Correct Bridge VLAN Filtering setup with managed switch and Powerline adapters?

Hi,

In order to extend my network to a different room I have set up a managed switch (TPLink TP SG605E) which connects to my Openwrt router via powerline adapters.

The basic setup is:

Openwrt Router (port3) ---> TPLink Powerline adapter 1 --> TPLink Powerline Adapter 2 ---> Managed Switch (port 5)

I'm using separate VLANs on the Openwrt router (LAN (VLAN ID: 10), WORK (VLAN ID: 30), IOT (VLAN ID: 20)) and have these also set up on the TL-SG605E managed switch. I also have separate VLANs for the Guest network and a couple of other things but these are not active on my managed switch.

Power line adapter 1 is connected to port 3 on the Openwrt router (lan3) and Powerline Adapter 2 is connected to port 5 on my managed switch as noted above.

My managed Switch is configured as follows:

What I've found is that the only way I can get traffic to pass (seemingly correctly) on the VLANs over the Powerline adapters is by setting the LAN VLAN (VLAN ID: 10) to Untagged (U) under the Bridge VLAN Filtering settings for the br-lan device on the Openwrt router. I believe this is probably because the Powerline adapters are not VLAN aware so cannot pass Tagged traffic/packets. This part makes sense to me, but what I'm struggling to understand is how other devices connected to my managed switch on different VLANs are able to function correctly if I have all VLANs set to be untagged on this port on the Openwrt router. I.e. if I plug a device into my managed switch on port 1 it correctly gets assigned a DHCP address from VLAN 30 (WORK), if I connect a device to port 2 on the managed switch it correctly gets assigned a DHCP address from VLAN 20 (IOT) etc.

I've also found that everything seems to work correctly if I set just the LAN VLAN (VLAN ID: 10) to untagged and the other VLANs (WORK (30) and IOT (20)) to Tagged.

This is my Openwrt configuration:

This configuration also works:

The reason I'm confused as to how this is working is because of two things:

(1) As the managed switch is VLAN aware I thought that I'd need to set up tagged ports on Openwrt, at least for the WORK and IOT VLANs (indeed this seems to work in my tests (see above), but it also works when all 3 VLANs are set to untagged in Openwrt).

(2) Reading the Openwrt documentation it seems to suggest that only 1 VLAN can be marked as untagged on a single port, however Openwrt seems to allow me to set all my VLANs to untagged on a single port.

I assume this is somehow working because of the PVID settings on the managed switch, but am not sure if I'm missing anything or if the way I have this set up currently is likely to cause me any security issues (my main aim is to isolate the VLANs from each other).

Thanks

I have a setup similar to yours (TL-SG105E and goCoax MoCa adapters).

On the switch:

  • The 802.1Q VLAN Configuration switch UI shows port 1 as untagged for both VLANs 1 and 30. That looks incorrect to me, or at least strange.
  • I believe "untagged" ports specify how to treat untagged ingress traffic (e.g., assign it a tag), so each port should be configured as untagged for at most a single VLAN ID; the screenshot shows port 1 being untagged for 2 VLAN IDs.
  • The 802.1Q VLAN PVID screenshot implies that port 1 is intended to be an access port for VLAN/PVID 30, so I suggest removing port 1 from the "untagged ports" configuration for VLAN ID 1.

On the OpenWrt router, "lan3" seems intended to be a trunk port, so I suggest marking the desired trunked VLAN IDs 10,20,30 as tagged (T) on "lan3" for propagation through the switch.

If the Powerline adapter is similar to the goCoax adapter, then the Powerline adapter is capable of passing VLAN tags, but cannot itself "participate" in VLAN tags, so:

  • I suggest adding VLAN 1 as untagged (U) and "primary VLAN" on "lan3".
  • Adding VLAN 1 will enable management of the Powerline adapter itself (I assume the Powerline adapter has some kind of management web UI accessible via some kind of IP address).
  • This VLAN 1 configuration would correspond to VLAN 1 being "PVID" for port 5 on the switch.

Only at most one VLAN can be untagged on a port. The configuration posted is definitely wrong.

On the "trunk" OpenWrt port, set all VLANs to tagged, and the same on the switch. Mixing tagged and untagged on a port does not work on all hardware.

In a switch the PVID is where untagged incoming packets will go. There should never be any on a trunk port, so the setting doesn't matter.
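As an added illustration (not code from either poster), a small Python check that parses OpenWrt `config bridge-vlan` sections from `/etc/config/network` and flags any port left untagged in more than one VLAN, the rule stated above. It is run over two constructed fragments: the reported setup with VLANs 10/20/30 all untagged on lan3, and the recommended form with only VLAN 10 untagged; the `bridge_vlan` rendering helper and the port names are assumptions.

```python
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\s*config\s+bridge-vlan\b", re.M)
VLAN_RE = re.compile(r"^\s*option\s+vlan\s+'?(\d+)'?", re.M)
PORT_RE = re.compile(r"^\s*list\s+ports\s+'?([^'\s]+)'?", re.M)

def bridge_vlan(vlan, *ports):
    """Render one UCI 'config bridge-vlan' section for br-lan (constructed sample)."""
    body = ["config bridge-vlan", "\toption device 'br-lan'", f"\toption vlan '{vlan}'"]
    body += [f"\tlist ports '{p}'" for p in ports]
    return "\n".join(body) + "\n"

# Constructed samples, not the poster's real /etc/config/network.
# Reported setup: VLANs 10/20/30 all untagged (and all PVID) on the lan3 trunk.
ALL_UNTAGGED = bridge_vlan(10, "lan1", "lan3:u*") + bridge_vlan(20, "lan3:u*") + bridge_vlan(30, "lan3:u*")
# What the replies recommend: only VLAN 10 untagged+PVID on lan3, 20 and 30 tagged.
FIXED = bridge_vlan(10, "lan1", "lan3:u*") + bridge_vlan(20, "lan3:t") + bridge_vlan(30, "lan3:t")

def parse_bridge_vlans(uci_text):
    """Return {vlan_id: {port: flags}}: '' or 'u' = untagged, 't' = tagged, '*' = PVID."""
    vlans = {}
    for chunk in SECTION_RE.split(uci_text)[1:]:
        # Cut at the next section of any other type so its 'list ports' are not read.
        chunk = re.split(r"^\s*config\s", chunk, maxsplit=1, flags=re.M)[0]
        m = VLAN_RE.search(chunk)
        if not m:
            continue
        ports = {}
        for spec in PORT_RE.findall(chunk):
            name, _, flags = spec.partition(":")
            ports[name] = flags
        vlans[int(m.group(1))] = ports
    return vlans

def untagged_per_port(vlans):
    """Map each port to the VLAN ids it carries untagged (no 't' flag)."""
    out = defaultdict(list)
    for vid, ports in sorted(vlans.items()):
        for port, flags in ports.items():
            if "t" not in flags:
                out[port].append(vid)
    return dict(out)

def violations(uci_text):
    """Ports untagged in more than one VLAN; 802.1Q allows at most one per port."""
    per_port = untagged_per_port(parse_bridge_vlans(uci_text))
    return {port: vids for port, vids in per_port.items() if len(vids) > 1}
```

Feeding it the output of `uci export network` from a router reports lan3 with [10, 20, 30] for the all-untagged setup and nothing for the corrected one.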

Apologies for the delay in responding. Thank you both!

The problem with setting VLAN 10 to Tagged in the Bridge VLAN Filtering for the port is that, as well as the power line adapter connected to the Openwrt router and the power line adapter connected to the managed switch, I also have a 3rd power line adapter connected (as part of the same powerline network) which incorporates a WiFi extender which I use to expand the LAN (VLAN 10) network due to WiFi coverage problems in my house. I can set VLANs 20 and 30 to Tagged in Openwrt without issue, but if I set VLAN 10 to Tagged, any WiFi clients connected to the LAN WiFi via the powerline WiFi extender adapter cannot communicate. I think this part makes sense because the powerline WiFi extender is not VLAN aware.

Sorry I should have explained this in more detail in my original post.

This does work if I set VLAN 10 to untagged and VLANs 20 and 30 to Tagged, which I understand from the replies is probably ok as with this configuration only 1 VLAN is marked as tagged in the Openwrt Bridge VLAN Filtering settings?

It does sound like I need to review the managed switch VLAN settings, so I will take a look at those.

Thanks again!