Two VLANs and subnets - OpenWrt

Hello OpenWRT community,

I am new to the OpenWrt world and I need some help, so I hope somebody can help me :slight_smile:

My final goal is to have 2 VLANs on the same port, but for starters I am just trying to create 2 VLANs with two subnets.

So, this router running OpenWrt is connected to the primary router (from the ISP), which is on 192.168.1.1 (the LAN cable goes from port 2 on the ISP router to port 4 on the OpenWrt router).
The setup I have done so far:
The standard LAN interface is set to 192.168.1.3 and DHCP is disabled (since it is getting it from the ISP router), and VLAN 1 is attached to eth0 (CPU) and the lan3 and lan4 ports.
I have also added a LAN2 interface (192.168.2.1, DHCP enabled) and VLAN 10, which is attached to lan1, lan2 and the eth0 (CPU) port.
I have also created a firewall zone LAN2 with LAN2 as its covered interface, and I have also set it to allow forwarding to and from other zones.

So far, when I connect my PC to the lan1 or lan2 port, I get an IP address and I can open the LuCI interface via 192.168.2.1, but that is all. This PC cannot get to the internet (which is what I want it to do).

I think the problem is in the routing tables?
Or maybe it is the ISP router which does not recognize VLANs (do I need additional inter-VLAN routing?)?

Here is a screenshot, and some config files, if you need anything else let me know.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8b:8898:f1b6::/48'

# 'lan' bridges BOTH VLAN devices (eth0.1 and eth0.10) into a single L2 segment,
# while the 'LAN2' interface further down claims eth0.10 on its own. One device
# cannot be a bridge member and a standalone interface at the same time, and the
# bridge collapses the two VLANs back into one broadcast domain.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.1'
        option ifname 'eth0.1 eth0.10'
        option stp '1'

# wan/wan6 live on eth1.2. Per the replies in the thread the ISP router is cabled
# to a lan-side port in this setup, so these interfaces carry no upstream link here.
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Port 5 is tagged in VLAN 1 and VLAN 10, port 6 in VLAN 2; presumably these are
# the CPU ports behind eth0 and eth1 respectively — confirm against the device's
# switch layout.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '5t 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '5t 0 1'

# Second subnet. No gateway is set, so LAN2 hosts can only reach upstream through
# the default route that 'lan' installs (via 192.168.1.1).
config interface 'LAN2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.10'

# Static route for 192.168.2.1/24 (the router's own LAN2 network) via 192.168.1.3
# (the router's own lan address) bound to the LAN2 interface. The network is already
# directly connected on eth0.10 and the gateway is not on LAN2, so this entry adds
# nothing. Per the replies, the route that is actually missing is on the ISP router
# (towards 192.168.2.0/24), which this device cannot install.
config route
        option interface 'LAN2'
        option netmask '255.255.255.0'
        option gateway '192.168.1.3'
        option target '192.168.2.1'

and firewall rules:

root@OpenWrt:~# cat /etc/config/firewall

# Global policies. OpenWrt ships with forward 'REJECT'; here it is 'ACCEPT', so any
# traffic not claimed by a zone below is forwarded rather than dropped. Zone
# policies override these for their own interfaces.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# The wan zone has input 'ACCEPT' and forward 'ACCEPT' (OpenWrt ships with REJECT
# for both). input 'ACCEPT' lets anything on eth1.2 open connections to the router's
# own services (LuCI, ssh, dns); forward 'ACCEPT' together with the wan->LAN2
# forwarding at the end of the file lets unsolicited wan traffic into LAN2. masq and
# mtu_fix are the normal upstream-facing settings and can stay.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules below are OpenWrt's stock exceptions for a wan zone whose input
# policy is REJECT. With input 'ACCEPT' above they are redundant, but they are what
# keeps DHCP renewal and ICMP working once input is set back to REJECT.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# LAN2 zone. Besides its own network it lists eth0.1 (the lan VLAN) and the raw
# parent devices eth0 and eth1 — eth1 being the NIC the wan zone sits on. Pulling
# those devices into an accept-everything zone bypasses the lan/wan zone policies.
# Only 'option network' is needed here; the 'list device' lines should go.
config zone
        option name 'LAN2'
        option network 'LAN2'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list device 'eth0.1'
        list device 'eth0.10'
        list device 'eth0'
        list device 'eth1'
        option output 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'LAN2'

config forwarding
        option dest 'wan'
        option src 'LAN2'

config forwarding
        option dest 'LAN2'
        option src 'lan'

# wan -> LAN2: admits unsolicited inbound connections from the upstream side into
# the LAN2 hosts. Normally only LAN2 -> wan is wanted; the reply traffic is handled
# by connection tracking.
config forwarding
        option dest 'LAN2'
        option src 'wan'

root@OpenWrt:~#

You cannot bridge the two interfaces in lan.
They are separate interfaces, lan and lan2.

remove this

Add masquerade in lan firewall zone.

remove these from LAN2 firewall zone.


Thanks for the help trendy!

Well, there is definitely some movement, but I still cannot access the Internet (maybe the DNS IP config is missing?). Now I can ping from 192.168.2.104 to 192.168.1.1 or to 192.168.1.3; I can't ping the Windows client (192.168.1.46), but I think the Windows firewall is blocking this.

But from that 192.168.1.46 PC I cannot ping 192.168.2.1

Here is new config

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8b:8898:f1b6::/48'

# 'lan' is no longer a bridge and carries only eth0.1; the default route goes to
# the ISP router at 192.168.1.1.
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.1'
        option ifname 'eth0.1'

# wan/wan6 on eth1.2 — per the thread the ISP router is not cabled here, so these
# stay unused in this revision.
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '5t 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '5t 0 1'

# LAN2 now stands alone on eth0.10. 192.168.2.0/24 is known only to this router:
# the ISP router has no route back to it, so replies to LAN2 sources are lost
# unless lan NATs them (masq on the lan zone) or a static route is added upstream.
config interface 'LAN2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.10'

and firewall

root@OpenWrt:~# cat /etc/config/firewall

# Global policies; forward 'ACCEPT' differs from OpenWrt's shipped REJECT, so traffic
# not claimed by any zone is forwarded rather than dropped.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

# lan zone. The replies suggest putting masq '1' here: NAT is applied to packets
# leaving through a zone's devices, so masq on lan rewrites LAN2 -> lan traffic to
# 192.168.1.3, which the ISP router can answer without knowing 192.168.2.0/24.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# wan zone with input 'ACCEPT' and forward 'ACCEPT' (OpenWrt ships with REJECT for
# both): anything on eth1.2 may connect to the router's own services. Unused in
# this cabling, but it becomes the exposed side as soon as the ISP router is moved
# to the WAN port.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt wan exceptions; redundant while wan input is 'ACCEPT', needed once it
# is set back to REJECT.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# LAN2 zone. The 'list device' lines still pull eth0.1 (lan), eth0 and eth1 (the wan
# NIC) into this accept-everything zone, bypassing the lan/wan policies; only
# 'option network' is needed. masq '1' here SNATs packets leaving the router INTO
# LAN2, not LAN2 -> lan traffic, which is why lan hosts can still not reach
# 192.168.2.x and why the replies say masq belongs on the destination (lan) zone.
# Also note no forwarding sections remain, so LAN2 <-> lan/wan forwarding now relies
# on the global forward 'ACCEPT' default rather than an explicit rule.
config zone
        option name 'LAN2'
        option network 'LAN2'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list device 'eth0.1'
        list device 'eth0.10'
        list device 'eth0'
        list device 'eth1'
        option output 'ACCEPT'
        option masq '1'

This will not work unless the hosts or the gateway in 192.168.1.0/24 network have a static route towards 192.168.2.0/24.


Hmm, that means that it is not possible to connect them without an additional router (since my ISP router is locked for modifying)?

What about no Internet on PC 2 (192.168.2.104), is that also not possible to achieve? (If I manually set 192.168.1.3 I get Internet, so is it possible to set up DHCP to assign this address for DNS?)

You can always bridge them. Or do a DMZ on the ISP router towards the OpenWrt and connect all the devices on OpenWrt in separate networks.

This must be the reason.

You need to assign the dns on lan interface, use the ISP router address.


This is exactly why I bridged the two interfaces in the first place.
But I misconfigured something, do you maybe know what?

So my goal at the beginning is two VLANs/subnets that act literally like they are in the same VLAN/subnet; then I will start to filter things (e.g. you can't see 192.168.1.40 from 192.168.2.xx but you can see 12.168.1.45).

So a firewall filtering and routing, but all on one device.

Done, works now, thanks for the input!

Reset OpenWrt. Connect OpenWrt on ISP router from WAN port. DMZ OpenWrt on the ISP router.
Create the vlans and interfaces as you have them now, that part is correct.
Connect the host devices on OpenWrt only, nothing on ISP (disable its wifi as well).
Use the forwardings in firewall to control the allowed traffic between lan and lan2.


Sorry but I didn't catch you.

Why would I reset the OpenWrt router and then set it up the same way as now?

You mean to connect from any ISP router port(lan1,2,3 and 4 ports) to WAN port in OpenWRT router?

Which address should I put as the Default DMZ Server on the ISP router?

Also DMZ means exposure to the internet from outside, I would like to avoid that..

This is why I would like bridging the interfaces....

It's better to start clean.

Yes

The IP which OpenWrt will get on wan interface from the ISP router.

DMZ means all ports are forwarded to the OpenWrt, which is necessary, unless you won't forward any ports to the lan.

OK, I am a bit lost, I tried to do the above but no luck; I can't get it to work so that the 192.168.1.xx network sees 192.168.2.xx.

I have even tried to add an IP route

# Static route on the OpenWrt side: 192.168.2.0/24 via 192.168.1.1 (or .3) out of
# 'lan'. OpenWrt already has 192.168.2.0/24 as a directly-connected route on LAN2,
# so this entry cannot help; per the replies the missing route is on the ISP
# router (192.168.2.0/24 via 192.168.1.3) or, failing that, NAT on the lan zone.
config 'route'
    option 'interface' 'lan'
    option 'target' '192.168.2.0'  -- I also tried with 192.168.2.1
    option 'netmask' '255.255.255.0'
    option 'gateway' '192.168.1.1' -- I also tried 192.168.1.3

So, now I have deleted everything, WAN and LAN are on one interface and one VLAN; can you/somebody please tell me how to bridge or route two subnets/VLANs?

Here is the OpenWrt setup now. (I have deleted all rules, VLANs and interfaces and created only one, and the ISP router is connected to the WAN port on the OpenWrt router, so now everything is on the 192.168.1.xx subnet)

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9f:0aa0:fdce::/48'

# Single flat network: one bridge over eth0.1, no gateway, no wan interface at all.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# All five switch ports are untagged members of VLAN 1, including the port the ISP
# router is now plugged into (per the post). OpenWrt is therefore acting as a plain
# switch here — there is no routing or NAT boundary between the ISP router and the
# hosts, and the firewall config below has nothing to separate.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '5t 0 1 2 3 4'
root@OpenWrt:~# cat /etc/config/firewall

# Only the global defaults remain and no zone is defined, so input/forward 'ACCEPT'
# applies to every interface: the firewall filters nothing in this revision.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config include
        option path '/etc/firewall.user'

Here is an idea how I would like it:


So there are now devices which are running on the 192.168.1.xx network, and I cannot move them to the OpenWrt router, since they are too far away.
And now I would like to create my home lab, which can be isolated from the 192.168.1.xx network, but that is not a necessity.
My main goal is to create two VLANs and have the possibility to control zones.
So PC3 and PC4 can communicate on all ports, but PC2 and (PC3 or PC4) should not be able to communicate on all ports, only on the very few I will allow in the router firewall rules (e.g. ports 22, 21), but in both directions.

Normally, from what I have read, for such a thing to work ideally there would be an additional router which would route those two VLANs, but I have also heard that it is possible to do inter-VLAN routing here?
Can somebody please tell me how to set this up?
Because I have tried really a lot of options (routing, bridging, masquerading...), and none of them were able to work :frowning:

Having two routers is very much less than ideal. If you can afford a cheap managed switch (~$30) you can put both of those PCs behind your OpenWrt router using VLANs, which is what I suggest.

So you mean something like this?
Amazon.com: TP-Link 8 Port Gigabit Switch | Easy Smart Managed | Plug & Play | Limited Lifetime Protection | Desktop/Wall-Mount | Sturdy Metal w/ Shielded Ports | Support QoS, Vlan, IGMP and LAG (TL-SG108E): Computers & Accessories
It's not a problem to buy an additional switch, but why complicate things with an additional device if this can work?
So the network would look like this then?

Your setup in the first post doesn't use the wan network at all. Your lan1 is simply bridged to the ISP router.

This means that when lan2 forwards to lan, either masquerading (NAT) needs to be enabled on lan, or a route back to lan2 needs to be installed. The first method is preferable when lan2 consists of IoTs that you want to isolate as much as possible.

As I said in another thread, it is best to migrate all of your PCs and other endpoints(*) to your side of your router, in other words nothing connected to the ISP router other than the wan port of your router.

If you don't have a lot of wired devices and don't have wiring constraints that would require trunking networks onto one cable, you don't need to add a switch. If you are going to add a switch I would not recommend the SG-10xE series, buy a Zyxel GS1200 instead.

  • other than ISP-supplied IPTV boxes, which should be considered untrusted and kept out of your network-- feed those from the ISP router.

No, we put the managed switch between the ISP router and the OpenWrt device... then plug the PC and TV into the managed switch. Put the ISP router on VLAN say 2, the OpenWrt device uses tagged packets for VLAN 2 and 3, and the PC and TV are on VLAN 3... so then although they're on the "upstream side" physically of the OpenWrt device, they're actually behind the OpenWrt device logically/virtually via vlans.

Since this setup puts your managed switch connected to the upstream side of your OpenWrt, I agree with @mk24 and recommend the zyxel GS1200 series because it has better security for a device exposed to the "internet side" of your OpenWrt. The SG108e is a good switch if all the ports on the "downstream" side of the OpenWrt. I have at least 3 of them, they work well, just have some security issues for this application.


Correct, and this was an OK scenario for me, since it is OK for me that one of the PCs is connected directly to the ISP; it was just important for me that I can block/pass through some of the ports to/from the other PC which is on a different subnet.

How to achieve this: add a route in the ISP router (which I can't, since I can only change a few options there, as it is the ISP's router), or do I need to add a route in OpenWrt (which I tried, but it could be that I misconfigured it)?

I tried masquerading, but the only thing I got was that lan2 (192.168.2.xx) was able to communicate with lan (192.168.1.xx), but not the other way around.

Thanks for the info!
The Zyxel GS1200 is available in my country and not much more expensive.
So if there is really no other possibility I will buy it.
As I said, I would just like to keep devices and wiring to a minimum.

There is no other possibility where 100% of devices are "under your control". When you have a device directly behind the ISP router such as your PC or TV, you have to assume that the ISP is capable of sending any packets at all to those devices. In other words, those devices are under their control.

This is why in an ideal world, everyone runs OpenWrt or similar on their own device, having 100% control of which packets can reach their TV or PC. OpenWrt is designed to be "on the internet" with the WAN port secure by default. A smart TV? not at all.

The route has to be in the main router. When one of the devices on the lan2 network requests the Internet, the packet has a return address in lan2, which the main router does not know how to reach unless a route is installed in it. So the reply from the Internet will be lost.

If you can't do that, have the second router NAT the packet, so it has a return address in lan1, which the main router does know how to reach.

That is perfectly fine for me, they were under ISP control until now, they can be further.
There is no port forwarding on the ISP router or DMZ zones.

I just want to isolate my HomeLab, but at the same time be able to connect e.g. from the SmartTV to FTP in the home lab (but everything else blocked from the SmartTV to the HomeLab).

Didn't I do that in post 3 when I was setting masquerade in LAN2 (and I was able to ping from LAN2 to LAN, but not the opposite way)?

# masq on a zone SNATs packets leaving the router through that zone's devices — here
# traffic going INTO LAN2 hosts. LAN2 -> lan traffic keeps its 192.168.2.x source,
# which the ISP router cannot route back, so only the LAN2 -> lan direction appears
# to work. The reply below places masq on the destination zone (lan) instead.
# The 'list device' entries (eth0.1, eth0, eth1) also drag the lan VLAN and the wan
# NIC into this accept-everything zone; 'option network' alone is sufficient.
config zone
        option name 'LAN2'
        option network 'LAN2'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list device 'eth0.1'
        list device 'eth0.10'
        list device 'eth0'
        list device 'eth1'
        option output 'ACCEPT'
        option masq '1'

No, you need to set masquerade on the destination zone, which is lan.

Also as someone else said, take those device options out of your firewall config and instead use an option network referring back to the network defined in /etc/config/network. Using all lower case for network and zone names is highly recommended (though LuCI will confuse you by uppercasing them).