Can't get trunking working through Netgear GS108Ev3 switch

Hi there.

I have just introduced VLANs into my setup -- something I had wanted to do for years, but I never managed to find the time...

I was fortunate enough to have a couple of routers for a lab setup, so that is how I prepared everything. When I was happy with it, I wanted to roll it out onto my production setup, and then I noticed that something I couldn't deploy in my test setup (my Netgear GS108Ev3 switch, of which I only have a single device) was actually causing issues.

My high-level design is as follows:

  • Linksys WRT1900ACS as my internet router, running OpenWrt 22.03.2
  • Netgear R6220 as access points (I have two of them), running OpenWrt 22.03.5
  • Netgear GS108Ev3, latest FW version V2.06.24EN, as my "core switch"

Low-level design:

  • VLANs 10 (home), 20 (IoT), 30 (guest)
  • corresponding networks to the above
  • dedicated SSIDs for each of these VLANs, bound to the corresponding networks

My idea was to have a "trunk" port on each of my APs, and on my router, and connect all APs to the router via the above mentioned Netgear "core switch." This doesn't work, however. If I connect the AP directly to the router (with the trunk ports "back-to-back"), it works. So I believe my VLAN setup on the Netgear switch must be broken, but I don't see how?!

Here's my router's setup (excerpts, pastebin for better readability):

config device
        option type 'bridge'
        option name 'switch'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'switch.10'
        option type '8021q'
        option ifname 'switch'
        option vid '10'
        option acceptlocal '1'

config device
        option name 'switch.20'
        option type '8021q'
        option ifname 'switch'
        option vid '20'
        option acceptlocal '1'

config device
        option name 'switch.30'
        option type '8021q'
        option ifname 'switch'
        option vid '30'
        option acceptlocal '1'

config bridge-vlan
        option device 'switch'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'switch'
        option vlan '20'
        list ports 'lan2:u*'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'switch'
        option vlan '30'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'switch'
        option vlan '90'
        option local '0'

config interface 'home'
        option device 'switch.10'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config interface 'iot'
        option proto 'static'
        option device 'switch.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'guest'
        option proto 'static'
        option device 'switch.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

Here's the AP network setup (again, Pastebin link):

config device
        option type 'bridge'
        option name 'switch'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config bridge-vlan
        option device 'switch'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'switch'
        option vlan '20'
        list ports 'wan:t'

config bridge-vlan
        option device 'switch'
        option vlan '30'
        list ports 'lan4:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'switch'
        option vlan '90'
        option local '0'

config interface 'home'
        option proto 'static'
        option device 'switch.10'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        option ipaddr '192.168.2.38'

config interface 'iot'
        option proto 'static'
        option device 'switch.20'
        option netmask '255.255.255.0'
        option ipaddr '192.168.20.38'

config interface 'guest'
        option proto 'static'
        option device 'switch.30'
        option netmask '255.255.255.0'
        option ipaddr '192.168.30.38'

And here I'm trying to reproduce my Netgear switch's config:

  • Advanced 802.1Q VLAN: enabled
  • VLANs and ports:

        VLAN ID   Port members
        1         1
        10        1 2 3 4 5 6 7 8
        20        1 2 3 4 5 6 7 8
        30        1 2 3 4 5 6 7 8
  • VLAN 1: 1u (I left this because I was afraid I could cut myself off the switch's web interface if I removed this)
  • VLAN 10: 1t, (2-7)u, 8t
  • VLAN 20: (1-8)t
  • VLAN 30: (1-8)t
  • PVID: 10 for all ports

I hope the above fully reflects what you need to know in order to understand my setup.

(Just so that you understand: I tried to set up the Netgear switch so that I can still keep my original non-segmented setup; therefore I have the many "untagged" ports with a PVID of 10, so that all these devices are in my "home" network. I will properly segment the rest later when I find the time; I might even need another "smart" switch for enforcing VLAN tags.)

With the Netgear switch between the AP's "WAN" port (trunk) and the router's lan4 port (trunk), I have no connectivity on VLANs 20 or 30. With the switch removed, and the two trunk ports directly connected, it works.

Any idea where the problem is?

Thank you in advance for sharing your expertise.

Kind regards,

Ralf
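As an added example (not part of the original post, and not anything from the switch's firmware), here is a small model of what a plain 802.1Q switch does with the VLAN table described above. The port numbers, VLAN IDs, tagged/untagged memberships and PVIDs are the ones given for the GS108Ev3; the forwarding rules are the generic IEEE 802.1Q ones (an untagged frame is classified into the port's PVID, a tagged frame is accepted only on ports that are members of that VID, and a frame leaves a port tagged or untagged according to that port's membership). It traces frames between the two trunk ports, lists the ports that mix tagged and untagged VLANs, and shows which VLANs a host on an "untagged" port could still inject tagged frames into:

```python
"""Added example (not from the original thread): a model of how a plain
802.1Q switch classifies and forwards frames, applied to the Netgear VLAN
table from the first post. Port numbers, VLAN IDs and PVIDs are the ones
given there; the forwarding rules are the generic IEEE 802.1Q ones
(untagged ingress -> PVID; tagged ingress accepted only on member ports;
egress tagged/untagged per membership), not Netgear-specific behaviour.
"""
from dataclasses import dataclass, field

UNTAGGED = "untagged"   # marker for a frame that leaves a port without a tag


@dataclass
class Switch:
    ports: range
    pvid: dict                                   # port -> PVID used for untagged ingress
    members: dict = field(default_factory=dict)  # vid -> {port: "T" | "U"}

    def ingress(self, port, tag):
        """VLAN a frame arriving on `port` is put into; None if the switch drops it.
        `tag` is the 802.1Q VID on the wire, or None for an untagged frame."""
        if tag is None:
            return self.pvid[port]
        return tag if port in self.members.get(tag, {}) else None

    def egress(self, port, vid):
        """'T' / 'U' if frames of `vid` are sent out of `port`, else None."""
        return self.members.get(vid, {}).get(port)

    def carries(self, in_port, out_port, tag):
        """Trace one frame through the switch: the VID it carries on the out_port
        wire, UNTAGGED if it leaves without a tag, or None if it is dropped."""
        vid = self.ingress(in_port, tag)
        mode = self.egress(out_port, vid) if vid is not None else None
        if mode is None:
            return None
        return vid if mode == "T" else UNTAGGED


def trunk_ok(sw, a, b, vids):
    """True if every VID in `vids` passes tagged, in both directions, between ports a and b."""
    return all(sw.carries(a, b, v) == v and sw.carries(b, a, v) == v for v in vids)


def mixed_ports(sw):
    """Ports carrying both tagged and untagged VLANs (the mix the second reply advises against)."""
    out = []
    for p in sw.ports:
        modes = {m[p] for m in sw.members.values() if p in m}
        if modes == {"T", "U"}:
            out.append(p)
    return out


def pvid_mismatch(sw):
    """Ports whose untagged member VLAN is not their PVID: untagged frames go in
    as one VLAN, but replies for that VLAN cannot come back out untagged."""
    out = {}
    for p in sw.ports:
        untagged = {v for v, m in sw.members.items() if m.get(p) == "U"}
        if untagged and sw.pvid[p] not in untagged:
            out[p] = (sw.pvid[p], sorted(untagged))
    return out


def tagged_vlans_reachable_from(sw, port):
    """VLANs a host on `port` can inject into just by sending tagged frames.
    On a port meant as an untagged access port this set should be empty."""
    return sorted(v for v, m in sw.members.items() if m.get(port) == "T")


def netgear_from_thread():
    """The GS108Ev3 table as described in the first post (port 1 = router, port 8 = AP)."""
    ports = range(1, 9)
    all_tagged = {p: "T" for p in ports}
    return Switch(
        ports=ports,
        pvid={p: 10 for p in ports},
        members={
            1: {1: "U"},
            10: {1: "T", **{p: "U" for p in range(2, 8)}, 8: "T"},
            20: dict(all_tagged),
            30: dict(all_tagged),
        },
    )


if __name__ == "__main__":
    sw = netgear_from_thread()
    print("trunk 1<->8 carries 10/20/30:", trunk_ok(sw, 1, 8, [10, 20, 30]))
    print("ports mixing tagged+untagged:", mixed_ports(sw))
    print("PVID not among untagged VLANs:", pvid_mismatch(sw))
    print("tagged VLANs a host on port 2 can inject into:", tagged_vlans_reachable_from(sw, 2))
```

Run against the table from the post, the model says the trunk between port 1 and port 8 carries all three VLANs tagged, so by these rules the switch table itself is not what blocks VLANs 20 and 30. It also shows two things worth fixing regardless: port 1 is untagged in VLAN 1 but has PVID 10, and ports 2 to 7 accept tagged frames for VLANs 20 and 30, so any device on those "home" ports can reach the IoT and guest VLANs simply by tagging its frames.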

Hi,

Unfortunately, these cheap smart-managed switches are more crap than anything else. However, it should still work (I owned two TL-SG108E, which is the TP-Link equivalent of your Netgear).

First, I would not mix tagged and untagged traffic on the same port - that might already fix your issue. The OpenWrt configs look fine on first glance.

Leaving one port as management port for the time being is also a very good idea!


Hi

You messed up bridge VLAN filtering and software VLANs :)

Try this config for the main router:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option type 'bridge'
        option name 'switch'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config bridge-vlan
        option device 'switch'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'switch'
        option vlan '20'
        list ports 'lan2:u*'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'switch'
        option vlan '30'
        list ports 'lan3:t'
        list ports 'lan4:t'

config interface 'home'
        option device 'switch.10'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config interface 'iot'
        option proto 'static'
        option device 'switch.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'guest'
        option proto 'static'
        option device 'switch.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

Hi, thank you for your comments.

You mean "not mix tagged and untagged traffic on same port" with regards to the Netgear el-cheapo "smart" switch, right?

Yeah, I've read in multiple places that this can often cause trouble, but the Netgear manual doesn't warn about it, so I naively assumed it should be allowed and working?

(I've ordered a 5-port Netgear switch from the same series, which should be delivered today. I will then use this in my lab setup for experimenting. :) )

About the "management" port on the switch: Yeah, I figured this was somehow smart, but I don't even understand the logic behind accessing the web console. I mean, how does the switch know from which VLANs to allow access to the web console's IP address (which I have hard-wired into the Netgear switch's console config; I don't like DHCP for that)? How can the Netgear switch associate VLANs with IP networks?

Or does it simply inspect the traffic on all VLANs for its own IP address?

Kind regards,

Ralf

Hi, many thanks for your comment and advice.

Could you please elaborate a bit on this one?

> you messed up bridge vlan filtering and software vlans :)

Are you saying I mixed "hardware" VLANs and software VLANs?

I must admit that I'm very confused about this, especially considering that even the OpenWrt wiki at one point says "this is work in progress and may not properly match reality anymore".

I think I understand well the difference in the concepts between

  • "hardware" VLANs (the switch hardware understands VLAN tags and can filter accordingly by such tags, before the Ethernet frame even reaches the router's CPU) and
  • software VLANs (all Ethernet frames reach the CPU, and the CPU detects different VLANs by analyzing the VID tag at the beginning of the Ethernet frame, and also attaches the required VID tag when sending out frames),

but "what's what" in terms of OpenWrt config is not clear to me.

So you're basically saying I should just remove the fragments below?

9,29d15
< config device
< option name 'switch.10'
< option type '8021q'
< option ifname 'switch'
< option vid '10'
< option acceptlocal '1'
<
< config device
< option name 'switch.20'
< option type '8021q'
< option ifname 'switch'
< option vid '20'
< option acceptlocal '1'
<
< config device
< option name 'switch.30'
< option type '8021q'
< option ifname 'switch'
< option vid '30'
< option acceptlocal '1'
<
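Review bot: the three `option type '8021q'` devices removed here are the software-VLAN layer the previous reply says conflicts with the bridge-vlan entries on the same bridge, so this hunk is the functional part of the cleanup. The interfaces 'home', 'iot' and 'guest' keep referencing switch.10, switch.20 and switch.30 after the removal, so those names now have to come from the bridge-vlan sections (the earlier reply's config relies on exactly that: no 8021q devices, but switch.10/20/30 still used as interface devices). After the reload, `bridge vlan show` on the router should list VLANs 10, 20 and 30 as tagged on lan3 and lan4.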
50,54d35
< config bridge-vlan
< option device 'switch'
< option vlan '90'
< option local '0'
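Review bot: the `vlan '90'` bridge-vlan removed here lists no ports and no interface references it, so dropping it changes nothing on the wire; unlike the first hunk, this one is purely cosmetic.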

Would this have any functional effect? Or would it "just" clean up "duplicate" (or even "non-functional") parts of the config?

Thanks again.

Kind regards,

Ralf

Hi

Without going deep:

option type '8021q' will overlap with bridge VLAN filtering (look at the forum: DSA, bridge VLAN filter).

So on one bridge you either use bridge VLAN filtering, or you use option type '8021q', but not both on the same bridge at the same time.

Look at a dumb AP config: there is no option type '8021q'.


Anyway, with an option type '8021q' device you have no way to later choose which LANx port the packets go out on.

So on old-fashioned eth0, eth1, ... devices, yes, it is OK to use option type '8021q', because they have no other option: for example, eth1 is an old-fashioned RJ45 plug, and you make tagged VLAN 99 with option type '8021q' on top of eth1. So far so good.

But a DSA switch has many ports, LANx + WAN (in your case), and you need to be able to say "I want VLAN 99 to go out on lan3 tagged". That only works with bridge VLAN filtering and
list ports 'lan3:t'

If you have ever used MikroTik RouterOS and bridge VLAN filtering you will be familiar with the "new" way to make VLANs: same thing, same terminology, same logic.

Apologies, I have too little "historic" knowledge about VLAN stuff in OpenWrt, I cannot make sense out of your comments.

FYI: My overall setup was OK (apart from the obviously "cosmetic" dirtiness you discovered). It just turned out that I had used a router port that was not trunked, which is why I only had a subset of the expected traffic crossing my networks... (facepalm)

Thank you.
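As an added example (not code from the thread or from OpenWrt), the following checker covers the two pitfalls the replies above touch on: an 8021q device stacked on a bridge that already uses bridge-vlan filtering, and a link whose two ends do not agree on which VLANs are tagged, which is how the "router port that was not trunked" from the last post would have shown up before any cabling. It reads plain UCI text; the two config strings are trimmed copies of the router and AP configs posted earlier (only VLANs 10 and 20, only the VLAN 20 8021q device, no interface sections), and the port and bridge names are theirs:

```python
"""Added example (not from the thread): a checker for two OpenWrt DSA
pitfalls. parse_uci() reads UCI network config text; overlapping_8021q()
lists 8021q devices stacked on a bridge that also has bridge-vlan entries;
trunk_mismatch() compares the VLANs tagged on the two ends of a link.
ROUTER_CFG and AP_CFG are trimmed copies of the configs posted in the
thread (VLANs 10 and 20 only, interface sections dropped).
"""
import re

ROUTER_CFG = """
config device
        option name 'switch.20'
        option type '8021q'
        option ifname 'switch'
        option vid '20'
config bridge-vlan
        option device 'switch'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'lan3:t'
        list ports 'lan4:t'
config bridge-vlan
        option device 'switch'
        option vlan '20'
        list ports 'lan2:u*'
        list ports 'lan3:t'
        list ports 'lan4:t'
"""

AP_CFG = """
config bridge-vlan
        option device 'switch'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'wan:t'
config bridge-vlan
        option device 'switch'
        option vlan '20'
        list ports 'wan:t'
"""

_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")   # quoted strings or bare words


def parse_uci(text):
    """Minimal UCI reader: list of {'type', 'name', 'opts'} dicts.
    'option' values are strings, 'list' values are lists of strings."""
    sections, cur = [], None
    for raw in text.splitlines():
        tokens = [t.strip("'\"") for t in _TOKEN.findall(raw.strip())]
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "config":
            cur = {"type": tokens[1], "name": tokens[2] if len(tokens) > 2 else None, "opts": {}}
            sections.append(cur)
        elif tokens[0] == "option":
            cur["opts"][tokens[1]] = tokens[2] if len(tokens) > 2 else ""
        elif tokens[0] == "list":
            cur["opts"].setdefault(tokens[1], []).append(tokens[2])
    return sections


def bridge_vlan_map(sections):
    """{bridge: {vid: {port: mode}}} from bridge-vlan sections; mode is the
    suffix after ':' ('t', 'u', 'u*'). No suffix is recorded as 'u' (assumption)."""
    out = {}
    for s in sections:
        if s["type"] != "bridge-vlan":
            continue
        ports = {}
        for entry in s["opts"].get("ports", []):
            port, _, mode = entry.partition(":")
            ports[port] = mode or "u"
        out.setdefault(s["opts"]["device"], {})[int(s["opts"]["vlan"])] = ports
    return out


def overlapping_8021q(sections):
    """Names of 8021q devices whose parent bridge also uses bridge-vlan filtering."""
    filtered = set(bridge_vlan_map(sections))
    return [s["opts"].get("name") for s in sections
            if s["type"] == "device" and s["opts"].get("type") == "8021q"
            and s["opts"].get("ifname") in filtered]


def port_modes(cfg_text, bridge, port):
    """{vid: mode or None} for one port of one bridge (None = not a member)."""
    vlans = bridge_vlan_map(parse_uci(cfg_text)).get(bridge, {})
    return {vid: members.get(port) for vid, members in vlans.items()}


def trunk_mismatch(cfg_a, port_a, cfg_b, port_b, vids, bridge="switch"):
    """VLANs from `vids` not tagged ('t') on both ends of the link; value is
    (mode on side a, mode on side b). Empty dict means the trunk agrees."""
    a, b = port_modes(cfg_a, bridge, port_a), port_modes(cfg_b, bridge, port_b)
    return {v: (a.get(v), b.get(v)) for v in vids if a.get(v) != "t" or b.get(v) != "t"}


if __name__ == "__main__":
    print("8021q devices on a vlan-filtering bridge:", overlapping_8021q(parse_uci(ROUTER_CFG)))
    print("router lan4 <-> AP wan:", trunk_mismatch(ROUTER_CFG, "lan4", AP_CFG, "wan", [10, 20]))
    print("router lan2 <-> AP wan:", trunk_mismatch(ROUTER_CFG, "lan2", AP_CFG, "wan", [10, 20]))
```

With the AP on lan4 the mismatch dict is empty; with the AP cabled to lan2 instead, it reports VLAN 10 missing and VLAN 20 only untagged on the router side, which is the symptom described in the final post. The parser handles only the `config`/`option`/`list` lines it needs and is not a replacement for `uci` itself.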