IP phones Vlan isolation [solved]

oscar · January 6, 2021, 2:26pm

Hello,
my goal is to isolate two IP-telephones from the main LAN through vlan.The two ports for this purpose are located on a separate (managed) switch. So I started:

defined a new interface, set it to eth0.7
set vlans on trunks and physical ports:

Router

Switch

created an associated firewall and corresponding rules

config forwarding
        option dest 'wan'
        option src 'Fon'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Fon DNS'
        option family 'ipv4'
        option src 'Fon'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Fon DHCP'
        option family 'ipv4'
        option src 'Fon

set up dhcp for this subnet

config dhcp 'Fon'
        option leasetime '12h'
        option interface 'Fon'
        option start '2'
        option limit '2'

I can ping to 192.168.200.1 (the IP address of the IF), but not to any device connected on these ports. They in turn do not get the expected IP address but '0.0.0.0'.

Any ideas what I do wrong?

Cheers
Oscar

PS: the other ports on the switch belonging to vlan 1 just work fine

trendy · January 6, 2021, 2:33pm

Don't mix tagged and untagged traffic.

I suppose you mean eth0.4
Ports 3 and 4 on the switch must have PVID 4.
On firewall for dns you need udp only. For dhcp only port 67.

oscar · January 6, 2021, 2:55pm

I do my best, but am struggling

It looks like this now:

It took a reboot of the router to take effect, but now it works!

Thank you @trendy!

Cheers
Oscar

faser · January 6, 2021, 3:43pm

I will ask everytime, why not! This clearly within the respective definitions of the standard and is working fine on Openwrt.
Do you have any documentation that shows that this is causing issues?

oscar · January 6, 2021, 4:14pm

I believe 'untagged' is needed for outgoing traffic to vlan-unaware devices like a PC. The tag is removed before leaving for the end-device.
'Tagged' by contrast is leaving the tag untouched, which is required while the traffic circulates within the network, as e.g. trunk ports connecting two network-devices.

In my example, traffic arrives with vlan4 tag on port 1 of the router, passed on with the tag to port 5 on the switch, which then hands it to port 3 or 4. If either of the previous ports were untagged, the traffic could not be directed to port 3/4. They in turn have to remove it, as the end device does not know what to do with it. And the other way round backwards from PC to router.

It is my understanding, using my words. Hope the experts forgive me for using unskilled word

trendy · January 6, 2021, 4:27pm

When you have at least a tagged vlan, it means the other end of the cable also supports tagged frames. Personally I don't see the sense of mixing them. For inexperienced users it is another potential pitfall. If you feel confident go ahead and use it.

faser · January 7, 2021, 12:56am

Well I have the port to my Server mixed tagged/untagged mixed.
The "untagged" is for my common LAN while I use the "tagged" ones for different servers that are running in VMs/Containers on the server.

system · January 17, 2021, 12:56am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.