use custom DNS servers: Leave this blank
    Note: Please Do not use DNS server unreachable from lan2 interface.

C. Create a new Firewall zone.

  1. Click Network --> Firewall click "Add" button under Zones.
  2. Set the following in the "General Settings" Tab.
    Name: lan2
    Input: Accept
    Output: Accept
    Forward: Accept
    Covered Networks: select "lan2"

Inter-Zone Forwarding
Allow forward to destination zone: select "wan wan6"

  1. Click "Apply & Save" button.

That's it and you are done!

Again thank you so much!

2 Likes

Some remarks:

  1. Better don't "Use custom DNS servers" that are unreachable from that interface. If you want the hosts on lan2 to use directly 8.8.8.8, then use option 6 in dhcp server-Advanced Settings tab of the interface.
  2. You can assign the lan2 interface to a new zone also from the Firewall Settings of the lan2 interface tab.
1 Like

Thanks for your remarks trendy.
I updated the steps above, the custom DNS of lan2 has been remove. No need to specify Custom DNS coz my Openwrt box's DNS is configured with Stubby+dnsmasq for privacy,security and dns encryption. DNSSec Validation is enable in dnsmasq.

New zone also named as lan2 is already been assigned from the firewall setting of lan2 interface tab.

BTW trendy, do I have to enable the bridge interface option in Physical Settings Tab of LAN2 or i have to leave it unchecked?

Not needed. In this field you input the DNS servers that OpenWrt can reach on this interface, so that dnsmasq can use them. In your LAN you don't have any DNS server, so leave it empty.

If you won't bridge it with Wifi, leave it as is.

1 Like

Thank you so much trendy! :grinning:

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.