Geekzone: technology news, blogs, forums
grayskull
#265753 9-Feb-2020 14:34

I've been running an EdgeRouter Lite for some time with no issues, so thought it's time to do some tinkering. Have 3x UniFi AP-AC-Pro with original CloudKey and using UniFi Controller.

Would like to set up 3 VLANs - 1 standard using Vorco's DNS (my ISP), 1x family with this free family DNS filter https://cleanbrowsing.org/filters#family and VLAN30 to move all my IoT onto and keep separate from the network.

Then have 2 (or possibly 3) wifi networks - i.e. standard, family, and IoT so that each VLAN has a separate wifi SSID that then routes to the correct VLAN.

Have managed to set up the 3x VLANs and 2x wifi so far (left IoT for now). Set up the CleanBrowsing family DNS on "family"/VLAN20, connect to that wifi on my iPhone, but it says no internet connection. However I can browse to web pages. I tried the DNS Leak Test but it's still showing my ISP DNS (103.*.*.*) and the IP on my phone is 169.254.115.***.

I've also noticed internet speed has slowed down substantially on my main wifi network and PC on ethernet. Disabled VLAN20 and the kids wifi and it's back up to normal speed?

I can post my config file in the next post - note I had 2x VPNs set up by the company who installed & manages my Home Theatre/Control4 system so that will show in the config file too. As such, I would prefer not to start from scratch but can do as a last resort.

Hopefully it's something obvious I've missed? My experience/skill level with ER is very slow, I've tried reading all the relevant posts on Geekzone and the Ubiquiti Community support page but still struggling. Is there perhaps a limitation of the ER-Lite preventing me from taking this route?

Thanks in advance for any assistance, and for your patience :)


grayskull
#2415073 9-Feb-2020 14:36

Here's my Dashboard, and config (hopefully the right info in the correct format?)

[screenshot: Dashboard]

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name Torrent {
        default-action accept
        description Torrent
        rule 1 {
            action accept
            description 45100
            destination {
            }
            log disable
            p2p {
                all
            }
            protocol tcp_udp
            source {
                address 192.168.10.72
                port 45100
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
    }
    name WAN_IN {
        default-action accept
        description "WAN to internal"
        rule 10 {
            action accept
            description "PPTP Allow"
            destination {
                port 1723
            }
            log disable
            protocol tcp
            source {
            }
        }
        rule 20 {
            action accept
            description GRE
            log disable
            protocol gre
        }
        rule 30 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "PPTP Allow"
            destination {
                port 1723
            }
            log disable
            protocol tcp
        }
        rule 30 {
            action accept
            description "Allow GRE"
            log disable
            protocol 47
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        firewall {
            out {
                name Torrent
            }
        }
        speed auto
        vif 10 {
            description "Internet (PPPoE)"
            firewall {
                in {
                    name WAN_IN
                }
            }
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                    out {
                        name Torrent
                    }
                }
                mtu 1492
                name-server auto
                password ****************
                user-id **@**.vorco.net.nz
            }
        }
        vif 20 {
            description "VLAN20 Family"
            firewall {
                local {
                    name WAN_LOCAL
                }
            }
        }
        vif 30 {
            description "VLAN30 IoT"
            disable
            mtu 1500
        }
    }
    ethernet eth1 {
        address 192.168.10.1/24
        description Local
        duplex auto
        firewall {
            local {
                name Torrent
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface eth1
    lan-interface eth0.20
    rule 1 {
        description torrent
        forward-to {
            address 192.168.10.72
            port 45100
        }
        original-port 45100
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 103.14.68.2
                dns-server 103.14.68.3
                domain-name **.nextav.co.nz
                lease 86400
                start 192.168.10.20 {
                    stop 192.168.10.100
                }
                unifi-controller 192.168.10.253
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface pppoe0 {
                service dyndns {
                    host-name **.nextav.co.nz
                    login ***
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on pppoe0
            listen-on eth0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
    upnp {
        listen-on eth1 {
            outbound-interface pppoe0
        }
    }
    upnp2 {
        listen-on eth1
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}
system {
    host-name *****
    login {
        user admin {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
        user *** {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "** **"
            level admin
        }
        user ** {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name ***
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Pacific/Auckland
}
vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username *** {
                        password ****************
                    }
                    username *** {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.11.100
                stop 192.168.11.110
            }
            mtu 1492
        }
    }
}




dfnt
#2415121 9-Feb-2020 15:17
To start with, your VLAN is on the wrong interface. It should be on either eth1 or eth2, as eth0 is your WAN interface.

It has no IP address and no DHCP configuration for that VLAN/subnet either, so it's never going to get an address.

Is your AP capable of VLAN tagging? Do you have a switch capable of VLAN tagging? Without either of these things you're not going to be successful with this endeavour.


grayskull
#2415167 9-Feb-2020 15:59

dfnt:
To start with, your VLAN is on the wrong interface. It should be on either eth1 or eth2, as eth0 is your WAN interface.
It has no IP address and no DHCP configuration for that VLAN/subnet either, so it's never going to get an address.

Cool, thanks for pointing that out. I think I've sorted that out by deleting VLAN20 then recreating it under eth1, assigning it a subnet, then sorting DHCP as per the 2 screenshots below?

[2 screenshots]

dfnt:
Is your AP capable of VLAN tagging? Do you have a switch capable of VLAN tagging? Without either of these things you're not going to be successful with this endeavour.

I have a UniFi CloudKey and am using the UniFi management system for the UniFi APs via that. It has an option to use a VLAN, so I have used the VLAN ID of 20 for the "skullduggery_kids" network.

[screenshot]

Having done all this, I can now connect to the skullduggery_kids wifi, and it assigns an IP of 192.168.20.20 - albeit it takes ages to assign? But then I can't reach any webpages, so I must be missing something with DHCP or have configured that incorrectly?

Thanks, appreciate the help.




dfnt
#2415209 9-Feb-2020 16:12

Excellent :)

Yep, you just need to make the DHCP server authoritative for that subnet.

SSH to your EdgeRouter, or you can do it in the config tree view:

configure
set service dhcp-server shared-network-name FAMILY authoritative enable
commit
save

If your kids are smart enough, they can manually change their DNS server to whatever they like.

You can create a NAT rule which will redirect any DNS query within that VLAN's subnet to the CleanBrowsing DNS servers.
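An added example of the DNS-redirect NAT rule described above, written as EdgeOS set commands; it is not dfnt's or Ubiquiti's own configuration. It assumes VLAN20 now lives on eth1 as eth1.20 with the subnet 192.168.20.0/24 and the shared network named FAMILY, and the CleanBrowsing Family resolver addresses are placeholders to be filled in from the CleanBrowsing page linked in the first post.

```text
configure

# Hand VLAN20 clients the filtering resolvers via DHCP.
# <CLEANBROWSING_FAMILY_IP_1/2> are placeholders: take the real
# addresses from the CleanBrowsing Family filter page.
set service dhcp-server shared-network-name FAMILY subnet 192.168.20.0/24 dns-server <CLEANBROWSING_FAMILY_IP_1>
set service dhcp-server shared-network-name FAMILY subnet 192.168.20.0/24 dns-server <CLEANBROWSING_FAMILY_IP_2>

# Destination NAT. EdgeOS numbers destination NAT rules 1-4999 and
# source NAT rules 5000-9999, which is why the existing masquerade
# is rule 5010. Every DNS query (TCP or UDP port 53) arriving from
# the VLAN20 subnet is rewritten to the filtering resolver, so a
# client that manually enters some other resolver is still answered
# by the family filter. Queries already aimed at the resolver are
# rewritten to the same address, which is harmless.
set service nat rule 10 description "Force VLAN20 DNS to CleanBrowsing"
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth1.20
set service nat rule 10 protocol tcp_udp
set service nat rule 10 source address 192.168.20.0/24
set service nat rule 10 destination port 53
set service nat rule 10 inside-address address <CLEANBROWSING_FAMILY_IP_1>
set service nat rule 10 inside-address port 53

commit
save
```

Port-53 redirection does not cover DNS over HTTPS or DNS over TLS, so a client with encrypted DNS enabled can still bypass the filter. To check the rule, run a query from a VLAN20 client against any other resolver address and confirm the answer still comes back filtered.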

 

 

 

 


Spyware
#2415213 9-Feb-2020 16:18

Router address should be 192.168.20.1







grayskull
#2415257 9-Feb-2020 16:52

dfnt:
Excellent :)
Yep, you just need to make the DHCP server authoritative for that subnet.
If your kids are smart enough, they can manually change their DNS server to whatever they like.
You can create a NAT rule which will redirect any DNS query within that VLAN's subnet to the CleanBrowsing DNS servers.

He's only 9 but probably not far off being able to do that :O I figured I'd get the basics working first, then move on to creating a suitable NAT rule.

OK, ran those commands via SSH, but still can't load any internet pages? So then I tried changing the router address as below?

Spyware:
Router address should be 192.168.20.1

When I updated the router to 192.168.20.1, I got the following error:

Warning: No DHCP start-stop range or active static-mapping set for subnet 192.168.20.0/24
Warning: No DHCP start-stop range or active static-mapping set for subnet 192.168.20.1/24
Conflicting subnet ranges: 192.168.20.1/24 overlaps 192.168.20.0/24
Conflicting subnet ranges: 192.168.20.0/24 overlaps 192.168.20.1/24
DHCP server configuration commit aborted due to error(s).
service dhcp-server

 

 

 


 
 
 
 

grayskull
#2415263 9-Feb-2020 17:02

Doh, solved it - a mess of my own making.

Had to go back into the DHCP Server detail for the Family network and re-enter the range start & stop after I'd deleted and recreated the DHCP server for that Family network.

DNS Leak test is getting stuck on the "Waiting for Results" page on my phone but not on my PC. Fix one thing, break another...

Thanks for all your help. Now onto creating that NAT rule, once I confirm the CleanBrowsing DNS is working as intended.

Cheers

