
I'm trying to set up a separate VLAN for my work network using OpenWRT, while keeping it isolated from my home network but still having internet access. Here's my current setup:

  • Main Router (HGU from Movistar): Provides internet access with DHCP enabled, using IP range 192.168.1.x.
  • OpenWRT Router: Connected to the HGU. It's set to 192.168.2.1 and should handle the work network.

Objective:

  • Connect the HGU to port 1 on the OpenWRT router.
  • Use port 4 on the OpenWRT router for the work network, isolated from the home network.
  • Ensure the work network has internet access.

Current Configuration:

  1. VLAN Setup:
  • VLAN 1: Port 1 (connected to HGU) is untagged.
  • VLAN 2: Port 4 is untagged, CPU (eth0) is tagged.
  2. Interface Settings for VLAN:
  • Device: eth0.2
  • Protocol: Static address
  • IPv4 address: 192.168.2.1/24
  • IPv4 gateway: 192.168.1.1 (HGU's IP)
  • DNS: Tried using 8.8.8.8
  3. Firewall Settings:
  • Zone for VLAN:
    • Input: accept
    • Output: accept
    • Forward: reject
    • Masquerading: Enabled
    • Forwarding to wan allowed

Issue:

The work network device gets an IP in the 192.168.2.x range but has no internet access. I've checked connections, firewall rules, and interface settings, but can't seem to resolve the issue.

What I've Tried:

Verified physical connections. Ensured firewall masquerading and forwarding settings are correct. Checked gateway and DNS settings. Restarted all devices. Any advice or guidance would be greatly appreciated!

  • Is the OpenWrt router itself (i.e. the CPU port) not part of VLAN 1? Commented Mar 10 at 16:30
  • Is port 1 on the OpenWRT router the WAN port + is NAT configured? The client gateway IP needs to be in the same subnet, so devices in 192.168.2.0/24 should have a gateway of 192.168.2.1. Can one of those devices ping the HGU router? Commented Mar 10 at 19:50

1 Answer

In the past I have built a configuration similar to what you are looking for with a single OpenWRT router:

  • The WAN port connects to the Cable modem.
  • The Switch is split 3 ports for home, 1 port for work (all untagged).
  • The CPU port is tagged.
  • I then bridge the home VLAN with the 2 wireless networks; let's call the bridged network "LAN".
  • No bridging is needed for the work network since it's only a single VLAN; let's call that "WORK".
  • Assign 1 subnet + DHCP + NAT to LAN, say 192.168.1.0/24
  • Assign 1 subnet + DHCP + NAT to WORK say 192.168.2.0/24

Without any routing / firewall rules between LAN and WORK the two subnets are isolated from each other and both have internet access.


The problem in your setup is the HGU router: unless you can switch it to just bridge (so you treat it like a dumb cable modem), you will get double NAT (from the HGU router and again from the OpenWRT router).

Cutting to the chase, if you cannot avoid double NAT, you may as well just embrace it.

Let's say your HGU router is providing an internal LAN of 192.168.1.0/24; you can then just connect another router (OpenWRT in this case) to that router and NAT again to 192.168.2.0/24.

  • The 192.168.2.? network will have access to hosts on 192.168.1.?
  • Without additional configuration (such as port forwarding) hosts on the 192.168.1.? network will be blocked by the firewall/NAT on OpenWRT router so won't be able to initiate new connections to hosts on the 192.168.2.0/24 network.
  • Both networks will have internet access.
  • Broadcast protocols/discovery probably won't cross the OpenWRT router so most of the time the networks will be fairly isolated.

Based on the access pattern outlined above you will need to pick which of the two networks you want to use for work and which for home.

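The double-NAT layout the answer describes, written out as OpenWrt UCI config (an added example, not taken from the answer or from OpenWrt's own docs). It assumes a swconfig-style switch named `switch0` with the CPU on port 0, the `device` key of OpenWrt 21.02 or later (older releases use `ifname`), and that DSA-based targets would express the VLANs as bridge-vlan stanzas instead; the key points are the CPU port tagged on both VLANs, a real `wan` interface taking its gateway from the HGU's DHCP lease, masquerading on the `wan` zone only, and a single `work -> wan` forwarding so nothing on the HGU side can initiate into the work subnet.

```uci
# /etc/config/network  (switch0 / port numbers are assumptions;
# confirm with: swconfig dev switch0 show)
config switch
        option name 'switch0'
        option enable_vlan '1'

# VLAN 1: port 1 (to the HGU) + CPU tagged -> eth0.1, used as wan
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 0t'

# VLAN 2: port 4 (work desk) + CPU tagged -> eth0.2, used as work
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 0t'

# wan is a DHCP client on the HGU's 192.168.1.0/24, so the default
# route arrives with the lease; no static gateway goes on 'work'
config interface 'wan'
        option device 'eth0.1'
        option proto 'dhcp'

config interface 'work'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

# /etc/config/firewall
config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'      # NAT on the way out to the HGU side

config zone
        option name 'work'
        list network 'work'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# only work -> wan; the absence of a wan -> work forwarding (plus
# input REJECT on wan) is what keeps home hosts from reaching work
config forwarding
        option src 'work'
        option dest 'wan'
```

After editing, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` apply the change; a work client should then show 192.168.2.1 as its gateway and be able to reach the HGU at 192.168.1.1.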
  • It can absolutely cross the NAT. The usual issue is either that the "outer" network doesn't have a route towards the inner one (so it doesn't know where to reach it to begin with), or that the NAT interface is a "WAN" interface in OpenWrt and accordingly has a block-by-default firewall rule set. But if a route inwards were present, NAT alone would not really block anything (the NAT rule wouldn't even trigger for inbound traffic). Commented Mar 11 at 14:04
  • Re-phrased "can't cross" to cannot initiate new connections without additional configuration. Commented Mar 11 at 17:29
