Double VLAN tag

Hello everyone,

I'm trying to configure my router to access vlan 100 on the WAN port and on port 4.
I need port 4 to act as an independent unmanaged interface to avoid double NAT so i can pass the vlan to the other router connect on that port.

i tried to double tag vlan 100 to vlan 10 and add a new interface but using the ip link command return the following error:

ip: argument of "protocol" must be "on" or "off"

using the openwrt wiki command for stacked vlan:

ip link add link eth0 eth0.100 type vlan proto 802.1ad id 100

Tried to used to 802.1q vlans and created interface eth0.100.10 but i cannot select port 4 on the switch for that tag.

If anyone can share some insight maybe an easier way i would appreciate.

Perhaps I did not understand what you are trying to achieve, but here are my two cents:

  • Create VLAN 100 on WAN, let's call it eth0.100
  • Separate port 4 on LAN, let's call it eth1.4
  • Now bridge together eth0.100 and eth1.4

Thank you for your advice.

The problem i'm having is because my router (wdr3600) only has the eth0 interface so i cannot separate port 4 from lan.

Sure you can? Define a new VLAN (you can do that in LuCI even), assign port 4 to it (tagged if you keep it in the default VLAN as well), done.

I own a WDR4300 (only difference is that it has one extra external antenna), and you can separate LAN ports; I know because I did it... I use eth0.3 (VoIP) and eth0.6 (Internet) on WAN, and then eth0.9 (port 4) and eth0.1 (ports 1,2,3) on LAN:

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vid '1'
	option vlan '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vid '9'
	option vlan '9'
	option ports '0t 5'

config switch_vlan
	option device 'switch0'
	option vid '3'
	option vlan '3'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vid '6'
	option vlan '6'
	option ports '0t 1t'

Maybe i didn't explain my problem correctly.

I need to have vlan 100 tagged on wan port with dhcp client, no far no problem assign interface eth0.100 to wan and tag the port on the switch which gives me the first public ip.

Then i also want to have the same vlan 100 on port 4 but with unmanaged protocol to pass the vlan down to the next router for the second public ip bypassing the firewall on the wan port.

My config for the moment is this;

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.23.84.254'

config interface 'wan'
        option ifname 'eth0.100'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '100'
        option ports '0t 1t 2t 5t'

expanding on this.

Most devices have an interface which is not directly exposed to the outside
world. Instead it connects to a switch (in some devices, all interfaces connect
to a switch)

These swiches are intellegent, and can be configured so that each port on the
switch has a different configuration. There are two basic modes a port can be in

  1. Trunk mode where it has multiple VLANs operating on the port, every packet
    should have a VLAN tag on it to say what VLAN it is

  2. raw mode where vlan tags are removed

A given switch port should only be in one of these two modes, and if it's in raw
mode, it should only be assigned to one VLAN (while it's technically possible to
violate these rules, the resulting behavior 'interesting')

The switch interface(s) connected to the CPU of the router should be in trunk
mode so that you can use multiple VLANs (this shows up as ethN.M interfaces)

you then use the switch configuration to define the switch ports

David Lang

I do not understand why port 2 is on VLAN2, but that should not be a problem, you just lose one LAN port.
I see you are tagging port 5 on VLAN2, is the other router configured to use VLAN100 too?

For the moment i was disabling the wan port to see if the port 4 vlan was working on the other router.

I'm kinda confused about this mostly how the traffic flows, if i put the wan interface on eth0.100, tag vlan 100 on port 4 and disable port 4 on vlan 1 (lan) i can get an ip on the other router but won't i get the wan firewall rules for both the wan and port 4?

Could you please post the config files each time you make a change, and tell us what works and what not?

I've managed to get it working with the following config:

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.23.10.254'
        option _orig_ifname 'eth0.1 radio0.network1 radio1.network1'
        option _orig_bridge 'true'
        option ifname 'eth0.1'

config interface 'wan'
        option ifname 'eth0.100'
        option proto 'dhcp'
        option peerdns '0'
        option dns '208.67.222.222 208.67.220.220'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '100'
        option ports '0t 1t 5t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '2'
        option ports '0t 4t'

config interface 'mls02'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'true'
        option ifname 'eth0.101 eth0.2'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 2t 3t'
        option vid '101'

config interface 'vmnet101'
        option proto 'static'
        option ifname 'eth0.102'
        option ipaddr '172.23.10.254'
        option netmask '255.255.255.0'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '102'
        option ports '0t 2t 3t'