VLAN and subnet configuration

Without having a huge amount of experience, I want to make sure I'm on the right track before I start the final configuration.

The goal is to isolate the devices (on the Personal network) from the Guest network while sharing internet access with the Guest network. Guest access will not be able to access the IP cams.

IP cams will be isolated from the internet

I have an 8-port POE switch (D-Link DGS-1210-10P) running OpenWrt 22.05 that needs to be set up with 3 subnets and VLANs. The switch uses DSA.

Ports:

1 - VLAN 11 - Internet router (192.168.1.1)
2 - VLAN 22 - Personal WAP (192.168.0.1)
3 - VLAN 33 - Guest WAP (192.168.1.2 - 254)
4 - VLAN 33 - Guest WAP (192.168.1.2 - 254)
5 - VLAN 33 - Guest WAP (192.168.1.2 - 254)
6 - VLAN 33 - Guest WAP (192.168.1.2 - 254)
7 - VLAN 44 - IP camera network (10.1.1.1 - 10.1.1.254)
8 - VLAN 44 - IP camera network (10.1.1.1 - 10.1.1.254)

Interface setup:

Internet (VLAN 11) - 192.168.1.2
Personal (VLAN 22) - 192.168.0.1
Guest (VLAN 33) - 192.168.1.3
IPCam (VLAN 44) - 10.1.1.222

Firewall setup:

VLAN 11 --> reject
VLAN 22 --> VLAN 11, VLAN 44
VLAN 33 --> VLAN 11
VLAN 44 --> reject

The router on port 1 should handle DHCP for the Guest network.
Devices on Personal will have static IPs and static routes to IP cams (10.1.1.0/24 via 192.168.0.1). I've set this part up and I am able to access the IP cams.

My question is really regarding setting up the subnets for the Guest and Personal network and subnet mask.

Should the Internet (192.168.1.2), Personal (192.168.0.1) and Guest (192.168.1.3) interfaces have the subnet mask 255.255.254.0 (192.168.0.0/23)?

Is this the best way to implement the stated requirements?

Cheers

192.168.1.0/23 and 192.168.0.0/23 are the same network... so, the answer is no. However, I am wondering what made you think you needed to deviate from the /24 standard, perhaps there is something I am missing here.


I'm looking to avoid using static routes on devices on the Guest network.

Is there another way to forward to VLAN 11 from VLAN 33 so VLAN 33 can access the internet?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Other than testing access to the IP cam subnet, I haven't started to set anything up. I'm trying to get as much input as I can beforehand to avoid troubleshooting later.

Is that switch also the router or do you have a router with some horsepower actually controlling everything anywhere else?

After continuing to struggle with this, I made some changes to the setup.

On the DGS-1210-10P switch:

VLAN 1 - Guest network 192.168.3.0/24 (Ports 3 - 6)
VLAN 2 - IP cam network 10.1.1.0/24 (Ports 7 - 8)
VLAN 3 - Personal network 192.168.2.0/24 (Port 2)
VLAN 4 - wired connection to internet router 192.168.1.0/24 (Port 1)

Interfaces on switch:

lan - 192.168.3.1 (WAP 192.168.3.2)
IPCams - 10.1.1.222
Personal - 192.168.2.1 (WAP 192.168.2.2)
WAN - 192.168.1.2 (router 192.168.1.1)

It was as easy as simply setting up a static route on my laptop (connected to 192.168.2.2 WAP) to the IPCam network and I am able to access the IP cams without issue.

10.1.1.0/24 via 192.168.2.1

Setting up the following static route on my laptop, I am unable to access 192.168.1.1 or the internet.

192.168.1.0/24 via 192.168.2.1

I am able to ping 192.168.1.2 (the switch interface on the 192.168.1.0/24 subnet) but I cannot ping 192.168.1.1

What am I missing? This should be as simple as accessing the IP cams, no?

Output of 'cat /etc/config/network':

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbf:e377:9544::/48'

config device 'switch'
        option name 'switch'
        option type 'bridge'
        option macaddr 'REDACTED'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'
        list ports 'lan9'
        list ports 'lan10'
        option bridge_empty '1'
        option ipv6 '0'

config bridge-vlan 'lan_vlan'
        option device 'switch'
        option vlan '1'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'

config device
        option name 'switch.1'
        option macaddr 'REDACTED'
        option ipv6 '0'

config interface 'lan'
        option device 'switch.1'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option broadcast '192.168.3.255'
        option delegate '0'

config interface 'IPCams'
        option proto 'static'
        option device 'switch.2'
        option ipaddr '10.1.1.222'
        option netmask '255.255.255.0'
        option broadcast '10.1.1.255'

config interface 'Personal'
        option proto 'static'
        option device 'switch.3'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option broadcast '192.168.2.255'

config bridge-vlan
        option device 'switch'
        option vlan '2'
        list ports 'lan7'
        list ports 'lan8'

config bridge-vlan
        option device 'switch'
        option vlan '3'
        list ports 'lan2'

config device
        option name 'switch.3'
        option type '8021q'
        option ifname 'switch'
        option vid '3'
        option ipv6 '0'

config bridge-vlan
        option device 'switch'
        option vlan '4'
        list ports 'lan1'

config interface 'WAN'
        option proto 'static'
        option device 'switch.4'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'

config device
        option name 'switch.2'
        option type '8021q'
        option ifname 'switch'
        option vid '2'
        option ipv6 '0'

config device
        option name 'switch.4'
        option type '8021q'
        option ifname 'switch'
        option vid '4'
        option ipv6 '0'

Output of 'cat /etc/config/firewall':

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'IPCams'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IPCams'

config zone
        option name 'Personal'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Personal'
        option masq '1'

config forwarding
        option src 'Personal'
        option dest 'IPCams'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config forwarding
        option src 'Personal'
        option dest 'lan'

config zone
        option name 'WAN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WAN'

config forwarding
        option src 'Personal'
        option dest 'WAN'

config forwarding
        option src 'lan'
        option dest 'WAN'

As I stated initially, the IP cams need to be isolated from the internet and only the Personal network should be able to access them.

The Guest network should only be able to access the internet and Personal should be able to access everything.

What am I missing to be able to access the 192.168.1.0/24 subnet?

Thanks
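As an added example (not code from the thread), here is a small Python check that parses OpenWrt UCI firewall text in the layout posted above and reports which zone-to-zone forwardings it grants and which zones masquerade; in OpenWrt, masq NATs traffic leaving through that zone's interfaces, so it only takes effect on the zone the traffic exits from. The sample config is constructed from the posted zone and forwarding sections, and the policy pairs checked are taken from the requirements stated in the thread.

```python
# Added example (not from the thread): parse OpenWrt UCI firewall text and report
# which zone-to-zone forwardings it grants and which zones masquerade.
import re

# Constructed sample: the zone/forwarding sections of the posted firewall config.
SAMPLE = """
config zone
        option name 'Personal'
        option masq '1'
config forwarding
        option src 'Personal'
        option dest 'IPCams'
config forwarding
        option src 'Personal'
        option dest 'lan'
config zone
        option name 'WAN'
config forwarding
        option src 'Personal'
        option dest 'WAN'
config forwarding
        option src 'lan'
        option dest 'WAN'
"""
UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?")  # config <type> [name] / option|list <key> '<value>'

def parse_uci(text):
    """Return [(section_type, {key: value or [values]})]; section names are dropped, values must be quoted."""
    sections = []
    for m in filter(None, map(UCI_LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:  # list: repeated keys accumulate in order
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def forwardings(sections):
    """Set of (src, dest) zone pairs that have an explicit forwarding section."""
    return {(o["src"], o["dest"]) for t, o in sections if t == "forwarding"}

def masq_zones(sections):
    """Zones whose outgoing traffic is NATed (masq acts on the exit zone, not the entry zone)."""
    return {o["name"] for t, o in sections if t == "zone" and o.get("masq") == "1"}

def violations(sections, must_block):
    """Pairs in must_block that the config nevertheless forwards (sorted for stable output)."""
    return sorted(forwardings(sections) & set(must_block))
```

Run `violations(parse_uci(SAMPLE), [("lan", "IPCams"), ("IPCams", "WAN")])` against a pasted config to confirm the guest-to-camera and camera-to-internet paths stay blocked, and `masq_zones` to see which exit zone actually rewrites source addresses.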