Hi,
I have upgraded my OpenWRT router from a TP-Link Archer C7 to an x86-based PC.
I have two VLANs set up on the Archer to isolate two LAN segments. The Archer has a network switch like many other routers.
Now, the x86 board does not have a network switch built in. It has 5 Ethernet ports.
How do I set up VLANs and segment the LAN?
Since OpenWRT 18.06 is running a decent kernel, my idea was to use bridge VLAN filtering, but when I install the ip-bridge package and try to assign a VLAN ID to an interface, the bridge command fails.
```
# cat /etc/config/network
...
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1 eth2.50 eth2.1 eth3'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
# bridge vlan add vid 1 dev eth2.1 pvid untagged
RTNETLINK answers: Not supported
# bridge vlan add vid 1 dev eth2 pvid untagged
RTNETLINK answers: Not supported
```
UCI handles this natively. Just declare VLANs of the form eth2.50 like you did and they will be added to the network bridges that are natively formed when you declare option type bridge. You can use brctl show to see the results.
When you are using VLANs on a port, don't attach anything to the plain interface (like eth2 with no VLAN number).
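A check for the caveat in the reply above, as an added example that is not part of the thread: it scans a UCI network config for any port that is attached both plain and as a VLAN sub-interface. The function names, the `vlan50` interface name and both sample configs are constructed for illustration.

```shell
# Added example, not from the thread. Function names and sample configs are
# constructed; only 18.06-style "option/list ifname" lines are parsed.
# Reads a UCI network config on stdin and reports each port attached both as a
# plain device (eth2) and as a VLAN sub-interface (eth2.50). Returns 1 if any.
check_vlan_ports() {
    awk -v q="'" '
        $1 == "config" {
            section = ($3 != "") ? $3 : $2
            gsub("[\"" q "]", "", section)
        }
        ($1 == "option" || $1 == "list") && $2 == "ifname" {
            line = $0
            sub(/^[ \t]*(option|list)[ \t]+ifname[ \t]+/, "", line)
            gsub("[\"" q "]", "", line)
            n = split(line, devs, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                d = devs[i]; if (d == "") continue
                if (d ~ /\.[0-9]+$/) {
                    parent = d; sub(/\.[0-9]+$/, "", parent)
                    tagged[parent] = tagged[parent] " " d "(" section ")"
                } else {
                    plain[d] = plain[d] " " section
                }
            }
        }
        END {
            for (p in plain) if (p in tagged) {
                printf "%s: plain in%s; tagged as%s\n", p, plain[p], tagged[p]
                bad = 1
            }
            exit bad + 0
        }
    '
}

# Constructed sample: eth2 is bridged plain in lan while eth2.50 is in vlan50.
sample_conflict() {
    printf '%s\n' "config interface 'lan'" "    option type 'bridge'" \
        "    option ifname 'eth1 eth2'" "config interface 'vlan50'" \
        "    option type 'bridge'" "    option ifname 'eth3 eth2.50'"
}

# Constructed sample matching the port layout described in the thread.
sample_clean() { sample_conflict | sed "s/eth1 eth2'/eth1 eth2.1'/"; }

sample_conflict | check_vlan_ports || echo "conflict found"
```

On the router itself, the same function can be fed the live file: `check_vlan_ports < /etc/config/network`.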
Thanks for the reply.
There's something I do not get. I understand I can segment the network, creating IP networks this way.
But how do I isolate one from another?
For example, 192.168.1.0/24 on br-lan and 192.168.50.0/24 on VLAN 50 bridge.
I specifically create a VLAN50 bridge with one port untagged (eth3) and one tagged (VID 50 on eth2).
I connect to the 192.168.1.0/24 network from a host with IP 192.168.1.100 (via eth1).
But if I set a host route from 192.168.1.100 to 192.168.50.1 using 192.168.1.1 as the gateway, I can ping 192.168.50.1, but this is not what I need.
Should isolation be done at the IP level, via the firewall? But how, and is it proper?
Thanks,
shpokas