I can't seem to wrap my head around the problem with my router in combination with OpenWrt. My router has additional complexity with CPU tagging, there's the new OpenWrt architecture but limited support for my router, old documentation vs new documentation, me, not being comfortable with all concepts ... I could really use some help to put all the pieces together.
My router (TP-Link AC1750 v2) has 4 ports + 1 WAN port.
What I would like to do:
- WAN port: VLAN20 untagged
- LAN1 port: VLAN21 untagged
- LAN2 port: VLAN22 untagged
- LAN3 port: input trunk from firewall VLAN10, 20, 21, 22 and 30
- LAN4 port: output trunk to router in other room VLAN10, 20, 21, 22 and 30
- All rules between VLANs are implemented on my firewall
How I see it, please correct me where I go wrong:
- Network -> Switch:
1a) add all VLAN IDs, tag VLANs 10, 21, 22 and 30 on CPU(eth1), tag VLAN 20 on CPU(eth0)
1b) Tag LAN3 and LAN4 on all VLANs (10, 20, 21, 22 and 30)
1c) Untag WAN, LAN1 and LAN2 on VLANs 20, 21 and 22
1d) All other combinations are "off"
2a) Create a br-xxx bridge device for every VLAN and attach the correct port: e.g. br-10 attached to port eth1.10
2b) No VLAN filtering required
- Create a new interface for every bridge device: e.g. "10" interface and connect to br-10
Would this allow me to get all VLANs from the firewall on LAN3 port, attach devices from VLAN20 on WAN port, devices from VLAN21 on LAN1 port, devices from VLAN22 on LAN2 port and pass all VLANs on to another router on LAN4 port?
If I understand correctly, then this configuration would do the correct VLAN routing on both CPUs.
Thank you so much for taking the time to read this and correct me where I go wrong.
If I've understood your question correctly, then OpenWrt on this box is not meant to do any packet processing, you are going to use the device as a managed switch only. Three ports are access ports for a specific VLAN, two ports are trunks. There is no difference between "input trunk" and "output trunk".
In this case, you only need to configure the switch, the CPU is not involved in VLAN processing. No bridges required, no interfaces required. You don't even need to pass the traffic to the CPU. But be careful: If no VLAN is configured for the CPU port, you can't access your router any longer.
For the configuration, I would keep one or two ports in the default configuration to be able to access the router and test if the other ports are working as expected. Then move on to the remaining ports.
The switch configuration appears correct. Keep in mind that vlan 20 is configured to go to eth0.20 while all the rest are eth1. I'm not sure what the use case is to distribute the wan network, usually it is connected only to the modem.
You don't have to make bridges for everything unless you're also going to run local wifi on those networks. It is OK to have eth1.X as the Device directly in an interface configuration.
If some of the VLANs are simply passing through the switch, they don't need an interface defined at all. The switch hardware will handle those packets with no CPU attention.
Thank you for your reply. Not quite sure what you mean by "packet processing". I assume that setting routing rules between VLANs would qualify as packet processing. But since those rules are implemented on my firewall (pfsense), there is no need for "packet processing"?
So my follow-up question would be: does my setup allow me to approach my router UI on the different VLANs (provided access via the rules on my firewall)? Would my setup then at least have that as an advantage?
And to respond to your question: you are correct in your statement. However (not sure if that makes any difference), I would like to attach the different VLANs later on to their own Wifi network. My different networks/VLANs that are passed between different rooms will be rebroadcast on Wifi in the different rooms.
@mk24 has already answered most of your questions
You got right what I meant with "packet processing".
Regarding accessing the UI: All VLANs that you would like to have access from must have a CPU tag and an interface (not necessarily a bridge, but the bridge is required for WiFi).
@mk24 I didn't really have anything specific in mind when mapping to eth0.20, unless using the WAN port just like any other LAN port.
I am really confused with the CPU tagging principles. And so in the switch configuration, I tagged eth0 to WAN (+untagged VLAN20), thinking that would make my VLAN20 available on the WAN port.
Yes in the switch the wan port is the same as all the other ports and you can use it for lans. I suggest putting it on CPU port eth1 so it is like the others.
The reason for two CPU ports in the design is so when the router is used for routing, packets go in and out on different ports and there is no possibility of a speed bottleneck. (This is rather optimistic considering the speed of the CPU itself is not that high.)
All VLANs on a CPU port must be tagged so that the kernel can separate them into different networks. Technically if there is only one network going into a CPU port it could be untagged, but there is no real speed advantage to doing that.
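To put the port/VLAN plan from the opening post and the CPU-tag rule above into a checkable form, here is an added example (my own script, not code from anyone in this thread): it validates the plan and renders it as swconfig-style `switch_vlan` stanzas for `/etc/config/network`. The switch port numbers it uses are assumed placeholders; read the real port-to-number mapping for your board from Network -> Switch in LuCI.

```python
# Added example, not from the thread: check the VLAN plan and render it as
# swconfig "switch_vlan" stanzas for /etc/config/network.
# ASSUMPTION: the switch port numbers below are placeholders; take the real
# port <-> number mapping for your board from Network -> Switch in LuCI.
PORT_NUM = {"eth1": 0, "WAN": 1, "LAN4": 2, "LAN3": 3, "LAN2": 4, "LAN1": 5, "eth0": 6}
CPU_PORTS = {"eth0", "eth1"}

# Plan from the thread: VLAN id -> {port: "t" (tagged) or "u" (untagged)}
PLAN = {
    10: {"eth1": "t", "LAN3": "t", "LAN4": "t"},
    20: {"eth0": "t", "WAN": "u", "LAN3": "t", "LAN4": "t"},
    21: {"eth1": "t", "LAN1": "u", "LAN3": "t", "LAN4": "t"},
    22: {"eth1": "t", "LAN2": "u", "LAN3": "t", "LAN4": "t"},
    30: {"eth1": "t", "LAN3": "t", "LAN4": "t"},
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, untagged = [], {}
    for vid, members in plan.items():
        for port, mode in members.items():
            if port in CPU_PORTS and mode != "t":   # kernel needs tags to split VLANs
                problems.append(f"vlan {vid}: CPU port {port} must be tagged")
            if mode == "u":
                untagged.setdefault(port, []).append(vid)
    for port, vids in untagged.items():
        if len(vids) > 1:                          # a port has only one native VLAN
            problems.append(f"port {port} untagged in more than one VLAN: {vids}")
    return problems


def cpu_tagged_vlans(plan):
    """VLANs that reach a CPU port: only these can carry an interface (and the UI)."""
    return sorted(v for v, m in plan.items() if any(p in CPU_PORTS for p in m))


def render_uci(plan, device="switch0"):
    """swconfig 'ports' syntax: port number, 't' suffix for tagged, none for untagged."""
    stanzas = []
    for vid in sorted(plan):
        members = sorted(plan[vid].items(), key=lambda kv: PORT_NUM[kv[0]])
        spec = " ".join(f"{PORT_NUM[p]}{'t' if m == 't' else ''}" for p, m in members)
        stanzas.append(f"config switch_vlan\n\toption device '{device}'\n"
                       f"\toption vlan '{vid}'\n\toption ports '{spec}'\n")
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK")
    print(render_uci(PLAN))
```

`cpu_tagged_vlans` tells you which VLANs can get an interface (and so reach the UI); a VLAN absent from that list is switched in hardware only.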
Thank you guys for the speedy responses. I'll try all your suggestions now.
Hopefully, I can conclude this thread with a "success!" message.
While this is a bit ambiguous, it looks like you're talking about the archer c7 v2 - in which case there wouldn't be any reason not to upgrade to a modern, security-supported version of OpenWrt (15.05 has been EOL for over six years and has accumulated a number of security issues; even if you're just using it as a managed switch, it matters).