VLAN isolation with OpenWrt as gateway

Hi, I'm struggling to figure out how to make a VLAN to isolate all the devices connected to a given Ethernet port from the rest of my LAN. I have OpenWrt installed on an Archer C7 which acts as the gateway for my network, i.e. my ISP-provided modem is in bridge mode connected to its WAN port, and everything else is connected to its LAN ports.

What I tried was to change the default VLAN configuration in /etc/config/network FROM

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4 5'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

TO

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 2'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'lanseparate'
        option type 'bridge'
        option ifname 'eth1.3'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

Where port 0 is the CPU port for eth1 on my device, and VLAN 2 is the one preconfigured for WAN. I also checked the changes in the LuCI interface and made sure that all the settings for the lanseparate interface were identical to the lan interface except, of course, for the 'eth1.x' ifname and IP address, so it should have been able to do DHCP correctly. Lastly, I made the same firewall zone forwarding rule for lanseparate=>wan as already existed for lan=>wan.

I'm not sure what logs or config files would be useful to help troubleshoot this, but the apparent error I'm getting is seen in the LuCI Interfaces window, where lanseparate fails to start and gives the error "Network device is not present". Of course, when I connect to the Ethernet port in lanseparate, my device just doesn't get assigned an IP address.

I feel like I've misunderstood something about how VLANs can be configured, and possibly whether this is something my hardware can do? In that case, is there a nice way to define some firewall rules with a list of IP addresses which cannot send or receive any packets from any unlisted addresses on the LAN subnet besides the gateway?

Thanks.

Collect the diagnostics and post them to pastebin.com, redacting the private parts:

ubus call system board; uci show network; uci show wireless; \
uci show dhcp; uci show firewall; \
ip address show; ip route show table all; \
ip rule show; iptables-save -c; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Wow, I'm sorry for making an idiot post about this. I reverted my network settings last night after posting. Today, when I tried to recreate the same configuration in order to produce those diagnostics, lo and behold, it works exactly as expected. I suspect there's some kind of path dependence to the changes I made, where I floundered a bit on the way to the configuration I described (e.g. giving the lanseparate interface the same address as the lan interface when it was first initialized). If anyone wants to recreate a similar setup on their device, what worked was to first configure the switch VLAN settings (Network->Switch in LuCI), then the Interface settings (Network->Interfaces), then the firewall lanseparate=>wan setting.

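The complete set of config sections that the three-step procedure above (switch VLAN, then interface, then firewall) produces, written out as an added example; this is not a config from the original thread or from the OpenWrt project, it reuses the port numbers, VLAN ID 3, the name lanseparate and the 192.168.2.0/24 subnet from the thread, and it keeps the pre-21.02 `ifname`/`type bridge` syntax the thread's own /etc/config/network uses. The /etc/config/dhcp and /etc/config/firewall sections, the REJECT policies and the DHCP/DNS allow rules are assumptions about what an isolated segment should look like, not something the thread states:

```uci
# /etc/config/network (swconfig-era syntax, matching the thread)
# Port 0 is the CPU port for eth1. It must be tagged ("0t") on every VLAN it
# carries; the kernel creates eth1.3 only after this switch config is applied,
# which is why an interface bound to eth1.3 before that reports
# "Network device is not present".
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 2'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'lanseparate'
        option type 'bridge'
        option ifname 'eth1.3'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# /etc/config/dhcp (assumed section): without a dhcp section for the new
# interface dnsmasq hands out no leases on it, so clients stay without an IP.
config dhcp 'lanseparate'
        option interface 'lanseparate'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/firewall (assumed sections): a zone of its own.
# Adding 'lanseparate' to the existing lan zone's network list would give it
# lan's forwardings and undo the isolation the VLAN provides.
config zone
        option name 'lanseparate'
        list network 'lanseparate'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# The only forwarding: lanseparate -> wan. No forwarding in either direction
# between lanseparate and lan, so the two segments cannot reach each other.
config forwarding
        option src 'lanseparate'
        option dest 'wan'

# With input REJECT the gateway must still answer DHCP and DNS.
config rule
        option name 'Allow-DHCP-lanseparate'
        option src 'lanseparate'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-lanseparate'
        option src 'lanseparate'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
```

Apply the three files in that order (`/etc/init.d/network restart`, then `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`) and check with `swconfig dev switch0 show` that port 2 carries only VID 3 and with `ip link` that eth1.3 exists before blaming the interface config. The IP-list firewall alternative asked about in the first post does not work as a substitute: two hosts on the same subnet and VLAN exchange frames through the switch without the gateway ever seeing them, so only a separate VLAN (or per-port isolation on the switch itself) keeps them apart.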

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.