I've got an R7800 too on which I'd like to setup a few VLANs, but I keep hitting a wall...a thick one! I have read several VLAN guides and watched videos and have a basic understanding of networking, but I admit that I am a newbie with OpenWRT and this community, so please bear with me!
My objective: I have successfully setup several VLANs with untagged ports, but I'd like to create 2 VLANs that share a physical router port (LAN1, via a switch) and are active at the same time, one with DHCP, the other with static IPs only.
The issue: I setup my network based on @atownlede config (LAN1 tagged on both VLANs, ...) but if I connect a laptop to LAN1 it doesn't get assigned an IP. If I use a static IP, within the VLAN address range, I still cannot ping any machine on that VLAN, not even the router. If I go back and configure untagged ports, internet access via WAN also stops working for a while (it's like it is stuck).
Could you first of all confirm that my objective is something feasible? If so, any idea what could be the issue (I could post my /etc/config/network if it helps)?
This is likely because you've setup a tagged network and your laptop is not configured to use 802.1q tagged interfaces.
Let's get some info here, though:
Is this a managed or unmanaged switch connected to port lan1?
Let's see your current configuration:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Ok, wasn't aware about this. Does that mean that if I have guests connecting to a 'guest' VLAN, their devices should be set up in a specific way? Does this apply to Wi-Fi connections too?
Not sure how to check that? It is a TP-Link TL-SG108.
This depends on the connection method and the desired general topology.
VLANs technically apply only to ethernet where you have multiple networks/subnets on a single physical port/cable. The 802.1q tags that make VLANs possible are how VLAN aware systems differentiate between the different networks. If you do not have VLAN aware devices, they will not be able to connect to networks with 802.1q (VLAN) tags. Most end devices (computers, game consoles, STBs, etc.) are not VLAN aware; some devices can be configured to connect to VLANs -- it depends on the OS and hardware).
If you want to have ethernet connectivity for 'regular' (non-VLAN aware) devices, you would need to create "access ports" -- these are ports that have just a single untagged network and no tagged networks assigned.
Wifi doesn't actually have the concept of VLANs. In the case of wifi, you will setup an SSID and associate it with a network -- you can do this with multiple SSIDs, each with it s own network. it is even possible (recently) to have a single SSID for multiple networks, where the password is what determines the network to which a device is connected. IIRC, this is currently not implemented in the GUI and can be a bit tricky to setup, so it is a bit of an advanced user thing for now.
This is an unmanaged switch. It is not made to pass VLANs, and cannot be used to configure access ports or anything else. Therefore, this should never be connected to a port that carries VLANs.
If you're going to use VLANs through a switch, it must be a managed switch.
There are a lot of issues here. It may be best to start simple -- reset to defaults and make sure the basic single wan/lan functionality works. Then setup one new network (so you'll have a total of 2). Once this is proven to work, you can create additional networks using the same recipe.
With that in mind, it is first important to define your goals -- what network(s) are needed and for what purpose (i.e. trusted lan, guest, iot, etc.). Then define what is allowed/denied in terms of access to each other and/or access to the internet (can be broad/simple, or granular/complex).
Finally, for each network, it is necessary to have a clear plan for what networks need etherent vs wifi vs ethernet+wifi and how the ports will be used.
If you can define the desired topology and goals, we can help you implement them. Again, I'd recommend starting from scratch on this, though.
It might not come through my config files, but I did give a lot of thought to the network topology, scope of each VLAN, firewall rules, etc (I've got some diagrams). The final setup is supposed to be more complicated than this, with 5 or 6 different VLANs.
I started with a single VLAN (VLAN3_TRUSTED) and everything worked well. Then I added VLAN5_SMARTTV because it is the only one that needs to go through the switch to the same router port. But I didn't know that my switch had to be VLAN-aware, that might be the biggest issue (plus, some leftover config from previous tests).
I will follow your advice and start from scratch -- will get back here with a cleaner config, thanks!
Hi, @psherman does it means that if I have a situation like: VLAN openwrt Router --> gigabit TP-Link switch (not manageable) --> VLAN openwrt router (dumb AP)
VLANS will never work because the switch is not vlan aware?
My scope is not configuring vlans on the switch. I need to do that with the routers. But the switch is in the middle as I need more ports than the router have.
The answer is not entirely straight forward, unfortunately.
The short answer is: Don't put any tagged networks through an unmanaged switch.
The longer answer is a bit more complex. Basically, unmanaged switches are not designed to carry tagged networks. This means that the behavior is undefined and may be different from swtich to switch (brand/model or even version of any given model).
You may find the following types of situations, depending on the switch in use (generally it would be just one mode from this list):
The VLAN tags can pass transparently without issue. So if you have a trunk from your router and then say a VLAN aware AP, this may work just fine.
The switch does not pass the tagged networks, so only the untagged network will function properly.
The switch strips the tags and then co-mingles all of the networks. This is a really bad situation because it will give every device access to all VLANs and may also be entirely unpredictable as to what network a given host will join.
The switch chokes entirely on the tags and doesn't switch traffic normally in general.
There is also the possibility that the switch operates in an unpredictable manner overall, where you might not be able to say "oh, this switch does x."
Assuming that the tags pass without issue, the other major issue is that there is no way to configure any of the ports. That is to say that all ports become trunk ports -- the same as whatever trunk ports exist at the uplink. This means that all devices that are VLAN aware could gain access to the other VLANs (this is fine when explicitly desired like for an AP, but not good for an untrusted computer, for example). Further, you cannot untag a network that is tagged on the uplink for a normal non-VLAN aware device (i.e. STB, game console, regular computer, etc.) to use... they will only be able to use the untagged network (if any) as it exists on the trunk.
Basically, the unmanaged switch should only ever be tasked with a single, untagged network. If you've got VLANs in your setup, make sure that the port that connects to an unmanaged switch is configured as such (be it a port on a router or a managed switch).
There is only one safe way to deal with multiple networks (~VLANs) and unmanaged switches, by keeping them inside the OpenWrt router (and its onboard managed switch), as in e.g.:
LAN1, lan, untagged - as there is only one untagged network from here on, unmanaged switches can be used
LAN2, iot, untagged - as there is only one untagged network from here on, unmanaged switches can be used
LAN3, guest, untagged - as there is only one untagged network from here on, unmanaged switches can be used
LAN4, lan+iot+guest, all-tagged - as there are multiple tagged VLANs on this port, only VLAN-aware devices can be connected - so either a direct connection to your VLAN-aware (OpenWrt-) AP XOR a managed switch distributing your VLANs across its (access-) ports
An unmanaged switch should never see multiple VLANs or VLAN-tagged packets on any of its ports (psherman laid out the reasons for- and consequences with that).
wow! thank you. you have been clear.
What I take out of it is that if One wants to use VLANs to separate network traffic, One need to by managed or smart switchs. That of course comes with a price tag as well.
I can imagine that most of us wants to separate Guest lan/wifi, IoT, LAN and maybe more.
But the router are limited ports.
In my case, I have several Raspberry Pi wired and that alone overcome the amount of router port.
Than I have a Dumb AP with only 2 ports (its a xiaomi converted to openwrt) upstairs that serves a few devices lkike IPTV from my ISP, my Android TV, my computer, a NAS and a few wifi devices (among those gaming devices from the kids I like to separate from my LAN). Obviously I have a switch next to the dumb AP as well.
If I understand correctrly your point:
I have to:
Have my main Opemnwrt router with VLAN configured
Have a managed switch and define the VLANS there too
Have my Dumb AP with VLAN configured
Have an other managed switch (L3) with VLAN configured.
Is that correct?
I am not a pro here so I assume I am making it complicated. Please correct me.
OK!
I just wrote a long answer to psherman. I think your reply covers quite a bit of it.
I have to look at few tutorials how to separate networks (you spot on with LAN, Guest and IoT) and not tagged network.
Will see if I can keep my actual switch or best to buy a managed one. I just prefer not to buy more than one managed switch to cover the router and the Dumb AP upstairs and all teh devices behind it.
Any suggestions to easy tutorial, are welcome.
If you want to send out separate ESSID for your different networks over the air (e.g. lan, guest, IoT), yes.
L2 or L2+ is enough, L3 is not necessary (unless you know that you want L3 features).
Sometimes you can get used smart-managed (L2+) switches on the second hand markets for rather little money (e.g. from the ZyXEL gs1900 series of switches, which may start around 15-25 EUR used (pretty much independent of the port count, ranging from 8 to 52, only PoE as a feature would significantly drive up the cost; you will need some patience and persistence to find them for those prices, but you can, regularly) and would be even be OpenWrt compatible, but the OEM firmware isn't bad as-is either). In used condition they may have gained some scratches, dents and other cosmetic issues, but that usually doesn't affect functionality - these devices are designed to stand the abuse in rack-mounted environments and are rather sturdy (physically and electrically), so your chances to get lucky aren't bad.
The question about the number of switches and their capabilities is always about your local setup. As long as you can keep all tagged packets away from the unmanaged switches (or APs that don't know about VLANs; APs running OpenWrt do), you can use those existing unmanaged ones on the perimeter of your network (where you only need to distribute a single, untagged, network) - but managed ones throughout make your setup a lot more flexible.
Thanks @slh ,
I really dont care about scratches on the outside of a switch. I am not going to look at it at all!
I think I will need managed switches (or smart switches. Not sure to understand the difference between managed and smart yet).
I am looking at this video that seems easy enough to implement and it appear that I have to tag and untag different ports/lans. (https://www.youtube.com/watch?v=qeuZqRqH-ug)
I will look for decent routers for this purpose.
Thanks for your help.
I might will pick this up in the future when I will receive the switched that are needed.
