I would really appreciate help on something I haven't been able to figure out by myself with the help of googling for solutions. This is not urgent, I would like to understand the matter better and configure existing hardware rather than buy more components.
the router that is running openwrt latest version is pretty standard: 1 WAN and 4 LAN ports
I have bridged all 5 ports together under network/device; firewall settings are for LAN
there is an ethernet cable from router port WAN to the ISP router in my house, ISP router acts as DHCP server
on LAN port1 1 ethernet cable goes to the only port on a small computer running opnsense. I give LAN1 192.168.4.2/24 def gateway 192.168.4.1
LAN2, 3 & 4 are just LAN
I set 2 VLANs on the bridge
VLAN10: WAN , LAN1:t, LAN2, 3 & 4: u
VLAN100: WAN: u, LAN1:t, LAN2, 3 &4
opnsense:
LAN 192.168.4.1/24 def gateway 192.168.4.1 em0.10
WAN 192.168.2.101/24 (static) def gateway 192.168.2.1 em0.100
on LAN2 I can ping 192.168.4.2 but not 192.168.4.1
on opnsense I can ping 192.168.2.1 but not 192.168.4.2
I am sure I am missing something fundamental, most likely in routing, but I haven't found anything that solves the intersection of routing, vlans, router on a stick and openwrt.
I appreciate the time everyone is taking to read this and even more the ones helping me out with a solution.
Let's take a look at your configuration. And please confirm that the ISP router is the upstream network, and the Opnsense box is downstream of OpenWrt.
No, the route is internet - isp router - openwrt VLAN 100 - opnsense - openwrt VLAN10
I deleted LAN port 4 from the bridge,it uses 192.168.20.1.
I use that port as a failsafe; I can always connect to it.
/etc/config/network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd87:f788:fe7d::/48'
option packet_steering '1'
config device
option name 'wan'
option acceptlocal '1'
config device
option name 'phy0-ap0'
config device
option name 'lan1'
config device
option name 'lan2'
config device
option name 'lan3'
config device
option name 'eth0'
config device
option name 'lan4'
config interface '4lanSave'
option proto 'static'
option device 'lan4'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
option gateway '192.168.20.1'
config device
option type 'bridge'
option name 'LANBr'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'LANBr.10'
list ports 'LANBr.100'
list ports 'wan'
config interface 'PreLAN'
option proto 'static'
option device 'LANBr'
option ipaddr '192.168.4.2'
option netmask '255.255.255.0'
option gateway '192.168.4.1'
config bridge-vlan
option device 'LANBr'
option vlan '10'
list ports 'lan1:t'
list ports 'lan2'
list ports 'LANBr.10:t'
config bridge-vlan
option device 'LANBr'
option vlan '100'
list ports 'lan1:t'
list ports 'lan3'
list ports 'LANBr.10'
list ports 'LANBr.100:t'
list ports 'wan'
config route
option interface 'PreLAN'
option gateway '192.168.4.1'
option target '192.168.4.1/24'
/etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network '4lanSave'
list network 'PreLAN'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
I'm not following... 2 OpenWrt devices? Could you draw a diagram?
This network config file is severely messed up. The best approach will be to reset it to defaults and start over (it will be way too much effort to unravel all the issues).
I'm not really certain if this OpenWrt device is intended as a managed switch or an actual router. So, if you can provide a diagram of how this fits into the network, that will help. Also necessary are:
port by port description of VLAN memberships (i.e. port x is an access port for VLAN A, port y is a trunk with VLANs A, C, D), etc.
A description about what routing occurs on this device (vs the others).
I agree it is messed up. I will reset it.
It looks a look clearer in LUCI
The device is a linksys wrt3200acm. It works with DSA, and I concluded that you can use it as a managed switch with VLANs
It may take me some time to come up with a clear picture. I had hoped my original post would be clear, but from you response I see it is not clear at all.
In the image you see the isp router that is connected to the internet and via another ethernet port to the WAN port of the OpenWRT router
OPNSense is installed on a tiny computer with only 1 ethernet port. An single ethernet cable runs to LAN port 1 on the OpenWRT router.OPNSense has a WAN side (vlan100) and a LAN side (vlan10)
This is what I am trying to achieve:
A computer is connected via an ethernet cable to LAN port 2 on the OpenWRT router. When it needs to connect to the internet it follows this route:
from LAN port 2 to LAN port 1, then to the LAN side of OPNSense (VLAN10), back from OPNSense down to LAN port 1 (VLAN100) on to the WAN port of the OpenWRT router and on to the LAN port of the ISP router.
Generally, I think I understand what you're trying to achieve, and it should be possible. I would argue that this is a bit of a strange arrangement, but it's certainly technically valid.
Also, you didn't describe what should happen with ports lan3 and lan4. I'll just assume all of them are connected to VLAN 10.
That said, is the intent for the OpenWrt router to perform purely as a managed switch (i.e. no routing)? If so...
The process will look like this:
Delete the wan and wan6 interfaces
Add the wan port to br-lan
Create two bridge VLANs:
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:t'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '100'
list ports 'lan1:t'
list ports 'wan:u*'
Then, edit your lan network interface such that it has an address on the network that will be used to administer the OpenWrt device
that can be a static IP or DHCP client
if static IP, it must not conflict with any other devices on the network and must be outside the DHCP for that network as well.
Next, you'll edit the device for the lan interface to be br-lan.10 or br-lan.100 -- that is, if the OpenWrt device is being managed by the lan side of the OPNSense router, you'll use br-lan.10; if it's the ISP router's network, it'll be br-lan.100.
Finally, create an unmanaged network interface for the other VLAN:
config interface 'vlanx'
option proto 'none'
option device 'br-lan.x'
where x is the VLAN that you didn't use for the lan interface.
The list of ping results did not come out in a form that is easily readable.
After an empty line, there are 2 devices (ie OPNSense ISP-lan) and.a result: ping ok
that means I could ping from OPNSense to ISP-lan
The next line there is only 1 device (OpenWrt) and a result: ping ok
that means I could ping from OPNSense to OpenWrt
What port is the pc connected to? What is the ip addrsss of the pc? What is the address it is pinging? And what are the addresses for the pfsense system (wan and lan)?
PC is connected on LAN port of OpenWrt. Has ip address 192.168.4.4/24 def gateway 192.168.4.1
OPNSense LAN 192.168.4.1/24 and WAN 192.168.2.139/24 (via DHCP)
PC pings 192.168.4.2 for OpenWrt
PC pings 192.168.4.1 for OPNSense
PC pings 192.168.2.8 for ISP-lan
