[Solved] Simple network segmentation. Why is it soooo hard for newcomers?

I am trying something that seems really simple, but for me as an uninitiated person it proves to be very hard indeed. I have been trying for more than one week now, almost non-stop.

10.0.0.1 should be the OpenWrt router (Linksys ACM3200WRT) running OpenWRT (does it matter what exact version?)

10.1.x.x should be a separate subnet, just like:
10.2.x.x
10.3.x.x

If I could just get them to talk to each other, or is "get packets forwarded" the correct term?
My general firewall settings are to allow input, output and forward.

btw, I have donated 50$ just now to the OpenWRT organization and will do so again once I have finally reached my goal. I have spent countless hours going nowhere. I even hired a local network engineering company at +125$ an hour and even that went nowhere!!!!

I have a network diagram, but how do I post it? Or even how do I post my config backup tar? So that an expert can take a good look at it and get this seemingly simple setup to work.

I have a network diagram but how do I post it?

If you go to edit your reply, the comment box should have a small painting icon which on hover over says "Upload". Once you click on that you can select an image to upload from your device.

Or even how do I post my config backup tar?

I would recommend you just post the pertinent text from the various configuration files inside the backup tar. In the comment box you can click the </> icon to insert pre-formatted text like the kind OpenWRT uses for configuration. I'd say based on your question you should post the contents of:

  • /etc/config/network &
  • /etc/config/firewall

Just make sure that what you post doesn't contain any sensitive information like public IP addresses, MAC addresses, passwords, crypto keys, etc.

Quick question: Are those separate subnets supposed to keep certain data or systems from being accessible to another subnet, with certain exceptions? Or do you just want to organize your network like .1.* for PCs, 2.* for printers, etc?

If the latter, you can simply bridge all those different interfaces that cover the various subnets. You can also add interfaces to firewall zones and then allow/deny forwarding based on firewall rules, etc. Plenty of options.

P.S. Get a refund.

Nope, because they have different numbering, DHCP, etc.

Yeah, you're right. Scratch that idea, it doesn't make sense. And once you go down the VLAN route it's a really dumb idea. So firewall zones, preferably one for each interface if security is needed with allow/deny rules controlling what traffic can cross between the zones?

here goes, btw. I had no such option to upload files ;(

```
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:74a7:6e62::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5t 3 2 1 0'
	option vid '1'

# No switch_vlan section in this file carries vid '10' or vid '20', so the
# switch never creates eth0.10 / eth0.20 for the two interfaces below.
# A 'gateway' on a LAN-side static interface is unnecessary; 10.0.0.1 is not
# even on-link for a 10.x.0.0/16 interface.
config interface 'if_Switch_APs'
	option proto 'static'
	option ifname 'eth0.10'
	option netmask '255.255.0.0'
	option ipaddr '10.1.1.1'
	option gateway '10.0.0.1'

config interface 'if_Servers'
	option proto 'static'
	option ifname 'eth0.20'
	option netmask '255.255.0.0'
	option ipaddr '10.2.1.1'
	option gateway '10.0.0.1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 4'
	option vid '2'

config interface 'if_Trusted'
	option proto 'static'
	option force_link '0'
	option netmask '255.255.0.0'
	option ipaddr '10.3.1.1'
	option ifname 'eth0.30'
	option gateway '10.0.0.1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '30'
	option ports '5t 2t'

config interface 'if_Guests'
	option ifname 'eth0.40'
	option proto 'static'
	option ipaddr '10.4.1.1'
	option netmask '255.255.0.0'
	option gateway '10.0.0.1'
	option force_link '0'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '40'
	option ports '5t 2t'

config interface 'if_Peripherals'
	option ifname 'eth0.50'
	option proto 'static'
	option netmask '255.255.0.0'
	option ipaddr '10.5.1.1'
	option gateway '10.0.0.1'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '50'
	option ports '5t 2t'

config interface 'if_IOT'
	option ifname 'eth0.60'
	option proto 'static'
	option netmask '255.255.0.0'
	option ipaddr '10.6.1.1'
	option gateway '10.0.0.1'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '60'
	option ports '5t 2t'
```

Yes, I'd like to be in total control over what is able to talk to what and also keep a structure that I can remember. I have more than a few clients and things are getting hard without proper segmentation.

A bit off topic, but do you really need a subnet of that size? That is a bit too much, especially if you have multiple subnets. I imagine you mean 10.0.1.x.

yes, I think I need it, because of the
10.a.b.c
a = function
b = floor where the client is located
c = the orientation the client is located

am I going overboard with this abc setup or is there hope yet?

btw, still looking for a way to post an image of my network diagram
any suggestions?

should I? please elaborate?

Maybe use a host like imgur and post the link to the image here (just copy & paste it).

In your VLAN config I see you have two interfaces, eth0.10 and eth0.20, but VLAN ID entries for 1 & 2. Do they need to be added or modified?

I would personally hook up a switch to your tagged ports, configure the VLANs on the switch (designate trunk ports, ports for individual VLANs). Once that's done, connect with a cable and test each individual VLAN to see if it can ping the router IP in that particular subnet. Just to get the basics out of the way.
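The mismatch pointed out above (an `eth0.N` interface with no `switch_vlan` carrying `vid N`) is easy to miss by eye in a long config. The following Python script is an added example, not something from this thread or from OpenWrt itself: it parses a constructed fragment of the posted /etc/config/network and reports every interface whose VLAN is never created on the switch, whose VLAN does not tag the CPU port, or whose gateway is not on-link. The CPU-port mapping (port 5 behind eth0, port 6 behind eth1) is an assumption for the WRT3200ACM family; change it for other hardware.

```python
import ipaddress
import re
import shlex

# Constructed sample: the parts of the posted /etc/config/network that matter
# for the VLAN check (loopback, globals and the other VLANs left out).
SAMPLE_NETWORK = """
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'
config interface 'wan'
    option ifname 'eth1.2'
    option proto 'dhcp'
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '5t 3 2 1 0'
    option vid '1'
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '6t 4'
    option vid '2'
config interface 'if_Switch_APs'
    option proto 'static'
    option ifname 'eth0.10'
    option netmask '255.255.0.0'
    option ipaddr '10.1.1.1'
    option gateway '10.0.0.1'
config interface 'if_Trusted'
    option proto 'static'
    option ifname 'eth0.30'
    option netmask '255.255.0.0'
    option ipaddr '10.3.1.1'
    option gateway '10.0.0.1'
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '30'
    option ports '5t 2t'
"""

# Assumption: WRT3200ACM-style switch layout, switch port 5 is the CPU port
# behind eth0 and port 6 the CPU port behind eth1.
CPU_PORT = {"eth0": "5", "eth1": "6"}


def parse_uci(text):
    """Parse UCI text into a list of (type, name, {option: value}) tuples."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] == "option" and sections:
            sections[-1][2][parts[1]] = parts[2]
    return sections


def check_network(text):
    """Return human-readable findings; an empty list means the config is consistent."""
    sections = parse_uci(text)
    # vid -> port tokens, e.g. "30" -> ["5t", "2t"]; vid falls back to vlan.
    vlans = {o.get("vid", o.get("vlan")): o.get("ports", "").split()
             for t, _, o in sections if t == "switch_vlan"}
    findings = []
    for kind, name, opts in sections:
        if kind != "interface":
            continue
        m = re.fullmatch(r"(eth\d+)\.(\d+)", opts.get("ifname", ""))
        if not m:
            continue  # not a VLAN sub-interface (lo, bridges, wlan, ...)
        cpu, vid = m.groups()
        if vid not in vlans:
            findings.append(f"{name}: {cpu}.{vid} has no switch_vlan with vid {vid}")
        elif cpu in CPU_PORT and f"{CPU_PORT[cpu]}t" not in vlans[vid]:
            findings.append(f"{name}: vid {vid} does not tag CPU port {CPU_PORT[cpu]} for {cpu}")
        gw = opts.get("gateway")
        if gw and "ipaddr" in opts and "netmask" in opts:
            net = ipaddress.ip_interface(f"{opts['ipaddr']}/{opts['netmask']}").network
            if ipaddress.ip_address(gw) not in net:
                findings.append(f"{name}: gateway {gw} is not on-link for {net}")
    return findings


if __name__ == "__main__":
    for finding in check_network(SAMPLE_NETWORK):
        print(finding)
```

Run it against the real file with `check_network(open("/etc/config/network").read())`; an empty result means every VLAN interface has a matching switch entry and tagged CPU port, which is the precondition for the per-VLAN ping test suggested above to succeed.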

interfaces eth0.10 and eth0.20 are currently disabled and things are less bad

If someone charged me that much and couldn't get the job done, I would, but again it's up to you.

I still don't see why I need VLAN 1 and 2, which are the default for my device

One is by default reserved for the LAN interface, the other for WAN. You also have two firewall zones created for both of these with rules that allow LAN->WAN outbound traffic. You can modify those if you have your own separate uplink arrangement, but I'd stick with basics for now.
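To make the zone idea from this thread concrete (one firewall zone per interface, nothing forwarded between zones unless explicitly listed, and the router itself only answering DHCP/DNS for the untrusted zones), here is an added Python example that renders such an /etc/config/firewall from a small policy table. It is not code from the thread or from OpenWrt; the zone and interface names are taken from the posted network config, while the forwarding policy itself (trusted reaches everything, servers/guests/IoT reach only the internet, APs get no forwarding) is an assumed illustration you would adapt. It keeps the default LAN->WAN rule and the `Allow-DHCP-Renew` rule the stock config has for the DHCP-based WAN, and leaves out the stock IPv6/ICMP rules.

```python
# Zone name -> network-config interface(s) it contains (names from the thread).
ZONES = {
    "lan": ["lan"],
    "aps": ["if_Switch_APs"],
    "servers": ["if_Servers"],
    "trusted": ["if_Trusted"],
    "guests": ["if_Guests"],
    "periph": ["if_Peripherals"],
    "iot": ["if_IOT"],
    "wan": ["wan"],
}

# Permitted forwardings (src -> dst); everything else hits forward='REJECT'.
# Assumed policy for illustration, not something the thread specifies.
FORWARDINGS = [
    ("lan", "wan"), ("lan", "servers"), ("lan", "aps"), ("lan", "periph"), ("lan", "iot"),
    ("trusted", "wan"), ("trusted", "servers"), ("trusted", "aps"),
    ("trusted", "periph"), ("trusted", "iot"), ("trusted", "guests"),
    ("servers", "wan"),
    ("guests", "wan"),
    ("iot", "wan"),
]

# Zones allowed to reach the router itself (SSH/LuCI); all others get
# input='REJECT' plus the explicit DHCP/DNS rule rendered below.
ADMIN_ZONES = {"lan", "trusted"}


def validate_policy(zones, forwardings):
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []
    for src, dst in forwardings:
        if src not in zones or dst not in zones:
            problems.append(f"{src} -> {dst}: unknown zone")
        elif src == "wan":
            problems.append(f"{src} -> {dst}: forwarding from wan exposes {dst} to the internet; "
                            "use a redirect (port-forward) rule instead")
    return problems


def forwarding_allowed(src, dst, forwardings=FORWARDINGS):
    """True when the policy lets traffic entering src be forwarded into dst."""
    return (src, dst) in forwardings


def render_firewall(zones=ZONES, forwardings=FORWARDINGS, admin=ADMIN_ZONES):
    """Render UCI text for /etc/config/firewall from the policy tables."""
    out = ["config defaults", "\toption input 'REJECT'", "\toption output 'ACCEPT'",
           "\toption forward 'REJECT'", "\toption synflood_protect '1'", ""]
    for zone, nets in zones.items():
        out += ["config zone", f"\toption name '{zone}'"]
        out += [f"\tlist network '{net}'" for net in nets]
        out += [f"\toption input '{'ACCEPT' if zone in admin else 'REJECT'}'",
                "\toption output 'ACCEPT'", "\toption forward 'REJECT'"]
        if zone == "wan":  # NAT towards the uplink, clamp MSS for PPP-style links
            out += ["\toption masq '1'", "\toption mtu_fix '1'"]
        out.append("")
    for src, dst in forwardings:
        out += ["config forwarding", f"\toption src '{src}'", f"\toption dest '{dst}'", ""]
    # The router's own DHCP client on wan must still receive renew replies (udp/68).
    out += ["config rule", "\toption name 'Allow-DHCP-Renew'", "\toption src 'wan'",
            "\toption proto 'udp'", "\toption dest_port '68'", "\toption target 'ACCEPT'",
            "\toption family 'ipv4'", ""]
    # Non-admin LAN-side zones still need DHCP (udp/67) and DNS (53) from the router.
    for zone in zones:
        if zone in admin or zone == "wan":
            continue
        out += ["config rule", f"\toption name 'Allow-DHCP-DNS-{zone}'",
                f"\toption src '{zone}'", "\toption proto 'tcp udp'",
                "\toption dest_port '53 67'", "\toption target 'ACCEPT'", ""]
    return "\n".join(out)


if __name__ == "__main__":
    problems = validate_policy(ZONES, FORWARDINGS)
    print("\n".join(problems) if problems else render_firewall())
```

Write the output to /etc/config/firewall (keep a copy of the original) and apply it with `/etc/init.d/firewall restart`; test from a client in each zone that it can reach the router for DHCP/DNS, reach the internet only if its zone has a forwarding to `wan`, and cannot reach `servers` unless its zone is listed as a source for that destination.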

please give me some time and I will find a way to post my network diagram. I am more than willing to hire you or anyone that can get things done.

respect

Why don't you just divide the 256 IPs (well, 254) in some fashion?

You can use the image icon underneath the box where you type the message and browse for the file. Also if you have the image (the contents not the file path) in the clipboard you can paste here in the message box directly. Please make sure your image file size isn't too large to avoid consuming the resources of the forum.

I could, but before I do, can you please explain why that is better/easier/more sensible than my abc? I am here to learn and I am in no way suggesting that my abc is sensible from a network engineering standpoint. It is only sensible in my mind.

I am working on it as we speak. But because my network is now in a barely usable state, I need to find a way to get to my FreeNAS. Ohh, how things were less complicated when I was still a toddler :wink: