Help needed with VLANs with Omnia and OS5.3.5

Hello,
I’m new to Turris Omnia and OpenWRT.

So far, I’m not able to understand how to set-up my VLANs on this router. The internet search I made pointed to good detailed procedures that are marked as obsolete by other posts (e.g. managing switch interface), or more recent posts that are either too high level (VLAN - Turris Documentation) or not corresponding to my set-up (like the guest wifi exiting through WAN).

Right now, I need Omnia to replace a Cisco Wifi AP and it needs to be connected to an EdgeRouter doing all the router/firewall/gateway work.
I need to configure the Omnia with same configuration as the current AP, as I don’t want to change rules in the EdgeRouter for the moment.

I made trial and errors, but I’m not where I want to be :sob:

To start this journey, I’m first trying to do an initial set-up:

  • Omnia needs to support 2 Vlans:
    Vlan2 is for managing network devices, the Omnia in this case
    Vlan5 is for devices connected via Wifi

  • VLAN2 and VLAN5 are both connected to the EdgeRouter on Lan4
    on the Edgerouter side, the PVID is Vlan2 and the VID is Vlan4
    static IPv4 for Omnia interfaces

  • Vlan5 needs of course to be set-up with Wifi
    devices connected to Wifi shall obtain IP via DHCP managed by Edgerouter

  • Vlan2 and Vlan5 shouldn’t talk to each other
    Omnia management interfaces (SSH, http, etc) need to be accessible only from Vlan2

How do I clean start to make this work?

So far, I managed cisco and Edgerouter via their GUI, but if CLI is required for Omnia, I can do SSH.

There is something wrong I do, but can’t figure what :interrobang:

If I set-up a standard interface on lan4 with static IP in same subnetwork of the Edgerouter pvid, communication is OK:

  • I can ping from omnia to edgerouter
  • I can ping from edgerouter to omnia

When I try to set-up a VLAN using this config generated via GUI

config interface '50_Normal'
	option proto 'static'
	option type 'bridge'
	option ipaddr '10.0.50.4'
	option netmask '255.255.255.0'
	list dns '10.0.50.1'
	option gateway '10.0.50.1'
	option ifname 'eth0.5 lan4.5'

then networking is not established:

  • from omnia I can ping its interface 10.0.50.4 but not 10.0.50.1 on edgerouter nor other IP on this subnetwork “Destination Port Unreachable” with omnia firewall started and “Destination Host Unreachable” with omnia firewall stopped
  • from the edgerouter, I can ping 10.0.50.1 and other devices, but not the omnia 10.0.50.4 “Destination Host Unreachable” (with omnia firewall started or stopped)
  1. Any advice to make this work?

Also, I can see in youtube videos that an easy VLAN set-up on OpenWRT could be achieved via “device” tab under “network” section, but I haven’t got such tab on my Turris OS Luci…
It only shows 2 tabs under “network”:

  • “interfaces”
  • “global network options”
  1. is there any reason why this “device” tab is not available on Omnia?

It will be available in Turris OS 6.

Try to find another related VLAN topics in this forum. Some can help you with configuration.

Don't know if you configured it, but you should additionally:
In LuCI, from Interfaces:
at the Firewall Settings tab, add a new zone (each subnet requires a new zone)
at the DHCP Server tab, configure General Setup and, at Advanced Settings, add DHCP-Options.
Then
from Firewall, configure your new zone, add DHCP and DNS firewall rules (you can take inspiration from the existing lan), and add the necessary forwardings from/to your new zone.

At the end it will look like
in /etc/config/dhcp

config dhcp '50_Normal'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface '50_Normal'
	list dhcp_option '6,10.0.50.1'

and in /etc/config/firewall

config zone
	option name '50_Normal'
	option input 'REJECT'
	option forward 'REJECT'
	list network '50_Normal'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src '50_Normal'

config rule
	option dest_port '67-68'
	option src '50_Normal'
	option name '50_Normal dhcp'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '53'
	option src '50_Normal'
	option name '50_Normal dns'
	option target 'ACCEPT'

This is an example basic setup to give you inspiration. Then you will do more configuration for your needs.
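
Added example, not part of the original posts: a small Python audit of a UCI firewall file against the isolation goal stated in this thread (the Wi-Fi zone must not reach the router's management ports or the management zone). The zone name `mgmt`, the port set and the sample rule `oops` are assumptions made for illustration.

```python
import shlex

MGMT_PORTS = {22, 80, 443}  # assumed admin services: SSH, HTTP, HTTPS
# Constructed input: zone from the post above plus a deliberately broad rule.
SAMPLE = """
config zone
	option name '50_Normal'
	option input 'REJECT'
config rule
	option name 'oops'
	option src '50_Normal'
	option dest_port '20-25'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into one dict per section; list values are space-joined."""
    secs = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            secs.append({".type": tok[1]})
        elif len(tok) == 3 and tok[0] in ("option", "list") and secs:
            secs[-1][tok[1]] = (secs[-1].get(tok[1], "") + " " + tok[2]).strip()
    return secs

def tcp_ports(rule):
    """TCP ports a rule covers (absent proto is assumed to include TCP)."""
    if not {"tcp", "tcpudp", "all"} & set(rule.get("proto", "tcp").split()):
        return set()
    out = set() if "dest_port" in rule else set(MGMT_PORTS)  # no port = all
    for part in rule.get("dest_port", "").replace(":", "-").split():
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(text, zone, mgmt_zone):
    """List settings that let `zone` reach router admin ports or `mgmt_zone`."""
    secs, found = parse_uci(text), []
    z = [s for s in secs if s[".type"] == "zone" and s.get("name") == zone]
    if not z or z[0].get("input", "").upper() not in ("REJECT", "DROP"):
        found.append(f"zone {zone}: input policy is not REJECT/DROP")
    for s in [s for s in secs if s.get("src") == zone]:
        accept = s[".type"] == "forwarding" or s.get("target", "").upper() == "ACCEPT"
        if accept and s.get("dest") == mgmt_zone:
            found.append(f"{s['.type']} allows {zone} -> {mgmt_zone}")
        elif accept and "dest" not in s and (hit := tcp_ports(s) & MGMT_PORTS):
            found.append(f"rule '{s.get('name')}' opens {sorted(hit)}")
    return found
```

Call `audit(text, '50_Normal', 'mgmt')` with the contents of /etc/config/firewall as `text`; an empty list means none of the three checks fired.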

@hagrid , does it mean that we can’t set-up VLANs before OS6, or that it is much more difficult to do it at the moment?

@iron-maiden , I’ll try modifying the firewall.
Ping response was different yet negative with firewall started or stopped, although I would have thought that doing ping on same subnetwork would not require any particular firewall settings. Is there something particular to know within OpenWRT?

Yes, it should work in the same subnet without any particular firewall setting.

What I posted above is general basic setup for a subnet.

Thanks, this will help in the next steps.

For some reasons, after reboot omnia reverted to factory default set-up (except management password). I need to redo experiments to set-up the VLAN and try to achieve at least basic connectivity…

The absence of tools in LuCI can make VLAN setup more difficult for many users.

Indeed, it is not easy.
With the reboot and fresh reentry of parameters, it seems I’m able to ping the VLAN interface!
I’ll do some more tests to ensure it is properly working.
Probably that trials and errors broke something that made the good configuration not working yesterday. As we all know, if it doesn’t work, just reboot it :rofl:

But this is Linux.

When in trouble;
Linux beroot, windows reboot :grin:

Well, yes, you can create VLAN, by creating the sub-interfaces with the correct VLAN tag. I personally do not like this approach and prefer to do the VLAN filtering on the bridge, like this (available on TOS6)

root@office-omnia:~# bridge link show
5: lan0@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 4 
6: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-lan state disabled priority 32 cost 4 
7: lan2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 19 
8: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 4 
9: lan4@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 4 
root@office-omnia:~# bridge vlan show
port              vlan-id  
lan0              1
                  10
                  255
lan1              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan3              1 PVID Egress Untagged
lan4              2006 PVID Egress Untagged
br-lan            1
                  10
                  255
                  2006

You can find more info about bridge VLAN filtering at VLAN filter support on bridge | Red Hat Developer
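
Added example, not part of the original post: a Python check that parses `bridge vlan show` output in the layout quoted above and compares it with an intended port plan for a VLAN-filtering bridge. The plan passed to `check_segmentation` (which ports are access ports, which are trunks) is an assumption supplied by the caller.

```python
# Constructed input: the `bridge vlan show` output quoted in the post above.
SAMPLE = """\
port              vlan-id
lan0              1
                  10
                  255
lan1              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan3              1 PVID Egress Untagged
lan4              2006 PVID Egress Untagged
br-lan            1
                  10
                  255
                  2006
"""

def parse_bridge_vlan(text):
    """Return {port: {vid: flags}}; indented lines continue the previous port."""
    table, port = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "port":   # blank line or header row
            continue
        if not line[0].isspace():               # a new port starts in column 0
            port = fields.pop(0)
            table[port] = {}
        if port is not None and fields:
            table[port][int(fields[0])] = set(fields[1:])
    return table

def check_segmentation(table, access, trunks):
    """access: {port: vid} untagged edge ports; trunks: {port: allowed tagged vids}."""
    problems = []
    for port, vid in access.items():
        vlans = table.get(port, {})
        if set(vlans) != {vid} or not {"PVID", "Untagged"} <= vlans[vid]:
            problems.append(f"{port}: expected only VLAN {vid} as untagged PVID, got {sorted(vlans)}")
    for port, allowed in trunks.items():
        vlans = table.get(port, {})
        extra = sorted(set(vlans) - set(allowed))
        untagged = sorted(v for v, f in vlans.items() if "Untagged" in f)
        if extra or untagged:
            problems.append(f"{port}: unexpected VLANs {extra}, untagged {untagged}")
    return problems
```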

This will be very helpful.

Although the configuration I did through the current OS5 Luci GUI seems to work, it is very surprising when I look at "bridge link show":

All the VLAN IDs are set at 1 PVID Egress Untagged, even with eth0.5 or Lan4.5

This is very strange