Cannot get VLANs beyond port numbers to work

Installing and Using OpenWrt Network and Wireless Configuration
1

I think I'm maybe doing something wrong with vlan names but can't find anything differing from the config I have...

Vlans matching the ethernet ports work ok (e.g. eth0.3 or eth0.4) but as soon as I try anything like vlan eth0.8 or eth0.10 nothing happens.

The router is a BT Homehub 5A running OpenWrt 18.06.1.

I’m trying to set this up for an old D-Link DAP-2360 access point which does not support isolation of WiFI clients other than with vlans.

The AP works fine on vlan 4 but since I set it with a lan PVID of 10 I can no longer access its configuration. The vlan 4 route through that is still working fine though.

Testing has been via a managed switch and lots of cable swapping. There is an unmanaged port and a trunk port from the router to the switch.
The switch trunk ports (router & AP) is set to tagged on all 3 vlans.

Vlan 4 always provides a DHCP lease when the port connecting my laptop to the switch is set to vlan 4. Switching to vlan 8 or 10 provides no DHCP leases.

swconfig dev switch0 help:

switch0: eth0(Lantiq XRX200 Switch), ports: 7 (cpu @ 6), vlans: 64
     --switch
	Attribute 1 (int): enable_vlan (Enable VLAN mode)
	Attribute 2 (none): apply (Activate changes in the hardware)
	Attribute 3 (none): reset (Reset the switch)
     --vlan
	Attribute 1 (int): vid (VLAN ID (0-4094))
	Attribute 2 (int): enable (Enable VLAN)
	Attribute 3 (ports): ports (VLAN port mapping)
     --port
	Attribute 1 (int): uvr (Unknown VLAN Rule)
	Attribute 2 (int): vsr (VLAN Security Rule)
	Attribute 3 (int): vinr (VLAN Ingress Tag Rule)
	Attribute 4 (int): tvm (Transparent VLAN Mode)
	Attribute 5 (int): pvid (Primary VLAN ID)
	Attribute 6 (unknown): link (Get port link information)

Config is as follows.
‘wifi’ (eth0.4) is the working vlan.

Network:

config interface 'wifi'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.40.1'
        option ifname 'eth0.4'
        option gateway '192.168.0.1'

config interface 'wifi_guest'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.41.1'
        option ifname 'eth0.8'
        option gateway '192.168.0.1'

config interface 'wifi_guest2'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.42.1'
        option ifname 'eth0.10'
        option gateway '192.168.0.1'

Firewall:

config zone
        option name 'wifi'
        option network 'wifi'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wifi_guest'
        option network 'wifi_guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wifi_guest2'
        option network 'wifi_guest2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option dest 'wan'
        option src 'wifi'

config forwarding
        option dest 'wan'
        option src 'wifi_guest'

config forwarding
        option dest 'wan'
        option src 'wifi_guest2'

DHCP:

config dhcp 'wifi'
        option interface 'wifi'
        option limit '150'
        option leasetime '1h'
        option start '100'

config dhcp 'wifi_guest'
        option interface 'wifi_guest'
        option limit '150'
        option leasetime '1h'
        option start '100'

config dhcp 'wifi_guest2'
        option interface 'wifi_guest2'
        option limit '150'
        option leasetime '1h'
        option start '100'
2

You forgot to post the part of "/etc/config/network" where you define the VLANs.

3

Doh, sorry about that.

Here it is:

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0 6t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '4t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '8'
        option vid '8'
        option ports '4t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option vid '10'
        option ports '4t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '2 6t'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'
        option vid '2'
4

Please try to keep the "vlan" numbers continuous, like that:

vlan | vid
   1 |   1
   2 |   2
   3 |   3
   4 |   4
   5 |   5
   6 |   8
   7 |  10
5

What are you using vlans 2 3 and 5 for? If you want LAN ports all in the same network just put them in the same VLAN.

'vlan' is an index in the switch's internal table, and 'vid' is the tag number that goes out on the port. Some switches do not work with 'vlan' numbers higher than 15, but you can set 'vid' to any number 1-4094.

Use swconfig dev switch0 show to see the actual running configuration in the switch.

6

Thanks for the advice, here is the full, updated network config file with some potentially sensitive parts removed:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdec:bd74:da18::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option xfer_mode 'ptm'
	option line_mode 'vdsl'
	option annex 'b'
	option tone 'a'
	option ds_snr_offset '0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	option ifname 'eth0.1'

config interface 'lan2'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.50.1'
	option ifname 'eth0.5'

config interface 'lan3'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.30.1'
	option ifname 'eth0.3'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

config interface 'wifi'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.40.1'
	option ifname 'eth0.4'
	option gateway '192.168.0.1'

config interface 'wifi_guest'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.41.1'
        option ifname 'eth0.8'
        option gateway '192.168.0.1'

config interface 'wifi_guest2'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.42.1'
        option ifname 'eth0.10'
        option gateway '192.168.0.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '00:37:b7:28:ce:94'

config interface 'wan'
	option proto 'dhcp'
	option release '0'
	option peerdns '0'
	option dns '8.8.8.8 8.8.4.4'
	option clientid 'XXXXXXX'
	option macaddr 'XXXXXXX'
	option vendorid 'XXXXXXX'
	option _orig_ifname 'eth0'
	option _orig_bridge 'false'
	option ifname 'dsl0.101'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'
	option reqprefix '56'
	option peerdns '0'
	option norelease '1'
	option dns 'XXXXXXX'
	option reqaddress 'none'
	option macaddr 'XXXXXXX'

config device 'wan_dev'
	option macaddr 'XXXXXXX'
	option name 'dsl0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0 6t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '4t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '6'
        option vid '8'
        option ports '4t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '7'
        option vid '10'
        option ports '4t 6t'```
7

I think vlan 2 was autogenerated for WAN. Vlans 3 and 5 were for testing.

swconfig dev switch0 show:

Global attributes:
	enable_vlan: 1
Port 0:
	uvr: 0
	vsr: 0
	vinr: 0
	tvm: 0
	pvid: 3
	link: port:0 link:down
Port 1:
	uvr: 0
	vsr: 0
	vinr: 0
	tvm: 0
	pvid: 1
	link: port:1 link:up speed:1000baseT full-duplex auto
Port 2:
	uvr: 0
	vsr: 0
	vinr: 0
	tvm: 0
	pvid: 5
	link: port:2 link:down
Port 3:
	uvr: 0
	vsr: 0
	vinr: 0
	tvm: 0
	pvid: 1
	link: port:3 link:down
Port 4:
	uvr: 0
	vsr: 0
	vinr: 0
	tvm: 0
	pvid: 1
	link: port:4 link:up speed:1000baseT full-duplex auto
Port 5:
	uvr: 0
	vsr: 0
	vinr: 0
	tvm: 0
	pvid: 2
	link: port:5 link:down
Port 6:
	uvr: 0
	vsr: 0
	vinr: 0
	tvm: 0
	pvid: 1
	link: port:6 link:up speed:1000baseT full-duplex auto
VLAN 1:
	vid: 1
	enable: 1
	ports: 1 6t 
VLAN 2:
	vid: 2
	enable: 1
	ports: 5 6t 
VLAN 3:
	vid: 3
	enable: 1
	ports: 0 6t 
VLAN 4:
	vid: 4
	enable: 1
	ports: 4t 6t 
VLAN 5:
	vid: 5
	enable: 1
	ports: 2 6t 
VLAN 6:
	vid: 8
	enable: 1
	ports: 4t 6t 
VLAN 7:
	vid: 10
	enable: 1
	ports: 4t 6t

Thanks

8

The VLAN numbering and VLAN tagging in OpenWrt can be somewhat confusing.

As I understand it, there is a table of entries in an internal that is keyed on option vlan that can be limited in number, perhaps as small as 8 or 16. If option vid is not specified, then the VLAN tag in the frame is the same as the table row number taken from option vlan. It can be overridden with option vid (which I make a practice of for all my VLANs).

The Linux kernel doesn't know about this driver construct, so the ifN.VLAN notation refers to the tag.

Just to keep you on your toes, the PVID for a switch port is, as I recall, by table number, not by VLAN tag.