I'm trying to get my head wrapped around how VLANs work and how I can use them to isolate my security IP cameras on my network.
I have two questions:
If I have a managed switch where I can create VLANS and tag/untag certain ports, does that information get passed along to the next device as well (assuming the port is "tagged"). I have a NanoPi with only two ethernet ports, eth0 (WAN) and eth1 (LAN). I would like to create two VLANs, one for my cameras (10.10.30.1/24) and one for my main network (10.10.10.1/24). If I create the VLANs on the switch and tag the port that connects to the NanoPis LAN port, will that tag be seen by OpenWRT on the NanoPi assuming I have matching VLAN IDs? Same with other devices that have VLAN capabilities, can they also use the data? Is that what tagging is for?
Second question: What would be the best way to create two LANs that I can create rules on how they can communicate? Can I make two interfaces, one for each subnet, that are both using eth1 and then create firewall rules for each network? Or do I need to virtualize eth1 into eth1.0 and eth1.1?
I'm having a hard time finding information that has helped me get my head around all of this.
Here is my network:
NanoPi R4S(router) -> GS1900-8HP (managed switch) -> clients
Right now everything is on 10.10.10.1/24 and I have a wireguard server with clients using 10.10.20.1/24.
Your router (r4s) makes the policies, via subnet routing between the individual VLANs (different firewall zones!) and firewall traffic rules, your switch (gs1900-8hp) executes them by distributing the VLANs among its ports and filtering away the VLANs your clients aren't supposed to see (on each port).
You have to decide between two (configurable) types of switch ports here:
trunk ports, carrying multiple (up to all-) VLANs in tagged form
the connection between your router- and switch
further managed switches, daisy-chained to your first switch
selected (trusted and carefully configured) servers, which are supposed to have access to multiple VLANs
access ports, only providing access to a single VLAN in untagged form
your PCs, they only get to see the LAN subnet (VLAN) in untagged form, plug in and play
your cameras, likewise they also only get to see their own camera subnet (VLAN) in untagged form
Your switch gets the responsibility to decide which incoming (e.g. on a trunk port on its LAN1) VLANs from your router are connected to which of its remaining (access-) ports, e.g. LAN1 (trunk), LAN2-5 (access port for the untagged LAN network), LAN6-8 (access port for the untagged camera network).
You never want to expose 'stupid' or 'untrusted' devices to a trunk port carrying multiple tagged VLANs (from which they could choose at their own courtesy), they typically only get to see their own VLAN in untagged form from an access port of your switch. That's the primary task of your managed switch, filtering VLANs and distributing them among its ports, so your clients only get to see what they're allowed to access.
More complex scenarios can be configured as necessary.
This is a fantastic and informative reply, written very clearly, thanks!
I'm in a similar position to the OP, I'm new to OpenWrt and just got set up on a NanoPi R4S. Next step will be attempting to set up 2 VLANs (main & IoT) to segregate the network.
I've had a few reads about DSA and the differences between trunk & access ports. Your reply certainly helps to clarify things.
I'm still not quite clear on how to set up the VLANs on OpenWrt, it will have to be via the command line unfortunately as Luci doesn't have any GUI options for setting it up on the R4S. More reading required...
Please keep this thread updated OP with any successful attempts!
DSA only applies to devices with onboard switches running OpenWrt (and targets not using the legacy way with swconfig), your r4s does not fall into this category (no onboard switch at all, just two standalone full featured onboard ethernet 'cards'). There (and on other devices falling into this category, e.g. RPi, x86_64, etc.) you use eth0.1, eth0.7, eth0.42 or eth1.56 to indicate the network interface and the (tagged-) VLAN ID; respectively eth0/ eth1 for untagged traffic.
If your managed switch was running OpenWrt (the realtek target, e.g. rtl838x), DSA might play a role there.
I've made a lot of progress because of your replies, I really appreciate it!
I created a new device, br-vlan, with VLAN filtering enabled, created VLAN1 and VLAN30 with eth1 being tagged for both 1 and 30 and left the "local" box checked for both.
I then tied my main LAN interface to br-vlan1. This locked me out so I knew it was working but I needed to change my switch settings to account my new VLAN settings. This is now where I am stuck. My switch has two "port" settings, "port" and "VLAN port" I took a screenshot below.
"Port" tab:
Port 1 is connected to the NanoPi, port 2 and 3 are my APs and port 4 is my security camera. I'm trying to keep everything on VLAN1 and the camera on VLAN30, and give access from VLAN1 to VLAN30 but not VLAN30 -> VLAN1.
I tried using the "VLAN port" tab first by tagging port 1 on VLAN1, untagging 2 and 3, and excluding 4. On VLAN30, I tagged port 1, excluding 2 and 3 and untagged 4. This did not work.
I then put everything back to untagged for both VLANs under "VLAN port" and then went to the "port" tab, selected port 1, and clicked edit. I enabled Ingress filtering, enabled VLAN Trunk and changed to tag only. This finally worked and gave me access to my router after confirming the new VLAN settings on my NanoPi but now I'm stuck on getting VLAN30 to work. I have created a new interface with br-vlan.30 and made firewall rules for the two, but no matter what I do I cannot access the camera unless I untag port 4 on VLAN30. If I exclude it, and untag port 4 on VLAN30, I thought it would then follow the firewall rules for br-vlan.30.
I'm mainly confused about the two different port tabs, I've only had experience the options under "VLAN port" tab and I'm not sure what the "Port" tab is for or why it worked.
The Zyxel documentation hasn't helped me understand it better either.
Just to see what would happen, I changed the switch settings back to default and everything still worked. I then started over with the VLAN settings on the NanoPi and it's doing the same thing. It locks me out when I tag eth1 on VLAN1 and 30. I've tried everything on the switch like I listed above and I couldn't get it to connect before Luci reverts back. So I have no idea what is going on now. I was told VLAN ID 1 should not be used to I wanted to use ID 10 and 30 instead of 1 and 30.
When you're using eth1 as a trunk port with tagged VLANs on it, tag every VLAN that is to be on the port. In other words make sure you don't have eth1 without a VLAN number anywhere in your config.
You should be connected through eth0 (or serial or wifi if available) while doing this so you don't get locked out.
It is OK to use 1 as a VLAN here you just have to watch out with some switches it is hard to de-configure 1 being the default for all ports, so it may not be secure as a trusted network.
This is how I have it set up.
vlan1 - 10.10.10.1/16
vlan30 -10.10.30.1/16
My PC IP = 10.10.10.49
camera = 10.10.30.2
My PC is connected to port 3 of the switch, camera is port 4. Router is connect on port 1.
Switch PVID config: (leaving Ingress check and VLAN trunk disabled on port 1 still allows me to access the router so I'm not sure what those settings are for).
According to Zyxel documentation:
With this setup, I can still connect to the router and switch no problem, so it seems br-vlan.1 is working but I'm not able to communicate with br-lan.30. I was under the impression that I should be able to since I have configured the firewall to allow it while also stopping the camera from accessing vlan1 or the internet.
Your subnets are invalid because they overlap. Why are you using /16 networks? Generally, using a /24 is sufficient in terms of a network size, but you could use larger if necessary. However, the /16 you've got defined means that this won't work.
If you want a proper review of your config, please show us the complete config in text form...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
psherman is spot on, your config could be as simple as the following (I haven't checked the details (read, only /etc/config/network), and I really don't like upper case interfaces (camlan), so I 'needlessly' converted that to lower case <-- would need changing everywhere else as well (firewall/ dhcp):
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd13:28af:8def::/48'
config interface 'lan'
option proto 'static'
option ipaddr '10.10.10.1'
option delegate '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option device 'eth1.1'
option netmask '255.255.255.0'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'camlan'
option proto 'static'
option device 'eth1.30'
option ipaddr '10.10.30.1'
option netmask '255.255.255.0'
Your r4s (just as RPi4 or x86_64) doesn't have an onboard switch, that makes the router config easier.
So how would I do that in luci? Create a VLAN device under the device menu, and then tie that to the correct interface? This is the output after doing so. I also do not like uppercase, I was just copying a video and thought it was the right way lol. I have changed that as well.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd13:28af:8def::/48'
config device
option name 'eth1'
config interface 'lan'
option proto 'static'
option ipaddr '10.10.10.1'
option delegate '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option netmask '255.255.255.0'
option device 'eth1.1'
config device
option name 'eth0'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config device
option type '8021q'
option ifname 'eth1'
option vid '1'
option name 'eth1.1'
config device
option type '8021q'
option ifname 'eth1'
option vid '30'
option name 'eth1.30'
option ipv6 '0'
config interface 'camlan'
option proto 'static'
option device 'eth1.30'
option ipaddr '10.10.30.1'
option netmask '255.255.255.0'
I'm still not able to access the camera unless I untag port 4 on VLAN1 and exclude port 4 on VLAN30 on my switch and delete the camlan interface on the NanoPi.
I think I will keep it disabled since all of my IP cameras will have a static IP, unless you can think of a reason to have it enabled anyways?
I don't know why I'm not able to access the camlan from lan via http, I might have to post on Zyxel support forum to see if my switch configuration is wrong.
It's not a requirement as long as your devices have static IPs. However, it could be useful in some situations (or, in some cases, it might be less desirable).
Have you tried using a regular computer (or something like a RPi) on the camlan to see if you can get a connection between the two networks? I'd recommend something that you can test more easily and that would nominally work across subnets. Specifically, some systems do not accept connections from other subnets -- windows by default is like this, so you actually have to adjust the windows firewall to allow inter-VLAN connections. Your camera system may have a similar firewall feature enabled.
Since you're not using DHCP, you'll want to set a computer with a static IP in the correct subnet, and then test the ability for the connection to happen between the LAN and the camlan.
That said, it is also a good idea to verify that all of the information on the cameras/camera system is correct -- it needs to have an IP, subnet mask, and gateway (and nominally DNS, but that is less critical if you are not using the internet on that network). If any of these are missing or incorrect, the camera may not be able to respond.
Your Zyxel switch configuration will not impact routing, but if the device isn't properly configured, your cameras may actually not be properly connected to the expected network.
I'd start with a test with a regular computer (as I described above). In fact, enabling a DHCP server on that subnet and allowing internet connectivity (camlan > wan forwarding) will help you verify if the network is operating properly... if you get an IP via DHCP, you know you've got your switch configured properly. If you can get to the internet, the router is also configured appropriately. Then it is just your cameras that need verification (settings, local firewall rules, etc.).
You can turn off the DHCP server and remove the camlan > wan forwarding after you've verified everything is functioning.
