How to drop packets with a VLAN tag on an untagged interface

Hi,
I defined a VLAN-aware bridge with VLAN 10 as the PVID:

ip link set br-lan type bridge vlan_filtering 1 vlan_default_pvid 10
root@prplWrt:# bridge vlan show
port    vlan ids
br-lan   10 PVID Egress Untagged
wlan0.0  10 PVID Egress Untagged

wlan0.0 is in the bridge.

I have a test station connected to wlan0.0, and this station sends a ping with a VID 10 tag to another station on the network, which is also connected to a VLAN 10 port.
My test fails, since the test environment expects the traffic to be dropped.
I need only untagged packets to pass, with VLAN tag 10 added to them. If a packet arrives with a tag, it must be dropped.

How can I do it?
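One way to get the behaviour asked for above, as an added example that is not from the thread or from OpenWrt: the bridge's own VLAN filter accepts a tagged frame whose VID is on the port's allowed list (here VID 10, which is also the PVID), so it will never drop that frame by itself. Dropping tagged ingress has to be done with a netfilter rule in the bridge family, which runs before the bridge's VLAN filtering and can still see the tag even when the driver has moved it into skb metadata. The script assumes the firmware ships nftables with bridge-family support (CONFIG_NF_TABLES_BRIDGE), and uses the port name wlan0.0 from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Generates an nftables ruleset in the
# bridge family that drops every 802.1Q/802.1ad-tagged frame received on a
# bridge port, so only untagged frames reach the bridge and get the port PVID.
# Assumptions (not stated in the thread): the firmware has nftables with
# bridge-family support, and the port to protect is wlan0.0.

# Print a ruleset for "$1" (bridge port name). The declare/delete pair at the
# top makes the file safe to load repeatedly with `nft -f`.
make_drop_tagged_ruleset() {
    port="$1"
    cat <<EOF
table bridge untagged_only
delete table bridge untagged_only
table bridge untagged_only {
    chain prerouting {
        # Runs before the bridge's own VLAN filtering, so the tag is still
        # visible here even when the driver stripped it into skb metadata.
        type filter hook prerouting priority -300; policy accept;
        # 802.1Q (0x8100) and the 802.1ad/QinQ outer tag (0x88a8)
        iifname "$port" ether type vlan counter drop
        iifname "$port" ether type 0x88a8 counter drop
    }
}
EOF
}

# Load the ruleset and show the resulting table (requires root and nft).
apply_drop_tagged() {
    make_drop_tagged_ruleset "$1" | nft -f - || return 1
    nft list table bridge untagged_only
}

# Stand-alone run: print the ruleset for wlan0.0 so it can be reviewed first;
# pass "apply" as the first argument to load it.
if [ "${1:-}" = "apply" ]; then
    apply_drop_tagged wlan0.0
else
    make_drop_tagged_ruleset wlan0.0
fi
```

Untagged frames are not matched by either rule, so they continue into the bridge and receive PVID 10 as before. OpenWrt's fw4 keeps its rules in the inet family, so a separate bridge-family table does not collide with it. To verify, repeat the tagged ping from the test station and check that the `counter` on the `ether type vlan` rule increments in `nft list table bridge untagged_only` while the ping fails.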

Are you using OpenWRT?
What version?

I worked on VLANs this weekend and they really don't look like that if you follow the network instructions.

Generally you cannot pass tagged frames over Wi-Fi. What you can do is assign an SSID to a tagged interface, and all incoming traffic will be assigned to that VLAN.
The station connected to the Wi-Fi can send untagged frames, which will then be assigned to the desired VLAN.


wlan0.0 would be VLAN 0, and br-lan, which VLAN/interface is that locked to?
PVID is Port VLAN ID; it tags incoming packets and usually has the same VLAN ID as the outgoing packets. But it can also be a black-hole VLAN if you have a tagged port.

It is a custom version of OpenWrt.

I am able to send VLAN tags over Wi-Fi. In fact, this is what my test environment tests.

This is what I do now, but it is not what I asked. I need to figure out how to block tagged traffic.

No, wlan0.0 is not a VLAN interface. It is a wireless interface.
wlan0 is a radio interface, and wlan0.0, wlan0.1 ... are BSS interfaces, each with a different SSID.
I assigned VLAN 10 to wlan0.0.

How much is custom and how much OWRT is left?

How are we supposed to help if you have a custom firmware and don't say that in the first place, and don't say what is custom and what is original?

You only say you have some firmware and it doesn't do what you want. Well, to be honest, I am not surprised by that one.


If you really have some traces of OpenWRT in your custom firmware, then what we really need to see is the content of the network and wireless config files.

uci show network
uci show wireless

Because that is where the VLAN handling usually should be for OWRT.