SOLVED - NO routing between VLAN 802.1q

It seems that this is not so straightforward for me

Device - Raspberry Pi as NAT router with multiple 802.1q vlan on LAN side
OpenWRT
Firmware Version OpenWrt 23.05.0 r23497-6637af95aa / LuCI openwrt-23.05 branch git-23.236.53405-fc638c8

I am trying to replace an old "home router"

network structure
ISP <=> Cable Modem in bridge mode <=> "NAT router" <=> Sw1 (with 3 VLAN 802.1q) <=> Sw2 (with 3 VLAN 802.1q) <=>...

Some of the switches are PoE, and I have APs with 802.1q VLANs mapped to WiFi SSIDs, plus some VLANs for other purposes.
This is working well.

All network infrastructure is in VLAN(1) "default" with a class 10.10.x.0/24 (management IPs of APs, switches, ...)

All "standard" devices (tablets, computers, laptops, ...) are in another VLAN, VLAN(89), in a 192.168.x.0/24 class

I have another VLAN(69) for guests

Plus another VLAN (33) for IoT ...

I set up the Pi as a router with NAT and it is working well.
Each device is able to access the internet, and the port forward rules from WAN to LAN for some servers work well.

OpenWRT has
VLAN1 IP 10.10.x.1/24 ( no GW)
VLAN89 192.168.x.1/24 (no GW)
....

WAN DHCP client

The problem I have is that I am not able to route between VLANs.

On the "crappy" home router:
If you pinged or ran mtr to the LAN IP of any other VLAN, all was fine.
To go from one VLAN to the other you just adjusted the firewall rules (or just disabled it) to allow that traffic.

But for this, OpenWRT is counterintuitive.

From any of the VLANs:

If I ping the other LAN interface of the router,
it times out.

ping from 192.168.x.5 > 10.10.31.1 = timeout
ping from 10.10.x.51 > 192.168.184.1 = timeout
ping from 192.168.x.5 to 192.168.x.1 = 1ms
ping from 10.10.x.51 > 10.10.x.1 = 1ms

If I try mtr from any device in any of the VLANs, the traffic goes over the internet (through NAT).

mtr from 192.168.x.5 to 10.10.x.1

gw_OpenWRT 1ms 1ms 1ms
Gw-provider 2ms 2ms 2ms
...

The same from 10.10.x.
The same for devices in the other VLAN.

Any help to point me in the right direction is appreciated.

Configs?

root@OpenWrt-pi:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5f:f97d:9a04::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan.184'
	option proto 'static'
	option ipaddr '192.168.89.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option defaultroute '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t*'

config bridge-vlan
	option device 'br-lan'
	option vlan '69'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '184'
	list ports 'eth0:t'

config interface 'LAN001'
	option proto 'static'
	option device 'br-lan.1'
	option ipaddr '10.10.31.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'eth1'
	option bridge_empty '1'

config interface 'WAN'
	option proto 'dhcp'
	option device 'br-wan'
	option hostname '*'

You have a number of issues with your configuration.

Delete the following:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t*'

config bridge-vlan
	option device 'br-lan'
	option vlan '69'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '184'
	list ports 'eth0:t'

config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'eth1'
	option bridge_empty '1'

Then change any remaining references to br-wan to eth1, and any remaining references to br-lan to eth0 (retain the . vlan tag, e.g. it should end up looking like eth0.184).

1 Like

That is how it is supposed to work. In general you would not want a guest or IoT device able to reach your privileged network. Of course you can modify the firewall so that it is possible, if that is what you want.

In the firewall you need to build a zone for each vlan lan and decide which forwarding will be allowed.

2 Likes

You need to add an interface for each of your networks (VLANs) in order to be able to route between them; without an interface, the traffic targeted to those networks follows the default route. At least VLAN 69 does not have an interface. This config looks like a DSA device config. In my opinion the traffic should be possible between lan and LAN001 if the firewall rules allow it.
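The two replies above (an interface per VLAN, and a firewall zone per VLAN with explicit forwardings) put together as one added example; this is not the poster's config or anything from the thread. It assumes the interface name 'guest' with subnet 192.168.69.0/24 for VLAN 69, the zone name 'mgmt' for the existing LAN001 interface, and that the stock 'wan' zone is present and already covers the poster's WAN interface (the poster says NAT works).

```uci
# /etc/config/network, added fragment: VLAN 69 gets its own interface (assumed name/subnet).
config interface 'guest'
	option proto 'static'
	option device 'br-lan.69'
	option ipaddr '192.168.69.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
# /etc/config/firewall: one zone per VLAN interface, forward REJECT by default.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'mgmt'
	list network 'LAN001'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted clients may enter the management VLAN; every zone may reach the internet.
# No forwarding from 'guest' to 'lan' or 'mgmt' is declared, so it stays rejected.
config forwarding
	option src 'lan'
	option dest 'mgmt'
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'mgmt'
	option dest 'wan'
config forwarding
	option src 'guest'
	option dest 'wan'
# Guest zone input is REJECT, so allow only DHCP and DNS to the router itself.
config rule
	option name 'Allow-Guest-DHCP-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/network reload` and `/etc/init.d/firewall reload` apply the change; a ping from a 'lan' client to 10.10.31.1 should then be answered locally instead of leaving through the WAN.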

My bad

I have found the trouble"S"

1st, I had changed the running config on my switch and added the port of the OpenWRT to VLAN1 tagged,
BUT forgot to save the config to the boot config
...
at some point I've restarted and ... lost the good config

  • this was the main problem behind not being able to access VLAN1

2nd - when I did 1.
Not having access to VLAN1, I deleted and reconfigured that VLAN on the OpenWRT.
"In a hurry" I wrote 10.11.31.1 instead of 10.10.31.1
...
( the config I've posted is from the saved config )

A simple 'diff' solved this issue.

Sorry for the trouble.