Can't tick "vlan filtering" on Ubiquiti EdgeRouter ER-X

Hello guys,
I bought the Ubiquiti EdgeRouter ER-X for VLAN routing.
Got OpenWrt 22.03.2 already up and running.
Now I want to configure the br-lan device for VLAN filtering, but if I enable VLAN filtering on the bridge, it reverts after "Save and apply".
There's also a device called "dsa" (Ethernet Switch: "dsa"). It's a "Network device". I think I have to configure my VLANs with this device, or? But how can I set up the ports without bridging the eth0-eth4 ports (dsa)?

dsa and eth0 have the same MAC address
br-lan and eth1 have the same MAC address

Can't find any manual or further information on the internet so far.

The device site is not providing me any information about VLAN config:

Thank you!

If you enable VLAN filtering, you must also:

  • create the VLAN
  • add VLAN to various interface(s); and
  • change the LAN to VLANx instead of just br-lan (e.g. it will become br-lan.x)

I added a VLAN device (br-lan.10) and an interface with this VLAN. But OpenWrt is still unticking the "VLAN filtering" box on br-lan if I press "Save". If I tick the "VLAN filtering" box and add a VLAN 10 without further configuration, I have to wait 90 seconds after "Save and Apply".

I find this much easier to do by logging into the router from a terminal window and just editing the /etc/config/network file with vi or, if you prefer, nano (but you'll need to install the nano text editor package first).

See my comments below (denoted with #) pointing out where you implement lleachii's guidance.

ssh root@192.168.1.1
cd /etc/config
vi network

Here is an example setting up a guest and internet of things vlan. In this example the main lan goes untagged to all 4 lan ports, and the GST and IOT networks go tagged to the first two lan ports only.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
# The lan is put on a vlan as well by adding ".1" to br-lan below
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config bridge-vlan
# The lan vlan 1 now needs to go out to the ports
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'GST'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth1:t'
	list ports 'eth2:t'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth1:t'
	list ports 'eth2:t'
	
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

Of course you'll probably want to add this to /etc/config/dhcp to give your guest and IOT networks a DHCP server:

config dhcp 'GST'
	option interface 'GST'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list ra_flags 'none'

And add something like this to /etc/config/firewall to give GST and IOT internet access:

config forwarding
	option src 'gst'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config zone
	option name 'gst'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GST'
	option input 'REJECT'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option input 'REJECT'

config rule
	option name 'Allow-gst-DNS'
	option src 'gst'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-gst-DHCP'
	list proto 'udp'
	option src 'gst'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-iot-DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-iot-DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'
	option target 'ACCEPT'

Hey eginnc,
thank you very much for your reply!
Okay, I've created a config (working on other devices) and saved it directly over SSH.
LuCI shows the VLAN bridging tick and the VLANs there, nice!
But...
If I go to "Interfaces" in LuCI and check whether it's all correct there, the "LAN" interface (configured as VLAN 10 (br-lan.10)) shows "br-lan" without a VLAN tag. If I go into the interface settings I can see the device "br-lan.10"; if I save then, LuCI thinks this is a new configuration. I have to Save and Apply. OK, I thought, check if my port is configured correctly under "VLAN filtering". Yes, eth1 is configured untagged VLAN 10.
After "Save and Apply" I'm not able to reconnect to LuCI or the device anymore. I did this exact same VLAN config on the old device, working.

I uploaded two videos to YouTube to show how I try to configure VLAN filtering on the device.
LuCI is showing inconsistent data on all of the last big OpenWrt releases (22, 21, 19).

The device doesn't like VLANs or VLAN filtering, I think :smiley:

youtube: activate vlan filtering and add some vlans (without participating)
youtube: unable to activate vlan filtering over luci

Maybe try rebooting after you manually edit the network file? Also the obvious, check over the files for any unintended mistakes.

FWIW, I used a setup like this with an ER-X for years without issue, including 21.02.x and later snapshots close to what became 22.03.x. 19.07.x uses swconfig, so of course this DSA configuration will not work with 19.07.x.

I never bothered doing it in LuCI though, so I can't comment on the LuCI menus.

It's the well-known MT7621 chip, which has no issues with DSA. Here though the names are changed to match the writing on the case, so eth0 through eth4 are the physical ports, and the internal port is called dsa. Do not reference the internal port in any of your configuration files.


Okay, I've got it working now!!!
Maybe this "dsa" device confuses me a little; first I thought I have to create VLANs under this device (maybe somebody can add something about the "dsa" device to the wiki).

However, I have a working device now with a working VLAN configuration!
Just like others explained above: FIRST create the br-lan VLANs, THEN activate VLAN filtering.

Thank you guys! Have a nice weekend.
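
An added example, not part of the thread or of OpenWrt itself: a pre-apply check for the rules given in the replies above (LAN moved to br-lan.x, a bridge-vlan section for every VLAN an interface uses, no reference to the internal dsa port). The function name, messages and sample input are assumptions of this example; it only reads the file and expects one value per option line.

```shell
# check_vlan_config [FILE]: print one finding per line; return 1 if any exist.
check_vlan_config() {
    awk -v q="'" '
    function report(msg) { print msg; bad++ }
    function flush(   i, n, a, p) {      # store the section that just ended
        if (type == "interface" && opt["device"] != "") ifdev[name] = opt["device"]
        n = split(ports, a, " ")
        for (i = 1; i <= n; i++) {
            p = a[i]; sub(/:.*/, "", p)  # drop the :t / :u* tagging suffix
            if (type == "device" && opt["type"] == "bridge") member[opt["name"], p] = 1
            if (type == "bridge-vlan") vport[opt["device"], p] = 1
        }
        if (type == "bridge-vlan") {
            vlans[opt["device"] "." opt["vlan"]] = 1; filtered[opt["device"]] = 1
        }
        split("", opt); ports = ""
    }
    /^[ \t]*#/ || NF == 0 { next }
    { v = $3; gsub("[" q "\"]", "", v) }  # strip UCI quoting from the value
    $1 == "config" { flush(); type = $2; name = v; next }
    $2 ~ /^(device|name|ports)$/ && (v == "dsa" || v ~ /^dsa[:.]/) {
        report("line " NR ": references the internal switch port dsa")
    }
    $1 == "option" { opt[$2] = v }
    $1 == "list" && $2 == "ports" { ports = ports " " v }
    END {
        flush()
        for (i in ifdev) {
            d = ifdev[i]; b = d; sub(/\.[0-9]+$/, "", b)
            if (d in filtered)
                report("interface " i ": on bare " d ", needs " d ".<vlan>")
            else if (b != d && (b in filtered) && !(d in vlans))
                report("interface " i ": no bridge-vlan section for " d)
        }
        for (k in vport) if (!(k in member)) {
            split(k, a, SUBSEP)
            report("bridge-vlan port " a[2] " is not a port of " a[1])
        }
        exit (bad > 0)
    }' "$@"
}
# Constructed sample (not from the thread): LAN left on the bare bridge.
sample_bad() {
    printf "%s\n" "config device" "option name 'br-lan'" "option type 'bridge'" \
        "list ports 'eth1'" "config interface 'lan'" "option device 'br-lan'" \
        "config bridge-vlan" "option device 'br-lan'" "option vlan '10'" \
        "list ports 'eth1:t'"
}
sample_bad | check_vlan_config || true   # prints the finding for interface lan
```

On the router, run it as `check_vlan_config /etc/config/network` before restarting the network.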
