VLAN Shenanigans

Hi all,

I've attempted to configure VLANs on my Flint 2, but I've hit a snag.

I have a DMZ interface tied to a WiFi SSID and all was working fine, but as soon as I configured VLANs (so that I could tie a single ethernet port of the built-in switch to this network), the WiFi devices connected to this SSID have lost connection to the internet.

I'm not at home at the moment, so I can't even check whether "lan5" is correctly assigned to the dmz VLAN I tried to set up, so I was looking for some advice and guidance.

Below is my config:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as first posted (OpenWrt, DSA switch). Secrets redacted by the poster.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:44cd:4b0::/48'
        option packet_steering '1'

# br-lan: the four switch ports used by the trusted 'lan' network.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option device 'br-guest'

# NOTE(review): 'dmz' binds to the plain bridge 'br-dmz', not to the VLAN
# sub-device 'br-dmz.1255' defined by the bridge-vlan below, so the L3
# interface is not actually on VLAN 1255. The poster later changes this.
config interface 'dmz'
        option proto 'static'
        option ipaddr '10.0.255.1'
        option netmask '255.255.255.0'
        option device 'br-dmz'

# br-guest has no Ethernet ports; only the guest SSID attaches to it.
config device
        option type 'bridge'
        option name 'br-guest'

# NOTE(review): 'eth0' is bridged here. A reply below states that eth0 is
# the CPU-side link to the switch carrying all lan* ports, so it must not
# be a member of a user bridge.
config device
        option type 'bridge'
        option name 'br-dmz'
        list ports 'eth0'
        list ports 'lan5'

# 'REDACTED WG0' stands in for the poster's WireGuard (wg0) interface stanza.
REDACTED WG0

# VLAN 1255 on br-dmz: eth0 tagged, lan5 untagged (no explicit ':u*').
config bridge-vlan
        option device 'br-dmz'
        option vlan '1255'
        list ports 'eth0:t'
        list ports 'lan5'


root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall (OpenWrt fw3/fw4 syntax). Zone 'input' is traffic to the
# router itself, 'output' is traffic from the router, 'forward' is traffic
# between networks inside the same zone.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# NOTE(review): the 'wg0' network is placed in the lan zone, so every
# WireGuard peer gets the same access as a wired LAN client.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

# NOTE(review): input 'ACCEPT' on the wan zone means anything listening on
# the router (e.g. SSH or LuCI, if bound to all interfaces) is reachable
# from the internet over the PPPoE address. OpenWrt's shipped default for
# this zone is input 'REJECT', and the Allow-* rules below only have an
# effect under a REJECT policy. Confirm this is intended.
config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules below are the stock OpenWrt wan-input exceptions.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules: let IPsec (ESP / ISAKMP on udp/500) from wan be forwarded to lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# guest: isolated zone; only DHCP/DNS to the router (rule below) and guest->wan.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# NOTE(review): unlike 'guest', the dmz zone has input 'ACCEPT', so DMZ hosts
# can reach every service on the router itself. The 'dmz DNS & DHCP' rule
# below already opens 53/67, so input 'REJECT' (mirroring guest) would keep
# DHCP/DNS working while closing the rest. forward 'ACCEPT' only affects
# traffic between networks inside this zone; with a single network it has
# little effect, but REJECT is the conservative default.
config zone
        option name 'dmz'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'dmz'

# Inter-zone forwardings: lan may reach dmz and guest; dmz and guest may
# reach wan. There is no dmz->lan or guest->lan forwarding, which is the
# intended isolation.
config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'lan'
        option dest 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'dmz'
        option dest 'wan'

config rule
        option name 'guest DHCP & DNS'
        option src 'guest'
        option dest_port '53 67'
        option target 'ACCEPT'

config rule
        option name 'dmz DNS & DHCP'
        option src 'dmz'
        option dest_port '53 67'
        option target 'ACCEPT'

# Port forward for WireGuard: udp/51821 from wan to the router's lan address.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51821'
        option dest_ip '10.0.0.1'
        option dest_port '51821'


root@OpenWrt:~# cat /etc/config/wireless

# /etc/config/wireless. All four APs use 'sae' (WPA3-Personal); keys redacted.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option cell_density '0'
        option country 'US'
        option txpower '23'

# NOTE(review): ocv '0' disables Operating Channel Validation on every AP
# below. It is a hardening feature, so confirm it was switched off
# deliberately (client compatibility is the usual reason).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae'
        option key 'REDACTED'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option country 'US'
        option cell_density '0'
        option txpower '23'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt_5GHz'
        option encryption 'sae'
        option network 'lan'
        option key 'REDACTED'
        option ocv '0'

# Guest SSID attaches to the 'guest' network (br-guest, no wired ports).
config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt_Guest'
        option encryption 'sae'
        option key 'REDACTED'
        option ocv '0'
        option network 'guest'

# DMZ SSID attaches to the 'dmz' network. NOTE(review): hidden '1' only
# suppresses the SSID in beacons; clients still probe for it by name, so it
# is not a security control -- the SAE key is what protects this network.
config wifi-iface 'wifinet5'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt_DMZ'
        option encryption 'sae'
        option key 'REDACTED'
        option ocv '0'
        option hidden '1'
        option network 'dmz'

Any input would be appreciated :slight_smile:

Remove all references to "eth0": it is the internal link between the CPU and the switch on which all the "lan*" ports sit, so it must not be bridged.


Done, but still no luck:

# /etc/config/network after removing eth0 (second attempt).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:44cd:4b0::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option device 'br-guest'

# NOTE(review): still bound to 'br-dmz' rather than 'br-dmz.1255', so the
# bridge-vlan below is defined but the dmz interface does not use it. The
# poster's next post reports that switching to 'br-dmz.1255' made it work.
config interface 'dmz'
        option proto 'static'
        option ipaddr '10.0.255.1'
        option netmask '255.255.255.0'
        option device 'br-dmz'

config device
        option type 'bridge'
        option name 'br-guest'

# eth0 removed as advised; br-dmz now holds lan5 only.
config device
        option type 'bridge'
        option name 'br-dmz'
        list ports 'lan5'

config bridge-vlan
        option device 'br-dmz'
        option vlan '1255'
        list ports 'lan5'

Now delete the whole "config bridge-vlan", please.

Every program has at least one bug and can be shortened by at least one
instruction -- from which, by induction, one can deduce that every
program can be reduced to one instruction which doesn't work.

May I ask why I'd have to remove "config bridge-vlan"?

Genuine newbie question, because I actually managed to get it working. I removed eth0 from the bridge-vlan but it still didn't work, so I experimented a bit and, under "Interfaces", assigned "br-dmz.1255" to the dmz interface.

The DMZ WiFi SSID started working again and when I plugged in a device to lan5, it got an IP address from the dmz interface.

I then made some slight modifications and configured another VLAN for the "lan"/main interface, VLAN 10, and tagged lan1 and untagged lan2, lan3 and lan4.

I then bridged lan1 to "br-dmz" and tagged it as well.

Now, my reasoning could be wrong, so please correct me if it is, but I did this because I may add a second OpenWrt router as an access point and would like the dmz SSID on it too, so I assume there would need to be a trunk of sorts carrying both VLAN 10 and VLAN 1255?

Current config:

# /etc/config/network, third attempt: VLAN sub-devices are now used for both
# 'lan' (br-lan.10) and 'dmz' (br-dmz.1255), and lan1 is meant as a trunk.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:44cd:4b0::/48'
        option packet_steering '1'

# NOTE(review): lan1 is listed here AND in br-dmz below. The reply that
# follows points out that a port can belong to only one bridge; this is why
# the two bridges get merged into a single br-lan with two bridge-vlans.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option device 'br-guest'

# dmz now correctly uses the VLAN sub-device.
config interface 'dmz'
        option proto 'static'
        option ipaddr '10.0.255.1'
        option netmask '255.255.255.0'
        option device 'br-dmz.1255'

config device
        option type 'bridge'
        option name 'br-guest'

# See the note on br-lan: lan1 cannot be a member of both bridges.
config device
        option type 'bridge'
        option name 'br-dmz'
        list ports 'lan1'
        list ports 'lan5'

config bridge-vlan
        option device 'br-dmz'
        option vlan '1255'
        list ports 'lan1:t'
        list ports 'lan5'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

Thanks in advance :slight_smile:

The bridge-VLAN syntax is what you want, but you have a few issues... nothing big, though.

Ports can only be part of a single bridge (above, lan1 is in both br-lan and br-dmz). Delete the br-dmz device and its bridge-vlan:

Edit vlan 1255 to use device br-lan and specifically mark lan5 as untagged+PVID. It will look like this:

# VLAN 1255 on the single bridge: lan1 tagged (trunk), lan5 untagged and PVID
# ('u*'), so untagged frames arriving on lan5 are placed in VLAN 1255.
config bridge-vlan
        option device 'br-lan'
        option vlan '1255'
        list ports 'lan1:t'
        list ports 'lan5:u*'

Edit vlan 10 to make it explicitly untagged+PVID on ports 2-4:

# VLAN 10 on the single bridge: lan1 tagged (trunk), lan2-lan4 untagged and
# PVID ('u*') so their untagged ingress lands in VLAN 10.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

Edit the dmz to use br-lan.1255:

# dmz moves from br-dmz.1255 to the VLAN sub-device of the single bridge.
config interface 'dmz'
        option proto 'static'
        option ipaddr '10.0.255.1'
        option netmask '255.255.255.0'
        option device 'br-lan.1255'

Reboot after those changes are done. I've only reviewed your network config, so if that doesn't work, post the complete config again.


Hi, thanks for this.

I've made the changes in Luci:

# Final /etc/config/network: one DSA bridge (br-lan) holding all five ports,
# with VLAN 10 ('lan') and VLAN 1255 ('dmz') as bridge-vlans on top of it.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:44cd:4b0::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option device 'br-guest'

config interface 'dmz'
        option proto 'static'
        option ipaddr '10.0.255.1'
        option netmask '255.255.255.0'
        option device 'br-lan.1255'

config device
        option type 'bridge'
        option name 'br-guest'

# NOTE(review): lan1 is tagged in both VLANs, i.e. a trunk carrying 'lan'
# and 'dmz'. Whatever is cabled to lan1 can choose its VLAN by tagging its
# frames, so only the trusted AP should be connected there.
# lan2-lan4 are written without ':u*'; the reply below recommends marking
# untagged ports explicitly as untagged + PVID.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Same remark for lan5 (':u*' not set).
config bridge-vlan
        option device 'br-lan'
        option vlan '1255'
        list ports 'lan1:t'
        list ports 'lan5'

This works just fine, however, I have a few questions to help me understand why things should be done this way:

  1. Why did I have to delete the "br-dmz" interface?
  2. Why is the dmz VLAN now set in "br-lan" as opposed to "br-dmz", like before?
  3. Is it recommended to set up another VLAN for the guest WiFi SSID or does the current setup for it work fine in terms of security?

I'm just trying to truly understand this rather than just do it because "monkey see, monkey do" :slight_smile:

Also, one strange thing: in LuCI, ports 2, 3 and 4 show as Untagged in VLAN 10 and port 5 as Untagged in VLAN 1255, but this doesn't seem to be reflected in the config (see above); only the tagged ports appear with a "t" suffix. Example:

config bridge-vlan
        option device 'br-lan'
        option vlan '1255'
        **list ports 'lan1:t'**
        list ports 'lan5'

Screenshot:

Could it be that list ports 'lan4' is equivalent to list ports 'lan4:u' (for example), and the "u" doesn't have to be specified when the port is untagged?

Many thanks for your help.
It's truly appreciated :slight_smile:

Because DSA uses a single bridge for all Ethernet ports.

The DSA syntax is built around a single bridge plus bridge-VLANs, which create the VLAN IDs and assign the associated ports.

From the network config's point of view, security is no different. It is only necessary to add a bridge-vlan for guest if you need Ethernet on that network (for example, to extend it to another AP). Otherwise, what you have is fine.

Yes, generally. I recommend explicitly specifying untagged + PVID for untagged ports, that is, adding :u* to each untagged port in the respective VLAN.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
