Two simple VLANs cannot route

Hi,
I'm trying to use VLAN to make a guest network on my home router.
I keep the VLAN1 for home "lan" (with the DSL box, no WAN zone), and VLAN10 for "guest"
I've configured the firewall very simply today: forwarding is allowed between the lan and guest zones,
I can get my DHCP lease on "guest" network,
connect to Luci,
but I cannot route to the "lan" and beyond (DSL..)

I've searched for similar problem, but I don't see any...
It must be so stupid... I don't understand my mistake.
The problem happens when I plug my computer into a port (lan4) that is untagged on VLAN 10; the same happens with Wi-Fi, but I wanted to keep it simple with a cable (no question about Wi-Fi).
I've tried to disable STP and IGMP snooping, but no better.

Here are the config;
I've removed some IPv6 addresses... the IPv4 ones are too banal.
All is made via Luci...

network:


# OpenWrt UCI /etc/config/network as first posted: a single bridge (br-lan)
# carrying VLAN 1 ("lan", shared with the DSL box) and VLAN 10 ("guest").
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# 'uuuu:vvvv' is a redaction made for the post, not a real ULA prefix
	option ula_prefix 'fd51:uuuu:vvvv::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option stp '1'
	option igmp_snooping '1'

# 'lan' is a DHCP client on VLAN 1: the DSL box hands out the IPv4 address and
# default route, since this router has no WAN zone of its own.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
	option delegate '0'

config interface 'lan6'
	option device 'br-lan.1'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option delegate '0'
	# no IPv6 default route is taken from DHCPv6/RA; the static route6 below supplies it
	option defaultroute '0'
	option reqaddress 'try'

# Static IPv6 default route via the DSL box's link-local address (redacted in the post).
config route6
	option interface 'lan6'
	option target '::/0'
	option gateway 'fe80::tttt:zzzz:xxxx:yyy'

# VLAN 1: lan1-3 untagged with PVID ('u*'), lan4 tagged ('t').
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

# VLAN 10: the mirror image - lan4 untagged with PVID, lan1-3 tagged, so every
# port is a member of both VLANs. Caveat: because lan4 is a tagged member of
# VLAN 1, a client on the "guest" port that sends 802.1Q frames tagged VID 1 is
# bridged straight onto the home LAN; the layout isolates only untagged traffic.
# The final config later in the thread drops the tagged memberships.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:u*'

# Router's own IPv4 address on the guest subnet.
config interface 'guest'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'

config interface 'guest6'
	option proto 'dhcpv6'
	option device 'br-lan.10'
	option reqaddress 'try'
	option reqprefix 'auto'
	option delegate '0'
	# keep the interface configured regardless of carrier state
	option force_link '1'

firewall

# /etc/config/firewall as first posted. Nothing here rewrites source addresses:
# guest 192.168.10.0/24 packets are forwarded unchanged to the DSL box, which
# (as the reply below points out) has no route back and most likely drops them.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	# inter-zone traffic is denied unless a 'forwarding' section allows it
	option forward 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan6'

# Guest zone. 'input ACCEPT' lets guest clients reach every service running on
# the router itself (the post confirms LuCI is reachable from guest); a guest
# zone is usually set to REJECT input with explicit allow rules for DHCP and DNS.
config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'
	list network 'guest6'

# guest -> lan forwarding: guest clients can reach the home LAN and the DSL box.
# Needed here because the internet sits behind the DSL box on VLAN 1, but it
# also removes the isolation a guest network is meant to provide.
config forwarding
	option src 'guest'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'guest'

The active route seems OK, and I've tried to add a 0.0.0.0/32 route to my box, but no better...

Device	Target	Gateway	Metric	Table	Protocol
guest	192.168.10.0/24	-	0	main	
lan	0.0.0.0/0	192.168.0.254	0	main	
lan	192.168.0.0/24	-	0	main

guest6 IPV6 interface does not work, but I suspect it's because the routing/forwarding does not work...

I'm so sorry, it must be really stupid... it is so simple, I really missed something.

You have enabled "forwarding" from GUEST to LAN. That means that the main router will receive packets coming from the guest network, with a private IP address outside of what it considers as its LAN, and it's probably rejecting all the traffic.

Ah, yes, I forgot that.
I've tested various mixes of masquerade, but I did not reboot in between,
and this was the key.
It appears I also need to accept and masquerade from LAN to GUEST, at least for ping

Now I only need to solve the IPV6 problem, but it's more rational now.

Here are the 2 corrected sections of "firewall"

THANKS

# Corrected zones: 'masq 1' on lan source-NATs guest traffic leaving toward the
# DSL box to the router's lan address, so the box never sees 192.168.10.x.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan6'
	option masq '1'

# 'masq 1' on guest NATs lan -> guest traffic as well (the poster needed it for
# ping). Side effect: guest clients see all lan traffic as coming from the
# router's guest address, so nothing on the guest side can tell lan hosts apart.
config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'
	list network 'guest6'
	option masq '1'

For IPV6 it was the same problem (I need to change my glasses)
I needed to configure NDP proxy on the LAN6 interface, and configure MASQ6 on the firewall.

EDIT2: after a while, it stopped working. It worked again, but not after a reboot of the router... then it worked after the router's reboot, but not after a laptop reboot...
Currently it works toward the internet outside, toward the DSL box, but not toward the local network.
IPV6 is a hell when you don't master it (I don't)...
I'll try to push something that works for noobs like me, but it's not yet perfect.

For French users, this is on a Freebox Revolution, without using either prefix delegation or DHCPv6 from the Freebox.

Here is my config. There is no security yet...

network:

# /etc/config/network, second iteration: IPv6 now comes from the router's own
# ULA prefix (ip6assign + ip6class local) instead of DHCPv6 on the guest side.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# ULA /48 from which ip6assign carves per-interface /64s below
	option ula_prefix 'fd51:e8f4:ef7b::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option stp '1'
	option igmp_snooping '1'

# DHCP client toward the DSL box on VLAN 1 (no WAN zone on this router).
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
	option delegate '0'

config interface 'lan6'
	option device 'br-lan.1'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'
	option delegate '0'
	# IPv6 default route comes from the static route6 below, not from DHCPv6/RA
	option defaultroute '0'
	# also assign a /64 out of the ULA ('local' class only) on the lan side
	option ip6assign '64'
	list ip6class 'local'

# Static IPv6 default route via the DSL box's link-local address.
config route6
	option interface 'lan6'
	option target '::/0'
	option gateway 'fe80::f6ca:e5ff:fe50:c13'

# VLAN 1: lan1-3 untagged with PVID, lan4 tagged.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

# VLAN 10: lan4 untagged with PVID, lan1-3 tagged. Same caveat as before: every
# port carries both VLANs, so a client that tags its own frames is not confined
# to the VLAN its port is untagged on.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:u*'

# Guest subnet moved to 192.168.2.0/24; the router is .1 and also gets a ULA /64.
config interface 'guest'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'local'

# Disabled: a default route out of the guest interface was tried and turned off.
config route6
	option interface 'guest'
	option target '::/0'
	option gateway 'fe80::f6ca:e5ff:fe50:c13'
	option disabled '1'

firewall:

# /etc/config/firewall, second iteration: IPv4 and IPv6 masquerade on both
# zones. masq6 NATs the guest ULA addresses because the DSL box does not (easily)
# delegate a prefix, per the poster.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	# inter-zone traffic is denied unless a 'forwarding' section allows it
	option forward 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'
	list network 'lan6'
	option masq6 '1'

# The guest6 interface is gone from the network config, so the zone now lists
# only 'guest'; its ULA /64 comes from ip6assign on that same interface.
# 'input ACCEPT' still exposes every router service to guest clients.
config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'guest'
	option masq6 '1'

# guest -> lan forwarding: guest clients reach the home LAN, not just the DSL box.
config forwarding
	option src 'guest'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'guest'

Finally, it works,
the cause was on the Windows side: the drivers are not VLAN-aware by default (all VLANs were passed to the Windows network stack)...
see Multicast relayed to windows client switch despite VLAN isolation
I removed the tagged VLANs from the Ethernet ports, as Windows drivers don't separate them by default.

This is how I succeeded in making a guest subnetwork with my Freebox DSL router, which does not (easily) allow prefix delegation (there is a way to delegate a full separate prefix, described elsewhere).

Here is the network that works: the guest network uses an IPv6 ULA prefix, IPv6 masquerade, an RA server and a DHCPv6 server... similar to IPv4 in fact.

The only strange thing is the need for a default route to the DSL box from the lan zone, while "use default router" should be disabled on the lan6 interface. But it works.


# Final working /etc/config/network. Each switch port now belongs to exactly
# one VLAN, untagged: lan1-3 on VLAN 1 (home LAN + DSL box), lan4 on VLAN 10
# (guest). The earlier tagged-plus-untagged mix was what the non-VLAN-aware
# Windows driver tripped over, and it also let a client that tags its own
# frames reach the other VLAN; both go away with this layout.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# ULA /48; the guest /64 below is carved out of it
	option ula_prefix 'fd51:e8f4:ef7b::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option stp '1'
	option igmp_snooping '1'

# DHCP client toward the DSL box on VLAN 1 (no WAN zone on this router).
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
	option delegate '0'

config interface 'lan6'
	option device 'br-lan.1'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'
	option delegate '0'
	# default route is not taken from RA/DHCPv6; the static route6 at the end supplies it
	option defaultroute '0'

# VLAN 1: ports listed without a ':u*'/':t' suffix; the poster removed the
# tagged memberships, so these are presumably plain untagged members.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# VLAN 10: only lan4, so a guest client never sees VLAN 1 frames.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan4'

# Guest subnet 192.168.2.0/24 (router is .1) plus a ULA /64 for IPv6.
config interface 'guest'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'local'

# Static IPv6 default route via the DSL box's link-local address. The poster
# notes this is still needed even though lan6 has defaultroute '0'.
config route6
	option interface 'lan6'
	option target '::/0'
	option gateway 'fe80::f6ca:e5ff:fe50:c13'

Here is the firewall config, nothing much beyond the IPv4/IPv6 masquerade.
I should filter more now.


# Final /etc/config/firewall. Works, but as the poster says, it does not filter
# much yet: guest clients can still reach the router's services and the home LAN.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	# inter-zone traffic is denied unless a 'forwarding' section allows it
	option forward 'DROP'
	# drop packets conntrack classifies as INVALID
	option drop_invalid '1'

# Zone 'forward' governs traffic between networks of the same zone; lan and
# lan6 share one bridge, so DROP here changes little in practice.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'lan'
	list network 'lan6'
	option masq6 '1'
	option masq '1'

# Guest zone. 'input ACCEPT' exposes every router service (LuCI, SSH, DNS, DHCP)
# to guest clients; the usual hardening is 'input REJECT' plus rules allowing
# only DHCP (udp/67), DNS (53) and, for IPv6, DHCPv6 (udp/547). masq/masq6 hide
# guest addresses behind the router on the way out.
config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'
	option masq '1'
	option masq6 '1'

# guest -> lan forwarding. It cannot simply be removed, because the internet is
# reached through the DSL box on the lan side; isolating guests would instead
# need a rule rejecting guest traffic to 192.168.0.0/24 except the DSL box
# (192.168.0.254 in the route table above).
config forwarding
	option src 'guest'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'guest'

dhcp config is:


# Final /etc/config/dhcp: dnsmasq serves DNS/DHCPv4, odhcpd serves RA/DHCPv6.
# IPv4 leases are handed out only on 'guest'; on 'lan' the DSL box presumably
# remains the DHCP server (this router is itself a DHCP client there).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# refuse upstream answers that point into private ranges (DNS rebinding protection)
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# only answer DNS queries from directly attached subnets
	option localservice '1'
	option ednspacket_max '1232'

# ignore '1': no DHCPv4 server on lan; the range options below are inert.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# No RA/DHCPv6 service on lan6 either (ignore '1').
config dhcp 'lan6'
	option interface 'lan6'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra_useleasetime '1'
	option preferred_lifetime '5m'

# Guest: DHCPv4 pool 192.168.2.96 - 192.168.2.254 (start 96, limit 159),
# plus RA and stateful DHCPv6 for the ULA /64.
config dhcp 'guest'
	option interface 'guest'
	option start '96'
	option limit '159'
	option leasetime '12h'
	option ra_useleasetime '1'
	# start the DHCP server even if another one is detected on the segment
	option force '1'
	option preferred_lifetime '12h'
	option ra 'server'
	# announce this router as IPv6 default gateway even without a public (GUA)
	# address - presumably needed because guest only has the ULA prefix; confirm
	option ra_default '1'
	# M and O flags: clients obtain addresses and options via DHCPv6
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

Hope this helps...
