Using OpenWrt like a managed switch

But I'm lost with VLANs.

Assuming I have an OpenWrt AP connected via lan1 to a Linux router and via lan4 to a Linux client, how can I create a rule to have lan4 talk only to a VLAN on lan1 and have untagged lan1, lan2, lan3 still work as default?

Is it even possible?

If they're configured with 2 different firewall zones, you simply permit forwarding from one to the other.

???

I'm confused. You stated that you set up VLANs, so these wouldn't be "default" configs.

Does your main router have VLANs already configured?

All of the routing will happen on the main router itself (so that means the firewall on that router will be relevant, too). What is the main router (device + firmware/OS)?

As far as using the OpenWrt device as a managed switch, it is generally possible to do this -- you'll set up a trunk for the uplink, and then access ports or trunks for the downlinks... It would be helpful to know what you are trying to achieve with a basic diagram that includes the VLANs for each port.


I'm sorry. By "default", I mean the br-lan bridge.

Yes, or they can be easily added.

It's an SBC running Debian. I believe I can handle things on that end.

This is the relevant subset of my network:

Basically I'm trying to share the cable shown on the left between the two subnets, if that makes any sense.

By the way, would it be possible to keep the trunk connection untagged?

Either they are or are not currently set up. If they're not, set those up first. Otherwise, you won't be able to determine if the downstream stuff is working.

A trunk is, by definition, a port/cable carrying multiple networks. The 802.1q standard allows you to have:

  • zero or one untagged network
  • zero, one or many tagged networks

If you wish to carry multiple networks, you must tag them. Technically speaking, one may be untagged. Some people will advise against using any untagged networks, but that is usually a matter of personal opinion. That said, some devices do not work properly with tagged + untagged configurations, so you may need to have all tagged from a practical perspective.

Please add some detail to the diagram (or explain in text)...

  • What VLANs will be carried from the router to the OpenWrt switch (via the trunk)
  • What VLAN should the OpenWrt switch be a member of?
  • What port will be used on the OpenWrt switch as the uplink?
  • What will each port's downstream VLANs be
    • access port or trunk
    • what VLAN(s) on each port.

Ok, I set up enp1s3.7 on the router, subnet 192.168.7.0/24 and enp1s3 is on 192.168.15.0/24.
If possible, I would like to keep the latter untagged.

VID 7 plus untagged, or 7 and 15 if the former is not possible.

7

lan1

This is not completely clear to me. As I wrote above, I would like enp1s3 to carry the AP traffic and possibly be untagged. enp1s3.7 should link to the OpenWrt switch and receive the traffic from lan4, AP side.

Any individual network can only be tagged or untagged. It cannot be both. You have VLAN 7 tagged on your router, so the downstream device (i.e. the switch) must be tagged, too. VLAN 15 is currently untagged from the router.

So is the OpenWrt managed switch also being used as an AP?

My goal is to have a clear definition of each port (and SSID):

  • Port 1 = uplink, VLAN 7 tagged, VLAN 15 untagged
  • Port 2 = ?
  • Port 3 = ?
  • Port 4 = ?
  • SSID "myvlan7" = VLAN 7
  • SSID "myvlan15" = VLAN 15

Ok

  • Port 1 = uplink, VLAN 7 tagged, VLAN 15 untagged
  • Port 2 = VLAN 15 (currently unused)
  • Port 3 = VLAN 15 (currently unused)
  • Port 4 = VLAN 7
  • SSID "myvlan15" = VLAN 15

No other SSID.

Ok... great. I just need one file and I can recommend the changes to make this work.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix '<redacted>::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.15.88'
        option gateway '192.168.15.254'
        list dns '192.168.7.230'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

Note: I don't use the WAN port or IPv6 at the moment.

Great.

Add the following:

config bridge-vlan
  option device 'br-lan'
  option vlan '15'
  list ports 'lan1:u*'
  list ports 'lan2:u*'
  list ports 'lan3:u*'

config bridge-vlan
  option device 'br-lan'
  option vlan '7'
  list ports 'lan1:t'
  list ports 'lan4:u*'

Then edit the lan to use br-lan.15 like this:

config interface 'lan'
        option device 'br-lan.15'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.15.88'
        option gateway '192.168.15.254'
        list dns '192.168.7.230'

That should do it. If not, please describe what does and does not work.


Sorry, I need to make a last-minute correction:

Would it be possible to have Port 4 untagged and yet be bridged with Port 1 VLAN 7?

In the suggestions I just provided, port 4 will have VLAN 7 untagged, and VLAN 7 will be tagged on port 1. Ports 1-3 will have VLAN 15 untagged.

Everything appears to be working. Thank you very much!


To further expand on my question, assuming I wanted a new vlan with a single port, bridged to a new SSID, how safe should L2 isolation be considered if it were to be connected to a potentially hostile machine?

Is it conceivable that it could access the rest of the LAN?

If you create a new subnet for a physical port and/or wifi, your firewall is the thing that protects your trusted network from a potential hostile host on the other network. This happens at L3 (routing). On L2 (switching), the subnets will be isolated by nature (provided you configure it properly).

Take a look at the guest wifi wiki for a bit of context on that.

Perhaps I will also take precautions at L3 for good measure, but I'm trying to understand how much security I can assume it's happening at L2 in that regard.

E.g:

config bridge-vlan
  option device 'br-lan'
  option vlan '15'
  list ports 'lan1:u*'
  list ports 'lan2:u*'

config bridge-vlan
  option device 'br-lan'
  option vlan '7'
  list ports 'lan1:t'
  list ports 'lan4:u*'

config interface 'lan'
        option device 'br-lan.15'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.15.88'
        option gateway '192.168.15.254'
        list dns '192.168.7.230'

adding this:

config device
        option type 'bridge'
        option name 'wbr50'
        list ports 'lan3'
        list ports 'wifi50'
        option ipv6 '0'

and to /etc/config/wireless

config wifi-iface 'wifi50'
        option device 'radio1'
        option mode 'ap'
        option ssid '<ssid50>'
        option encryption 'sae'
        option macaddr '<my custom MAC address>'
        option key '<my secure key>'

could I then assume that no frames from devices connected either to wifi50 or lan3 would spill over to the rest of the network or vice versa?

In this case openwrt would only handle authentication. DHCP and routing would be managed by another router connected to port 3.

The list ports 'wifi50' should be removed from the wbr50 device definition.

If the idea here is that you'll be taking port lan3 and bridging it to wifi (as a dumb AP), you also need to create a network interface for it with proto none. Then you tie the wireless to that network.

The device doing this bridging will not do any routing and will be essentially invisible to the wifi devices on that network as well as anything connected on port 3. Therefore, (for most normal use cases) you must have a DHCP server/router upstream on port 3... otherwise the wifi network won't go anywhere.

But to answer your question, the L2 isolation will work as long as the rest of your network is properly configured... you don't need to do anything special... your upstream router(s) will be the parts of the system that can allow/restrict the inter-vlan connections.

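Added example (not code from this thread or from OpenWrt): a small checker that applies the two points made above, the 802.1q rule that a port can carry at most one untagged network, and the claim that L2 isolation holds "as long as the rest of your network is properly configured". It parses the bridge-vlan stanzas recommended earlier in the thread (embedded here as a constructed string, GOOD_CONFIG) and a constructed mistake (BAD_CONFIG, where lan4 is also left in VLAN 15), reports ports that cannot be realised under 802.1q, and lists the VLANs in which two ports would share a broadcast domain inside br-lan. The names parse_uci, vlan_membership, check_ports and l2_reachable are this example's own.

```python
"""Check OpenWrt bridge-vlan membership before trusting L2 isolation.

Added example, not code from the thread. It parses UCI 'bridge-vlan' stanzas
and answers two questions a reviewer would ask: does any port break the 802.1q
"at most one untagged VLAN per port" rule, and which VLANs (if any) let two
ports exchange frames inside the same bridge.
"""
import re
from collections import defaultdict

# Constructed copy of the br-lan configuration recommended in the thread.
GOOD_CONFIG = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '15'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'lan1:t'
        list ports 'lan4:u*'
"""

# Constructed mistake: lan4 left in VLAN 15 as well, so the "isolated" port
# still shares a broadcast domain with lan2/lan3 and has two untagged VLANs.
BAD_CONFIG = GOOD_CONFIG.replace(
    "list ports 'lan3:u*'", "list ports 'lan3:u*'\n        list ports 'lan4:u*'")

# config <type> ['name'] | option <key> <value> | list <key> <value>
UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?$")


def parse_uci(text):
    """Return [(section_type, {key: str | [str]})] for a UCI config file."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            sections.append((key, {".name": value} if value else {}))
        elif kind == "option":
            sections[-1][1][key] = value
        else:  # 'list' keys repeat and accumulate
            sections[-1][1].setdefault(key, []).append(value)
    return sections


def vlan_membership(sections):
    """Map bridge -> port -> {vid: (tagged, pvid)} from bridge-vlan stanzas.
    OpenWrt DSA port syntax: 'lan1' or 'lan1:t' is tagged, 'lan1:u' untagged,
    and '*' marks the PVID assigned to untagged ingress frames."""
    membership = defaultdict(lambda: defaultdict(dict))
    for stype, opts in sections:
        if stype != "bridge-vlan":
            continue
        vid = int(opts["vlan"])
        for spec in opts.get("ports", []):
            port, _, flags = spec.partition(":")
            membership[opts["device"]][port][vid] = ("u" not in flags, "*" in flags)
    return membership


def check_ports(sections):
    """Report what 802.1q cannot express: a port untagged in several VLANs or
    with several PVIDs, plus bridge member ports that belong to no VLAN at all
    (such a port forwards nothing once VLAN filtering is active)."""
    membership = vlan_membership(sections)
    problems = []
    for stype, opts in sections:
        if stype == "device" and opts.get("type") == "bridge":
            for port in opts.get("ports", []):
                if port not in membership[opts.get("name")]:
                    problems.append(f"{opts.get('name')}/{port}: member of no VLAN")
    for bridge, ports in membership.items():
        for port, vlans in ports.items():
            untagged = sorted(v for v, (tagged, _) in vlans.items() if not tagged)
            pvids = sorted(v for v, (_, pvid) in vlans.items() if pvid)
            if len(untagged) > 1:
                problems.append(f"{bridge}/{port}: untagged in several VLANs {untagged}")
            if len(pvids) > 1:
                problems.append(f"{bridge}/{port}: several PVIDs {pvids}")
    return problems


def l2_reachable(sections, bridge, a, b):
    """VLAN IDs in which both ports are members of the same bridge. An empty set
    means the bridge itself never forwards frames between them; anything else
    is a shared broadcast domain no matter what the upstream firewall says."""
    ports = vlan_membership(sections)[bridge]
    return set(ports.get(a, {})) & set(ports.get(b, {}))


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        sections = parse_uci(cfg)
        print(label, "problems:", check_ports(sections) or "none")
        print(label, "lan4<->lan2 shared VLANs:",
              l2_reachable(sections, "br-lan", "lan4", "lan2") or "none")
```

Run it as-is to compare the two configurations; on a live box the same checks can be fed the real file with `parse_uci(open('/etc/config/network').read())`. The isolation answer is only as good as the bridge's own membership table, so after applying a change it is worth confirming what the kernel actually programmed with `bridge vlan show` rather than trusting the config file alone.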
