Advice on how to VLAN tag two ports same id

Been trying to get this working as I've seen it achieved on Ubiquiti, Mikrotik, Pfsense box setups.

I would like my Belkin F9K1115 v2 running OpenWRT to be my home's main router and have the ISP router sit behind it just as an ATA for my phone line.

My internet installation:

Direct fiber cable --> ISP supplied ONT / ONT WAN port connected to ISP supplied VOIP router which my phone line is also connected to.

I have successfully set up and connected my Belkin to the ONT and have internet access without problems.

Belkin's IP is 192.168.1.1; the WAN interface is a DHCP client and is VLAN 20 tagged.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdaf:0c14:af23::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.20'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '20'
	option ports '0t 1t 5t'

I've given the ISP router a static IP 192.168.2.1 and disabled its DHCP server.

I've got it working by making LAN port 4 of the Belkin a second WAN port and connecting it to the WAN port of the ISP router, both routers get a different public IP address from my ISP and internet and VOIP works.

Not sure I should be getting two public IP addresses but at the moment it's working at the cost of half my line's speed.

My original idea was to create a new interface with a static IP 192.168.3.1 in the Belkin, a DHCP server on that interface and tag LAN port 4 with id 20, but OpenWrt doesn't let you tag two ports with the same VLAN id.

I've tried a few other configs but without success.

Any help is appreciated.

You can't do that. The switch considers only the VLAN tag of a packet to decide how to switch it. So you can't have it send some VLAN20 packets out one port and some out another.

Maybe install a USB Ethernet adapter then you can specify eth1.20 for the phone traffic.

1 Like

That's what I thought but others have made it work using a Ubiquiti router for example.

Here is a config backup that a user posted and is said to work:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    name INTERNET_LOCAL {
        default-action drop
        description "Trafico de internet a Router"
        rule 1 {
            action accept
            description "Permitir establecidas o relativas"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Deniega no validas"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description "permite icmp"
            log disable
            protocol icmp
        }
        rule 4 {
            action accept
            description "permitir gestion remota"
            destination {
                port 22,443
            }
            disable
            log disable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        poe {
            output off
        }
        speed auto
        vif 20 {
            address dhcp
            description Internet
            firewall {
                local {
                    name INTERNET_LOCAL
                }
            }
        }
    }
    ethernet eth1 {
        description "A WAN Router Jazztel"
        duplex auto
        poe {
            output off
        }
        speed auto
        vif 20 {
            address 192.168.100.1/24
        }
    }
    ethernet eth2 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
port-forward {
    auto-firewall disable
    hairpin-nat disable
    lan-interface switch0
    rule 1 {
        description ejemplo
        forward-to {
            address 192.168.1.10
            port 8889
        }
        original-port 8889
        protocol tcp
    }
    wan-interface eth0.20
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name dhcp1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.199
                }
            }
        }
        shared-network-name dhcp2 {
            authoritative disable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 192.168.100.1
                lease 86400
                start 192.168.100.100 {
                    stop 192.168.100.199
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on eth1.20
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            description Masq_Internet
            log disable
            outbound-interface eth0.20
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
    upnp2 {
        listen-on switch0
        nat-pmp enable
        secure-mode disable
        wan eth0.20
    }
}
system {
    config-management {
    }
    conntrack {
        expect-table-size 4096
        hash-size 4096
        modules {
            sip {
                disable
            }
        }
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name Router
    login {
        user ubnt {
            authentication {
                encrypted-password $6$PYuiCrphePD3S7$jBrtiG82dkFX23seLsBInYUaI9.S5yIROhLAPHLXpb.azrT2Tdctq/HbpO5vtBtVkuW/WsK3JOIpe6Up1B8KU1
                plaintext-password ""
            }
            full-name ubnt
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
            vlan enable
        }
        ipv6 {
            forwarding disable
        }
    }
    static-host-mapping {
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Madrid
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.0.4853089.160219.1607 */

Can you change the ISP's router to either turn off its VLAN tagging or change its ID to something other than 20?
If so, you can get it to work.
Then you may have to see if the VoIP side will be affected by double NAT.

1 Like

I can change it and get internet to work but the phone doesn't.

I suppose I just need to understand how to interpret the Ubiquiti config and mimic it on OpenWRT.

Was your ISP's router getting an IP from the OpenWrt one?
And did you make sure your OpenWrt IP range was different to your ISP's?

1 Like

It is possible that the Ubiquiti has its WAN port separate and not part of the switch.

1 Like

The simplest way to enable routing between the two VLANs is to simply connect an additional port from each VLAN into a Router. The Router doesn't know that it has two connections to the same switch, nor does it need to. The Router operates like normal when routing packets between two networks.

1 Like

ISP router was getting an IP address from the OpenWRT router on the new interface and internet connected but the phone line was down.

Thank you all for your help.

Could you explain how I would set this up and do I need a manageable switch or another router?

@Gingernut

It's not really clear to me what you're trying to accomplish. Would you be able to describe what is on the cable coming from your ISP and what you want to go where?

1 Like

Please make sure that the OpenWrt router has a different LAN subnet to the ISP's router,
say 192.168.2.x for OpenWrt and 192.168.1.x for the ISP's.
If the basic internet works on the ISP's router and the phone doesn't, then
either the phone interface "ATA" won't work behind another NAT,
or maybe ATA and internet are on different VLANs or something to the internet.

1 Like

My ISP supplies a direct fiber line which goes to their ONT, to the ONT's only port their router/ATA box is connected, my home's phone line goes to the rj12 phone port on the ISP router.

I have to leave in place the ONT which isn't a problem but if I replace the ISP router with my Belkin I lose my home phone line and I wanted to keep it if possible.

My ISP syncs internet and VoIP over VLAN 20.

This is exactly how I had the setup and the phone doesn't work.

As I said, I have everything working right now by having a LAN port of the Belkin on eth0.20, tagged and connected to the WAN port of the ISP router.

So they're both on the same VLAN coming in to your router, yes?

If so, then you'd probably need to be able to distinguish between them at a packet level to be able to "split" them off from one another. Your ISP-supplied device probably does this by having a "listener" there, so it grabs the traffic for the VOIP before routing the rest.

While I can think of ways to sort of do it, it becomes complicated if there are devices in your own network that use similar protocols. Without knowing just what those packets look like, there's a lot of speculation involved.

Yes both use the same VLAN.

The tutorials I've seen it working for are Pfsense, Mikrotik & Ubiquiti and they always create a second VLAN20 on a LAN port.

Thanks for the help btw.

Ultimately, I think you need a device with the ports that are separate (or separable) from the switch. It is likely that the Belkin unit has all 5 ports on the same switch. This means that any VLANs configured on the switch (which is all ports in this case) are switched, not routed, so if you define VLAN20 to operate on the physical port associated with the WAN and also on the physical port(s) on the LAN, it essentially acts as a pass-through, rather than 2 independent routed networks. In the case of the EdgeRouter configs, the relevant ports are removed from the switch so that each acts as a fully routed port and can have the same VLAN IDs on multiple ports that are actually different networks, rather than a pass-through.

If you have an extra router or smart/managed switch around, a hack would be to set the network as untagged out of the Belkin (OpenWrt) and PVID = 20 (i.e. untagged frames associated with VLAN 20) on the second device. On another port on the second device, connect your ultimate target to a port that has been configured with tagged VLAN 20. You might want to configure a separate VLAN (using a different ID than 20, but to be transformed to VLAN 20 via the second device) on your OpenWrt Belkin device and then send that out untagged as described before.

Or you could do a double-NAT config and achieve something similar. Or do this with a device that has individually routed ports accessible at the user level (rather than all via the same switch).

2 Likes
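
The pass-through behaviour described in the post above, as an added example that is not part of the original thread: a small Python model of a VLAN-aware switch, fed the two `switch_vlan` sections from the first post. The forwarding rule is a simplification (broadcast flooding only, no MAC learning), and reading port 0 as the ONT-facing port, port 1 as the port cabled to the ISP router and port 5 as the CPU port behind `eth0` is an assumption.

```python
import re

# The two switch_vlan sections from the first post (whitespace normalised).
SWCONFIG = """
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '2 3 4 6t'

config switch_vlan
    option device 'switch0'
    option vlan '20'
    option ports '0t 1t 5t'
"""

def parse_switch_vlans(text):
    """Return {vid: {port: is_tagged}} for every swconfig switch_vlan section."""
    vlans = {}
    for section in re.split(r"^config\s+", text, flags=re.M):
        if not section.startswith("switch_vlan"):
            continue
        opts = dict(re.findall(r"option\s+(\w+)\s+'([^']*)'", section))
        vid = int(opts.get("vid", opts["vlan"]))  # vid falls back to the vlan number
        vlans[vid] = {int(p.rstrip("t")): p.endswith("t")
                      for p in opts["ports"].split()}
    return vlans

def egress(vlans, in_port, vid):
    """Ports a broadcast frame in `vid` floods to (simplified model).
    Only VID membership matters; the switch has no notion of 'WAN side' or 'LAN side'."""
    members = vlans.get(vid, {})
    if in_port not in members:
        return {}  # ingress port is not a member, so the frame is dropped
    return {p: "tagged" if t else "untagged"
            for p, t in members.items() if p != in_port}

def same_l2_domain(vlans, a, b):
    """VIDs in which ports a and b share one broadcast domain."""
    return sorted(v for v, m in vlans.items() if a in m and b in m)

if __name__ == "__main__":
    vlans = parse_switch_vlans(SWCONFIG)
    # A DHCP discover from the ISP router (assumed on port 1), tagged VLAN 20:
    print("port 1, VID 20 ->", egress(vlans, 1, 20))
    print("ports 0 and 1 share VIDs:", same_l2_domain(vlans, 0, 1))
```

In this model a VLAN 20 frame entering on port 1 leaves on port 0 and on the CPU port unchanged, so the ISP router sits directly on the ISP's VLAN 20 rather than on a separate routed network behind the Belkin.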

The DSA switch framework would support this, the swconfig API doesn't.

1 Like
