D-Link Forums

D-Link Enterprise => DGS-1100-Series => Topic started by: tiredUser123 on January 02, 2021, 09:56:59 AM

Title: [SOLVED] DGS-1100-24 - VLAN for IoT with openWRT router
Post by: tiredUser123 on January 02, 2021, 09:56:59 AM
Hello All,
After a day of unsuccessfully trying to figure it out by myself, I am coming here for advice on the following matter.

Current status:
1. WAN => OpenWRT router connected => D-Link Switch => all wired devices.
2. Router is connected to the D-Link switch via Port 2 (one cable only).

Desired status
1. WAN => OpenWRT => D-Link Switch with the following VLANs (and subnets set in OpenWRT):
- VLAN1 - Port 2 - OpenWRT router to D-Link switch
- VLAN3 - Ports 16-23 - IoT "untrusted" devices - robovacuum cleaner, smartTV (ideally in subnet 192.168.9.0/24)
- VLAN4 - Ports 3-15 - local "trusted" devices - PCs, NAS (ideally in subnet 192.168.7.0/24, subnets to be setup in router)
- VLAN4 - Port 24 - DMZ, accessible from WAN (ideally in 192.168.10.0/24 subnet)

2. Only devices within the same VLAN shall see each other.

What I did
- I understand that the VLAN has to be set up in the D-Link switch and the OpenWRT configuration shall reflect it (i.e. VLANs with the same IDs shall be created in OpenWRT in Switches and also interfaces). I believe I have managed this well.
- I understand that Port 2 has to be a member of all the other VLANs, so the packets can be transferred to the OpenWRT router, which will then sort them into the respective subnets.

What I struggle with
What are the steps to make the correct setup on the D-Link side? I have been through several manuals, but in my interface I see different options. Therefore, what are the correct options to turn on/off? 802.1Q VLAN or Port-based VLAN? Shall the asymmetric VLAN be enabled?

Thank you for your kind help.

SOLUTION
1. Disable Port-based VLAN.
2. Enable Asymmetric VLAN.
3. In VLAN Interface:
-- Port 2 shall look like this:
Port   eth2
VLAN Mode   Hybrid
Native VLAN   1
Hybrid Untagged VLAN   1,
Hybrid Tagged VLAN   3,
Ingress Checking   Enabled
Acceptable Frame Type   Admit All

-- Ports 16-23 shall look like this:
Port   eth16
VLAN Mode   Access
Access VLAN   3
Ingress Checking   Enabled
Acceptable Frame Type   Untagged Only

In openWRT do not forget to add the following two firewall rules:
1. Incoming IP4 and IP4 for TCP & UDP from VLAN3 interface to "this device" (openWRT router) on port 53 for DNS AND
2. Incoming IP4 and IP4 for TCP & UDP from VLAN3 interface to "this device" (openWRT router) on port 67-68 for DHCP.

EDIT: Solution added.
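
The two firewall rules from the solution, written as an `/etc/config/firewall` fragment. This is an added example, not part of the original post. It assumes an OpenWrt interface named `iot` already exists for VLAN 3; the zone name, the rule names, the REJECT zone defaults and the forwarding to `wan` are assumptions.

```uci
# /etc/config/firewall (fragment)
# Assumption: /etc/config/network already defines an interface 'iot'
# bound to VLAN 3 (the tagged VLAN on switch port 2).

config zone
	option name 'iot'
	list network 'iot'
	# Assumption: the router itself is closed to IoT devices by default,
	# which is why the two explicit rules below are needed.
	option input 'REJECT'
	option output 'ACCEPT'
	# No forwarding between IoT and other zones unless listed below.
	option forward 'REJECT'

# Assumption: IoT devices need Internet access. No forwarding to the
# trusted zone is defined, so IoT hosts cannot reach the other VLANs.
config forwarding
	option src 'iot'
	option dest 'wan'

# Rule 1 from the post: DNS from VLAN3 to "this device".
# Omitting 'dest' makes this an input rule on the router itself.
config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Rule 2 from the post: DHCP from VLAN3 to "this device".
# The post allows TCP & UDP; DHCP itself is carried over UDP only.
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '67-68'
	option target 'ACCEPT'
```

After editing the file, `/etc/init.d/firewall restart` on the router applies the rules.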