OpenWrt Forum Archive

Topic: 2 more vlan and routing their

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Good light.
I have a TP-Link WR740N with OpenWrt 15.05
Local PC with IP 192.168.0.2
ESXi with 2 virtual PCs, IPs 172.16.20.2 and 172.16.40.2

wr740n ports
-------------------------------------------------
wan - not used
1 port - local PC
2 port - currently not used (any PC for testing)
3 port - currently not used (any PC for testing)
4 port - ESXi (tagged VLANs 20 and 40)
-------------------------------------------------

I did:
2 VLANs, 20 and 40
3 interfaces: Lan, Vlan20 and Vlan40

What i want:
I need to make L2 and L3 routing (as on a Cisco 2911)
192.168.0.2->ping 172.16.20.2->get echo
192.168.0.2->ping 172.16.40.2->get echo
172.16.20.2->ping 192.168.0.2->get echo
172.16.40.2->ping 192.168.0.2->get echo

What works:
172.16.20.2->ping 172.16.20.1->get echo
172.16.40.2->ping 172.16.40.1->get echo
192.168.0.2->ping 172.16.20.1->get echo
192.168.0.2->ping 172.16.40.1->get echo

Config openwrt
-------------------------
Vlans
*********************
vlan 20
*********************
CPU - tagged
4th port - tagged
3rd port - untagged
*********************
vlan 40
*********************
CPU - tagged
4th port - tagged
2nd port - untagged
*********************

Interfaces (all mask /24)
*************************
Lan
*************************
Standard settings of 15.05
IP 192.168.0.10
*************************
Vlan20
*************************
IP 172.16.20.1
GW 192.168.0.10
*************************
Vlan40
*************************
IP 172.16.40.1
GW 192.168.0.10
*************************

Local PC
*************************
IP 192.168.0.2
route ADD -p 172.16.20.1 MASK 255.255.255.0 192.168.0.10 METRIC 1
route ADD -p 172.16.40.1 MASK 255.255.255.0 192.168.0.10 METRIC 2

How VLANs work I know!
How routing works I know!
I don't know how to make it in OpenWrt.
Please help me if you can.

(Last edited by h0mikus on 30 May 2017, 07:41)

Hey there.

Could you please post the contents of these files from your OpenWRT:
* /etc/config/network
* /etc/config/switch
* /etc/config/firewall

If your OpenWRT device is your default gateway, you don't need to add routes manually on your PC. Your PC should talk to its default gateway, which, in turn, passes the traffic on to the two additional VLANs.

If your OpenWRT is not your default gateway: better add the routes on your default gateway. Same here: your PC should talk to its default gateway, which knows about those routes; the PC does not need to know the routes itself.

If you do add routes manually, you only need metrics if you want to express a "preference" between routes. As long as you don't have multiple routes targeting the same IP range, metrics don't matter at all.

You can use "tcpdump" on your router to see traffic passing through an interface. "tcpdump -i eth0.1 icmp" shows ping traffic to and from your LAN, "tcpdump -i eth0.20 icmp" shows ping traffic to and from your VLAN 20.
You should use "tcpdump" on the VMs as well, just to make sure traffic arrives and leaves as expected.

You didn't provide enough information to be 100% sure, but I assume your PC -- which uses the OpenWRT as default gateway -- reaches your VM, but your VM doesn't reach your PC. So a ping from PC to VM arrives at the VM, but not the other way around.

What about firewalling? Are the vlan20 and vlan40 interfaces in OpenWRT marked as WAN, LAN or something completely different? Did you maybe enable NAT for them? That would explain why 192.168.0/24 can reach 172.16.20/24 and receive answers (since 172.16.20.2 doesn't need to know anything about 192.168.0/24 and response packets are allowed anyway).

For starters:
* Add eth0.20 to LAN firewall group
* Add eth0.40 to LAN firewall group
* Keep eth0.1 at LAN firewall group
* Don't use static IP addresses on any side (except for your OpenWRT) and let DHCP handle things
* Use tcpdump on your PC, on your VM and on your router and see where your traffic goes to and where it stops

Regards,
Stephan.

Sorry, I have a lot of work at home.

I reset the router ))) (I wanted to break it with a hammer)

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'true'
        option ifname 'eth0'
        option ipaddr '192.168.10.1'

config interface 'wan'
        option ifname 'eth1'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto 'static'
        option netmask '255.255.254.0'
        option gateway '192.168.0.1'
        option dns '8.8.8.8'
        option ipaddr '192.168.0.10'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '20'
        option ports '0t 1t'

config interface 'vlan_20'
        option proto 'static'
        option ipaddr '172.16.20.1'
        option netmask '255.255.255.0'
        option _orig_ifname 'eth0.20'
        option _orig_bridge 'true'
        option ifname 'eth0.20'

and root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'vlan_20'
        option network 'vlan_20'
        option forward 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'vlan_20'

config forwarding
        option dest 'wan'
        option src 'vlan_20'

config forwarding
        option dest 'vlan_20'
        option src 'lan'

config forwarding
        option dest 'vlan_20'
        option src 'wan'

ping 172.16.20.1 and 172.16.20.2: all good
ping 192.168.0.10 and 192.168.0.2: all good
but

ping 192.168.10.21 to 192.168.0.10: no echo
ping 192.168.10.10 to 192.168.0.21: no echo

If I delete vlan20, ping 192.168.10.10(21) works, ping 172.16.20.1(2) doesn't work (((

All pings were done in the OpenWrt CLI
172.16.20.1 - vlan_20 IP
192.168.0.10 - wan port IP
192.168.10.1 - lan ports IP
192.168.10.21 - PC IP (ports 1-3)

P.S.
I tested my VLAN settings on a D-Link, all works well. On OpenWRT it doesn't work.
Sorry for my English (I can write Russian).

(Last edited by h0mikus on 20 Jun 2017, 07:59)
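Stephan's firewall questions (which zone each VLAN interface sits in, and whether forwarding between zones exists in both directions) can be turned into a repeatable check on the two UCI files posted above. The Python below is an added example for this thread, not OpenWrt tooling and not code from anyone posting here. Its UCI parser is a minimal one written for the example; the embedded sample configs are constructed from the config in the post above, cut down and with two deliberate changes (a `vlan_40` interface that is in no zone, and the `vlan_20 -> lan` forwarding left out) so that the output shows the one-way case Stephan describes. Names such as `analyse` and `parse_uci` are this example's own.

```python
"""Cross-check OpenWrt /etc/config/network against /etc/config/firewall:
which logical interface is in which zone, and between which zones a new
connection may be forwarded. Added example for this thread, not OpenWrt
tooling; it parses only the 'config' / 'option' / 'list' lines it needs."""
import re

# Constructed sample, cut down from the config posted in this thread. Two
# deliberate changes: vlan_40 (which the first post wants) is added but put in
# no zone, and the vlan_20 -> lan forwarding is left out to show the one-way case.
NETWORK_CFG = """
config interface 'lan'
        option ifname 'eth0'
        option ipaddr '192.168.10.1'

config interface 'vlan_20'
        option ifname 'eth0.20'
        option ipaddr '172.16.20.1'

config interface 'vlan_40'
        option ifname 'eth0.40'
        option ipaddr '172.16.40.1'
"""

FIREWALL_CFG = """
config defaults
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'vlan_20'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vlan_20'

config forwarding
        option src 'lan'
        option dest 'vlan_20'
"""


def parse_uci(text):
    """Return [(section_type, section_name, {option: [values]})]."""
    sections, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            current = (m.group(1), m.group(2) or '', {})
            sections.append(current)
            continue
        m = re.match(r"^(?:option|list)\s+(\S+)\s+'(.*)'$", line)
        if m and current is not None:
            current[2].setdefault(m.group(1), []).append(m.group(2))
    return sections


def analyse(network_text, firewall_text):
    """Return interfaces, unzoned interfaces, per-zone-pair reachability and notes.
    reach[(src, dst)] is True if a NEW connection from src may be forwarded to
    dst; replies to an allowed connection pass anyway (conntrack), so a one-way
    entry is exactly the 'A can ping B, B cannot ping A' symptom."""
    interfaces = {name: opts.get('ifname', ['?'])[0]
                  for stype, name, opts in parse_uci(network_text)
                  if stype == 'interface' and name != 'loopback'}
    zones, fwd = {}, set()
    for stype, _, opts in parse_uci(firewall_text):
        if stype == 'zone':     # fw3 treats an unset zone policy as REJECT
            nets = {n for v in opts.get('network', []) for n in v.split()}
            zones[opts['name'][0]] = (nets, opts.get('forward', ['REJECT'])[0])
        elif stype == 'forwarding':
            fwd.add((opts['src'][0], opts['dest'][0]))
    net_to_zone = {n: z for z, (nets, _) in zones.items() for n in nets}
    unzoned = sorted(n for n in interfaces if n not in net_to_zone)
    # same zone: the zone's own forward policy; different zones: an explicit forwarding
    reach = {(s, d): (zones[s][1] == 'ACCEPT' if s == d else (s, d) in fwd)
             for s in zones for d in zones}
    notes = [f"{n} ({interfaces[n]}) is in no zone: forwarded traffic hits the "
             "default policy" for n in unzoned]
    notes += [f"{s}->{d} may be opened but {d}->{s} may not: {d} cannot initiate"
              for (s, d), ok in reach.items() if ok and s != d and not reach[(d, s)]]
    return {'interfaces': interfaces, 'unzoned': unzoned, 'reach': reach, 'notes': notes}


if __name__ == '__main__':
    result = analyse(NETWORK_CFG, FIREWALL_CFG)
    for pair, ok in sorted(result['reach'].items()):
        print(f"{pair[0]:>8} -> {pair[1]:<8} {'allowed' if ok else 'blocked'}")
    for note in result['notes']:
        print('NOTE:', note)
```

On a real router the two constants would be replaced by the contents of `/etc/config/network` and `/etc/config/firewall`. On the sample, the report shows `lan -> vlan_20` allowed but `vlan_20 -> lan` blocked (the VM can answer pings but cannot start a conversation with the PC), and flags `vlan_40` as belonging to no zone. Run against the config actually posted above, where all six forwardings are present, the same check reports nothing, which is consistent with the thread's outcome that the fault was not in the firewall.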

My problem is solved.
All works with the settings in the 3rd post.
ESXi had a bug in the interface on the VLAN.
I reinstalled ESXi and now everything works.

Many thanks to golialive.
He put me on the right track.

P.S.
Moderators can close the thread.
