I (still) need help with VLANs, I can’t get them to work, please assume I don't know how to computer nor network

Note to staff: I am reposting this as I still need help and there is no appeal procedure for a post locked and delisted, except for the same person who banned my post judging that you don't need help. There were good reasons for hiding one of my replies in that thread, as I was an asshole, but I do not feel that warranted nuking the whole thread.
If one is still doubting my intentions I'm willing to get on a call with them or a livestream to show my configurations.

Note to all: I very much do not like being accused of using “AI”. I find the technology in its most promoted form abhorrent and an “insult to life itself”.

Original post (slightly modified with some more things I've tried and for other places I tried to get help) follows.

---- 8< ----

I have tried for over a week to make it work, which seems so simple, yet I can't make it work.

Now I have read too many random guides on this topic and I don't know what is and isn't correct (also for my setup). So please assume I could have made a simple mistake somewhere that I keep missing.

Goal:

  • have VLANs to separate some Proxmox traffic for some of its features and for general learning.
  • both VLAN and non-VLAN traffic on all switch ports (give or take VID 1).

Setup:

  • HP T610 Plus with a Broadcom quad BCM5709, details in the “infos” section, “router”,
  • Zyxel GS1920-24 HP, FW: V4.50(AAOC.3) | 05/20/2020, “switch”,
  • two HP EliteDesks with Proxmox (FWIW powering them down changed nothing),
  • my workstation with two NICs, “workstation”.

Connections:

  • router eth0 is WAN,
  • router eth1, 3, 4 are VID 1, 3 and 4 respectively, straight to the switch,
  • router eth2 is not connected,

Results:

  • only ARP and UDP traffic is coming from the workstation or Proxmox machines, to the unknown MAC (see below) or broadcast,
  • there is no returning traffic,
    • as in I can get ARP and DHCP requests, but no replies.
  • I have a MAC address from tcpdump that isn't in my network, isn't in any ARP table on my machine, that I couldn't find in MAC lookup databases: 09:00:2b:00:00:05 ($MAC_NOT_IN_THE_ARP_DATABASE in the tcpdump snippet),
  • I start my day with generating a backup archive for the router.

Tried (added a new and an old case):

  • P2P Ethernet connection - same: only inbound traffic,
  • making the switch aware of the VLANs, with configuration that would assume that all ports can handle all traffic,
  • a lot of random guides,
  • trying to learn the difference between “untagged” and “tagged” ports,
  • having the VLANs on eth1 as 1u, 3t, 4t,
  • tagging the eth3 to 3t and eth4 to 4t, including P2P,
  • setting the eth3 and VID 1 to untagged, VID 3 to tagged and connecting it P2P to the workstation, VID1 works, VID 3 doesn't,
  • (somewhere around here I've noticed that the tcpdump stopped capturing anything),
  • subnet-based VLANs on the switch seem broken.

The below status is the best I can figure out that doesn't trigger an automatic configuration revert.

Infos:

root@router:~# ubus call system board
{
        "kernel": "6.6.119",
        "hostname": "router",
        "system": "AMD G-T56N Processor",
        "model": "Hewlett-Packard HP t610 PLUS WW Thin Client",
        "board_name": "hewlett-packard-hp-t610-plus-ww-thin-client",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "x86/64",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}
root@deathbox:~# lspci | grep Ethernet
03:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
03:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
04:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
04:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
07:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetLink BCM57781 Gigabit Ethernet PCIe (rev 10)
root@router:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '$ULA_PREFIX'
        option packet_steering '1'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth3'

config interface 'lan_3'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '10.3.0.1'
        option netmask '255.255.255.0'
        option gateway '10.0.0.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'eth4'

config interface 'lan_4'
        option proto 'static'
        option device 'br-lan.4'
        option ipaddr '10.4.0.1'
        option netmask '255.255.255.0'
root@router:~# cat /etc/config/wireless

root@router:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'

config dhcp 'lan'
        option interface 'lan'
        option start '2'
        option limit '254'
        option leasetime '2h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,10.0.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config domain
        option name 'deathbox.lan'
        option ip '10.0.0.1'

config dhcp 'lan_3'
        option interface 'lan_3'
        option start '2'
        option limit '254'
        option leasetime '2h'

config dhcp 'lan_4'
        option interface 'lan_4'
        option start '2'
        option limit '254'
        option leasetime '2h'

config host
        option ip '10.0.0.184'
        list mac '$MAC_ETH_USB'
        option name 'eth-usb'
root@router:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'br-lan'
        list device 'eth4'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'lan_3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan_3'

config zone
        option name 'lan_4'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan_4'

Fragment of tcpdump -i br-lan -e 'vlan 4' | egrep --color=always 'vlan [34]|'

11:32:54.723423 $MAC_WORKSTATION (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 162: vlan 4, p 0, ethertype IPv4 (0x0800), $WORKSTATION_HOSTNAME.lan > 10.0.0.255: udp
11:32:55.741664 $MAC_PROXMOX_1 (oui Unknown) > $MAC_NOT_IN_THE_ARP_DATABASE (oui Unknown), ethertype 802.1Q (0x8100), length 1518: vlan 4, p 0, 802.3LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): p2p IIH, src-id 0100.0300.5002, length 1497
11:32:57.840447 $MAC_WORKSTATION (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 88: vlan 4, p 0, ethertype IPv4 (0x0800), $WORKSTATION_HOSTNAME.lan.27036 > 10.0.0.255.27036: UDP, length 42
11:32:58.517554 $MAC_PROXMOX_1 (oui Unknown) > $MAC_NOT_IN_THE_ARP_DATABASE (oui Unknown), ethertype 802.1Q (0x8100), length 1518: vlan 4, p 0, 802.3LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): p2p IIH, src-id 0100.0300.5002, length 1497
11:33:00.848609 $MAC_WORKSTATION (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 88: vlan 4, p 0, ethertype IPv4 (0x0800), $WORKSTATION_HOSTNAME.lan.27036 > 10.0.0.255.27036: UDP, length 42
11:33:01.285881 $MAC_PROXMOX_1 (oui Unknown) > $MAC_NOT_IN_THE_ARP_DATABASE (oui Unknown), ethertype 802.1Q (0x8100), length 1518: vlan 4, p 0, 802.3LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): p2p IIH, src-id 0100.0300.5002, length 1497
11:33:03.989984 $MAC_PROXMOX_1 (oui Unknown) > $MAC_NOT_IN_THE_ARP_DATABASE (oui Unknown), ethertype 802.1Q (0x8100), length 1518: vlan 4, p 0, 802.3LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): p2p IIH, src-id 0100.0300.5002, length 1497
11:33:06.760098 $MAC_PROXMOX_1 (oui Unknown) > $MAC_NOT_IN_THE_ARP_DATABASE (oui Unknown), ethertype 802.1Q (0x8100), length 1518: vlan 4, p 0, 802.3LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): p2p IIH, src-id 0100.0300.5002, length 1497
11:33:06.863101 $MAC_WORKSTATION (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 88: vlan 4, p 0, ethertype IPv4 (0x0800), $WORKSTATION_HOSTNAME.lan.27036 > 10.0.0.255.27036: UDP, length 42
11:33:07.898260 $MAC_WORKSTATION (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 411: vlan 4, p 0, ethertype IPv4 (0x0800), $WORKSTATION_HOSTNAME.lan.27036 > 10.0.0.255.27036: UDP, length 365
11:33:09.658243 $MAC_PROXMOX_1 (oui Unknown) > $MAC_NOT_IN_THE_ARP_DATABASE (oui Unknown), ethertype 802.1Q (0x8100), length 1518: vlan 4, p 0, 802.3LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): p2p IIH, src-id 0100.0300.5002, length 1497

Switch VLANs configuration:
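The "Results" list and the tcpdump fragment above can be checked mechanically rather than by eye. The script below is an added example, not code from the post or from OpenWrt: it parses `tcpdump -e` lines of the shape shown (three constructed copies of the post's lines, placeholders kept), classifies each destination address, counts unicast frames (a reply would show up as one) and flags frames whose IPv4 destination belongs to a subnet the router assigns to a different VLAN tag than the frame carries. The VLAN-to-subnet map is taken from the posted /etc/config/network. It also names 09:00:2b:00:00:05 as the ISO 9542/10589 "All Intermediate Systems" group address used for IS-IS hellos, which is why no ARP table or OUI database lists it as a host.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines, modelled on the tcpdump fragment in the post
# (placeholders such as $MAC_WORKSTATION kept; the IS-IS line carries the
# real destination MAC the post calls $MAC_NOT_IN_THE_ARP_DATABASE).
SAMPLE_CAPTURE = """\
11:32:54.723423 $MAC_WORKSTATION (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 162: vlan 4, p 0, ethertype IPv4 (0x0800), $WORKSTATION_HOSTNAME.lan > 10.0.0.255: udp
11:32:55.741664 $MAC_PROXMOX_1 (oui Unknown) > 09:00:2b:00:00:05 (oui Unknown), ethertype 802.1Q (0x8100), length 1518: vlan 4, p 0, 802.3LLC, dsap OSI (0xfe) Individual, ssap OSI (0xfe) Command, ctrl 0x03: OSI NLPID IS-IS (0x83): p2p IIH, src-id 0100.0300.5002, length 1497
11:32:57.840447 $MAC_WORKSTATION (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 88: vlan 4, p 0, ethertype IPv4 (0x0800), $WORKSTATION_HOSTNAME.lan.27036 > 10.0.0.255.27036: UDP, length 42
"""

# VLAN id -> subnet, as configured on the router in the post (br-lan.1/.3/.4).
VLAN_SUBNETS = {
    1: ip_network("10.0.0.0/24"),
    3: ip_network("10.3.0.0/24"),
    4: ip_network("10.4.0.0/24"),
}

# Group destination addresses that never belong to a single host.
WELL_KNOWN_DST = {
    "broadcast": "Ethernet broadcast",
    "09:00:2b:00:00:04": "ISO 9542 All End Systems (ES-IS)",
    "09:00:2b:00:00:05": "ISO 9542/10589 All Intermediate Systems (ES-IS/IS-IS hellos)",
    "01:80:c2:00:00:14": "ISO 10589 All Level-1 Intermediate Systems (IS-IS)",
    "01:80:c2:00:00:15": "ISO 10589 All Level-2 Intermediate Systems (IS-IS)",
}

FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) \(oui [^)]*\) > (?P<dst>\S+?)(?: \(oui [^)]*\))?, "
    r"ethertype 802\.1Q \(0x8100\), length (?P<length>\d+): vlan (?P<vlan>\d+), "
    r"p \d+, (?P<rest>.*)$"
)
IPV4_DST_RE = re.compile(r" > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def describe_dst(mac):
    """Broadcast, well-known group, other multicast (I/G bit set) or unicast."""
    key = mac.lower()
    if key in WELL_KNOWN_DST:
        return WELL_KNOWN_DST[key]
    try:
        return "multicast group" if int(key[:2], 16) & 1 else "unicast"
    except ValueError:          # a placeholder such as $MAC_PROXMOX_1
        return "unicast"


def parse_frame(line):
    m = FRAME_RE.match(line)
    if not m:
        raise ValueError("not a tagged tcpdump -e line: " + line)
    rest = m.group("rest")
    if "IS-IS" in rest:
        proto = "IS-IS"
    elif "ethertype ARP" in rest:
        proto = "ARP"
    elif "ethertype IPv4" in rest:
        proto = "IPv4"
    else:
        proto = "other"
    ip_dst = None
    if proto == "IPv4":
        ipm = IPV4_DST_RE.search(rest)
        if ipm:
            ip_dst = ip_address(ipm.group(1))
    return {"src": m.group("src"), "dst": m.group("dst"),
            "vlan": int(m.group("vlan")), "proto": proto, "ip_dst": ip_dst}


def vlan_for_ip(ip):
    for vid, net in VLAN_SUBNETS.items():
        if ip in net:
            return vid
    return None


def analyse(capture_text):
    """Per VLAN tag: sources, protocols, destination kinds, how many unicast
    frames (replies would be unicast) and tag/subnet mismatches."""
    report = {}
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        f = parse_frame(line)
        r = report.setdefault(f["vlan"], {"frames": 0, "unicast": 0, "sources": set(),
                                          "dst_kinds": set(), "protos": set(),
                                          "subnet_mismatch": []})
        r["frames"] += 1
        r["sources"].add(f["src"])
        r["protos"].add(f["proto"])
        kind = describe_dst(f["dst"])
        r["dst_kinds"].add(kind)
        if kind == "unicast":
            r["unicast"] += 1
        if f["ip_dst"] is not None:
            owner = vlan_for_ip(f["ip_dst"])
            if owner is not None and owner != f["vlan"]:
                r["subnet_mismatch"].append((str(f["ip_dst"]), owner))
    for r in report.values():
        for k in ("sources", "dst_kinds", "protos"):
            r[k] = sorted(r[k])
    return report


if __name__ == "__main__":
    for vid, r in sorted(analyse(SAMPLE_CAPTURE).items()):
        print(f"vlan {vid}: {r['frames']} frames from {r['sources']}, protocols {r['protos']}")
        print(f"  destinations: {r['dst_kinds']}; unicast frames (replies): {r['unicast']}")
        for ip, owner in r["subnet_mismatch"]:
            print(f"  tagged {vid} but addressed to {ip}, which is VLAN {owner}'s subnet")
```

On the sample this reports zero unicast frames on VLAN 4, matching the "no returning traffic" observation, and two frames that carry tag 4 while being addressed to 10.0.0.255, the broadcast address of the subnet the router puts on VLAN 1. That tag/subnet mismatch is the concrete thing to resolve between the switch port configuration and the bridge-vlan sections before looking anywhere else.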

Are you asking us to guess 3rd party switch to assist you with? Your tcpdump shows incoming packets tagged while port config is untagged.


Firmware: V4.50(AAOC.3) | 05/20/2020

Also I'm adding a new case which I've tried just now and another which got lost in the replies from the previous post.

You have to consult your switch's commercial support. You get tagged vlan 2 on your openwrt port if that helps any.

Unfortunately it's a second-hand, past-EOL switch.

I don't use VID 2.

Anyway new “tried” case incoming.

It is called rtfm

2.2 How to configure the switch to route traffic across VLANs

Your picture clearly shows you have not configured vlan tagging at all.


My intention was to allow multiple VLANs on most if not all ports and I have not said anything about routing between VLANs because it is not my use-case.

Also if you “RTFM” me, I would like for you to not engage further.

Unfortunately, this circumstance doesn't change that the OpenWrt community knows nothing about it.

Posting model and firmware version doesn’t change that it's third party.

Are you asking us to guess?

Why did you show VLAN 4, is there a specific issue?

I don't see a VLAN configuration in this screenshot.

Can you clarify this?

Please provide more detail.

Please clarify.

Which ports?

It's hard for anyone to engage when we are unfamiliar with the Zyxel. Are we supposed to know the manual of your EOL device?

(Let's keep this thread neat and tidy, please - not like your other thread.)

That’s not how it works. You have ‘access’ ports which connect directly to individual devices. These are likely to be the majority of the ports on a switch and should only be using one VLAN (and untagged as it's unlikely the end device will be VLAN-aware).

Ports being used to interconnect VLAN-aware devices (switches, routers etc.) are ‘trunk’ ports and can have multiple tagged VLANs.

For non-OpenWRT devices, that is likely to be the answer you will get. This isn’t a general networking forum so there is an onus on users doing their own research about how to use and configure non-OpenWRT devices.


Your zyxel is managed by you. Whining here will not configure it.

That requires configuring both ends of the cable; you don't seem to dig that the other end of the cable is misconfigured (actually at its defaults, but that does not matter here).

So if I understand correctly you can't have end device to end device communications, with or without a switch, on multiple VLANs on the same physical connection?

This ignores the case that I've also tried a P2P Ethernet connection and described it.
Not to mention the “RTFM” is for a case I don't use and it's just rude.

Incorrect. The issue is you haven't properly configured a trunk to do so.

What is a P2P Ethernet connection?

(And how was it supposed to solve the issue you describe?)

Allow me to rephrase:

What does the Zyxel manual say about VLAN configuration on the switch?

(We don't understand what you mean by the phrase "a case I don't use" - please clarify.)

It seems you may misunderstand the purpose and usage of VLANs.

(and other switch references)

Again, I wrote also about P2P Ethernet connection with a similar behaviour. So if this is a problem we can just disregard the switch.

Even after today's discoveries that made me trust the switch even less I'm thinking about just getting rid of it or going with the dev version and getting another - stable one.

Up to half-way I've used VLAN 4 through the switch and VLAN 3 P2P. Now I'm just trying with VLAN 3 to leave out one variable and both VLANs were to be treated as siblings, as in the same configuration, different physical port, different VID, different subnet, different Proxmox service, otherwise the same.

I might have referred to VID 1 or untagged traffic. Either way I wanted to mix VLANs on single ports. So a machine could have access to untagged or VID 1 traffic and specific VLANs.
For example Proxmox with Ceph and clustering requires (AFAIU) a separate interface with a network between nodes (thus didn't think that intra-VLAN routing was needed and did not plan it) for both.

Bad switch configuration when I tried subnet-based VLANs, but the switch did not show them as active. When I've returned to “Simple VLAN” the traffic came back. So here I'm back to square one.

See the answer to your “both VLAN and non VLAN traffic - please clarify” question.

(Masked, as this is more personal, so a possible OT) I am really trying to keep this neat and tidy for how much grief this, supposedly simple, thing has caused me. For me this is impostor syndrome on steroids.

This is all I see, you'll need to provide more detail.

The phrase "same: only inbound traffic" is not very helpful.

Huh?

Please be more descriptive, using standard terms and jargon.

Did you configure your clients for this (unrelated to OpenWrt)?

?

(Just providing the answer is more helpful - I don't understand what I'm to guess or extrapolate.)

(Providing details will help.)


Perhaps you posted details in the locked thread and mistook it for this posting?

Device-device connection, without a switch. It was supposed to test if my problems are because of the switch.

I don't need and didn't configure inter-VLAN routing.
Also with P2P Ethernet I am now not even connected to the switch and the problems remain.

I thought that it was to logically partition a physical network. Which gave me a good solution to my problems with Proxmox. Guess I'm just that dumb… :frowning:

I will take a pause and breathe, as I think I'm answering (for better or worse) some questions that are asked while I'm writing. And I perhaps just need a break from thinking about this…

Yes, a pause may help. Each time we ask about a switch, you mention inter-VLAN routing or tell us you'll eliminate the switch. It's not clear why you won't answer about the switch performing switching.

I asked:

You didn't answer if you [tried] configuring this to work - since it's clear you didn’t configure the switch.

So far it seems you succeeded in partitioning, but it's unclear why you expect a "P2P Ethernet connection" to work after doing so.

Mixing tagged and untagged on the same port is not recommended as it does not work properly on all hardware. As others said, think in terms of "trunk" and "access" ports.

A trunk port has multiple VLANs and they are all tagged. This is used to transport several networks on one cable. The device at the other end of the cable is typically a managed switch or another OpenWrt router and it must be configured with the same VLAN numbers.

An access port is attached to one VLAN and it is untagged. Access ports are used when the device at the other end of the cable is not VLAN aware such as a printer or desktop computer.


And let me repeat from "the other thread": avoid using vlan 1 just because of reasons.


Your configs as seen in the first post have numerous issues.

My recommendation would be to start over and create just one new network (for a total of 2 networks). Use the guest wifi guide as a start to setup the network in general (along with its firewall zone and dhcp server). Then, you can refer to the DSA tutorial to understand how to properly create bridge VLANs for the ethernet connectivity.

Specifically on the VLAN side, I'd recommend starting by assigning one ethernet port as an access port for the new network so that you can prove its general connectivity and function. Do this using the bridge VLAN construct and simply making the chosen port untagged for the new network/VLAN.

Once you've proven out that the networks are functioning properly, you can create a trunk port -- that is the port that will link to your switch.

It is at this point that you will probably want to refer to the user manual or other support resources available for the Zyxel switch to understand how to properly configure the trunk port and access ports. Start with just the trunk to the router, and create at least one access port for each of the VLANs so that you can now verify that the trunk is working as expected as well as the access ports on the switch.

Keep in mind that this forum doesn't serve as a support resource for the Zyxel switch, but we can help verify that the OpenWrt config is correct. If you want an option that is "fully supported" by the forum, you can always pick up another router that is supported by OpenWrt and use that as a switch and/or AP. This option would be good if you really need end-to-end support to really understand VLANs (once you have wrapped your head around the concepts, it becomes quite a bit easier to learn another vendor's system, kind of like it being just another language but based on the same principles. Or you could think of it as learning to drive a different brand of car once you've learned to drive in general -- sure the controls may be in different places and maybe labeled slightly differently, but you have the basic understanding of the functions of the controls.)
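The trunk/access distinction explained a few replies up, and the recommendation to rebuild the bridge VLANs one access port at a time, can both be checked against the posted config with a small script. The one below is an added example, not OpenWrt code and not the project's own tooling: it parses UCI text, reads the `bridge-vlan` sections (the `:t`, `:u` and `:u*` port suffixes of the DSA bridge-vlan syntax; a port with no suffix is treated as untagged with PVID, which is assumed here), classifies every bridge port as access, trunk, hybrid or none, and raises the warnings a reviewer of that layout would raise. Both inputs are constructed: the first is the bridge part of the router config from the first post, trimmed; the second is a hypothetical layout in the shape the replies describe, with eth1 as the tagged trunk to the switch and eth3/eth4 as untagged access ports (interface and firewall sections are left out).

```python
import re

# Constructed sample: the bridge, bridge-vlan and lan_3 sections from the
# router config in the first post, trimmed to what the review inspects.
POSTED_CONFIG = """
config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1'
config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth3'
config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'eth4'
config interface 'lan_3'
        option proto 'static'
        option device 'br-lan.3'
        option gateway '10.0.0.1'
"""

# Constructed (hypothetical) layout in the shape the replies describe: eth1 is
# the trunk to the switch carrying VLANs 3 and 4 tagged, eth3 and eth4 are
# access ports (untagged, PVID). Interface sections are omitted.
TRUNK_ACCESS_CONFIG = """
config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'eth1'
        list ports 'eth3'
        list ports 'eth4'
config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth1:t'
        list ports 'eth3:u*'
config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'eth1:t'
        list ports 'eth4:u*'
"""


def parse_uci(text):
    """Minimal UCI text parser: list of sections with their options and lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", raw.strip())]
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option":
            cur["options"][parts[1]] = parts[2]
        elif parts[0] == "list":
            cur["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def membership(sections):
    """port -> {vid: mode}; 't' tagged, 'u' untagged, 'u*' untagged + PVID.
    A bare port name is treated as 'u*' (assumed DSA default)."""
    ports = {}
    for s in sections:
        if s["type"] == "bridge-vlan":
            vid = int(s["options"]["vlan"])
            for entry in s["lists"].get("ports", []):
                port, _, mode = entry.partition(":")
                ports.setdefault(port, {})[vid] = mode or "u*"
    return ports


def review(text):
    """Classify each bridge port (access/trunk/hybrid/none) and list warnings."""
    secs = parse_uci(text)
    mem = membership(secs)
    roles, warnings = {}, []
    bridge_ports = [p for s in secs if s["type"] == "device"
                    and s["options"].get("type") == "bridge"
                    for p in s["lists"].get("ports", [])]
    for p in bridge_ports:
        vids = mem.get(p, {})
        untagged = sorted(v for v, m in vids.items() if m != "t")
        tagged = sorted(v for v, m in vids.items() if m == "t")
        if not vids:
            roles[p] = "none"
            warnings.append(f"{p}: bridge member but in no bridge-vlan, it carries no VLAN")
        elif untagged and tagged:
            roles[p] = "hybrid"
            warnings.append(f"{p}: untagged {untagged} mixed with tagged {tagged} (not recommended)")
        elif tagged:
            roles[p] = "trunk"
        else:
            roles[p] = "access"
        if len(untagged) > 1:
            warnings.append(f"{p}: untagged in several VLANs {untagged}, only one is possible")
    for s in secs:
        if s["type"] == "interface" and s["options"].get("proto") == "static" \
                and "gateway" in s["options"]:
            warnings.append(f"{s['name']}: 'gateway' on a LAN-side static interface "
                            "competes with the default route learned on wan")
    return roles, warnings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("trunk/access", TRUNK_ACCESS_CONFIG)):
        roles, warnings = review(cfg)
        print(label, roles, *("\n  warning: " + w for w in warnings))
```

On the posted config it reports eth2 as a bridge member with no VLAN and flags the `gateway` line on lan_3; the constructed trunk/access layout comes back clean with eth1 as the only trunk. Whatever port is chosen as the trunk on the OpenWrt side has to be matched by a port on the Zyxel carrying the same VIDs tagged, and each access port there by an untagged port in one VID, which is the part the switch manual covers.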