OpenWrt Forum Archive

Topic: 2 different vlans, no connection to internet from vlan

The content of this topic has been archived on 4 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

hi guys,

first of all, openwrt and its features are amazing! GREAT WORK!
the basic stuff is working very well (internet access through openwrt --> isp router).
i'm using a linksys WRT54GL + brcm-2.4.

i want to setup 2 vlans.
the clients within vlan2 should not be able to communicate with clients from vlan3.
both vlans should be able to access the internet.

so i created my_vlan_2 and my_vlan_3. each vlan is providing a dhcp service. everything fine.

so i adjusted the firewall rules, as a first step/test for my_vlan_2, as you can see:
http://img339.imageshack.us/img339/2420/33338852.jpg
my_vlan_2 --> wan

the issue here is that the client connected to my_vlan_2 is still not able to connect to the internet (straight http).
basically, there are the same rules for my_vlan_2 in place as for "lan".
after reading lots of tutorials and trying different settings, without success, i'm a bit stuck now.

http://img194.imageshack.us/img194/1796/30974704.jpg

any suggestions what's missing here?
is there really a bridge needed between my_vlan_2 and lan? to my understanding the internet access should work fine as long as the "my_vlan2 --> wan" rule is in place.

thanks in advance!

(Last edited by tenta on 7 Mar 2013, 02:21)

No, you don't need a bridge. You do need to get the firewall right though. You need to forward from each vlan to the wan and NAT both.

hey DB1,
ok thanks, so i was not totally wrong.

i still don't get this: why is accessing the internet not possible, although i configured my_vlan_2 to have access to the WAN zone?

how can i achieve this NATing?
would be very thankful for any kind of help!

perhaps somebody knows a good tutorial for this?
i don't think i'm the first one who wants 2 separate vlans accessing the internet

(Last edited by tenta on 7 Mar 2013, 20:13)

It would help if you posted /etc/config/network, /etc/network/firewall and /etc/config/dhcp rather than those images, which are impossible to read with any certainty.

hey DB1,

when my client in my_vlan_2 tries to access a web page via browser, the dns resolution is working fine, but after that i can only see an http SYN from my client and don't get any response (SYN ACK).

okay, see attached:

/etc/config/network

config 'switch' 'eth0'
        option 'enable' '1'

config 'switch_vlan' 'eth0_0'
        option 'device' 'eth0'
        option 'vlan' '0'
        option 'ports' '0 3 5'

config 'switch_vlan' 'eth0_1'
        option 'device' 'eth0'
        option 'vlan' '1'
        option 'ports' '4 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option '_orig_ifname' 'eth0.0 wl0'
        option '_orig_bridge' 'true'
        option 'ifname' 'eth0.0'

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'dhcp'

config 'switch_vlan'
        option 'device' 'eth0'
        option 'vlan' '2'
        option 'ports' '2 5'

config 'interface' 'my_vlan_2'
        option 'proto' 'static'
        option 'ifname' 'eth0.2'
        option 'ipaddr' '192.168.3.1'
        option 'netmask' '255.255.255.0'
        option 'macaddr' 'C1:C2:C3:C4:C5:C6'

config 'switch_vlan'
        option 'device' 'eth0'
        option 'vlan' '3'
        option 'ports' '1 5'

config 'interface' 'my_vlan_3'
        option 'proto' 'static'
        option 'ifname' 'eth0.3'
        option 'ipaddr' '192.168.4.1'
        option 'netmask' '255.255.255.0'

/etc/network/firewall

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'drop_invalid' '1'

config 'zone'
        option 'name' 'lan'
        option 'network' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'network' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'masq' '1'
        option 'mtu_fix' '1'
        option 'forward' 'REJECT'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'

config 'rule'
        option 'name' 'Allow-DHCP-Renew'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'
        option 'family' 'ipv4'

config 'rule'
        option 'name' 'Allow-Ping'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'family' 'ipv4'
        option 'target' 'ACCEPT'

config 'rule'
        option 'name' 'Allow-DHCPv6'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'src_ip' 'fe80::/10'
        option 'src_port' '547'
        option 'dest_ip' 'fe80::/10'
        option 'dest_port' '546'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

config 'rule'
        option 'name' 'Allow-ICMPv6-Input'
        option 'src' 'wan'
        option 'proto' 'icmp'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        list 'icmp_type' 'router-solicitation'
        list 'icmp_type' 'neighbour-solicitation'
        option 'limit' '1000/sec'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

config 'rule'
        option 'name' 'Allow-ICMPv6-Forward'
        option 'src' 'wan'
        option 'dest' '*'
        option 'proto' 'icmp'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        option 'limit' '1000/sec'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

config 'include'
        option 'path' '/etc/firewall.user'

config 'zone'
        option 'name' 'my_vlan_2'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'network' 'my_vlan_2'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'my_vlan_3'
        option 'input' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'output' 'ACCEPT'
        option 'network' 'my_vlan_3'

config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'my_vlan_2'

config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'my_vlan_3'

/etc/config/dhcp

config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'filterwin2k' '0'
        option 'localise_queries' '1'
        option 'rebind_protection' '1'
        option 'rebind_localhost' '1'
        option 'local' '/lan/'
        option 'domain' 'lan'
        option 'expandhosts' '1'
        option 'nonegcache' '0'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '100'
        option 'limit' '150'
        option 'leasetime' '12h'

config 'dhcp' 'wan'
        option 'interface' 'wan'
        option 'ignore' '1'

config 'dhcp'
        option 'start' '100'
        option 'leasetime' '12h'
        option 'limit' '150'
        option 'interface' 'my_vlan_2'
        option 'force' '1'

config 'dhcp'
        option 'start' '100'
        option 'leasetime' '12h'
        option 'limit' '150'
        option 'interface' 'my_vlan_3'

(Last edited by tenta on 9 Mar 2013, 00:08)

it's working now. i did a factory reset and started from scratch.
created 2 vlans
assigned ip address to each vlan
added zones --> vlan to wan

thank you anyway DB1 for your efforts!!!

config:

/etc/config/firewall

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'drop_invalid' '1'

config 'zone'
        option 'name' 'lan'
        option 'network' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'network' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'
        option 'mtu_fix' '1'

config 'include'
        option 'path' '/etc/firewall.user'

config 'zone'
        option 'name' 'my_vlan_2'
        option 'input' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'output' 'ACCEPT'
        option 'network' 'my_vlan_2'

config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'lan'

config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'my_vlan_2'

config 'zone'
        option 'name' 'my_vlan_3'
        option 'input' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'output' 'ACCEPT'
        option 'network' 'my_vlan_3'

config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'my_vlan_3'

(Last edited by tenta on 9 Mar 2013, 06:43)
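The isolation in the working config above rests on a negative condition: the default forward policy is REJECT and there is simply no forwarding section between my_vlan_2 and my_vlan_3, while each VLAN zone has its own forwarding to wan and wan masquerades. That is exactly what DB1 described, and it is easy to break later with one extra click in LuCI. As an added example (not from this thread and not OpenWrt project code), here is a small Python checker that parses UCI text and verifies that policy. It is run against the VLAN-relevant sections of tenta's final /etc/config/firewall (the lan zone and the include are left out) and against a constructed variant with one extra forwarding. The fallback of a zone's policies to the defaults section follows fw3 behaviour and is an assumption in this code; the config strings and function names are the example's own.

```python
import shlex

# VLAN-relevant sections of the /etc/config/firewall tenta posted as working
# (lan zone and include omitted), embedded so the checker runs offline.
FIREWALL_CONF = """
config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'drop_invalid' '1'
config 'zone'
        option 'name' 'wan'
        option 'network' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'
        option 'mtu_fix' '1'
config 'zone'
        option 'name' 'my_vlan_2'
        option 'input' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'output' 'ACCEPT'
        option 'network' 'my_vlan_2'
config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'my_vlan_2'
config 'zone'
        option 'name' 'my_vlan_3'
        option 'input' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'output' 'ACCEPT'
        option 'network' 'my_vlan_3'
config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'my_vlan_3'
"""

# Constructed variant: one extra forwarding that would let VLAN 2 reach VLAN 3.
LEAKY_CONF = FIREWALL_CONF + """
config 'forwarding'
        option 'src' 'my_vlan_2'
        option 'dest' 'my_vlan_3'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {option: value})].
    Values are shell-quoted, so shlex unquotes them; 'list' entries become lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *rest = shlex.split(line)
        if keyword == "config":
            sections.append((rest[0], rest[1] if len(rest) > 1 else None, {}))
        elif keyword == "option":
            sections[-1][2][rest[0]] = rest[1] if len(rest) > 1 else ""
        elif keyword == "list":
            sections[-1][2].setdefault(rest[0], []).append(rest[1])
        else:
            raise ValueError("unexpected UCI line: %r" % raw)
    return sections

def check_firewall(text, client_zones, wan_zone="wan"):
    """Return policy violations; [] means every client zone forwards to wan, wan
    masquerades, unmatched inter-zone traffic is denied, and no forwarding joins
    a client zone to anything but wan."""
    sections = parse_uci(text)
    defaults = next((o for kind, _, o in sections if kind == "defaults"), {})
    zones = {o.get("name"): o for kind, _, o in sections if kind == "zone"}
    forwardings = [(o.get("src"), o.get("dest")) for kind, _, o in sections if kind == "forwarding"]
    findings = []
    if defaults.get("forward", "REJECT") not in ("REJECT", "DROP"):
        findings.append("defaults.forward is %s: unmatched inter-zone traffic is allowed" % defaults["forward"])
    if zones.get(wan_zone, {}).get("masq") != "1":
        findings.append("zone %s has no masq=1: VLAN traffic leaves the WAN un-NATed" % wan_zone)
    for zone in client_zones:
        if zone not in zones:
            findings.append("zone %s is not defined" % zone)
        elif (zone, wan_zone) not in forwardings:
            findings.append("no forwarding %s -> %s: that VLAN cannot reach the internet" % (zone, wan_zone))
    for src, dest in forwardings:
        if src in client_zones and dest != wan_zone:
            findings.append("forwarding %s -> %s breaks VLAN isolation" % (src, dest))
        elif dest in client_zones:
            findings.append("forwarding %s -> %s reaches into a client VLAN" % (src, dest))
    return findings

def exposed_zones(text):
    """Zones whose input policy is ACCEPT, i.e. hosts there can reach the router's
    own services (dnsmasq must be reachable; LuCI/ssh deserve explicit rules)."""
    sections = parse_uci(text)
    # Assumption (fw3 behaviour): a zone without its own policy inherits defaults.
    defaults = next((o for kind, _, o in sections if kind == "defaults"), {})
    return [o["name"] for kind, _, o in sections
            if kind == "zone" and o.get("input", defaults.get("input", "ACCEPT")) == "ACCEPT"]
```

Copy /etc/config/firewall off the router and run the checker on a workstation; a WRT54GL has no room for Python. It checks the UCI intent only, not the rules actually loaded, so after any change reload with /etc/init.d/firewall restart and confirm with iptables-save on the device. The exposed_zones result is the caveat to keep in mind with this config: input ACCEPT on both VLAN zones means clients in either VLAN can reach the router's own services, including the admin interface, unless you add rules that restrict them.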

The discussion might have continued from here.