I got an Openwrt router with 3 ethernet ports:
-eth0 is my WAN port to the Internet
-eth1 is my LAN
-eth2 i would like it to be a trunk port
There are 4 different routers that i would like to access through their LAN. Laptops/mobiles from eth1 (on the left hand side) to be able to access all the 4 routers (on the right hand side).
So i got my self a managed router and create 5 ports on it:
-port 0:trunk port
-port 1: vlan 10
-port 2: vlan 20
-port 3: vlan 30
-port 4: vlan 40
i am stuck how to configure OpenWRT's eth2 as my trunk port, and be able to see all the vlans from the LAN in eth1. Here is a network topology diagram.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
root@APU_orange: ~ $ ubus call system board
{
"kernel": "5.15.137",
"hostname": "APU_orange",
"system": "AMD G-T40E Processor",
"model": "PC Engines apu1",
"board_name": "pc-engines-apu1",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "x86/64",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
root@APU_orange: ~ $
cat /etc/config/network
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.160.1'
config interface 'WAN_pppoe'
option proto 'pppoe'
option device 'eth0'
option username 'atux'
option password 'xyzabc'
option ipv6 '0'
config interface 'Modem_check'
option proto 'static'
option ipaddr '192.168.178.27'
option netmask '255.255.255.0'
option device 'eth0'
config interface 'Subnet2_1_1'
option proto 'static'
option device 'eth2'
option ipaddr '192.168.1.250'
option netmask '255.255.255.0'
The VLANs should not be able to communicate to each other. Only br-lan should be able to see the networks on the VLAN.
It looks like you don't have VLANs 20, 30, and 40 configured yet. It should be pretty simple to do.
Add this to your network config:
config interface 'vlan20'
option proto 'static'
option device 'eth2.20'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
config interface 'vlan30'
option proto 'static'
option device 'eth2.30'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
config interface 'vlan40'
option proto 'static'
option device 'eth2.40'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
You'll probably want to setup DHCP servers for each of these networks, too.
Then, the firewall configuration is what will give these networks the ability (or lack thereof) to connect to each other and/or the internet (and/or to the router itself). The specifics of this setup entirely depend on your goals.
That said, as a starting point, I'd recommend that you create a new firewall zone for these three networks. Set input = accept, output = accept, and forward = reject. Allow forwarding from this new zone to the wan zone. This will give all three zones connectivity to the internet, but not to each other. They will be able to reach the router itself.
This can all be adjusted based on your goals.
