Correct VLAN setup in WebUI of NICGIGA S25-0501-M

I understand that this is not an OpenWrt question. I recently added a NICGIGA brand managed switch (S25-0501-M) to my home network. The WebUI is a bit confusing. I have some VLANs configured on my OpenWrt router/firewall (10, 3, 4, and 5). This switch should only be working on VLAN 10. I made ports 1-4 untagged on VLAN 10 in the WebUI. I then made ports 5 and 6 tagged on VLAN 10 (this will serve as the uplink port to another managed switch). I am thinking that is correct?

These two screenshots are of the WebUI's "Static VLAN" section:
First the default entry called "1" which cannot be deleted:

Second the entry I created called "10":

This last screenshot is of the WebUI's "VLAN Setting":

If the switch is only handling a single VLAN, there's really no need to have any of the ports tagged... all untagged is fine.

Let's see the network file from your main router, and also please tell us what physical port on the router is used to connect to the switch, as well as which port is used on the switch to connect to the router.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

Looking at the first image, you have VLAN1 untagged on ports 1-4 and VLAN10 also untagged on ports 1-4. This won't work.

Strictly speaking, it could work 🙂
Both VLANs transmit untagged packets on the same port;
egress (input) is determined by the PVID (so only one VLAN will receive input traffic).

But yes, it is illogical and confusing.

@psherman - The router is a mini PC that has two NICs. I am using eth0 to connect the router to the first switch and I am using eth1 to connect the router to the WAN (modem). As you see from the config, eth0 is behind br-lan which is tagged with all relevant VLANs. In turn that is connected to a port on the Netgear that is trunked.

I tried to copy this with the new switch on port 5 for VLAN 10. What confuses me is the interface by NICGIGA. Forcing VLAN 1 on everything in addition to VLAN 10.

# ubus call system board

{
	"kernel": "6.6.30",
	"hostname": "am06pro",
	"system": "AMD Ryzen 7 5800U with Radeon Graphics",
	"model": "HC Technology.,Ltd. HCAR5000-MI",
	"board_name": "hc-technology-ltd-hcar5000-mi",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r26145+4-918d81a3ea",
		"target": "x86/64",
		"description": "OpenWrt SNAPSHOT r26145+4-918d81a3ea"
	}
}
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:692b:58dc::/48'
	option packet_steering '1'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

config device
	option type 'bridge'
	option name 'lxcbr0'
	option ipv6 '0'
	option bridge_empty '1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.9.7.1'
	option netmask '255.255.255.0'

config interface 'homeoffice'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '10.9.6.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
...

Current setup:

      [Modem]            [PCs] [cameras]        [2.5 GbE PCs]
         |                 |       |                  |
[OW x86-64 router] <--> [Netgear gs316ep] <--> [Nicgiga 2.5 GbE]
                            |      |
                          [AP1]  [AP2]

Alright, after some trial and error I think I figured out the confusing WebUI for this switch.

1. Under Configuration>VLAN>Static VLAN is where you define all possible VLANs as well as use the crude interface to select which ports should be untagged and which ports should be tagged. As you see in the screenshot below:
  • ports 1-3 are untagged on VLAN 10
  • port 4 is untagged on VLAN 3
  • ports 5-6 are tagged (trunked) for all VLANs (3, 4, 5, and 10).

What I do not understand is why I am forced to use VLAN 1 (the first row in the table) which cannot be deleted.


2. Under Configuration>VLAN>VLAN Setting is where you define the PVID, which can be any of the VLANs you defined. What is odd to me is that you also have the concept of untagged and tagged. As you see, I just mirrored my settings for ports 1-3 (untagged on VLAN 10), port 4 (untagged on VLAN 3), and 5-6 (tagged on the VLAN 10).

A device on ports 1-3 gets an IP by the VLAN 10 interface range and a device on port 4 gets an IP on the VLAN 3 interface's range and all firewall rules seem in place (3 = my guest network which cannot access other subnets).

I found the whole thing to be pretty confusing, but wanted to update this thread as there is very little info/documentation about this switch, at least at the time I posted this.
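
The overlap pointed out in the replies (VLAN 1 and VLAN 10 both untagged on ports 1-4) and the PVID/untagged mirroring described in the last post can be checked mechanically. The following is an added example, not part of the thread or the switch's firmware: a Python audit over a hand-transcribed port table, where the table layout, the names `audit` and `vlan_row`, and the PVID values for the first attempt are assumptions.

```python
# Added example: the table layout and sample values are constructed from the
# thread's description, not exported from the switch.

def audit(static_vlans, pvid):
    """static_vlans: {vid: {port: "U" or "T"}}; pvid: {port: vid}.
    Returns a list of (port, code, detail) findings ordered by port."""
    findings = []
    ports = sorted(set(pvid) | {p for row in static_vlans.values() for p in row})
    for port in ports:
        untagged = sorted(v for v, row in static_vlans.items() if row.get(port) == "U")
        tagged = sorted(v for v, row in static_vlans.items() if row.get(port) == "T")
        pv = pvid.get(port)
        if len(untagged) > 1:
            findings.append((port, "multi-untagged",
                             f"untagged egress from VLANs {untagged} shares this port"))
        if pv is None:
            findings.append((port, "no-pvid", "untagged ingress has no VLAN assigned"))
        elif pv not in untagged + tagged:
            findings.append((port, "pvid-not-member",
                             f"PVID {pv} is a VLAN this port is not a member of"))
        elif untagged and pv not in untagged:
            findings.append((port, "pvid-mismatch",
                             f"untagged ingress joins VLAN {pv}, untagged egress is VLAN {untagged}"))
    return findings

def vlan_row(untagged=(), tagged=()):
    """One Static VLAN row: map each member port to "U" or "T"."""
    return {**{p: "U" for p in untagged}, **{p: "T" for p in tagged}}

# First attempt: VLAN 1 and VLAN 10 both untagged on ports 1-4 (PVIDs are assumed).
FIRST = {1: vlan_row(untagged=[1, 2, 3, 4]),
         10: vlan_row(untagged=[1, 2, 3, 4], tagged=[5, 6])}
FIRST_PVID = {1: 1, 2: 1, 3: 1, 4: 1, 5: 10, 6: 10}

# Final layout from the last post; the undeletable VLAN 1 row is left out because
# its port membership is not stated on the page.
FINAL = {3: vlan_row(untagged=[4], tagged=[5, 6]), 4: vlan_row(tagged=[5, 6]),
         5: vlan_row(tagged=[5, 6]), 10: vlan_row(untagged=[1, 2, 3], tagged=[5, 6])}
FINAL_PVID = {1: 10, 2: 10, 3: 10, 4: 3, 5: 10, 6: 10}

if __name__ == "__main__":
    for name, vlans, pv in (("first attempt", FIRST, FIRST_PVID),
                            ("final", FINAL, FINAL_PVID)):
        print(name, audit(vlans, pv) or "no findings")
```

Port 4 carries the guest VLAN in the final layout, so a `pvid-not-member` or `pvid-mismatch` finding on that port is the one that would place untagged guest traffic in another segment.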