Link to the diagram used in the video gyazo.com/bd3d8ee46e581597bfe...
Жүктеу.....
Пікірлер: 35
@sandikodev17 күн бұрын
great explanation, you make the day
@ramosel Жыл бұрын
VLAN filtering works pretty well, but it's best to just kill all the stock interfaces and create all your VLANS as 802.1q, then bridge. Also, VERY helpful: Add software package for "ip-bridge". It gives you a really good method via SSH to see the VLANs and confirm the GUI setup.
@raughboy188
Ай бұрын
When you make vlans make one extra where anything untagged can be sent and it doesn't have to have any interface asigned to it, such Vlan is often refered to as Black Hole vlan.
@ramosel
Ай бұрын
@@raughboy188 Yep, agree.
@raughboy188
Ай бұрын
@@ramosel having black hole vlan can help you possibly prevent VLAN hopping attack.
@Keith_P Жыл бұрын
Nicely done. Much appreciated on the explanations.
@matteorutamat Жыл бұрын
You save my day!
@hiyoshi177 Жыл бұрын
Very nice and heplful.
@cp-xl7lo8 ай бұрын
perfetto .. funziona alla grade nella mia rete... molto simile ... pfsense.... > switch managed trunk port ---> vlan OPENWRT... iot -wifi ..THANK !!!
@TismoGaming8 ай бұрын
Awesome video. How did you setup the boosters. I have a couple of TP-Link consumer routers that I could use as APs but not sure how you set your up to use as boosters
@raughboy188Ай бұрын
I need to correct you. Most IOT devices can use both 2.4 and 5ghz. Enable on your wifi to have both avaliable bit make sure that whichever device you can is configured to ise 5ghz band to reduce interfearances because everything in your house that can disrupt network works on 2.4 ghz. Not all IOT devices can use 2.4ghz but whenever you have an option to use 5ghz band go for it. 5ghz band had 36 channels i think and 2.4 ghz has 13. Do the and you'll understand.
@struggle37511 ай бұрын
Thanks
@bassjmr18 күн бұрын
unfortunatelly this doesn't work anymore... if you configure a new bridge on lan1 you need to delete that port from the old bridge. You can’t use same port on two bridges anymore.
@beefnuts2941 Жыл бұрын
I have an XR500 which made the ports named kind of goofy, so it was hard to follow any tutorials on setting them up in here. Theres 4 LAN ports but they are all referenced through 2 "CPU(eth)" interfaces so its a further layer of confusion. I ended up tagging all my vlans in the switch page, then creating a bridge device for each vlan with the management vlan individually. Then creating an unmanaged interface for each vlan bridge device that i can assign to the wireless. They are going through a trunk to a managed switch which is trunked to a firewall. It's working without the 'vlan bridge filtering' stuff, and I only have one static address for management configured on the openwrt. hope any of that makes sense.
@pragmaticsecurity
Жыл бұрын
I unfortunately have a few routers that also use that imbedded switch tab with two cpu ports. I honestly kept my config the same and just tagged the cpu ports due to having other issues earlier. If it works though and the traffic is segmented thats really whats important!
@Treeck57 Жыл бұрын
Hello there. I've watched your video part 1 and a bit of part 2 as well. But I do have a different situation with my home network setup. I have Openwrt running on x86 PC as a router and connected to TP-Link TL-SG1016PE v1. I wanted to have three different vlan IDs. So I want to have similar idea as yours, but mine is different because it's directly to connect to my TP-Link smart managed switch since I have two WIFI APs (has three SSIDs) and one LAN for everything else. I want to assign vlan on those three ones. Will this setup works? I'm pretty newbie with vlan configuration. I'm very familiar with Openwrt but vlan.
@pragmaticsecurity
Жыл бұрын
I think it should work, as long as you remain consistent with ALL of your VLAN rules. I dont have a lot of experience pushing VLANS to another OpenWrt device but I imagine as long as your firewall zones are not blocking one zone on one device it should be ok. Only wildcard is how the switch works with VLANS and where exactly it is in the network.
@petecordero7160 Жыл бұрын
I like
@SnakZ Жыл бұрын
couldnt the red line ( internet line) just connect to the wan port on the router ? I know it probably doesn't matter as all ports can be change to but yeah :D
@pragmaticsecurity
Жыл бұрын
Yes you could do that. In my experience sometimes I had some odd issues with it but every router will be different!
@tonyeckel6524 Жыл бұрын
Would it be at all possible to publish the network diagram to allow viewers to "Follow along"???
@pragmaticsecurity
Жыл бұрын
Sure let me see if I can find the original one from this video. I am in the process of making a new set of videos that covers more deployments from different diagrams not just what I was doing at the time I made this video. If I find it I will put it in the description of this video.
@pragmaticsecurity
Жыл бұрын
I found it, ill put it in description somehow!
@IAmMan- Жыл бұрын
Why the double bridge? Why not remove lan1 from br-lan, then add lan1 to a new bridge and do the vlan filtering on the lan1 bridge?
@pragmaticsecurity
Жыл бұрын
So at some points I was able to actually use both the bridges and it was very convenient. However there are some strange things that happen now when I use the double bridge and it pretty much just becomes as you say now. I think the solution you proposed is probably slightly less of a headache and a lot more consistent.
@mayankgupta4848 Жыл бұрын
I created couple of VLAN's (IOT and Guest) but my Amazon Echo devices keeps losing WiFi network intermittently somehow but all other devices remains connected to IOT. I am unable to figure out what's wrong :(
@pragmaticsecurity
Жыл бұрын
I have limited exp with amazon echos but generally IoT devices go berserk with all kinds of flooding which is also why its nice to have them on their own network. There should be a setting under the Wireless tab for your Wifi network to "Isolate clients", that may help but not positive. In my eyes there are a couple different possible problems. 1 your echo is having connection issues due to other devices flooding IoT network in which case, the "isolate" option might help or 2 your echo is flooding and its triggering a protocol in OpenWrt that is trying to stop it from flooding in which case I am not sure how to help other than try to put your echo on an unrestricted network or 3 the chipset for the antenna in your router is not very compatible with the antenna in the Echo. I have encountered this issue before and to fix it I had to turn off "WMM Mode" on my IoT wifi network. Turning WMM mode off will dramatically reduce the IoT network's speed but it also helps IoT devices connect. If this doesnt help keep going! The worst that can happen is you learn something :)
@SameerGurung1975 Жыл бұрын
I have followed your instructions to the T. however after adding interface and choosing my software vlan 10 (i have added only one VLAN) the interface shows an error: Network device not present. Any idea why?
@pragmaticsecurity
Жыл бұрын
So in my experience that will happen if there is nothing else connected to the VLAN you create. You could test it out be creating a wifi network under the wireless tab and attempting to use the VLAN you created. If the error is still there I am not sure what else it could be unfortunately.
@HeinserTorres
Жыл бұрын
same issue with device not present.
@Alex-oh5rt
8 ай бұрын
@SameerGurung1975 & @HeinserTorres Did you figure it out? I'm having that same issue right now!!! Edit: I solved it by removing the VLANS bridge port (LAN1) from my br-lan. Then I saved and applied and re-added it to br-lan and it worked. However, I don't really understand why that worked 😶
@arkinjade355 Жыл бұрын
HI thanks for your video,how can you add ex LAN 4 to vlan 20?
@pragmaticsecurity
Жыл бұрын
If you wanted to use LAN 4, on the virtual bridge section of the video you can change the from LAN 1 to LAN 4. You would need to make sure that the physical port "lan 4" on the back of your router is actually the one plugged in.
Пікірлер: 35
great explanation, you make the day
VLAN filtering works pretty well, but it's best to just kill all the stock interfaces and create all your VLANS as 802.1q, then bridge. Also, VERY helpful: Add software package for "ip-bridge". It gives you a really good method via SSH to see the VLANs and confirm the GUI setup.
@raughboy188
Ай бұрын
When you make vlans make one extra where anything untagged can be sent and it doesn't have to have any interface asigned to it, such Vlan is often refered to as Black Hole vlan.
@ramosel
Ай бұрын
@@raughboy188 Yep, agree.
@raughboy188
Ай бұрын
@@ramosel having black hole vlan can help you possibly prevent VLAN hopping attack.
Nicely done. Much appreciated on the explanations.
You save my day!
Very nice and heplful.
perfetto .. funziona alla grade nella mia rete... molto simile ... pfsense.... > switch managed trunk port ---> vlan OPENWRT... iot -wifi ..THANK !!!
Awesome video. How did you setup the boosters. I have a couple of TP-Link consumer routers that I could use as APs but not sure how you set your up to use as boosters
I need to correct you. Most IOT devices can use both 2.4 and 5ghz. Enable on your wifi to have both avaliable bit make sure that whichever device you can is configured to ise 5ghz band to reduce interfearances because everything in your house that can disrupt network works on 2.4 ghz. Not all IOT devices can use 2.4ghz but whenever you have an option to use 5ghz band go for it. 5ghz band had 36 channels i think and 2.4 ghz has 13. Do the and you'll understand.
Thanks
unfortunatelly this doesn't work anymore... if you configure a new bridge on lan1 you need to delete that port from the old bridge. You can’t use same port on two bridges anymore.
I have an XR500 which made the ports named kind of goofy, so it was hard to follow any tutorials on setting them up in here. Theres 4 LAN ports but they are all referenced through 2 "CPU(eth)" interfaces so its a further layer of confusion. I ended up tagging all my vlans in the switch page, then creating a bridge device for each vlan with the management vlan individually. Then creating an unmanaged interface for each vlan bridge device that i can assign to the wireless. They are going through a trunk to a managed switch which is trunked to a firewall. It's working without the 'vlan bridge filtering' stuff, and I only have one static address for management configured on the openwrt. hope any of that makes sense.
@pragmaticsecurity
Жыл бұрын
I unfortunately have a few routers that also use that imbedded switch tab with two cpu ports. I honestly kept my config the same and just tagged the cpu ports due to having other issues earlier. If it works though and the traffic is segmented thats really whats important!
Hello there. I've watched your video part 1 and a bit of part 2 as well. But I do have a different situation with my home network setup. I have Openwrt running on x86 PC as a router and connected to TP-Link TL-SG1016PE v1. I wanted to have three different vlan IDs. So I want to have similar idea as yours, but mine is different because it's directly to connect to my TP-Link smart managed switch since I have two WIFI APs (has three SSIDs) and one LAN for everything else. I want to assign vlan on those three ones. Will this setup works? I'm pretty newbie with vlan configuration. I'm very familiar with Openwrt but vlan.
@pragmaticsecurity
Жыл бұрын
I think it should work, as long as you remain consistent with ALL of your VLAN rules. I dont have a lot of experience pushing VLANS to another OpenWrt device but I imagine as long as your firewall zones are not blocking one zone on one device it should be ok. Only wildcard is how the switch works with VLANS and where exactly it is in the network.
I like
couldnt the red line ( internet line) just connect to the wan port on the router ? I know it probably doesn't matter as all ports can be change to but yeah :D
@pragmaticsecurity
Жыл бұрын
Yes you could do that. In my experience sometimes I had some odd issues with it but every router will be different!
Would it be at all possible to publish the network diagram to allow viewers to "Follow along"???
@pragmaticsecurity
Жыл бұрын
Sure let me see if I can find the original one from this video. I am in the process of making a new set of videos that covers more deployments from different diagrams not just what I was doing at the time I made this video. If I find it I will put it in the description of this video.
@pragmaticsecurity
Жыл бұрын
I found it, ill put it in description somehow!
Why the double bridge? Why not remove lan1 from br-lan, then add lan1 to a new bridge and do the vlan filtering on the lan1 bridge?
@pragmaticsecurity
Жыл бұрын
So at some points I was able to actually use both the bridges and it was very convenient. However there are some strange things that happen now when I use the double bridge and it pretty much just becomes as you say now. I think the solution you proposed is probably slightly less of a headache and a lot more consistent.
I created couple of VLAN's (IOT and Guest) but my Amazon Echo devices keeps losing WiFi network intermittently somehow but all other devices remains connected to IOT. I am unable to figure out what's wrong :(
@pragmaticsecurity
Жыл бұрын
I have limited exp with amazon echos but generally IoT devices go berserk with all kinds of flooding which is also why its nice to have them on their own network. There should be a setting under the Wireless tab for your Wifi network to "Isolate clients", that may help but not positive. In my eyes there are a couple different possible problems. 1 your echo is having connection issues due to other devices flooding IoT network in which case, the "isolate" option might help or 2 your echo is flooding and its triggering a protocol in OpenWrt that is trying to stop it from flooding in which case I am not sure how to help other than try to put your echo on an unrestricted network or 3 the chipset for the antenna in your router is not very compatible with the antenna in the Echo. I have encountered this issue before and to fix it I had to turn off "WMM Mode" on my IoT wifi network. Turning WMM mode off will dramatically reduce the IoT network's speed but it also helps IoT devices connect. If this doesnt help keep going! The worst that can happen is you learn something :)
I have followed your instructions to the T. however after adding interface and choosing my software vlan 10 (i have added only one VLAN) the interface shows an error: Network device not present. Any idea why?
@pragmaticsecurity
Жыл бұрын
So in my experience that will happen if there is nothing else connected to the VLAN you create. You could test it out be creating a wifi network under the wireless tab and attempting to use the VLAN you created. If the error is still there I am not sure what else it could be unfortunately.
@HeinserTorres
Жыл бұрын
same issue with device not present.
@Alex-oh5rt
8 ай бұрын
@SameerGurung1975 & @HeinserTorres Did you figure it out? I'm having that same issue right now!!! Edit: I solved it by removing the VLANS bridge port (LAN1) from my br-lan. Then I saved and applied and re-added it to br-lan and it worked. However, I don't really understand why that worked 😶
HI thanks for your video,how can you add ex LAN 4 to vlan 20?
@pragmaticsecurity
Жыл бұрын
If you wanted to use LAN 4, on the virtual bridge section of the video you can change the from LAN 1 to LAN 4. You would need to make sure that the physical port "lan 4" on the back of your router is actually the one plugged in.
OpenWrt, no OpenWRT.
@designer.346
Күн бұрын
DD-WRT