Help for vlan tag please

Tonio1987fr · December 19, 2021, 8:54am

Hello, I am trying to tag the wifi of my openwrt to use the vlan20 of my sophos (the vlan20 works with my computer). I created an interface with a bridge but it doesn't work (I haven't created wifi yet)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:d4be:e343::/48'
		
config interface 'lan'
	option proto 'dhcp'
	option device 'eth0.1'

config switch
	option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5 1'
        option vid '1'

config device
        option type '8021q'
        option ifname 'eth0.1'
        option vid '20'
        option name 'eth0.1.20'

config device
        option type 'bridge'
        option name 'vlan20'
        list ports 'eth0.1.20'

config bridge-vlan
        option device 'vlan20'
        option vlan '20'
        list ports 'eth0.1.20:t'

config interface 'VLAN20'
        option proto 'dhcp'
        option device 'vlan20'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t'
        option vid '20'

I put wan port with lan. Where is my error for the vlan20?

pavelgl · December 19, 2021, 10:00am

There are some obvious errors in your configuration.

eth0 is the physical interface name
eth0.1 - vlan 1
eth0.20 - vlan 20
eth0.1.20 - something totally wrong

To create vlan 20 with the corresponding bridge interface, you need the following:

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2t' #Change the tagged port of your choice 
        option vid '20'

config device
        option type 'bridge'
        option name 'vlan20'
        list ports 'eth0.20'

config interface 'VLAN20'
        option proto 'dhcp'
        option device 'vlan20'

Everything else is unnecessary, wrong or not supported by your device.

Tonio1987fr · December 19, 2021, 10:19am

With this configuration my port 1 ignores the vlan. My pc takes an ip from my lan and no ip for the interface VLAN20

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8e:d4be:e343::/48'

config interface 'lan'
        option proto 'dhcp'
        option device 'eth0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5 1'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1t'
        option vid '20'

config device
        option type 'bridge'
        option name 'vlan20'
        list ports 'eth0.20'

config interface 'VLAN20'
        option proto 'dhcp'
        option device 'vlan20'

pavelgl · December 19, 2021, 10:30am

Review the configuration using swconfig dev switch0 show.

Make sure port 1 is up, and it corresponds to the port that you plug the cable.

Tonio1987fr · December 19, 2021, 10:35am

My pc is on port 2 now and port 1 on sophos xg

Global attributes:
        enable_vlan: 1
        ar8xxx_mib_poll_interval: 500
        ar8xxx_mib_type: 0
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        mirror_monitor_port: 0
        mirror_source_port: 0
        arl_age_time: 300
        arl_table: address resolution table
Port 0: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 1: MAC 00:00:00:00:00:00
Port 2: MAC 00:00:00:00:00:00

        igmp_snooping: 0
        igmp_v3: 0
Port 0:
        mib: MIB counters
RxGoodByte  : 2708678 (2.5 MiB)
TxByte      : 2297995 (2.1 MiB)

        enable_eee: ???
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 0
        link: port:0 link:up speed:1000baseT full-duplex txflow rxflow
Port 1:
        mib: MIB counters
RxGoodByte  : 4056001 (3.8 MiB)
TxByte      : 2567423 (2.4 MiB)

        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 1
        link: port:1 link:up speed:1000baseT full-duplex txflow rxflow auto
Port 2:
        mib: MIB counters
RxGoodByte  : 2637753 (2.5 MiB)
TxByte      : 5618331 (5.3 MiB)

        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 1
        link: port:2 link:up speed:100baseT full-duplex txflow rxflow auto
Port 3:
        mib: No MIB data
        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 1
        link: port:3 link:down
Port 4:
        mib: No MIB data
        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 1
        link: port:4 link:down
Port 5:
        mib: No MIB data
        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 1
        link: port:5 link:down
Port 6:
        mib: No MIB data
        enable_eee: ???
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 0
        link: port:6 link:up speed:10baseT half-duplex
VLAN 1:
        vid: 1
        ports: 0t 1 2 3 4 5
VLAN 2:
        vid: 20
        ports: 0t 2t

pavelgl · December 19, 2021, 10:39am

I see discrepancies between the posted configuration and the reality.

Tonio1987fr · December 19, 2021, 10:43am

yes I have make change for that now is
option ports '0t 2t'

I think the problem is here :

Port 2:
        mib: MIB counters
RxGoodByte  : 3328085 (3.1 MiB)
TxByte      : 7845574 (7.4 MiB)

        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        **pvid: 1**
        link: port:2 link:up speed:100baseT full-duplex txflow rxflow auto

this should be pvid: 2?

pavelgl · December 19, 2021, 12:55pm

This means that the untagged frames will be treated as members of VLAN1. It shouldn't be a problem in your case, but better don't mix tagged and untagged frames on the same port.

If you need port 2 to be a member of both VLANs, set the tagging for VLAN1 too (you should also reconfigure the upstream device).

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2t 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2t'
        option vid '20'

Otherwise remove it from VLAN1.

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 3 4 5'
        option vid '1'

EDIT:

Are you really sure your sophos is set to work with VLAN tagged frames? Try also the following:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2'
        option vid '20'

Tonio1987fr · December 19, 2021, 1:30pm

It didn't work either.
I made a factory reset, I will try to tag the WAN port so that it uses the vlan20 of my sophos

mk24 · December 19, 2021, 2:35pm

That really doesn't matter since the WAN port is just another port of the switch it works identically to the four LAN ports.

pavelgl has an excellent point that you need to know if the Sophos is actually making tagged packets. If you can connect your PC directly to it and have it work without setting any VLAN in the PC, it must be sending untagged packets.

Tonio1987fr · December 19, 2021, 2:50pm

This don't work too

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda9:6710:219c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.20'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0.20'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1t'
        option vid '20'
        option description 'Internet'

The vlan 20 on the sophos work well if I tag the card on my computer
i tested a lot of stuff on openwrt. There must be a bug.

it's work if i make a vlan2 on sophos and change untagged to tagged in openwrt without modifying another option