DSA VLAN issues with Netgear R6220

I've had OpenWRT 19.07 on my Netgear R6220 for years and finally got around to trying to upgrade OpenWRT to 21 or 23 and am unable to get VLANs to work via DSA. (I've been doing networks since before TCP, and have used VLANs for more than 2 decades.) I configure the devices for 2 VLANs exactly as in the simple configuration in the Wiki page. LAN1-4 are Local and on VLAN 1 (u*), WAN is Local on VLAN 2 (u*). With VLAN filtering off, I can talk to the router (through a wire - wireless is off). When I turn on VLAN filtering (as the only change via Luci) and do Save&Apply, the device sends no packets out through the LAN ports nor does it answer an ARP WHO-HAS 192.168.1.1. (I haven't checked the WAN). At 90 seconds, it falls back to the config with VLAN filtering off. If it matters, nothing is connected to the WAN or other VLAN ports. I talk to it (192.168.1.1) from a static i/f (192.168.1.3).

I tried both 23.05.2 and 21.02.7. After initially having no luck, I went back to 19.07.10 with my old configuration where the VLANs again worked. Then back to 23.05.2 with nothing set but the password and the network config from the wiki page above (via Luci). I confirmed the devices in /etc/config/network agrees with the wiki page version (modulo name of the bridge device and a reorder of a pair of lines).

What am I missing?
Can someone confirm they have a R6220 working with DSA vlans?
Presumably something is failing as the network is starting and it probably goes into a log. Are there logs that survive the fallback to the earlier configuration?

Post your default (or near default) network config file and then describe what it is that you are tying to achieve in terms of VLANs.

  • Is this a dumb AP or the main router?
  • if the main router, describe the name/purpose, subnet, and VLAN ID for each network.
  • tell us what each port should do in terms of the port-vlan membership (and tagged/untagged status per VLAN per port).

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

Thanks for the quick response.

I use two router-capable boxes, but the R6220 is acting only as a vlan-capable switch & access-point (but is intended to be a spare router if the first one fails). The other router is connected to the ISP's modem and does the local routing. My network has 4 Layer-3 networks, each on its own VLAN (vlans 1,2,3,4). Three networks (vlans) have distinct SSIDs. The two network devices have a single cat-6 running between them, carrying the tagged traffic. Both devices (normally) announce the 3 SSIDs, and each has wired devices hanging off them.

But, at this point, I am just trying to get the VLANs working on the R6220 as they did in 19.07. So I pulled the R6220 out of the network and have it sitting on my desk, connected only from LAN4 to my laptop via a cat6 cable. I couldn't get it to work with my 4 VLAN configuration, so I've got it configured for a simple 2 VLAN network as per that Wiki page. In this configuration, I expect a device connected to a LAN port to be able to talk to the LAN interface of the router (192.168.1.1, inherited from the default config of 23.05). The WAN interface has no IP since it defaults to being a DHCP client, but no wire is attached. The wifi networks are off as that is the default.

As you'll see in the network config, the vlan filtering is off (necessary so I can talk to the R6220). If I go into Luci, to the network config window, I see that the Vlan Filtering box is checked (although it should be unchecked). If I click Save, I see there is 1 change to be applied (turning on filtering, since the box is checked but filtering was off). If I then apply that, the system can't communicate and 90 seconds later comes back with Dismiss/Revert option. To rule out a DHCP failure, my laptop is using a static 192.168.1.3 address on that interface. I did a tcpdump from my laptop of that interface and saw no packets at all arrive during that 90 seconds. As my laptop was sending out Who-Has 192.168.1.1 repeatedly, I think it is clear the network is not coming up on the R6220.

The R6220's label identifies its model as R6220, without a version number.

As I said earlier, I did try version 21 just in case this was some recent bug. I just tried installed the sysupgrade for version 22, being sure no configuration file was preserved (unchecked the box). I set up the same simple 2-vlan network. Without vlan filtering, all was happy. Turning on vlan filtering resulted in no connection and the Dismiss/Revert/Force option.

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Netgear R6220",
	"board_name": "netgear,r6220",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXX:XXXX:XXXX::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'
	option vlan_filtering '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'wan:u*'


I'd recommend that we aim for the desired in-situ configuration directly, although we'll start with just 2 VLANs (then you can build from there). It should work, but there are some devices that have experienced some bugs that impact VLANs with DSA. I don't recall if your device is one of the affected ones.

For the moment, let's use lan1 for the upstream connection (rather than wan), just in case the wan has some special considerations (like not actually being part of the switch -- again, I'd have to look to see the physical design of your device.

Some questions first:

  • Do you have an ethernet connection at your desk that is (or can be) a trunk with all your VLANs? This will make it easier to test the config while it sits at your desk.
  • Is VLAN 1 used for managing the R6220 itself? If not, what VLAN is used?
  • What is the desired address of the R6220 on the management network (or do you want it to use DHCP)?

Thank you very much for your help. I have it working now.

I had focused on the changes to the devices. But I missed that the devices on the interfaces need to be device.vlan, specifically br-lan.2 (etc). This is mentioned in the text of the wiki page but not shown in the graphical parts.

I recognized my error, not from a how-to, but from constructing a new configuration and realizing that the interface's device had to be the VLAN,

Once I recognized my error, I had the configuration in minutes. While there are many settings, the Luci interface for configuring the OpenWRT is straight forward with sufficient explanation of the settings I cared about.

Again, I especially appreciated your willingness to help. Thank you.

Can you post the working version of the network file please?

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXX:XXXX:XXXX::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.0.1'

config interface 'wan'
	option device 'br-lan.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'br-lan.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth0:t'
	list ports 'lan1:t'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'
	list ports 'lan1:t'
	list ports 'lan3:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth0:t'
	list ports 'lan1:t'
	list ports 'lan4:u*'
	list ports 'wan:t'

config interface 'vlan3'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'

config interface 'vlan4'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'
	option gateway '192.168.3.1'

Thank you. :vulcan_salute:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.