VLAN or PBR to access bridged non-OpenWrt router on its second port for management interface from OpenWrt?

I have a ZTE MC801a in bridge mode providing my WAN over LTE/5G. The device has two LAN ports, as well as WiFi. In bridge mode, one of the LAN ports provides a gateway IPv4 address of 192.0.0.1 as well as IPv6 address space. The second port, and also WiFi, has DHCP permanently running with whatever IP range may have been configured in non-bridged mode (currently 192.168.1.x) and also provides a gateway to the internet. The only means of accessing the web GUI on the MC801a is via its own WiFi, or the second LAN port. It looks unlikely that OpenWrt can support the MC801a, so I'm stuck with the stock Three/Hutchison firmware.

The network is configured as OpenWrt 23.05 on my main router/AP serving DHCP in the range 192.168.0.x and other services, and then a dumb AP on 22.03.2 for WiFi coverage. Due to DHCP clashes with the MC801a, its WiFi has been disabled, and the LAN connection is currently physically isolated from the rest of the network.

Here is a schematic of the current scenario:

What I would like to do is to still have access to the web GUI (no SSH sadly) of the bridge via its second LAN port, but prevent DHCP clashes with my own subnet, and prevent internet traffic being routed via its gateway. What I have not been able to determine is whether the second interface is VLAN tagged.

What is the best way of solving this problem? VLAN and Policy Based Routing seem like the obvious choices, but all of the examples that I've managed to find do not seem to cater for my particular scenario, nor am I sure that I'm setting them up correctly when I try. The result seems to end up with no web gui access, a network crash due to IP clashes, no internet access at all, or connecting via IPv6 only.

I have reset, and largely left OpenWrt in its default configuration except for the changes to IP ranges and setting up the dumb AP. I'll refrain from posting any of my configuration attempts simply because they didn't work, and may only serve to confuse.

The main router has its WAN interfaces (IPv4 and IPv6) as DHCP clients via LAN to the bridged port of the MC801a. The remaining four ports and two radios are bridged with a static IP of 192.168.0.1 and serving DHCP 192.168.0.100-150. The dumb AP has a static IP of 192.168.0.2. Gateway and DNS point to 192.168.0.1. This is working currently, albeit without access to the web GUI of the bridge unless I connect to this second port via the LAN port on my main PC.

Main router:

# ifconfig
br-lan    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          inet6 addr: fdc7:xxxx:xxxx::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69953958 errors:0 dropped:121879 overruns:0 frame:0
          TX packets:126366198 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6509317159 (6.0 GiB)  TX bytes:158402700908 (147.5 GiB)

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet6 addr: fe80::b4d2:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1508  Metric:1
          RX packets:162410555 errors:0 dropped:0 overruns:0 frame:0
          TX packets:120856134 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2843351975 (2.6 GiB)  TX bytes:3918548525 (3.6 GiB)

lan1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:262741 errors:0 dropped:175 overruns:0 frame:0
          TX packets:627745 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24241830 (23.1 MiB)  TX bytes:131705668 (125.6 MiB)

lan2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:9381 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13007 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6051858 (5.7 MiB)  TX bytes:9349860 (8.9 MiB)

lan3      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32208296 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51089245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2885648421 (2.6 GiB)  TX bytes:63889510812 (59.5 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:806115 errors:0 dropped:0 overruns:0 frame:0
          TX packets:806115 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:65279342 (62.2 MiB)  TX bytes:65279342 (62.2 MiB)

wan       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.0.0.2  Bcast:192.0.0.31  Mask:255.255.255.224
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          inet6 addr: 2a04:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:126893727 errors:0 dropped:33 overruns:0 frame:0
          TX packets:64658835 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:157247076760 (146.4 GiB)  TX bytes:6798695641 (6.3 GiB)

wlan0     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:11679621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23148585 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1429265596 (1.3 GiB)  TX bytes:28912378611 (26.9 GiB)

wlan1     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17414118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36190900 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2006214229 (1.8 GiB)  TX bytes:45782602500 (42.6 GiB)

# cat config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc7:xxxx:xxxx::/48'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan3'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan4'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'
        list ip6class 'local'

config interface 'wan'
        option proto 'dhcp'
        option device 'wan'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'config'
        list ports 'lan4'

Could one of you gurus please give me some pointers on how to realise my setup goal?

[Edited for clarity, images and config]


It is best to illustrate your desired topology with a diagram and post the relevant text configs.


Thanks, yes I've just made some edits for clarity, and working on your suggestions right now.


A correction and additional information for the OP:

  • Main router is running 22.03.5, not 23.05.
  • lan4 in the device listing is the intended port for connecting to the administration GUI of the MC801a.
  • Source of assertion that MC801a won't be supported any time soon: [1]

Remove this. You don't need a bridge.

Create a new interface and assign it to the wan firewall zone to masquerade the request initiated by network 192.168.0.0/24.

config interface 'config'
        option proto 'dhcp'
        option device 'lan4'
        option defaultroute '0'
        option peerdns '0'

Setting a static IP address to the interface should also work.


Heh, that is an orphaned artifact from a recent attempt to configure a separate VLAN. LuCI shows all 4 LAN ports in the same bridge.

I'm pretty sure I had created a new interface without a default route and DNS, but I was already deep into the weeds and may have inadvertently been in the same address space. Thanks, I'll try that now.

I set up as suggested - thanks for the sanity check - and made these changes.
Network config:

config interface 'Config'
        option proto 'dhcp'
        option device 'lan4'
        option peerdns '0'
        option defaultroute '0'

In the WAN zone.
This gives me the following route table on the main router without lan4 connected:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.0.0.1       0.0.0.0         UG    0      0        0 wan
192.0.0.0       *               255.255.255.224 U     0      0        0 wan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan

lan4 is then connected:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.0.0.1       0.0.0.0         UG    0      0        0 wan
192.0.0.0       *               255.255.255.224 U     0      0        0 wan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 lan4

This looks good, doesn't it?
Connecting to the MC801a web page begins, but it never loads, and within a few minutes everything grinds to a halt with any one of these results:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.0.0       *               255.255.255.224 U     0      0        0 wan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 lan4
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.0.0       *               255.255.255.224 U     0      0        0 wan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan

All network services end up having to be restarted on the main router.

After several attempts, checking cables, connections, kicking puppies etc., I noticed that the MC801a was now answering pings, and sure enough, the administration page is now available via the bridged connection. This was never the case before, and it could only be accessed via a directly attached PC on the second port. I'm totally baffled by this.

I'll run with it for now, but fear it's ephemeral. Documentation for this device is sparse, ambiguous, and even contradictory, so, combined with the locked-down interface, it is essentially a black box.

Thank you to all that have looked, and to @vgaetera and @pavelgl for their helpful suggestions. I'll be sure to share anything else that I find out so as to help any other poor soul.

Addendum: I wasn't able to get anything meaningful from the logs, as the buffer had filled and they were simply full of DHCP requests etc., or lost after a reboot.
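The interface change suggested by @pavelgl above, plus a check for the route-table failure described in this post (the default route vanishing once lan4 is plugged in), as a script. This is an added example and not code from anyone in the thread. It assumes the stock OpenWrt firewall layout where the wan zone is firewall.@zone[1], that the management port is lan4, that the modem hands out 192.168.1.0/24, and that `route` prints the same column layout shown above; the orphaned 'config' bridge device still has to be deleted by hand first.

```shell
#!/bin/sh
# Added example (not from the thread). Applies the "config" interface the way
# the reply above describes, then verifies the routing table after the MC801a's
# second port is connected. Assumes firewall.@zone[1] is the wan zone.

MGMT_IF="lan4"          # port wired to the MC801a's second LAN port
MGMT_NET="192.168.1.0"  # subnet the modem's permanent DHCP server hands out

# DHCP client on lan4, no default route and no upstream DNS taken from the
# modem, placed in the wan zone so traffic from 192.168.0.0/24 is masqueraded
# towards the modem and the modem's side cannot initiate anything inbound.
apply_config() {
    uci set network.config=interface
    uci set network.config.proto='dhcp'
    uci set network.config.device="$MGMT_IF"
    uci set network.config.defaultroute='0'
    uci set network.config.peerdns='0'
    uci add_list firewall.@zone[1].network='config'   # assumption: zone[1] is wan
    uci commit network
    uci commit firewall
    /etc/init.d/network restart
    /etc/init.d/firewall restart
}

# Parse `route` output ($1): pass only when exactly one default route exists
# and it leaves via the real WAN ($2), never via the management port ($3).
check_default_route() {
    printf '%s\n' "$1" | awk -v wan_if="$2" -v mgmt_if="$3" '
        $1 == "default" || $1 == "0.0.0.0" {
            ndef++
            if ($NF != wan_if) bad = 1
            if ($NF == mgmt_if) bad = 1
        }
        END { if (ndef == 1 && !bad) exit 0; exit 1 }'
}

# Pass only when the modem's subnet ($2) is routed via the management port
# ($3) and not via br-lan, i.e. there is no overlap with the main LAN.
check_mgmt_route() {
    printf '%s\n' "$1" | awk -v net="$2" -v mgmt_if="$3" '
        $1 == net { seen = 1; if ($NF != mgmt_if) bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Constructed sample reproducing the healthy table posted above.
SAMPLE_GOOD='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.0.0.1       0.0.0.0         UG    0      0        0 wan
192.0.0.0       *               255.255.255.224 U     0      0        0 wan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 lan4'

# On the router: `sh script.sh apply`, plug in lan4, then `sh script.sh verify`.
if [ "${1:-}" = "apply" ] && command -v uci >/dev/null 2>&1; then
    apply_config
fi
if [ "${1:-}" = "verify" ]; then
    check_default_route "$(route)" wan "$MGMT_IF" || echo "default route missing or not via wan"
    check_mgmt_route "$(route)" "$MGMT_NET" "$MGMT_IF" || echo "$MGMT_NET not routed via $MGMT_IF"
fi
```

Running the verify step periodically (or from a cron entry) gives an early warning when the table collapses the way the two broken tables above show, instead of waiting for the whole LAN to lose connectivity.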
