What is the difference between br-lan and interface alias "lan"?

Hi!
Tell me, who knows? If possible, in clear words.
I created a second lan2 network and I don’t know how to put br-lan or interface alias “lan” correctly, what’s the difference between them?

1 Like

Is lan2 an alias to lan?
You can add more IPs directly to an interface, you don't need to create secondary interfaces.

1 Like

What specifically are you trying to achieve? If the lan2 network is supposed to be an independent network (maybe an untrusted network for guest or IoT devices, as an example), the details depend on the specific type of device you're using (DSA or swconfig).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
1 Like

I’m interested in what is the difference between the standard br-lan interface and the interface alias “lan”.
Both options work and I would like to understand what is the difference between them.

Your option is not suitable, since there is only one broadcast IPv4 address in the interface.

Use alias:

It is a reference (i.e. alias) to the already created interface.

It will allow you to do what you desire.

The broadcast address is calculated from the netmask.

3 Likes

Using an alias, AFAIK, is nearly the same as adding an additional network address on the same interface, but instead it is typically used when you need to be able to set up some of the network parameters differently than the main interface. For example, this might be the case if you need to have two different netmasks (let's say one was a /24 network, and the other was a /30), or when the protocol needs to be different (aliases are sometimes used on the wan port to have PPPoE as the main and then aliased for a static IP so that there is a route to the external DSL modem's admin interface).

Keep in mind, though, that this will not be the same as VLANs (and that's why I wanted to know what you want to achieve -- if it is VLANs that you're looking for, you need a different approach).

4 Likes

I want to achieve that 2 lan networks communicate less with each other in order to somehow isolate them from each other. For example, there are 2 computers and one has NetBIOS packets sent to the broadcast on port 138, and I would like to somehow isolate 2 computers from each other.

Different vlans, different wifi. IP alias or multiple IPs on the same interface won't help with isolation.

4 Likes

That is specifically why I was asking... the alias method is not what you want at all.

As @trendy said... you want different VLANs/subnets and unique wifi SSIDs. If the devices in question are all wifi based, you could enable wifi client isolation (possibly instead of VLANs), but keep in mind that this means all wireless devices will be unable to connect to each other (it's a blunt tool -- either all or none).

3 Likes

'lan' is a normal ethernet interface. 'br-lan' is a 'network bridge' able to combine/join/merge several interfaces (e.g. lan+wifi adapter) into one virtual interface (or virtual network switch) so you can have e.g. client 192.168.1.1 on ethernet and 192.168.1.2 on WiFi. Technically, they can see and talk to each other on layer2.

1 Like

In any case, the enemy device will have a different ip address, it's still better than nothing :slight_smile:

All devices must have different ip addresses. What you want, for isolation, is:

  • different subnets
  • firewall rule based isolation

This cannot be achieved with an alias based approach.

4 Likes
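An added example (not code from any poster in this thread): a Python check over a constructed /etc/config/network sample that resolves alias references and reports logical interfaces that end up on the same layer-2 device, which is the case the posts above say gives no isolation. The `option device '@lan'` alias form, the trimmed sample options and all function names are assumptions made for this sketch.

```python
import shlex
from collections import defaultdict

# Constructed sample (not from the thread), trimmed to the relevant options.
SAMPLE = """
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'

config interface 'lan2'
    option device '@lan'
    option proto 'static'
    option ipaddr '192.168.2.1'

config interface 'guest'
    option device 'br-guest'
    option proto 'static'
    option ipaddr '192.168.3.1'
"""

def parse_interfaces(text):
    """Return {interface_name: {option: value}} for 'config interface' sections."""
    interfaces, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            is_iface = len(tok) == 3 and tok[1] == "interface"
            current = interfaces.setdefault(tok[2], {}) if is_iface else None
        elif tok[0] == "option" and current is not None and len(tok) >= 3:
            current[tok[1]] = tok[2]
    return interfaces

def l2_device(interfaces, name, seen=()):
    """Follow '@parent' alias references down to the real device name."""
    dev = interfaces[name].get("device") or interfaces[name].get("ifname", "")
    if dev.startswith("@") and dev[1:] in interfaces and dev[1:] not in seen:
        return l2_device(interfaces, dev[1:], seen + (name,))
    return dev

def shared_segments(text):
    """Map each device to the interfaces on it; keep only shared ones."""
    interfaces = parse_interfaces(text)
    groups = defaultdict(list)
    for name in interfaces:
        groups[l2_device(interfaces, name)].append(name)
    return {dev: sorted(names) for dev, names in groups.items() if len(names) > 1}
```

An empty result only means no two logical interfaces share a device; separate firewall zones are still needed before the subnets are actually isolated.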

Yikes. This is the kind of logic that lands people in hot water. Nothing about this statement passes an acceptable level of "isolation".

Let this post stand as an example of how NOT to achieve the goal. :see_no_evil:

5 Likes

lan is a logical name used by OpenWrt tools so you can write more independent code. You can query for lan state without taking care of underlying hardware.

Example:

  • ubus call network.interface.lan status
  • ifdown lan
  • Firewall rule with option dest 'lan'