
Create two LANs?

I have a Turris Omnia.

I'm hoping to create two separate networks, lan0 (192.168.1.*) and lan1 (192.168.2.*), that resemble this diagram:


My goal is to have an "always on" VPN running on lan1 that I can join at will by selecting the LAN4 port on the router or joining the dedicated WiFi network.

The challenging part seems to be getting the DNS and firewall settings to work.

Is this possible? Any advice is appreciated.

** edit 1 **

I think the issue is related to the lan and lan1_interface interfaces in my network configuration. I think I need to fix the _orig_ifname in both, and I'm not sure what to do about bridging (or how to configure it).

Also, I don't think the dhcp_option is set correctly for lan1_interface in the dhcp file. What does option 6 do?

I've included my current configuration for completeness. What do I need to change?

Is there a way to add comments to these files? Perhaps using an # or //?

/etc/config/wireless:

# Two radios, one AP SSID each. radio0 (channel 36, 11a/VHT80, i.e. 5 GHz) serves
# the 'lan' interface; radio1 (channel 11, 11g/HT20, i.e. 2.4 GHz) serves
# 'lan1_interface'. The 'option network' line is what attaches each wlan device to
# its interface in /etc/config/network.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'VHT80'
	option disabled '0'
	option txpower '23'
	option country 'US'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option disabled '0'
	# WPA2-PSK allowing both TKIP and AES/CCMP. TKIP is the legacy cipher;
	# 'psk2+ccmp' (AES only) is preferable unless an old client really needs TKIP.
	option encryption 'psk2+tkip+aes'
	option key '[REMOVED]'
	# Attaches this SSID's wlan device to the 'lan' bridge.
	option network 'lan'
	option ssid 'Turris'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option country 'US'
	option hwmode '11g'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'HT20'
	option disabled '0'
	option txpower '19'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option disabled '0'
	# Same cipher note as above: 'psk2+ccmp' drops the legacy TKIP cipher.
	option encryption 'psk2+tkip+aes'
	option key '[REMOVED]'
	# This is the only thing that puts a device on 'lan1_interface' — that interface
	# sets no 'ifname' of its own in /etc/config/network.
	option network 'lan1_interface'
	option ssid 'Turris [VPN]'

/etc/config/dhcp:

# dnsmasq settings. Note 'port 5353': the DNS side of dnsmasq does not listen on
# the standard port 53 here. Clients are nevertheless pointed at 192.168.x.1 via
# DHCP option 6 below and will query port 53 — whatever answers there (on Turris
# OS presumably a separate resolver) is not shown in this file; confirm.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	# Rejects upstream answers that resolve to private ranges (DNS-rebinding defence).
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	# Only answers DNS queries coming from locally attached subnets.
	option localservice '1'
	option nonwildcard '0'
	option domain 'lan'
	option port '5353'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	# DHCP option 6 = DNS server list handed to clients; here the router's own lan
	# address. Clients will query it on port 53, not on dnsmasq's 5353.
	list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	# No DHCP service on the WAN side.
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

# IPv4-only pool for the second LAN (no dhcpv6/ra options, unlike 'lan').
config dhcp 'lan1_interface'
	option interface 'lan1_interface'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# Option 6 again: clients on 192.168.2.x are told to use 192.168.2.1 for DNS.
	# This is consistent with the interface address; the DNS path itself depends on
	# what listens on port 53 of that address (see the dnsmasq 'port' note above).
	list dhcp_option '6,192.168.2.1'

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd22:91e8:0e0f::/48'

config interface 'wan6'
	option ifname '@wan'
	option proto 'none'
	option noserverunicast '1'

config interface 'lan'
	# Both CPU-facing ports, eth0 and eth2, are bridged into 'lan'. If eth2 is the
	# port behind switch VLAN 2 (ports '4 6' below), then LAN4 lands in this
	# 192.168.1.x bridge and not in lan1_interface — which would explain the port
	# not behaving as the second LAN. Confirm which CPU port maps to which ethX.
	option ifname 'eth0 eth2'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	# '_orig_*' appear to be LuCI bookkeeping copies of the pre-edit values; netifd
	# acts on 'ifname' and 'type' above. wlan0/wlan1 are attached by the
	# 'option network' lines in /etc/config/wireless, not by this list.
	option _orig_ifname 'eth0 eth2 wlan0 wlan1'
	option _orig_bridge 'true'

config interface 'lan1_interface'
	# No 'ifname' and no 'type bridge' here, so the only device on this interface is
	# wlan1 (via /etc/config/wireless). To put the LAN4 port on 192.168.2.x, the
	# corresponding ethX has to be moved out of 'lan' and bridged in here.
	option _orig_ifname 'wlan1'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'vpn_interface'
	# tun0 is created and addressed by the VPN client; 'proto none' keeps netifd
	# from configuring it. It is placed in the 'vpn_zone' firewall zone.
	option ifname 'tun0'
	option proto 'none'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: ports 0-3 plus CPU port 5; VLAN 2: port 4 plus CPU port 6.
# The CPU-port to eth0/eth2 mapping is not visible in this file — TODO confirm.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'
	option vid '2'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth1'

/etc/config/firewall:

# Policy defaults for traffic not matched by a zone below; every zone here sets
# its own input/output/forward explicitly, so these mostly cover unzoned devices.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Extra rule scripts run at firewall reload; their contents are not shown here.
config include
	option path '/etc/firewall.user'

config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

config zone
	option name 'wan'
	option network 'wan wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# tun0 lives here. NAT ('masq') is applied on the way out of the tunnel.
config zone
	option name 'vpn_zone'
	option network 'vpn_interface'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# No forwarding section exists between 'lan' and 'lan1_zone', so the two LANs are
# isolated from each other by the default forward REJECT — intended.
config zone
	option name 'lan1_zone'
	option network 'lan1_interface'
	option output 'ACCEPT'
	# input ACCEPT: clients on lan1 may reach every service on the router itself.
	# This makes the 'Allow Guest DNS/DHCP Access' rules at the bottom redundant;
	# those rules only matter if this is tightened to REJECT.
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'vpn_zone'
	option src 'lan1_zone'

# lan1_zone is forwarded to BOTH vpn_zone (above) and wan (here). That means lan1
# clients are not confined to the tunnel: when tun0 is down, or routing prefers
# the WAN path, their traffic goes out unencrypted via wan. For an "always on"
# VPN this forwarding should be removed so the only exit for lan1_zone is vpn_zone
# (plus a default route via tun0 for that network).
config forwarding
	option dest 'wan'
	option src 'lan1_zone'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Unnamed IPsec passthrough rules: ESP and IKE (UDP/500) from wan are forwarded
# into the 'lan' zone only (not lan1_zone). Keep only if a host on lan needs them.
config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Router-input rules for lan1_zone. Redundant while that zone's input is ACCEPT;
# presumably copied from a guest-network recipe where input is REJECT. Note the
# DNS rule opens 5353 (dnsmasq's port above), whereas clients pointed at
# 192.168.2.1 by DHCP option 6 will talk to port 53 — confirm what serves 53.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '5353'
	option name 'Allow Guest DNS Access'
	option src 'lan1_zone'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Allow Guest DHCP Access'
	option src 'lan1_zone'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'


Yes, it is possible. You'll need a managed switch for that. You don't need to have two different links for lan1 and lan2, you can set a trunk port and set the access VLAN on the switch ports.

It seems complicated at first, but as you get used to the LuCI interface, everything works out.

For creating a second LAN, follow the steps on how to create a guest network. Configure VPN client and set it to run on the guest network you created.

This is a unique configuration. Firewall settings are straightforward. Block the network that is to use the VPN from WAN access. Their DHCP server should have your "VPN" as the gateway.

What sort of issues are you having with DNS?

I think I solved this. I used the router's configuration tools to create a guest network (guest_turris). I removed all references to lan1_interface.

I changed the LAN interface, using the UI, to bridge eth0 and wlan0 (removing eth2), which resulted in this change to the /etc/config/network config:

# 'lan' after the UI edit: the bridge's wired member is now only eth0 ('ifname'
# at the bottom); wlan0 joins through /etc/config/wireless. eth2 was moved out.
config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	# Appears to be LuCI's stored copy of the pre-edit member list rather than the
	# live configuration — netifd bridges what 'ifname' says. That is presumably
	# why eth2 and wlan1 still show up here but not in the UI; confirm in LuCI.
	option _orig_ifname 'eth0 eth2 wlan0 wlan1'
	option _orig_bridge 'true'
	option ifname 'eth0'

I don't know why eth2 and wlan1 are still included in the _orig_ifname setting--this isn't shown in the UI.

I changed the guest_turris interface, using the UI, to bridge eth2 and wlan1, which results in this change to the network config:

# Second LAN as created by the guest-network tool: a 10.111.222.0/24 bridge whose
# wired member is eth2 ('ifname' below); wlan1 joins via /etc/config/wireless.
config interface 'guest_turris'
	option enabled '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	# Brings the bridge up even when it has no members attached yet.
	option bridge_empty '1'
	# Looks like a UI-side record only; the effective wired member is 'ifname' below,
	# so eth2 need not be added here. Confirm against what LuCI displays.
	option _orig_ifname 'wlan1'
	option _orig_bridge 'true'
	option ifname 'eth2'

Should _orig_ifname include eth2 in it?

I was able to connect to each wireless network (with the appropriate IP address) and fetch a page.

Moreover, ports 0-3 were assigned an IP address in the desired subnet, as was port 4 (on a different subnet).