I've been trying to delve into more complex setups with OpenWrt to finally manage my home as it was meant to be. However VLAN setups are still too mysterious for me, and I could use some advice, guidance, or just being told if I'm stupid.
My current network setup is a bit complex. For gateway between WAN and LAN, I'm running OpenWrt in a VM, in Proxmox, on an Odroid H2. The first ethernet is directly PCI passthrough'd to the VM (this is WAN, and done to avoid the Proxmox host directly accessing the internet), while the second port is part of a simple Linux bridge.
This second ethernet is directly hooked up to a Belkin RT3200, also running OpenWrt, currently in a dumb AP setup (all ethernets bridged, including
wan, with both a DHCP and DHCPv6 clients set up, and WLANs added to it). To this device I have two end devices connecting (a PS4 and an Xbox), as well as another RT3200, and a Synology RT2600ac, both in similar dumb AP setups. The RT3200 has two wired clients, as well as the Syno, plus the wireless APs set up.
Ideally I'd like to create four networks in total:
- MAIN - the main network as it is right now.
10.0.0.1/23address range, with DHCP defined on the second 24 segment, and all static devices (routers, NAS, Proxmox box, VMs in Proxmox) are on the first segment with static IPs
- GUEST - this would go under
10.0.2.1/24, without access to any other networks, but with WAN access. Guests would use this.
- IOT - this is
10.0.3.1/24, no internet access, and can only access one host on MAIN, my HoneAssistant instance. Any local-only iot devices would connect to this network.
- VPN - to no surprise, this would be
10.0.4.1/24, and devices on this network should have access to MAIN, but instead of connecting to the internet through WAN, they'd use a WireGuard instance
What I was hoping for that I could make VLAN work in a way that all ports on the RT3200's would act as what I understand
trunk is, while still leaving the end clients directly connected to MAIN only, on any port. If I understand things correctly, this would be a combined tagged/untagged situation, where any packet untagged would be going to MAIN, packets tagged with 1 would go to to GUEST, 2 to IOT, 3 to VPN, and so on, should I add any further VLANs in the future.
I've tried setting this up - on the gateway I created a VLAN with ID 1 on
br-lan, assigned this to a new bridge
br-guest on top of this, created an interface with static IP protocol, set up the DHCP server, allowed DHCP and DNS firewall rules from the new
guest zone, disabled forwarding to LAN. Then did the same on the RT3200, except the
guest interface there is a DHCP client, and there's no firewall. Then created a new wireless AP, assigned it to
br-guest, saved the config, and tried to test it.
guest on the RT3200 gets an IP address (though at first it took quite some time), however clients over WiFi are unable to get addresses - I can see in logs of dnsmasq that DHCPDISCOVER and DHCPOFFER events occur, but no DHCPREQUEST or DHCPACK.
Where am I going wrong with this setup?
The VM is running OpenWrt 2021.2.0-rc4, while the RT3200 APs are running recent Snapshot versions (r17217).