VLANs - creating interface between router and switch

here we go:

cat /etc/config/network

# Loopback interface (stock OpenWrt default, unchanged).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # NOTE(review): the value is empty in this paste — confirm whether the ULA prefix was redacted or is genuinely unset.
        option ula_prefix 

# Main LAN: a bridge over the VID-1 subinterface of eth1 (VLAN 1 is untagged on switch ports 4, 3 and 1 per switch_vlan 1 below).
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN (IPv4 via DHCP) on the VID-2 subinterface of eth0 (switch_vlan 2 below, port 5 untagged).
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

# WAN IPv6 companion on the same eth0.2 device.
config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: port 6 tagged (t), ports 4, 3 and 1 untagged. Port 4 also carries VLAN 3 tagged below, so it is the trunk toward the external switch/APs.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4 3 1'

# VLAN 2: port 0 tagged, port 5 untagged (the wan side, eth0.2).
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

# VLAN 3: tagged on ports 6 and 4, untagged on port 2 (a local access port for VLAN 3).
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '6t 4t 2'

# VLAN 3 interface (192.168.3.0/24). Unlike 'lan' this is not a bridge.
config interface 'VLAN3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        # NOTE(review): 'eth1' is the parent device, not the VID-3 subinterface. The reply further down says this should be 'eth1.3', following the eth1.1 pattern used for 'lan'.
        option ifname 'eth1'

cat /etc/config/wireless

# 5 GHz radio (hwmode 11a, channel 36, VHT80). Disabled, which matches the later reply that the router's Wi-Fi is deactivated.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option disabled '1'

# Default AP on radio0, attached to the 'lan' network.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        # NOTE(review): an open (unencrypted) SSID bridged into 'lan'. Harmless only while radio0 stays disabled — configure encryption before enabling the radio.
        option encryption 'none'

# 2.4 GHz radio (hwmode 11g, channel 11, HT20). Also disabled.
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option htmode 'HT20'
        option disabled '1'

# Default AP on radio1, same open-SSID-on-lan caveat as default_radio0 above.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

cat /etc/config/dhcp

# dnsmasq (DNS forwarder + IPv4 DHCP) global settings. Stock OpenWrt values.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Rejects upstream DNS answers that resolve to private address ranges (DNS-rebinding protection).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        # Serve DNS only to clients on local subnets.
        option localservice '1'

# IPv4 pool 192.168.1.100-249 on 'lan', plus IPv6 DHCPv6/RA served on this interface.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

# No DHCP service on the wan side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles IPv6 (DHCPv6/RA); maindhcp '0' leaves IPv4 DHCP to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# IPv4 pool 192.168.3.100-249 on the VLAN3 interface. Unlike 'lan' above there are no dhcpv6/ra options, so this segment is IPv4-only as configured.
config dhcp 'VLAN3'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'VLAN3'

cat /etc/config/firewall

# Fallback policies for traffic not matched by a zone: router input/output ACCEPT, transit forwarding REJECT, SYN-flood protection on.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# NOTE(review): VLAN3 shares the 'lan' zone. With forward ACCEPT, lan<->VLAN3 traffic is forwarded freely, and with input ACCEPT VLAN3 hosts can reach every router service — i.e. no isolation for the IoT segment. Later replies recommend a dedicated zone (output accept, input/forward drop) plus allow rules for DNS (53) and DHCP (67-68) toward the router.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan VLAN3'

# wan zone: unsolicited inbound to the router REJECTed, NAT (masq) and MSS clamping (mtu_fix) enabled.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# The only inter-zone forwarding: lan (which here includes VLAN3) -> wan. This is what gives VLAN3 internet access.
config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt rules follow: allow the wan side to renew DHCP, ping the router, and deliver IGMP/MLD/ICMPv6 control traffic.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers ICMPv4 echo-request from wan; remove or restrict this rule if the WAN address should not respond to ping.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 to the router is only accepted between ULA/link addresses (fc00::/6 on both sides).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types the router itself accepts, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types forwarded from wan to any zone (dest '*'), rate-limited; needed for IPv6 path MTU discovery and error reporting.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec passthrough from wan into the lan zone (ESP and ISAKMP/UDP 500). Note the lan zone currently includes VLAN3.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rules from this file are loaded as well; its contents are not shown in this paste, so the effective ruleset may be wider than what is listed above.
config include
        option path '/etc/firewall.user'



This should be eth1.3


Cool, little change, big effect!

The port has internet connection now (even in the correct IP range I configured), the Wi-Fi that should be in the same VLAN does not. Still does not get the proper IP through DHCP it seems.

Are you connecting via the on-board wifi in the router, or with the R320s?

R320s.

The wi-fi on the router is deactivated.

Ok... so now you need to do a wired test on the other switch to make sure the VLANs are configured properly on that device. Set up an access port for VLAN3 (untagged) on one of the ports and make sure that you can connect through that switch.

Ha! Just did that! Tagged an empty port and it works with the weird caveat that the network has the same name as the standard wi-fi. And the laptop gets an IP from VLAN 1 and not VLAN 3, although the port is tagged to VLAN 3.

Maybe I need to reload the switch

Yes, at this point it appears that you need to configure your switch and/or AP. This is not OpenWrt, and I am not familiar with the Ruckus devices, so I can't really help here other than general advice.


Thanks! this is the VLAN config on the switch:

SSH@ICX7150-C12 Switch>show vlan
Total PORT-VLAN entries: 3
Maximum PORT-VLAN entries: 1024

Legend: [Stk=Stack-Id, S=Slot]

PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, On
 Untagged Ports: (U1/M1)   1   2   3   4   5   6   7   8   9  10  11  12

 Untagged Ports: (U1/M2)   1   2
 Untagged Ports: (U1/M3)   1   2
   Tagged Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled
PORT-VLAN 2, Name Why-Fi, Priority level0, On
 Untagged Ports: None
   Tagged Ports: (U1/M1)   2   4
 Mac-Vlan Ports: None
     Monitoring: Disabled
PORT-VLAN 3, Name Why-Fi-IOT, Priority level0, On
 Untagged Ports: None
   Tagged Ports: (U1/M1)   2   4  11
 Mac-Vlan Ports: None
     Monitoring: Disabled

Looks ok, but who knows! Thanks a LOT!

What ports connect to the router and each of the APs?

1/1/1 connects the switch to the router
1/1/2 and 1/1/4 connect the APs to the switch

VLAN 3 is not active on port 1. It should be tagged on port 1.
Also, your computer is probably expecting untagged traffic on the ethernet connection, so you need to set a port on the switch to have VLAN 3 untagged. This will also require setting the default (sometimes called PVID) VLAN on the port to VLAN 3 as well.

OK, so now we are on the switch on VLAN 3 with the wired connection. At least the laptop gets an IP from that range. Same for Wi-Fi

Awesome! It seems we got it.

Next questions :slight_smile: When I connect the IOT devices to VLAN 3, I want to keep them away from what's going on in VLAN 2. How do I separate the two and how can I stop the internet connection for VLAN 3 on-demand?

Great.

Create a new firewall zone for VLAN 3 (you can do that by editing the firewall zone the way you did previously, create a new zone).

Then adjust the firewall rules for that zone (Network > Firewall).
I'd recommend accept output, drop input and forward.
You'll also need two traffic rules to accept DNS (port 53) and DHCP (ports 67-68) to reach the router from the IoT zone, since the "drop" on input will prevent that from working (but it will otherwise protect the router from any IoT devices trying to access any other services).

Is that only for internet access or also to separate the VLAN traffic

Cool, will try that later or tomorrow . Ted Lasso is calling :smiley:

Thanks so much for your help - I have tried and tried for weeks - your help made my day

Glad I could help. Please mark the most useful response as the solution since the primary issue is solved. When you start working with the firewall, open a new thread if you have questions about that part.


I set up all VLANs and they work fine with some limitations :frowning: I can log in via cable and wifi and get the correct IP etc. I also set up a firewall zone for each of them (see screenshot). I also assigned each VLAN to its firewall zone. I thought this link is necessary, although it seems when an interface is linked to its respective zone, internet access works and it stops working, when I do not link the interface to a zone. For IOT, I adjusted them based on what @psherman recommended above.

I still have some problems / issues:

  1. For the IOT vlan/wifi I selected drop, accept, drop and the internet still works. It only stops working when I unlink the interface from the firewall zone. The same is true for guests, but as the only difference is reject vs drop I assume it is caused by the same mistake.

  2. Although I created separate firewall zones, I can still log into the router from all VLANs. My understanding was/is that VLANs are separated from one another. What am I missing?


@thimplicity - would you mind moving this to a new thread since it is firewall specific (rather than the earlier issues of VLAN tagging/trunking and such). Tag me into a new thread and I can answer it there.


Done!

Here is the new one: How to set up firewall rules/zones correctly for VLANs? - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum

Thanks in advance for your help!
