ISP tells me that besides proper VLAN ID on WAN I send VLAN 0

Following setup:

Use case:

I recently got fibre installed in my house and wanted to set it up now. ISP tells me all I need to do is set a certain VLAN ID on my WAN interface... done.

Problem: After tagging the interface with the right VLAN ID I get the right public IP (I have one reserved for me) and DNS 1 & 2 set automatically and the right ones but I simple can't connect browse anywhere.

Now to the strange part: ISP is telling me that he sees my device and sees that I have the proper VLAN ID set but in addition to the one they require I am supposedly sending "VLAN 0"...

My /etc/config/network looks like this where "wan.xx" is of course set with the right value e.g. "wan.22":

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '...'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'net2'
        option proto 'static'
        option ipaddr '...'
        option netmask '...'
        option ip6assign '60'
        option device 'br-lan.2'

config device
        option name 'wan'
        option macaddr '...'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan3'

config interface 'net1'
        option proto 'static'
        option device 'br-lan.1'
        option ipaddr '...'
        option netmask '...'

config interface 'net3'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '...'
        option netmask '...'

config interface 'Guest'
        option proto 'static'
        option device 'radio1.network3'
        option ipaddr '...'
        option netmask '...'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '4'
        option name 'br-lan.4'

config interface 'net4'
        option proto 'static'
        option device 'br-lan.4'
        option ipaddr '...'
        option netmask '...'

config interface 'wan'
        option proto 'dhcp'
        option device 'wan.xx'

I thought that e.g. "wan.22" would be enough and thats that and since I somehow get a public IP and DNS assigned automatically I thought its fine and I can't for the life of me find where I should have that VLAN 0 set. I checked many posts here and some places else and tried the all the slightly different approaches to tagging the WAN VLAN ID I found in those posts but none worked. Interestingly enough when I did a tcpdump all I see is ARP requests that seemingly don't get a response for the default gateway which just show the VLAN I tagged. Can someone please help me fill in the missing blanks and/or tell me where I went wrong?

Thank you all for your time!

Try to check on wiki, for example:

• https://openwrt.org/docs/guide-user/network/wan/isp-configurations

My example config looks like:

• https://github.com/danpawlik/openwrt-builder/blob/master/settings-configs/BPI-R4/network-pppoe

Hope some would work

Thank you for those links. Unfortunately my proto is "DHCP" and my ISP isn't listed in my country :-/

Also throwing in

option hostname '*'

and

option delegate '0'

in various combinations does not help.

Try to make it once again from scratch and take the closest config from the wiki. If that does not work, send logread on gist GitHub or similar

Long ago, when DSA was first introduced, I also struggled with VLAN setup on some DSA-enabled devices when I tried to set up a device that connects all required networks (including WAN) via a single link.

I resorted to setting up a DSA bridge "br-xyz" that contains only this single I/F and assign the VIDs to the bridge, e.g. to br-xyz.22 (via bridge-vlan), instead of directly to the I/F like you did. Then it worked.

I don't remember which target that was (it wasn't mvebu, though) and I didn't troubleshoot any further, since I'm setting up my devices via automatic script, and this method even simplified my setup script for good measure

As a heads-up, depending on how many separate, VLAN-filtered bridges the switch chip in your device supports, you might also be better off adding the wan I/F to br-lan and use br-lan.22 as WAN device, in order to not lose HW accelerated VLAN filtering.

@danpawlik https://gist.github.com/skillpoint-dev/b0a0aa35e7ef317e383f1fad0c91cadd

I performed a reset of the config and the only thing I did in Luci was to change the WAN interfaces to use device "wan.XX" instead of "wan"

What exactly packets are sent with vlan 0? It might be some service bound to untagged interface (like LLDP or something)

Service person from ISP did not specify - he just told me that he sees packages being send with both VLAN XX and VLAN 0 being set...

TCPDUMP on wan interface just showed me ARP request to gateway with VLAN XX but not VLAN 0 so I wasn't able to verify his statement but he was very insistent...

I tried that now: With adding WAN switch port to br-lan it just won't let me set a tagged VLAN ID of the WAN port - config change apply tells me to revert.

When I try to create a separate bridge as you described only with WAN switch port then device is not coming up (empty bridge)

I would suggest you to ask service person about that - without understanding what have vlan 0 tag, other actions are just guessing

Use console for such changes, or directly edit config files. Making dependent changes in LuCI is a pain and needs to be done in the right order to successfully apply.

First I suggest to disable wan6, if not supported just to make more clear logs. Try again and paste logs on gist - you can wait littlebit longer.

this one ran longer, I deactivated IPV6 and deleted the wan6 interface

I am letting "tcpdump -n -i wan" running on the side as well and it only has ARP requests:

"Request who has x.x.x.x tell x.x.x.x" and in between always also ARP requests who has GATEWAY tell MY-PUBLIC-IP....

There are literally nothing else than ARP requests being shown

I don't know why I didn't think of this earlier - I am sorry. I reset the firmware back to the OEM and configured the necessary things there. Surprise... I am also not able to connect anywhere there although I am assigned my public IP. Thus at least telling me it is not an OpenWRT issue but a router hardware or ISP issue. Thank you @danpawlik, @Shine and @ProMix0 for suggesting things and willing to help, I learned a lot and I will try my best to pay this kindness forward!