Trying to configure router in one shot over single LAN interface

I am trying to use a Linksys WHW03v2 router and AP to act as the main router for my home LAN. The main problem is that it has just a single lan port and a single wan port. Therefore I am trying to get the network, firewall, wireless and dhcp config files right in one shot!

I will admit that I had this working briefly and then a very minor change to the openwrt (related to avahi) basically bricked the configuration and I had to reset to defaults and start again. After another frustrating day I've decided to throw myself on the mercy of this forum.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '000407ea4406edd645e2a2d44fa778fafcb6'
	option ula_prefix 'fd77:4dea:55af::/48'
	option packet_steering '1'

# Trunk bridge - lan port only
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

# Home bridge - home wireless interfaces
config device
	option name 'br-home'
	option type 'bridge'
	list ports 'phy1-ap0'
	list ports 'phy2-ap0'

# Guest bridge - guest wireless interfaces
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'phy1-ap1'
	list ports 'phy2-ap1'

# IoT bridge - iot wireless interfaces
config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'phy1-ap2'
	list ports 'phy2-ap2'

# VLAN 10 - home trunk
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan:t'

# VLAN 20 - guest trunk
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan:t'

# VLAN 30 - iot trunk
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan:t'

# Home interface - VLAN 10 trunk + wireless bridge
config interface 'home'
	option proto 'static'
	option ipaddr '192.168.10.254'
	option netmask '255.255.255.0'
	option device 'br-lan.10'
	option bridge_empty '1'

# Guest interface - VLAN 20 trunk + wireless bridge
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.20.254'
	option netmask '255.255.255.0'
	option device 'br-lan.20'
	option bridge_empty '1'

# IoT interface - VLAN 30 trunk + wireless bridge
config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.30.254'
	option netmask '255.255.255.0'
	option device 'br-lan.30'
	option bridge_empty '1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

dhcp:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'home'
	option interface 'home'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '50'
	option leasetime '1h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '100'
	option leasetime '24h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

wireless (with passwords removed)

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/40000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option channel '100'
	option htmode 'VHT80'

config wifi-iface 'home_radio0'
	option device 'radio0'
	option network 'home'
	option mode 'ap'
	option ssid 'hlan'
	option encryption 'psk2'
	option key 'YOUR_HOME_PASSWORD'

config wifi-iface 'guest_radio0'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'hstead'
	option encryption 'psk2'
	option key 'YOUR_GUEST_PASSWORD'

config wifi-iface 'iot_radio0'
	option device 'radio0'
	option network 'iot'
	option mode 'ap'
	option ssid 'sloth'
	option encryption 'psk2'
	option key 'YOUR_IOT_PASSWORD'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'VHT20'

config wifi-iface 'home_radio1'
	option device 'radio1'
	option network 'home'
	option mode 'ap'
	option ssid 'hlan'
	option encryption 'psk2'
	option key 'YOUR_HOME_PASSWORD'

config wifi-iface 'guest_radio1'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ssid 'hstead'
	option encryption 'psk2'
	option key 'YOUR_GUEST_PASSWORD'

config wifi-iface 'iot_radio1'
	option device 'radio1'
	option network 'iot'
	option mode 'ap'
	option ssid 'sloth'
	option encryption 'psk2'
	option key 'YOUR_IOT_PASSWORD'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'

config wifi-iface 'home_radio2'
	option device 'radio2'
	option network 'home'
	option mode 'ap'
	option ssid 'hlan'
	option encryption 'psk2'
	option key 'YOUR_HOME_PASSWORD'

config wifi-iface 'guest_radio2'
	option device 'radio2'
	option network 'guest'
	option mode 'ap'
	option ssid 'hstead'
	option encryption 'psk2'
	option key 'YOUR_GUEST_PASSWORD'

config wifi-iface 'iot_radio2'
	option device 'radio2'
	option network 'iot'
	option mode 'ap'
	option ssid 'sloth'
	option encryption 'psk2'
	option key 'YOUR_IOT_PASSWORD'

and finally firewall - note that the last rule is an attempt to keep access to the router while the wan port is plugged into my existing, minimal home lan. This is currently working but I will of course remove the rule before connecting it to my ISP!

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT

# Home zone - full access
config zone
	option name		home
	list network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# Guest zone - internet only
config zone
	option name		guest
	list network		'guest'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT

# IoT zone - LAN only, no internet
config zone
	option name		iot
	list network		'iot'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT

# WAN zone
config zone
	option name		wan
	list network		'wan'
	list network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		DROP
	option masq		1
	option mtu_fix		1

# Forwarding rules
config forwarding
	option src		home
	option dest		wan

config forwarding
	option src		guest
	option dest		wan

# Block inter-network traffic
config rule
	option name		block-guest-to-home
	option src		guest
	option dest		home
	option target		REJECT

config rule
	option name		block-guest-to-iot
	option src		guest
	option dest		iot
	option target		REJECT

config rule
	option name		block-iot-to-home
	option src		iot
	option dest		home
	option target		REJECT

config rule
	option name		block-iot-to-guest
	option src		iot
	option dest		guest
	option target		REJECT

# Allow DHCP on all internal zones
config rule
	option name		Allow-DHCP-home
	option src		home
	option proto		udp
	option dest_port	67-68
	option target		ACCEPT

config rule
	option name		Allow-DHCP-guest
	option src		guest
	option proto		udp
	option dest_port	67-68
	option target		ACCEPT

config rule
	option name		Allow-DHCP-iot
	option src		iot
	option proto		udp
	option dest_port	67-68
	option target		ACCEPT

# Standard WAN rules
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

####### WARNING! MUST BE REMOVED BEFORE CONNECTING TO ISP ######
config rule
	option name 'Allow-SSH-wan'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '22'
	option proto 'tcp'
	option family 'ipv4'
################################################################

I can connect to the wifi network "hlan" and ping an external IP address but not the 192.168.10.254 gateway. There are minor problems with the "hstead" network too.

My primary question is, am I doing this right? Are there any glaring errors? particularly in the "network" and "wireless" files where I am least confident.

Many thanks for any and all advice/pointers.

G

Just glancing through this, you have a bunch of errors -- some more serious than others. I haven't done a complete review, but this config will not work as expected, so don't try to implement what you have here.

I would highly recommend that you do not attempt to do this "in one shot" as there is really no reason to do so. It's much better to build the setup one network at a time, with the most critical part being the transition from using the base br-lan to using the bridge-vlans (br-lan.x).

With that being said... what is downstream of this device? Specifically, what is connected to the lan port of the router?

Why don't you move one step at a time?!

The lan port is connected to a Netgear switch (vlan trunk). That seems to work as expected.

Is this a managed switch? What is the model?

Yes, managed. JGS516PE.

Ok... so build one additional network at a time.

Start by creating a bridge-vlan for the main lan and moving the lan interface to use br-lan.x where x is the VLAN ID. Don't make any other changes at this point.

Ok. Thanks. I won't be able to look at this tomorrow but I'll try to get some time on Sunday. I'll reset to defaults, enable ssh access via the wan port and do as you suggest.

No, don't do this. This is a very bad idea. Why do you want to expose ssh to the internet?

Not to the internet. Just to the existing lan. Because I only have the one LAN port I need a way of retaining access when configuring tagged vlans. Configuring this temporary access saves a lot of resets and reconfiguration. I will of course remove it before the router goes into production.

internet - existing router - switch (tagged) - wan port - new router - LAN port - switch (untagged)

Make sense?

It's late here, signing off for tonight.

Oh... ok, as long as the wan port on the OpenWrt side is connecting to a trusted network. That said, it might be easier to setup a wifi network (that is not attached to ethernet) as a backup management interface. Basically a guest wifi network but with no firewall restrictions (simple method is to add it to the lan zone).

ok I'm coming back to this today. I guess the forum topic is now inaccurate as I've found a way to stay connected to the router (via the wan interface) while I configure the tagged vlans.

to recap: I have the new router's wan interface connected to my existing lan while I configure it via ssh (I have a temporary firewall rule allowing ssh access to the wan interface).

I have my switch configured with untagged 802.11q mostly untagged ports with PVID 10. I have a tagged trunk port configured with VLANs 10, 20 and 30 for home, guest and iot networks.

I have connected the new router's lan port to the switch trunk port.

I have worked up "network", "firewall" and "dhcp" config files which I will paste here.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '000422b2fb698d6b41149b799d4e9c08e49a'
	option ula_prefix 'fd54:1ae5:c67a::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config bridge-vlan
	option device 'br-lan'
	option vlan 10
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan 20
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan 30
	list ports 'lan:t'
	
config interface 'home'
	option device 'br-lan.10'
	option proto 'static'
	list ipaddr '192.168.10.254/24'

config interface 'guest'
	option device 'br-lan.20'
	option proto 'static'
	list ipaddr '192.168.20.254/24'

config interface 'iot'
	option device 'br-lan.30'
	option proto 'static'
	list ipaddr '192.168.30.254/24'
	
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option multipath 'off'
	list ipaddr '192.168.2.1/24'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	list   network		'home'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name	'guest'
	list network	'guest'
	option input	'REJECT'
	option output 	'ACCEPT'
	option forward	'REJECT'

config zone
	option name	'iot'
	list network	'iot'
	option input	'REJECT'
	option output	'ACCEPT'
	option forward	'REJECT'

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		DROP
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

config forwarding
	option src		guest
	option dest		wan

config rule
	option name 'Allow-guest-dhcp'
	option src	'guest'
	option proto	'udp'
	option dest_port	'67'
	option family 		'ipv4'
	option target		'ACCEPT'

config rule
	option name 'Allow-guest-dns'
	option src	'guest'
	option dest_port	'53'
	option family 		'ipv4'
	option target		'ACCEPT'

config rule
	option name 'Allow-iot-dhcp'
	option src	'iot'
	option proto	'udp'
	option dest_port	'67'
	option family 		'ipv4'
	option target		'ACCEPT'

config rule
	option name 'Allow-iot-dns'
	option src	'iot'
	option dest_port	'53'
	option family 		'ipv4'
	option target		'ACCEPT'
	
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


####### WARNING! MUST BE REMOVED BEFORE CONNECTING TO ISP ######
config rule
	option name 'Allow-SSH-wan'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '22'
	option proto 'tcp'
	option family 'ipv4'
################################################################

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

#config dhcp 'lan'
#	option interface 'lan'
#	option start '100'
#	option limit '150'
#	option leasetime '12h'
#	option dhcpv4 'server'
#	option dhcpv6 'server'
#	option ra 'server'
#	list ra_flags 'managed-config'
#	list ra_flags 'other-config'
#	option ra_preference 'medium'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '50'
	option leasetime '1h'
	option dhcpv4 'server'

config dhcp 'iot'
	option interface 'iot'
	option start '10'
	option limit '150'
	option leasetime '24h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

You will notice that I have disabled dhcp on the "lan" network for fear of it interfering with the existing lan provided by the existing router (192.168.1.0/24). This may be over-cautious as there are a limited number of hosts with wired connections for now.

Do those files look reasonable? Can you provide some advice for associating those vlans with SSIDs in the wireless configuration?

Many thanks!

G

adding wifi seemed to be easier than expected:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/40000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option channel 'auto'
	option htmode 'VHT80'

config wifi-iface 'home_radio0'
	option device 'radio0'
	option network 'home'
	option mode 'ap'
	option ssid 'flash'
	option encryption 'psk2'
	option key redacted
	option disabled '0'

config wifi-iface 'guest_radio0'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'homestead'
	option encryption 'psk2'
	option key redacted
	option disabled '0'

config wifi-iface 'iot_radio0'
	option device 'radio0'
	option network 'iot'
	option mode 'ap'
	option ssid 'sloth'
	option encryption 'psk2'
	option key redacted
	option disabled '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'VHT20'

config wifi-iface 'home_radio1'
	option device 'radio1'
	option network 'home'
	option mode 'ap'
	option ssid 'flash'
	option encryption 'psk2'
	option key redacted
	option disabled '0'

config wifi-iface 'guest_radio1'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ssid 'homestead'
	option encryption 'psk2'
	option key redacted
	option disabled '0'

config wifi-iface 'iot_radio1'
	option device 'radio1'
	option network 'iot'
	option mode 'ap'
	option ssid 'sloth'
	option encryption 'psk2'
	option key redacted
	option disabled '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'

config wifi-iface 'home_radio2'
	option device 'radio2'
	option network 'home'
	option mode 'ap'
	option ssid 'flash'
	option encryption 'psk2'
	option key redacted
	option disabled '0'

config wifi-iface 'guest_radio2'
	option device 'radio2'
	option network 'guest'
	option mode 'ap'
	option ssid 'homestead'
	option encryption 'psk2'
	option key redacted
	option disabled '0'

config wifi-iface 'iot_radio2'
	option device 'radio2'
	option network 'iot'
	option mode 'ap'
	option ssid 'sloth'
	option encryption 'psk2'
	option key redacted
	option disabled '0'

I've also now enabled dhcp on vlan 10.

This seems to be working as expected. Any comments on my configuration would be most welcome.