[SOLVED] Router-on-a-stick: missing one little thing

NC1 · June 21, 2025, 3:36am

As an experiment, I decided to build a router-on-a-stick. Got a thin client (10ZIG 4600q running on a Celeron N3160 processor with 2 GB RAM and 8 GB eMMC) to be used as local router and a no-frills five-port managed switch (the good old Netgear GS305E). Looked at a few guides and spliced together a plan of action. That splicing left me with one loose end: I can't figure out how to set up access to the switch from LAN.

Here's the network:

Here's the switch setup:

Here's the /etc/config/network from the local router:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '[REDACTED]'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan.100'
        option proto 'static'
        option ipaddr '192.168.102.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth0:t'

config interface 'wan'
        option proto 'dhcp'
        option device 'br-lan.10'

The obvious (glaring, really) asymmetry is, I have VLAN 1 on the switch (intended to be a management network), but I have no idea what matching entry it should have on the local router, so the switch is accessible from LAN.

Right now, I can access the switch from a local client at the IP address assigned to it by the upstream router. Other than this one (admittedly minor) thing, I have a working setup. But it should be possible to have the switch present on the LAN, right?

As usual, all ideas are welcome; bright ones, doubly so...

psherman · June 21, 2025, 5:52am

Does your switch allow you to change the management VLAN? Most do, but some may not. I've never used that particular switch.

If not, there are a few tricks, but the easiest might be to simply setup an additional network on VLAN 1 specifically for managing your network infrastructure

NC1 · June 21, 2025, 6:48am

I do not think so. It's one of those "Plus" switches with limited "brain power".

That's what I've been thinking, too. So, what would this look like in terms of specific configuration directives? I am thinking:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:t'

config interface 'mgmt'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.103.1'
        option netmask '255.255.255.0'

That would have to be reinforced by the complementing entries in /etc/config/dhcp and /etc/config/firewall.

And on top of that, should I give the switch a static IP address in the 192.168.103.* range? And maybe make a reservation for it on the router side?

Am I anywhere near the right track?

psherman · June 21, 2025, 6:50am

yup... that should do what you want. The DHCP server is optional, but you'll probably find it useful to have setup.

NC1 · June 21, 2025, 6:51am

Thank you! Will try it and report back. And, if all goes well, write another HOWTO...

NC1 · June 21, 2025, 7:31pm

I am pleased to report I have results. I am even more pleased to report they are good.

For the future readers, a summary of changes.

On the router:

One: Added the following to /etc/config/network:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:t'

config interface 'mgmt'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.103.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

Two: In /etc/config/dhcp, created a config dhcp 'mgmt' section by copying the config dhcp 'lan' section verbatim and changing 'lan' to 'mgmt' in two places in the copy.

Three: Also in /etc/config/dhcp, added the following to the end of the file to reserve an IP address for the switch:

config host
        option name 'GS305E'
        list mac '12:34:56:78:90:AB'
        option ip '192.168.103.2'

Four: In /etc/config/firewall, added the newly created 'mgmt' network to the lan zone by adding one line as shown below:

config zone
        option name             lan
        list   network          'lan'
        list   network          'mgmt' # The added line
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

On the switch:

Disabled DHCP and set:

IP address: 192.168.103.2
Subnet mask: 255.255.255.0
Gateway address: 192.168.103.1

After rebooting the router, everything fell into place. The switch is no longer visible on the upstream network (which in the real world would have been a security risk), but is present on the local mgmt network and accessible at 192.168.103.2 from clients residing on the lan network (192.168.102.*).

Big thank-you to @psherman, and I am marking this thread solved.

system · July 1, 2025, 7:31pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.