Vlan weirdness on WRT3200ACM

Hi there, first post. I'm running OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152) on a WRT3200ACM and I'm trying to create an isolated, wired vlan (vlan 3 in my case). I've configured one switchport for that vlan thusly:

VLAN 1:
port_based: 0
vid: 1
ports: 0 1 2 5t
VLAN 2:
port_based: 0
vid: 2
ports: 4 6t
VLAN 3:
port_based: 0
vid: 3
ports: 3t 5t

I've also tried untagged on the switchport

VLAN 3:
port_based: 0
vid: 3
ports: 3 5t

but it makes no difference. My regular lan (vlan 1) is 192.168.0.0/24, so I create a new interface, assign it to eth0.3 and give it a static address of .1 on 192.168.1.1/24. I also set up a DHCP server for this range. So far so good.

I plug a laptop into the port designated for vlan 3, and it gets an address on that network - 192.168.1.175, and the correct mask and gateway. So far so good. Except that laptop cannot ping its gateway 1.1 (Why? It should just be straight layer 2), and devices on vlan 1 can ping the interface on vlan 3, i.e. my PC at 192.168.0.5 can ping 192.168.1.1 as well as its own gateway at 0.1!! (Why? I have not even gotten to routes or FW zones yet?) I'm completely baffled by this. Do vlans actually work on this device's switch? If layer 2 does not work as expected there is not much point in going further. Any ideas are appreciated!

Did you also create a new firewall zone for this new Interface, and at least:

  • ALLOW Input (to router)
  • OUTPUT (from router on that IP)
  • Set forwarding to ACCEPT (to be clear, this setting refers only to forwarding to another router in the same zone)
  • and ALLOW FORWARD to Zone WAN?

If you edited your General Firewall Zone to BLOCK or REJECT for security, you must ensure you define a working firewall zone.

Please post /etc/config/firewall and /etc/config/network


/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option macaddr '58:6D:8F:02:59:99'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
        option vid '2'

config interface 'vpnserver'
        option ifname 'tun0'
        option proto 'none'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '3 5t'

config interface 'DMZ'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.0.100'
        option dest_port '80'
        option name 'HTTP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '2020'
        option dest_ip '192.168.0.5'
        option dest_port '22'
        option name 'SSH'

config rule
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'tcp udp'
        option target 'ACCEPT'

config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'vpnserver'

config zone
        option name 'dmz'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'DMZ'

So not wanting to get ahead of myself, why can't my laptop with its DHCP assigned 192.168.1.175 ping its gateway at 192.168.1.1? It's the same subnet so no routing or FW zones should be needed. Do I need to allow ICMP responses from that interface to its own vlan somewhere?

Try adding option pvid '3' to vlan 3 in /etc/config/network.

config switch_vlan
    option  device 'switch0'
    option  vlan   '3'
    option  vid    '3'
    option  pvid   '3'
    option  ports  '3 5t'

  • Whatever devices connected to that vlan are likely going to need to have the vlan ID set to 3 on the device's interface for traffic to route correctly.
    • Just to verify, you are plugging into LAN port 1 [sw.port 3] on the router?

Hi again. Thanks for the reply. Yes, I am plugging into LAN1. I'm connecting that to a Cisco 2970G interface configured as an access port on its vlan 3, though I have tried the laptop directly to the Linksys with the same result. I was hoping this device might do dot1q trunking but I know that was a bit much to ask. I'll be happy enough if I can get different individual tagged vlans on the switch ports of the 3200 and distribute them on the Cisco.

I'll try the pvid option and report back.

Cheers

It does. I've used trunks on every device I've owned, back to the original WRT54Gs.

Have you tried configuring this on the web GUI?


Hey. Thanks, I thought it should. I've tried configuring the downstream switchport as a trunk but no luck either. PVID option did not seem to help either. From my reading here https://openwrt.org/docs/guide-user/network/vlan/switch_configuration it looks like dot1q should be the default protocol on ports with multiple vlans. I've tried this configuration with a dot1q trunk on the Cisco connected to LAN1 on the Linksys, but still get the same funky behavior.


I'm recently retired from a career in enterprise networking so switching and routing is second nature but I'm used to Cisco devices. I've only had this Linksys a couple days so perhaps I need to spend more time reading TFM.

Still, it just seems completely odd that a device on vlan 1 can ping the eth0.3 gateway address, and a device on vlan 3 can't.

So basically any subinterface I create on eth0.x is pingable from vlan 1. I assigned 172.16.0.1 to eth0.4 with no bridging or anything and I can immediately ping that address from clients in the 192.168.0.0/24 subnet. It's like the CPU itself is ignoring the tagging...

I'm not sure about the other issues, but after looking at my old managed switch config, pinging vlan 3's gateway should be fixed by adding option gateway 'xxx.xxx.x.x' to dmz's interface options.
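A small consistency check for the layout argued over in this thread (the zone reply, the pvid reply and the eth0.4 experiment), added here as example code that is not from the thread, OpenWrt or libuci: it parses UCI text with a hand-rolled parser and flags VLANs with no tagged CPU port, ethX.N interfaces with no matching switch_vlan on that CPU port, and interfaces placed in no firewall zone. It assumes the WRT3200ACM mapping visible in the posted config (port 5 tagged for eth0, port 6 for eth1); the sample configs are a constructed excerpt, with a 'test' interface on eth0.4 standing in for the 172.16.0.1 experiment.

```python
# Added example, not from the thread: check a swconfig VLAN layout against its
# firewall zones. Hand-rolled UCI text parser; CPU port mapping assumed from the
# WRT3200ACM config posted above (5 = eth0, 6 = eth1).
import re

CPU_PORTS = {"5": "eth0", "6": "eth1"}

def parse_uci(text):
    # Returns [(section_type, section_name, {option: value}), ...]
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)\s*'?([^']*)'?\s*$", line)
        if m:
            out.append((m.group(1), m.group(2), {}))
        elif line.strip().startswith("option ") and out:
            key, _, val = line.strip()[7:].partition(" ")
            out[-1][2][key] = val.strip().strip("'")
    return out

def check_layout(network_text, firewall_text):
    net, fw, problems, cpu_for_vid = parse_uci(network_text), parse_uci(firewall_text), [], {}
    for typ, _, o in net:
        if typ == "switch_vlan":
            ports = o.get("ports", "").split()
            # Which CPU interfaces carry this VID tagged; none means eth0.N/eth1.N sees nothing
            tagged_cpu = {CPU_PORTS[p[:-1]] for p in ports if p[-1] == "t" and p[:-1] in CPU_PORTS}
            if not tagged_cpu:
                problems.append(f"vlan {o['vid']}: no tagged CPU port, the CPU never sees it")
            cpu_for_vid[o["vid"]] = tagged_cpu
    zoned = {n for typ, _, o in fw if typ == "zone" for n in o.get("network", "").split()}
    for typ, name, o in net:
        if typ != "interface" or name == "loopback":
            continue
        m = re.fullmatch(r"(eth[01])\.(\d+)", o.get("ifname", ""))
        if m and m.group(1) not in cpu_for_vid.get(m.group(2), set()):
            problems.append(f"{name}: {o['ifname']} has no switch_vlan vid {m.group(2)} tagged on {m.group(1)}")
        if name not in zoned:
            problems.append(f"{name}: not covered by any firewall zone (defaults apply)")
    return problems

# Constructed excerpt of the thread's configs plus an eth0.4 'test' interface with no VLAN or zone
NETWORK = """
config interface 'lan'\n option ifname 'eth0.1'
config interface 'wan'\n option ifname 'eth1.2'
config interface 'DMZ'\n option ifname 'eth0.3'
config interface 'test'\n option ifname 'eth0.4'
config switch_vlan\n option vid '1'\n option ports '0 1 2 5t'
config switch_vlan\n option vid '2'\n option ports '4 6t'
config switch_vlan\n option vid '3'\n option ports '3 5t'"""
FIREWALL = """
config zone\n option name 'lan'\n option network 'lan'
config zone\n option name 'wan'\n option network 'wan wan6'
config zone\n option name 'dmz'\n option network 'DMZ'"""
```

Run `print("\n".join(check_layout(NETWORK, FIREWALL)))` to see the two findings for the eth0.4 interface; feed it the real /etc/config/network and /etc/config/firewall text to check a live box.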