Hi folks, this is a continuation of my home networking VLAN journey. I've made some progress from my previous post.
This is the same WAX202 that runs 23.05.0. I'd like to have the following VLANs:
10: WAX202 Admin (LAN1) (10.0.10.x)
20: WiFi radio1 (WAN, LAN ok) (10.0.20.x)
30: Zerotier VPN (WAN only, no LAN) (10.0.30.x)
40: UNRAID, TV (LAN only, no WAN) (LAN2) (10.0.40.x)
50: IP Cameras (no egress) (LAN3, WiFi radio0) (10.0.50.x)
The WAN port of this WAX202 router is connected to an upstream Mikrotik router with an IP address of 10.0.0.1.
I'd like to first set up VLAN 50 for the IP cameras. Here's my configuration, but I'm having an issue with the DHCP server. It looks like the IP cameras are not being assigned IP addresses, even though they are DHCP clients. Under Active DHCP Leases, I only see the laptop I use to connect to LuCI, no cameras. Any help would be much appreciated.
cat /etc/config/network
# /etc/config/network as first posted (MAC addresses and the ULA prefix are
# redacted by the poster).
# Besides loopback/wan there is exactly one logical interface, 'lan' on
# br-lan.10: the br-lan.20/30/40/50 devices are created further down but no
# 'config interface' references them, so VLAN 50 has no address at all and
# nothing for the router's DHCP server to bind to.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
option packet_steering '1'
# VLAN-aware bridge over all four ports (wan included); which VLAN each port
# carries is set by the bridge-vlan sections below.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'wan'
option ipv6 '0'
config device
option name 'lan1'
option macaddr '34:xx:xx:xx:xx:36'
config device
option name 'lan2'
option macaddr '34:xx:xx:xx:xx:36'
config device
option name 'lan3'
option macaddr '34:xx:xx:xx:xx:36'
# Management interface: VLAN 10, 10.0.10.1/24.
# ip6assign '60' asks for an IPv6 prefix although the br-lan.10 device below
# sets ipv6 '0' — presumably no IPv6 is wanted here; confirm which is intended.
config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '10.0.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr '34:xx:xx:xx:xx:37'
# Upstream side: DHCP/DHCPv6 client directly on the 'wan' netdev.
# NOTE(review): 'wan' is also a member port of br-lan above, and in the
# bridge-vlan sections it only appears tagged (wan:t). A port enslaved to a
# bridge hands its frames to the bridge rather than to its own IP stack, so
# this client is unlikely to obtain a lease while wan stays in the bridge —
# confirm once the upstream cable is connected again.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# VLAN 10: lan1 as access port, carried tagged (':t') on the wan trunk.
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1'
list ports 'wan:t'
# VLANs 20 and 30 are declared with no member ports at all.
config bridge-vlan
option device 'br-lan'
option vlan '20'
config bridge-vlan
option device 'br-lan'
option vlan '30'
config bridge-vlan
option device 'br-lan'
option vlan '40'
list ports 'lan2'
list ports 'wan:t'
# VLAN 50 (cameras): lan3 plus the wan trunk. With no interface on br-lan.50
# this is a pure layer-2 path between lan3 and the upstream trunk, so the
# cameras' DHCP requests can only be answered by whatever sits behind wan,
# never by this router.
config bridge-vlan
option device 'br-lan'
option vlan '50'
list ports 'lan3'
list ports 'wan:t'
# 802.1q sub-devices of the bridge, one per VLAN. Only br-lan.10 is used by
# an interface; the other four are defined but unused.
config device
option name 'br-lan.10'
option type '8021q'
option ifname 'br-lan'
option vid '10'
option ipv6 '0'
config device
option name 'br-lan.20'
option type '8021q'
option ifname 'br-lan'
option vid '20'
option ipv6 '0'
config device
option name 'br-lan.30'
option type '8021q'
option ifname 'br-lan'
option vid '30'
option ipv6 '0'
config device
option name 'br-lan.40'
option type '8021q'
option ifname 'br-lan'
option vid '40'
option ipv6 '0'
config device
option name 'br-lan.50'
option type '8021q'
option ifname 'br-lan'
option vid '50'
option ipv6 '0'
cat /etc/config/firewall
# /etc/config/firewall as posted; it matches the stock OpenWrt ruleset with
# only the 'lan' and 'wan' zones.
# Traffic arriving on an interface that belongs to no zone is handled by the
# 'defaults' policy: input REJECT and forward REJECT. Such an interface
# therefore gets no DHCP or DNS answers from the router and no forwarding,
# which is what a VLAN 50 interface would run into until it is zoned.
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
# 'lan' zone: only the 'lan' network (VLAN 10) is a member. A segment that
# must stay isolated (the cameras) is better given its own zone with input
# REJECT / forward REJECT and no 'config forwarding' towards wan, plus one
# rule accepting udp dest_port 67 (DHCP) and 53 (DNS) from that zone so the
# router can still hand out leases and resolve names without any egress.
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# 'wan' zone: nothing unsolicited is accepted; IPv4 is NATed (masq).
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
# The only inter-zone forwarding: lan -> wan.
config forwarding
option src lan
option dest wan
# All rules below are the stock allowances for traffic from the wan zone
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec); none affects a LAN-side zone.
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
This, if I understood what you want to achieve (in case I misunderstood your problem, I apologize in advance):
I suppose that you have defined VLAN 50 on the "Mikrotik" router and that it offers a DHCP pool for it (this is the router that actually does the packet routing and hands out the IP addresses in the various VLANs),
and that VLAN 50 has been defined on the "Mikrotik" router and possibly on the managed switch in between (if present) ...
and I assume that the "WAX202" is a dumb AP and the actual packet routing is done by the "Mikrotik" (so the WAN port of the "WAX202" is a trunk port) ...
so the DHCP server on the "WAX202" is not needed (disable it) ...
This is assuming the other VLANs are working...
In that case you just have to tag the WAN port on this router:
Thanks for the reply. The reason why I'd like to run a DHCP server on the downstream router WAX202 and not the upstream Mikrotik for VLAN 50 is because I'd like to isolate the IP cameras from all home network devices. Instead, I'd like the Zerotier VPN on the WAX202 to forward the IP camera data so that the camera streams are accessible to any WAN device in the VPN network.
The IP cameras on VLAN 50 don't need to be directly exposed to the upstream Mikrotik router, so I didn't enable the trunk port you circled.
Please let me know if this clears things up.
Firstly, there is no interface defined for VLAN 50. Second, there is no DHCP server definition for it, and it is not assigned to a firewall zone.
And if you don't need VLAN 50 to be reachable from the Mikrotik, you don't need to create another VLAN there. You can remove lan3 from the bridge and assign the interface directly to the lan3 port.
Thank you both. If the IP camera 10.0.50.x network doesn't need to communicate outside the WAX202 router directly, it does make sense to remove it from the VLAN. The network entry now looks like the following:
# br-lan as posted after dropping the VLAN 50 bridge-vlan section.
# NOTE(review): lan3 is still a member of br-lan here, while the
# br-ip-cam-lan3 bridge posted right after also lists lan3. A netdev can be
# enslaved to only one bridge, so one of the two ends up without the port;
# the follow-up post removes lan3 from br-lan, which resolves this.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'wan'
option ipv6 '0'
I've added the ip-cam device and interface:
# Dedicated, non-VLAN-filtered bridge for the camera port: lan3 is its only
# member (lan3 must therefore be removed from br-lan, which the later post does).
config device
option type 'bridge'
option name 'br-ip-cam-lan3'
list ports 'lan3'
option ipv6 '0'
# Camera network 10.0.50.1/24 on that bridge.
# This interface is not listed in any zone of the posted /etc/config/firewall
# (only 'lan' and 'wan' exist), so the 'defaults' input REJECT applies to it:
# DHCP requests coming in on lan3 are refused before dnsmasq sees them, which
# matches the laptop on LAN port 3 getting no lease. It needs a zone of its
# own (with DHCP/DNS accepted from it) before the DHCP server can serve it.
# ip6assign '60' requests an IPv6 prefix although the bridge sets ipv6 '0' —
# presumably unintended; confirm.
config interface 'ip_cam_lan3'
option proto 'static'
option device 'br-ip-cam-lan3'
option ipaddr '10.0.50.1'
option netmask '255.255.255.0'
option ip6assign '60'
I've also enabled the DHCP server for this interface:
When I plug my laptop into LAN port 3, it is not assigned an IP address by the WAX202. Can you see if there's anything wrong with the setup? Thanks.
# br-lan with lan3 removed, so that lan3 can be the sole member of
# br-ip-cam-lan3 (a port can belong to only one bridge).
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'lan1'
list ports 'lan2'
list ports 'wan'
We now have:
cat /etc/config/network
# /etc/config/network as currently posted (MACs and ULA prefix redacted).
# Interfaces: loopback, 'lan' (VLAN 10 on br-lan.10), wan/wan6, and the new
# 'ip_cam_lan3' on its own bridge. br-lan.20/30/40 still have no interface.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
option packet_steering '1'
# VLAN-aware bridge; lan3 has been moved out to br-ip-cam-lan3 below.
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'lan1'
list ports 'lan2'
list ports 'wan'
config device
option name 'lan1'
option macaddr '34:xx:xx:xx:xx:36'
config device
option name 'lan2'
option macaddr '34:xx:xx:xx:xx:36'
config device
option name 'lan3'
option macaddr '34:xx:xx:xx:xx:36'
# Management interface: VLAN 10, 10.0.10.1/24.
# Keep this a /24. The /16 tried later in the thread makes 10.0.0.0/16 cover
# the camera subnet 10.0.50.0/24 as well: a /16 host then treats 10.0.50.x as
# on-link and never sends it to the router. With a /16 the DHCP range is also
# computed from 10.0.0.0 (presumably the default start offset — verify
# /etc/config/dhcp), which is where a 10.0.0.136/16 lease on LAN 1 would come
# from: the WAX202's own dnsmasq, not an upstream router.
config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '10.0.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr '34:xx:xx:xx:xx:37'
option ipv6 '0'
# Upstream side: DHCP/DHCPv6 client on the 'wan' netdev.
# NOTE(review): 'wan' is also a member port of br-lan and appears only tagged
# (wan:t) in the bridge-vlan sections; a bridge port hands its frames to the
# bridge, so this client is unlikely to get a lease while wan is in the bridge
# — confirm once the upstream cable is connected.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# VLAN 10: lan1 as access port, tagged on the wan trunk.
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1'
list ports 'wan:t'
# VLANs 20 and 30: no local port, only the wan trunk.
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '40'
list ports 'lan2'
list ports 'wan:t'
# 802.1q sub-devices of the bridge; only br-lan.10 is used by an interface.
config device
option name 'br-lan.10'
option type '8021q'
option ifname 'br-lan'
option vid '10'
option ipv6 '0'
config device
option name 'br-lan.20'
option type '8021q'
option ifname 'br-lan'
option vid '20'
option ipv6 '0'
config device
option name 'br-lan.30'
option type '8021q'
option ifname 'br-lan'
option vid '30'
option ipv6 '0'
config device
option name 'br-lan.40'
option type '8021q'
option ifname 'br-lan'
option vid '40'
option ipv6 '0'
# Dedicated bridge for the camera port; lan3 is its only member.
config device
option type 'bridge'
option name 'br-ip-cam-lan3'
list ports 'lan3'
option ipv6 '0'
# Camera network 10.0.50.1/24. Not a member of any zone in the posted
# /etc/config/firewall, so the 'defaults' input REJECT applies and DHCP
# requests from lan3 are refused — it needs its own zone (DHCP/DNS accepted
# from it, no forwarding to wan) before leases can be served here.
# ip6assign '60' with ipv6 '0' on the bridge is presumably unintended — confirm.
config interface 'ip_cam_lan3'
option proto 'static'
option device 'br-ip-cam-lan3'
option ipaddr '10.0.50.1'
option netmask '255.255.255.0'
option ip6assign '60'
I haven't changed any firewall rules, so this should be the default:
cat /etc/config/firewall
# /etc/config/firewall, stated by the poster to be unchanged from the default.
# Only the 'lan' and 'wan' zones exist. 'ip_cam_lan3' (10.0.50.1/24) is in
# neither, so it falls under the 'defaults' policy below — input REJECT,
# forward REJECT — and the router refuses DHCP and DNS on it. That is the
# first thing to fix for the laptop/cameras on LAN 3 to obtain a lease.
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
# 'lan' zone covers only the 'lan' network (VLAN 10). For the isolated camera
# segment, add a separate zone for 'ip_cam_lan3' with input REJECT / forward
# REJECT, no 'config forwarding' towards wan, and a rule accepting udp
# dest_port 67 (DHCP) and 53 (DNS) from it; reaching 10.0.50.x from the
# 10.0.10.x laptop is then a 'config forwarding' from lan to that zone, not a
# wider netmask on 'lan'.
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# 'wan' zone: nothing unsolicited accepted; IPv4 NAT (masq).
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
# The only inter-zone forwarding: lan -> wan.
config forwarding
option src lan
option dest wan
# The rules below are the stock allowances for traffic from the wan zone;
# none of them affects a LAN-side zone.
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
I haven't added the DNS rule, as I don't need the cameras to connect directly to WAN, just via the Zerotier VPN which I've yet to set up.
The WAX202 is able to ping the cameras too:
PING 10.0.50.43 (10.0.50.43): 56 data bytes
64 bytes from 10.0.50.43: seq=0 ttl=64 time=1.083 ms
64 bytes from 10.0.50.43: seq=1 ttl=64 time=0.829 ms
64 bytes from 10.0.50.43: seq=2 ttl=64 time=0.796 ms
64 bytes from 10.0.50.43: seq=3 ttl=64 time=0.889 ms
64 bytes from 10.0.50.43: seq=4 ttl=64 time=0.835 ms
--- 10.0.50.43 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.796/0.886/1.083 ms
My laptop is under 10.0.10.x. I'd like to try connecting to the IP cameras at 10.0.50.x, so I changed the netmask to 255.255.0.0:
The Mikrotik upstream router is at 10.0.0.1. The WAX202 is not connected to the Mikrotik, though, and has not been connected since the WAX202 was factory reset, so it has no knowledge of the upstream router.
The laptop is connected to the WAX202 LAN 1 port, and the IP cameras are on LAN 3 via a PoE switch. I'm not sure why the laptop is being assigned 10.0.0.x when I change the netmask from /24 to /16.
Can you post the complete and current configuration of your router "WAX202"? I'm hoping for help from the user @trendy,
who is much more competent than me ...
Maybe the IP address is provided by the "Mikrotik" and not by your "WAX202". However, if I were you I would keep the "WAX202" at 10.0.10.1/24 and not 10.0.10.1/16, so that the two routers stay on different subnets ...
Making unmanaged bridges means that the network operation depends on the Mikrotik. Replicate the VLANs on the Mikrotik and configure DHCP servers there and connect the cable.
The weird thing is, the WAX202 was factory reset after the upstream Mikrotik at 10.0.0.1 was disconnected, so from the perspective of the WAX202 it has never seen the Mikrotik before. The Mikrotik is not connected now either, so it should not be able to hand out IP addresses to devices behind the WAX202.
When I set the WAX202 br-lan to 10.0.10.1/16, the laptop connected to LAN port 1 gets 10.0.0.136/16 and is not able to ping the WAX202 at 10.0.10.1, so I can't post its configuration. Let me poke around and see what I can do.
I'm planning to do that with the VLANs 10, 20, 30, and 40. VLAN 50 was supposed to be for the IP cameras, but since I don't want to expose it to other upstream Mikrotik LAN devices, I decided to remove the IP cameras from the bridge.