Скачать или смотреть Our first x86 OpenWRT Firewall setup part 2 Multiple Public ips MacVlans VLans the smart easy way

#OpenWrt #x86 #Marvell #AQC113C #10gb #PCIe #Upstream #Downstream #VLan #PublicIpAddresses


******Validate after re-upload*************
Update 1 June 2025 - Wi-Fi only works with interfaces that are using Bridge devices, you cannot use a Vlan device directly like so many tutorials have shown anymore. At least since using 24.10 the Wi-Fi now REQUIRES a bridge device to be used on the interface you attach it to in the wireless settings for a particular SSID. It will not work with an Interface using ANY other device that is NOT a regular bridge. ALSO, you now need to specify a rule (OpenWRT -- Network -- Firewall -- Traffic Rule) allowing the firewall zone you assign to the vlan interface to PING the router. If you don't do this, the Wi-Fi device will fail to get an ip address, this is something new and could be fixed later on, so test without it first and if the Wi-Fi device still can't get an ip address, try adding a ping rule for the zone the interface is tied to. so:

Name: - whatever you want
Protocol: ICMP
Source zone: Firewall zone you assigned to the interface
source address: Not needed
Destination zone: Device (Input)
everything else not needed to be changed

Side note: Don't worry about anything I don't mention like the MTUs I set to 9000, that's for jumbo frames which I'm doing some testing on regarding ipv6 specifically

0:00 Let's pick it back up from where we were
0:40 Flashing the routers and showing the new recovery state in OpenWrt
*Rebooting sometimes puts it out of it, otherwise you have to reflash it WITH the sysupgrade file versions.
4:20 Continuing with the snapshots since we live life on the edge

ssh [email protected]
apk update && apl add luci

11:08 Now let's setup the upstream router

Packages to install: kmod-macvlan luci-app-mwan3

14:30 Now setting up the devices and interfaces

-- 1. When using MacVlans the main device CANNOT be used by anything (Example: Macvlan from port 1, port 1 SHOULD NOT be used anywhere, only the MAcVlan Device made off of it).

-- 2. For the love of god, don't push your luck getting more than 2 public ip addresses and blowing our methods up so nobody can do this. Of course it's only a matter of time, but lets enjoy this while we can until they start giving out ipv6 public ip addresses.

18:30 Setting up multiple internet interfaces

-- 3. Mwan3 specific: Requires DNS and Gateway metrics to be used on each internet bound interface, please pay attention to that and adjust how you want. I set a weight of 1 on the main wan interfaces, and then a weight of 2 on the backup interfaces,

24:00 Important, bridging the two VLan devices to ensure pathway

-- 4. Vlan Devices don't always communicate with each other on the same router, so I recommend putting a downstream VLan device (Lan ports) on the same bridge as the upstream VLan port (wan port). There's probably more ways to do this, but this is what I did.

30:10 Now setting up the Firewall Zone for the VLan and GUI Access
33:00 Recap of what we did for the Upstream router
35:03 Now touching the MultiWan3 stuff

-- 5. mwan3 Interface names MUST match the name of the interface on OpenWrt

-- 6. Helpful public DNS addresses you can set:
-- -- -- -- OpenDNS: 208.67.222.222 || 208.67.220.220
-- -- -- -- Cloudflare: 1.1.1.1 || 1.0.0.1
-- -- -- -- Google: 8.8.8.8 || 8.8.4.4
**IPv6 DNS Addresses:
-- -- -- -- Cloudflare: 2606:4700:4700::64 || 2606:4700:4700::6400
-- -- -- -- Google: 2001:4860:4860::8888 || 2001:4860:4860::8844

48:38 *Note: change ALL rules you need, I forgot the https rule
52:20 Now testing that the multiple internet interfaces work.

**Skippable --
54:20 Future me showing the public ips being obtained and used
I don't live in the area or have public ip addresses even closely related, so I deemed it fine to still show this, also why it took me a minute to release the vid as it was the last ones I made just before moving and didn't have time to edit and release before having to move.

Also, if you wait long enough, the router does get a second ip address, it just takes longer then you'd expect. The delay could of been firmware related also, as since a firmware, the router gets the ip addresses much faster now, remember I'm using snapshots so your experience may differ.

1:03:48 I know, I can't help myself to not try and figure it out live
-- Skippable**

1:12:14 Now back to setting up the downstream router
1:16:00 The best part yet, VLan'd Wi-Fi Devices

-- 7. in the SSID settings, if you go to Interface Configuration - Advance Setting, there's a "interface name" section where you can actual name it do it's not the default phy0-ap0 type of names for the Wi-Fi devices.

1:24:10 Verify everything works and setting some last setting changes
1:27:45 Tired, but going to show I can connect to my firewall still
1:31:50 This is why it's SOOOO important to reboot to verify
*Remember x86 devices sometime need to be powered off and back on as rebooting doesn't always bring everything up

1:38:20 Final Recap