Configuring VLANs with managed switch

I am having trouble getting VLANs working with OpenWRT (running in an x86 VM right now) and a TP-Link TL-SG108PE managed switch. Ports 1-4 are attached to Unifi Wifi APs that handle VLAN tagging. I think they are trunk ports. Port 5 is for untagged traffic (e.g., printer and a wired desktop) on my "home" VLAN (VID 16), port 6 is for untagged traffic on my IoT VLAN (VID 17), and port 7 is for untagged traffic on my Guest VLAN (VID 18). I think these are access ports. Port 8 is attached to eth3 on my OpenWRT router. I am not sure if that is a trunk port or something else. The switch also has VID 1, which I am not using, but deleting it causes me to lose access to the switch.

When I plug an untagged device (e.g., a desktop) into port 5 (or 6 or 7) of the switch, it is unable to get an IP address. I have not yet checked to see if the tagged ports work with the APs. The OpenWRT VM also has additional untagged NICs that seem to be doing what I expect: eth0 (VID 16), eth1 (VID 17), eth2 (VID 18) and eth4 (WAN).

Looking for hints about what I have screwed up?

The VLAN configuration appears to be correct. It is possible that the issue lies with the way the VM/host interacts with the actual hardware, but I'm not convinced about that yet.

Let's see your complete config from the router:

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

I knew I should have just posted everything to start with :slight_smile:

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcf:5772:2bfe::/48'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'eth2'
	option ipv6 '0'

config device
	option name 'eth3'
	option ipv6 '0'

config device
	option name 'eth4'
	option ipv6 '0'

config device
	option name 'switch0'
	option type 'bridge'
	option macaddr '52:54:00:ab:00:00'
	option ipv6 '0'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

config device
	option name 'switch0.16'
	option type '8021q'
	option ifname 'switch0'
	option vid '16'
	option ipv6 '0'

config device
	option name 'switch0.17'
	option type '8021q'
	option ifname 'switch0'
	option vid '17'
	option ipv6 '0'

config device
	option name 'switch0.18'
	option type '8021q'
	option ifname 'switch0'
	option vid '18'
	option ipv6 '0'

config bridge-vlan
	option device 'switch0'
	option vlan '16'
	list ports 'eth0:u'
	list ports 'eth3:t'

config bridge-vlan
	option device 'switch0'
	option vlan '17'
	list ports 'eth1:u'
	list ports 'eth3:t'

config bridge-vlan
	option device 'switch0'
	option vlan '18'
	list ports 'eth2:u'
	list ports 'eth3:t'

config interface 'wan'
	option device 'eth4'
	option proto 'dhcp'

config interface 'Home'
	option device 'switch0.16'
	option proto 'static'
	option ipaddr '192.168.16.1'
	option netmask '255.255.255.0'

config interface 'IoT'
	option device 'switch0.17'
	option proto 'static'
	option ipaddr '192.168.17.1'
	option netmask '255.255.255.0'

config interface 'Guest'
	option device 'switch0.18'
	option proto 'static'
	option ipaddr '192.168.18.1'
	option netmask '255.255.255.0'

config interface 'Remote'
	option proto 'none'
	option device 'tun0'

# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'Home'
	option interface 'Home'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'IoT'
	option interface 'IoT'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'Home'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Home'

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IoT'

config zone
	option name 'Guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'

config zone
	option name 'Remote'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Remote'

config forwarding
	option src 'Home'
	option dest 'wan'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'Guest'
	option dest 'wan'

config forwarding
	option src 'Remote'
	option dest 'wan'

config forwarding
	option src 'Remote'
	option dest 'Home'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'Home'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'Home'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

I suspect that the problem is here... you probably don't want to have everything part of a bridge like this.

Typically, these 4 port cards are set up as individually routed ports, not part of a switch.

Before making any changes, make a backup of your current config. This way, if I'm wrong, you can easily get back to where you were.

Delete this:

Next, create bridges using dotted notation like this:

config device
	option name 'br-home'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth3.16'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth3.17'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth2'
	list ports 'eth3.18'

Then, modify your network interfaces to use the bridges:

config interface 'Home'
	option device 'br-home'
	option proto 'static'
	option ipaddr '192.168.16.1'
	option netmask '255.255.255.0'

config interface 'IoT'
	option device 'br-iot'
	option proto 'static'
	option ipaddr '192.168.17.1'
	option netmask '255.255.255.0'

config interface 'Guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.18.1'
	option netmask '255.255.255.0'

Then restart your router and test eth0-eth2 to make sure they're working properly. If so, move on to ports 5-7 on the switch.

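Both the original bridge-VLAN config and the dotted-notation alternative suggested above end up with one VLAN per firewall zone, each zone's forward set to REJECT and only explicit forwardings to wan. The following is an added example (not from the thread or from OpenWrt) that parses UCI-style text in either style and checks that every LAN zone sits on its own VLAN and that no forwarding joins two LAN zones; the function names and the condensed sample config are my own construction.

```python
import re

def parse_uci(text):
    """Parse UCI text into one dict per 'config' section; 'option' values
    become strings and 'list' values become lists."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({".type": key, ".name": val})
        elif kind == "option":
            sections[-1][key] = val
        else:
            sections[-1].setdefault(key, []).append(val)
    return sections

def vlan_ids(net, ifname):
    """VLAN IDs behind an interface, for both styles used in the thread: an
    8021q/dotted device (switch0.16) or a bridge over dotted ports (eth3.17)."""
    iface = next(s for s in net if s[".type"] == "interface" and s[".name"] == ifname)
    dev = next((s for s in net if s[".type"] == "device" and s.get("name") == iface["device"]), {})
    vids = {int(m.group(1)) for n in [iface["device"]] + dev.get("ports", [])
            for m in [re.search(r"\.(\d+)$", n)] if m}
    if dev.get("type") == "8021q":
        vids.add(int(dev["vid"]))
    return vids

def check_segmentation(net, fw, lan_zones):
    """Findings that break per-VLAN isolation: two LAN zones sharing a VLAN,
    or a forwarding rule that lets one LAN zone reach another."""
    findings, owner = [], {}
    for z in (s for s in fw if s[".type"] == "zone" and s.get("name") in lan_zones):
        for vid in set().union(*(vlan_ids(net, n) for n in z.get("network", []))):
            if owner.setdefault(vid, z["name"]) != z["name"]:
                findings.append(f"VLAN {vid} shared by zones {owner[vid]} and {z['name']}")
    for f in (s for s in fw if s[".type"] == "forwarding"):
        if f["src"] in lan_zones and f["dest"] in lan_zones:
            findings.append(f"forwarding {f['src']} -> {f['dest']} breaks isolation")
    return findings

# Constructed excerpt in the style of the thread's configs (tabs dropped);
# the last forwarding is a deliberate violation so the checker has a finding.
NETWORK = parse_uci("""config device\noption name 'switch0.16'\noption type '8021q'\noption vid '16'
config device\noption name 'br-iot'\noption type 'bridge'\nlist ports 'eth1'\nlist ports 'eth3.17'
config interface 'Home'\noption device 'switch0.16'\nconfig interface 'IoT'\noption device 'br-iot'""")
FIREWALL = parse_uci("""config zone\noption name 'Home'\nlist network 'Home'
config zone\noption name 'IoT'\nlist network 'IoT'
config forwarding\noption src 'Home'\noption dest 'wan'\nconfig forwarding\noption src 'IoT'\noption dest 'Home'""")
```

Feeding the real /etc/config/network and /etc/config/firewall text to parse_uci and then to check_segmentation with the zone set {"Home", "IoT", "Guest"} returns an empty list for the config posted in this thread.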

Wouldn't it be simpler to use one bridge and VLAN filtering?
Ain't that the "DSA way"?

Isn't that what I did originally with creating switch0? What exactly are you proposing?

Pardon.
I saw switch0 and automatically thought of swconfig.

I have a similar setup, but with
option bridge_empty '1'
in
config device switch0/bridge
section.


But this card has 4 routed ports, not part of a switch. Yes, you can bridge them and use bridge vlan configurations, but it is not necessary here. And I find that it is often easier and more predictable to use dotted notation when working with individually routed ports (that are not part of a switch).

@danielshub - have you implemented my suggested changes? Did things work as expected for eth0-2? And what about your switch?


I have not tried your suggestion yet. I will after work.

The hardware has two physical NICs that are passed through to the OpenWRT VM. One NIC is connected to my modem and the other to the physical TP-link switch. The other 3 NICs are virtual bridges created in the host with a "tap" provided to the VM. I am not sure that these virtual NICs have anything to do with my problem. I can delete them and simply have two physical NICs passed through to the VM.

Oh...ok.

So if they are distinct virtual bridges, they are indeed individually routed virtual ports and therefore should be treated as such. Typically this means using dotted notation. DSA doesn't apply here because there isn't a switch. FWIW, though, I believe that the bridge-vlan approach could be used even though your system doesn't actually have anything to do with DSA. But, as I said earlier, I think dotted notation is the optimal approach here.

Regarding the 3 virtual NICs -- are they used for virtual connections to other VMs?

No, I don't think they are having any impact here. But because you are using each virtual NIC for exactly one untagged network, I would not bridge them together and use bridge-VLANs... it's just easier and cleaner with the syntax I have presented.


User error. My original configuration works if you get all the bits to stick at the same time. The TP-Link switch likes to reset the PVIDs when changing the VLAN settings. The warning is right there at the bottom of the PVID page.


Just to close the loop. Both the dot notation and DSA method work. LuCI likes to create the DSA based config.

The other virtual NICs have VMs connected to them at the host level.


The UX on these switches is not great (pretty, but not intuitive)... yet another reason why I avoid the entry level smart switches from TP-Link. But glad you figured that one out and fixed it!

