VLAN assistance - Isolating a single client from LAN

Hello!
First time poster here.

After borking my OpenWRT install two times, where I had to do a pinhole reset back to defaults because I lost access to the webui, I concluded I'm severely misrepresenting/not understanding how VLANs work, so I decided to try posting here for assistance.

Firstly, let me explain what I am trying to achieve:

GOAL: Isolate a single device from LAN, while retaining access to WAN (the device in question will act as a public facing webserver). From what I understand the way to go about this would be having the device on a separate VLAN. If there are alternate, simpler ways to achieve this I'm more than open to suggestions.

My Network topology:

OpenWRT router > lan2 port > managed switch > P2 > Device that needs to be on a separate VLAN

Do note that there are other devices connected to the managed switch and they need to remain on the default LAN.

I've tried following various guides/examples in the past but most things I can find online seem to be written for pre-DSA OpenWrt versions or set VLANs on the router's ports themselves with the assumption everything connected to that port will need to be on that VLAN (although this might just be a misrepresentation on my part and me not understanding how VLANs actually work).

Regarding the managed switch, I'm not entirely sure if I set that up correctly either, but given that I managed to break the network completely and lock myself out of the webui, I thought I'd want to at least get the OpenWRT part of things somewhat correct so I can go about adjusting the managed switch further after that.

If you want to achieve this over a single cable (port), using vlans is your only choice.

The managed switch settings are as important as the OpenWrt device settings.

To get more specific help, please login to the device via ssh and post the output of the following commands using the "Preformatted text </>" button:

ubus call system board
uci export network
uci export firewall
uci export dhcp

Remember to redact MAC addresses and any public IPs you may have.
Also, tell us what the managed switch model is.

The managed switch settings are as important as the OpenWrt device settings.

Of course, but I thought since it's a third party switch unrelated to OpenWRT discussing it would be out of scope for this forum, but if I am able to get help with that as well it would be greatly appreciated!
The model of the switch is Zyxel GS1200-5. I can post screenshots of what the default VLAN settings screen looks like if needed.

As previously mentioned, I've reset the router to default settings and aside from re-enabling the 2.4 GHz radio and adding a couple of hostnames and static reservations I haven't done any additional changes.

Here are the outputs of the commands:

{
	"kernel": "5.15.167",
	"hostname": "router",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "ASUS RT-AX53U",
	"board_name": "asus,rt-ax53u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfa:7b7d:bd2d::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

package firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

The DHCP output doesn't end here but I redacted the local domains and static reservations since they do not seem really relevant here.

If you can connect the device in question directly to say lan3 it will be much easier.

If not, here is an example (vlan) configuration:

#/etc/config/network

...

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# VLAN 1 stays untagged on every port and carries the existing LAN
config bridge-vlan
	option vlan '1'
	option device 'br-lan'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# VLAN 10 is tagged only on lan2, the port going to the managed switch
config bridge-vlan
	option vlan '10'
	option device 'br-lan'
	list ports 'lan2:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'webserver'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

...
#/etc/config/dhcp

...

# a pool of one address, so the web server always gets 192.168.2.2
config dhcp 'webserver'
	option interface 'webserver'
	option start '2'
	option limit '1'
	option leasetime '12h'
...
#/etc/config/firewall

...

# own zone: nothing reaches the router or other zones unless a rule below allows it
config zone
	option name 'webserver'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'webserver'

# only DNS and DHCP from the web server to the router
config rule
	option name 'WEBSERVER-DHCP-DNS'
	option src 'webserver'
	option dest_port '53 67'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option src 'wan'
	option dest 'webserver'
	option target 'DNAT'
	option name 'DNAT-Webserver-HTTP'
	list proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.2.2'

config redirect
	option src 'wan'
	option dest 'webserver'
	option target 'DNAT'
	option name 'DNAT-Webserver-HTTPS'
	list proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.2.2'

config forwarding
	option src 'webserver'
	option dest 'wan'

#Optional access lan=>webserver

config forwarding
	option src 'lan'
	option dest 'webserver'

Zyxel port 2:
Untagged PVID 1
Tagged VLAN ID 10

Connect the web server to an untagged port with PVID 10.

If you don't feel comfortable editing the configuration files directly, we will help you with the uci commands (it will take some time).

I was hoping there was a way of doing this via the web interface.
Still, I manually edited the firewall config using your examples, but after saving the changes the web ui started spitting out errors, and after a reboot the network was down again and the router web interface was inaccessible.

There is a way, but if you don't know how to do it, guiding you through the process would require taking (and posting) a bunch of screenshots, and that will take a lot of time.

Seems like typos in the configuration files.

Try entering failsafe mode and follow the instructions on how to access the device and fix the configuration.
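A pre-flight check for the kind of configuration typo mentioned above, added here as an example and not something from this thread or from OpenWrt itself: a small Python lint for /etc/config fragments that flags unbalanced quotes and bridge-vlan ports that were never added to the bridge, so the file can be checked before it is copied to the router. The sample fragment is constructed for the demo, with two deliberate mistakes.

```python
import re

# Constructed sample (not from the thread) with two deliberate mistakes: an unterminated
# quote on the second 'lan3' line, and lan2 tagged in VLAN 10 although it is not a bridge member.
SAMPLE = """\
config device
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan3'
config bridge-vlan
        option vlan '1'
        option device 'br-lan'
        list ports 'lan1'
        list ports 'lan3
config bridge-vlan
        option vlan '10'
        option device 'br-lan'
        list ports 'lan2:t'
"""

# config <type> ['name'] | option <key> <value> | list <key> <value>  (quoted or bare value)
LINE = re.compile(r"""^(config|option|list)\s+([^'"\s]+)(?:\s+(?:'([^']*)'|"([^"]*)"|([^'"\s]+)))?\s*$""")

def lint_uci(text):
    """Return a list of problems found in a UCI /etc/config fragment (empty list = clean)."""
    problems, sections, cur = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            problems.append(f"line {n}: malformed line or unterminated quote: {line!r}")
            continue
        kw, key, *vals = m.groups()
        val = next((v for v in vals if v is not None), None)
        if kw == "config":
            sections.append(cur := {"type": key, "name": val, "opts": {}, "lists": {}})
        elif cur is None:
            problems.append(f"line {n}: '{kw}' before any config section")
        elif kw == "option":
            cur["opts"][key] = val
        else:
            cur["lists"].setdefault(key, []).append(val)
    # Cross-check: each bridge-vlan port (":t"/":u*" suffix stripped) must be a member of its bridge.
    bridges = {s["opts"].get("name"): set(s["lists"].get("ports", []))
               for s in sections if s["type"] == "device"}
    for s in (s for s in sections if s["type"] == "bridge-vlan"):
        br, vid = s["opts"].get("device"), s["opts"].get("vlan")
        for p in s["lists"].get("ports", []):
            if p.split(":")[0] not in bridges.get(br, set()):
                problems.append(f"bridge-vlan {vid}: port {p!r} is not a member of bridge {br}")
    return problems
```

Run it on the whole of /etc/config/network before applying: an empty list means the file at least parses and the VLAN port lists are consistent with the bridge.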

I think I managed to do it through the webui.

When I tried doing it before, I always edited the bridge VLAN filtering directly on the br-lan bridge device itself, and this would lock me out.
So instead of doing that, I first removed all ports from my br-lan bridge device (which is still added to the LAN interface), pressed save without applying changes, then created a new bridge device and added all the ports I just removed from the br-lan device, and then proceeded to edit the VLAN bridge filtering on that new device.
Set all ports to VLAN ID 1, untagged, and primary VLAN like this:



After that change, I went back to the now empty br-lan device, and added the software VLAN device vlan.1, which got automatically created after I made the VLAN filtering changes to the bridge ports:

Did not need to make any changes to the LAN interface as the br-lan was already a member of it, so hit save and apply, and didn't get locked out!
Now I went back to the VLAN bridge device and proceeded to add VLAN 10, left the two other ports as non-members, and set port 2 as tagged like this:


After that, just like before, a new device called vlan.10 got automatically created. I went ahead and created a new interface, configured the range I wanted, turned on DHCP and set the firewall zone to the LAN zone for testing purposes (I do not want that though), hit apply changes, and still did not get locked out at this point.

Configured my switch like you suggested, port 2 is where the webserver is, port 5 is the uplink to the openwrt router:

The device that's connected on port 2 at the switch at this point finally got on a different subnet through DHCP, success!
However, it could still reach VLAN1 and VLAN1 could reach it, which is not what I wanted to do, so I followed the firewall portion of this guide to create a new firewall zone to block it off from the rest of the LAN:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface#firewall

And everything is working as intended. My only concern is the weird configuration where I have a bridge device inside of a bridge device, which intuitively doesn't make much sense, but this is how I saw it being done in another post I stumbled on on Reddit, and since for the time being I see no issues on my LAN I will leave it as is.

Thank you for your help and pushing me in the right direction!
