Turn router into vlan aware switch only

This is wrong. The name of the bridge should remain br-lan, and the interface lan device would be br-lan.1.

Since this router does not have wifi or a front panel serial port, I would suggest during setup and testing to remove one of the "extra" Ethernet ports from the bridge and set up an administrative network on it. This network would have an IP address not used in any other networks, a DHCP server, and be in a firewall zone that allows input. Then you can connect your PC there and log into the router regardless of how the other ports are configured.

2 Likes

You are right. I looked through what he actually showed me; I changed the wrong name. Thanks for the catch!

As a management interface, could I simply duplicate the current lan section, give it a different IP and call it management instead, and leave it as br-lan? Then I would have the lan highway with VLAN highways running with it?

I think we were basically using vlan1 as management, though.

Good catch!

1 Like

I would (temporarily) remove a port like eth3 and use it only for admin. In case the bridge is broken you would still have access.

# (Don't have eth3 in br-lan device or any bridge-vlans yet)
config interface 'admin'
    option proto 'static'
    option ipaddr '192.168.85.1/24'

In /etc/config/dhcp, add an "admin" section that is a copy of lan with the name changed.
In /etc/config/firewall, add list network 'admin' to the lan zone.

Make these changes first then move the cable to your PC to port eth3 and log in at 192.168.85.1 for the rest of the setup process.

2 Likes

Don't forget to add the port here after removing it from br-lan:

config interface 'admin'
    option proto 'static'
    option ipaddr '192.168.85.1/24'
    option device 'eth3'

2 Likes
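Putting the two posts above together, this is what the three config files could look like for the eth3 admin port. It is an added example, not config from the thread; the bridge ports eth1/eth2 and the DHCP range are assumptions.

```uci
# /etc/config/network  (added example; eth1/eth2 as bridge members are assumed)
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1'
    list ports 'eth2'
    # eth3 is deliberately absent: it must not be in the bridge or any bridge-vlan

config interface 'admin'
    option proto 'static'
    option device 'eth3'
    option ipaddr '192.168.85.1/24'
    # CIDR form; equivalent to option netmask '255.255.255.0' (use one, not both)

# /etc/config/dhcp  (copy of the lan section with the name changed; range assumed)
config dhcp 'admin'
    option interface 'admin'
    option start '100'
    option limit '150'
    option leasetime '12h'

# /etc/config/firewall  (admin joins the lan zone, so input is accepted on it)
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'admin'
```

Because the admin interface is bound to eth3 directly rather than to br-lan, it keeps working even if a later edit to the bridge or bridge-vlan sections breaks br-lan.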

I notice you added a /24; is it important to add that? All of my current setup seems to omit the /xx.

I’m guessing it’s an implicit value from the 192. ?

There are two ways of specifying the size of the network:

  • subnet mask: option netmask '255.255.255.0'
  • CIDR: option ipaddr 'aaa.bbb.ccc.ddd/24'

Both are valid and achieve the same goal. But you should only use one or the other for any given network interface definition.

Oh I see, mine all include the 255.255.255.0, so I don’t have to specify /24, but I could shorten my code by using /24 in place of 255.255.255.0.

Do I need to set up DHCP for this interface, or just set a static on the PC?

You can set up a DHCP server for it, but that is not required.

Is there any major difference between setting up VLANs vs just unbridging the ports and doing a single interface per port? I think that would just be DSA subnetting?

The difference is about the port being treated completely independently.

If there is a syntax error on the bridge definition, it is possible the bridge won't come up (or may have unexpected behaviors). If that happens, all ports that are part of the bridge become inaccessible.

If all of your ports fail to function due to such an issue, there are two ways to fix the situation:

  • use failsafe mode
  • use a serial UART connection

By splitting out a port, this will ensure that the split-out port will operate regardless of the bridge status, making everything much easier (relative to failsafe or serial connections).

So my type of network segmentation is vlans. But the same could be done by splitting out all the ports? Is there any security differences between the 2 methods of segmentation?

There is a ton of nuance for the terminology and such around this (we can get into that if you want). But keeping it simple:

  • There is no security difference between using the ports individually vs as part of a bridge + bridge-vlan.
  • If you use the ports individually, you can assign exactly one port to each network.
  • If you wish to have multiple ports assigned with the same network, you must use a bridge to do so (a bridge is basically a software equivalent of a hardware switch).

I’m very interested in the different options for network segmentation; my network is evolving as I learn better practices.

If we apply the KISS method, what’s the simplest network setup that allows my single wan port to separate into 4 networks where I can define access via firewall rules?

There are a lot of options and methods. In the DSA context, using bridge-VLANs offers the maximum flexibility and does not have any security impact. The only real reasons to break a port out of the bridge is if:

  • the port will carry a network that will never be needed on any other port(s).
  • you need an easy management port that is not subject to the bridge (should you make a syntax error while editing). This is useful as you are learning and experimenting, and can be useful in some cases for the long term, but IMO, not needed in general.

You've already got that configured (or at least the recipe ready to be used) on the Pi -- a single device performing the routing functions with multiple subnets defined. From there, the subnets are trunked together to a managed switch (the ER-X) where they can then be assigned to the individual ports as needed.

The firewall on the Pi will handle all the allow/deny policies for inter-VLAN routing based on your needs. It can be as broad/simple or as granular/complex as you need or want.
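As an added example of the bridge-VLAN layout described above (not config from the thread or from OpenWrt's docs), two of the four networks are shown; the other two repeat the same pattern. The port names eth1/eth2, VLAN IDs and addresses are assumptions, and the stock wan zone and lan-to-wan forwarding are left untouched.

```uci
# /etc/config/network (added example; port names, VLAN IDs and addresses are assumed)
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1'
    list ports 'eth2'

# eth1 is the trunk to the managed switch and carries every VLAN tagged ('t');
# eth2 is an access port for VLAN 10 only, untagged and PVID ('u*').
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'eth1:t'
    list ports 'eth2:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'eth1:t'

# One interface per VLAN; the device name is the bridge plus the VLAN ID.
config interface 'lan'
    option device 'br-lan.10'
    option proto 'static'
    option ipaddr '192.168.10.1/24'

config interface 'iot'
    option device 'br-lan.20'
    option proto 'static'
    option ipaddr '192.168.20.1/24'

# /etc/config/firewall: one zone per network with forward 'REJECT'; traffic between
# networks flows only where a forwarding section allows it (here lan -> iot, not back).
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'iot'
    list network 'iot'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'iot'
```

Adding a third or fourth network is one more bridge-vlan section with 'eth1:t', one more interface on br-lan.<id>, and one more zone; nothing can cross between zones until a forwarding section (or a more specific rule) says so.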

Ok, I think I’m in a comfortable spot; time to go make some edits. Once I verify I can get one VLAN up and running, it’s just copy, paste, edit name and IP x the amount of ports I want.