Troubleshooting "lost" switch and fixing vlan that needs to forward IP from ISP's home gateway

Hi everybody!

So, as a computer enthusiast (just to point out my level of knowledge) with limited knowledge on networking, I decided to buy myself some "new" equipment after seeing onemarcfifty's videos on YouTube on OpenWrt and network segmentation (something I wanted to do for a while now).

I decided on buying three D-Link DIR-2660 A2 routers and four Netgear GS308E switches (8-port managed switches). I currently run the latest version of OpenWrt on all the routers. One router I use as my main router, the two others I use as access points (one in the front of the house on the left (router), one in the back of the house on the right (AP1) and one upstairs (AP2)). The main router is behind the home gateway (modem + router combination) of my ISP. I'll include a diagram of my network.

The ISP's HGW is connected to the WAN-port of the main router. Then a connection is made from LAN1 on the router to the switch with IP 192.168.10.5. All the cables to the different rooms in the house are plugged into this switch.

"Lost" switch
Since I am new to OpenWrt I followed Marc's videos very closely. Unfortunately I ran into some problems. The switch that is behind AP1 isn't showing up when I perform a network scan. The devices connected to it do show up. Also, when I try to ping out using the diagnostic menu in OpenWrt I receive error messages. This is also the case for the upstairs AP, AP2, that has no physical devices connected to it for the moment. The router can ping out to the internet. Is it normal that the APs can't reach the internet?

When I connect to the switch behind AP1 using a cable I can see the switch and I can manage it, but then the switch that is connected to the main router is invisible. When I connect over Wi-Fi I can't see the switch behind the router (192.168.10.5) nor can I see the switch behind the AP (192.168.10.8).

So, in summary, the PC connected to switch 192.168.10.6 can manage 192.168.10.5-6-7, but can't connect to switch 192.168.10.8. PC connected to switch 192.168.10.8 can manage 192.168.10.6-7-8, but can't connect to switch 192.168.10.5.

Route IP from ISP to settopbox/digicorder via vlan
The switch behind AP1 is giving out IPs to several devices as configured (Android-TV-box, TV, DVD-player on the main LAN, my son's PS4 and Nintendo Switch on the vlan40 "Console",...), except for one device: the TV-box from my ISP. The TV-box (a digicorder) doesn't work properly if it doesn't receive an IP directly from the modem of the ISP. I tried to configure a vlan (vlan50) to receive an IP from the ISP's modem on the main router and did the same on AP1. When I connect to it with my laptop over UTP the device fails to get an IP. I configured the vlan the same way I configured the others that have fixed IPs, except I tried to set the IP through DHCP (but that wouldn't work since that's the job of the home gateway, so I'm kinda lost here). I set the protocol temporarily to unmanaged. I have only one UTP-connection available in this room.

Please answer my questions as comprehensively as possible (as in: click there, then click on...) since I am completely new at OpenWrt and my knowledge of networking is mediocre, as I stated above.

I appreciate all the help I can get very much! Thanks! 👍

etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix '.../48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.1'
        option device 'br-lan.10'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'

config interface 'Gast'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'IOT'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan1:t'

config interface 'Telenet'
        option device 'br-lan.50'
        option proto 'none'

config bridge-vlan
        option device 'br-lan'
        option vlan '50'
        list ports 'lan1:t'

config interface 'Console'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'

etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Gast'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'Gast'

config zone
        option name 'IOT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'lan'
        option dest 'IOT'

config forwarding
        option src 'Gast'
        option dest 'wan'

config rule
        option name 'Gast DHCP en DNS'
        option src 'Gast'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config zone
        option name 'Telenet'
        option output 'ACCEPT'
        list network 'Telenet'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'Telenet'
        option dest 'wan'

config rule
        option name 'Telenet DHCP en DNS'
        option src 'Telenet'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config zone
        option name 'Console'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Console'
        option input 'REJECT'

config forwarding
        option src 'Console'
        option dest 'wan'

config rule
        option name 'Console DNS en DHCP'
        option src 'Console'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'Console'

config forwarding
        option src 'lan'
        option dest 'Telenet'

Start with just one segment and get that going. Once it works, add the second segment and so on. Start with only one VLAN and add the VLAN stuff later on. IMHO your configuration is at this stage too complex to fully debug.

Also, your VLAN information is not completely clear to me. You seem to have VLANs 10, 20, 30, 40 and 50, but the port configuration of the switches only shows the PVID, not which VLANs you have added to the trunk ports (I assume the ports with "T" are trunk). Maybe you are missing the VLANs on the trunk ports?

Then, on your OpenWrt device, VLAN 50 is only assigned to port 1 tagged. You said you would like to bridge it to your ISP modem. Which port is the ISP modem connected to? If it's wan, then you need to bridge VLAN 50 to wan, assuming your ISP modem supports multiple devices on its port.
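
On the OpenWrt side, the VLAN membership the reply above asks about can be read straight from the bridge-vlan sections of the network config. The script below is an added example, not part of the original thread; the function names `vlan_ports` and `vlan_has_port` and the sample excerpt are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): show which bridge ports carry each
# VLAN in an OpenWrt /etc/config/network file.

# Constructed sample: excerpt of the bridge sections from the posted config.
sample_network() {
cat <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '50'
        list ports 'lan1:t'
EOF
}

# Read a network config on stdin; print "<vlan> <port:flags> ..." per VLAN.
vlan_ports() {
    awk -v q="'" '
    function emit() { if (vid != "") print vid ports; vid = ""; ports = "" }
    { gsub(q, "") }                       # drop the UCI single quotes
    $1 == "config" { emit(); invlan = ($2 == "bridge-vlan"); next }
    invlan && $1 == "option" && $2 == "vlan" { vid = $3 }
    invlan && $1 == "list" && $2 == "ports" { ports = ports " " $3 }
    END { emit() }'
}

# Exit 0 if VLAN $1 has port $2 as a member (tagged or untagged), else 1.
vlan_has_port() {
    vlan_ports | awk -v v="$1" -v p="$2" '
    $1 == v { for (i = 2; i <= NF; i++) { split($i, a, ":"); if (a[1] == p) found = 1 } }
    END { exit !found }'
}

sample_network | vlan_ports
sample_network | vlan_has_port 50 wan || echo "VLAN 50 has no member port 'wan'"
```

On the router itself, run `vlan_ports < /etc/config/network` to get the same listing for the live config. A VLAN that lists only `lan1:t` is carried on the trunk to the switch and nowhere else on that device.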