VLANs with multiple subnets

Your subnets are invalid because they overlap. Why are you using /16 networks? Generally, using a /24 is sufficient in terms of a network size, but you could use larger if necessary. However, the /16 you've got defined means that this won't work.

If you want a proper review of your config, please show us the complete config in text form...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for the reply.
I actually had them at /24 but changed them when I was fiddling with it and forgot to change it back.

Here you go (this device has no wireless, router only with two ports)

root@router:~# cat /etc/config/network

# First posted /etc/config/network: a bridge 'br-vlan' with bridge-vlan filtering
# on top of the single LAN port eth1. The replies below note that this device has
# no switch/DSA, so the bridge and bridge-vlan stanzas are not needed -- plain
# eth1.1 / eth1.30 802.1q sub-interfaces give the same result.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix (fd00::/8 space, not internet-routable) used for local addressing.
config globals 'globals'
        option ula_prefix 'fd13:28af:8def::/48'

config device
        option name 'eth1'

# Trusted LAN: 10.10.10.0/24 on VLAN 1.
# 'delegate 0' keeps IPv6 prefix delegation off this interface. The 'list dns'
# entries are the upstream resolvers the router (and dnsmasq, via resolv.conf.auto)
# forwards to -- plain UDP/53 here; the poster mentions moving to DoT later on.
config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option device 'br-vlan.1'
        option netmask '255.255.255.0'

config device
        option name 'eth0'

# Upstream/WAN side, addressed by the ISP via DHCP.
config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

# Bridge containing only eth1; 'ipv6 0' disables IPv6 on the bridge device itself.
config device
        option type 'bridge'
        option name 'br-vlan'
        list ports 'eth1'
        option ipv6 '0'

# VLAN 1 carried *tagged* ('eth1:t') on the trunk. Note: VLAN 1 is the default /
# native (untagged PVID) VLAN on most managed switches, so the switch-side trunk
# port must also tag VLAN 1 for this to match -- see the later "untag port 4 on
# VLAN1" comments. Using a VLAN other than 1 for the trusted LAN avoids that trap.
config bridge-vlan
        option device 'br-vlan'
        list ports 'eth1:t'
        option vlan '1'

# Camera VLAN 30, also tagged on the trunk.
config bridge-vlan
        option device 'br-vlan'
        option vlan '30'
        list ports 'eth1:t'

# Camera network: 10.10.30.0/24, router is .1. Isolation from the LAN is enforced
# by the firewall zones (see /etc/config/firewall), not by anything in this file.
config interface 'CAMLAN'
        option proto 'static'
        option device 'br-vlan.30'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'

root@router:~# cat /etc/config/dhcp

# First posted /etc/config/dhcp.
# dnsmasq hardening worth keeping: 'rebind_protection' discards upstream answers
# that point at private/loopback ranges (DNS-rebinding defence; 'rebind_localhost'
# exempts 127.0.0.0/8 answers, e.g. for DNS-based blocklists), 'localservice' only
# answers queries from directly attached subnets, 'domainneeded' stops bare
# hostnames leaking upstream and 'local /lan/' keeps the internal zone from ever
# being forwarded. Note that only the 'lan' suffix is covered; the camera VLAN gets
# no local DNS zone, which is fine for statically addressed cameras.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

# DHCPv4 pool for lan: .100 - .249 (start 100, 150 addresses), 12 h leases.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

# Never serve DHCP towards the ISP side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# dnsmasq, not odhcpd, is the DHCPv4 server ('maindhcp 0').
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases. 'option mac' is absent from all four stanzas -- presumably
# redacted for the post, as requested at the top of the thread. 'dns 1' already
# publishes forward/reverse records for the name, so the separate 'config domain'
# stanzas for the same names appear redundant (harmless either way).
config host
        option name 'desktop'
        option dns '1'
        option ip '10.10.10.49'
        option leasetime '0'

config domain
        option name 'desktop'
        option ip '10.10.10.49'

config domain
        option name 'pve'
        option ip '10.10.10.5'

config domain
        option name 'AP1'
        option ip '10.10.10.3'

config domain
        option name 'AP2'
        option ip '10.10.10.4'

config host
        option name 'AP1'
        option dns '1'
        option ip '10.10.10.3'
        option leasetime '0'

config host
        option name 'AP2'
        option dns '1'
        option ip '10.10.10.4'
        option leasetime '0'

config host
        option name 'switch1'
        option dns '1'
        option ip '10.10.10.2'
        option leasetime '0'

config domain
        option name 'switch1'
        option ip '10.10.10.2'

# No DHCP on the camera VLAN ('ignore 1'): cameras use static addresses. A device
# plugged into a camera port gets nothing handed to it, but it can still pick an
# address itself -- this is not a substitute for the firewall zone policy.
config dhcp 'CAMLAN'
        option interface 'CAMLAN'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'
        list ra_flags 'none'


root@router:~# cat /etc/config/firewall

# First posted /etc/config/firewall. Zone summary: lan (trusted, unrestricted),
# wan (nothing inbound except the listed exceptions, NAT outbound), CAMLAN
# (cameras). Forwardings: lan -> wan and lan -> CAMLAN only. Nothing forwards
# *from* CAMLAN, so cameras cannot initiate towards the LAN or the internet; only
# replies to LAN-initiated connections flow back (connection tracking).
# These defaults only apply to traffic not covered by a zone below (e.g. an
# interface that is in no zone); all three zones set their own policies.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted LAN: full access to the router and to anything it forwards to.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Untrusted side: no inbound to the router ('input REJECT'), no forwarding in,
# source NAT ('masq') and TCP MSS clamping ('mtu_fix') for traffic going out.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt exceptions on wan: DHCP client replies, ICMP echo, IGMP, DHCPv6,
# MLD and the rate-limited ICMPv6 types IPv6 needs in order to work at all.
# Answering pings from the internet ('Allow-Ping') is optional; disable it if you
# would rather not confirm the host is up to scanners.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that allow IPsec ESP and IKE (UDP/500) to be *forwarded* wan -> lan.
# They only take effect together with a DNAT to an IPsec endpoint in lan; if you
# run no IPsec there is no reason to keep them enabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Disabled: would answer traceroute probes with ICMP port-unreachable.
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# Legacy fw3 hook. If this router runs fw4 (OpenWrt 22.03+), a plain
# '/etc/firewall.user' include is skipped with a warning unless declared as
# 'option type script' with 'option fw4_compatible 1' -- check logread / 'fw4 check'
# if anything in that file is being relied on.
config include
        option path '/etc/firewall.user'

# The only inbound opening from the internet: UDP/51820 DNAT'ed to the WireGuard
# host 10.10.10.6 in lan. WireGuard does not answer unauthenticated packets, so
# the port does not show up to scanners. Note the host sits in the 'lan' zone
# (forward ACCEPT, lan -> CAMLAN), so any remote peer it admits is in a position to
# reach the whole LAN *and* the cameras -- a later post confirms a camera was
# reached over this tunnel. Keep that peer list tight.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.6'
        option dest_port '51820'

# Camera zone. 'input ACCEPT' lets the cameras talk to the router itself (SSH,
# LuCI, DNS), which an untrusted IoT segment should not be able to do.
# Recommended: 'option input REJECT' plus explicit 'config rule' entries for only
# what they need (UDP 67 if DHCP is enabled later, port 53 if they resolve names),
# and keep 'forward REJECT'. No CAMLAN -> wan forwarding exists, so the cameras
# cannot reach the internet; keep it that way unless a camera truly needs it.
config zone
        option name 'CAMLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'CAMLAN'

# One-way: LAN hosts may open connections into CAMLAN; the reverse is not allowed.
config forwarding
        option src 'lan'
        option dest 'CAMLAN'

Let me know if I should add anything else.

As @slh said earlier, your device does not use DSA so you should be using simple eth0.x or eth1.y notation.

And if you're not using Wifi on the device, you don't need any of these networks to be bridges.

So for example, all of the config device and config bridge-vlan stanzas should be removed.

Your lan will have option device eth1.1 and your camlan should simply be option device eth1.30


psherman is spot on; your config could be as simple as the following. (I have only looked at /etc/config/network, not the other files, and I really don't like upper-case interface names (CAMLAN), so I 'needlessly' converted it to lower case — that rename would need to be applied everywhere else as well, i.e. in the firewall and dhcp configs.)

# Suggested minimal /etc/config/network for a device without a switch: the
# 802.1q sub-interfaces eth1.1 / eth1.30 are created by netifd from the dotted
# device name, so no 'config device' or bridge stanzas are required.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:28af:8def::/48'

# Trusted LAN, 10.10.10.0/24, tagged VLAN 1 on eth1.
# (VLAN 1 is usually the switch's native/untagged VLAN; make sure the trunk port
# on the switch tags it, or pick a different VLAN id for the LAN.)
config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option device 'eth1.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

# Camera VLAN 30, 10.10.30.0/24. Lower-case name; the firewall zone and dhcp
# stanzas must use the same spelling.
config interface 'camlan'
        option proto 'static'
        option device 'eth1.30'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'

Your R4S (just like an RPi4 or an x86_64 box) doesn't have an onboard switch; that makes the router config easier.


So how would I do that in luci? Create a VLAN device under the device menu, and then tie that to the correct interface? This is the output after doing so. I also do not like uppercase, I was just copying a video and thought it was the right way lol. I have changed that as well.

# /etc/config/network as produced through LuCI: explicit '8021q' device stanzas
# for eth1.1 and eth1.30. The next reply says these device stanzas can go
# (netifd derives the VLAN from the dotted name); the poster's final config below
# indeed drops them.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:28af:8def::/48'

config device
        option name 'eth1'

config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option netmask '255.255.255.0'
        option device 'eth1.1'

config device
        option name 'eth0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

# Explicit VLAN devices (not needed on this hardware, see above).
config device
        option type '8021q'
        option ifname 'eth1'
        option vid '1'
        option name 'eth1.1'

# 'ipv6 0' switches IPv6 off on the camera VLAN device -- sensible for cameras
# that only need IPv4, as it removes one address family the firewall must cover.
config device
        option type '8021q'
        option ifname 'eth1'
        option vid '30'
        option name 'eth1.30'
        option ipv6 '0'

config interface 'camlan'
        option proto 'static'
        option device 'eth1.30'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'

I'm still not able to access the camera unless I untag port 4 on VLAN1 and exclude port 4 on VLAN30 on my switch and delete the camlan interface on the NanoPi.

remove these ... you don't need them.

Did you update your firewall file with the correct case for camlan?

Post your latest config files.


Ohhh, I didn't realize you could just enter in your own device at the bottom of the drop down in the "-- custom --" field.

I could just edit the config but I wanted to know how that interacts with luci as well.
Here are my updated configs:

# Final /etc/config/network: plain eth1.1 (lan) and eth1.30 (camlan) sub-interfaces
# on the single LAN port, no bridge and no explicit VLAN device stanzas.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:28af:8def::/48'

config device
        option name 'eth1'

# Trusted LAN, 10.10.10.0/24 on tagged VLAN 1. 'delegate 0' keeps IPv6 prefix
# delegation off this interface; 'list dns' are the upstream resolvers.
config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option netmask '255.255.255.0'
        option device 'eth1.1'

config device
        option name 'eth0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

# Camera VLAN 30, 10.10.30.0/24. The earlier 'ipv6 0' on the eth1.30 device was
# dropped together with the device stanza, so this interface is IPv6-capable again;
# re-add it (as 'option ipv6 0' on a 'config device' for eth1.30) if the cameras
# should stay IPv4-only. Isolation is enforced by the firewall zones.
config interface 'camlan'
        option proto 'static'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'
        option device 'eth1.30'

root@router:~# cat /etc/config/dhcp

# Final /etc/config/dhcp. Unchanged dnsmasq hardening: 'rebind_protection' drops
# upstream answers pointing at private ranges (DNS-rebinding defence),
# 'localservice' answers only directly attached subnets, 'domainneeded' and
# 'local /lan/' keep internal names from being forwarded upstream.
# There is no 'config dhcp' stanza for camlan at all in this version (the old
# 'CAMLAN' one went away with the rename), so no DHCP is offered on the camera VLAN.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

# DHCPv4 pool for lan: .100 - .249, 12 h leases.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# NOTE: the MAC below was not redacted, unlike in the first paste and contrary to
# the request at the top of the thread. A MAC's vendor prefix (OUI) tells a reader
# what hardware you run; treat MACs like the other identifiers and strip them
# before posting.
config host
        option name 'desktop'
        option dns '1'
        option mac '70:85:C2:BE:B9:65'
        option ip '10.10.10.49'
        option leasetime '0'

# 'dns 1' on the host stanzas already creates forward/reverse records, so these
# 'config domain' entries for the same names appear redundant (harmless).
config domain
        option name 'desktop'
        option ip '10.10.10.49'

config domain
        option name 'pve'
        option ip '10.10.10.5'

config domain
        option name 'AP1'
        option ip '10.10.10.3'

config domain
        option name 'AP2'
        option ip '10.10.10.4'

# Remaining static leases still have their 'option mac' redacted.
config host
        option name 'AP1'
        option dns '1'
        option ip '10.10.10.3'
        option leasetime '0'

config host
        option name 'AP2'
        option dns '1'
        option ip '10.10.10.4'
        option leasetime '0'

config host
        option name 'switch1'
        option dns '1'
        option ip '10.10.10.2'
        option leasetime '0'

config domain
        option name 'switch1'
        option ip '10.10.10.2'

root@router:~# cat /etc/config/firewall

# Final /etc/config/firewall. Zones: lan (trusted, unrestricted), wan (nothing
# inbound except the listed exceptions, NAT outbound), camlan (cameras).
# Forwardings: lan -> wan and lan -> camlan only; nothing forwards *from* camlan,
# so cameras cannot initiate towards the LAN or the internet -- only replies to
# LAN-initiated connections flow back via connection tracking.
# These defaults only apply to traffic not covered by a zone (e.g. an interface
# that is in no zone); every zone below sets its own policies.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted LAN: full access to the router and to whatever it forwards to.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Untrusted side: no inbound to the router, no forwarding in, source NAT and
# TCP MSS clamping on the way out.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt exceptions on wan: DHCP client replies, ICMP echo, IGMP, DHCPv6,
# MLD and the rate-limited ICMPv6 types IPv6 needs to function. 'Allow-Ping'
# is optional; disable it if you would rather not confirm to scanners that the
# host is up.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules allowing IPsec ESP and IKE (UDP/500) to be *forwarded* wan -> lan.
# They only matter together with a DNAT to an IPsec endpoint in lan; with no
# IPsec in use they can simply be disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Disabled: would answer traceroute probes with ICMP port-unreachable.
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Legacy fw3 hook. If this router runs fw4 (OpenWrt 22.03+), a plain
# '/etc/firewall.user' include is skipped with a warning unless declared as
# 'option type script' with 'option fw4_compatible 1' -- check logread / 'fw4 check'
# before relying on anything in that file.
config include
        option path '/etc/firewall.user'

# The only opening from the internet: UDP/51820 DNAT'ed to the WireGuard host
# 10.10.10.6 in lan. WireGuard stays silent to unauthenticated packets, so the
# port is invisible to scanners. Because the host lives in the 'lan' zone
# (forward ACCEPT, lan -> camlan), any remote peer it admits is in a position to
# reach the whole LAN *and* the cameras -- the later post confirms a camera was
# reached over this tunnel. Keep the peer list tight and rotate keys if a client
# device is lost.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.6'
        option dest_port '51820'

# Camera zone. 'input ACCEPT' lets the cameras talk to the router itself (SSH,
# LuCI, DNS), which an untrusted IoT segment should not be able to do.
# Recommended: 'option input REJECT' plus explicit 'config rule' entries for only
# what they need (UDP 67 if the camlan DHCP pool suggested below is enabled, port
# 53 if they resolve names), and keep 'forward REJECT'. There is deliberately no
# camlan -> wan forwarding, so the cameras cannot reach the internet; keep it that
# way unless a camera genuinely needs it.
config zone
        option name 'camlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'camlan'
        option forward 'REJECT'

# One-way: LAN hosts may open connections into camlan; the reverse is not allowed.
config forwarding
        option src 'lan'
        option dest 'camlan'

This generally looks fine now. One hardening point worth considering: your camlan zone has `input ACCEPT`, so the cameras can reach the router's own services (SSH, LuCI, DNS). For an untrusted camera/IoT VLAN you would normally set `option input 'REJECT'` on that zone and add explicit rules for only what the cameras need (e.g. UDP 67 for DHCP, port 53 for DNS). Separately, you don't have a DHCP server configured for your camlan. Do you want one set up? If so, add this:

# Suggested DHCPv4 pool for the camera VLAN (.100 - .249, 12 h leases). Optional:
# the cameras are statically addressed, so a pool is mainly handy for plugging in
# a test laptop, as suggested further down. If the camlan zone is ever tightened
# to 'input REJECT', add a firewall rule allowing UDP 67 from camlan, otherwise
# this server stops being reachable.
config dhcp 'camlan'
        option interface 'camlan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

I think I will keep it disabled since all of my IP cameras will have a static IP, unless you can think of a reason to have it enabled anyways?

I don't know why I'm not able to access the camlan from lan via http, I might have to post on Zyxel support forum to see if my switch configuration is wrong.

I appreciate your help!

It's not a requirement as long as your devices have static IPs. However, it could be useful in some situations (or, in some cases, it might be less desirable).

Have you tried using a regular computer (or something like a RPi) on the camlan to see if you can get a connection between the two networks? I'd recommend something that you can test more easily and that would nominally work across subnets. Specifically, some systems do not accept connections from other subnets -- Windows by default is like this, so you actually have to adjust the Windows firewall to allow inter-VLAN connections. Your camera system may have a similar firewall feature enabled.

Since you're not using DHCP, you'll want to set a computer with a static IP in the correct subnet, and then test the ability for the connection to happen between the LAN and the camlan.

That said, it is also a good idea to verify that all of the information on the cameras/camera system is correct -- it needs to have an IP, subnet mask, and gateway (and nominally DNS, but that is less critical if you are not using the internet on that network). If any of these are missing or incorrect, the camera may not be able to respond.

Your Zyxel switch configuration will not impact routing, but if the device isn't properly configured, your cameras may actually not be properly connected to the expected network.

I'd start with a test with a regular computer (as I described above). In fact, enabling a DHCP server on that subnet and allowing internet connectivity (camlan > wan forwarding) will help you verify if the network is operating properly... if you get an IP via DHCP, you know you've got your switch configured properly. If you can get to the internet, the router is also configured appropriately. Then it is just your cameras that need verification (settings, local firewall rules, etc.).

You can turn off the DHCP server and remove the camlan > wan forwarding after you've verified everything is functioning. Keeping the cameras off the internet is usually the main reason for giving them their own VLAN, so don't leave that forwarding in place by accident.

That is a great idea! I will try that and report back.

Today I accessed my LAN from my work via wireguard I have running in the LAN network. I wasn't able to ping my camera so I went into my router and re-added the firewall rules I had deleted (lan -> camlan) and was instantly able to ping it. I then tried the camera address and I am able to see it now, and if I remove the firewall rule, I then am not able to reach it. So it seems like it is working now. Weird.

I still haven't had time to test DHCP on the camlan network but I thought I'd update you. The only thing I changed was enabled DHCP on camlan and also set up DNS over DoT.

EDIT: I figured it out! I never changed my desktop back to /24 from /16! As soon as I corrected the mask on my PC I was able to access the network. It also seems that the Ports and VLAN Ports tabs on my switch both need to match. I don't understand that part yet, but I'm glad I was able to get it to work. I then connected my laptop to port 5, set it to VLAN 30 untagged, and my laptop pulled 10.10.30.x, so DHCP works as well!

Is it necessary today to hide the MAC and IP address?

Any external or public-facing IP and MAC addresses. A public IP ties the post to a specific ISP customer and a reachable host, and a MAC's vendor prefix (OUI) reveals what hardware you run, which makes it easier for someone to pick a matching exploit.

If there is a firewall that drops the entries I don't see why.

In a perfect world that would be the case, but plenty of people don't have secure networks for many different reasons, so redacting your public information is better than relying only on your network security. It's a good practice to follow.

For a few seconds of work you can easily give yourself another barrier of protection by not making the information public. It's like saying it's okay to doxx yourself because you know your home security will deter an intruder: if you don't doxx yourself in the first place, you won't have to worry about it.

But the public IP is already PUBLIC. The MAC I don't know... Hiding it gives you a false sense of security.

Your home address is mostly public information, but you still shouldn't post it openly when that's easily avoided. Like a bike lock: yes, they are easy to cut through, but it adds another layer of security because it takes longer to steal the bike than if there were no lock at all.

Big thank you to yourself, psherman and slh! Using your posted configs as a guide I've got my VLANs up & running, wasn't too troublesome!

Have you managed/attempted to get any mDNS reflector working, as that's probably the next hurdle to attempt?

Same here. Thanks to everyone on this thread. This thread was the key piece I needed to implement VLANs on my network with my OpenWRT device.