[Solved] Two subnets on same physical interface

Hello. I run a Proxmox server which runs a few LXCs. I wanted to logically group the containers in subnets (also somewhat for security), by defining two subnets:
192.168.0.0/24: services (eg homeassistant)
192.168.1.0/24: apps (eg torrent)

I've read I should use different physical ports on the router and use VLANs for proper isolation, but my server only has 1 port, so I have no idea what I should do here.

I created two interfaces on my router, and two devices, which are identical:

Both interfaces are running a DHCP server, but I don't really care which IP my clients get, as I use static leases and only WiFi (+ guest WiFi) for foreign clients. This setup works, but it doesn't feel correct. Could someone explain to me what I should do to accomplish this in a proper way? :slight_smile:

You need to use VLANs for this. Right now `infra` and `lan` are both on `br-lan`, so the two subnets are just two addressing schemes on one broadcast domain: hosts in either range can talk to each other directly (or simply take an address in the other range), and the firewall zones only see traffic that happens to be routed through the router. VLANs give each subnet its own L2 segment, so inter-subnet traffic has to pass the router and its zone rules.

This is pretty easy to do with OpenWrt, but the Proxmox system must properly handle the VLANs and mapping to the physical port (if the port is directly bound to the OpenWrt VM, this should be a non-issue AFAIK).

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Just to clarify, OpenWrt runs on my ASUS AX53U router; Proxmox has nothing to do with OpenWrt, i.e. there is no OpenWrt VM running on it or anything fancy. I just named Proxmox as it's the one system that has multiple IPs in my network. Here is a simple diagram; on the left is the logical view, and on the right is the physical view:

This is the output you asked for. I plan on adding another subnet for IoT wifi connected devices in the future, but that's off topic here:

~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "ASUS RT-AX53U",
        "board_name": "asus,rt-ax53u",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
~# cat /etc/config/network

# Loopback; stock OpenWrt default.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        # Random IPv6 ULA prefix (fd00::/8): site-local, not internet-routable.
        option ula_prefix 'fdd0:a84f:5d28::/48'

# One bridge over all three wired LAN ports. There is no bridge-vlan section
# for it, so the bridge is not VLAN-filtering: lan1-lan3 (plus every wifi AP
# attached to a network on this bridge) form a single L2 broadcast domain.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# 192.168.1.0/24 -- "apps" in the question -- on br-lan.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # Ignore the ISP's DNS servers; the only upstream dnsmasq has is then
        # the 'list server' entry in /etc/config/dhcp (AdGuard Home).
        option peerdns '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

# Bridge with no wired ports; presumably only the guest wifi APs attach to it
# (via 'option network guest' in /etc/config/wireless, not shown in this post).
config device
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option device 'br-guest'
        option proto 'static'
        option ipaddr '192.168.255.1'
        option netmask '255.255.255.0'

# 192.168.0.0/24 -- "services" -- on the SAME bridge as 'lan'. This separates
# addresses, not traffic: both subnets share one broadcast domain, so a host
# in one range can reach a host in the other directly (e.g. by adding a second
# address) without ever crossing the router and its firewall zones. This is
# why the thread moves to VLANs.
config interface 'infra'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'

~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Only answer DNS queries from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        # my internal DNS Server (AdGuard Home)
        # Sole upstream resolver (wan has peerdns '0'). It runs in an LXC on
        # the Proxmox host, so if 192.168.0.204 becomes unreachable the router
        # and every client behind it lose name resolution.
        list server '192.168.0.204#53'
        # DNS-rebind protection is OFF: upstream answers that map names to
        # private (RFC 1918) addresses are passed through to clients. Presumably
        # disabled so AdGuard's answers for local hosts are not discarded, but
        # it removes the protection for every client. Prefer leaving it on and
        # whitelisting the local zone with 'list rebind_domain'.
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # IPv6: stateful DHCPv6 plus router advertisements (SLAAC also allowed).
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

# All my static leases redacted, for example:
config host
        option dns '1'
        option name 'HOST'
        option ip '192.168.0.250'
        option mac 'REDACTED'

# Second IPv4 pool, served on the same L2 segment as the 'lan' pool. Without
# a static lease nothing here controls which of the two pools a client lands
# in (hence "I don't really care what IP my clients get").
config dhcp 'infra'
        option interface 'infra'
        option start '100'
        option limit '150'
        option leasetime '12h'

~# cat /etc/config/firewall

config defaults
        # Fallback policies for traffic that matches no zone. Every zone below
        # sets input/forward explicitly, so these rarely apply here.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'DROP'

# guest: no access to the router except what the 'Guest *' rules further down
# open (DNS + DHCP), and no inter-zone traffic except the guest -> wan
# forwarding entry.
config zone
        option name 'guest'
        option output 'ACCEPT'
        list network 'guest'
        option input 'REJECT'
        option forward 'REJECT'

# infra (192.168.0.0/24, services): full access to the router itself. The
# 'forward' option is the intra-zone policy; reachability between zones is
# decided by the 'config forwarding' sections below.
config zone
        option name 'infra'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'infra'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# 'src *': the router answers IPv4 echo requests from every zone, wan included
# (the stock rule uses 'src wan'; the exposure towards the internet is the same).
config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src '*'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src '*'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules: they permit wan -> lan forwarding of ESP and UDP/500 only. With
# no matching DNAT nothing is actually forwarded, so they are effectively inert.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# --- DNS interception. Redirects are evaluated in file order. ---
# (1) Exclude Caddy from DNS forwarding, to not intercept letsencrypt cert renewal:
#     port-53 traffic from the reverse proxy (192.168.0.99) is DNAT'd straight
#     to 1.1.1.1 so ACME lookups are not filtered by AdGuard. Being a DNAT it
#     overrides whatever resolver the host itself is configured with.
config redirect
        option target 'DNAT'
        option name 'Skip DNS Port Forwarding'
        option src 'infra'
        option src_dport '53'
        option dest_ip '1.1.1.1'
        option dest_port '53'
        option src_ip '192.168.0.99'

# (2) Every port-53 packet from the lan zone (proto defaults to tcp+udp) is
#     forced to AdGuard Home in the infra zone. The '!192.168.0.204' exclusion
#     is a no-op here: that address is never a source in 'lan'.
# NOTE: a port-53 DNAT catches plain DNS only; a client that speaks
#       DNS-over-HTTPS (443) or DNS-over-TLS (853) bypasses it.
config redirect
        option name 'Forward LAN DNS'
        option src 'lan'
        option src_dport '53'
        option dest 'infra'
        option dest_ip '192.168.0.204'
        option dest_port '53'
        option src_ip '!192.168.0.204'

# (3) Same for the infra zone. Here the exclusion of AdGuard's own address is
#     essential, otherwise its upstream queries would be looped back to itself.
config redirect
        option name 'Redirect INFRA DNS'
        option src 'infra'
        option src_ip '!192.168.0.204'
        option src_dport '53'
        option dest_ip '192.168.0.204'
        option dest_port '53'
        option dest 'infra'

# Inter-zone forwarding. lan <-> infra is open in BOTH directions, so the
# "services" and "apps" groups are not actually segmented from each other at
# L3 -- only guest is. Tighten these (or replace them with specific rules)
# once the VLANs are working.
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'infra'
        option dest 'lan'

config forwarding
        option src 'infra'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'infra'

# Guest rules are INPUT rules (no 'dest'): guest clients may ask the router
# for DNS and DHCP, everything else aimed at the router is dropped (the zone's
# input REJECT already covers this; DROP only makes it silent). They do not
# affect the guest -> wan forwarding above.
config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '67-68'

config rule
        option name 'Guest Block All'
        option src 'guest'
        option target 'DROP'

# Disabled. SNATing the redirected DNS to the router's address is what makes
# redirect (3) work for clients in the SAME subnet as the resolver (otherwise
# 192.168.0.204 replies to the client directly and the reply does not match
# the DNAT'd flow). Trade-off: AdGuard then logs the router, not the client,
# as the requester.
config nat
        option name 'DNS MASQUERADE'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.0.204'
        option dest_port '53'
        option target 'MASQUERADE'
        option src 'infra'
        option enabled '0'

Edit: I also thought I should mention: I tried a VLAN configuration before, but the smallest change to the VLAN config of br-lan causes my connection to the router to drop, and LuCI rolls the change back when I can't reconnect within the 90 s confirmation timeout. I'm connected to my router via WiFi in this instance, so I thought VLANs should not affect my client whatsoever. Guess I was wrong :smiley:

Thank you for clarifying. This should be pretty straight forward. You'll still need to make sure the Proxmox system handles VLANs properly, but we can easily get your Asus setup.

We'll start by creating bridge-VLANs:

# VLAN 1: tagged on lan1 (the trunk towards the Proxmox host), untagged + PVID
# ('u*') on lan2/lan3, so wired clients on those two ports stay in 'lan'.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

# VLAN 10: exists only tagged on the trunk. With both sections in place nothing
# is untagged on lan1 any more, so a non-VLAN-aware device on that port (or a
# switch in between that strips tags) gets no connectivity at all.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'

Next, we'll edit the lan and infra networks to use br-lan.1 and br-lan.10 respectively:

# 'lan' now sits on the VLAN 1 sub-interface of the filtering bridge.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# 'infra' moves to its own L2 segment (VLAN 10). From here on, traffic between
# 192.168.0.0/24 and 192.168.1.0/24 must be routed by the router and is
# therefore subject to the lan <-> infra zone forwardings.
config interface 'infra'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'

Your firewall zones for lan and infra look fine structurally, but note that you currently allow forwarding in both directions between them (`infra → lan` and `lan → infra`), so the VLANs separate the broadcast domains but do not yet separate the two groups of hosts at L3 — tighten those `config forwarding` sections (or replace them with specific rules) once the VLANs work. You'll also probably want to revisit the guest firewall rules later (and in general, make sure your firewall achieves your objectives).

Restart your router and you should have VLAN 1 and VLAN 10 both tagged on port lan1. (One caveat: VLAN 1 is the default/native VLAN on most switches and bridges, so it is common practice to give a tagged production network a non-default ID; if you do rename it later, change the PVID on lan2/lan3 and the Proxmox side to match.)

You will need to configure your proxmox system to expect VLANs 1 and 10, both tagged, for the respective networks. Currently, it's expecting an untagged network (and probably no tagged networks)... since we don't have an untagged network lan1, the system will not get an IP and will not have connectivity until you get proxmox working with VLANs (I can't help you on that part, though).

That should be all you need for now.

I did the config in LuCI, but I get a timeout when applying the config, as the router becomes unreachable from my device. These are the configuration changes:

# /etc/config/dhcp
# /etc/config/dhcp
# Side effect of saving the DHCP page in LuCI, unrelated to the VLAN change:
# the 'ra_slaac' option disappears from the lan pool (compare the dump below).
uci del dhcp.lan.ra_slaac
# /etc/config/network
# Order matters from here on: '@bridge-vlan[-1]' always addresses the section
# most recently created by 'uci add'.
uci add network bridge-vlan # =cfg0aa1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='1'
uci add_list network.@bridge-vlan[-1].ports='lan1:t'
# lan2/lan3 are written without the ':u*' suffix. The wired connection worked
# afterwards (see below), which implies untagged + PVID; confirm with
# 'bridge vlan show' after applying.
uci add_list network.@bridge-vlan[-1].ports='lan2'
uci add_list network.@bridge-vlan[-1].ports='lan3'
uci add network bridge-vlan # =cfg0ba1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='10'
uci add_list network.@bridge-vlan[-1].ports='lan1:t'
# Move the two networks onto the VLAN sub-interfaces of br-lan.
uci set network.lan.device='br-lan.1'
uci set network.infra.device='br-lan.10'

You should be able to reach the device using ports 2 and 3. Try that out if you haven't already.

Thanks, the wired connection works. WiFi doesn't work anymore, however. I also had to disable the DNS port forwarding, as the 192.168.0.0/24 subnet is now unreachable from 192.168.1.0/24.


wireless config (not showing up in lan interface page):

Pinging 192.168.0.204 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.

let's see your complete config as it is now, including wifi:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Certainly:

~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "ASUS RT-AX53U",
        "board_name": "asus,rt-ax53u",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdd0:a84f:5d28::/48'

# The bridge definition itself is unchanged; it becomes VLAN-filtering because
# bridge-vlan sections (at the end of this file) now reference it.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# lan (192.168.1.0/24) on VLAN 1. The wifi APs with 'option network lan' in
# /etc/config/wireless follow this network.
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # ISP DNS ignored -- dnsmasq's only upstream is AdGuard (see dhcp config).
        option peerdns '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

# Wifi-only bridge for the guest SSIDs.
config device
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option device 'br-guest'
        option proto 'static'
        option ipaddr '192.168.255.1'
        option netmask '255.255.255.0'

# infra (192.168.0.0/24) on VLAN 10: now its own L2 segment, reachable from
# lan only through the router.
config interface 'infra'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option device 'br-lan.10'

# VLAN 1: tagged on the trunk (lan1), plain member on lan2/lan3. The bare port
# names carry no flags; wired access via those ports works (see above), which
# implies untagged + PVID -- confirm with 'bridge vlan show'.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2'
        list ports 'lan3'

# VLAN 10: tagged on the trunk only. Nothing is untagged on lan1 any more.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'

~# cat /etc/config/wireless

# 2.4 GHz radio (802.11ax, 20 MHz).
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option country 'AT'

# Main SSID on 2.4 GHz, attached to the 'lan' network (VLAN 1 after the
# change). WPA2-PSK with 802.11r fast transition; the FT key material is
# derived locally from the PSK ('ft_psk_generate_local'), no over-the-DS.
# Keys are redacted in this post.
# NOTE(review): 'sae-mixed' (WPA2/WPA3 transition) would be a hardening
# option if all clients cope with it -- test before switching.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'WLAN'
        option encryption 'psk2'
        option key 'X'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

# 5 GHz radio (802.11ax, 80 MHz).
config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'AT'

# Same SSID/PSK on 5 GHz so clients can roam (FT) between the two bands.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'WLAN'
        option encryption 'psk2'
        option key 'X'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

# Guest SSID on 2.4 GHz, attached to br-guest. 'isolate 1' stops clients of
# THIS AP from talking to each other at L2, but it is per-BSS: a 2.4 GHz guest
# client and a 5 GHz guest client can still reach each other through br-guest
# unless the bridge members are isolated as well.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'WLAN-Guest'
        option key 'X'
        option encryption 'psk2'
        option network 'guest'
        option isolate '1'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

# Guest SSID on 5 GHz; same settings as wifinet2.
config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'WLAN-Guest'
        option key 'X'
        option encryption 'psk2'
        option isolate '1'
        option network 'guest'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        # Sole upstream (wan has peerdns '0'): AdGuard Home on the Proxmox host,
        # which now lives in VLAN 10. If the router cannot reach 192.168.0.204
        # -- as reported further down -- every client loses name resolution.
        list server '192.168.0.204#53'
        # DNS-rebind protection disabled for all clients; see the note on the
        # first dump -- 'list rebind_domain' is the narrower alternative.
        option rebind_protection '0'

# 'ra_slaac' is gone compared with the first dump; LuCI removed it when the
# DHCP page was saved ('uci del dhcp.lan.ra_slaac' in the change list above).
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

# ... static leases

# With infra on its own VLAN this pool now serves only hosts in VLAN 10.
config dhcp 'infra'
        option interface 'infra'
        option start '100'
        option limit '150'
        option leasetime '12h'

~# cat /etc/config/firewall

config defaults
        # Fallback policies for traffic matching no zone; all zones below set
        # input/forward explicitly.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'DROP'

# guest: router access limited to the 'Guest *' rules below (DNS, DHCP);
# only guest -> wan forwarding is allowed.
config zone
        option name 'guest'
        option output 'ACCEPT'
        list network 'guest'
        option input 'REJECT'
        option forward 'REJECT'

# infra (VLAN 10, 192.168.0.0/24): full access to the router. 'forward' is the
# intra-zone policy; inter-zone traffic is governed by 'config forwarding'.
config zone
        option name 'infra'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'infra'

# lan (VLAN 1, 192.168.1.0/24).
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# 'src *': IPv4 ping to the router accepted from every zone, wan included.
config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src '*'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src '*'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules; inert without a matching DNAT.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# --- DNS interception: all three redirects are now DISABLED ('enabled 0'),
# switched off after the VLAN change because lan could no longer reach infra
# (see the post above). With them off, and peerdns '0' on wan, client DNS
# depends entirely on dnsmasq being able to reach 192.168.0.204.
# (1) Caddy (192.168.0.99) bypasses AdGuard via DNAT to 1.1.1.1.
config redirect
        option target 'DNAT'
        option name 'Skip DNS Port Forwarding'
        option src 'infra'
        option src_dport '53'
        option dest_ip '1.1.1.1'
        option dest_port '53'
        option src_ip '192.168.0.99'
        option enabled '0'

# (2) lan -> AdGuard; the '!192.168.0.204' exclusion is a no-op in this zone.
#     Port-53 DNAT catches plain DNS only, not DoH (443) / DoT (853).
config redirect
        option name 'Forward LAN DNS'
        option src 'lan'
        option src_dport '53'
        option dest 'infra'
        option dest_ip '192.168.0.204'
        option dest_port '53'
        option src_ip '!192.168.0.204'
        option enabled '0'

# (3) infra -> AdGuard, excluding AdGuard itself to avoid a loop.
config redirect
        option name 'Redirect INFRA DNS'
        option src 'infra'
        option src_ip '!192.168.0.204'
        option src_dport '53'
        option dest_ip '192.168.0.204'
        option dest_port '53'
        option dest 'infra'
        option enabled '0'

# Inter-zone forwarding. lan <-> infra remains open in both directions, so the
# two VLANs are separate broadcast domains but not yet segmented at L3.
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'infra'
        option dest 'lan'

config forwarding
        option src 'infra'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'infra'

# Guest INPUT rules: DNS and DHCP to the router allowed, everything else
# silently dropped. They do not affect guest -> wan forwarding.
config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '67-68'

config rule
        option name 'Guest Block All'
        option src 'guest'
        option target 'DROP'

# Disabled. Would SNAT redirected DNS so that redirect (3) also works for
# clients in the same subnet as the resolver, at the cost of AdGuard seeing
# the router instead of the client as the requester.
config nat
        option name 'DNS MASQUERADE'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.0.204'
        option dest_port '53'
        option target 'MASQUERADE'
        option src 'infra'
        option enabled '0'

Also, 192.168.0.0/24 is unpingable from the router itself as well

You have a DNS resolver at 192.168.0.204 -- what is that device and how does it connect (wifi, ethernet -- which port?)

What specific addresses are you pinging and how are they connected?

That is AdGuardHome 192.168.0.204 running as an LXC on Proxmox 192.168.0.5. The Proxmox Host is connected via (bear with me) Powerline, which has a static lease to 192.168.0.4. Everything else is wired. It looks like this:
I didn't expect the PowerLine Adapter to be an issue here. I got a TL-WPA7619 KIT which shouldn't strip VLAN tags

I was trying to ping 192.168.0.204 and 192.168.0.5 from my client and from the router. I tried specifying the interfaces as well, but the result is the same:

# Run on the router; -I pins the source interface. 192.168.0.204 is in the
# infra subnet, which lives on br-lan.10, so only the second command is
# expected to get a reply; the first sends via the lan VLAN, where that
# address is not on-link.
ping 192.168.0.204 -I br-lan.1
ping 192.168.0.204 -I br-lan.10

The powerline is probably not an issue, but it could be -- the problem here is that we don't know if it is capable of handling VLANs (unless you have looked that up and can answer that).

The problem you're experiencing is becoming more complex to diagnose because you have many variables.

  • your DNS is served on your proxmox host, which means that any loss of connectivity to proxmox results in loss of dns and thus a practical loss of overall internet connectivity.
  • your proxmox host needs to be configured with VLANs -- I don't know if you've done that yet, but this is key if you want to have multiple networks serviced by the single port.
  • you have powerline adapters which may or may not properly pass VLANs. We can think of the powerline adapters as a switch -- the question is if they are vlan aware/compatible. See this post I wrote about VLANs and unmanaged switches. We could be running into issues here, too.

Meanwhile -- I'm going to propose a new strategy.

  1. Make a backup of your current configuration.
  2. Upgrade and reset to defaults. Your current version of OpenWrt is out of date and should be upgraded. Take the opportunity to reset to defaults to make a clean slate -- there are things in there that may be vestiges of previous efforts and/or may increase the number of variables that we have to consider (or troubleshoot) as we make changes.
  3. Start simple -- let's make just the lan and infra networks and get those running in general. Don't set custom DNS resolvers or any special firewall rules -- put the infra network in the lan firewall zone and get it running. I recommend setting it up such that port 1 is tagged for both networks, port 2 is lan (untagged), and port 3 is infra (untagged). This way you can test and prove each network from a wired client on its own port.
  4. Remove the power line adapter from the equation. This may mean temporarily moving hardware around, but we cannot assume the powerline works with VLANs until we can verify that fact (either by its documentation or by experimental validation after the next step)
  5. work on your proxmox setup to ensure that the VLANs are configured on that host properly and that they are attached properly to the VMs.
  6. .... well... we'll continue to build out all your needed functionality, but maybe in different threads since this one really has to do with setting up the general VLANs.

Regarding upgrades: at the time of writing the most current version of OpenWrt is 23.05.2. You're running 22.03.5 (22.03.6 has subsequently been released), but 22.03 is going to be EOL and unsupported in ~2 months, so it makes sense to upgrade to 23.05.2.

I will be going to bed shortly, so I'll be offline for a while. Feel free to get started on this (if you agree with my order of operations), or if you want to wait, I should be able to help tomorrow to whatever extent our timezones overlap (I'm in California).

Thank you so much for your patience and detailed answer!

Regarding the problems you listed:

  • DNS - I know, it sucks. But I can't find another solution, as I need the port-53 redirect to stop devices such as the Chromecast from using their hardcoded (Google) DNS servers. I might change it so my clients get the DNS server via DHCP option 6 and only use the redirect for devices that I know use a hardcoded DNS. (Caveat: a port-53 DNAT only catches plain DNS; a device that switches to DNS-over-HTTPS or DNS-over-TLS bypasses it unless 443/853 to known public resolvers is blocked as well.)
  • Yes, that was it! After I reverted the router config, I configured Proxmox accordingly (vmbr0.10 and vmbr0.11 respectively; I changed PVID 1 to 11 for consistency). I then restored the OpenWrt config and now I can connect to the server again :slight_smile:
  • I have found that Powerline adapters usually just act as a dumb switch without stripping VLAN tags -- luckily that holds for the model I got as well :slight_smile:

The reason I don't want to update to 23.05 is stated on my device's page:
https://openwrt.org/toh/asus/rt-ax53u which says:

Warning! There is a WAN interface issue with version 23.05.0, version 22.03.5 works fine.

Now the only issue left is wifi not working when using vlan tagging :confused:

I think I'm on the right track:

Now all services/apps running on the server are reachable again.

For the WiFi issue:

  • I created two bridges br-vlan10 and br-vlan11 in OpenWrt

  • I set the interface device to the newly created bridges:

  • After restarting the WiFi interface the station is associated with the interface again.

Does this seem reasonable? Also, do I have to create a separate WiFi SSID for VLAN 10?

Edit2: I had to temporarily revert my changes again, as the wifi stopped working again. I have no idea what causes this issue :confused:

Awesome! Glad we were able to get your VLANs to work and that your proxmox server is back online normally!

At least, that's what it sounds like...

Let's attack this issue in a new thread. After all, we managed to get the VLANs working. So unless you had to revert those changes, let's consider this issue resolved and use a new thread to discuss the wifi and/or other issues.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


@psherman Just in case you are interested: WiFi didn't have internet access -- actually my WiFi clients couldn't resolve DNS queries -- because of a misconfiguration in the DNS port redirect; and disabling the redirect didn't help either, because I had disabled peer DNS on the wan interface (`peerdns '0'`), so dnsmasq's only upstream was the AdGuard host at 192.168.0.204, which the router itself could not reach at the time (see above). Still not 100% sure what I did wrong with the port forwarding, but now I know what to check :slight_smile:
Thanks again for your invaluable help!!

Glad you're on a path to figuring out the DNS issue!
