OpenWrt Forum Archive

Topic: Routing between subnets on multiple Vlans with Kamikaze

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

So I beat my head against a wall for a couple days learning how to set this up in Kamikaze. As always it was so simple.. it was TOO easy and I totally overlooked it.
For those of you that are wanting to setup multiple vlans and be able to route across them here's a little info for you.

BIG thanx goes out to gerd for his post on how to do this with WhiteRussian and to xMff who's been so patient with me and helping me understand the interworkings of the new UCI.

Here's a link to gerd's post that got the ball rolling for me if you'd like to take a look and compare the WhiteRussian setup to this one for the Kamikaze. http://forum.openwrt.org/viewtopic.php?id=16795

For the record I'm running a WRT54G v.3 so my Wan port is 0 and my 4 lan ports are 1,2,3,4

##########################################################################################################
/etc/config/network
##########################################################################################################

#### VLAN configuration
config switch eth0
    option vlan0    "1 3 4 5*"    ### this line used to read option vlan0  "1 2 3 4 5*" but I've pulled out 2 (port 2 on back of router in my case) and made it a separate vlan see below
    option vlan1    "0 5"
    option vlan2    "2 5"           ### this is where I'm setting port 2 to live on a new vlan (vlan2)

### Loopback configuration
config interface loopback
    option ifname    "lo"
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0

### I left this first Lan Configuration (vlan0) as type bridge because I wanted my ports on vlan0 to live on the same vlan as the wireless.. (this is done by default with br0) if you're setting up a different vlan for wireless remove the entire "option type  bridge" line and you'd have to setup an interface for the wireless (wl0 in my case) as well as a new forward rule in the firewall like I have done for my vlan2... see /etc/config/firewall below

### One thing that also stumped me here was the option proto static... "But I want DHCP on this lan" you say.. well.. so did I.. but we set that up in the /etc/config/dhcp below... this just sets the ip of the interface or the "gateway" ip of the vlan and it is static...:)


#### LAN configuration
config interface lan
    option type     bridge
    option ifname    "eth0.0"  ### FYI.. everything is eth0 except the wireless interface because all the ports actually live on the same physical switch.. so eth0.0 is vlan 0 we created above
    option proto    static
    option ipaddr    192.168.1.1
    option netmask    255.255.255.0

config interface lan2
    option ifname    "eth0.2" ### This is where I'm setting the ip of the vlan2 I created above i.e. eth0.2 (this is the gateway ip for that network)
    option proto    static
    option ipaddr    192.168.2.1
    option netmask    255.255.255.0

#### WAN configuration
config interface    wan
    option ifname    "eth0.1"
    option proto    dhcp

###### You only need the stuff below if you want to be able to route from vlan0 to your new vlan2 and vice versa! if they are going to be isolated you can leave this out.

config route
    option interface lan
    option target 192.168.2.0
    option gateway 192.168.2.1

config route
    option interface lan2
    option target 192.168.1.0
    option gateway 192.168.1.1


##############################################################################################
/etc/config/firewall
##############################################################################################

config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'DROP'
    option 'output' 'ACCEPT'
    option 'forward' 'DROP'

config 'zone'
    option 'name' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'DROP'


### This is where I configure a zone on the firewall for my new vlan2.. the "option name" must be the same as what you used in the network setup above for "config interface" I used lan2 above
config 'zone'
    option 'name' 'lan2'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'DROP'

config 'zone'
    option 'name' 'wan'
    option 'input' 'DROP'
    option 'output' 'ACCEPT'
    option 'forward' 'DROP'
    option 'masq' '1'

### Below is where we tell the firewall what vlan is allowed to see/route to where.. I "think" this first one was the only one originally that allowed the lan to "forward" to the wan to gain access to external (NAT)

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

### I added these below so my lans could all talk to each other and my new vlan could also "NAT" out through the wan

config 'forwarding'            ### My new vlan2 can access the internet (NAT)
    option 'src' 'lan2'
    option 'dest' 'wan'

config 'forwarding'           ### My new vlan2 can see all the machines on the original default vlan0 (on my setup this is ports 1 3 4 and wireless)
    option 'src' 'lan2'
    option 'dest' 'lan'

config 'forwarding'          ### Same as above but in the other direction.. vlan0 can see the machines on vlan2
    option 'src' 'lan'
    option 'dest' 'lan2'

#############################################################################################
/etc/config/dhcp
#############################################################################################

### On my setup my vlan2 (lan2) is all static IP's so my /etc/config/dhcp stayed default. If I wanted to have my lan2 serving out dhcp I would add the line at the very bottom to do this.

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'filterwin2k' '0'
    option 'localise_queries' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'
    option 'nonegcache' '1'
    option 'logqueries' '1'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'

config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'ignore' '1'

#### Add the lines below if you want lan2 to also serve out dhcp

config 'dhcp' 'lan2'
    option 'interface' 'lan2'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'
#########################################################################################


Well.. that's my 2 cents on it... it drove me nuts trying to do this.. and it's so simple... The guys here in the forum and on irc are great and have helped me out LOTS with this so I just wanted to give back and figured I'd take the time to do a "knowledge dump" since I know they're out helping others...;)

Thanx again gerd and xMff for all your help and input.. couldn't have done this without you... well... at least not this week....:)

Aqua

Yeah, it's so easy with the UCI configuration (even the firewall part)

What I'd recommend for this howto is to add all the UCI CLI commands one should enter in the console to get this working. Would make things more understandable

/etc/config/network

VLAN configuration:
Pull out 2 (port 2 on back of router in my case) and made it a separate VLAN:

# uci set network.eth0.vlan0='1 3 4 5*'

Setting port 2 to live on a new VLAN (vlan2, eth0.2):

# uci set network.eth0.vlan2='2 5'

I left this first LAN Configuration (vlan0) as type bridge because I wanted my ports on vlan0 to live on the same vlan as the wireless.. (this is done by default with br0) if you're setting up a different vlan for wireless delete 'uci del wireless.@wifi-iface[0].network' and you'd have to setup an interface for the wireless (wl0 in my case) as well as a new forward rule in the firewall like I have done for my vlan2... see /etc/config/firewall below.


LAN configuration:
Setting the IP of the vlan2 I created above i.e. eth0.2 (this is the gateway IP for that network)

# uci set network.lan2=interface
# uci set network.lan2.proto=static
# uci set network.lan2.ipaddr=192.168.2.1
# uci set network.lan2.netmask=255.255.255.0
# uci set network.lan2.ifname=eth0.2

Routing:
You only need the stuff below if you want to be able to route from vlan0 to your new vlan2 and vice versa! If they are going to be isolated you can leave this out.

# uci add network route
# uci set network.@route[-1].interface=lan
# uci set network.@route[-1].target=192.168.2.0
# uci set network.@route[-1].gateway=192.168.2.1

# uci add network route
# uci set network.@route[-1].interface=lan2
# uci set network.@route[-1].target=192.168.1.0
# uci set network.@route[-1].gateway=192.168.1.1

Save changes to /etc/config/network:

# uci commit network

/etc/config/firewall

Zone
This is where I configure a zone on the firewall for my new vlan2.. the name option must be the same as what you used in the network setup above for network.lan2=interface I used lan2 above

# uci add firewall zone
# uci set firewall.@zone[-1].name=lan2
# uci set firewall.@zone[-1].input=ACCEPT
# uci set firewall.@zone[-1].output=ACCEPT
# uci set firewall.@zone[-1].forward=DROP

Forwarding:
I added these below so my lans could all talk to each other and my new vlan could also "NAT" out through the wan. My new vlan2 can access the internet (NAT).

# uci add firewall forwarding
# uci set firewall.@forwarding[-1].src=lan2
# uci set firewall.@forwarding[-1].dest=wan

My new vlan2 can see all the machines on the original default vlan0 (on my setup this is ports 1 3 4 and wireless)

# uci add firewall forwarding
# uci set firewall.@forwarding[-1].src=lan2
# uci set firewall.@forwarding[-1].dest=lan

Same as above but in the other direction.. vlan0 can see the machines on vlan2

# uci add firewall forwarding
# uci set firewall.@forwarding[-1].src=lan
# uci set firewall.@forwarding[-1].dest=lan2

Save changes to /etc/config/firewall:

# uci commit firewall

/etc/config/dhcp

DHCP on vlan2 (lan2)
On my setup my vlan2 (lan2) is all static IP's so my /etc/config/dhcp stayed default. If I wanted to have my lan2 serving out dhcp I would add the line at the very bottom to do this.

# uci add dhcp dhcp
# uci set dhcp.@dhcp[-1].interface=lan2
# uci set dhcp.@dhcp[-1].start=100
# uci set dhcp.@dhcp[-1].limit=150
# uci set dhcp.@dhcp[-1].leasetime=12h

Save changes to /etc/config/dhcp:

# uci commit dhcp

Finally reboot the device and test it. Exactly the same what you have done with the console is possible with the LuCI WebUI.

Have fun

(Last edited by Yanira on 13 Sep 2008, 20:02)
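As an added example for both the config-file post and the uci-command post above (not code from either poster or from OpenWrt), here is a small Python checker that reads a /etc/config/firewall and reports which zones have an explicit forwarding into which, so you can confirm that VLANs you meant to keep isolated really are. The sample config is constructed to mirror the thread, and parse_uci is a hypothetical helper, not OpenWrt's uci tool.

```python
import shlex

# Constructed sample /etc/config/firewall mirroring the posts above; lan -> lan2 is left out on purpose.
SAMPLE_FIREWALL = """
config 'zone'
    option 'name' 'lan'
config 'zone'
    option 'name' 'lan2'
config 'zone'
    option 'name' 'wan'
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'
config 'forwarding'
    option 'src' 'lan2'
    option 'dest' 'wan'
config 'forwarding'
    option 'src' 'lan2'
    option 'dest' 'lan'
"""

def parse_uci(text):
    """Minimal UCI reader (hypothetical helper, not OpenWrt's uci tool)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        words = shlex.split(line)
        if words[0] == 'config' and len(words) >= 2:
            sections.append((words[1], {}))
        elif words[0] == 'option' and len(words) == 3 and sections:
            sections[-1][1][words[1]] = words[2]
    return sections

def forwarding_matrix(sections):
    """Zone -> zones it has an explicit 'forwarding' into; inter-zone traffic
    without one falls back to the 'defaults' forward policy (DROP in the thread)."""
    zones = {o['name'] for t, o in sections if t == 'zone' and 'name' in o}
    allowed = {z: set() for z in zones}
    for t, o in sections:
        if t == 'forwarding' and o.get('src') in zones and o.get('dest') in zones:
            allowed[o['src']].add(o['dest'])
    return allowed

def isolation_violations(sections, must_not_reach):
    """(src, dest) pairs from must_not_reach that the config actually forwards."""
    allowed = forwarding_matrix(sections)
    return sorted(p for p in must_not_reach if p[1] in allowed.get(p[0], set()))
```

Note that the thread's config forwards in both directions between lan and lan2; this checker only lists pairs you declare as forbidden that nonetheless have a forwarding section.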

hi !

In my "last days" with the alix and "double" lan setup I recognized that ping times from one segment to the other are relatively high
(maybe you can verify this) that means pinging from lan_1 to lan_2 and vice versa was about max. 7 ms (average 4 ms) and usually should be around 1 ms
After a reboot w/o firewall same thing.
I'm sorry that I can't test with it because I changed this one to another firmware which supports my hifn 7955 card inside (shame on me) :-)
But other wrts and 2nd alix is still kamikaze/openwrt

ciao gerd

Aquahallic,

Can you draw a simple hardware picture of what your Kamikaze configuration supports. 

Specifically what is connected to the physical ports on the WRT54G v.3

Regards,
Jim
