Enabling VLANs breaks GL.iNet Slate AX (GL-AXT1800)

My OpenWrt version is 24.10 (snapshot + manually installed Luci).

GL.iNet Slate AX (GL-AXT1800): 3 Ethernet ports (lan1, lan2 and wan).
I am configuring it as an access point (no NAT, no fancy routing, all ports equal).
Hoping to achieve following goals:

  • 2 vlans: "priv" with pvid "10" and "dmz" with pvid "20";
  • all untagged traffic on "lan1" goes to vlan "priv";
  • all untagged traffic on "lan2" goes to vlan "dmz";
  • "wan" port is trunk handling both tagged and untagged traffic;
  • no WiFi is enabled at the moment (to keep it simple);
  • no DHCP or DNS server (everything is working upstream).

I have attempted to configure this via Luci and directly editing /etc/config/network.
Outcome is always the same though - once VLAN filtering is enabled, the access point can no longer be reached via HTTPS or SSH. I have to perform factory reset to gain access to it.

My /etc/config/network is rather simple:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1/8'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1/24'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:u*'
        list ports 'wan:t'

config interface 'priv'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1/24'

config interface 'dmz'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.1/24'
        

lan ports must be bridge members

Are you saying I should add "lan1" and "lan2" to "br-lan"?


config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'wan'
        list ports 'lan1'
        list ports 'lan2'

You must use LuCI or read the DSA guide.

Given your apparent goals, all three ports should be in br-lan as you have in your most recent post.

There is one other issue:

The lan interface still references br-lan (without a VLAN), but this is invalid now that you're using bridge-VLANs.

If you're still using that interface, you can either remove the device line (fine if you're using just a single wifi radio), or add another bridge-vlan for that (maybe VLAN1)... you don't necessarily have to tie it to any ethernet ports.

If I were to disable lan interface, how would I reach 192.168.1.1 over "wan" ?
I am currently not using any VLAN to reach 192.168.1.1, so attaching it to a VLAN would make it inaccessible.

Unfortunately, this did not work yet. I've now reset the access point again after trying this config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1/8'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'wan'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1/24'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:u*'
        list ports 'wan:t'

config interface 'priv'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1/24'

config interface 'dmz'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.1/24'

I tried configuring the same via LuCI, but every time I enable VLAN filtering, it always rolls back. Force applying it resulted in an inaccessible device - I could not read its config file, so I wasn't able to confirm the final settings.
So manually editing the config file seems like the only viable approach I can take to get this sorted.

If you disable the lan, obviously you wouldn't be able to reach it. That's why I said "if you're still using" it, you can create a new VLAN for it.

I don't know what you mean by this though:

Meanwhile...

Actually, this network is not assigned to any ports once you enable VLANs. Maybe that is your issue??

This is my preference, but it can be done via LuCI if you sequence it properly (don't apply any settings until everything is done).

That said, what I see is that you have VLAN 10 assigned to port lan1 as (untagged + PVID), and VLAN 20 (also untagged + PVID) on port lan2. The wan has both of the VLANs tagged.

What do you want the standard lan (192.168.1.0/24) to do? You cannot apply it to a lan port untagged because you already have both lan ports claimed by the other VLANs. So... what do you want to do with this network?

Ah, apologies for not communicating this well.

I'd like the traffic on ports lan1 and lan2 to be tagged by this AP. So any VLAN-unaware device connected to either of them gets its traffic tagged respectively.

For the wan port, I'd like it to admit all traffic (tagged and untagged) without any modification. This way it can carry tagged traffic upstream but also allow untagged traffic as is. I hope this would allow me to use wan as both a trunk port connecting lan1 and lan2 with the upstream switch and also let me reach the AP admin interface (SSH and/or LuCI) by directly plugging a VLAN-unaware device (laptop) into wan in case the upstream switch fails.
To achieve that, I'd have to keep 192.168.1.0/24 configured without any VLANs.

I think my main struggle here is figuring out how to configure "wan" port as "admit all".

I tried taking these steps in Luci following a reset:

  1. Removed wan interface and wan bridge.
  2. Assigned wan device (port) to lan interface (by removing br-lan and adding wan instead).
  3. Added wan to the default br-lan bridge device, so all 3 Ethernet interfaces are part of br-lan bridge.
  4. In br-lan "Bridge VLAN filtering" tab, I've enabled VLAN filtering:
    - VLAN ID "10" local: lan1 as "U*"; lan2 as "--"; wan as "T";
    - VLAN ID "20" local: lan1 as "--"; lan2 as "U*"; wan as "T".
  5. Clicking "Save" after "Bridge VLAN filtering" produced two new devices: br-lan.10 and br-lan.20.
  6. Created two new interfaces on the Interfaces tab:
    • priv by including br-lan.10 device and assigning it a static IP: 192.168.10.1;
    • dmz by including br-lan.20 device and assigning it a static IP: 192.168.20.1.

Clicked "Save & Apply" - after the 90s timeout the settings were rolled back.

The best I could get working was "Save & Apply" after step 5 - essentially skipping creating the priv and dmz interfaces. Without those, though, I will not be able to assign WiFi to either of them, which is a problem.

As stated earlier, editing the config files avoids the issue with the sequencing that can crop up when using LuCI. However, you still have an issue that is not being addressed.

The lan (192.168.1.0/24) must be assigned to a VLAN, and it doesn't look like you've done that. Once you apply the bridge-VLANs, the lan subnet will no longer be accessible since it's not connected to a VLAN and thus not connected properly to any of the ports.

It's still not clear what is supposed to happen with that subnet in your port assignments. Here's what I understand:

  • Port lan1: VLAN 10 untagged & PVID
  • Port lan2: VLAN 20 untagged & PVID
  • Port wan: VLAN 10 tagged + VLAN 20 tagged.

that covers your priv and dmz networks, but the lan network is missing. How do you plan to connect to the lan interface?

Further, what is connected to the wan port -- is it VLAN aware and configured for the VLANs?

@psherman,
Are you saying there is no way in OpenWrt to make wan port admit both tagged and untagged traffic?

For wan port, I'd like it to admit all traffic (tagged and untagged) without any modification. This way it can carry tagged traffic upstream but also allow untagged traffic as is. I hope this would allow me to use wan as both trunk port connecting lan1 and lan2 with upstream switch and also let me reach the AP admin interface (ssh and/or Luci) by directly plugging VLAN unaware device (laptop) to wan in case that upstream switch fails.

No, I didn't say that. You can add another VLAN and make it untagged on the wan port. It's just that I haven't been able to understand your specific goals as to which port you wanted to use for the lan and whether it was going to be tagged or untagged.

There is an opinion that all VLANs should always be tagged on a trunk, but that is often a matter of personal/professional opinion/style rather than a technical limitation in the vast majority of cases. There are some situations where tagged + untagged on the same trunk can cause problems, but that's the exception, not the rule.

If you want to add the lan as untagged to the wan port...
Create a new bridge-vlan:

# VLAN 1 on the wan port only: "u*" = untagged + PVID, so frames that arrive
# on wan without a tag are placed in VLAN 1 alongside the tagged 10 and 20
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'wan:u*'

And then modify the lan interface to use br-lan.1:

# the interface now binds to the VLAN sub-device, not to bare br-lan
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1/24'
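Putting the whole thread together, here is an added example (my own script, not anything posted by the participants): it writes the complete /etc/config/network the thread arrives at (all three ports in br-lan, VLAN 1 untagged + PVID on wan for management, VLAN 10/20 untagged on lan1/lan2 and tagged on wan, every interface bound to a br-lan.N sub-device), runs a consistency check that catches the two mistakes made along the way (a bridge-vlan naming a port that is not a bridge member, and an interface bound to bare br-lan once bridge-vlans exist), and applies the file with a timed rollback so that a bad config does not end in another factory reset. It assumes the Slate AX DSA port names lan1/lan2/wan and the addresses used in the thread; ROLLBACK_SECS, the /tmp paths and the subcommand names are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: write the complete /etc/config/network
# the thread arrives at, check it for the two mistakes made along the way, and
# apply it with a timed rollback. Assumes the Slate AX port names lan1/lan2/wan
# and the thread's addresses; ROLLBACK_SECS and the /tmp paths are my own choices.
ROLLBACK_SECS=120

gen_network_config() {
    cat <<'EOF'
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1/8'

# every port named in a bridge-vlan below must be a member of the bridge
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan'

# VLAN 1 = management: untagged + PVID on wan only, no lan port carries it
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'wan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'wan:t'
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:u*'
        list ports 'wan:t'

# interfaces bind to br-lan.<vlan>; bare br-lan is no longer valid here
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1/24'
config interface 'priv'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.1/24'
config interface 'dmz'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1/24'
EOF
}

# Exit 0 if FILE is consistent; print one line per problem and exit 1 otherwise.
check_network_config() {
    awk -v q="'" '
    function uq(s) { gsub(q, "", s); return s }
    function flush(  n, i, a, p) {           # runs at the end of each section
        n = split(ports, a, " ")
        if (sect == "device") for (i = 1; i <= n; i++) member[dname, a[i]] = 1
        if (sect == "bridge-vlan") {
            has_vlans[dname] = 1; vlan[dname "." vid] = 1
            for (i = 1; i <= n; i++) {
                p = a[i]; sub(/:.*/, "", p)   # "lan1:u*" -> "lan1"
                if (!((dname, p) in member)) { print "port " p " in VLAN " vid " is not a member of " dname; bad = 1 }
            }
        }
        if (sect == "interface") ifdev[sname] = dname
        sect = ""; sname = ""; dname = ""; vid = ""; ports = ""
    }
    BEGIN { bad = 0 }
    $1 ~ /^#/ || NF == 0 { next }
    $1 == "config" { flush(); sect = $2; sname = uq($3); next }
    $1 == "option" && ($2 == "name" || $2 == "device") { dname = uq($3) }
    $1 == "option" && $2 == "vlan" { vid = uq($3) }
    $1 == "list" && $2 == "ports" { ports = ports " " uq($3) }
    END {
        flush()
        for (i in ifdev) {
            d = ifdev[i]; split(d, a, ".")
            if (d in has_vlans) { print "interface " i " binds to bare " d ", which has bridge-vlans"; bad = 1 }
            else if ((a[1] in has_vlans) && !(d in vlan)) { print "interface " i " uses " d " but no bridge-vlan defines it"; bad = 1 }
        }
        exit bad
    }' "$1"
}

# Install the config and restart the network; unless someone logs in and removes
# /tmp/net-pending within ROLLBACK_SECS, the previous config is put back.
apply_with_rollback() {
    cfg=/etc/config/network
    gen_network_config > /tmp/network.new
    check_network_config /tmp/network.new || return 1
    cp "$cfg" "$cfg.bak" && cp /tmp/network.new "$cfg" && touch /tmp/net-pending
    ( trap '' HUP; sleep "$ROLLBACK_SECS"   # ignore HUP: the SSH session will drop
      [ -e /tmp/net-pending ] && cp "$cfg.bak" "$cfg" && /etc/init.d/network restart ) &
    /etc/init.d/network restart
    echo "confirm within ${ROLLBACK_SECS}s with: rm /tmp/net-pending"
}
case "${1:-}" in gen) gen_network_config ;; check) check_network_config "$2" ;; apply) apply_with_rollback ;; esac
```

Usage: `sh vlan-ap.sh check /etc/config/network` against a hand-edited file reports exactly the conditions the replies above point out; `sh vlan-ap.sh apply` on the AP installs the generated file and starts the watchdog, and once you can reach 192.168.1.1 again (over wan untagged, from a laptop or through the upstream switch) you confirm with `rm /tmp/net-pending`. The watchdog ignores SIGHUP on purpose, because the SSH session it was started from dies when the network restarts; without that, a dropped session would also kill the rollback.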