VLAN between 3 routers

Hi all,

I am trying to setup my routers in the following setup.

My target is to let clients on router 2 and router 3 have access to the internet, but not to each other. From what I have read, port 4 of routers 2 and 3 needs to act as a trunk.

I got the port numbers from using

swconfig list

Found: switch0 - rt305x
swconfig dev rt305x show

The output of the above is:

Global attributes:
        enable_vlan: 1
        alternate_vlan_disable: 0
        bc_storm_protect: 0
        led_frequency: 0
Port 0:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 0
        recv_bad: 0
        recv_good: 21858
        tr_bad: 0
        tr_good: 13855
        pvid: 0
        link: port:0 link:up speed:100baseT full-duplex
Port 1:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:1 link:down
Port 2:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:2 link:down
Port 3:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:3 link:down
Port 4:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 17605
        tr_bad: 0
        tr_good: 26459
        pvid: 0
        link: port:4 link:up speed:100baseT full-duplex
Port 5:
        disable: 1
        doubletag: 0
        untag: 1
        led: ???
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:5 link:down
Port 6:
        disable: 0
        doubletag: 0
        untag: 0
        led: ???
        lan: ???
        recv_bad: ???
        recv_good: ???
        tr_bad: ???
        tr_good: ???
        pvid: 0
        link: port:6 link:up speed:1000baseT full-duplex
VLAN 0:
        ports: 0 1 2 3 4 5 6t

I am assuming port 6 is the CPU port, as it is the only 1000baseT connection.

The output of

swconfig dev rt305x show

is

switch0: rt305x(rt305x-esw), ports: 7 (cpu @ 6), vlans: 4096
     --switch
        Attribute 1 (int): enable_vlan (VLAN mode (1:enabled))
        Attribute 2 (int): alternate_vlan_disable (Use en_vlan instead of doubletag to disable VLAN mode)
        Attribute 3 (int): bc_storm_protect (Global broadcast storm protection (0:Disable, 1:64 blocks, 2:96 blocks, 3:128 blocks))
        Attribute 4 (int): led_frequency (LED Flash frequency (0:30mS, 1:60mS, 2:240mS, 3:480mS))
        Attribute 5 (none): apply (Activate changes in the hardware)
        Attribute 6 (none): reset (Reset the switch)
     --vlan
        Attribute 1 (ports): ports (VLAN port mapping)
     --port
        Attribute 1 (int): disable (Port state (1:disabled))
        Attribute 2 (int): doubletag (Double tagging for incoming vlan packets (1:enabled))
        Attribute 3 (int): untag (Untag (1:strip outgoing vlan tag))
        Attribute 4 (int): led (LED mode (0:link, 1:100m, 2:duplex, 3:activity, 4:collision, 5:linkact, 6:duplcoll, 7:10mact, 8:100mact, 10:blink, 11:off, 12:on))
        Attribute 5 (int): lan (HW port group (0:wan, 1:lan))
        Attribute 6 (int): recv_bad (Receive bad packet counter)
        Attribute 7 (int): recv_good (Receive good packet counter)
        Attribute 8 (int): tr_bad (Transmit bad packet counter. rt5350 only)
        Attribute 9 (int): tr_good (Transmit good packet counter. rt5350 only)
        Attribute 10 (int): pvid (Primary VLAN ID)
        Attribute 11 (unknown): link (Get port link information)

This is my current config on router 2 in openwrt:

/etc/config/network

config globals 'globals'
	option ula_prefix 'fd3e:beea:bf91::/48'

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.53.30'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.53.1'
	list dns '192.168.53.1'
/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option channel '11'
	option band '2g'
	option htmode 'HT40'
	option cell_density '0'
	option country 'MT'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'R08-MR-2.4'
	option encryption 'psk2'
	option key '*'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '124'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option txpower '23'
	option country 'ZA'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'R08-MR-5.0'
	option encryption 'psk2'
	option key '*'
/etc/config/dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.11.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
/etc/config/firewall

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

My first issue is that I cannot separate the WAN port from the two LAN ports. This should be possible, as the stock firmware worked that way.

I tried replacing

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.53.30'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.53.1'
	list dns '192.168.53.1'

with

config interface 'lan'
	option ifname 'eth0.1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.53.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

but the router then becomes inaccessible from all ports.

I also tried enabling the switch menu in openwrt with:

config switch_port
	option device 'switch0'
	option disable '0'

config switch_vlan
	option device 'switch0'
	option vlan '0'
	option vid '0'
	option ports '0 1 2 3 4 5 6t'

but the switch menu in LuCI complains that the switch has an unknown topology.

Hi

since ALL of your devices are in the same subnet (192.168.53.x/24) and your device is old-style swconfig, your goal is almost impossible with this network design

either you need to

  1. re-think the addressing of your clients (separate VLANs, separate address space, one common address space for management of the APs)

or

  1. you need a DSA device (at least for the main router), and then you could play with the firewall and separate the LAN2 and LAN4 ports to prevent communication between the 2 devices

I can change the main router, but I think I need them on the same subnet, as I want to VPN onto the main router and be able to access the devices on the networks of router two and three.

Nonetheless, I read that with swconfig it is still possible to have one port act as a trunk port. I just need to know how to configure it.

You don't need a DSA device to achieve VLANs and isolation...

But, going back to some basics...
Are all 3 routers running OpenWrt? If so, the best way to approach this is to configure all the networks on the main router -- you'll want 2 or 3 distinct subnets. Then, using VLANs, you'll distribute those to the other devices, and then you can set up the ports and/or wifi such that the client devices join the desired network.

The firewall on the main router will govern the inter-vlan routing that is allowed (or not allowed). And, from there, the VPN can also gain access to all of the devices if desired.


Hey, thanks for your reply. Yes, all three routers are running OpenWrt, and I can divide the routers into different subnets as long as I can eventually route some particular traffic from the main router to devices on the sub-routers.

very very opposing statements ...

yes .... but in context I meant: I need them on the same subnet so I can access the devices when I VPN into the main router. But if I can still do that with different subnets, then fine, I can have them on different subnets.

You can access different subnets through the same VPN tunnel. That is what routers are for -- routing between different subnets.

It should be pretty simple... do you need help setting up the new subnets and VLANs on your main router?


I can reorganise my network into different subnets. My first issue is getting my router to subdivide eth0 into eth0.1, eth0.2 and eth0.3 to represent the three physical ports. Then I can start setting up a VLAN trunk on one of them.

Ok understood thanks.

Maybe, maybe not.

From the main router, let's see:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
{
        "kernel": "5.15.123",
        "hostname": "Malital-R09",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "Xiaomi Mi Router 4A (100M International Edition V2)",
        "board_name": "xiaomi,mi-router-4a-100m-intl-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r23676+1-57fda4b743",
                "target": "ramips/mt76x8",
                "description": "OpenWrt SNAPSHOT r23676+1-57fda4b743"
        }


cat /etc/config/network

config globals 'globals'
	option ula_prefix 'fd3e:beea:bf91::/48'

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.53.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.0.2'
	list dns '192.168.0.2'

It looks like the original default configuration, which sets up two networks (lan and wan) with VLANs through the switch, has been removed. If you reset a unit to the default configuration you should see it, and it will be very useful as a guide to adding additional VLANs.

Also this model has release builds; it is recommended to use 23.03.2 instead of snapshot.


There is no official release for this model. This is the R4ACv2, and the only firmware that worked was this snapshot, which was compiled by @werecatf. There is a PR for this patch, but it still needs more reviews before it can be included.

Even if I reset the unit, I still get this configuration, just with the IP addresses set to default. No wan interface is ever set up, and this is my first issue, as I need it for the main router.

I was thinking of configuring br-lan with ports 'eth0.2' and 'eth0.4' and the wan with 'eth0.0', which reflects the port number that I get in the log when I unplug the ethernet cable from the WAN port:

Sun Mar  3 09:01:10 2024 kern.info kernel: [80781.156967] rt3050-esw 10110000.esw: port 0 link down
Sun Mar  3 09:01:13 2024 kern.info kernel: [80783.802343] rt3050-esw 10110000.esw: port 0 link up

Ok I managed to bring up the wan interface. I did this:

config globals 'globals'
	option ula_prefix 'fd3e:beea:bf91::/48'

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option enable '1'

config switch_port
	option device 'switch0'
	option port '0'
	option disable '0'

config switch_port
	option device 'switch0'
	option port '1'
	option disable '0'

config switch_port
	option device 'switch0'
	option port '2'
	option disable '0'

config switch_port
	option device 'switch0'
	option port '3'
	option disable '0'

config switch_port
	option device 'switch0'
	option port '4'
	option disable '0'

config switch_port
	option device 'switch0'
	option port '5'
	option disable '0'

config switch_port
	option device 'switch0'
	option port '6'
	option disable '0'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '1 2 3 4 5 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '0 6t'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.53.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.11.100'
	list dns '192.168.11.100'

config interface 'wan'
	option device 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.11.100'
	option netmask '255.255.255.0'
	option gateway '192.168.11.1'
	list dns '192.168.11.1'

This brought up the wan interface and it is working as expected. I'm not sure about the tagging part and the ports part.

From swconfig and LuCI I deduced the following port mapping:

swconfig Port 4 = LAN 1 = Port 5 on luci
swconfig Port 2 = LAN 2 = Port 3 on luci
swconfig Port 0 = WAN   = Port 1 on luci
swconfig Port 6 = CPU   = Port 6 on luci

But in LuCI I get this:

Apart from the notice in yellow saying "Switch switch0 has an unknown topology - the VLAN settings might not be accurate.", the CPU port is shown as untagged. In the network config I had tagged port 6 on both VLANs, but this doesn't show up in LuCI.

On the devices tab I get: