ISP VLAN on ASUS RT-ACRH17

ahuman · February 3, 2024, 5:46am

I've tried to piece this together from the handful of existing forum topics and the docs, but every situation seems to be just different enough to leave me baffled.

I just flashed OpenWrt 23.05.2 stable to this device. I intend to use it with a FTTH connection in place of the ISP's provided router. The ISP requires the router to tag VLAN 1000 on the WAN. I've done this before with a different off-the-shelf router, where tagging a VLAN on the WAN is very straightforward in the OEM GUI.

What I don't understand is how I need to configure the devices/interfaces to use VLANs on the WAN in current OpenWrt with this router.

A second question is how this works with a WireGuard VPN and/or ZeroTier, which set up their own "adapters" that are distinct from the WAN.

Here's the default configuration of the device out of the box:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "ASUS RT-AC42U",
	"board_name": "asus,rt-ac42u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc8:30ed:d708::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

root@OpenWrt:~# ls -l /sys/class/net
lrwxrwxrwx    1 root     root             0 Nov 14 13:38 br-lan -> ../../devices/virtual/net/br-lan
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth0 -> ../../devices/platform/soc/c080000.ethernet/net/eth0
lrwxrwxrwx    1 root     root             0 Jan  1  1970 lan1 -> ../../devices/platform/soc/c000000.switch/net/lan1
lrwxrwxrwx    1 root     root             0 Jan  1  1970 lan2 -> ../../devices/platform/soc/c000000.switch/net/lan2
lrwxrwxrwx    1 root     root             0 Jan  1  1970 lan3 -> ../../devices/platform/soc/c000000.switch/net/lan3
lrwxrwxrwx    1 root     root             0 Jan  1  1970 lan4 -> ../../devices/platform/soc/c000000.switch/net/lan4
lrwxrwxrwx    1 root     root             0 Jan  1  1970 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx    1 root     root             0 Jan  1  1970 wan -> ../../devices/platform/soc/c000000.switch/net/wan
lrwxrwxrwx    1 root     root             0 Nov 14 13:38 wlan0 -> ../../devices/platform/soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0
lrwxrwxrwx    1 root     root             0 Nov 14 13:38 wlan1 -> ../../devices/platform/soc/a000000.wifi/net/wlan1

psherman · February 3, 2024, 6:05am

It should be as easy as wan.1000 like this:

config interface 'wan'
	option device 'wan.1000'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan.1000'
	option proto 'dhcpv6'

These don't have the concept of VLANs....You set up WG or ZT the same way you would on any other OpenWrt config. not sure if that's answering your question though -- please elaborate if there is more to your question.

ahuman · February 3, 2024, 6:36am

That VLAN option doesn't appear to be exposed in LuCI? Editing the config will be fine for such a simple change, I'm just trying to make sure that I'm not missing some obvious way to set this via LuCI.

With respect to WG and ZT, I guess my confusion comes from how they interact with the WAN. Obviously there's an underlying way that they communicate out via the WAN, but that's "hidden", so I didn't know if tagging the VLAN on the WAN would automatically affect them as well or not. If you're saying that having the WAN tagged is all I need to do, and they will work as usual with no change, that's absolutely perfect.

A big problem I will have here is that I won't be able to properly test the WAN tagging while I work on the rest of the setup. It's for a friend's house and I'll need to have everything working before going there to install, and then hope that I can enable the WAN tagging at that time and everything still "just works". I know that's a terrible plan, but it is what it is.

slh · February 3, 2024, 6:44am

It's possible with luci, but most of us who are more familiar with it tend to edit the config files directly (or use uci on cli), it's just quicker - and easier to explain to others.

for some overview (although that's more complex than you need it to be right now).

github.com/openwrt/luci

Introduce support for managing `config device` and `config bridge-vlan` sections

openwrt:master ← jow-:uci-network-device-support

opened 07:03PM - 28 Jul 20 UTC

jow-

+1336 -384

This PR adds initial support for managing `config device` sections which allows …for fine grained control over low level device details in uci. It requires the latest netifd Git HEAD to function. Additionally, it implements support for bridge VLAN filtering as defined in http://lists.openwrt.org/pipermail/openwrt-devel/2020-July/030151.html ![grafik](https://user-images.githubusercontent.com/2528802/88709471-7bd07980-d115-11ea-94a5-c3bd867caca7.png) ![grafik](https://user-images.githubusercontent.com/2528802/88709499-8723a500-d115-11ea-9db5-192cb0375c59.png) ![grafik](https://user-images.githubusercontent.com/2528802/88709508-8db21c80-d115-11ea-97ea-19bab4851c69.png) ![grafik](https://user-images.githubusercontent.com/2528802/88709520-930f6700-d115-11ea-8f32-700af6987a6e.png) ![grafik](https://user-images.githubusercontent.com/2528802/88709562-a6223700-d115-11ea-9ed7-99c9887c0c0d.png) ![grafik](https://user-images.githubusercontent.com/2528802/88709647-bfc37e80-d115-11ea-883f-9ff47ffee81e.png)

psherman · February 3, 2024, 6:47am

I'd have to check on a DSA device with LuCI... I haven't tried it that way, so offhand I don't know.

They indirectly interact with the wan as a (logical) network interface at L3, not a physical ethernet interface (even when VLAN tagged) at L2. Really, they're interacting with the routing engine which is what handles the inter-network routing. The other interfaces don't need to know anything about each other -- it is the routing engine and firewall that governs all of this.

ahuman · February 3, 2024, 8:04am

Thanks for this.

I've read the DSA Mini-Tutorial in trying to figure out how to set up tagged VLANs for local networks, and it's fairly helpful in that respect. Regarding my questions here, the problem is what interface or device is used to apply the VLAN configuration when it's on the WAN. But one of the screenshots in that PR thread got me to look again at the "VLAN 802.1q" device type and now I realize that I can make one of those with "switch port: wan" as the "base device" and give it the VLAN ID "1000". Then... I would change the "wan" and "wan6" interfaces to use this device, right? And nothing else would need to be changed?

Does setting that VLAN ID in this way make it "tagged"? I'm still confused about that subject. It makes sense for local VLANs on a bridge, where I can look at the table of tagged, untagged, and excluded, but in this situation what's actually going on isn't clear to me.

Thanks for the quick responses from both of you, by the way.

psherman · February 3, 2024, 8:09am

Yup. It is a bit different when dealing with bridge vlan filtering, but for the wan, wan.1000 is tagged vlan 1000.

ahuman · February 3, 2024, 1:24pm

Perfect, thank you.

system · February 13, 2024, 1:25pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.