VLAN does not have internet

I have internet on my vlan1.10, but the other VLANs have no access to the internet.

Please kindly help me out.
Thank you in advance

cat /etc/config/network



config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '172.16.10.127'
        option device 'br-vlan.10'
        option gateway '172.16.10.1'
        list dns '172.16.10.1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'vtun0'
        option proto 'none'
        option device 'tun0'

config interface 'vtun1'
        option proto 'none'
        option device 'tun1'

config interface 'vtun3'
        option proto 'none'
        option device 'tun3'

config interface 'vtun4'
        option proto 'none'
        option device 'tun4'

config interface 'vtun5'
        option proto 'none'
        option device 'tun5'

config interface 'vtun6'
        option proto 'none'
        option device 'tun6'

config interface 'vtun7'
        option proto 'none'
        option device 'tun7'

config interface 'vtun2'
        option proto 'none'
        option device 'tun2'

# Bridge device 'br-vlan'.
# NOTE(review): the member ports below include br-vlan.10 ... br-vlan.500. Those names
# are the VLAN sub-interfaces of this same bridge (the 'lan' and 'vlanNNN' interface
# sections use them as `option device`), so the bridge lists devices derived from
# itself as its own ports -- the circular reference the first reply in this thread
# points out.
# NOTE(review): eth0 is a port here and is also the device of 'wan' and 'wan6', so the
# same NIC is both bridge member and WAN uplink in this config.
config device
        option type 'bridge'
        option name 'br-vlan'
        list ports 'br-vlan.10'
        list ports 'br-vlan.100'
        list ports 'br-vlan.200'
        list ports 'br-vlan.300'
        list ports 'br-vlan.400'
        list ports 'br-vlan.500'
        list ports 'eth0'

config bridge-vlan
        option device 'br-vlan'
        option vlan '100'
        list ports 'br-vlan.100:t'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-vlan'
        option vlan '200'
        list ports 'br-vlan.200:t'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-vlan'
        option vlan '300'
        list ports 'br-vlan.300:t'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-vlan'
        option vlan '400'
        list ports 'br-vlan.400:t'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-vlan'
        option vlan '500'
        list ports 'br-vlan.500:t'
        list ports 'eth0:t'

# Static gateway addresses for VLANs 100-500, one interface per br-vlan.N device.
# NOTE(review): none of these subnets is in the RFC 1918 private ranges (10.0.0.0/8,
# 172.16.0.0/12, 192.168.0.0/16); 172.94.x.x lies outside 172.16-172.31. They are
# publicly routable address space that belongs to other networks. Using them internally
# makes the real hosts in those /24s unreachable from these VLANs and makes
# "private vs. public" firewall/ACL reasoning and log review misleading. Prefer
# private ranges (constructed example: 192.168.100.1/24 for VLAN 100).
config interface 'vlan100'
        option proto 'static'
        option device 'br-vlan.100'
        option ipaddr '172.94.89.1'
        option netmask '255.255.255.0'
        # Only vlan100 carries its own DNS list; the other VLAN interfaces define none.
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'vlan200'
        option proto 'static'
        option device 'br-vlan.200'
        option ipaddr '102.89.46.1'
        option netmask '255.255.255.0'

config interface 'vlan300'
        option proto 'static'
        option device 'br-vlan.300'
        option ipaddr '201.206.70.1'
        option netmask '255.255.255.0'

# NOTE(review): vlan400 has no `option netmask`, unlike the other four VLAN interfaces;
# add an explicit netmask so the subnet (and the DHCP pool defined for vlan400) is
# unambiguous.
config interface 'vlan400'
        option proto 'static'
        option device 'br-vlan.400'
        option ipaddr '120.158.17.1'

config interface 'vlan500'
        option proto 'static'
        option device 'br-vlan.500'
        option ipaddr '112.14.28.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-vlan'
        option vlan '10'
        list ports 'eth0:u*'

cat /etc/config/firewall


config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'lan_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Firewall zone holding all five VLAN networks.
# NOTE(review): a zone's `forward` policy applies to traffic between the networks that
# share the zone, so `forward 'ACCEPT'` here lets vlan100..vlan500 reach each other
# through the router. If the VLANs are meant to be isolated from one another, give each
# its own zone (or set forward to REJECT) and add only the forwardings that are needed.
# NOTE(review): `input 'ACCEPT'` lets every host on these VLANs reach all services on
# the router itself (management UI, SSH, DNS, DHCP); for untrusted segments, REJECT
# input and allow only DNS/DHCP with explicit rules.
config zone
        option name 'vlan_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan100'
        list network 'vlan200'
        list network 'vlan300'
        list network 'vlan400'
        list network 'vlan500'

config forwarding
        option src 'lan_fw'
        option dest 'wan_fw'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan_fw'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan_fw'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan_fw'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan_fw'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan_fw'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan_fw'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan_fw'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan_fw'
        option dest 'lan_fw'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan_fw'
        option dest 'lan_fw'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'vlan_fw'
        option dest 'wan_fw'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config zone
        option name 'vtun_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun0'
        list network 'vtun1'
        list network 'vtun3'
        list network 'vtun4'
        list network 'vtun5'
        list network 'vtun6'
        list network 'vtun7'
        list network 'vtun2'

# Forward rules copied from the default wan->lan IPsec pair, retargeted at vlan_fw.
# They ACCEPT forwarded ESP and UDP/500 (ISAKMP/IKE) from the WAN zone to every network
# in vlan_fw, with no destination address restriction.
# NOTE(review): keep these only if an IPsec endpoint actually lives in one of the VLANs;
# otherwise remove them, or narrow them with `option dest_ip` to that endpoint, so the
# WAN side is not allowed to send this traffic towards all VLAN hosts.
config rule
        option name 'Allow-IPSec-ESP-V'
        option src 'wan_fw'
        option dest 'vlan_fw'
        option target 'ACCEPT'
        list proto 'esp'

config rule
        option name 'Allow-ISAKMP-V'
        option src 'wan_fw'
        option dest 'vlan_fw'
        option target 'ACCEPT'
        option dest_port '500'
        list proto 'udp'

cat /etc/config/dhcp


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'vlan100'
        option interface 'vlan100'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'vlan200'
        option interface 'vlan200'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'vlan400'
        option interface 'vlan400'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'vlan500'
        option interface 'vlan500'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'vlan300'
        option interface 'vlan300'
        option start '100'
        option limit '150'
        option leasetime '12h'

Your vlans and bridges are entirely wrong in terms of the syntax. You've bridged the VLANs together, which defeats the purpose of VLANs in the first place. Then you've got them all defined incorrectly with circular references.

You need to reset and start from scratch. I'd recommend building out only one additional VLAN (not 6) and not setting up the tunnels until you have a recipe that works.


Here is the new and fresh start.

Show me how to set it up so the VLANs work.
Thank you for helping
cat /etc/config/network



config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '172.16.10.117'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

You've got an issue here because eth0 is used in both wan and lan. You either need one of them to be a tagged VLAN or you need to use different devices.

Which route do you plan to take?

I am more confused now. I am using Proxmox.
Can you show me how to do it? I will follow up from there.
thank you

Virtualizing OpenWrt is not always particularly easy -- it must be handled properly on the virtualization host + supervisor/hypervisor.

https://openwrt.org/docs/guide-user/virtualization/start

In this case, you need to have either:

  • 2 (virtual or physical) ethernet adapters assigned to the OpenWrt VM -- one for lan and one for wan

or

  • VLANs defined within the networking configuration of proxmox on the network adapter that is assigned to the VM.

I used an OVS IntPort and an OVS bridge, but there is no internet. Right now my only problem is getting internet: there is an internet connection on the lan only. If you can show me an example, I will make good progress.

I don't use proxmox. The proxmox (or any VM host, for that matter) configuration is absolutely critical for this to work. You need to review the proxmox networking configurations and maybe ask on the proxmox support channels to ensure you have the correct setup for running a routing OS in a virtual machine.

That said, are you mapping a physical port directly to the VM, or are you using proxmox's internal networking stack?

If you show me an example, I will fix it. For example, if you have a router that has only one eth0 port, how would you configure it? Teach me, and I will do the rest.

You have not yet described the rest of the networking setup. This is important.

  • Why are you virtualizing OpenWrt? Can you run it bare-metal instead? (virtualization is not recommended in general)
  • How many physical ethernet ports does your PC have?
  • Is this OpenWrt installation being used to route for a physical network behind this router, or is it only for routing other virtual hosts?
  • Do you have a managed switch?

A diagram of your desired topology would be very helpful. A simple sketch on paper is fine -- just take a picture and upload it to the forum.

it is only for routing other virtual hosts

Ok... so I have no idea how to help you with the proxmox settings (because I don't use proxmox), but typically you want to setup 2 network adapters for your VM -- one is the upstream (i.e. wan), and the other will be the lan. In this case, you need the lan to be an "internal network" (in the terms of VirtualBox) that is for networking between VMs within the same virtualization host. Each of your VMs must have a similar connection so that you can form the virtual lan.

Figure that part out first, then you can deal with the OpenWrt side.

It is not about the Proxmox settings, please. It is about my OpenWrt. How can I make a VLAN from eth0 or br-lan? Let's say you are using your physical router with only an eth0 port. If you show me, I will implement it on Proxmox.

I'll show you how to make a VLAN, but my guess is that it will not solve your problem, because the proxmox environment must also be configured appropriately.

We'll make the wan eth0.2 and the lan eth0.1.

This means that the wan will be tagged VLAN 2, and the lan will be tagged VLAN 1.

# Example from the reply: split the single NIC into two tagged VLANs so that wan and
# lan no longer share the same untagged device.
# wan uses eth0.2, i.e. frames tagged with VLAN ID 2 on eth0.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.2'
# br-lan's only member port is eth0.1, i.e. frames tagged with VLAN ID 1 on eth0.
# Untagged eth0 is no longer referenced by either section.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

If the VLANs are not configured on the other side of this virtual link (i.e. within proxmox and/or the other associated machines), this will cause your openwrt VM to lose all connectivity.

My question was clear: Proxmox is seeing the VLANs and everything is working well. The only problem is that there is no internet on the VLANs. If I connect to the lan interface, there is internet access. It is a straightforward question and needs a straightforward solution. For example, br-lan.100 is VLAN 100; Proxmox sees it and assigns the IP address to it, but there is no internet. It is not distributing the connection to the VLAN.

let's see your latest config, then.

here is it. thank you
cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

# LAN interface on br-lan with a static address.
# NOTE(review): `option gateway` on lan points at 172.16.10.1 while 'wan' below is a
# DHCP client on eth0; both can supply a default route -- confirm which one is meant to
# be the upstream.
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '172.16.10.132'
        option device 'br-lan'
        option gateway '172.16.10.1'
        list dns '172.16.10.1'

# NOTE(review): wan and wan6 use untagged eth0, and eth0 is also the only port of
# br-lan further down -- the same conflict the reply earlier in this thread describes
# ("eth0 is used in both wan and lan"). The suggested eth0.1 / eth0.2 split has not
# been applied here.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        # NOTE(review): VLAN filtering is enabled, but this paste contains no
        # `config bridge-vlan` sections stating which VLAN IDs are allowed on eth0
        # (tagged or untagged) -- confirm the VLAN membership is defined somewhere.
        option vlan_filtering '1'

config interface 'vlan100'
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# NOTE(review): type '8021ad' is the IEEE 802.1ad stacked ("QinQ") tag, which uses a
# different EtherType from ordinary 802.1Q; br-lan.200 below is '8021q'. If the peer
# side tags VLAN 100 with plain 802.1Q, this device will not match those frames --
# the mismatch looks unintended; confirm.
config device
        option type '8021ad'
        option ifname 'br-lan'
        option vid '100'
        option name 'br-lan.100'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '200'
        option name 'br-lan.200'

# NOTE(review): 102.89.46.118/24 is not an RFC 1918 private address (vlan100 above
# uses 192.168.10.1, which is). Numbering an internal VLAN from publicly routable
# space makes the real hosts in that /24 unreachable from this VLAN and muddies
# firewall and log analysis; prefer a private range.
config interface 'vlan200'
        option proto 'static'
        option device 'br-lan.200'
        option ipaddr '102.89.46.118'
        option netmask '255.255.255.0'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'vlan100'
        option interface 'vlan100'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'vlan200'
        option interface 'vlan200'
        option start '100'
        option limit '150'
        option leasetime '12h'

cat /etc/config/firewall



config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan_fw'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan_fw'
        option dest 'wan_fw'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan_fw'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan_fw'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan_fw'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan_fw'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan_fw'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan_fw'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan_fw'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan_fw'
        option dest 'lan_fw'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan_fw'
        option dest 'lan_fw'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Zone for both VLAN networks, plus the forwarding that lets the zone reach WAN.
# NOTE(review): vlan100 and vlan200 share one zone with `forward 'ACCEPT'`, so traffic
# between the two VLANs is permitted through the router; use separate zones (or
# forward REJECT) if the VLANs are meant to be isolated from each other.
# NOTE(review): `input 'ACCEPT'` exposes all router services (management UI, SSH, DNS,
# DHCP) to hosts on these VLANs; for untrusted segments, REJECT input and allow only
# DNS/DHCP explicitly.
config zone
        option name 'vlan_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan100'
        list network 'vlan200'

# vlan_fw -> wan_fw forwarding: the firewall side of internet access for the VLANs
# (masquerading is enabled on wan_fw above).
config forwarding
        option src 'vlan_fw'
        option dest 'wan_fw'

You did not follow the directions I just gave you.

Reset to defaults and start over, following the method that I described earlier.

can you send me example.

Right here is the example: