VLANs - creating interface between router and switch

Hi everyone,
I have the following components:

  • Netgear R7800 router with OpenWRT
  • Ruckus ICX7150-C12P switch
  • 2x Ruckus R320 APs (one on each level)

My target is to have two VLANs, one for IOT/HomeKit components and the other one for laptops, iPads etc. I also want to be able to limit the internet access for single IOT components for privacy purposes in the future.

Current setup:

  • I created two SSIDs, one for the standard things and one for IOT. The SSIDs run on both APs, which are connected to eth 1/1/2 and 1/1/4 on the switch. The router is connected to the switch on eth 1/1/1 on the switch and on LAN 1 on the router. Internet comes into the router on the Internet/WAN port.
  • On the management VLAN 1 I left eth 1/1/1 untagged and tagged it in VLANs 2+3. I also tagged eth 1/1/2 and eth 1/1/4 on the new VLANs.
  • I created the VLANs on the switch. "Management" VLAN 1, Standard VLAN 2 and IOT VLAN 3. VLAN 1 has the IP range 192.168.1.1/24, VLAN 2 192.168.2.1/24 etc. with the gateway being the router IP.
  • The router has the IP 192.168.1.1 and the switch has the IP 192.168.1.180
  • When I connect to the new SSIDs, the respective device does not have a connection to the internet, so the next step was to trunk the ports I mentioned above between router and switch for the new VLANs, as my assumption is/was that the devices in the new VLANs do not get IPs via DHCP.
  • I configured VLAN 3 only for now on the router:
I hope at least I did some basic things right, as I am new to this :).

Thanks a lot in advance!

You'll need to use another vlan number for standard, as it is already in use in OpenWrt for the wan port.
vlan3 interface is not assigned to any firewall zone and I presume that the default policy is to drop incoming packets, hence the dhcp discoveries won't reach the dhcp server.

I'll also add the following recommendation:
Set one of the router ports (say port 4) as an access port for your new VLAN (i.e. VLAN 3 untagged on port 4, other VLANs off). This way you can plug a computer directly into the router to make it easy to test the router configuration without having to worry about the other switch. This isolation will help you verify the VLAN functionality and isolate the different potential culprits.

The Standard VLAN on the switch and router is 1. I left those untouched. On the router I only added 3 for now.

The firewall seems to accept incoming traffic, correct (see screenshot)? Will need to check how to create a zone for a VLAN.

Creating a new zone is easy, but actually the best option is to simply declare VLAN 3 in the LAN zone. Once you have everything working, you can split the zones.

How do I do that?

If you're using LuCI (web) interface: Network > Interfaces > Edit VLAN 3 > Firewall Settings > select LAN.

That was easy, thanks!

Still no internet on vlan3! It still gets no IP that I have assigned to the vlan on the router, but I assume the dhcp server on the router does not know what IP range I assigned. How can I influence which IPs are assigned to a vlan?

Are my configs up top correct?

I am only using LuCI btw

Did you make the change I recommended for port 4 (making it an access port for VLAN 3), and then plug a computer directly into that port?

No, not yet. I join the respective WiFi on my iPad that is assigned to vlan 3 in the ap/switch config

Start with the wired connection first as I recommended. It is far easier to troubleshoot.

Same result, stuck at "identifying" and then "unidentified network". I tried to assign an ip manually within the IP range I defined for VLAN 3 (192.168.3.2), with the router as the gateway, but that also does not work.

This is not a valid RFC1918 address.

Let's see your config files. You'll need to ssh into the router to get these files, but they will give a more complete picture (faster than doing a 20-questions style approach).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

There was a typo in the IP - I corrected that.

Ok, I will check how to ssh into this thing and post that - thanks!

here we go:

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4 3 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '6t 4t 2'

config interface 'VLAN3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ifname 'eth1'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN3'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN3'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan VLAN3'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

This should be eth1.3

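As an added example (not from the thread, and not OpenWrt's own tooling), the script below is a small POSIX sh + awk lint that reads a UCI network and firewall config and reports the three problems diagnosed in this thread: a VLAN interface bound to the bare parent `eth1` instead of `eth1.<vid>`, an interface that no firewall zone claims (so its DHCP discover is dropped), and a vid reused by two `switch_vlan` stanzas (for example reusing vid 2, which the posted config already uses for WAN). The sample configs embedded in it are constructed to mirror the posted files, trimmed to the keys the lint reads; the separate `iot` zone in the fixed firewall sample is an assumption that shows the later zone split mentioned above, not something the thread configured.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: a POSIX sh + awk lint for
# the UCI misconfigurations diagnosed above. Findings it reports:
#   BARE-PARENT     a VLAN interface bound to 'eth1' instead of 'eth1.<vid>'
#   NO-ZONE         an interface no firewall zone claims (its DHCP discover is dropped)
#   DUP-VID         one vid used by two switch_vlan stanzas (e.g. reusing the WAN vid)
#   NO-SWITCH-VLAN  an 'ethN.V' interface whose vid V has no switch_vlan stanza
lint_uci_vlans() {  # $1 = /etc/config/network text, $2 = /etc/config/firewall text
    printf '%s\n%s\n' "$1" "$2" | awk '
    BEGIN { q = "\047" }                 # single-quote character, kept out of the shell quoting
    $1 == "config" { n++; stype[n] = $2; sname[n] = $3; gsub(q, "", sname[n]); next }
    $1 == "option" || $1 == "list" {
        key = $2; val = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]*/, "", val); gsub(q, "", val)
        if (stype[n] == "switch_vlan" && key == "vid")  vid[n] = val
        if (stype[n] == "switch_vlan" && key == "vlan") vlan[n] = val
        if (stype[n] == "interface" && key == "ifname") ifname[sname[n]] = val
        if (stype[n] == "zone" && key == "network") {
            cnt = split(val, nets, " ")
            for (i = 1; i <= cnt; i++) inzone[nets[i]] = 1
        }
    }
    END {
        for (s = 1; s <= n; s++) if (stype[s] == "switch_vlan") {
            v = (s in vid) ? vid[s] : vlan[s]             # vid defaults to the vlan number
            if (v in seen) { found++; printf "DUP-VID: vid %s is used by two switch_vlan stanzas\n", v }
            seen[v] = 1
        }
        for (iface in ifname)                             # parents that carry tagged sub-interfaces
            if (ifname[iface] ~ /^eth[0-9]+\.[0-9]+$/) { split(ifname[iface], p, "."); tagged[p[1]] = 1 }
        for (iface in ifname) {
            dev = ifname[iface]
            if (dev ~ /^eth[0-9]+\.[0-9]+$/) {
                split(dev, p, ".")
                if (!(p[2] in seen)) { found++; printf "NO-SWITCH-VLAN: %s uses %s but no switch_vlan has vid %s\n", iface, dev, p[2] }
            } else if (dev in tagged) {
                found++; printf "BARE-PARENT: %s is bound to %s; a VLAN interface needs %s.<vid>\n", iface, dev, dev
            }
            if (iface != "loopback" && !(iface in inzone)) { found++; printf "NO-ZONE: %s is in no firewall zone\n", iface }
        }
        if (found) exit 1
    }'
}
# Constructed sample mirroring the posted files and their defects: VLAN3 bound to
# bare eth1, neither new interface in a zone, and a "standard" VLAN reusing vid 2.
BROKEN_NETWORK=$(cat <<'EOF'
config interface 'lan'
        option ifname 'eth1.1'
config interface 'wan'
        option ifname 'eth0.2'
config switch_vlan
        option vid '1'
config switch_vlan
        option vid '2'
config switch_vlan
        option vid '3'
config switch_vlan
        option vlan '4'
        option vid '2'
config interface 'VLAN3'
        option ifname 'eth1'
config interface 'standard'
        option ifname 'eth1.2'
EOF
)
BROKEN_FIREWALL=$(cat <<'EOF'
config zone
        option name 'lan'
        option network 'lan'
config zone
        option name 'wan'
        option network 'wan wan6'
EOF
)
# The same config after the fixes the thread arrives at (eth1.3, a free vid for
# "standard") plus an assumed separate 'iot' zone that is only forwarded to wan.
FIXED_NETWORK=$(printf '%s\n' "$BROKEN_NETWORK" \
    | sed -e "s/option ifname 'eth1'$/option ifname 'eth1.3'/" \
          -e "s/option ifname 'eth1.2'/option ifname 'eth1.4'/" \
          -e "/option vlan '4'/{n;s/option vid '2'/option vid '4'/;}")
FIXED_FIREWALL=$(cat <<'EOF'
config zone
        option name 'lan'
        option network 'lan standard'
config zone
        option name 'iot'
        option network 'VLAN3'
        option forward 'REJECT'
config zone
        option name 'wan'
        option network 'wan wan6'
config forwarding
        option src 'iot'
        option dest 'wan'
EOF
)
echo "--- broken ---"; lint_uci_vlans "$BROKEN_NETWORK" "$BROKEN_FIREWALL" || echo "(exit status 1: findings above)"
echo "--- fixed ---";  lint_uci_vlans "$FIXED_NETWORK"  "$FIXED_FIREWALL"  && echo "no findings"
```

On the router it can be run against the live files with `lint_uci_vlans "$(cat /etc/config/network)" "$(cat /etc/config/firewall)"`; exit status 1 means findings were printed. It only understands the swconfig-style `switch_vlan` / `ifname 'ethN.V'` syntax used in the posted config, not the newer DSA `bridge-vlan` / `device` syntax.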
Cool, little change, big effect!

The port has internet connection now (even in the correct IP range I configured), the Wi-Fi that should be in the same VLAN does not. Still does not get the proper IP through DHCP it seems.

Are you connecting via the on-board wifi in the router, or with the R320s?

R320s.

The wi-fi on the router is deactivated.

Ok... so now you need to do a wired test on the other switch to make sure the VLANs are configured properly on that device. Set up an access port for VLAN3 (untagged) on one of the ports and make sure that you can connect through that switch.