I have evolved into a new setup and will now be using my EdgeRouter X as a VLAN-aware switch:
ISP modem feeds ->
RPi4 running OpenWrt with IP 192.168.1.1, which will feed ->
EdgeRouter X in VLAN-aware switch mode, which will feed ->
GS108 gigabit switch.
The Pi is up and running normally already, using a USB adapter, and I'm replacing the UE306 with a UE300 for stability's sake.
What config do I need to set up on the Pi to enable 3 VLANs and then pass them through the second router (in VLAN-aware switch mode only)?
VLAN 10 will be for my personal network and server (desktop PC and server PC, nothing else currently).
VLAN 20 will be my wifi, which is in bridge mode and passes all info directly to the router (MR7340 in bridge mode).
VLAN 30 will be 1 port to my work laptop.
There are 5 ports total on the EdgeRouter X: 0 = in, 1 = VLAN 10 feeding the GS108, 2 = VLAN 20, 3 = VLAN 30, 4 = future expansion.
My brain says that because I'm using port VLANs I can have a dumb switch behind one port and all devices on that dumb switch can use the VLAN, right?
Special considerations for setup on the switch portion? Or a link to a similar guide?
Set up new network interfaces in the /etc/config/network file. For each of them, use dotted notation ethx.y, where x is the ethernet port (either 0 or 1, depending on which one you are using for the lan side vs the wan) and y is the VLAN ID. So you'll have, for example, eth0.10 for VLAN 10 (assuming that the built-in port -- eth0 -- is the lan side).
You'll also set up DHCP servers (usually desired) and associate the networks with firewall zones along with the desired firewall rulesets.
Then you'll connect to the ER-X with a mirrored configuration with respect to the VLANs expected on the uplink port, but the details there depend on whether you are running EdgeOS or OpenWrt on that device.
Both devices will be OpenWrt, so I want to make the EdgeRouter X forget how to be a router and learn how to be a managed VLAN-aware switch.
Can you show me a network config for a single VLAN setup? I can extrapolate after that. I think I saw one in another post you commented on along a similar vein.
I know I'll need firewall rules and DHCP setup for each network, but I know I have to remove routing features from the switch and bridge the ports together.
I could find some threads, but I actually like to work directly on your actual config. If you post your /etc/config/network files from each of the devices, I can show you a quick example.
Part 1, THE PI: installed and configured irqbalance, installed USB 3 drivers and the USB ethernet adapter driver, Cloudflare DNS set up (turned off peer DNS in wan and wan6, set custom DNS in lan settings), enabled packet steering and enabled SQM; plans to add luci_adblock soon.
In total I'd like to configure 3 VLANs, and on the switch 1 port for each VLAN (10, 20, 30), and then 1 normal LAN port.
(NETWORK)
root@openwrt:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc4:5204:2fcd::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
(DHCP)
root@openwrt:~# cat /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
(FIREWALL)
root@openwrt:~# cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
And for now, just put this new network in the lan firewall zone (this can be changed later, but it reduces the variables at play during initial setup and testing):
config zone
	option name 'lan'
	list network 'lan'
	list network 'vlan10'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
You'll repeat the same process for the other VLANs, but don't do that until you test to make sure this one is working as expected and you've got a corresponding config for the ER-X (I can help there, too).
I'm slowly working on hooking up the ER-X for file dumps, but it's primarily a stock "router setup" right now. Are there any preparation steps to dumb it down? Or will that all be part of the VLAN creation process?
The ER-X is actually pretty simple... just post the network config file as it is right now and we can make a few quick edits. No other files are necessary.
First, we'll remove eth0 from the wan and add it to br-lan.
Delete this:
Add eth0 to the bridge:
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
Now we will make some bridge-VLANs. We'll keep the current lan on vlan1 and ports eth0 and eth4 for now so that you don't lock yourself out of the device (vlan1 can be removed when it is no longer needed for config purposes).
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'
	list ports 'eth4:u*'
Now we can edit the lan on the ER-X to use br-lan.1.
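A small checker for the bridge-vlan table above, added here as an example rather than taken from this thread or from OpenWrt itself: it parses a /etc/config/network fragment in UCI syntax and flags the two copy-paste mistakes that lock people out at this step, a port listed in a bridge-vlan that is not a member of the bridge, and a port given the PVID (`*` suffix) on more than one VLAN. The SAMPLE string is a constructed copy of the ER-X config shown above.

```python
"""Added example (not from the thread): check an OpenWrt DSA bridge-vlan config
in UCI syntax for port and PVID mistakes before committing it on the ER-X."""
import re
# Constructed sample of the thread's br-lan: VLAN 1 untagged on eth0/eth4, VLAN 10 tagged on eth0, untagged on eth1.
SAMPLE = """config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'
    list ports 'eth1'
    list ports 'eth4'
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'eth0:t'
    list ports 'eth1:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'eth0:u*'
    list ports 'eth4:u*'
"""

def parse_uci(text):
    # Returns [(section_type, {key: value or [values]})] in file order.
    sections = []
    for kind, key, val in re.findall(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:  # 'list' keys repeat, so collect them
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def check_bridge_vlans(text):
    # Returns a list of problems; an empty list means the VLAN table is consistent.
    sections = parse_uci(text)
    bridges = {s["name"]: set(s.get("ports", [])) for t, s in sections
               if t == "device" and s.get("type") == "bridge"}
    pvid, problems = {}, []  # pvid: port -> the single VLAN carrying its PVID
    for t, s in sections:
        if t != "bridge-vlan":
            continue
        br, vid = s.get("device"), s.get("vlan")
        for entry in s.get("ports", []):
            port, _, flags = entry.partition(":")  # e.g. 'eth1:u*'
            if port not in bridges.get(br, ()):
                problems.append(f"vlan {vid}: {port} is not a port of {br}")
            if "*" in flags and pvid.setdefault(port, vid) != vid:
                problems.append(f"{port}: PVID on both vlan {pvid[port]} and {vid}")
    return problems
```

Run it against the real file with `check_bridge_vlans(open("/etc/config/network").read())` before `uci commit`; an empty list is the result you want.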
I think the end goal will be 1 trunked port and 4 VLAN subnets (10.1, 20.1, 30.1 and 40.1); then I think I want to set up firewall rules to eliminate all inter-VLAN traffic, giving me 4 virtual networks. The AP I have running still has the ability to broadcast a guest network within itself with client isolation enabled; I think this covers my wifi security well enough when coupled with the VLAN routing.
The VLAN 10 port is going to feed an 8-port GS108 autosensing dumb switch. Because I'm going port-level for the VLANs, I shouldn't have to worry about traffic in the switch; it will just all be on VLAN 10, correct? I would like to maintain IPv6 support (but I'm pretty sure that if the Pi has it enabled it will pass through automatically?).
VLAN 1 is untagged on the switch, so there is no tag on the pi that needs to be defined in this particular case. We needed to define it on the switch because of the way that the bridge-vlans work.
Yes
Yes, exactly. You'll see VLAN 10 (192.168.10.0/24) on port eth1, and VLAN 1 (which may not be kept in the long term) on port eth4.