I'd like to know if following setup is possible.
I have a small managed switch with SFP slot where optics from my ISP ends. Rest of switch ports is my home lan network.
Now I need to setup my openwrt router. I think I should be able to connect it to switch with single "trunk" cable and have two VLANs for lan and wan, but I cannot figure out how to set it on router side.
Can someone give me any advice, please?

how many ports do you have on your switch? why not simply use one port for owrt wan, another for owrt lan?

something like:

ISP - + S |
      | W + - LAN DEVICE1
	  |   + - LAN DEVICE2

ISP -- + S |   +---+
       | W + - + O | (WAN)
	   |   + - + W | (LAN)
LAN1 - +   |   | R |
LAN2 - +   |   | T |
	   +---+   +---+

hello @grrr2,
that would work out of the box yes.
The main reason for me is to save cabling (long distance, and I already have single cat there).
I guess the method with VLANs should work too, but I'm not sure :wink:

Yes, it's going to work, but it limits your WAN/LAN bandwidth to 50% speed as both traffic needs to pass the single cable. I had such a setup for several years, it's not difficult:

  • Create trunk port on switch
  • Create trunk port on OpenWrt
  • Move lan and wan interfaces to the VLANs

How the latter two are done depends on your router, whether it uses swconfig or DSA - what router and OpenWrt version do you use?

hi @andyboeh, I have xiaomi ax3200 which uses DSA I think.
Can you please share some example configuration? I'm interested mainly how to put the interfaces into the VLANs.
Would the bandwith be really limited to 50%? I think it would be limited but the ratio highly depends on actual traffic, doesn't it? 50% is just the worst case.

Sure, that's from a ER-X, the individual lan ports are labelled "eth0" to "eth4", you will need to change that. eth0 is my trunk ports, the other ports do not have any VLANs attached. The interface "modem" is not required for the PPPoE connection to work, I just added it to be able to access the modem's web page. VLAN 100 is for the modem, VLAN 300 is for the LAN. The important part is moving the lan to the VLAN by modifying the interface to br-lan.300 and the configuration of the bridge for the VLANs.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
	option proto 'static'
	option netmask ''
	option ip6assign '60'
	option device 'br-lan.300'
	option ipaddr ''

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'eth0:t'

config interface 'modem'
	option proto 'static'
	option device 'br-lan.100'
	option ipaddr ''
	option netmask ''

config interface 'wan'
	option proto 'pppoe'
	option device 'br-lan.100'
	option username 'xxx'
	option password 'xxx'
	option ipv6 'auto'

I'm not sure if I got the phrasing correct: A GBit WAN connection will be limited to 500M as the WAN traffic needs to pass the VLAN trunk twice. A 500M WAN connection will not be limited, but that's the max. I only had 40M WAN, so no problems to expect here :wink:

I will try, thanks...

Btw why is the eth0 (trunk) part of br-lan? I think I'm still a bit confused what is device and interface :slight_smile:

br-lan is the complete bridge covering all ports. I'm always doing bridge-based VLAN filtering. On your device, these are the names of the ports, like "lan1" and "lan2". They are named "ethx" on the ER-X.

The important part is using br-lan.300 and br-lan.100 as devices for lan and wan - this is where the magic VLAN-filtering happens :slight_smile:
Here is the relevant part of the Wiki article describing this syntax:

hmm, I was not able to make it working, yet :frowning:
once I move the lan interface into br-lan.300 I'm loosing access to the router

If you're connecting LAN devices to the other ports on the router, you need to add them to the new LAN VLAN (300):

    list ports 'lan1:t'
    list ports 'lan2:u'
    list ports 'lan3:u'
    list ports 'lan4:u'

In the managed switch, configure the ports that are going to ordinary LAN devices as VLAN 300 untagged, with a PVID of 300.

It's good to have a way to log into the router by wifi while you are reconfiguring Ethernet so that access is not lost.

