Hi all
I installed OpenWrt 22.03 on my Fritzbox 7530
Needed features:
Connection via glasfibre / FTTH, behind fibre modem
3 VLANs to share via Switch for Wifi and Cable connected clients
1. Regular user
2. Guest
3. Devices without Internet but reachable via 1.
Wifi provided by separate Access Points
Providing all networks to an Switch that can handle VLANs
Connected to the switch are two APs
Internet works as needed, but VLANs doesn´t.
Directly connected to the router every network works with correct IP, but connected to the switch only vlan 1.
What to I need to do to have all VLANs on the switch, including assignment of IPs?
What I can imagine is that my issue is related to the br-lan and other idea is about VLAN "1", but thats just a guess.
Here my setting (setup was done via LuCi only, as I shouldn´t be affected by issues with e.g. LAN 5 port, as there is none (according to above mentioned specification):
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option description 'Lan'
option ports '0t 2 3'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1t'
option vid '7'
option description 'wan'
config interface 'wan'
option proto 'pppoe'
option device 'eth0.7'
option username ''
option password ''
option ipv6 'auto'
config switch_vlan
option device 'switch0'
option vlan '3'
option description 'Gast'
option ports '0t 2t 4'
option vid '90'
config interface 'Gast'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
list dns '208.67.222.222'
option type 'bridge'
option device 'eth0.90'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0t 2t'
option vid '4'
option description 'Devices'
config interface 'Devices'
option device 'eth0.4'
option proto 'static'
option ipaddr '192.168.18.1'
option netmask '255.255.255.0'
Thanks in advance!
You have several errors here...
Your br-lan
should use list ports 'eth0.1'
based on the swtich conifg (vlan 1 is tagged on the CPU/eth0).
The Gast interface must not have the bridge definition within the network interface stanza. Using a bridge is only necessary if you are using the built-in wifi on your main router... simply remove the option type 'bridge'
line from your gast interface... or, if you are using wifi for the gast network on that same device, your gast network should look like this:
config device
option name 'br-gast'
option type 'bridge'
list ports 'eth0.90'
config interface 'Gast'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option device 'br-gast'
(side note, you can also remove the DNS from this interface -- it doesn't do anything.
Based on this, what will happen is that you will have the following VLAN assignments on the ports (keep in mind that the logical port numbers may or may not correspond with the physical port numbers on your device):
Port 1: VLAN 7 (wan) tagged
Port 2: VLAN 1 (lan) untagged, VLAN 90 (gast) tagged, vlan 4 (Devices) tagged
Port 3: VLAN 1 (lan) untagged
Port 4: VLAN 90 (gast) untagged
If this doesn't fix it, post your updated network file as well as the rest of the config:
Please copy the output of the following commands and post it here using the "Preformatted text </>
" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Thank you very much @psherman .
Indeed, I wanted to provide both built-in wifi as well.
I´ve tried with the following setting, but not even vlan 1 did work anymore (as soon as I assigned eth0.1 instead of eth0.
network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option description 'Lan'
option ports '0t 2 3'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1t'
option vid '7'
option description 'wan'
config interface 'wan'
option proto 'pppoe'
option device 'eth0.7'
option username ''
option password ''
option ipv6 'auto'
config switch_vlan
option device 'switch0'
option vlan '3'
option description 'Gast'
option ports '0t 2t 4'
option vid '9'
config interface 'Gast'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option type 'bridge'
option device 'br-gast'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0t 2t'
option vid '4'
option description 'Devices'
config interface 'Devices'
option device 'eth0.4'
option proto 'static'
option ipaddr '192.168.18.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'br-gast'
list ports 'eth0.9'
wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/a000000.wifi'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid '123'
option encryption 'sae-mixed'
option key '321'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/a800000.wifi'
option channel '36'
option band '5g'
option htmode 'VHT80'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid '456'
option encryption 'sae-mixed'
option key '654'
option network 'Gast'
dhcp:
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'Gast'
option interface 'Gast'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'Devices'
option interface 'Devices'
option start '100'
option limit '150'
option leasetime '12h'
firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'gast'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'Gast'
option forward 'REJECT'
config forwarding
option src 'gast'
option dest 'wan'
config rule
option name 'Allow IPSEC Gast'
list proto 'esp'
option src 'wan'
option dest 'gast'
option target 'ACCEPT'
config rule
option name 'Gast-ISAKMP'
list proto 'udp'
option src 'wan'
option dest 'gast'
option dest_port '500'
option target 'ACCEPT'
config rule
option name 'gast-DHCP'
list proto 'udp'
option src 'gast'
option dest_port '67'
option target 'ACCEPT'
config rule
option name 'gast-dns'
option src 'gast'
option dest_port '53'
option target 'ACCEPT'
config zone
option name 'devices'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'Devices'
config forwarding
option src 'devices'
option dest 'wan'
Somehow it completely drives me nuts.
I changed lan network to Vlan id 5 and also assigned the list ports eth0.5.
Internet works on the switch, but only with Vlanid 1 (which is not provided by openwrt router ). All other Vlan ids still not work connected to the switch - e.g. guest (9) or lan (5)
Once more the files.
Network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd6e:735d:c2b7::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option description 'Lan'
option ports '0t 2 3'
option vid '5'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1t'
option vid '7'
option description 'wan'
config interface 'wan'
option proto 'pppoe'
option device 'eth0.7'
option username ''
option password ''
option ipv6 'auto'
config switch_vlan
option device 'switch0'
option vlan '3'
option description 'Gast'
option ports '0t 2t 4'
option vid '9'
config interface 'Gast'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option type 'bridge'
option device 'br-gast'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0t 2t'
option vid '4'
option description 'Devices'
config interface 'Devices'
option device 'eth0.4'
option proto 'static'
option ipaddr '192.168.18.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'br-gast'
list ports 'eth0.9'
wireless:
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/a000000.wifi'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'wifi1'
option encryption 'sae-mixed'
option key '123'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/a800000.wifi'
option channel '36'
option band '5g'
option htmode 'VHT80'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'wifi2'
option encryption 'sae-mixed'
option key '456'
option network 'Gast'
dhcp:
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'Gast'
option interface 'Gast'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'Devices'
option interface 'Devices'
option start '100'
option limit '150'
option leasetime '12h'
firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'gast'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'Gast'
option forward 'REJECT'
config forwarding
option src 'gast'
option dest 'wan'
config rule
option name 'Allow IPSEC Gast'
list proto 'esp'
option src 'wan'
option dest 'gast'
option target 'ACCEPT'
config rule
option name 'Gast-ISAKMP'
list proto 'udp'
option src 'wan'
option dest 'gast'
option dest_port '500'
option target 'ACCEPT'
config rule
option name 'gast-DHCP'
list proto 'udp'
option src 'gast'
option dest_port '67'
option target 'ACCEPT'
config rule
option name 'gast-dns'
option src 'gast'
option dest_port '53'
option target 'ACCEPT'
config zone
option name 'devices'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'Devices'
config forwarding
option src 'devices'
option dest 'wan'
Any idea what to do?
Meanwhile I also switched VLAN off and on again, but VLAN does still not work at all.
As already mentioned, I guess the VLAN from openwrt does not work at all, as I assigend VLAN 5 as standard, without even having VLAN 1 available. The only VLAN working is 1, all others don´t work
Is there any idea what to do, except setting the router back to firmware default?
greem
April 23, 2023, 10:08am
6
The move to DSA (Distributed Switch Architecture) has changed the way VLANs are applied.
Have a look at this thread to see how it's done.
theMan
April 23, 2023, 9:25pm
7
DSA is only in Snapshot which op don’t run. That said, I’d recommend switching to Snapshot and redo the config. VLANs 100% work on these ipq40xx devices.
Thanks for your answer. I read that these ipq40xx devices supposed to run VLANs with swconfig, but as written I´ve never been able to set it up.
Did I get you right to install snapshot and use DSA?
Just one question: how to determine if DSA or swconfig is running? I´m currently on 22.03.3
theMan
April 30, 2023, 2:38pm
9
If the snapshot exists as of today then it’s already DSA.