Hi there,
I'm fairly new to VLANs (and OpenWrt in general!), and I really need assistance with my configuration. I've looked around online and all my attempts have not been successful, thus I am here. I've set up my network with:
On the switch, I have Port 1 as trunk, and Port 4 as trunk for this access point. The PVID of this port 4 is 1, with VLANs 70 and 80 as tagged. Here are the screenshots; VLAN80 is the same as VLAN70.
Yes... this can be done. Let's use port lan1 for the trunk, then lan2 for VLAN 1, lan3 for VLAN 70, and lan4 for VLAN 80... this will be a useful method to ensure that everything is working as expected in terms of the trunk and the upstream configuration (simply plug a computer into ports lan2-lan4 and you should get on the respective network).
Add bridge-vlans:
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '70'
	list ports 'lan1:t'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '80'
	list ports 'lan1:t'
	list ports 'lan4:u*'
Next, edit your lan interface to use br-lan.1:
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
And for wifi to work, you also need to add unmanaged interfaces:
config interface 'vlan70'
	option device 'br-lan.70'
	option proto 'none'

config interface 'vlan80'
	option device 'br-lan.80'
	option proto 'none'
Finally, add wifi SSIDs for VLANs 70 and 80 tied to the respective interface names.
Sorry for my ignorance, but why are lan2, 3 and 4 being used? I have one ethernet wire connected to my access point using the LAN 1 port. All the others are empty.
You don’t need to use those ports, but I set them up for the purpose of a simple sanity check. Port lan1 connects to the upstream switch. The other ports are for downstream - simply so you can easily plug a computer into them, one by one, to verify connectivity to the VLANs.
Thank you so much! It works (for now). I have been banging my head for the last few days trying to understand how OpenWrt does this. I really appreciate it. The VLANs on their SSIDs seem to be working as expected. I hope this post will help out someone else in my predicament.
Please don't use PVID. Never. For over 20 years now you should only have needed it on broken hardware!
Instead:
Option 1. Use the trunk as a trunk with only tagged VLANs. And if you want to use a VLAN on the AP directly, just use a tagged interface on the access point. With OpenWrt this is no issue.
Option 2. With some enterprise gear where you can only use untagged interfaces for client configuration, you could use a trunk port with a single untagged VLAN. But please stay away from PVID.
But as always, just follow @psherman's advice more or less blindly. He knows what he's doing.
My main "management" VLAN (or from my understanding it is just LAN) was by default set as 1. So are you suggesting that I make VLAN 1 (or LAN) a tagged VLAN?
In larger networks the good mantra is even to stay away from any untagged or tagged VLAN 1.
Because to this day every vendor seems to handle this differently.
So IMHO and in my experience you would use a dedicated VLAN ID (not equal to 1) as a management VLAN for switches, access points and routers.
Even a second management VLAN for servers, a third for IoT and so on.... And then users.... You now know the deal.
So effectively, it is a good idea to just turn off the LAN in the router, and instead make a VLAN with the same subnet as the old LAN and with a different VLAN number, say 100? Is there a purpose to VLAN 1 (or LAN) any more after this?
No.
VLAN IDs are 12 bit. So you can set up 4096 minus 3 reserved ones.
0, 1, and 4096 as I remember.
How or how many IP and ip6 (layer 3) networks you assign to each vlan is your choice to make.
There is some equipment that doesn’t like the mix of tagged + untagged. Those are fairly rare, though.
On the sysadmin/best practices element, there are strong opinions about if it is safe and/or wise to mix untagged and tagged on the same port. I do not have a strong opinion here, but some say that this should be avoided at all costs. The same argument is often made about vlan id 1.
Finally, at a practical level, it can be hard to work with all tagged networks because of sequencing the configuration of the different devices (including temporary loss of connectivity) while the config itself is in flux. For users new to VLANs, it is often easiest to keep vlan id 1 untagged on the trunk until there is a more comprehensive understanding of and comfort with VLANs.
I'd like for this specific access point to have all tagged VLANs. I have created Management VLAN100 on the router and I'm using this access point as a test. Is this the best way to make the adjustment? Is there anything missing from this?
What are lan2-lan4 for? If you intend to connect a "normal" Ethernet device (i.e. a computer/game console/STB, etc.), those will not usually expect tagged networks and therefore won't work.
Also, the * means PVID which is the default VLAN to which untagged ingress frames are assigned. That should not be used in conjunction with T (tagged) networks.
On the trunk (lan1) it is totally fine (and potentially even best, depending on your stance on the tagged+untagged discussion) to have all ports tagged.
Gotcha! I aim to remove PVID entirely, so I will remove the *. Lan2-4 are not used for anything right now, only for computers when I service it.
Lan2 = VLAN100
Lan3 = VLAN70
Lan4 = VLAN80
My understanding then, is that these ports will need to be untagged. If the PVID is not there, how are these untagged ports assigned?
If you're going to connect a normal device to the ports, you should be specifying that it is untagged and also PVID. That results in :u*.
The truth is that for untagged, it seems that it's not absolutely required to specify... that is:
list ports 'lan1'
appears to be the same as:
list ports 'lan1:u'
and also:
list ports 'lan1:u*'
However, I always recommend for untagged (normal) ports (also called "access ports") they should be specified completely with :u* -- this makes it very clear what the port is doing.
Is PVID actually necessary to use when using these "access ports"? The goal is to remove PVID if possible. Can these ports not just be 'lan2:u', 'lan3:u', 'lan4:u' for each VLAN? Like this:
As I said above, just using :u seems to work fine, but I don't understand your reasoning for removing the PVID, and more importantly what you expect the ports to do (or not do). Can you explain?
Sorry, I was confused earlier, and I was wrong: I do need PVID. I decided to take a step back and go over the basics again. I have now readjusted my settings to replace VLAN1 with VLAN100 (management VLAN) for best practices. Here's my configuration:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xx:xx:xx:xx:xx:xx'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan3'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan4'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config bridge-vlan
	option device 'br-lan'
	option vlan '70'
	list ports 'lan1:t'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '80'
	list ports 'lan1:t'
	list ports 'lan4:u*'

config interface 'vlan70'
	option device 'br-lan.70'
	option proto 'none'

config interface 'vlan80'
	option device 'br-lan.80'
	option proto 'none'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config interface 'vlan100'
	option proto 'dhcp'
	option device 'br-lan.100'
Might there be any security issues in this configuration? What should I look out for?
Not really... your management network is VLAN 100 and it's the only one that has an address, so as long as that is properly configured (at the upstream), it should be fine.
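Added example, not code from the thread or from OpenWrt itself: a small linter that reads a UCI network config and checks the points raised above, namely that `*` (PVID) only appears on untagged access ports and never on a tagged trunk member, that no port is PVID in more than one VLAN, that no port mixes tagged and untagged membership, and that only the management VLAN carries a layer-3 protocol on the access point. The sample configs are constructed from the final configuration posted in the thread (trimmed) plus a deliberately broken variant; the rule that a bare port name such as `lan1` behaves like `lan1:u*` follows what the thread observed and is an assumption here. The management VLAN id is passed in as a parameter.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample, trimmed from the final config posted in this thread: lan1 is the
# tagged trunk, lan3/lan2 are access ports, only the management VLAN 100 has an address.
THREAD_CONFIG = """
config bridge-vlan
    option device 'br-lan'
    option vlan '70'
    list ports 'lan1:t'
    list ports 'lan3:u*'

config interface 'vlan70'
    option device 'br-lan.70'
    option proto 'none'

config bridge-vlan
    option device 'br-lan'
    option vlan '100'
    list ports 'lan1:t'
    list ports 'lan2:u*'

config interface 'vlan100'
    option proto 'dhcp'
    option device 'br-lan.100'
"""

# Constructed counter-example: PVID on a tagged trunk member, lan3 marked PVID in two
# VLANs, lan2 mixed tagged/untagged, and an address on a non-management VLAN.
BAD_CONFIG = """
config bridge-vlan
    option device 'br-lan'
    option vlan '70'
    list ports 'lan1:t*'
    list ports 'lan2:t'
    list ports 'lan3:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '80'
    list ports 'lan1:t'
    list ports 'lan2:u*'
    list ports 'lan3:u*'

config interface 'vlan70'
    option device 'br-lan.70'
    option proto 'static'
    option ipaddr '192.0.2.2'
"""


def parse_uci(text):
    """Minimal UCI reader: returns a list of (section_type, name, {key: value | [values]})."""
    sections = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        kw, *args = shlex.split(line)  # shlex handles the single-quoted values
        if kw == "config":
            sections.append((args[0], args[1] if len(args) > 1 else None, {}))
        elif kw == "option":
            sections[-1][2][args[0]] = args[1]
        elif kw == "list":
            sections[-1][2].setdefault(args[0], []).append(args[1])
    return sections


PORT_RE = re.compile(r"^(?P<name>[\w.-]+)(?::(?P<mode>[ut])(?P<pvid>\*)?)?$")


def parse_port(spec):
    """'lan1:t' -> (name, tagged, pvid). A bare 'lan1' is read as ':u*' (assumption,
    matching what the thread observed); ':u' alone is untagged without PVID."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised port spec {spec!r}")
    name, mode, pvid = m.group("name", "mode", "pvid")
    return name, mode == "t", pvid is not None or mode is None


def lint(text, mgmt_vlan):
    """Return 'ERROR: ...' / 'WARN: ...' findings for the bridge-vlan layout in `text`."""
    findings, pvid_in, tagged_in, untagged_in = [], defaultdict(set), defaultdict(set), defaultdict(set)
    vlan_of = {}  # 'br-lan.70' -> 70, used to map interfaces back to their VLAN id
    for stype, _, o in parse_uci(text):
        if stype != "bridge-vlan":
            continue
        vid = int(o["vlan"])
        if not 1 <= vid <= 4094:  # 802.1Q reserves VID 0 and 4095
            findings.append(f"ERROR: VLAN {vid} is outside the usable 802.1Q range 1-4094")
        vlan_of[f"{o['device']}.{vid}"] = vid
        for spec in o.get("ports", []):
            name, tagged, pvid = parse_port(spec)
            if tagged and pvid:  # '*' belongs on access ports, not on tagged trunk members
                findings.append(f"ERROR: VLAN {vid}: {spec} sets PVID on a tagged port")
            (tagged_in if tagged else untagged_in)[name].add(vid)
            if pvid:
                pvid_in[name].add(vid)
    for port, vids in pvid_in.items():
        if len(vids) > 1:  # untagged ingress frames can only be assigned to one VLAN
            findings.append(f"ERROR: {port} is PVID in VLANs {sorted(vids)}; a port has exactly one PVID")
    for port in sorted(tagged_in.keys() & untagged_in.keys()):
        findings.append(f"WARN: {port} mixes tagged {sorted(tagged_in[port])} and untagged {sorted(untagged_in[port])}")
    for stype, name, o in parse_uci(text):
        if stype == "interface" and o.get("proto", "none") != "none":
            vid = vlan_of.get(o.get("device", ""))
            if vid is not None and vid != mgmt_vlan:
                findings.append(f"WARN: interface {name!r} gives non-management VLAN {vid} an address")
    return findings


if __name__ == "__main__":
    for finding in lint(BAD_CONFIG, 100):
        print(finding)
```

To run it against a live device, replace `BAD_CONFIG` with the contents of `/etc/config/network` and pass your management VLAN id; an empty result means none of the thread's rules of thumb are violated, while the deliberately broken sample produces two errors and two warnings.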