VLAN setup on Linksys EA8300 with Cisco Switch

I've been reading, experimenting with my wifi router and a Cisco c3560-PS24 switch.
I find many different ways to configure, and am not sure what to follow, so decided to put my configuration here to get advice.

From the switch, I can see ethernet ports connect or not. From the wifi router, the active light comes on when a cable is connected to ethernet 4.

I have the Cisco switch set up with VLAN 20, VLAN 30, VLAN 60 and VLAN 1; VLAN 1 has no access ports assigned and is the only VLAN with an IP address (192.168.10.1). Port 24 is a trunk. I plan to use 192.168.20.x on VLAN 20, 192.168.30.x on VLAN 30 and 192.168.60.x on VLAN 60.

I don't get any pings to work yet. Is my EA8300 in DSA mode? How do I configure it so that a ping gets through that trunk to ethernet port 4 on the EA8300?
Here is my network configuration below:

# /etc/config/network as originally posted for the EA8300 (a DSA target:
# the switch ports show up as lan1..lan4 plus wan).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfd:4db4:e009::/48'

# lan4 has been pulled out of the bridge so it can carry the Cisco trunk;
# on DSA that is not how VLANs are attached (see the 8021q note below).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# NOTE(review): these MAC addresses were posted unredacted; later in the
# thread posters are asked to redact MACs before posting configs.
config device
        option name 'lan1'
        option macaddr 'c4:41:1e:ad:1a:a9'

config device
        option name 'lan2'
        option macaddr 'c4:41:1e:ad:1a:a9'

config device
        option name 'lan3'
        option macaddr 'c4:41:1e:ad:1a:a9'

config device
        option name 'lan4'
        option macaddr 'c4:41:1e:ad:1a:a9'

# Router LAN address (192.168.3.1/24) — this is the subnet the Cisco
# switch's default-gateway and TELNET-ACCESS ACL still point at.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        # Delegate a /60 IPv6 prefix to this interface (clients get IPv6 from it).
       option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'c4:41:1e:ad:1a:a8'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# Review: the three 8021q sub-devices below are created on lan4, but no
# 'config interface' in this file references lan4.1/lan4.2/lan4.3, and the
# VIDs 1/2/3 do not match the switch's VLANs 20/30/60 (trunk on Fa0/24).
# On a DSA target the supported way is 'config bridge-vlan' on br-lan.
config device
        option type '8021q'
        option ifname 'lan4'
        option vid '1'
        option name 'lan4.1'

config device
        option type '8021q'
        option ifname 'lan4'
        option vid '2'
        option name 'lan4.2'

config device
        option type '8021q'
        option ifname 'lan4'
        option vid '3'
        option name 'lan4.3'

Here is my dhcp:

# /etc/config/dhcp as originally posted (dnsmasq = DNS + DHCPv4, odhcpd = IPv6).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# Refuse upstream answers that point into private ranges (DNS-rebinding protection).
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '100'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# Only answer DNS for directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	# Review: caps the TOTAL number of DHCP leases dnsmasq will hand out at 8,
	# while the 'lan' pool below offers 150 addresses; a ninth client gets no lease.
	option dhcpleasemax '8'
	option dnsforwardmax '22'
	option sequential_ip '1'
	# Upstream resolvers, plain UDP/53 (unencrypted; DoT/DoH would need an extra package).
	list server '1.1.1.1'
	list server '8.8.4.4'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# No DHCP server on the WAN side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static leases pinned to 192.168.3.x — these have to be renumbered along
# with the LAN subnet, otherwise they point outside every served pool.
config host
	option name 'xxxx'
	option dns '1'
	# Review: stray second quote (probably a redaction slip); as written this
	# line has an unterminated quote and UCI will not parse it.
	option mac 'xx:xx:xx''
	option ip '192.168.3.x'
	option leasetime '2h'
	option duid '00041a2759fa58209a230fee768f95b59f3a'

config host
	option name 'xxxxxxx'
	option dns '1'
	option mac 'xx:xx:xx'
	option ip '192.168.3.x'
	option leasetime '2h'

config host
	option name 'hp-4700dn'
	# Same stray quote as above.
	option mac 'xx:xx:xx''
	option ip '192.168.3.7'
	option leasetime '24h'
	option dns '1'


Here is my firewall:

# /etc/config/firewall as originally posted. Defaults: anything not matched
# by a zone or rule is rejected both inbound to the router and for forwarding;
# only traffic originated by the router itself is open.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Everything in the 'lan' zone may reach the router (ssh, LuCI, DNS, DHCP)
# and be forwarded anywhere. Fine for the trusted LAN only — isolated or
# guest VLANs must not be placed in this zone.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN: nothing in (except the explicit rules below), NAT out; mtu_fix
# clamps TCP MSS to the path MTU.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The only forwarding permitted: lan -> wan (and replies, via conntrack).
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt WAN-side rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6,
# IPsec). Allow-Ping answers ICMP echo from the Internet; the IPsec/ISAKMP
# rules only matter if a LAN host terminates IPsec — both can be dropped if
# that is not wanted, but they are the defaults and not an error.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded to any zone (dest '*'), rate-limited; needed for PMTUD.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Review: with the 'lan' zone already at input ACCEPT this rule is a no-op.
# It has no 'dest', so it is an INPUT rule to the router itself, and no
# 'proto' (OpenWrt then applies it to tcp and udp). It only becomes useful
# once VLAN 30/60 get their own zones with input REJECT; at that point give
# it 'option proto tcp' and the 'src' zone that should be allowed in.
config rule
	option name 'Allow ssh'
	option src 'lan'
	option dest_port 'xx'
	option target 'ACCEPT'

Here is the redacted show run from the Cisco switch:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
! Review: password encryption is off, so 'enable password' below (and any
! line passwords not shown here) sit in the running config in clear text.
no service password-encryption
!
hostname cibololan1
!
! 'enable secret' (type 5, MD5) is what IOS uses when both are configured;
! the additional 'enable password' only adds a clear-text copy of a
! privilege-15 credential. Suggest 'no enable password' plus
! 'service password-encryption'.
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxx.
!
! No AAA: login is whatever the console/vty 'line' stanzas say, and those
! lines are not part of this excerpt.
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! Fa0/1-12 and Gi0/1-2: VLAN 20; Fa0/13-16: VLAN 30; Fa0/17-23: VLAN 60.
! Review: these are end-host access ports. 'spanning-tree portfast' with
! 'spanning-tree bpduguard enable' on them keeps a rogue switch plugged into
! an access port from joining the STP topology.
interface FastEthernet0/1
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 60
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 60
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 60
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 60
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 60
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 60
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 60
 switchport mode access
!
! Review: this is the uplink to the EA8300's lan4. With no 'switchport trunk
! allowed vlan' every VLAN is carried, including VLAN 1 where the management
! SVI lives; with no 'switchport trunk native vlan' VLAN 1 is sent UNTAGGED
! as the native VLAN while 20/30/60 are sent 802.1Q-tagged. Suggest
! 'switchport trunk allowed vlan 20,30,60', a 'switchport trunk native vlan'
! set to an otherwise unused VLAN id, and 'switchport nonegotiate' so that
! only the intended VLANs reach the router, nothing rides untagged, and DTP
! is not offered to the far end.
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport mode access
!
! Management SVI on VLAN 1 — the same VLAN that crosses the Fa0/24 trunk
! untagged as the default native VLAN. 192.168.10.0/24 is not one of the
! subnets planned on the router (20/30/60), so nothing routes to it; either
! move management onto one of the routed VLANs or keep VLAN 1 off the trunk.
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
!
! Leftover SVI with no address; unused.
interface Vlan2
 no ip address
!
! Points at the router's old LAN address. After the router moves to
! 192.168.20.1 (and with the SVI still in 192.168.10.0/24) this gateway
! is unreachable from the switch.
ip default-gateway 192.168.3.1
ip classless
! Plain-HTTP management UI with no 'ip http access-class'. Disable it
! ('no ip http server') or, if the image supports it, use
! 'ip http secure-server' restricted with an access-class.
ip http server
!
! Permits two hosts from the router's old 192.168.3.x subnet; after
! renumbering to 192.168.20.x these entries no longer match anything. The
! 'line vty' stanza that would apply it ('access-class TELNET-ACCESS in')
! is outside this excerpt; prefer 'transport input ssh' there, since telnet
! sends the login in clear text.
ip access-list standard TELNET-ACCESS
 permit 192.168.3.2
 permit 192.168.3.4

Your device is using DSA, so the swconfig-style approach (8021q sub-devices hung off lan4) is the wrong tool here; on DSA, VLANs are declared with `config bridge-vlan` sections on `br-lan`, and that is the syntax you need to use.

It's not clear what happens with these VLANs (1-3) -- is this the main router? Or is it a dumb AP/switch (with a router elsewhere)? Putting VLANs on port 4 alone won't accomplish anything useful -- they need to connect to something. Is that:

  • other ports on the EA8300 switch?
  • Wifi SSIDs?
  • Or local L3 interfaces defined here (theoretically as the main router)?

With an understanding of what happens to these VLANs (aside from the connection to port Lan 4), I can help with the rest of the syntax.

The EA8300 is the main router, only router. I wanted to use a port on the wifi router to connect to the trunk port of the Cisco Switch which has vlan 20 30 60 defined.
I want to use VLAN 20 to include ethernet ports 1, 2 and 3 of the EA8300, and eventually the wifi radios also.
vlan 30 should get internet access but not be accessible to other vlans.
vlan 60 should get internet access and access to the wifi radios for guests to use.

Thanks,

John

I can see one mistake is the vlan IDs need to be 20 30 60 and they are 1 2 3 in my network config.

option vid '1'
-->
option vid '20'

Ok... thanks.

Start by deleting all of this:

Put lan4 back into br-lan:

# lan4 goes back into the bridge: bridge-vlan filtering (below) can only
# tag/untag on ports that are members of br-lan.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

Create bridge VLANs like so. Port syntax: `:u*` = untagged member and PVID (untagged frames arriving on that port land in this VLAN), `:t` = tagged member. Note that for VLAN 20 this makes lan4 untagged; your Cisco trunk (Fa0/24, dot1q, no `native vlan` set) sends VLAN 20 tagged and uses VLAN 1 as the untagged native VLAN, so for the switch as posted change `lan4:u*` to `lan4:t`. Leaving lan4 with no untagged VLAN at all is also the safer choice — the switch's native-VLAN-1 frames then have no PVID on the router side and are not admitted:

# Bridge-VLAN filtering on br-lan (DSA). ':u*' = untagged member + PVID,
# ':t' = tagged member. A br-lan.<vid> device is created for each VLAN.
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        # Review: the Cisco trunk (Fa0/24, dot1q, no 'native vlan' set) sends
        # VLAN 20 TAGGED and uses VLAN 1 as its untagged native VLAN, so for
        # the switch as posted this should be 'lan4:t'. Giving lan4 no
        # untagged VLAN at all is also the safer choice: the switch's
        # native-VLAN-1 frames (where its management SVI lives) then have
        # no PVID here and are not admitted.
        list ports 'lan4:u*'

# VLANs 30 and 60 exist only on the trunk port, tagged.
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '60'
        list ports 'lan4:t'

Now we'll edit the lan interface to use br-lan.20 (and while we're at it, I'll make it 192.168.20.1):

# 'lan' now sits on the VLAN-20 sub-device of the bridge; the old
# 192.168.3.1 address is replaced, so anything still pinned to
# 192.168.3.x (static leases, the Cisco default-gateway/ACL) must follow.
config interface 'lan'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        # Delegate a /60 IPv6 prefix to this interface.
       option ip6assign '60'

And we can now add the other networks for VLANs 30 and 60:

# Routed interfaces for VLAN 30 and 60. IPv4 only: no ip6assign here,
# matching the dhcpv4-only DHCP stanzas given for them.
config interface 'vlan30'
        option device 'br-lan.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config interface 'vlan60'
        option device 'br-lan.60'
        option proto 'static'
        option ipaddr '192.168.60.1'
        option netmask '255.255.255.0'

For now, add these networks to the lan firewall zone -- this will make it easier to ensure that they are working as expected. Be aware that while they are in this zone VLAN 30 and VLAN 60 have full access to each other, to VLAN 20 and to the router's own services (the zone is input/forward ACCEPT); that is for bring-up only, and they need zones of their own before any guest is put on VLAN 60:

# Bring-up only: with vlan30/vlan60 in the 'lan' zone (forward ACCEPT,
# input ACCEPT) all three VLANs can reach each other and the router
# freely. The isolation asked for (30 isolated, 60 guest) needs separate
# zones with their own forwardings to 'wan' only.
config zone
	option name 'lan'
	list network 'lan'
	list network 'vlan30'
	list network 'vlan60'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

And setup DHCP servers for these new VLANs:

# DHCPv4 pools for the new VLANs: .100-.249 on each, 12h leases.
# No dhcpv6/ra here, so these VLANs are IPv4-only (consistent with the
# interfaces having no ip6assign).
config dhcp 'vlan30'
	option interface 'vlan30'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vlan60'
	option interface 'vlan60'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Reboot and all of the VLANs should work. They don't yet have the restrictions you want -- right now 30 and 60 can talk to 20, to each other and to the router -- but ensuring that they are operational is the first step.

What does this line do?

option ip6assign '60'

Still doing changes.

John

ip6assign: delegate an IPv6 prefix of the given length (here a /60) to this interface; it is what gives clients on that interface their IPv6 addresses (the "(see Downstream configuration below)" is a reference to the OpenWrt wiki page this line was quoted from).

I rebooted and still had dhcp, but not dns, so no internet. The vlan 20 was working as I was able to sync my laptop to my desktop between 192.168.20.100 and 192.168.20.101 addresses given out by dhcp.

I don't see any console login available on a EA8300 linksys, so I guess I'll need to do a factory reset. I used nmap and only found the above two addresses.

There must have been another place where 192.168.3.1 was used. One candidate visible in the dhcp config I posted is the static `config host` leases still pinned to 192.168.3.x, which are outside the new 192.168.20.0/24; whether that is what actually stopped DNS I can't confirm without the logs.

Don't factory reset... (and if you ever do get locked out, OpenWrt's failsafe mode -- reset button during early boot, then ssh to 192.168.1.1 -- lets you repair the config on most devices without losing it).

Let's see your config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have (your first post still shows the EA8300's real MAC addresses):

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I don't find an ip to ssh to. I'm not at the location of the EA8300 router, but my memory tells me I could not ping 192.168.3.1.

Below is the previous dhcp config parts that were not change, and conflicting:

You said you still have DHCP working, right?

What address are you getting?
You could do a static IP assignment on your computer for 192.168.20.5/24 and then ssh to 192.168.20.1 (assuming you used the addresses I recommended).... as long as you're connected to VLAN 20.

192.168.20.100 and 192.168.20.101 addresses are given to my laptop and desktop connected via a simple switch to the ethernet 3 port of the EA8300. I did all the changes you suggested -- checked for typos, then typed reboot.

More will have to wait til tomorrow.

Thanks, John

So if your are getting an address on VLAN 20, you should be able to reach the router via 192.168.20.1

Thanks, I'll try that.

Does an openwrt router respond to nmap with 192.168.20.1?

I did not get any nmap responses except 192.168.20.100 and 192.168.20.101

I did take a backup from openwrt yesterday, so a factory reset won't be too painful. If needed. I'll try pinging 192.168.20.1 first thing tomorrow. (and maybe setup an MR8300 I got for the house location so I can have internet in between experiments.)

Yeah, but it should simply respond to a connection via ssh or a web browser. That's all we need to do.

I'd recommend starting from scratch if you actually need to reset to defaults (at least assuming that the backup has the config you shared at the beginning). That earlier config didn't really get you any closer to your goals.

Have you tried just connecting to one of the ports on the router itself (rather than via the Cisco switch)?

I've got a vanilla openwrt 23.04 installed on a MR8300 now.
option ipaddr '192.168.20.1' is the only change.
Here is the network config:

# Fresh OpenWrt install on the MR8300, with only the LAN address changed to
# 192.168.20.1. All four lan ports are untagged members of br-lan; there is
# no bridge-vlan filtering yet.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda2:2161:7611::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'xxxxxxxxxxxxx'

config device
        option name 'lan2'
        option macaddr 'xxxxxxxxxxxxxxx'

config device
        option name 'lan3'
        option macaddr 'xxxxxxxxxxxxx'

config device
        option name 'lan4'
        option macaddr 'xxxxxxxxxxxxx'

# The one change from defaults: LAN is 192.168.20.1/24 instead of 192.168.1.1/24.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'xxxxxxxxxxxxx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

Now I'd like to double check some changes before doing them, since I bombed last time. here's the proposed config/network

# Starting point for the proposed changes: identical to the running config
# posted just above (only the MAC redaction differs). The VLAN changes are
# applied on top of this further down.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda2:2161:7611::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'c4:xxxxxxxxxx'

config device
        option name 'lan2'
        option macaddr 'c4:xxxxxxxxxx'

config device
        option name 'lan3'
        option macaddr 'c4:xxxxxxxxxx'

config device
        option name 'lan4'
        option macaddr 'c4:xxxxxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'c4:xxxxxxxxxxxxxx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
  

Here is the config/dhcp

# /etc/config/dhcp on the MR8300. The static leases are now inside
# 192.168.20.0/24, so the earlier subnet mismatch is gone.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Refuse upstream answers that point into private ranges.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Only answer DNS for directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        # Review: logs every DNS query to syslog — useful while debugging,
        # but it records all client lookups; turn it off once things work.
        option logqueries '1'
        # Upstream resolvers, plain UDP/53 (unencrypted).
        list server '1.1.1.1'
        list server '8.8.8.8'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases below the dynamic pool (.100+), in the LAN subnet.
config host
        option name 'cultlab4'
        option ip '192.168.20.2'
        option mac 'xxxxxxxxxxxxxxx'

config host
        option name 'thinktool'
        option ip '192.168.20.4'
        option mac 'xxxxxxxxxxxxxxxxx'
                            

So now I add suggested changes to config/network (to doublecheck).

# Proposed /etc/config/network for the MR8300 with bridge-VLANs added.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda2:2161:7611::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'xxxxxxxxxxx'

config device
        option name 'lan2'
        option macaddr 'xxxxxxxxxx'

config device
        option name 'lan3'
        option macaddr 'xxxxxxxxxxxxx'

config device
        option name 'lan4'
        option macaddr 'xxxxxxxxxxxx'

# Review: lan1-lan3 face plain end hosts (laptop/desktop via a dumb switch),
# which do not send 802.1Q tags. As ':t' members they would only accept
# VLAN-20-tagged frames and those hosts would get nothing; they need to be
# ':u*' (untagged + PVID). lan4 as ':t' is right for the Cisco trunk, which
# sends VLAN 20 tagged. Untagged and tagged members can coexist in one VLAN.
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '60'
        list ports 'lan4:t'

config interface 'lan'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

        # (Leading whitespace before 'config' is tolerated by UCI, but keep
        # section headers at column 0 like the rest of the file.)
        config interface 'vlan30'
        option device 'br-lan.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config interface 'vlan60'
        option device 'br-lan.60'
        option proto 'static'
        option ipaddr '192.168.60.1'
        option netmask '255.255.255.0'

config device
        option name 'wan'
        option macaddr 'xxxxxxxxxxxxx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

Here is proposed firewall zone lan

# Bring-up only: all three VLANs in one ACCEPT/ACCEPT zone means no
# isolation between them or from the router. Unquoted values are accepted
# by UCI, but quote them like the rest of the file for consistency.
config zone
        option name             lan
        list   network          'lan'
        list   network    'vlan30'
	list   network    'vlan60'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

Here is proposed config/dhcp added 2 vlans

# DHCP: 'lan' (VLAN 20) serves v4 + v6/RA; vlan30/vlan60 are IPv4-only
# pools (.100-.249, 12h), matching their interfaces having no ip6assign.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'vlan30'
	option interface 'vlan30'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vlan60'
	option interface 'vlan60'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

See any problems? Before there was a conflict of IP addresses with the static hosts, and I assumed `list ports 'lan1:u*'` was a typo and changed it to `list ports 'lan1:t'` (is `:u*` actually correct, or should it have been `:t*`?).

I'm thinking this may be a problem:

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'

lan1 lan2 lan3 are just ethernet ports on the MR8300. So they probably are going to be untagged since not from the Cisco switch. Can untagged and tagged 20 be part of the same vlan? Maybe it's better to have another vlan10 be just port 1 2 3 of the MR8300 untagged, and vlan 20 be only from the cisco switch and all tagged?
Port 4 of the MR8300 is to be a trunk from the cisco switch.

Thanks for thinking about this, John

Yeah... they shouldn't be tagged (except port lan4, which faces the Cisco trunk). `:u*` was not a typo: it means untagged member + PVID, and a bridge VLAN can have untagged members (lan1-3, `:u*`) and tagged members (lan4, `:t`) at the same time, so a separate VLAN 10 is not needed. Look back at the recommendation I made previously: