How to isolate a single LAN port to a different subnet?

[seud0nym]

I am trying to move a single LAN port (in this case eth3) to a different subnet, similar to the way that the Guest Wi-Fi runs on a different subnet.

The problem I am encountering is that there seems to be a routing issue. I can see from the logs that the router receives the DHCPREQUEST and sends the DHCPOFFER, but it never arrives back at the client. I have used iptables TRACE to ensure that it is not being blocked by a firewall rule.

I applied the changes by duplicating what the Guest network does.

Here are my config files:

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option default_ps '0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '0'
	option force_link '1'
	option rpfilter '1'
	list pppoerelay ''
	option ipaddr '192.168.145.1'
	option ifname 'eth0 eth1 eth2'

config switch
	option name 'bcmsw'
	option reset '1'
	option enable_vlan '0'

config interface 'Guest1'
	option proto 'static'
	option ip6assign '64'
	option ip6hint '1'
	option netmask '255.255.255.128'
	option ipaddr '192.168.2.126'
	option ifname 'wl0_1'
	option force_link '1'
	option rpfilter '1'

config interface 'Guest1_5GHz'
	option proto 'static'
	option ip6assign '64'
	option ip6hint '2'
	option netmask '255.255.255.128'
	option ipaddr '192.168.2.254'
	option ifname 'wl1_1'
	option force_link '1'
	option rpfilter '1'

config interface 'ppp'
	option proto 'pppoe'
	option metric '10'
	option username '[email protected]'
	option password 'new2dsl'
	option keepalive '4,20'
	option iface6rd '0'
	option graceful_restart '1'
	option auto '0'
	option ifname 'atm_8_35'

config interface 'ipoe'
	option proto 'dhcp'
	option metric '1'
	option reqopts '1 3 6 43 51 58 59'
	option release '1'
	option iface6rd '0'
	option vendorid 'technicolor'
	option auto '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option defaultreqopts '0'
	option reqopts '23 17'
	option reqaddress 'force'
	option noslaaconly '1'
	option iface_464xlat '0'
	option forceprefix '1'
	option soltimeout '240'
	option ifname 'eth4'

config interface 'wwan'
	option enabled '0'
	option proto 'mobiled'
	option session_id '0'
	option profile '1'
	option iface_464xlat '1'

config device 'eth4'
	option name 'eth4'
	option mtu '1500'
	option mtu6 '1500'
	option neighreachabletime '1200000'
	option neighgcstaletime '2400'

config device 'atm_8_35'
	option name 'atm_8_35'
	option neighreachabletime '1200000'
	option neighgcstaletime '2400'

config device 'ptm0'
	option name 'ptm0'
	option neighreachabletime '1200000'
	option neighgcstaletime '2400'

config ppp_placeholder
	option uciname 'pppoe-wan'

config config 'config'

config interface 'lan2'
	option proto 'static'
	option ip6assign '64'
	option ip6hint '3'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option force_link '1'
	option rpfilter '1'
	option ipv6 '1'
	option ifname 'eth3'

config interface 'wan'
	option reqopts '1 3 6 43 51 58 59'
	option iface6rd '0'
	option vendorid 'technicolor'
	option metric '1'
	option release '1'
	option proto 'dhcp'
	option ifname 'eth4'

/etc/config/dhcp

config dnsmasq 'main'
	option disabled '0'
	option nonwildcard '1'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option strictorder '1'
	option dhcpscript '/lib/dnsmasq/dhcp-event.sh'
	option domain 'modem'
	list interface 'lan'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	list dhcp_option_force 'tag:cpewan-id,vi-encap:3561,6,"DJA0230TLS"'
	list dhcp_option_force 'tag:cpewan-id,vi-encap:3561,5,"CPXXXXXXXXX"'
	list dhcp_option_force 'tag:cpewan-id,vi-encap:3561,4,"101331"'
	list address '/fwstore.bdms.telstra.net/0.0.0.0'
	list address '/fwstore.bdms.telstra.net/::'
	list hostname 'DJA0230'
	list hostname 'telstra.wifi'

config dnsmasq 'guest'
	option disabled '0'
	option nonwildcard '1'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option strictorder '1'
	option dhcpscript '/lib/dnsmasq/dhcp-event.sh'
	option domain 'modem'
	option add_local_fqdn '0'
	list hostname 'mymodem'
	list hostname 'mygateway'
	list hostname 'telstra'
	list interface 'Guest1'
	list interface 'Guest1_5GHz'
	list notinterface 'loopback'

config odhcpd 'odhcpd'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option start '2'
	option limit '253'
	option leasetime '1d'
	option force '1'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '0'
	option ra_mininterval '200'
	option ra_maxinterval '600'
	option ra_lifetime '1800'
	option ra_hoplimit '64'

config dhcp 'Guest1_private'
	option instance 'guest'
	option interface 'Guest1'
	option start '1'
	option limit '125'
	option leasetime '1d'
	option force '1'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '0'
	option ra_mininterval '200'
	option ra_maxinterval '600'
	option ra_lifetime '1800'
	option ra_hoplimit '64'

config dhcp 'Guest1_5GHz_private'
	option instance 'guest'
	option interface 'Guest1_5GHz'
	option start '129'
	option limit '125'
	option leasetime '1d'
	option force '1'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '0'
	option ra_mininterval '200'
	option ra_maxinterval '600'
	option ra_lifetime '1800'
	option ra_hoplimit '64'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'ppp'
	option interface 'ppp'
	option ignore '1'

config dhcp 'ipoe'
	option interface 'ipoe'
	option ignore '1'

config dhcp 'wwan'
	option interface 'wwan'
	option ignore '1'

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'

config opassthrud 'opassthrud'
	option passthruscript '/lib/dhcpopassthrud/dnsmasq.sh'
	option options_needed '0'

config dnsmasq 'lan2'
	option disabled '0'
	option nonwildcard '1'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option strictorder '1'
	option dhcpscript '/lib/dnsmasq/dhcp-event.sh'
	option domain 'modem'
	option add_local_fqdn '0'
	list hostname 'DJA0230'
	list interface 'lan2'
	list notinterface 'loopback'

config dhcp 'lan2_private'
	option instance 'lan2'
	option interface 'lan2'
	option start '2'
	option limit '253'
	option leasetime '1d'
	option force '1'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '0'
	option ra_mininterval '200'
	option ra_maxinterval '600'
	option ra_lifetime '1800'
	option ra_hoplimit '64'
	option dhcpv4 'server'

To simplify the firewall settings, I just added the new lan2 interface to the Guest1 firewall zone, as that does what I want:

config zone
	option name 'Guest1'
	list network 'Guest1'
	list network 'lan2'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option wan '0'

Output of various commands:

root@DJA0230:~# ip -4 -o a
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
12: eth4    inet 10.20.30.110/24 brd 10.20.30.255 scope global eth4\       valid_lft forever preferred_lft forever
16: eth3    inet 192.168.3.1/24 brd 192.168.3.255 scope global eth3\       valid_lft forever preferred_lft forever
23: wl0_1    inet 192.168.2.126/25 brd 192.168.2.127 scope global wl0_1\       valid_lft forever preferred_lft forever
24: wl1_1    inet 192.168.2.254/25 brd 192.168.2.255 scope global wl1_1\       valid_lft forever preferred_lft forever
26: br-lan    inet 192.168.145.1/24 brd 192.168.145.255 scope global br-lan\       valid_lft forever preferred_lft forever
root@DJA0230:~# ip -4 route
default via 10.20.30.1 dev eth4 proto static src 10.20.30.110 metric 1
10.20.30.0/24 dev eth4 proto static scope link metric 1
192.168.2.0/25 dev wl0_1 proto kernel scope link src 192.168.2.126
192.168.2.128/25 dev wl1_1 proto kernel scope link src 192.168.2.254
192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.1
192.168.145.0/24 dev br-lan proto kernel scope link src 192.168.145.1
239.0.0.0/8 dev br-lan scope link
root@DJA0230:~#

I am hoping I have just missed something simple...

Thanks.

[LuKePicci]

You goal is fine and doable. There is a major big issue in your configs on your switch configuration.

The main point is that eth0-eth3 are not distinct adapters but they are DSA mappings to RJ45 switch ports.

Not sure if the official Openwrt DSA drivers (not available in tch firmwares) behave differently, but here with your current config the host connected to RJ45 LAN port mapped to eth3 is able to send packets to every other host connected on other switch ports since they all belong to the same VLAN. All you said so far in configs is that packets arriving at the switch from that RJ45 port and exiting the switch from the CPU port and showing up into eth3 device will be considered as being related to lan2 interface. You need to enable VLAN on the switch and set the first three ports as part of a different VLAN then the fourth. AFAIR you must set the switch to tag packets going to the CPU even if DSA is used. But that never had much sense to me (maybe DSA driver limitation/bug by bcm? ).

[seud0nym]

So does that mean I need to do something like the answer in this post:
#132 (comment)

[seud0nym]

I have tried the config below, and it is worse than before: the DHCPDISCOVER doesn't reach dnsmasq at all. At least the other way it was just the return DHCPOFFER that was lost.

EDIT: I have added a new switch stanza as follows:

config switch 'bcmsw_ext'
        option name 'bcmsw_ext'
        option reset '1'
        option type 'bcmsw'
        option unit '1'
        option enable_vlan '1'

and changed the device options in the switch_vlan stanzas to match, and the DHCPDISCOVER messages now arrive and the DHCPOFFER gets sent, but it still doesn't arrive back at the requesting client. The VLAN configuration has made no difference at all.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option default_ps '0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '0'
	option force_link '1'
	option rpfilter '1'
	list pppoerelay ''
	option ipaddr '192.168.145.1'
	option ifname 'eth0_1 eth1_1 eth2_1'

config switch
	option name 'bcmsw'
	option reset '1'
	option enable_vlan '1'

config switch 'bcmsw_ext'
        option name 'bcmsw_ext'
        option reset '1'
        option type 'bcmsw'
        option unit '1'
        option enable_vlan '1'

config device 'eth0_1'
	option type '8021q'
	option ifname 'eth0'
	option name 'eth0_1'
	option vid '1'

config device 'eth1_1'
	option type '8021q'
	option ifname 'eth1'
	option name 'eth1_1'
	option vid '1'

config device 'eth2_1'
	option type '8021q'
	option ifname 'eth2'
	option name 'eth2_1'
	option vid '1'

config device 'eth3_103'
	option type '8021q'
	option ifname 'eth3'
	option name 'eth3_103'
	option vid '103'

config switch_vlan
	option device 'bcmsw_ext'
	option vlan '1'
	option ports '0* 1* 2* 8t'

config switch_vlan
	option device 'bcmsw_ext'
	option vlan '103'
	option ports '3* 8t'

config interface 'Guest1'
	option proto 'static'
	option ip6assign '64'
	option ip6hint '1'
	option netmask '255.255.255.128'
	option ipaddr '192.168.2.126'
	option ifname 'wl0_1'
	option force_link '1'
	option rpfilter '1'

config interface 'Guest1_5GHz'
	option proto 'static'
	option ip6assign '64'
	option ip6hint '2'
	option netmask '255.255.255.128'
	option ipaddr '192.168.2.254'
	option ifname 'wl1_1'
	option force_link '1'
	option rpfilter '1'

config interface 'ppp'
	option proto 'pppoe'
	option metric '10'
	option username '[email protected]'
	option password 'new2dsl'
	option keepalive '4,20'
	option iface6rd '0'
	option graceful_restart '1'
	option auto '0'
	option ifname 'atm_8_35'

config interface 'ipoe'
	option proto 'dhcp'
	option metric '1'
	option reqopts '1 3 6 43 51 58 59'
	option release '1'
	option iface6rd '0'
	option vendorid 'technicolor'
	option auto '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option defaultreqopts '0'
	option reqopts '23 17'
	option reqaddress 'force'
	option noslaaconly '1'
	option iface_464xlat '0'
	option forceprefix '1'
	option soltimeout '240'
	option ifname 'eth4'

config interface 'wwan'
	option enabled '0'
	option proto 'mobiled'
	option session_id '0'
	option profile '1'
	option iface_464xlat '1'

config device 'eth4'
	option name 'eth4'
	option mtu '1500'
	option mtu6 '1500'
	option neighreachabletime '1200000'
	option neighgcstaletime '2400'

config device 'atm_8_35'
	option name 'atm_8_35'
	option neighreachabletime '1200000'
	option neighgcstaletime '2400'

config device 'ptm0'
	option name 'ptm0'
	option neighreachabletime '1200000'
	option neighgcstaletime '2400'

config ppp_placeholder
	option uciname 'pppoe-wan'

config config 'config'

config interface 'lan2'
	option proto 'static'
	option ip6assign '64'
	option ip6hint '3'
	option netmask '255.255.255.0'
	option ipaddr '192.168.103.1'
	option force_link '1'
	option rpfilter '1'
	option ipv6 '1'
	option ifname 'eth3_103'

config interface 'wan'
	option reqopts '1 3 6 43 51 58 59'
	option iface6rd '0'
	option vendorid 'technicolor'
	option metric '1'
	option release '1'
	option proto 'dhcp'
	option ifname 'eth4'