VLAN on WAN for the router itself and downstream LAN device

Hi,

My current setup looks like this

  • ISP wire connects to OpenWrt and it needs PPPoE for internet
  • LAN1 port connects to a laptop running proxmox
  • WLAN is for wifi devices

I want to create a virtualized router that I can use to experiment without disturbing the internet for others. In simple terms, I want to use the WAN in the OpenWrt router and pass it through LAN1 to the laptop. The laptop would need both LAN (for management) and WAN (for creating a virtualized OpenWRT and dialling another PPPoE for local VMs).

Here is what I did

  • I created a bridge interface with ports WAN and LAN1
  • Then I created a VLAN filtering rule for VLAN 100 (to be used by OpenWrt) and VLAN 101
  • VLAN 100 WAN is untagged and LAN1 is not participating and I created PPPoE interface on this vlan device and it works
  • VLAN 101 WAN is untagged and LAN1 is tagged, then in proxmox, I added a network device to openwrt VM with 101 VLAN ID.
  • Virtualized OpenWRT is failing in PPPoE connection.

uci export

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option sequential_ip '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_slaac '0'
	list dns 'fd4e:8e45:335f::52'
	list dhcp_option '6,192.168.1.52'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name '192.168.1.52'
	option dns '1'
	option duid '000100012b56ee3606dd8045941b'
	option hostid '52'

package dropbear

config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

package luci

config core 'main'
	option lang 'auto'
	option mediaurlbase '/luci-static/bootstrap'
	option resourcebase '/luci-static/resources'
	option ubuspath '/ubus/'

config extern 'flash_keep'
	option uci '/etc/config/'
	option dropbear '/etc/dropbear/'
	option openvpn '/etc/openvpn/'
	option passwd '/etc/passwd'
	option opkg '/etc/opkg.conf'
	option firewall '/etc/firewall.user'
	option uploads '/lib/uci/upload/'

config internal 'languages'

config internal 'sauth'
	option sessionpath '/tmp/luci-sessions'
	option sessiontime '3600'

config internal 'ccache'
	option enable '1'

config internal 'themes'
	option Bootstrap '/luci-static/bootstrap'
	option BootstrapDark '/luci-static/bootstrap-dark'
	option BootstrapLight '/luci-static/bootstrap-light'

config internal 'apply'
	option rollback '90'
	option holdoff '4'
	option timeout '5'
	option display '1.5'

config internal 'diag'
	option dns 'openwrt.org'
	option ping 'openwrt.org'
	option route 'openwrt.org'

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd4e:8e45:335f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'pppoe'
	option username 'redact'
	option password 'redact'
	option ipv6 'auto'
	option device 'wan-br.100'

config device
	option name 'wan'

config device
	option type 'bridge'
	option name 'wan-br'
	list ports 'lan1'
	list ports 'wan'

config bridge-vlan
	option device 'wan-br'
	option vlan '100'
	list ports 'wan'

config bridge-vlan
	option device 'wan-br'
	option vlan '101'
	list ports 'lan1:t'
	list ports 'wan'

config device
	option name 'wan-br.101'
	option type '8021q'

package rpcd

config rpcd
	option socket '/var/run/ubus/ubus.sock'
	option timeout '30'

config login
	option username 'root'
	option password '$p$root'
	list read '*'
	list write '*'

package system

config system
	option hostname 'OpenWrt'
	option timezone 'UTC'
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'
	option compat_version '1.1'

config timeserver 'ntp'
	option enabled '1'
	option enable_server '0'
	list server '0.openwrt.pool.ntp.org'
	list server '1.openwrt.pool.ntp.org'
	list server '2.openwrt.pool.ntp.org'
	list server '3.openwrt.pool.ntp.org'

package ucitrack

config network
	option init 'network'
	list affects 'dhcp'

config wireless
	list affects 'network'

config firewall
	option init 'firewall'
	list affects 'luci-splash'
	list affects 'qos'
	list affects 'miniupnpd'

config olsr
	option init 'olsrd'

config dhcp
	option init 'dnsmasq'
	list affects 'odhcpd'

config odhcpd
	option init 'odhcpd'

config dropbear
	option init 'dropbear'

config httpd
	option init 'httpd'

config fstab
	option exec '/sbin/block mount'

config qos
	option init 'qos'

config system
	option init 'led'
	option exec '/etc/init.d/log reload'
	list affects 'luci_statistics'
	list affects 'dhcp'

config luci_splash
	option init 'luci_splash'

config upnpd
	option init 'miniupnpd'

config ntpclient
	option init 'ntpclient'

config samba
	option init 'samba'

config tinyproxy
	option init 'tinyproxy'

package uhttpd

config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option redirect_https '0'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'redact'
	option encryption 'sae-mixed'
	option key 'redact'

wan-br is the bridge on which I created the VLANs.

This is not unexpected (at least for most ISPs). Typically you only get a single ISP connection/IPv4 address per account. You are effectively trying to enable a second ISP connection, which probably won't work unless your ISP actually provides the ability to create multiple connections and will issue multiple IPv4 addresses.

This can be achieved much more easily, though... two ways to look at this:

  1. Just connect your virtualized router (or even a physical one) to the LAN of your main router. From there, everything behind the secondary/virtualized router will be a unique network... It is very unlikely to cause a problem with your main network (and you can even firewall the main network using the firewall on the secondary router).
  2. Create a separate VLAN on the main router (which would be a second LAN)... firewall that from your main trusted network, and then connect your virtualized router to that.

In both cases, you can then use either DHCP or static IP on the WAN of your secondary router, and away you go. There's no need for a second PPPoE connection or any other complications.

Thanks for the reply.

I have a second PPPoE connection. And the reason I am doing this is mainly to experiment with IPv6. It might be possible to delegate the complete IPv6 prefix to the laptop router or something, but I have very little knowledge of IPv6 to work with it. That's why I want the setup to be as close to the original router as possible. Earlier I did the same with a switch, which worked, but I can't use that switch for this purpose right now.

Cool. So my original statement does not really apply here. (I'll leave it because it may apply to future readers).

Ok... so let's just make that wan port pass through...

I may have misunderstood your original intent here, so please correct my understanding (and/or adapt what you see here) if I have it wrong... What the following will do is

  • put VLAN 100 (lan) untagged on ports lan1 and lan2
  • and then put VLAN 101 ("raw" WAN) untagged on the wan and tagged on port lan1.

What you actually need to do is put the wan port into br-lan (yeah, this seems strange)... then setup the VLANs from there. You'll need to delete all the stuff that is associated with wan-br. It will look basically like this in the end:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan1:t'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config interface 'lan'
	option device 'br-lan.100'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'pppoe'
	option username 'redact'
	option password 'redact'
	option ipv6 'auto'
	option device 'br-lan.101'

I did the same using LuCI, but the moment I click save and apply, I lose connection to OpenWrt via 192.168.1.1. And after 2-3 minutes OpenWrt reverts back and the changes don't apply.
What could I be doing wrong?

It worked, thanks @psherman. I was not setting LAN to br-lan.100 when doing it through LuCI.

@psherman although everything is working perfectly, I am having a slight problem when defining a new VLAN 102 for the purpose of passing the WAN to another network.

My /etc/config/network looks like this:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd4e:8e45:335f::/48'

config device
	option name 'wan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan.100'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'pppoe'
	option username 'redact'
	option password 'redact'
	option ipv6 'auto'
	option device 'br-lan.101'

VLAN 101 works for both OpenWRT and the virtual routers, but somehow both bandwidths are getting merged and I am getting the combined speed of both packages. So I thought I would define another VLAN like 101 and use that. But it did not work.

Can you explain a bit more here? Does this mean that if you run a speed test from a computer behind the main router and then a computer behind the virtual router at the same time, you get the same speed as if you run it from just one computer?

If so, this is not necessarily unexpected, but we need to dig deeper. What are the speeds (individual and/or combined)? What is the expected speed of your internet connection? And if you use the original method you tried (using a switch between the modem and the routers), do you get a different result?

How many concurrent PPPoE connections does your ISP allow you to use via your single physical connection? We established above that you can actually do 2 -- can you do more? If so, this should work (I'm not seeing any errors here), but you could use the hardware switch again to test to see if you can establish 3 or more PPPoE sessions.

Both connections are 200 Mbps. I did not check the speed from the virtual router, but the device on the main router br-lan.100 gets ~400 Mbps.

I can confirm I can dial as many PPPoE sessions as I want; each gets its own IPv4 and IPv6.

When I switch the VLAN to 102 I get the error "Failed to establish connection".

The wan (or any other) port cannot be an untagged member of more than one VLAN.
Better try another approach.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'lan1.101'
	list ports 'lan2.101'
	list ports 'lan1.102'
	list ports 'lan2.102'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'pppoe'
	option username 'redact'
	option password 'redact'
	option ipv6 'auto'
	option device 'br-wan'
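As an added check that is not part of anyone's post in this thread: a small Python lint over the bridge-vlan stanzas of an exported /etc/config/network that reports any port listed untagged in more than one VLAN, which is exactly the condition pavelgl points out and the reason the VLAN 102 attempt above failed. The embedded config is a constructed excerpt of the one posted above (the lan2 lines are dropped for brevity).

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted /etc/config/network: wan is untagged in both VLAN 101 and 102.
SAMPLE_NETWORK = """\
config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan1:t'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'lan1:t'
	list ports 'wan'
"""

def parse_bridge_vlans(text):
    """Return one dict per 'config bridge-vlan' section: its options plus ports as (name, flags)."""
    sections, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config"):
            # Only bridge-vlan sections are collected; any other section type ends the current one.
            current = {"ports": []} if line.split()[1:2] == ["bridge-vlan"] else None
            if current is not None:
                sections.append(current)
        elif current is not None:
            m = re.match(r"(option|list)\s+(\w+)\s+'([^']*)'", line)
            if m and m.group(1) == "option":
                current[m.group(2)] = m.group(3)
            elif m and m.group(2) == "ports":
                name, _, flags = m.group(3).partition(":")  # 'lan1:t' -> ('lan1', 't'), 'wan' -> ('wan', '')
                current["ports"].append((name, flags))
    return sections

def untagged_conflicts(text):
    """Map (device, port) -> sorted VLAN ids for ports that are untagged (no 't' flag) in more than one VLAN."""
    untagged = defaultdict(set)
    for sec in parse_bridge_vlans(text):
        for name, flags in sec["ports"]:
            if "t" not in flags:  # ':u', ':u*' or no suffix all mean untagged membership
                untagged[(sec["device"], name)].add(int(sec["vlan"]))
    return {k: sorted(v) for k, v in untagged.items() if len(v) > 1}
```

Running `untagged_conflicts(SAMPLE_NETWORK)` flags br-lan port wan for VLANs 101 and 102, while lan1 (untagged only in 100, tagged elsewhere) passes.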

I can't believe I missed this one! lol. Good catch.

I like your solution @pavelgl... that should do the trick!

It works @pavelgl.