SSH to set up VLANs on Flint 3

Hi,

Does anyone have an SSH script to set up VLANs on the Flint 3?

I have used the one posted by Bruce for IOT, but I was also looking for the same for the switch ports.

Thanks.

I thought someone would have this.

Thanks, in anticipation.

Hello,

I see you've discussed this here before, and you've pinpointed the VPN issue.

Please share your VPN dashboard or VPN configuration.

Unfortunately, the router has been set back to factory and I have reverted to the stock firmware 4.7.11 due to the below error in LuCI.

Switch switch0 has an unknown topology - the VLAN settings might not be accurate.

However, this has not rectified the switch problem, so the router must have had this error out of the box.

There are so many problems with this router; I'm really not happy. I purchased the Flint 3 to replace my Flint 2, but I am now thinking of returning it due to its poor performance and instability.

That's not an error, it's a warning. The switch numbering is weird in the Flint 3. The numbering is backwards in LuCi, and different again in the config files. In the config files LAN1/WAN2 is port 7, LAN2 is port 6, LAN3 is port 5, and LAN4 is port 4. So, if I wanted my IoT VLAN30 on LAN3, I would untag port 5. Remember port 3 is the CPU and must be tagged in all VLANs, so I would tag port 3 and untag port 5 in the switch config.

So setting up the switch for that VLAN would look like this.

uci set network.vlan_iot='switch_vlan'
uci set network.vlan_iot.device='switch1'
uci set network.vlan_iot.vlan='30'
uci set network.vlan_iot.ports='3t 5ut'     # THIS IS WHERE PORTS ARE SET

Here is my complete script for an IoT VLAN30 set to LAN3.

uci set network.vlan_iot='switch_vlan'
uci set network.vlan_iot.device='switch1'
uci set network.vlan_iot.vlan='30'
uci set network.vlan_iot.ports='3t 6t'

uci set network.eth1_30=device
uci set network.eth1_30.type='8021q'
uci set network.eth1_30.ifname='eth1'
uci set network.eth1_30.vid='30'
uci set network.eth1_30.name='eth1.30'

uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-iot'
uci add_list network.@device[-1].ports='eth1.30'

uci set network.iot=interface
uci set network.iot.proto='static'
uci set network.iot.device='br-iot'
uci set network.iot.ipaddr='192.168.30.1'
uci set network.iot.netmask='255.255.255.0'

uci set dhcp.iot=dhcp
uci set dhcp.iot.interface='iot'
uci set dhcp.iot.start='100'
uci set dhcp.iot.limit='150'
uci set dhcp.iot.leasetime='12h'

uci add firewall zone
uci set firewall.@zone[-1].name='iot'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='iot'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='iot'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='iot'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-IoT'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-IoT'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Block-IoT-Intra'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest='iot'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='all'

uci add firewall rule
uci set firewall.@rule[-1].name='Block IoT WebUI'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].target='DROP'
uci set firewall.@rule[-1].dest_port='22 80 443 8080'

uci set wireless.iot2g=wifi-iface
uci set wireless.iot2g.device='wifi0'
uci set wireless.iot2g.network='iot'
uci set wireless.iot2g.mode='ap'
uci set wireless.iot2g.ifname='wlan30'
uci set wireless.iot2g.ssid='IoT'
uci set wireless.iot2g.encryption='psk2+ccmp'
uci set wireless.iot2g.key='goodlife'
uci set wireless.iot2g.wds='1'
uci set wireless.iot2g.hidden='0'
uci set wireless.iot2g.isolate='1'
uci set wireless.iot2g.disabled='0'
uci set wireless.iot2g.ieee80211k='1'
uci set wireless.iot2g.bss_transition='1'

uci set wireless.iot5g=wifi-iface
uci set wireless.iot5g.device='wifi1'
uci set wireless.iot5g.network='iot'
uci set wireless.iot5g.mode='ap'
uci set wireless.iot5g.ifname='wlan31'
uci set wireless.iot5g.ssid='IoT'
uci set wireless.iot5g.encryption='psk2+ccmp'
uci set wireless.iot5g.key='goodlife'
uci set wireless.iot5g.wds='1'
uci set wireless.iot5g.hidden='0'
uci set wireless.iot5g.isolate='1'
uci set wireless.iot5g.disabled='0'
uci set wireless.iot5g.ieee80211k='1'
uci set wireless.iot5g.bss_transition='1'

uci set wireless.iot6g=wifi-iface
uci set wireless.iot6g.device='wifi2'
uci set wireless.iot6g.network='iot'
uci set wireless.iot6g.mode='ap'
uci set wireless.iot6g.ifname='wlan32'
uci set wireless.iot6g.ssid='IoT'
uci set wireless.iot6g.encryption='sae'
uci set wireless.iot6g.key='goodlife'
uci set wireless.iot6g.wds='1'
uci set wireless.iot6g.hidden='0'
uci set wireless.iot6g.isolate='1'
uci set wireless.iot6g.disabled='0'
uci set wireless.iot6g.ieee80211k='1'
uci set wireless.iot6g.bss_transition='1'

uci commit
reboot

Here is my complete script for a Work VLAN60 assigned to LAN4, complete with MLO.

uci set network.vlan_work='switch_vlan'
uci set network.vlan_work.device='switch1'
uci set network.vlan_work.vlan='60'
uci set network.vlan_work.ports='3t 4ut'

uci set network.eth1_60=device
uci set network.eth1_60.type='8021q'
uci set network.eth1_60.ifname='eth1'
uci set network.eth1_60.vid='60'
uci set network.eth1_60.name='eth1.60'

uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-work'
uci add_list network.@device[-1].ports='eth1.60'

uci set network.work=interface
uci set network.work.proto='static'
uci set network.work.device='br-work'
uci set network.work.ipaddr='192.168.60.1'
uci set network.work.netmask='255.255.255.0'

uci set dhcp.work=dhcp
uci set dhcp.work.interface='work'
uci set dhcp.work.start='100'
uci set dhcp.work.limit='150'
uci set dhcp.work.leasetime='12h'

uci add firewall zone
uci set firewall.@zone[-1].name='work'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='work'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='work'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-Work'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='work'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-Work'
uci set firewall.@rule[-1].src='work'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Block-Work-Intra'
uci set firewall.@rule[-1].src='work'
uci set firewall.@rule[-1].dest='work'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='all'

uci add firewall rule
uci set firewall.@rule[-1].name='Block Work WebUI'
uci set firewall.@rule[-1].src='work'
uci set firewall.@rule[-1].target='DROP'
uci set firewall.@rule[-1].dest_port='22 80 443 8080'

uci set wireless.work2g=wifi-iface
uci set wireless.work2g.device='wifi0'
uci set wireless.work2g.network='work'
uci set wireless.work2g.mode='ap'
uci set wireless.work2g.ifname='wlan60'
uci set wireless.work2g.ssid='Work'
uci set wireless.work2g.encryption='psk2+ccmp'
uci set wireless.work2g.key='goodlife'
uci set wireless.work2g.wds='1'
uci set wireless.work2g.hidden='0'
uci set wireless.work2g.isolate='1'
uci set wireless.work2g.disabled='0'
uci set wireless.work2g.ieee80211k='1'
uci set wireless.work2g.bss_transition='1'

uci set wireless.work5g=wifi-iface
uci set wireless.work5g.device='wifi1'
uci set wireless.work5g.network='work'
uci set wireless.work5g.mode='ap'
uci set wireless.work5g.ifname='wlan61'
uci set wireless.work5g.ssid='Work'
uci set wireless.work5g.encryption='psk2+ccmp'
uci set wireless.work5g.key='goodlife'
uci set wireless.work5g.wds='1'
uci set wireless.work5g.hidden='0'
uci set wireless.work5g.isolate='1'
uci set wireless.work5g.disabled='0'
uci set wireless.work5g.ieee80211k='1'
uci set wireless.work5g.bss_transition='1'

uci set wireless.work6g=wifi-iface
uci set wireless.work6g.device='wifi2'
uci set wireless.work6g.network='work'
uci set wireless.work6g.mode='ap'
uci set wireless.work6g.ifname='wlan62'
uci set wireless.work6g.ssid='Work'
uci set wireless.work6g.encryption='sae'
uci set wireless.work6g.key='goodlife'
uci set wireless.work6g.wds='1'
uci set wireless.work6g.hidden='0'
uci set wireless.work6g.isolate='1'
uci set wireless.work6g.disabled='0'
uci set wireless.work6g.ieee80211k='1'
uci set wireless.work6g.bss_transition='1'

uci set mlo.mld6=wifi-mld
uci set mlo.mld6.disabled='0'
uci set mlo.mld6.bands='2g'
uci add_list mlo.mld6.bands='5g'
uci add_list mlo.mld6.bands='6g'

uci set wireless.workmld2g=wifi-iface
uci set wireless.workmld2g.device='wifi0'
uci set wireless.workmld2g.network='work'
uci set wireless.workmld2g.mode='ap'
uci set wireless.workmld2g.ssid='Work'
uci set wireless.workmld2g.encryption='ccmp'
uci set wireless.workmld2g.sae='1'
uci set wireless.workmld2g.key='goodlife'
uci set wireless.workmld2g.wds='1'
uci set wireless.workmld2g.isolate='1'
uci set wireless.workmld2g.hidden='0'
uci set wireless.workmld2g.ifname='wlan63'
uci set wireless.workmld2g.ieee80211k='1'
uci set wireless.workmld2g.bss_transition='1'
uci set wireless.workmld2g.disabled='0'
uci set wireless.workmld2g.mld='mld6'

uci set wireless.workmld5g=wifi-iface
uci set wireless.workmld5g.device='wifi1'
uci set wireless.workmld5g.network='work'
uci set wireless.workmld5g.mode='ap'
uci set wireless.workmld5g.ssid='Work'
uci set wireless.workmld5g.encryption='ccmp'
uci set wireless.workmld5g.sae='1'
uci set wireless.workmld5g.key='goodlife'
uci set wireless.workmld5g.wds='1'
uci set wireless.workmld5g.isolate='1'
uci set wireless.workmld5g.hidden='0'
uci set wireless.workmld5g.ifname='wlan64'
uci set wireless.workmld5g.bss_transition='1'
uci set wireless.workmld5g.disabled='0'
uci set wireless.workmld5g.mld='mld6'

uci set wireless.workmld6g=wifi-iface
uci set wireless.workmld6g.device='wifi2'
uci set wireless.workmld6g.network='work'
uci set wireless.workmld6g.mode='ap'
uci set wireless.workmld6g.ssid='Work'
uci set wireless.workmld6g.encryption='ccmp'
uci set wireless.workmld6g.sae='1'
uci set wireless.workmld6g.key='goodlife'
uci set wireless.workmld6g.wds='1'
uci set wireless.workmld6g.isolate='1'
uci set wireless.workmld6g.hidden='0'
uci set wireless.workmld6g.ifname='wlan65'
uci set wireless.workmld6g.ieee80211k='1'
uci set wireless.workmld6g.bss_transition='1'
uci set wireless.workmld6g.disabled='0'
uci set wireless.workmld6g.mld='mld6'

uci set wireless.mld6=wifi-mld
uci set wireless.mld6.mld_ssid='Work'

uci commit
reboot

I'm running a total of 10 VLANs on my Flint 3, and I changed the default to VLAN10 since VLAN1 should never be used for traffic.

Edit: I should add, if you make one and you can't get an address on the lan port, go into Luci and the switch settings, and just click "save and apply". Then disconnect and reconnect to that port. I don't know why it does that when you set it up via SSH but sometimes it does and it took me a while to figure out.


Dears, a complete newbie here. I've followed exactly the script made by Miles here to create an IoT VLAN (slightly modified to include also 5 and 6 GHz wifi).

Now, based on the examples I’ve seen here and there, I prepared a script “on the paper” to create a VLAN (192.168.50.x) entirely dedicated to my surveillance devices (an antitheft system and, in the future, a POE NVR), using LAN ports 3 and 4. Here it is:

uci set network.vlan_surv='switch_vlan'
uci set network.vlan_surv.device='switch1'
uci set network.vlan_surv.vlan='50'
uci set network.vlan_surv.ports='3t 4ut 5ut'

uci set network.eth1_50=device
uci set network.eth1_50.type='8021q'
uci set network.eth1_50.ifname='eth1'
uci set network.eth1_50.vid='50'
uci set network.eth1_50.name='eth1.50'

uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-surv'
uci add_list network.@device[-1].ports='eth1.50'

uci set network.surv=interface
uci set network.surv.proto='static'
uci set network.surv.device='br-surv'
uci set network.surv.ipaddr='192.168.50.1'
uci set network.surv.netmask='255.255.255.0'

uci set dhcp.surv=dhcp
uci set dhcp.surv.interface='surv'
uci set dhcp.surv.start='100'
uci set dhcp.surv.limit='150'
uci set dhcp.surv.leasetime='12h'

uci add firewall zone
uci set firewall.@zone[-1].name='surv'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='surv'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='surv'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-Surv'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='surv'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-Surv'
uci set firewall.@rule[-1].src='surv'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'

uci commit
reboot

Questions:

1. Not that sure regarding port enablement. Actually, my Flint 3 is basically as it comes out of the box, with the exception of the IoT VLAN I created. That is to say, currently the LAN ports are not bound to any VLAN: is it therefore correct to use '3t 4ut 5ut' for port enablement?

2. I basically configured a few rules for the firewall: internet access through WAN, DHCP, DNS. I also would like the NVR to be accessible from the default LAN/wireless. I think I should add:

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='surv'

But this should allow wired devices on LAN1 and LAN2 to access the surv VLAN. How do I also allow wireless devices connected to the default 192.168.8.x?
(use case: access to an RTSP stream from my smartphone connected to the "Home" wireless connection)

Can't edit, but for the sake of clarity... the script I posted broke my Internet connection. The Flint 3 says it's online, but all the connections are not able to reach the internet or to ping anything but the gateway. Had to reset the router and start from scratch, but first, I have to understand what's wrong with the script.

Your port tags are correct.

To enable your main lan to access the VLAN, you would add

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='surv'

When you say it breaks your internet, do you get an IP from the router via LAN? If not, connect to wifi, go into Luci, then Network, then Switch, then dismiss the warning, then click "Save & Apply". I don't know why I had to do that but I did, and it took me a long time to figure out.

Here's my script modified to match yours.

###Create VLAN 50 Surveillance###

uci set network.vlan_surv='switch_vlan'
uci set network.vlan_surv.device='switch1'
uci set network.vlan_surv.vlan='50'
uci set network.vlan_surv.ports='3t 4ut 5ut'

uci set network.eth1_50=device
uci set network.eth1_50.type='8021q'
uci set network.eth1_50.ifname='eth1'
uci set network.eth1_50.vid='50'
uci set network.eth1_50.name='eth1.50'

uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-surv'
uci add_list network.@device[-1].ports='eth1.50'

uci set network.surv=interface
uci set network.surv.proto='static'
uci set network.surv.device='br-surv'
uci set network.surv.ipaddr='192.168.50.1'
uci set network.surv.netmask='255.255.255.0'

uci set dhcp.surv=dhcp
uci set dhcp.surv.interface='surv'
uci set dhcp.surv.start='100'
uci set dhcp.surv.limit='150'
uci set dhcp.surv.leasetime='12h'

uci add firewall zone
uci set firewall.@zone[-1].name='surv'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='surv'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='surv'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='surv'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-Surveillance'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='surv'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-Surveillance'
uci set firewall.@rule[-1].src='surv'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Block Surveillance WebUI'
uci set firewall.@rule[-1].src='surv'
uci set firewall.@rule[-1].target='DROP'
uci set firewall.@rule[-1].dest_port='22 80 443 8080'

uci set wireless.surv2g=wifi-iface
uci set wireless.surv2g.device='wifi0'
uci set wireless.surv2g.network='surv'
uci set wireless.surv2g.mode='ap'
uci set wireless.surv2g.ifname='wlan50'
uci set wireless.surv2g.ssid='Surveillance-2.4Ghz'
uci set wireless.surv2g.encryption='psk2+ccmp'
uci set wireless.surv2g.key='goodlife'
uci set wireless.surv2g.wds='1'
uci set wireless.surv2g.hidden='0'
uci set wireless.surv2g.isolate='1'
uci set wireless.surv2g.disabled='0'
uci set wireless.surv2g.ieee80211k='1'
uci set wireless.surv2g.bss_transition='1'

uci set wireless.surv5g=wifi-iface
uci set wireless.surv5g.device='wifi1'
uci set wireless.surv5g.network='surv'
uci set wireless.surv5g.mode='ap'
uci set wireless.surv5g.ifname='wlan51'
uci set wireless.surv5g.ssid='Surveillance-5Ghz'
uci set wireless.surv5g.encryption='psk2+ccmp'
uci set wireless.surv5g.key='goodlife'
uci set wireless.surv5g.wds='1'
uci set wireless.surv5g.hidden='0'
uci set wireless.surv5g.isolate='1'
uci set wireless.surv5g.disabled='0'
uci set wireless.surv5g.ieee80211k='1'
uci set wireless.surv5g.bss_transition='1'

uci set wireless.surv6g=wifi-iface
uci set wireless.surv6g.device='wifi2'
uci set wireless.surv6g.network='surv'
uci set wireless.surv6g.mode='ap'
uci set wireless.surv6g.ifname='wlan52'
uci set wireless.surv6g.ssid='Surveillance-6Ghz'
uci set wireless.surv6g.encryption='sae'
uci set wireless.surv6g.key='goodlife'
uci set wireless.surv6g.wds='1'
uci set wireless.surv6g.hidden='0'
uci set wireless.surv6g.isolate='1'
uci set wireless.surv6g.disabled='0'
uci set wireless.surv6g.ieee80211k='1'
uci set wireless.surv6g.bss_transition='1'

Thanks a lot. I would trim the generation of wifi from the script as the surv VLAN should apply ONLY to the two LAN ports.

Besides that, I have to clarify the "internet broken" issue. The router was correctly connected to the internet and it correctly gave IPs to the devices according to their respective VLAN. But then, any device connected had no access to the internet.

I think my script broke something at bridge level, as the consequences were not ONLY impacting the surv VLAN, but also the IoT one and the main lan/wifi (192.168.8.x) that were working perfectly before my UCI commit & reboot.

I've seen you didn't modify anything in the script except adding a firewall rule that affects the surv VLAN's capability to access the wan... so on paper the issue will not be solved. I'll try however this evening when I'm back home from work and let you know.

Thanks again!!!

No problem. The script I posted is my own "security" vlan script I use for outdoor wifi cameras, changed to "surveillance" (surv) to match yours for you to compare.

Thanks again. I entered exactly your script without the wireless part:

uci set network.vlan_surv='switch_vlan'
uci set network.vlan_surv.device='switch1'
uci set network.vlan_surv.vlan='50'
uci set network.vlan_surv.ports='3t 4ut 5ut'

uci set network.eth1_50=device
uci set network.eth1_50.type='8021q'
uci set network.eth1_50.ifname='eth1'
uci set network.eth1_50.vid='50'
uci set network.eth1_50.name='eth1.50'

uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-surv'
uci add_list network.@device[-1].ports='eth1.50'

uci set network.surv=interface
uci set network.surv.proto='static'
uci set network.surv.device='br-surv'
uci set network.surv.ipaddr='192.168.50.1'
uci set network.surv.netmask='255.255.255.0'

uci set dhcp.surv=dhcp
uci set dhcp.surv.interface='surv'
uci set dhcp.surv.start='100'
uci set dhcp.surv.limit='150'
uci set dhcp.surv.leasetime='12h'

uci add firewall zone
uci set firewall.@zone[-1].name='surv'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='surv'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='surv'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='surv'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-Surveillance'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='surv'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-Surveillance'
uci set firewall.@rule[-1].src='surv'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit
reboot

After the reboot, I had internet connection but on both eth3 and eth4, my laptop got a 192.168.8.x IP address.
So I went into LUCI under network → switch to find out what follows:

Looking at the configuration it seems that in switch1 the ports are in reversed order, so LAN4 is effectively LAN1/second WAN, LAN3 is LAN2 and so on. Hence the conflict I see is that LAN1 and LAN2, which correspond to the "real" LAN3 and LAN4 respectively, are both untagged for both the VLANs.

So I tried to turn off LAN1 and LAN2 on VLAN 1... and it worked flawlessly.
Maybe it could be useful for someone. Even in LuCI the ports are enumerated in reverse order.

Ok yeah, that's what I was trying to explain before in this thread, and I probably did a bad job lol.

Untagging 4 and 5 in the script is LAN1 and LAN2 in Luci, and physical ports LAN3 and LAN4 on the router. I'm not sure why after running the script you had the ports untagged for VLAN1 but yeah turning those off is what was needed.
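An added helper, not from any post in this thread, that encodes the switch1 port mapping Rob describes (LAN1/WAN2=7, LAN2=6, LAN3=5, LAN4=4, CPU=3) and flags the state that bit the previous poster: a port left untagged in more than one VLAN. The mapping and the `switch1` device name are assumptions taken from the posts above; the sample VLAN table is constructed.

```shell
#!/bin/sh
# Constructed helper: translate physical Flint 3 LAN labels into the switch1
# port numbers used in the uci switch_vlan sections, and check a set of VLANs
# for ports that are untagged in more than one VLAN.
# Assumption: the label->port mapping is the one stated in this thread; confirm
# it on the router with `swconfig dev switch1 show` before trusting it.

flint3_port() {
    case "$1" in
        LAN1|WAN2) echo 7 ;;
        LAN2)      echo 6 ;;
        LAN3)      echo 5 ;;
        LAN4)      echo 4 ;;
        *) echo "unknown port label: $1" >&2; return 1 ;;
    esac
}

# build_ports LABEL... -> ports string for a switch_vlan section.
# The CPU port (3) is always tagged; each named LAN port is untagged.
# Example: build_ports LAN3 LAN4 -> "3t 5ut 4ut"
build_ports() {
    out="3t"
    for label in "$@"; do
        p=$(flint3_port "$label") || return 1
        out="$out ${p}ut"
    done
    printf '%s\n' "$out"
}

# switch_vlan_uci NAME VID LABEL... -> the four uci lines for that VLAN.
switch_vlan_uci() {
    name=$1; vid=$2; shift 2
    ports=$(build_ports "$@") || return 1
    printf "uci set network.%s='switch_vlan'\n" "$name"
    printf "uci set network.%s.device='switch1'\n" "$name"
    printf "uci set network.%s.vlan='%s'\n" "$name" "$vid"
    printf "uci set network.%s.ports='%s'\n" "$name" "$ports"
}

# untagged_overlaps "VID PORTS..." (one VLAN per line) -> prints "PORT VID VID..."
# for every port untagged in more than one VLAN. This is the state the poster
# above found in LuCI: ports 4 and 5 untagged in both VLAN 1 and VLAN 50, so
# the laptop on LAN3/LAN4 still got a 192.168.8.x address.
untagged_overlaps() {
    printf '%s\n' "$1" | while read -r vid ports; do
        [ -n "$vid" ] || continue
        for tok in $ports; do
            case "$tok" in *ut) printf '%s %s\n' "${tok%ut}" "$vid" ;; esac
        done
    done | sort -k1,1n -k2,2n \
         | awk '{ seen[$1] = seen[$1] " " $2; n[$1]++ }
                END { for (p in seen) if (n[p] > 1) print p seen[p] }' \
         | sort -n
}

# Constructed sample: the default VLAN 1 still carries every port untagged,
# and a new surveillance VLAN 50 untags LAN3 and LAN4 on top of it.
SAMPLE_VLANS="1 3t 7ut 6ut 5ut 4ut
50 3t 4ut 5ut"

if [ "${1:-}" = "demo" ]; then
    switch_vlan_uci vlan_surv 50 LAN3 LAN4
    echo "ports untagged in more than one VLAN (port vid...):"
    untagged_overlaps "$SAMPLE_VLANS"
fi
```

Run with `sh script.sh demo`; an empty overlap list means every LAN port belongs to exactly one untagged VLAN, which is what the LuCI "save & apply" fix in the posts above achieves by turning the ports off on VLAN 1.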

Hey Rob, this was crystal clear to me :sweat_smile: you explained it well and in fact, in the script I correctly identified the two ports I needed. What was missing is that in the LuCI graphical interface, the switch representation shows ports from 1 to 4 (no port 7, 6 or whatsoever), but the representation is exactly in reverse order w.r.t. the physical labels on the router. That was misleading; I initially tried to turn off ports thinking the LAN ports were in the correct order... and I kicked myself out by turning off the LAN I was connected to, lol.
