Bridge VLAN filtering

I want all untagged traffic to go through VLAN 99, but if any traffic is tagged to n then it should go through VLAN n, in this case any tagged traffic should go through VLAN 10. Is this configuration correct?

Following on from this, what if both were set to tagged but I had 99 set to PVID, would this have the same effect?


This would be invalid. A VLAN can be tagged or untagged (the * is the PVID indicator which applies to untagged networks, I'm not honestly sure what the difference is between u and u*). You cannot have a network that is both tagged and untagged/PVID.

Your configuration above is correct.

Untagged means packets from VLANs you set will go out on that port without a VLAN tag. PVID means packets that come in from that port without any tag will receive that set VLAN tag. You can set multiple VLANs to untagged, but usually just one for PVID.


Right... this I know. However, in practice, it seems that setting u and u* have the same result... if the PVID was actually set by the * and was required, that would make it more like some managed switches (more below). However, you don't actually need the * from what I can tell (although I always recommend including it).

This can be read 2 ways... I'm curious what you were intending:

  1. Any/all VLANs set as untagged on a port may egress packets out of that port, but the PVID defines the ingress assignment for untagged frames
    -- or --
  2. Multiple VLANs can be set as untagged on a port, but the PVID setting, which technically sets the ingress VLAN association, will also set the active VLAN for egress (such that there is only one VLAN allowed to egress).

While there may be an academic reason to consider option 1, I haven't ever seen a case where frames egress untagged and return tagged (presumably what would happen/be required if you set u so that it is not the PVID). Therefore, with the potential exception of broadcast packets, there would be no practical use for such a configuration since egress traffic would never manage to get the ingress return traffic.

Following on my above assertion and understanding of the 802.1Q spec, only one VLAN may be active as untagged on a port at a time. There are some smart switches that allow you to set multiple networks as untagged, and then you use the PVID option to select which of those is active.

I know that both TP-Link and Netgear have switches where this is the method of configuration. In those devices, you first set a network to tagged, untagged, or excluded from a port. Then, if it is untagged, you can set the PVID with that VLAN ID and traffic from that VLAN will indeed be untagged. Any other networks that were assigned port membership as untagged are simply ignored (unless option #1 above is actually what is happening, but that seems unlikely). I find it a bit odd that you have to set a VLAN in two places to make it untagged on a port, but that's the way it works for those devices. I often view this as "multiple VLANs are available to be used as the PVID/untagged VLAN on the port, but only one may be selected." Maybe this makes administration a bit easier when you want to change the PVID when you've got lots of VLANs -- you don't have to find which VLAN was set as untagged and exclude it and then go to the one you want to make active and select add it as untagged.

Contrast that with something like the ER-X. When VLAN-aware mode is enabled, you can only set PVID and VID (tagged) VLANs for each port. Only a single VLAN can be in the PVID field (which of course makes sense). But there is no way to make a port an untagged member of a VLAN and not make it the PVID. IMO, this actually makes more sense than the way that the TP-Link/Netgear devices handle untagged networks.

Back to OpenWrt, I haven't yet seen a situation where there is a difference between u and u* -- it is possible that if there are multiple VLANs with a port set up as u, the one with u* will take precedence and the others will be ignored. But, IMO, it is best practice to always ensure that only one (or zero) untagged VLAN is present on any given port.

That said, @devast - if I have any of this wrong, please help me understand the practical difference between u and u* and when/why a user would ever want/need multiple VLANs assigned as u on a given port. This is something I've been trying to figure out for a while... I've asked a few people in other threads or PMs and gotten a :person_shrugging:
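As an added illustration (not code from anyone in this thread), here is a small Python model of how a Linux bridge port with OpenWrt's u, u* and t flags handles ingress and egress under option 1 above, including the round trip the post describes: a frame that egresses untagged on a non-PVID VLAN comes back untagged and is assigned to the PVID VLAN instead. The flag semantics and the sample port membership are assumptions of this model, chosen to match the thread's discussion.

```python
# Added example: model of 802.1Q ingress/egress on one bridge port.
# Flags follow OpenWrt's bridge VLAN UI: "t" = egress tagged,
# "u" = egress untagged, "u*" = egress untagged and PVID for ingress.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Frame:
    vid: Optional[int]          # None means no 802.1Q tag on the wire
    payload: str = ""


@dataclass
class Port:
    membership: Dict[int, str]  # VLAN id -> "t" | "u" | "u*"
    pvid: Optional[int] = field(init=False, default=None)

    def __post_init__(self) -> None:
        pvids = [v for v, flag in self.membership.items() if flag == "u*"]
        if len(pvids) > 1:
            raise ValueError("a port can have only one PVID")
        self.pvid = pvids[0] if pvids else None

    def ingress(self, frame: Frame) -> Optional[int]:
        """VLAN the frame is assigned to inside the bridge; None = dropped."""
        if frame.vid is None:
            # Untagged frame: assigned to the PVID; with no PVID it is dropped.
            return self.pvid
        # Tagged frame: admitted if the port is a member of that VLAN at all
        # (membership admits, the u/t flag only decides egress tagging).
        return frame.vid if frame.vid in self.membership else None

    def egress(self, vid: int, payload: str) -> Optional[Frame]:
        """Frame as it leaves the port for bridge VLAN `vid`; None = not sent."""
        flag = self.membership.get(vid)
        if flag is None:
            return None                  # not a member: not forwarded here
        if flag == "t":
            return Frame(vid, payload)   # leaves with its tag intact
        return Frame(None, payload)      # "u" or "u*": tag stripped


def round_trip(port: Port, vid: int) -> Optional[int]:
    """Send on `vid`, assume the peer replies in kind, return the reply's VLAN."""
    out = port.egress(vid, "request")
    if out is None:
        return None
    reply = Frame(out.vid, "reply")      # untagged out -> untagged back
    return port.ingress(reply)


# Constructed sample port: 99 untagged+PVID, 10 tagged, 20 untagged but not PVID.
SAMPLE_PORT = Port({99: "u*", 10: "t", 20: "u"})
```

With the sample port, traffic sent out on VLAN 20 returns into VLAN 99, which is the practical problem with an untagged non-PVID VLAN that the post points out.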

Exactly. Technically #1 is correct. OpenWrt just does this so it hides it from you:

Some other networking devices do not do any obfuscation. Some do it with different constraints, like ER-X.

Edit: Weird setup example:


So @devast , follow up questions:

  • for the untagged VLANs that are not pvid, do they actually listen for tagged frames on ingress?

  • is there a practical application where the untagged-non-pvid configuration (when you have a different vlan set as pvid) actually does something useful?

That's a very good question. I guess you need to try it :sweat_smile:. Generally, if ingress 802.1Q VLAN tags are filtered on the port, then it will only admit them if that VLAN is set to tagged. If there is an option on your device to set VLAN x to untagged but also not filter ingress VLAN tags (just admit them all), then maybe. Though I never did anything like this.

No clue, haven't done anything like that :slight_smile: But in my previous post there's a link with an example.

What about multicast? Video streams from multiple VLANs delivered untagged to one port. Wild guess :wink:


Untagged, Tagged and PVID

Egress Untagged, Egress Tagged and PVID Examples

Do those parts of the documentation help you understand the meaning of the UI?


:slight_smile: Having all links in one-box mode here hides the fact that I linked 3 sections on the same page. Headlines added.


I have bookmarked this thread, very useful, thank you all

Thanks for all the help guys! I get tagged and untagged but the PVID throws me off a little bit in certain situations. I understand that if a port had two VLANs untagged, the one set with PVID would be the one incoming traffic would be assigned to but then I still don't understand how you can have two VLANs untagged on one port without a PVID set (because which one would it assign to)?

How would a port with one VLAN tagged and set to PVID and the other VLAN untagged work?


Going by what was said above, I guess PVID would have no effect on a tagged port unless there was another VLAN that was tagged on the same port. But with two tagged VLANs and one set to PVID, this would allow untagged traffic to be assigned to the VLAN which has the PVID, but then surely at this point you should just use untagged?

From a while ago, it maybe answers some question regarding u and u* and PVID, too: Yet another DSA-"I still have questions"-thread


So the setup I have now works (the picture in my first post).

I have a Meraki MR42 running OpenWrt... how would I tell it to use its only LAN port as a tagged VLAN 10 port? What I've done so far is add a new 802.1Q VLAN tagged 10 in the devices tab, then I've set the lan interface to use br-lan.10. I can see that this is working because the AP picks up an IP address in that VLAN's subnet. Cool. But now I can't get wireless devices connected to that AP to use VLAN 10 (they are still using VLAN 99, and it's as if the traffic is untagged), because I can tell from the subnet given to me through DHCP.

This is really baffling my head :smiley:

You need to associate your wifi to the interface where the vlan 200 is bridged to ...