VLAN config: no connection to the internet and no access to the printer

Hello, I need to create 3 VLANs. LAN3 must be isolated from LAN4, and both must be able to access the network printer on LAN5. This is the network diagram:
(network diagram image: network-openwrt)
I'm unable to reach the printer, and VLAN 4 and VLAN 5 can't connect to the internet.

My configurations are below:

Managed switch

  • VLAN3
    Port: 1T, 3U, 4U
    PVID: Port 3,4 - PVID 3
  • VLAN4
    Port: 1T, 5U, 6U
    PVID: Port 5,6 - PVID 4
  • VLAN5
    Port: 1T, 7U
    PVID: Port 7 - PVID 5

Port 1 connects the switch to the modem.

OpenWRT router
Interfaces:

  • LAN3 (eth0.3) 192.168.30.1/24, GW 192.168.30.1
  • LAN4 (eth0.4) 192.168.40.1/24, GW 192.168.40.1
  • LAN5 (eth0.5) 192.168.50.1/24, GW 192.168.50.1

Firewall

  • LAN3 --> WAN (accept, accept, accept)
  • LAN4 --> WAN (accept, accept, accept)
  • LAN5 --> WAN (accept, accept, accept)

ISP modem

  • IP: 192.168.1.1/24

What's wrong?

@Voltron, welcome to the community!

Can you provide the relevant configs...?

(It may be that you haven't allowed the zones of the other networks to reach the VLAN 5 network.)

To be clear, you didn't set gateways on the LANs, correct?

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Thank you for the answers. On the clients I've set the gateway to "192.168.30.1" for LAN3, "192.168.40.1" for LAN4 and "192.168.50.1" for LAN5.
I've attached the configs requested below:

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REMOVED/48'

config interface 'lan'
	option force_link '1'
	option macaddr 'REMOVED'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option _orig_ifname 'eth0.1 wlan0'
	option _orig_bridge 'true'
	option ifname 'eth0.1 eth0.2'
	option broadcast '192.168.0.255'
	option ipaddr '192.168.1.77'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'

config interface 'wan'
	option ifname 'eth0.2'
	option force_link '1'
	option macaddr 'REMOVED'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'
	option vid '2'

config interface 'wwan'
	option proto 'dhcp'

config interface 'lan4'
	option proto 'static'
	option ifname 'eth0.4'

config interface 'lan3'
	option ifname 'eth0.3'
	option _orig_ifname 'eth0.3'
	option _orig_bridge 'false'
	option proto 'static'
	option netmask '255.255.255.0'
	option broadcast '192.168.30.255'
	option dns '8.8.8.8'
	option ipaddr '192.168.30.1'
	option gateway '192.168.30.1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 4t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4t 6t'
	option vid '5'

config interface 'lan5'
	option proto 'static'
	option ifname 'eth0.5'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
	option gateway '192.168.50.1'
	option broadcast '192.168.50.255'
	option dns '8.8.8.8'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 4t 6t'
	option vid '4'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'lan3'
	option network 'lan3'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'lan3'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'lan4'
	option network 'lan4'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'lan4'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'lan5'
	option forward 'ACCEPT'
	option network 'lan5'

config forwarding
	option dest 'wan'
	option src 'lan5'

_orig_ifname and _orig_bridge are obsolete, you can remove them.

Remove eth0.2 since it is already used by interface wan.

This refers to the wrong network. Instead of correcting it, I suggest removing it and relying on the default.

Remove gateway and dns.
Update: Since the ISP modem is also using an IP address from the 192.168.1.0/24 network ...

... I suggest changing one of them to a different subnet. There is a guide in the wiki on how to access the modem with the new configuration.

ipaddr and netmask are missing.

Remove dns and gateway, perhaps also broadcast. Again, you could also remove _orig_ifname and _orig_bridge.
If you want LAN3 devices to use a custom DNS server, set up DHCP accordingly.

Again, remove dns and gateway.

Some OpenWrt devices do not support mixing tagged and untagged VLANs on the same port.
I suggest removing 4 from ports, or setting it to 4t if you want VLAN 1 to be part of the trunk.

LAN VLANs should not be extended to the ISP modem; I suggest removing 0t.

Again, remove 0t from both VLANs.

In addition, I suggest swapping the VLAN IDs so that each matches its VLAN index.
However, this is just a cosmetic change to avoid confusion.

Since the mapping of port numbers to physical ports is device-specific, I made some assumptions:

  • 6 = CPU
  • 0 = WAN
  • 1..4 = LAN1 .. LAN4 (not necessarily in this order)
  • external managed switch connected to internal switch port number 4 (whatever LANx that may correspond to)

For each of lan3, lan4 and lan5, set:

	option forward 'REJECT'

Instead, add specific forwarding rules:

config forwarding
	option src 'lan3'
	option dest 'lan5'

config forwarding
	option src 'lan4'
	option dest 'lan5'

Since the printer is located on a separate VLAN, it is unlikely to be discovered automatically by the clients.
However, addressing the printer directly should work.

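As an added example (not code from the thread, and not part of OpenWrt), the following Python script parses UCI-style config text and checks for the issues raised in the reply above: on the switch side, a LAN VLAN extended to the WAN port, a port that mixes tagged and untagged VLANs, and a vid that differs from its vlan index; on the firewall side, which zones may forward to which, so that the lan3/lan4 isolation and access to the lan5 printer can be confirmed from the config alone. The port roles (6 = CPU, 0 = WAN) are the reply's assumptions, and the two embedded configs are constructed from the thread rather than copied from a device.

```python
# Added example, not code from the thread: a small UCI parser plus checks for the
# switch and firewall fixes suggested in the reply above. Port roles follow the
# reply's assumptions (6 = CPU, 0 = WAN); the embedded configs are constructed.
import shlex

CPU_PORT, WAN_PORT = '6', '0'  # assumed internal switch port roles


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]; 'list' keys collect lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == 'config':
            cur = {'type': parts[1], 'name': parts[2] if len(parts) > 2 else None, 'opts': {}}
            sections.append(cur)
        elif cur is not None and len(parts) == 3 and parts[0] == 'option':
            cur['opts'][parts[1]] = parts[2]
        elif cur is not None and len(parts) == 3 and parts[0] == 'list':
            cur['opts'].setdefault(parts[1], []).append(parts[2])
    return sections


def lint_switch_vlans(net):
    """Flag a LAN VLAN that carries the WAN port, a port that mixes tagged and
    untagged membership, and a vid that differs from its vlan index."""
    # VIDs used by the 'wan' interface (eth0.<vid>) are the only ones allowed on port 0.
    wan_vids = {d.split('.', 1)[1] for s in net if s['type'] == 'interface'
                and s['name'] == 'wan' for d in s['opts'].get('ifname', '').split() if '.' in d}
    findings, modes = [], {}  # modes: port -> {True (tagged), False (untagged)} seen
    for s in net:
        if s['type'] != 'switch_vlan':
            continue
        vlan = s['opts'].get('vlan')
        vid = s['opts'].get('vid', vlan)
        if vid != vlan:
            findings.append(f'vlan {vlan}: vid {vid} differs from index (cosmetic)')
        for p in s['opts'].get('ports', '').split():
            num, tagged = p.rstrip('t'), p.endswith('t')
            modes.setdefault(num, set()).add(tagged)
            if num == WAN_PORT and vid not in wan_vids:
                findings.append(f'vlan {vlan}: LAN VLAN extended to WAN port ({p})')
    findings += [f'port {p}: mixes tagged and untagged VLANs'
                 for p, m in sorted(modes.items()) if p != CPU_PORT and len(m) > 1]
    return findings


def zone_reachability(fw):
    """src zone -> zones it may forward to. A zone's own 'forward' option only
    covers traffic between networks inside that zone; cross-zone traffic follows
    the 'defaults' policy unless a 'forwarding' section allows it (explicit
    'rule' sections are not modelled here)."""
    zones = [s['opts']['name'] for s in fw if s['type'] == 'zone']
    default = next((s['opts'].get('forward', 'REJECT') for s in fw if s['type'] == 'defaults'), 'REJECT')
    reach = {z: (set(zones) - {z} if default == 'ACCEPT' else set()) for z in zones}
    for s in fw:
        if s['type'] == 'forwarding':
            reach.setdefault(s['opts']['src'], set()).add(s['opts']['dest'])
    return reach


def printer_policy_ok(fw):
    """The thread's goal: lan3 and lan4 isolated from each other, both reaching lan5."""
    r = zone_reachability(fw)
    return all(('lan4' not in r.get('lan3', ()), 'lan3' not in r.get('lan4', ()),
                'lan5' in r.get('lan3', ()), 'lan5' in r.get('lan4', ())))


# Constructed from the posted /etc/config/network: only the sections the lint needs.
NETWORK_BEFORE = """
config interface 'wan'
	option ifname 'eth0.2'
config switch_vlan
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'
config switch_vlan
	option vlan '4'
	option ports '0t 4t 6t'
	option vid '5'
"""

# Constructed: the zone and forwarding layout the reply recommends (wan zone omitted).
FIREWALL_AFTER = """
config defaults
	option forward 'REJECT'
config zone
	option name 'lan3'
	option forward 'REJECT'
config zone
	option name 'lan4'
	option forward 'REJECT'
config zone
	option name 'lan5'
	option forward 'REJECT'
config forwarding
	option src 'lan3'
	option dest 'lan5'
config forwarding
	option src 'lan4'
	option dest 'lan5'
"""
```

Feed the text of /etc/config/network to lint_switch_vlans and /etc/config/firewall to zone_reachability: an empty finding list, and a reachability map in which 'lan4' is absent from 'lan3' (and vice versa) while 'lan5' appears in both, is what the reply's changes are meant to produce. The reachability model covers forwarding sections and the defaults policy only; any rule section that ACCEPTs cross-zone traffic has to be reviewed separately.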