Two VLANs and subnets - OpenWrt

OK, will try that tomorrow.

Will set up the WAN port as the LAN interface with VLAN id 10 (.1.xx subnet), and the other LAN ports as the LAN2 interface with VLAN 20 (.2.xx subnet), and will try to masquerade the LAN interface.

After a bit of time, I am back, finally some time for experiments!

Once again many thanks for the advice, I think I have made huge progress.

So I have created 3 interfaces and VLANs, I think I am pretty close to the solution.
So the LAN interface (VLAN 1) is connected to the ISP router (WAN port) and is attached to two more ports (port 1 and port 2).
The LAN20 interface is associated with VLAN 20 and port 3 (192.168.2.xx), and the LAN30 interface is associated with VLAN 30 and port 4 (192.168.3.xx).
Firewall zones are named according to the LAN interfaces.
I have enabled masquerade on all 3 interfaces, and the great thing is that I can ping from any subnet to any subnet I want.
I have even tried to add an additional firewall rule in Zone20 (disable SSH TCP/22) and it works, exactly what I want!
Now the only problem left is that I don't have Internet access, and I don't know why, since nslookup does work.

Here is the config and screenshots, any idea what I have missed?

p.s. I have added list dns '192.168.1.1' in LAN30, but I think I don't need it since masquerading is enabled (nslookup works in both LAN20 and LAN30!)

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9f:0aa0:fdce::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '5t 0 1 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5t 3'
        option vid '20'

config interface 'LAN20'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.20'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '5t 2'
        option vid '30'

config interface 'LAN30'
        option ifname 'eth0.30'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        list dns '192.168.1.1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config include
        option path '/etc/firewall.user'

config zone
        option name 'LAN_zone'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option output 'ACCEPT'
        option masq '1'

config zone
        option network 'LAN20'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list device 'eth0.20'
        option output 'ACCEPT'
        option name 'LAN20_Zone'
        option masq '1'

config forwarding
        option dest 'LAN_zone'
        option src 'LAN20_Zone'

config forwarding
        option dest 'LAN20_Zone'
        option src 'LAN_zone'

config zone
        option name 'LAN30_Zone'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'LAN30'
        option output 'ACCEPT'
        option masq '1'

config forwarding
        option dest 'LAN20_Zone'
        option src 'LAN30_Zone'

config forwarding
        option dest 'LAN_zone'
        option src 'LAN30_Zone'

config forwarding
        option dest 'LAN30_Zone'
        option src 'LAN20_Zone'

config forwarding
        option dest 'LAN30_Zone'
        option src 'LAN_zone'

config rule
        option dest_port '22'
        option src 'LAN20_Zone'
        option name 'Disable SSH'
        option dest 'LAN30_Zone'
        option target 'REJECT'
        list proto 'tcp'

You need a default route (option gateway) in the network connected to the Internet (*). This is the next router on the way to the Internet. In this case it would be your house's ISP router, 192.168.1.1.

  • Traditionally this network and firewall zone are called 'wan'.

When you're doing symmetrical inter-zone routing like this, masq should only be enabled in the wan zone.

Running route will show the underlying routing table as it has been built.

But why did it then work in the first setup, where I also had LAN and LAN2 (VLAN 2, 192.168.2.xx), and devices on LAN2 were able to access the Internet? (The only problem I had there was that LAN devices could not talk with LAN2.)
If LAN20 now has access to DNS and to LAN (I can ping 192.168.1.1), why doesn't the PC see the Internet, where does the packet get lost?

EDIT: I thought that option gateway should be added in the ISP router, so I should add it in the OpenWrt router?
If yes, then on both interfaces, LAN20 and LAN30?
EDIT2: I have added option gateway 192.168.1.1 on LAN20, but still no Internet.

I think if I enable masq only in wan (which is my LAN interface) then LAN20 and LAN30 devices will not be able to communicate, but will try.

Here is how the route table looks now on OpenWrt; if you think I should run this on my ISP router, I don't think I can.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0.20
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0.30

If devices are able to access the Internet they must be doing it directly through the main router, because they picked up DHCP from the main router rather than your OpenWrt router and know the gateway to the Internet is .1.1. This will also prevent them from reaching .2.0 or .3.0 since the route to those is .1.3 and they don't know that.

You should only have one DHCP server on the .1 network, and it should be your router so clients set their default route to .1.3 so they can reach the other networks. It should be possible to turn off the DHCP server in the ISP router. If you can't do that you need to set up another network for it and isolate it strictly to being the path to the Internet.

With the ISP router still at 192.168.1.1 in br-lan (DHCP disabled), the .1.3 router would have a default route like this for Internet requests:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1    0.0.0.0         UG    0      0        0 br-lan

in addition to the specific routes you already have.
The OpenWrt router will do all of your routing except for access to the Internet. The ISP router becomes an appendage to the network.

Well, you made my day!
Many thanks!
After adding this route, the clients were able to access the Internet!

May I ask now:
If I modify the route like this (I put 192.168.3.0 as target, it is also the same)

the 192.168.3.xx devices cannot ping anything on 192.168.2.xx or 1.xx, and when I check the routes in the config I see why, two routes are gone:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0.20

Why would I want to do this?
Well, if I want only 3.xx to have access to the Internet, I was thinking of modifying the static route.
Why would I want to do that, I can restrict that in firewall rules?!?
Well, true, but I am thinking this is a more secure approach (why add another layer if you can restrict it at the first layer?)

From what I understand, the 0.0.0.0 address is any IPv4 address.

0.0.0.0 is any address that is not otherwise found in the table. That usually means a site on the Internet, if the table is correct.

Defining a static network automatically inserts it into the route table. You don't need to add it manually. Manual routes are for when there is another router handling IP addresses that are not defined locally. For example different buildings on a campus with a router in each building.

The table only defines possible paths, i.e. 192.168.2.0 is on eth0.20. The firewall rules restrict whether connections are allowed.
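To make the longest-prefix lookup described in this answer concrete, here is a small added example (not part of the thread, not OpenWrt code) that replays the two routing tables from this thread: the one without a default route, where a packet for a public address such as 172.217.19.100 has no matching entry and is dropped, and the one with the default via 192.168.1.1 on br-lan, where the same packet is forwarded while 192.168.2.50 still matches the more specific 192.168.2.0/24 entry. The tables are constructed inline from the `route` output posted above.

```python
import ipaddress

# Constructed copies of the two `route` tables posted in this thread.
# Each entry is (prefix, gateway or None for directly connected, interface).
ROUTES_NO_DEFAULT = [
    ("192.168.1.0/24", None, "br-lan"),
    ("192.168.2.0/24", None, "eth0.20"),
    ("192.168.3.0/24", None, "eth0.30"),
]

# Same table after `config route` with target/netmask 0.0.0.0 via 192.168.1.1.
ROUTES_WITH_DEFAULT = [("0.0.0.0/0", "192.168.1.1", "br-lan")] + ROUTES_NO_DEFAULT


def lookup(routes, dst):
    """Kernel-style longest-prefix match.

    Returns (gateway, iface) for the most specific matching entry, or None
    when nothing matches (the "no route to host" case). The 0.0.0.0/0 entry
    has prefix length 0, so it only wins when no other entry contains dst.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return (best[1], best[2])


def next_hop(routes, dst):
    """Human-readable description of where a packet for dst would go."""
    match = lookup(routes, dst)
    if match is None:
        return "dropped: no route to host"
    gw, iface = match
    if gw is None:
        return f"delivered directly on {iface}"
    return f"forwarded to {gw} via {iface}"


if __name__ == "__main__":
    for dst in ("192.168.2.50", "172.217.19.100"):
        print(dst, "without default:", next_hop(ROUTES_NO_DEFAULT, dst))
        print(dst, "with default:   ", next_hop(ROUTES_WITH_DEFAULT, dst))
```

Note that the lookup only picks a path; whether the forwarded packet is then allowed is decided by the firewall zones and forwarding rules, exactly as the answer says.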

Thank you for all the help and explanation.
I have played a bit to get full understanding and now I have removed masq on LAN20 and LAN30, and I see that it works the same.
I did get what I want, but I just have two questions which I don't understand how they function.
Firstly, if I don't add list dns '192.168.1.1' in LAN20 or LAN30 I cannot access the Internet (DNS does not work). I don't understand why, since when this option is added nslookup returns from 192.168.2.1, e.g. from 192.168.2.50 for youtube.com:

Server: OpenWrt.lan
Address: 192.168.2.1
Non-authoritative answer: name youtube.com
Address: 172.217.19.100

Why does this not work without the list dns option?
DNS on 192.168.2.1 has no entry (better said, there is no DNS server on that IP address) and then it should ask 192.168.1.1, and if that server does not know it, it goes further...

Also, how come that even if I put list dns '192.168.1.1' only on the LAN20 interface, devices from the LAN30 (192.168.3.xx) network also resolve DNS without problem?!?

And the last question which bothers me (I don't need it, I just don't understand why it doesn't work) is that I cannot ping anything from the 192.168.1.xx network to 192.168.2/3.xx; I have tried adding masq on all interfaces but it is still the same.
What is missing, so that e.g. a packet from 192.168.1.5 cannot reach 192.168.2/3.xx devices? I thought that the added route would solve both directions?

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan

Here is how the final config looks now

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9f:0aa0:fdce::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '5t 0 1 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5t 3'
        option vid '20'

config interface 'LAN20'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.20'
        list dns '192.168.1.1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '5t 2'
        option vid '30'

config interface 'LAN30'
        option ifname 'eth0.30'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config route
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option interface 'lan'
        option gateway '192.168.1.1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config include
        option path '/etc/firewall.user'

config zone
        option name 'LAN_zone'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option output 'ACCEPT'
        option masq '1'

config zone
        option network 'LAN20'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list device 'eth0.20'
        option output 'ACCEPT'
        option name 'LAN20_Zone'

config forwarding
        option dest 'LAN_zone'
        option src 'LAN20_Zone'

config forwarding
        option dest 'LAN20_Zone'
        option src 'LAN_zone'

config zone
        option name 'LAN30_Zone'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'LAN30'
        option output 'ACCEPT'

config forwarding
        option dest 'LAN20_Zone'
        option src 'LAN30_Zone'

config forwarding
        option dest 'LAN_zone'
        option src 'LAN30_Zone'

config forwarding
        option dest 'LAN30_Zone'
        option src 'LAN20_Zone'

config forwarding
        option dest 'LAN30_Zone'
        option src 'LAN_zone'

config rule
        option dest_port '22'
        option src 'LAN20_Zone'
        option name 'Disable SSH'
        option dest 'LAN30_Zone'
        option target 'REJECT'
        list proto 'tcp'

config rule
        option dest 'LAN20_Zone'
        option name 'Disable HTTP'
        option dest_port '80'
        option src 'LAN30_Zone'
        option target 'REJECT'

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0.20
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0.30
root@OpenWrt:~#
