OpenWrt Forum Archive

Topic: How do I set up vlans on individual ports 1900 AC v1

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

So I am following a guide and switching the LAN and WAN as needed. I can't link it, but it's on the OpenWrt forums.

Here's the config I am using in /etc/config/network

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

#wan port
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '100'
    option ports '4 5t'

#port 1
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '3 6t'

#port 2
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '3'
    option ports '2 6t'

#port 3
config switch_vlan
    option device 'switch0'
    option vlan '4'
    option vid '4'
    option ports '1 6t'

#port 4
config switch_vlan
    option device 'switch0'
    option vlan '5'
    option vid '5'
    option ports '0 6t'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:5b45:214d::/48'

#NEW LAN config
config interface 'lan'
    option ifname 'eth0'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

#Another local network on switch port 2
config interface 'someothernetwork'
        option proto 'static'
        option ifname 'eth1.3'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

#new WAN
config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

#Wireless
config interface 'wi'
        option type 'bridge'
        option _orig_ifname 'wlan0 wlan1'
        option _orig_bridge 'true'
        option proto 'static'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.0'

However, after this there is no connection: I cannot SSH into the router, nor can I access the LuCI interface. Internet does not work either. I reset the router with a paper clip using the reset on the back, and then restored the config I had backed up before trying this.

I want to make it so that all the ports are their own separate vlans. [meaning devices on port 1 can not ping or talk to devices on port 2,3,4 and so on. They all still need to access to the WAN]

Where am I going wrong with the config? And can you explain what is happening and how to avoid this in the future?

Thanks!

(Last edited by acdcman200 on 23 Feb 2017, 21:28)

In that device, switch port 5 is connected to eth0; if you tag it, as in "option ports '4 5t'", then plain eth0 becomes unusable, and you must change your configuration to use eth0.x in place of eth0 in "option ifname 'eth0'".

eduperez wrote:

In that device, switch port 5 is connected to eth0; if you tag in in "option ports '4 5t'", then eth0 becomes unusable, and you must change your configuration to use eth0.x in "option ifname 'eth0'".

So should my config look like this?

And what about option ifname 'eth0' in the lan config? Do I set that to eth1?

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

#wan port
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '100'

#port 1
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '3 6t'

#port 2
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '3'
    option ports '2 6t'

#port 3
config switch_vlan
    option device 'switch0'
    option vlan '4'
    option vid '4'
    option ports '1 6t'

#port 4
config switch_vlan
    option device 'switch0'
    option vlan '5'
    option vid '5'
    option ports '0 6t'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:5b45:214d::/48'

#NEW LAN config
config interface 'lan'
    option ifname 'eth0'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

#Another local network on switch port 2
config interface 'someothernetwork'
        option proto 'static'
        option ifname 'eth1.3'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

#WAN
config interface 'wan'
    option ifname 'eth0.x'
    option proto 'dhcp'

#Wireless
config interface 'wi'
        option type 'bridge'
        option _orig_ifname 'wlan0 wlan1'
        option _orig_bridge 'true'
        option proto 'static'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.0'

Sorry, when I said "eth0.x", "x" should be changed to the VLAN ID. Anyway, in the "#wan port" section you are not configuring any ports now, and that does not make sense. You are also trying to use both eth0 for LAN and eth0.x for WAN, and that does not make sense, too.

Perhaps you should try to explain what are you trying to achieve and why.

eduperez wrote:

Sorry, when I said "eth0.x", "x" should be changed to the VLAN ID. Anyway, in the "#wan port" section you are not configuring any ports now, and that does not make sense. You are also trying to use both eth0 for LAN and eth0.x for WAN, and that does not make sense, too.

Perhaps you should try to explain what are you trying to achieve and why.

I am trying to configure it so that each port is separated from the others. (except for ports 1 and 3) This is to prevent devices on each port from seeing others on different ports. They all still need to have Internet access to the Wan. I would also like wireless devices to be separated from the Lan ports on both the 2.4 and 5 GHZ. This is for better security of my network. Although I would still like to be able to connect from port 1 to devices on port 3.

Could you correct the config for me as I have zero experience with vlan configuration. If you would like payment let me know and we can work something out.

Thanks.

acdcman200 wrote:
eduperez wrote:

Sorry, when I said "eth0.x", "x" should be changed to the VLAN ID. Anyway, in the "#wan port" section you are not configuring any ports now, and that does not make sense. You are also trying to use both eth0 for LAN and eth0.x for WAN, and that does not make sense, too.

Perhaps you should try to explain what are you trying to achieve and why.

I am trying to configure it so that each port is separated from the others. (except for ports 1 and 3) This is to prevent devices on each port from seeing others on different ports. They all still need to have Internet access to the Wan. I would also like wireless devices to be separated from the Lan ports on both the 2.4 and 5 GHZ. This is for better security of my network. Although I would still like to be able to connect from port 1 to devices on port 3.

Could you correct the config for me as I have zero experience with vlan configuration. If you would like payment let me know and we can work something out.

Thanks.

Ok, so all you need are separated LANs, and that has nothing to do with "switching the LAN and WAN"; you do not even have to touch anything related to the WAN, and this is a five minute job that requires no payment. Let's suppose this was your default configuration:

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

# WAN port
config switch_vlan
    option device 'switch0'
    option ports '4 5'

# LAN port
config switch_vlan
    option device 'switch0'
    option ports '0 1 2 3 4 6'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:5b45:214d::/48'

# LAN networg
config interface 'lan'
    option ifname 'eth0'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# WAN network
config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

This should give you internet on the WAN port, and one single LAN on all ports. To create separate LANs, we use VLANs on the LAN side, and create new interfaces eth0.x for each one:

# Purpose: give each of the four LAN ports its own VLAN (1-4), its own eth0.N
# interface and its own /24 subnet, leaving the WAN on eth1.
# This file only creates the networks. What lan1..lan4 may reach (the router
# itself, each other, the WAN) is decided by the zones and forwardings in
# /etc/config/firewall, which this listing does not touch.
# NOTE(review): confirm every new interface name is assigned to a firewall zone
# with the intended input/forward policy before relying on this for isolation.
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

# WAN port
# NOTE(review): unlike the LAN sections below, this section sets no
# 'option vlan' / 'option vid'. Confirm the switch driver accepts it and that it
# does not collide with VLAN 1, which LAN port 1 uses.
config switch_vlan
    option device 'switch0'
    option ports '4 5'

# LAN port 1
# '3 6t' = port 3 untagged (the physical socket), port 6 tagged (trunk side).
# NOTE(review): earlier in this thread switch port 5 is described as the port
# wired to eth0, yet the interfaces below are eth0.N while the tags are carried
# on port 6. Verify the CPU-port-to-ethN mapping on the device (for example with
# `swconfig dev switch0 show`) before applying; if the mapping is the other way
# round, the eth0.N interfaces get no traffic and the router becomes unreachable.
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '3 6t'

# LAN port 2
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '2 6t'

# LAN port 3
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '3'
    option ports '1 6t'

# LAN port 4
config switch_vlan
    option device 'switch0'
    option vlan '4'
    option vid '4'
    option ports '0 6t'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:5b45:214d::/48'

# LAN network 1
# eth0.1 is VLAN ID 1 on eth0 and pairs with vid '1' above. No bridge type is
# set, so this interface consists of eth0.1 only. It keeps 192.168.1.1, the
# address the single 'lan' interface had in the "before" listing.
config interface 'lan1'
    option ifname 'eth0.1'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# LAN network 2
config interface 'lan2'
    option ifname 'eth0.2'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# LAN network 3
config interface 'lan3'
    option ifname 'eth0.3'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# LAN network 4
config interface 'lan4'
    option ifname 'eth0.4'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# WAN network
# Untagged eth1, obtaining its address by DHCP from upstream.
config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

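This creates four interfaces, LAN1 to LAN4, each connected to one LAN port on the back of the router, and each one on a separate network. Separate networks are only the first half of the isolation: whether the ports can reach each other, the router and the WAN is decided by the firewall zones and forwardings, which we have not touched yet. Try if that works, then we will work on the wireless connections, and the forwarding between the interfaces.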

eduperez wrote:
acdcman200 wrote:
eduperez wrote:

Sorry, when I said "eth0.x", "x" should be changed to the VLAN ID. Anyway, in the "#wan port" section you are not configuring any ports now, and that does not make sense. You are also trying to use both eth0 for LAN and eth0.x for WAN, and that does not make sense, too.

Perhaps you should try to explain what are you trying to achieve and why.

I am trying to configure it so that each port is separated from the others. (except for ports 1 and 3) This is to prevent devices on each port from seeing others on different ports. They all still need to have Internet access to the Wan. I would also like wireless devices to be separated from the Lan ports on both the 2.4 and 5 GHZ. This is for better security of my network. Although I would still like to be able to connect from port 1 to devices on port 3.

Could you correct the config for me as I have zero experience with vlan configuration. If you would like payment let me know and we can work something out.

Thanks.

Ok, so all you need are separated LANs, and that has nothing to do with "switching the LAN and WAN"; you do not even have to touch anything related to the WAN, and this is a five minute job that requires no payment. Let's suppose this was your default configuration:

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

# WAN port
config switch_vlan
    option device 'switch0'
    option ports '4 5'

# LAN port
config switch_vlan
    option device 'switch0'
    option ports '0 1 2 3 4 6'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:5b45:214d::/48'

# LAN networg
config interface 'lan'
    option ifname 'eth0'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# WAN network
config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

This should give you internet on the WAN port, and one single LAN on all ports. To create separate LANs, we use VLANs on the LAN side, and create new interfaces eth0.x for each one:

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

# WAN port
config switch_vlan
    option device 'switch0'
    option ports '4 5'

# LAN port 1
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '3 6t'

# LAN port 2
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '2 6t'

# LAN port 3
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '3'
    option ports '1 6t'

# LAN port 4
config switch_vlan
    option device 'switch0'
    option vlan '4'
    option vid '4'
    option ports '0 6t'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:5b45:214d::/48'

# LAN network 1
config interface 'lan1'
    option ifname 'eth0.1'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# LAN network 2
config interface 'lan2'
    option ifname 'eth0.2'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# LAN network 3
config interface 'lan3'
    option ifname 'eth0.3'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# LAN network 4
config interface 'lan4'
    option ifname 'eth0.4'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# WAN network
config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

This creates 4 LAN1 to LAN4 interfaces, each connected to one LAN port on the back of the router, and each one on a separate network. Try if that works, then we will work on the wireless connections, and the forwarding between the interfaces.

So upon applying that second one you posted I see the same issue. internet goes down, router not pingable.

Am I missing file permissions on the file? Am I supposed to be appending this to the current file?

Currently I run the following.
mv /etc/config/network /etc/config/network.bak
vi /etc/config/network
Enter insert mode and paste what you sent then :wq
Then I enter the Luci page and trigger a restart on the router.

Thanks for your help so far!

(Last edited by acdcman200 on 27 Feb 2017, 17:44)

acdcman200 wrote:

So upon applying that second one you posted I see the same issue. internet goes down, router not pingable.

Yes, internet going down is expected, we still have not configured that. Connect the computer to LAN port 1, so it remains in the 192.168.1.x network, edit the "network" file, then execute "/etc/init.d/network restart" to apply the changes, and then "ifconfig" to check that all LANx interfaces have been created as expected.

Now we can edit the "/etc/config/dhcp" file to give clients an IP address.

Your dhcp file should contain a section similar to this one:

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '100'
    option leasetime '1d'
    option dhcpv6 'server'
    option ra 'server'

Now we create one section for each LANx:

config dhcp 'lan1'
    option interface 'lan1'
    option start '100'
    option limit '100'
    option leasetime '1d'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'lan2'
    option interface 'lan2'
    option start '100'
    option limit '100'
    option leasetime '1d'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'lan3'
    option interface 'lan3'
    option start '100'
    option limit '100'
    option leasetime '1d'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'lan4'
    option interface 'lan4'
    option start '100'
    option limit '100'
    option leasetime '1d'
    option dhcpv6 'server'
    option ra 'server'

Now, connect a computer to a LAN port, renew the IP address, and see how you get a different range in each port; the router should also be accessible, using the IP address for the router on that interface.

eduperez wrote:
acdcman200 wrote:

So upon applying that second one you posted I see the same issue. internet goes down, router not pingable.

snip

Does that append (As in add to it after whats in there) to the /etc/config/dhcp or does that replace the things in the file? Same for /etc/config/network.

In both cases, the "after" config has to replace the "before" section in my posts; in case of doubt, just post your current file here, and I will give you back the edited version.

eduperez wrote:

In both cases, the "after" config has to replace the "before" section in my posts; in case of doubt, just post your current file here, and I will give you back the edited version.

/etc/config/network

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

# WAN port
config switch_vlan
    option device 'switch0'
    option ports '4 5'

# LAN port 1
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '3 6t'

# LAN port 2
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '2 6t'

# LAN port 3
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '3'
    option ports '1 6t'

# LAN port 4
config switch_vlan
    option device 'switch0'
    option vlan '4'
    option vid '4'
    option ports '0 6t'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:5b45:214d::/48'

# LAN network 1
config interface 'lan1'
    option ifname 'eth0.1'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# LAN network 2
config interface 'lan2'
    option ifname 'eth0.2'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# LAN network 3
config interface 'lan3'
    option ifname 'eth0.3'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# LAN network 4
config interface 'lan4'
    option ifname 'eth0.4'
    option force_link '1'
    option proto 'static'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '8.8.8.8 8.8.4.4'

# WAN network
config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

/etc/config/dhcp

# /etc/config/dhcp as posted: global dnsmasq settings, one DHCP pool per
# lan1..lan4 interface, DHCP disabled on the WAN, and one static lease.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        # Discards upstream answers that point into private address ranges
        # (DNS-rebinding defence).
        option rebind_protection '1'
        # Exception to the above: upstream answers in 127.0.0.0/8 are allowed.
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        # Answers DNS queries only from hosts on directly attached subnets.
        option localservice '1'
        list server '8.8.8.8'
        list server '8.8.4.4'

# Pool for lan1: start 100 / limit 100 hands out .100 to .199 of the
# interface's /24. The same range is repeated for lan2..lan4 below, each within
# its own subnet.
config dhcp 'lan1'
    option interface 'lan1'
    option start '100'
    option limit '100'
    option leasetime '1d'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'lan2'
    option interface 'lan2'
    option start '100'
    option limit '100'
    option leasetime '1d'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'lan3'
    option interface 'lan3'
    option start '100'
    option limit '100'
    option leasetime '1d'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'lan4'
    option interface 'lan4'
    option start '100'
    option limit '100'
    option leasetime '1d'
    option dhcpv6 'server'
    option ra 'server'

# ignore '1': no DHCP service is offered on the WAN interface.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

# Static lease. 192.168.1.196 lies inside the lan1 pool (.100 to .199).
# NOTE(review): presumably this host must be plugged into the lan1 port to
# receive this address; on any other port it is in a different subnet. Confirm
# which port the server uses.
config host
        option mac '00:19:d1:88:d0:eb'
        option ip '192.168.1.196'
        option name 'UbuntuServer1'

Using both of these still result in the same issue.

(Last edited by acdcman200 on 3 Mar 2017, 05:52)

acdcman200 wrote:

Using both of these still result in the same issue.

Please, be more explicit with the diagnostics... When you connect a computer to one of the LAN ports, do you get an IP address in the expected range? Can you ping the router? Can you log in?

The discussion might have continued from here.