[Solved] Issue with setting up VLANS

Hi there. I'm attempting to configure a Raspberry Pi 4B running 23.05, but I'm having some difficulties with VLANs. I've set it up as a router-on-a-stick configuration with a managed, VLAN-aware Allied Telesis x230 switch. So far, I can connect my PC to port1.0.1 on the switch and reach the router with no problem (the router is connected to port1.0.16). I've configured port1.0.7 as an untagged access port in VLAN 10, but whenever I connect a device to it, it does not get a DHCP lease. If I manually set the device's IP address to 192.168.10.50, for instance, then I can ping the switch at 192.168.10.5, but I cannot ping the router. What have I missed?

Router
/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdca:f755:8ef2::/48'

config device
        option name 'eth1'

# lan rides VLAN 1 tagged on eth0 (the switch trunk on port1.0.16 carries
# VLAN 1 tagged with no native VLAN, so the dotted sub-device is required).
config interface 'lan'
        option proto 'static'
        option device 'eth0.1'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# NOTE(review): /etc/config/firewall binds zone 'wan' to network 'wan'.
# Interface section names are matched case-sensitively, so this 'WAN'
# interface is not in that zone (masq/mtu_fix never apply to it); a reply
# later in the thread renames it to 'wan'.
config interface 'WAN'
        option proto 'dhcp'
        option device 'eth1'

# The two explicit 8021q device stanzas below are the ones a reply in this
# thread says can be deleted: OpenWrt creates the tagged sub-device from the
# dotted 'eth0.10' / 'eth0.20' names used by the interfaces that follow.
config device
        option name 'eth0.10'
        option type '8021q'
        option ifname 'eth0'
        option vid '10'

config device
        option name 'eth0.20'
        option type '8021q'
        option ifname 'eth0'
        option vid '20'

# guest VLAN (10): 192.168.10.1/24; the switch's vlan10 SVI sits at .5.
config interface 'guest'
        option proto 'static'
        option device 'eth0.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# iot VLAN (20): 192.168.20.1/24.
config interface 'iot'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

/etc/config/firewall

config defaults
        option syn_flood 1
        option input REJECT
        option output ACCEPT
        option forward REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6 1

config zone
        option name lan
        list network 'lan'
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT

# 'network' entries are matched against interface section names in
# /etc/config/network, case-sensitively. That file names the interface 'WAN',
# so it does not land in this zone and masq/mtu_fix are not applied to it;
# a later reply in this thread renames it to 'wan'.
config zone
        option name wan
        list network 'wan'
        option input REJECT
        option output ACCEPT
        option forward REJECT
        option masq 1
        option mtu_fix 1

# input REJECT here also rejects DHCP and DNS requests addressed to the router
# itself from the guest VLAN, which is consistent with the missing-lease
# symptom reported at the top of the thread. The usual pattern is to keep
# REJECT and add explicit ACCEPT rules from this zone for UDP 67-68 (DHCP)
# and TCP/UDP 53 (DNS); no such rules exist in this file yet.
config zone
        option name guest
        list network 'guest'
        option input REJECT
        option output ACCEPT
        option forward REJECT

# Same consideration as the guest zone: DHCP/DNS to the router need rules.
config zone
        option name iot
        list network 'iot'
        option input REJECT
        option output ACCEPT
        option forward REJECT

config forwarding
        option src lan
        option dest wan

config rule
        option name Allow-DHCP-Renew
        option src wan
        option proto udp
        option dest_port 68
        option target ACCEPT
        option family ipv4

config rule
        option name Allow-Ping
        option src wan
        option proto icmp
        option icmp_type echo-request
        option family ipv4
        option target ACCEPT

config rule
        option name Allow-IGMP
        option src wan
        option proto igmp
        option family ipv4
        option target ACCEPT

config rule
        option name Allow-DHCPv6
        option src wan
        option proto udp
        option dest_port 546
        option family ipv6
        option target ACCEPT

config rule
        option name Allow-MLD
        option src wan
        option proto icmp
        option src_ip fe80::/10
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family ipv6
        option target ACCEPT

config rule
        option name Allow-ICMPv6-Input
        option src wan
        option proto icmp
        list icmp_type echo-request
        list icmp_type echo-reply
        list icmp_type destination-unreachable
        list icmp_type packet-too-big
        list icmp_type time-exceeded
        list icmp_type bad-header
        list icmp_type unknown-header-type
        list icmp_type router-solicitation
        list icmp_type neighbour-solicitation
        list icmp_type router-advertisement
        list icmp_type neighbour-advertisement
        option limit 1000/sec
        option family ipv6
        option target ACCEPT

config rule
        option name Allow-ICMPv6-Forward
        option src wan
        option dest *
        option proto icmp
        list icmp_type echo-request
        list icmp_type echo-reply
        list icmp_type destination-unreachable
        list icmp_type packet-too-big
        list icmp_type time-exceeded
        list icmp_type bad-header
        list icmp_type unknown-header-type
        option limit 1000/sec
        option family ipv6
        option target ACCEPT

# The two rules below are part of OpenWrt's stock firewall: they accept
# inbound ESP and IKE (UDP 500) from wan towards hosts in lan. They can be
# removed if nothing on lan terminates IPsec.
config rule
        option name Allow-IPSec-ESP
        option src wan
        option dest lan
        option proto esp
        option target ACCEPT

config rule
        option name Allow-ISAKMP
        option src wan
        option dest lan
        option dest_port 500
        option proto udp
        option target ACCEPT

# Forwardings are one-directional: lan may initiate to guest and iot, and
# both may reach wan, but there is no guest->lan, iot->lan or guest<->iot
# forwarding, so under the zones' forward REJECT policy those VLANs stay
# isolated from lan and from each other.
config forwarding
        option src lan
        option dest guest

config forwarding
        option src lan
        option dest iot

config forwarding
        option src guest
        option dest wan

config forwarding
        option src iot
        option dest wan


/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
# rebind_protection discards upstream answers that resolve to private
# (RFC 1918) addresses, a DNS-rebinding defence; rebind_localhost lets
# 127.0.0.0/8 answers through.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
# localservice: only answer DNS queries that arrive from directly attached
# subnets (the guest and iot subnets qualify).
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# lan pool: 192.168.0.100-249 (start 100, limit 150), IPv4 plus DHCPv6/RA.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# guest pool: 192.168.10.100-249. No dhcpv6/ra options are set here, so this
# section appears to serve IPv4 only. dnsmasq can only hand out leases once
# the guest zone's firewall input policy or rules let DHCP reach the router.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

# iot pool: 192.168.20.100-249; same firewall caveat as guest.
config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'

managed switch config:

!
service password-encryption
!
hostname sw1
!
! Enable and user passwords are shown redacted by the poster.
enable password level 15 8 *******.
no banner motd
!
username philadmin privilege 15 password 8 ********
no username manager
!
! SSH is limited to the single admin account; telnet is disabled below.
ssh server allow-users philadmin
service ssh
!
no service telnet
!
! NOTE(review): plain-HTTP management is enabled. Check whether this platform
! offers an HTTPS variant and a management ACL, since the switch is also
! addressed on the guest VLAN (see interface vlan10 below).
service http
!
no clock timezone
!
! NOTE(review): SNMP agent enabled with no community, view or ACL visible in
! this excerpt; confirm it is restricted before exposing the switch on vlan10.
snmp-server
!
aaa authentication enable default local
aaa authentication login default local
!
ip domain-lookup
!
!
!
spanning-tree mode rstp
!
service power-inline
!
! VLAN ids and names match the router's guest (10) and iot (20) interfaces.
vlan database
 vlan 10 name guest
 vlan 20 name iot
 vlan 10,20 state enable
!
! Access ports with no VLAN given sit in VLAN 1, i.e. the lan network.
interface port1.0.1-1.0.6
 switchport
 switchport mode access
!
! Untagged access port in VLAN 10 (guest); hosts here reach the router's
! eth0.10 at 192.168.10.1.
interface port1.0.7
 switchport
 switchport mode access
 switchport access vlan 10
!
interface port1.0.8-1.0.15
 switchport
 switchport mode access
!
! Uplink to the router: VLANs 1, 10 and 20 all tagged with no native VLAN,
! matching the router's eth0.1 / eth0.10 / eth0.20 sub-interfaces; untagged
! frames arriving on this port are not accepted.
interface port1.0.16
 switchport
 switchport mode trunk
 switchport trunk allowed vlan add 1,10,20
 switchport trunk native vlan none
!
! Unused ports are administratively down.
interface port1.0.17-1.0.18
 shutdown
 switchport
 switchport mode access
!
! Management address on VLAN 1 (lan).
interface vlan1
 ip address 192.168.0.5/24
!
! NOTE(review): a management address on the guest VLAN makes the switch's
! ssh/http/snmp services reachable from guest hosts; consider removing this
! SVI or restricting management access to VLAN 1.
interface vlan10
 ip address 192.168.10.5/24
!
line con 0
line vty 0 4
!
end

What am I missing? Thanks in advance.

Delete these two 802.1q device stanzas (they're not necessary):

You have the input policy of the guest and iot zone set to REJECT which means that the router will not accept any traffic (destined for the router itself) from the networks in those zones.

When that is the goal (which is good practice for untrusted networks), DHCP and DNS are traditionally allowed by adding a dedicated set of rules for those two services. I don't see those in your firewall. So, for now, set the input policy to ACCEPT on both the guest and iot zones to test that the VLANs are working properly in general. Once that is proven, you can add the firewall rules that accept this type of traffic; using option input 'ACCEPT' as the zone policy while testing reduces the likelihood of errors in the creation of those DHCP/DNS rules.

Thanks for your input. I made the changes you suggested and it looks like we're a step closer. I can now ping 192.168.0.1 and 192.168.10.1 from the switch (but weirdly not 192.168.20.1). But, if I connect a device to port1.0.7, it still doesn't seem to be getting any L3 connectivity :frowning:

**root@Rocinante:~# cat /etc/config/network**
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdca:f755:8ef2::/48'

config device
        option name 'eth1'

# lan rides VLAN 1 tagged on eth0, matching the switch trunk on port1.0.16.
config interface 'lan'
        option proto 'static'
        option device 'eth0.1'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# NOTE(review): the firewall's 'wan' zone lists network 'wan'; section names
# are case-sensitive, so 'WAN' is not in that zone and masq/mtu_fix do not
# apply to it. The reply below asks for this to be renamed to 'wan'.
# eth1.10 puts the upstream link on VLAN 10 of eth1; the poster later confirms
# eth1 goes straight to the ONT and the ISP requires VLAN 10 there, so this
# does not collide with the guest VLAN 10 on eth0.
config interface 'WAN'
        option proto 'dhcp'
        option device 'eth1.10'

# The 'type 8021q' lines were removed from these two stanzas, but the stanzas
# themselves remain; the reply below ("Delete these:") most likely refers to
# them, as OpenWrt derives eth0.10/eth0.20 from the dotted names by itself.
config device
        option name 'eth0.10'
        option ifname 'eth0'
        option vid '10'

config device
        option name 'eth0.20'
        option ifname 'eth0'
        option vid '20'

# guest VLAN (10): 192.168.10.1/24; the switch's vlan10 SVI sits at .5.
config interface 'guest'
        option proto 'static'
        option device 'eth0.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# iot VLAN (20): 192.168.20.1/24.
config interface 'iot'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
root@Rocinante:~#
root@Rocinante:~#
**root@Rocinante:~# cat /etc/config/firewall**
config defaults
        option syn_flood 1
        option input REJECT
        option output ACCEPT
        option forward REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6 1

config zone
        option name lan
        list network 'lan'
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT

# NOTE(review): 'wan' must match the interface section name in
# /etc/config/network, which at this point is still 'WAN' (case differs), so
# the upstream interface is outside this zone until it is renamed.
config zone
        option name wan
        list network 'wan'
        option input REJECT
        option output ACCEPT
        option forward REJECT
        option masq 1
        option mtu_fix 1

# input ACCEPT is the temporary test setting suggested earlier in the thread.
# Once the VLANs are confirmed working, return this to REJECT and add
# explicit ACCEPT rules from this zone for UDP 67-68 (DHCP) and TCP/UDP 53
# (DNS) so guest hosts cannot reach other services on the router.
config zone
        option name guest
        list network 'guest'
        option input ACCEPT
        option output ACCEPT
        option forward REJECT

# Same temporary test setting as the guest zone; see the note there.
config zone
        option name iot
        list network 'iot'
        option input ACCEPT
        option output ACCEPT
        option forward REJECT

config forwarding
        option src lan
        option dest wan

config rule
        option name Allow-DHCP-Renew
        option src wan
        option proto udp
        option dest_port 68
        option target ACCEPT
        option family ipv4

config rule
        option name Allow-Ping
        option src wan
        option proto icmp
        option icmp_type echo-request
        option family ipv4
        option target ACCEPT

config rule
        option name Allow-IGMP
        option src wan
        option proto igmp
        option family ipv4
        option target ACCEPT

config rule
        option name Allow-DHCPv6
        option src wan
        option proto udp
        option dest_port 546
        option family ipv6
        option target ACCEPT

config rule
        option name Allow-MLD
        option src wan
        option proto icmp
        option src_ip fe80::/10
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family ipv6
        option target ACCEPT

config rule
        option name Allow-ICMPv6-Input
        option src wan
        option proto icmp
        list icmp_type echo-request
        list icmp_type echo-reply
        list icmp_type destination-unreachable
        list icmp_type packet-too-big
        list icmp_type time-exceeded
        list icmp_type bad-header
        list icmp_type unknown-header-type
        list icmp_type router-solicitation
        list icmp_type neighbour-solicitation
        list icmp_type router-advertisement
        list icmp_type neighbour-advertisement
        option limit 1000/sec
        option family ipv6
        option target ACCEPT

config rule
        option name Allow-ICMPv6-Forward
        option src wan
        option dest *
        option proto icmp
        list icmp_type echo-request
        list icmp_type echo-reply
        list icmp_type destination-unreachable
        list icmp_type packet-too-big
        list icmp_type time-exceeded
        list icmp_type bad-header
        list icmp_type unknown-header-type
        option limit 1000/sec
        option family ipv6
        option target ACCEPT

# The two rules below are part of OpenWrt's stock firewall: they accept
# inbound ESP and IKE (UDP 500) from wan towards hosts in lan. They can be
# removed if nothing on lan terminates IPsec.
config rule
        option name Allow-IPSec-ESP
        option src wan
        option dest lan
        option proto esp
        option target ACCEPT

config rule
        option name Allow-ISAKMP
        option src wan
        option dest lan
        option dest_port 500
        option proto udp
        option target ACCEPT

# Forwardings are one-directional: lan may initiate to guest and iot, and
# both may reach wan, but there is no guest->lan, iot->lan or guest<->iot
# forwarding, so those VLANs stay isolated from lan and from each other.
config forwarding
        option src lan
        option dest guest

config forwarding
        option src lan
        option dest iot

config forwarding
        option src guest
        option dest wan

config forwarding
        option src iot
        option dest wan
root@Rocinante:~#
root@Rocinante:~#
**root@Rocinante:~# cat /etc/config/dhcp**

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
# rebind_protection discards upstream answers that resolve to private
# (RFC 1918) addresses, a DNS-rebinding defence; rebind_localhost lets
# 127.0.0.0/8 answers through.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
# localservice: only answer DNS queries that arrive from directly attached
# subnets (the guest and iot subnets qualify).
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# lan pool: 192.168.0.100-249 (start 100, limit 150), IPv4 plus DHCPv6/RA.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# guest pool: 192.168.10.100-249. No dhcpv6/ra options are set here, so this
# section appears to serve IPv4 only. Leases are only handed out while the
# guest zone's firewall input policy or rules let DHCP reach the router.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

# iot pool: 192.168.20.100-249; same firewall caveat as guest.
config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'


Rename WAN to wan (lowercase):

Delete these:

Restart and test again.

Also, verify your switch configuration. Your router is expecting three tagged networks on eth0:

  • VLAN 1 tagged (lan)
  • VLAN 10 tagged (guest)
  • VLAN 20 tagged (iot)

And it is also expecting the wan (eth1) to be tagged VLAN 10 (hopefully this is not tied to the same switch -- if so, that will cause a conflict).

Thanks for your help, psherman. Looks like it's working now! Eth1 goes directly into my ONT; VLAN 10 is a requirement from my ISP.


Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile: