[Solved] Sanity Check VLAN Config

I recently decided to set up VLANs on my network, and everything seems to be working fine, but I still don't fully understand VLANs, so I would appreciate it if anyone with more knowledge could look at my configs and see if everything seems OK.

My network is pretty simple:
Modem (Bridge) --> Linksys EA8100 (Main router with PPPoE connection) --> Archer C6 v3 (Dumb AP)

LAN (vlan1) 192.168.1.0/24
GST(vlan10) 192.168.100.0/24

My main reason for VLANs is that I have a "server" running on my LAN which I don't want guests to have access to. The server runs on 192.168.1.104.

Here are my current configs:

Linksys EA8100

/etc/config/network
# Linksys EA8100, the main router: loopback, the four-port LAN bridge,
# PPPoE WAN, a WireGuard client and two bridge VLANs (1 = LAN, 10 = guest).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

# All four switch ports belong to one bridge; which VLAN each port carries
# is defined in the bridge-vlan sections further down.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

# Per-port MAC overrides. All five ports (lan1-4 and wan) are given the
# same address - presumably the board default; nothing below depends on it.
config device
        option name 'lan1'
        option macaddr '30:23:03:76:99:74'

config device
        option name 'lan2'
        option macaddr '30:23:03:76:99:74'

config device
        option name 'lan3'
        option macaddr '30:23:03:76:99:74'

config device
        option name 'lan4'
        option macaddr '30:23:03:76:99:74'

# LAN = VLAN 1, 192.168.1.0/24. The router (.1) is the gateway and the
# resolver it advertises; the "server" guests must not reach is .104.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        list dns '192.168.1.1'

config device
        option name 'wan'
        option macaddr '30:23:03:76:99:74'

# PPPoE uplink. peerdns '0' ignores the ISP's resolvers; dnsmasq forwards
# to the LAN server instead (see /etc/config/dhcp).
config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'REMOVED'
        option password 'REMOVED'
        option ipv6 'auto'
        option peerdns '0'

# WireGuard client. The peer's allowed_ips of 0.0.0.0/0 permits any IPv4
# destination to be sent into the tunnel; which traffic actually uses it is
# presumably selected by the pbr package (see the include in
# /etc/config/firewall). The interface sits in the 'wan' firewall zone, so
# it is masqueraded and unsolicited inbound traffic from the peer is rejected.
config interface 'wg1_tunnel'
        option proto 'wireguard'
        option private_key 'REMOVED'
        list addresses '10.2.0.2/32'

config wireguard_wg1_tunnel
        option description 'Imported peer configuration'
        option public_key 'REMOVED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'REMOVED'
        option endpoint_port 'REMOVED'

# VLAN 1 (LAN) on every port. The ports carry no flag; the reply further
# down recommends ':u*' (untagged + PVID) to make the intent explicit.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# VLAN 10 (guest) leaves the router only tagged on lan1, the trunk to the
# Archer AP. No router port carries the guest VLAN untagged.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'

# Guest network = VLAN 10, 192.168.100.0/24. The router is gateway, DHCP
# and DNS server for guests; isolation from the LAN is enforced in the
# firewall ('gst' zone), not here.
config interface 'GST'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

# Explicit 802.1q sub-devices on top of br-lan. The bridge-vlan sections
# above already provide br-lan.1 and br-lan.10, and the reply further down
# says these two stanzas are unnecessary and can cause problems. Note ipv6
# is '1' here but '0' on br-lan and br-lan.1 - possibly unintended; verify.
config device
        option name 'br-lan.10'
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option ipv6 '1'

config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option ipv6 '0'
/etc/config/dhcp
# dnsmasq on the main router. Security-relevant settings:
#  - rebind_protection '0': upstream answers that resolve to private
#    addresses are NOT dropped. Only justified if the upstream resolver
#    (192.168.1.104, below) legitimately returns LAN addresses; otherwise
#    the default '1' is the safer choice.
#  - cachesize '0': nothing is cached locally, every query is forwarded.
#  - localservice '1': only clients on directly attached subnets are answered.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        # Sole upstream resolver is the LAN server. Guest clients reach it
        # only indirectly through this dnsmasq instance: the firewall allows
        # gst -> router on port 53 but no gst -> lan forwarding.
        list server '192.168.1.104'

# LAN pool: 150 leases starting at 192.168.1.100.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # DHCP option 6 (DNS servers) also hands out 127.0.0.1, which on the
        # client is self-referencing. The reply further down says to drop
        # this line; with no option 6 the router advertises itself, which is
        # what is wanted.
        list dhcp_option '6,192.168.1.1,127.0.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool: 150 leases starting at 192.168.100.100. No dhcp_option 6, so
# the router (192.168.100.1) is advertised as DNS - matching the
# Allow-gst-DNS firewall rule.
config dhcp 'GST'
        option interface 'GST'
        option start '100'
        option limit '150'
        option leasetime '24h'
        list ra_flags 'none'
/etc/config/firewall
# Main router firewall (fw4). Zones: lan (open), wan (PPPoE + WireGuard,
# masqueraded), gst (guest, isolated). fw4 evaluates rules in file order,
# so only comments are added here; nothing is moved.
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        # The WireGuard interface shares the wan zone: traffic into the
        # tunnel is masqueraded and unsolicited traffic arriving from the
        # peer is REJECTed like any other WAN input.
        list network 'wg1_tunnel'

config forwarding
        option src 'lan'
        option dest 'wan'

# Transparent DNS redirect: port-53 traffic from LAN clients is sent to the
# router's dnsmasq, except from 192.168.1.104 (the upstream resolver itself,
# presumably so its own queries are not looped back). It matches src 'lan'
# only: guest clients, who may forward to wan (see below), can still query
# external resolvers on port 53 directly.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DNS Hijack'
        option src 'lan'
        option src_ip '!192.168.1.104'
        option src_dport '53'
        option dest_ip '192.168.1.1'
        option dest_port '53'

# OpenWrt's default WAN input rules (ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Also OpenWrt defaults: ESP and UDP/500 from wan into lan only matter if a
# LAN host terminates IPsec. Harmless when nothing listens, but they can be
# removed if no such host exists.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Firewall hook of the pbr (policy-based routing) package.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'


# Guest zone. Guests may forward to wan only; there is no gst -> lan
# forwarding, so 192.168.1.104 is not routable from the guest VLAN. Input
# to the router is REJECTed except for the two rules below.
config forwarding
        option src 'gst'
        option dest 'wan'

config zone
        option name 'gst'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GST'
        option input 'REJECT'

# Input rule (no 'dest'): guests may use the router's resolver on tcp/udp 53.
config rule
        option name 'Allow-gst-DNS'
        option src 'gst'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

# Input rule: DHCP (udp 67-68) from guests to the router.
config rule
        option name 'Allow-gst-DHCP'
        list proto 'udp'
        option src 'gst'
        option dest_port '67-68'
        option target 'ACCEPT'

Archer C6 v3

/etc/config/network
# Archer C6 v3 used as a dumb AP: static address on VLAN 1, lan1 carries
# the trunk from the main router (VLAN 1 untagged, VLAN 10 tagged).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

# Management address of the AP on the LAN (VLAN 1); gateway and DNS are the
# main router.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.101'
        option netmask '255.255.255.0'
        # NOTE(review): nothing in this AP's config defines or delegates an
        # IPv6 prefix, so ip6assign presumably has no effect here (leftover
        # default) - confirm.
        option ip6assign '64'
        list dns '192.168.1.1'
        option gateway '192.168.1.1'

# VLAN 1 on every port; the reply further down recommends ':u*' on each
# port to make untagged + PVID explicit.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Explicit 802.1q sub-devices; the bridge-vlan sections already provide
# br-lan.1 and br-lan.10, and the reply further down says to remove these.
config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option name 'br-lan.10'
        option ipv6 '0'

config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option ipv6 '0'

# VLAN 10 (guest) enters the AP tagged on lan1, the trunk.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'

# The AP holds an address (192.168.100.101) on the guest VLAN. The reply
# further down recommends 'proto none' instead: with the AP firewall
# disabled, this address lets guest clients reach the AP's own services.
config interface 'GST'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.100.101'
        option netmask '255.255.255.0'
        option gateway '192.168.100.1'

/etc/config/dhcp
# dnsmasq on the AP. The main router is the DHCP/DNS server for both VLANs,
# so the lan pool is ignored below. rebind_protection is on here (it is
# off on the main router).
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # No DHCP from the AP on VLAN 1; the main router serves it.
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
/etc/config/firewall (Disabled from startup section)
# AP firewall. The poster disabled it at startup, so none of this is
# active. The reply further down recommends leaving it enabled: a dumb AP
# forwards nothing, and with the firewall off the AP's own address on the
# guest VLAN (192.168.100.101) is reachable from guest clients.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# No 'network' member: the AP has no WAN interface, so this zone is empty
# and the wan rules below effectively match nothing.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# OpenWrt's default WAN input rules.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone: were this firewall active, guest clients would be REJECTed on
# input to the AP's 192.168.100.101 address and could only forward to the
# (empty) wan zone.
config zone
        option name 'gst'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GST'

config forwarding
        option src 'gst'
        option dest 'wan'

Let's start with your dumb AP (Archer).

Important. Backup your dumb AP config first. I hope you're comfortable with restoring your config if things go wrong.

I assume all you want to do is to have a WiFi network for guests that is tagged on ethernet cable with VLAN id = 10. Let me know if you want to have 2 separate WiFis or something else.

Step 1
I always like to have a separate escape-hatch Ethernet port with DHCP on lan1 for easy access:

# Escape-hatch management port: lan1 is the only member of br-lan and the
# AP runs its own DHCP on it (see the dhcp stanza below). Note the address
# 192.168.1.1 is the same as the main router's LAN address, so this port is
# presumably meant to stay off the main LAN and the trunk.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

Ensure it has DHCP enabled in /etc/config/dhcp

# DHCP for the escape-hatch port only.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '0' # <------------- important: '0' turns the DHCP server on for this port (the poster's AP config has '1')

Reboot. Check if lan1 ethernet gives you access to luci or ssh.

Step 2

I'm going to use lan4 for trunk. Let's setup a switch for other ports:

# Second bridge acting as the switch for the remaining ports; lan4 is the
# trunk to the main router.
config device
        option type 'bridge'
        option name 'br-vlan'
        option bridge_empty '1'
        # lan1 is in the br-lan already (kept apart as the escape hatch)
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        # list ports 'wan' # I'm not sure about this one. Try later to see if it works.

config bridge-vlan
        option device 'br-vlan'
        option vlan '10'
        list ports 'lan3' # untagged guest port for local testing in case of WiFi config issues
        list ports 'lan4:t' # trunk: VLAN 10 tagged towards the main router

The description of the `network` option at https://openwrt.org/docs/guide-user/network/wifi/basic#common_options1 says:

Specifies one or multiple logical network interfaces declared in the network configuration, each one should be a L3 bridge to be able to attach this L2 wireless interface.

You should have a separate bridge device for each vlan, if you want to later use it for WiFi.

# Separate L3 bridge for the guest VLAN so a WiFi interface can be attached
# to it (see the quoted wiki text above).
config device
        option type 'bridge'
        option name 'br-10-gst'
        list ports 'br-vlan.10'
        option bridge_empty '1'
        option ipv6 '0'

Now let's add an interface:

# Guest interface with an address on the AP. The later reply recommends
# 'proto none' instead; an address here is only needed if the AP itself
# should be reachable from the guest VLAN, which is normally not wanted.
config interface 'GST'
        option proto 'static'
        option device 'br-10-gst'
        option ipaddr '192.168.100.101'
        option netmask '255.255.255.0'
        option gateway '192.168.100.1'

Remove device "br-lan.1", device "br-lan.10" and bridge-vlan configs assigned to "br-lan".
Connect trunk to lan4. See if you can reach your dumb AP from your existing network. Check if lan3 connects you to guest network.

Step 3
Assign GST interface to your WiFi network.


In your main router, I recommend being explicit about the port status for your bridge-vlans. In the case of br-lan.1, it looks like you want all ports untagged + PVID. Add :u* to make that explicit, like this:

# VLAN 1 with every port explicitly untagged (u) and as PVID (*): untagged
# frames arriving on any of these ports belong to VLAN 1.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

Remove the 802.1q stanzas as they are not necessary, and could cause problems:

Remove the last line from the lan DHCP server... when DHCP option 6 is not specified, it will always advertise the router itself as the DNS server -- exactly what you want. Specifying the localhost address (127.0.0.1) in option 6 is a bad idea because some clients may use that, which is actually self-referencing and therefore will break the client's ability to resolve DNS. So just remove the line entirely.

Onto the AP (I disagree with many of the recommendations from @qunvureze, so I'll describe my suggestions)...

As we did in the main router, add :u* to explicitly untag+PVID all ports in VLAN 1:

and also remove the 802.1q stanzas:

The guest network should not have an address on the router, it should be unmanaged. Edit it as follows:

# Unmanaged guest interface: the AP bridges VLAN 10 without holding an
# address on it, so guest clients cannot reach the AP itself.
config interface 'GST'
        option proto 'none'
        option device 'br-lan.10'

There is no need to disable the firewall. I usually recommend leaving it enabled; it won't actually be filtering any traffic under normal situations, so it does nothing as a dumb AP, which is why I leave it on -- this way it is at least deterministic if you have a potential firewall related issue.

Meanwhile, since we set the guest network to unmanaged, we can now remove these:

(BTW, with the firewall disabled and the router having an address on the guest network, that would have actually allowed guest client devices to connect to the AP itself).


Thank you so much for both replies! Reading all this made me understand how everything is working a bit more :sweat_smile:

Yeah, I was wondering why that was happening, but it makes sense now.

I do have one more request. I also wanted to set up access to my bridge router from the LAN, and I came up with this:

# Firewall: a dedicated zone for the modem's management network. input and
# forward REJECT keep the modem from initiating anything into the router;
# masq '1' makes the router appear as 192.168.0.2 to the modem, which
# presumably has no route back to 192.168.1.0/24.
config zone
        option name 'flashfiber'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'flashfiber'
        option masq '1'
        option mtu_fix '1'

# Only lan may reach the modem; there is no gst -> flashfiber forwarding,
# which is why guests cannot reach it (as observed below).
config forwarding
        option src 'lan'
        option dest 'flashfiber'
# The stanza below belongs in /etc/config/network (the two above in
# /etc/config/firewall).
config interface 'flashfiber'
        option proto 'static'
        # Same physical port as the PPPoE session: an untagged IPv4 address
        # alongside it for the modem's own management subnet.
        option device 'wan'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        # Do not install a default route via the modem; the PPPoE link stays
        # the default and only 192.168.0.0/24 goes this way.
        option defaultroute '0'

It seems to be working fine. I can access it from lan but not from gst, but again I wanted to be sure whether this is the best way to do it.

If it works, it seems fine to me.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

