Temat: Konfiguracja VLAN - Potrzebna pomoc
Cześć Panowie,
Piszę z prośbą o wsparcie w sprawie konfiguracji VLAN-ów na routerze Xiaomi Mi AX1600, bazującym na OpenWrt 18.06.
Potrzebuję utworzyć 3 VLAN-y dla urządzeń w sieci:
- Główny - Sieć ogólna - wifi itp.
- 3 - Sieć dla urządzeń typu TV
- 4 - Sieć dla IoT
- 5 - Sieć dla VM
Założenia:
- Każda z sieci ma dostęp do internetu
- Możliwy routing między sieciami (w VLAN 5 jest PiHole dla DNS)
Info o sieci:
- ROUTER:
- ETH0 - Wygląda na SoC
- ETH1 - Podłączone urządzenie (bez VLAN)
- ETH2 - Podłączony zarządzalny switch TP-Link (wspiera VLAN)
- ETH3 - Podłączony zarządzalny switch TP-Link (wspiera VLAN)
- ETH4 - WAN
Moja konfiguracja wygląda następująco:
- FIREWALL:
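# /etc/config/firewall as posted (vendor firmware on OpenWrt 18.06).
# Review changes: the 'wan -> vlan3' and 'wan -> vlan5' forwardings were
# removed. They admitted unsolicited traffic from the WAN side into the TV
# and VM networks, and nothing in the stated goals (internet access for each
# network, routing between the VLANs) needs them. Every other line is as
# posted; the remaining comments only explain or flag what is here.
config defaults
# SYN-flood protection is off; '1' is the usual choice on a WAN-facing router.
option syn_flood '0'
# Traffic to and from the router itself is allowed by default; the zones
# below override this per network (wan uses REJECT).
option input 'ACCEPT'
option output 'ACCEPT'
# Forwarding between zones is denied unless a zone or a 'config forwarding'
# section below allows it.
option forward 'REJECT'
option drop_invalid '1'
option disable_ipv6 '1'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# masq on the lan zone NATs everything forwarded *into* lan, so hosts in
# vlan3/4/5 will appear to lan hosts as 10.10.1.1. Usually only the wan zone
# masquerades; this does not break connectivity but it hides the real
# source address from logs and from any host-based allow lists in lan.
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# Default OpenWrt WAN input rules (DHCP renew, ping, DHCPv6, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule 'Forbidden_Wan_RA'
option name 'Forbidden_Wan_RA'
option dest 'wan'
option proto 'icmp'
list icmp_type 'router-advertisement'
option family 'ipv6'
option target 'REJECT'
# The 'firewall.sysapi.loader' includes below are presumably vendor (MiWiFi)
# hooks. Their content is not visible in the post, so what they add on top
# of the VLAN zones cannot be assessed from here.
config include 'webinitrdr'
option path '/lib/firewall.sysapi.loader webinitrdr'
option reload '1'
option enabled '1'
config include 'dnsmiwifi'
option path '/lib/firewall.sysapi.loader dnsmiwifi'
option reload '1'
option enabled '1'
config include 'macfilter'
option path '/lib/firewall.sysapi.loader macfilter'
option reload '1'
option enabled '1'
config include 'miqos'
option path '/lib/firewall.sysapi.loader miqos'
option reload '1'
config include 'firewalluser'
option path '/etc/firewall.user'
option reload '1'
config include 'ipv6_masq'
option path '/lib/firewall.sysapi.loader ipv6_masq'
option reload '1'
# The 'guest' zone referenced by the next three rules is not defined
# anywhere in the posted config — presumably a vendor default that is
# unused here.
config rule 'guest_8999'
option name 'Hello wifi 8999'
option src 'guest'
option proto 'tcp'
option dest_port '8999'
option target 'ACCEPT'
config rule 'guest_8300'
option name 'Hello wifi 8300'
option src 'guest'
option proto 'tcp'
option dest_port '8300'
option target 'ACCEPT'
config rule 'guest_7080'
option name 'Hello wifi 7080'
option src 'guest'
option proto 'tcp'
option dest_port '7080'
option target 'ACCEPT'
# Vendor 'ready' zone: everything dropped except DHCP and tcp/786 below.
config zone 'ready_zone'
option name 'ready'
list network 'ready'
option input 'DROP'
option forward 'DROP'
option output 'DROP'
config rule 'ready_dhcp'
option name 'DHCP for ready'
option src 'ready'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
config rule 'ready_dhcp_out'
option name 'DHCP for ready'
option dest 'ready'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
config rule 'ready_minet_in'
option name 'minet ready'
option src 'ready'
option dest_port '786'
option proto 'tcp'
option target 'ACCEPT'
config rule 'ready_minet_out'
option name 'minet ready'
option src 'ready'
option src_port '786'
option proto 'tcp'
option target 'ACCEPT'
# Accepts 51413 tcp/udp from the WAN side to the router itself (there is no
# 'dest', so this is INPUT, not a port forward). Keep it only if something on
# the router actually listens there; otherwise it is an open port for no
# benefit.
config rule 'ptdownload'
option name 'ingress port for PT download'
option src 'wan'
option dest_port '51413'
option proto 'tcpudp'
option target 'ACCEPT'
option family 'ipv4'
config include 'raw_notrack'
option type 'script'
option path '/etc/firewall.d/raw_notrack'
option family 'any'
option reload '1'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'IPv4'
option reload '1'
config include 'qcanssecm'
option type 'script'
option path '/etc/firewall.d/qca-nss-ecm'
option family 'any'
option reload '1'
# VLAN zones. 'input ACCEPT' lets every device in these networks reach all
# services on the router (web UI, SSH, DNS, DHCP). For the IoT network in
# particular, a tighter form is 'input REJECT' plus explicit accept rules
# for udp/67-68 and tcp+udp/53.
config zone
option name 'vlan3'
option network 'vlan3'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'vlan3'
config forwarding
option src 'vlan3'
option dest 'lan'
config forwarding
option src 'vlan3'
option dest 'wan'
# (removed in review: 'config forwarding' with src 'wan', dest 'vlan3')
config zone
option name 'vlan4'
option network 'vlan4'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'vlan4'
config forwarding
option src 'vlan4'
option dest 'lan'
# vlan4 -> wan is present, so the firewall is not what keeps the IoT
# network off the internet; look at the network config for that.
config forwarding
option src 'vlan4'
option dest 'wan'
# vlan4 <-> vlan5 is open in both directions so IoT devices can reach the
# PiHole. A rule limited to the PiHole's address and port 53 would give the
# IoT network far less reach into the VM network.
config forwarding
option src 'vlan4'
option dest 'vlan5'
config forwarding
option src 'vlan5'
option dest 'vlan4'
config zone
option name 'vlan5'
option network 'vlan5'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'vlan5'
config forwarding
option src 'vlan5'
option dest 'lan'
config forwarding
option src 'vlan5'
option dest 'wan'
# (removed in review: 'config forwarding' with src 'wan', dest 'vlan5')
config forwarding
option src 'vlan3'
option dest 'vlan5'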
config forwarding
option src 'vlan5'
option dest 'vlan3'
- NETWORK:
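# /etc/config/network as posted. Review changes: the missing opening quote
# on the lan 'macaddr' value (posted as: option macaddr 00:00') is restored,
# and the 'option gateway' lines on vlan3, vlan4 and vlan5 are removed. Each
# of them named the interface's own address as its gateway, which is not a
# reachable next hop, and a gateway on a proto 'static' interface is what
# netifd turns into a default route — so, if the kernel accepts them, three
# extra default routes compete with the real one via 192.168.0.254 on wan.
# That would fit the intermittent loss of internet access described in the
# post (TODO confirm with 'ip route' on the router). DHCP clients in each
# VLAN still receive the interface address (10.10.x.254) as their router,
# which is presumably what the removed options were meant to express.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# reset '1' clears the switch's VLAN table before the switch_vlan entries
# below are applied. NOTE(review): ports 3 and 4 get pvid 1 further down, but
# no 'switch_vlan' with vid 1 is shown — if one is really absent, untagged
# frames on those ports have no VLAN to land in after the reset. Check
# whether a vid 1 entry exists and simply was not pasted.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config interface 'eth4'
option ifname 'eth4'
option keepup '1'
# WAN is a static address behind another router (192.168.0.254), i.e. double
# NAT; the posted macaddr '00:00' is presumably redacted.
config interface 'wan'
list dns '8.8.8.8'
list dns '8.8.4.4'
option mtu '1500'
option netmask '255.255.255.0'
option proto 'static'
option gateway '192.168.0.254'
option macaddr '00:00'
option ifname 'eth4'
option ipaddr '192.168.0.1'
# Untagged LAN bridge over eth1/eth2/eth3. Note 'ipv6 0' here while the DHCP
# config still runs a DHCPv6/RA server on lan — see /etc/config/dhcp.
config interface 'lan'
option igmp_snooping '0'
option proto 'static'
option ipaddr '10.10.1.1'
option netmask '255.255.255.0'
option ifname 'eth1 eth2 eth3'
option multicast_querier '0'
option type 'bridge'
# opening quote restored in review (posted as: option macaddr 00:00')
option macaddr '00:00'
option force_link '1'
option ipv6 '0'
option ieee1905managed '1'
# NOTE(review): vlan3 and vlan5 bridge eth0.N together with eth2.N/eth3.N,
# while vlan4 bridges eth0.4 alone — and vlan4 is the network that never
# gets internet. Which of these netdevs actually carries the tagged frames
# from switch ports 3/4 (port 0 is tagged for every VLAN below) cannot be
# determined from the post. If eth0 is the CPU side of switch0, bridging
# both eth0.N and eth2.N/eth3.N may hand the bridge the same frame twice;
# if eth2/eth3 are the real port netdevs, vlan4 is missing its members.
# Compare 'brctl show' and a tcpdump on each member before changing this.
config interface 'vlan3'
option ipaddr '10.10.3.254'
option netmask '255.255.255.0'
option proto 'static'
option type 'bridge'
option ifname 'eth0.3 eth2.3 eth3.3'
config interface 'vlan4'
option ipaddr '10.10.4.254'
option netmask '255.255.255.0'
option proto 'static'
option type 'bridge'
option ifname 'eth0.4'
config interface 'vlan5'
option ipaddr '10.10.5.254'
option netmask '255.255.255.0'
option proto 'static'
option type 'bridge'
option ifname 'eth0.5 eth2.5 eth3.5'
# VLANs 3/4/5 tagged on port 0 (presumably the CPU port) and on ports 3 and
# 4 (the two TP-Link switches).
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 3t 4t'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '4'
option ports '0t 3t 4t'
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '5'
option ports '0t 3t 4t'
config switch_port
option port '3'
option pvid '1'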
config switch_port
option port '4'
option pvid '1'
- DHCP:
# /etc/config/dhcp as posted. Comments added in review; no line was changed.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# DNS rebinding protection is off: upstream answers that point at private
# addresses are accepted. If it was disabled so the PiHole can return
# 10.10.x.x names, 'rebind_protection 1' plus 'list rebind_domain' for the
# local domain is the narrower setting — TODO confirm why it is off.
option rebind_protection '0'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
# Only answers DNS queries from directly attached networks.
option localservice '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# NOTE(review): DHCPv6 and RA are enabled here, but the lan interface has
# 'ipv6 0' and the firewall defaults set 'disable_ipv6 1', so these two
# lines are presumably inert — confirm rather than rely on it.
config dhcp 'lan'
option dhcpv6 'server'
option ra 'server'
option limit '150'
option ra_default '1'
option start '100'
option force '1'
option leasetime '720m'
option interface 'lan'
# Every pool in this file hands clients Google DNS directly (option 6),
# which bypasses the PiHole the post says lives in vlan5. To actually
# resolve through it, point option 6 at the PiHole's address instead,
# e.g. '6,<pihole-address-in-10.10.5.0/24>'.
list dhcp_option '6,8.8.8.8,8.8.4.4'
# VLAN pools: .1-.250 with the router at .254, so the ranges do not collide
# with the interface addresses.
config dhcp 'vlan3'
option limit '250'
option start '1'
option leasetime '720m'
option interface 'vlan3'
list dhcp_option '6,8.8.8.8,8.8.4.4'
config dhcp 'vlan4'
option limit '250'
option start '1'
option leasetime '720m'
option interface 'vlan4'
list dhcp_option '6,8.8.8.8,8.8.4.4'
config dhcp 'vlan5'
option limit '250'
option start '1'
option leasetime '720m'
option interface 'vlan5'
list dhcp_option '6,8.8.8.8,8.8.4.4'
Wszystko niby wydaje się OK, ale niektóre z urządzeń nie mogą poprawnie łączyć się z internetem. Raz VLAN 5 traci dostęp, a VLAN 4 nie ma go w ogóle. Restart na chwilę pomaga, ale później i tak problemy wracają.
Czy widać coś, co może być przyczyną?